SECY-18-0097, VR-SECY-18-0097: Proposed Controlled Unclassified Information Policy Statement

VR-SECY-18-0097: Proposed Controlled Unclassified Information Policy Statement
ML19030B670
Person / Time
Issue date: 01/29/2019
From: Commissioners
NRC/OCM
To: Annette Vietti-Cook
NRC/SECY
References
SECY-18-0097


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

January 29, 2019

COMMISSION VOTING RECORD

DECISION ITEM: SECY-18-0097

TITLE: PROPOSED CONTROLLED UNCLASSIFIED INFORMATION POLICY STATEMENT

The Commission acted on the subject paper as recorded in the Staff Requirements Memorandum (SRM) of January 29, 2019.

This Record contains a summary of voting on this matter together with the individual vote sheets, views and comments of the Commission.

Annette L. Vietti-Cook, Secretary of the Commission

Enclosures:

1. Voting Summary
2. Commissioner Vote Sheets

cc: Chairman Svinicki, Commissioner Baran, Commissioner Burns, Commissioner Caputo, Commissioner Wright, OGC, EDO, PDR

VOTING SUMMARY - SECY-18-0097

RECORDED VOTES

APPROVED / DISAPPROVED / ABSTAIN / NOT PARTICIPATING / COMMENTS / DATE

Chrm. Svinicki X X 01/10/19
Cmr. Baran X X 12/11/18
Cmr. Burns X X 12/03/18
Cmr. Caputo X X 01/15/19
Cmr. Wright X X 01/10/19

NOTATION VOTE RESPONSE SHEET

TO: Annette Vietti-Cook, Secretary
FROM: CHAIRMAN SVINICKI
SUBJECT: SECY-18-0097: Draft Controlled Unclassified Information Policy Statement

Approved XX   Disapproved - -   Abstain - -   Not Participating

COMMENTS: Below XX   Attached XX   None

I approve the staff's recommendation to publish a Controlled Unclassified Information policy statement in the Federal Register, subject to the attached edits and concurrent with the issuance of Management Directive 12.6.

Entered on "STARS": Yes

SECY-18-0097, Encl. 2 KLS Edits

[7590-01-P]

NUCLEAR REGULATORY COMMISSION

[NRC-20YY-XXXX]

Controlled Unclassified Information Program

AGENCY: Nuclear Regulatory Commission.

ACTION: Policy statement; issuance.

SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) is issuing this Statement of Policy to set forth its expectation regarding the treatment of controlled unclassified information (CUI). This final policy statement describes how the NRC will comply with regulations recently issued by the National Archives and Records Administration (NARA) that direct agencies to minimize the risk of unauthorized disclosure of controlled unclassified information while allowing timely access by authorized holders. This Policy Statement aligns with similar actions taken by other Federal agencies to communicate changes in agency CUI policy to align with NARA requirements. During the transition to the CUI program, all elements of NRC's existing Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place.

DATES: The policy statement is effective on [INSERT DATE OF PUBLICATION IN THE FEDERAL REGISTER].

ADDRESSES: Please refer to Docket ID <NRC-20YY-XXXX> when contacting the NRC about the availability of information regarding this document. You may obtain publicly-available information related to this document using any of the following methods:

  • Federal Rulemaking Web Site: Go to http://www.regulations.gov and search for Docket ID <NRC-20YY-XXXX>. Address questions about NRC dockets to Carol Gallagher; telephone: 301-415-3463; e-mail: Carol.Gallagher@nrc.gov. For technical questions, contact the individual(s) listed in the FOR FURTHER INFORMATION CONTACT section of this document.
  • NRC's Agencywide Documents Access and Management System (ADAMS): You may obtain publicly-available documents online in the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select "Begin Web-based ADAMS Search." For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by e-mail to pdr.resource@nrc.gov. The ADAMS accession number for each document referenced (if it is available in ADAMS) is provided the first time that it is mentioned in this document.
  • NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room 01-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852.

FOR FURTHER INFORMATION CONTACT: Tanya Mensah, Office of the Chief Information Officer, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; telephone: 301-415-3610, e-mail: Tanya.Mensah@nrc.gov.

