ML22251A084
Issue date: 01/24/2023
From: NRC/OCIO
Shared Package: ML22258A170
DRAFT SUPPORTING STATEMENT FOR NRC Controlled Unclassified Information Program Information-Sharing Agreement (3150-XXXX)
NEW
Description of the Information Collection
The CUI program was established pursuant to Executive Order 13556, "Controlled Unclassified Information." The National Archives and Records Administration (NARA) has issued government-wide implementing regulations for executive branch agencies to implement the CUI program at 32 CFR Part 2002.
32 CFR 2002.16(a)(5)(i), Information-sharing agreements, requires agencies to enter into a formal CUI information-sharing agreement, whenever feasible, when they intend to share CUI in any form (hard copy or electronic) with non-executive branch entities. To implement this requirement, the NRC developed a formal information-sharing agreement that facilitates the agency's ability to share CUI with non-executive branch entities. In addition, if the non-executive branch entity's information systems process or store CUI, the CUI Rule requires agencies to prescribe National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, when establishing security requirements in written agreements to protect the CUI's confidentiality.
Any non-executive branch entity (i.e., licensees, applicants, vendors, State, Local, and Tribal Governments, etc.) with which the NRC intends to share CUI, regardless of form (hard copy or electronic), will be asked to voluntarily sign the CUI information-sharing agreement. This agreement contains reporting and recordkeeping requirements for non-executive branch entities: to review and submit the signed information-sharing agreement to the NRC, to report any non-compliance when handling CUI to the NRC, and to report whether their information systems meet the CUI security requirements in NIST SP 800-171. The establishment of this agreement satisfies the requirements under 32 CFR 2002.16(a)(5)(i), Information-sharing agreements.
A. JUSTIFICATION
- 1. Need For the Collection of Information
- 32 CFR 2002.16(a)(5)(i), Information-sharing agreements, requires agencies to enter into a formal agreement, whenever feasible, when they intend to share CUI in any form (hard copy or electronic) with non-executive branch entities. By regulation, agreements with non-executive branch entities must include provisions that state:
o Non-executive branch entities must handle CUI in accordance with Executive Order 13556, 32 CFR 2002, and the CUI Registry (see 32 CFR 2002.16(a)(5)(i) and (6)(i));
o Misuse of CUI is subject to penalties established in applicable laws, regulations, or Government-wide policies (see 32 CFR 2002.16(a)(6)(ii)); and
o The non-executive branch entity must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency's CUI Senior Agency Official (see 32 CFR 2002.16(a)(6)(iii)).
- The NRC information-sharing agreement includes these required provisions, including the requirement for non-executive branch entities to report any non-compliance with handling CUI (See Section 9, CUI security incidents and misuse, of the NRC information-sharing agreement).
- The NRC intends to enter into formal information-sharing agreements with non-executive branch entities before the agency transitions to CUI. The NRC informs non-executive branch entities of the status of its transition to CUI during routine NRC CUI public meetings and by posting updates on the NRC's CUI public website: https://www.nrc.gov/reading-rm/cui.html. The NRC will make the formal information-sharing agreement available to non-executive branch entities for voluntary signature in a fillable-fileable format, or in hard copy format upon request. Any non-executive branch entity may transmit the signed agreement to the NRC in electronic or hard copy format.
- 2. Agency Use and Practical Utility of Information
The information requested in Section 9 of the CUI information-sharing agreement is the minimum necessary for non-executive branch entities to report a non-compliance, when handling CUI, to the NRC.
The information reported will be analyzed by the NRC to facilitate the rapid resolution of any breaches of CUI and to implement any mitigation efforts to minimize further security risks.
In addition, this information-sharing agreement helps the NRC to comply with the CUI rule requirement to establish formal CUI information-sharing agreements with its stakeholders and to support the NRC's ability to identify how CUI will be shared with each signee of the agreement.
- 3. Reduction of Burden Through Information Technology
The NRC staff estimates that approximately 100% of any potential CUI security incidents and misuse will be reported to the NRC electronically. There will be no paper-based submissions to implement this reporting requirement.
- 4. Effort to Identify Duplication and Use Similar Information
No sources of similar information are available. There is no duplication of requirements.
- 5. Effort to Reduce Small Business Burden
Since the requirements for handling and storing CUI are the same for large and small entities, it is not possible to reduce the burden on small businesses by imposing less frequent or less complete reporting or recordkeeping requirements.
- 6. Consequences to Federal Program or Policy Activities if the Collection Is Not Conducted or Is Conducted Less Frequently
This information is collected only when a non-executive branch entity reports any mishandling or misuse of CUI to the NRC. It could not be collected less frequently. If the information were not collected, the NRC could not comply with the requirements of 32 CFR 2002.16(a)(6)(iii). Specifically, the NRC would have no way to be informed of CUI security incidents when the non-executive branch entity mishandles or misuses CUI disseminated to it by the NRC staff.
- 7. Circumstances Which Justify Variation from OMB Guidelines
Not applicable.
- 8. Consultations Outside the NRC
Opportunity for public comment on the information collection requirements for this clearance package was published in the Federal Register.
- 9. Payment or Gift to Respondents
Not applicable.
- 10. Confidentiality of Information
Confidential and proprietary information is protected in accordance with NRC regulations at 10 CFR 9.17(a) and 10 CFR 2.390(b).
- 11. Justification for Sensitive Questions
This information collection does not request sensitive information.
- 12. Estimated Burden and Burden Hour Cost
The following estimates are based upon the NRC's review of its existing information-sharing program.
- a. Reporting burden for each non-executive branch entity's review of the NRC's CUI information-sharing agreement
On average, the NRC estimates that it will take a non-executive branch entity approximately ten hours to review, sign, and submit the signed agreement to the NRC. This estimate is based upon the fact that many of the non-executive branch entities that are expected to receive CUI from the NRC are already receiving sensitive unclassified information from the NRC under its existing information-sharing program. Although the concept of protecting sensitive unclassified information consistent with any applicable laws, regulations, or government-wide policies is not new to these non-executive branch entities, the NRC's CUI information-sharing agreement is new. Therefore, the NRC expects that it would take approximately ten hours to support their internal review and signature within their respective organizations. In addition, the NRC expects one response per each respondent.
Commented [DC1]: Responses per respondent?
Commented [TM2R1]: We only expect one response per each respondent. The response being that they sign the agreement. They do not have to sign multiple agreements. Does my proposed edit address your question or were you seeking additional clarification? Thank you.
- b. Reporting burden for each non-executive branch entity's report of suspected CUI security incidents
A CUI security incident is the improper access, use, disclosure, modification, or destruction of CUI, in any form or medium. The NRC currently estimates that:
o It will receive approximately twenty-five reports per year (25 different respondents submitting one report annually).
o It will take the non-executive branch entity approximately four hours to prepare, review, and submit the initial notification to the NRC, to the extent that it is known at the time. The notification would include the information required in Section 9 of the NRC's information-sharing agreement.
o The non-executive branch entity may also need to promptly supplement any initial notification to the NRC with additional information as it becomes available. At this time, the NRC roughly estimates receiving approximately one follow-up notification from the non-executive branch entity. The NRC estimates that it will take the non-executive branch entity approximately one hour to prepare, review, and submit any follow-up notification to the NRC.
Commented [DC3]: Am I correct to assume this is for 25 different respondents per year?
Commented [TM4R3]: For the purposes of this information collection, we are assuming that this is 25 different respondents, each submitting 1 report. But because I have no way to predict what type of security incidents could occur in the future, the potential exists for a respondent to report more than one security incident.
- c. Recordkeeping burden for each non-executive branch entity developing and maintaining the record to demonstrate compliance with NIST SP 800-171
Based upon feedback provided by non-executive branch entities during recent NRC CUI public meetings, the NRC does not anticipate any recordkeeping burden for non-executive branch entities to maintain records of their compliance with NIST SP 800-171 security requirements.
The $288 hourly rate used in the burden estimates is based on the Nuclear Regulatory Commission's fee for hourly rates as noted in 10 CFR 170.20, Average cost per professional staff-hour. For more information on the basis of this rate, see the Revision of Fee Schedules; Fee Recovery for Fiscal Year 2021 (86 FR 32146, June 17, 2021).
Table 1: Reporting and Recordkeeping Burden Hours/Burden Cost to Respondents