SUPPLEMENTARY INFORMATION:

I. Background

In November 2010, the President issued Executive Order (EO) 13556, "Controlled Unclassified Information (CUI)," to "establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls." According to the EO, agency-specific approaches have created an inefficient and confusing patchwork system, resulting in inconsistent marking and safeguarding of information and unnecessarily restricted information-sharing. On September 14, 2016, NARA published in the Federal Register a final CUI rule adding new part 2002 to title 32 of the Code of Federal Regulations (32 CFR) (81 FR 63323).

The CUI rule went into effect on November 14, 2016, and established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch. The CUI rule applies directly to Federal executive branch agencies, including the NRC, and the rule's primary function is to define how the CUI program will be implemented within these agencies. Controlled Unclassified Information does not include Classified National Security Information that has been classified pursuant to Executive Order 13526 or the Atomic Energy Act of 1954 (AEA), as amended, or information a non-Executive Branch entity (e.g., contractors, licensees, Agreement States,1 intervenors) possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an Executive Branch agency or an entity acting for such an agency. However, the CUI rule can apply indirectly, through information-sharing agreements, to non-executive branch entities that are provided access to information that has been designated as CUI.

1 Agreement States are States that have entered into formal agreements with the NRC, pursuant to Section 274 of the AEA, to regulate certain quantities of AEA material at facilities located within their borders.

Controlled Unclassified Information does not include information that has been classified pursuant to an Executive Order or the Atomic Energy Act of 1954, as amended, or information a non-Executive Branch entity (e.g., contractors, licensees, Agreement States, intervenors) possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an Executive Branch agency or an entity acting for such an agency.

II. Statement of Policy

The NRC has long been committed to protecting sensitive information. In November 2010, the President issued Executive Order (EO) 13556, "Controlled Unclassified Information (CUI)," to "establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls." On September 14, 2016, NARA published 32 CFR part 2002 in the Federal Register (81 FR 63323). It is the Commission's policy that the NRC will comply with 32 CFR part 2002, "Controlled Unclassified Information (CUI)" (CUI rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders.

The CUI rule went into effect on November 14, 2016. It defines CUI as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI rule established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch.

The CUI rule applies directly to Federal Executive Branch agencies, including the NRC. The CUI rule identifies NARA as the Executive Agent responsible for implementing EO 13556 and overseeing agency actions to ensure compliance with the EO, the CUI rule, and the CUI registry. The CUI registry is an online repository located on the NARA website (https://www.archives.gov/cui) which, among other information, identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. The categories within the CUI registry serve as the exclusive designations for identifying CUI.

32 CFR 2002.8(c)(4) states that the CUI Senior Agency Official (SAO) is responsible for ensuring that the agency has CUI implementing policies and plans, as needed. The NRC staff reviewed NARA guidance, including NARA's CUI policy template, to determine the appropriate scope and level of detail needed to comply with the CUI Rule including developing and issuing an agency CUI policy, creating agency CUI training, implementing and verifying that all physical safeguarding requirements are in place to protect CUI, providing CUI training to all agency employees, assessing and transitioning the current configuration of information systems to the CUI rule standard, and developing and implementing internal oversight efforts to measure and monitor the CUI program.

The CUI program at the NRC will replace the Sensitive Unclassified Non-Safeguards Information (SUNSI) program and will also include, within its scope, Safeguards Information (SGI) and Safeguards Information-Modified Handling. Section 147 of the AEA, as amended, provides NRC with the statutory authority to prohibit the unauthorized disclosure of SGI. Even though SGI is a form of CUI under the CUI rule, any specific controls found in 10 CFR part 73, "Physical Protection of Plants and Materials," continue to apply to SGI and will continue to do so until and unless modifications are made through the NRC's rulemaking process.

The NRC recognizes that the CUI rule could alter how information is shared between the agency and external parties, including licensees, applicants, Agreement and non-Agreement States, and others. The NRC is committed to avoiding unintended consequences that unnecessarily increase the burden on external stakeholders while also maintaining adequate protective measures for CUI.

The CUI program is separate from the Classified National Security Information program. While the two programs may share similar language and some similar requirements, the CUI program's requirements for designating, protecting, accessing, sharing, and decontrolling information, as well as the repercussions for misuse, differ from those for the Classified National Security Information program.

In addition, the CUI program does not change NRC policy and practices in responding to a Freedom of Information Act (FOIA) request. Marking and designating information as CUI does not preclude information from release under the FOIA or preclude it from otherwise being considered for public release. The staff must still review the information and apply FOIA exemptions appropriately.

While the NRC transitions to the CUI program, all elements of the NRC's Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place. Until directed in accordance with the NRC's CUI policy, guidance, and training, NRC employees and contractors will not use CUI markings or follow other requirements specific to CUI. If NRC employees or contractors receive CUI before the implementation of the CUI program at the NRC, they will continue to follow current NRC guidance to protect sensitive information.

Key Elements of the CUI Program

(1) The NRC's CUI Program Office: The NRC's CUI Senior Agency Official (SAO) is responsible for planning, directing, and overseeing the implementation of a comprehensive, coordinated, integrated, efficient, and cost-effective NRC CUI program, consistent with applicable laws, regulations, and Commission direction, management initiatives, and policies from the Commission, the Executive Director for Operations, and the Chief Information Officer. The SAO's duties are assigned to the Director, Governance and Enterprise Management Services Division in the Office of the Chief Information Officer.

(2) Applicability: This policy applies to all NRC employees and contractors. The CUI rule also may apply indirectly through information-sharing agreements, as discussed in the CUI rule, to persons or entities that are provided access to information that has been designated as CUI.

In accordance with the CUI rule, the NRC's CUI program will contain the following elements:

  • Information technology and cybersecurity control standards;
  • Access and dissemination standards, including, where feasible, agreements with external parties for sharing information;
  • Training;
  • Processes for decontrolling information, issuing waivers, managing incidents, and challenging designations of information as CUI; and
  • A self-inspection and corrective action program.

Management Directive 12.6, "NRC Controlled Unclassified Information Program," when published, will provide detailed guidance to NRC staff and contractors for the handling, marking, protecting, sharing, destroying, and decontrolling of CUI in accordance with 32 CFR part 2002.

Dated at Rockville, Maryland, this XXth day of <MONTH> 2019.

For the Nuclear Regulatory Commission.

Annette Vietti-Cook, Secretary of the Commission

NOTATION VOTE RESPONSE SHEET

TO: Annette Vietti-Cook, Secretary
FROM: Commissioner Baran
SUBJECT: SECY-18-0097: Draft Controlled Unclassified Information Policy Statement

Approved X   Disapproved - -   Abstain - -   Not Participating

COMMENTS: Below X   Attached X   None

In 2016, the National Archives and Records Administration (NARA) issued a Controlled Unclassified Information (CUI) rule to standardize the way executive branch agencies handle information that requires protection but is not Classified National Security Information. As part of NRC's implementation of the CUI rule, the staff is seeking approval of a proposed policy statement. The staff presents two options for the high-level policy statement: (1) publishing the proposed CUI policy statement in the Federal Register for public comment; or (2) approving a final CUI policy statement now, without seeking public comment, but issuing it in September 2019, when the staff expects to concurrently issue NRC-specific implementing guidance. I do not view the core elements of these two options as mutually exclusive. I think it makes sense to release a draft policy statement for public comment now and, after considering the public comments, finalize the policy statement in September 2019 at the same time NRC's more detailed implementing guidance is issued. If, as the staff expects, the proposed policy statement does not generate significant public comment, then it should not be challenging to finalize the policy statement in that timeframe. This approach maximizes transparency and public participation while avoiding the strange result of withholding a finalized policy statement from the public for almost a year. Using the Federal Register notice to state NRC's intent to finalize the policy statement in September 2019 should also demonstrate to NARA and other stakeholders that the agency is committed to a smooth and timely transition to a CUI program.

For these reasons, I approve Option 1 and a modified Option 2 (as discussed above). I approve the Federal Register notice, subject to the attached edits.

Entered in STARS: Yes X

[7590-01-P]

NUCLEAR REGULATORY COMMISSION

[NRC-20YY-XXXX]

Controlled Unclassified Information Program

JMB edits

AGENCY: Nuclear Regulatory Commission.

ACTION: Proposed policy statement; request for comment.

SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) is issuing for public comment a proposed policy statement to set forth its expectation regarding the treatment of controlled unclassified information (CUI). This proposed policy statement describes how the NRC will comply with regulations recently issued by the National Archives and Records Administration (NARA) that direct agencies to minimize the risk of unauthorized disclosure of controlled unclassified information while allowing timely access by authorized holders. During the transition to the CUI program, all elements of the NRC's existing Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place. The NRC intends to issue a final policy statement in September 2019, concurrent with the publication of detailed implementing guidance.