Item | Estimated Burden Hours | Estimated Responses (yr) | Estimated Burden (hrs/yr) | Estimated Rate ($/hr) | Estimated Total Cost ($)
---|---|---|---|---|---
Review, sign, and submit the information-sharing agreement | 10 | 1,236 | 12,360 | $288.00 | $3,559,680.00
Initial review and reporting of a CUI security incident or breach | 4 | 25 | 100 | $288.00 | $28,800.00
Follow-on reporting of a CUI security incident or breach | 1 | 25 | 25 | $288.00 | $7,200.00
Recordkeeping burden for each non-executive branch entity developing and maintaining the record to demonstrate compliance with NIST SP 800-171 | 1 | 0 | 0 | 0 | 0
Totals | | | 12,485 | | $3,595,680.00
- 13. Estimate of Other Additional Costs
There are no additional costs.
- 14. Estimated Annualized Cost to the Federal Government
The NRC estimates that it takes approximately:
o 1 hour to review the initial report and process each notification.
o 1 hour to review one follow-up notification.
Commented [DC5]: Am I correct to assume that we do not anticipate any burden to the Federal Government for reviewing the submitted Information Sharing Agreements?
Commented [TM6R5]: That is correct.

Table 2: Burden Hour/Burden Cost to the Federal Government

Item | Estimated Hours | Estimated Responses (yr) | Estimated Burden (hrs/yr) | Estimated Rate ($/hr) | Estimated Total Cost ($)
---|---|---|---|---|---
Review initial report and process | 1 | 25 | 25 hrs/year | $288.00 | $7,200.00
Review follow-up notification | 1 | 25 | 25 hrs/year | $288.00 | $7,200.00
Totals | | | | | $14,400.00
- 15. Reasons for Change in Burden or Cost
This is a new clearance.
- 16. Publication for Statistical Use
Not applicable. The NRC does not plan to publish this information for statistical use.
- 17. Reason for Not Displaying the Expiration Date
The form in this information collection will display the OMB Control Number and the expiration date of OMB approval.
- 18. Exceptions to the Certification Statement
There are no exceptions.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Not Applicable