DATES: Submit comments by [INSERT DATE 30 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]. Comments received after this date will be considered if it is practical to do so, but the Commission is able to ensure consideration only for comments received before this date.

ADDRESSES: You may submit comments by any of the following methods.

Enclosure 1

comment submissions at http://www.regulations.gov as well as enter the comment submissions into ADAMS. The NRC does not routinely edit comment submissions to remove identifying or contact information.

If you are requesting or aggregating comments from other persons for submission to the NRC, then you should inform those persons not to include identifying or contact information that they do not want to be publicly disclosed in their comment submission. Your request should state that the NRC does not routinely edit comment submissions to remove such information before making the comment submissions available to the public or entering the comment into ADAMS.

II. Background

In November 2010, the President issued Executive Order 13556, Controlled Unclassified Information (CUI), to "establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls."

According to the Executive Order, agency-specific approaches have created an inefficient and confusing patchwork system, resulting in inconsistent marking and safeguarding of information and unnecessarily restricted information-sharing. On September 14, 2016, NARA published in the Federal Register a final CUI rule adding new part 2002 to title 32 of the Code of Federal Regulations (32 CFR) (81 FR 63323).

The CUI rule went into effect on November 14, 2016, and established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch. The CUI rule applies directly to Federal executive branch agencies, including the NRC, and the rule's primary function is to define how the CUI program will be implemented within these agencies. The CUI rule can also apply indirectly, through information-sharing agreements, to non-executive branch entities that are provided access to information that has been designated as CUI.

Controlled Unclassified Information does not include information that has been classified pursuant to an Executive Order or the Atomic Energy Act of 1954, as amended, nor information a non-Executive Branch entity (e.g., contractors, licensees, Agreement States, intervenors) possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an Executive Branch agency or an entity acting for such an agency.

III. Proposed Statement of Policy

The NRC has long been committed to protecting sensitive information. On September 14, 2016, NARA published 32 CFR part 2002, "Controlled Unclassified Information (CUI)" (CUI rule) in the Federal Register (81 FR 63323). It is the Commission's policy that the NRC will expeditiously comply with 32 CFR part 2002, "Controlled Unclassified Information (CUI)" (the CUI rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders. In November 2010, the President issued Executive Order (EO) 13556, Controlled Unclassified Information (CUI), to "establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls." On September 14, 2016, NARA published 32 CFR part 2002 in the Federal Register (81 FR 63323).

The CUI Rule went into effect on November 14, 2016. It defines CUI as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Rule established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch.

The CUI Rule applies directly to Federal Executive Branch agencies, including the NRC. The CUI rule identifies NARA as the Executive Agent to implement Executive Order 13556 and to oversee agency actions to ensure compliance with the Executive Order, the CUI rule, and the CUI registry. The CUI registry is an online repository located on the NARA website (https://www.archives.gov/cui) which, among other information, identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. The categories within the CUI registry serve as the exclusive designations for identifying CUI. Agencies may not implement safeguarding or dissemination controls for any unclassified information other than those controls permitted by the CUI Program.

32 CFR 2002.8(c)(4) states that the CUI Senior Agency Official (SAO) is responsible for ensuring that the agency has CUI implementing policies and plans, as needed. The NRC staff reviewed NARA guidance, including NARA's CUI policy template, to determine the appropriate scope and level of detail needed to comply with the CUI Rule including developing and issuing an agency CUI policy, creating agency CUI training, implementing and verifying that all physical safeguarding requirements are in place to protect CUI, providing CUI training to all agency employees, assessing and transitioning the current configuration of information systems to the CUI rule standard, and developing and implementing internal oversight efforts to measure and monitor the CUI program.

The CUI program at the NRC will replace the Sensitive Unclassified Non-Safeguards Information (SUNSI) program and will also include, within its scope, Safeguards Information (SGI) and Safeguards Information-Modified Handling. Even though SGI is a form of CUI under the CUI rule, any specific controls found in 10 CFR part 73, "Physical Protection of Plants and Materials," continue to apply to SGI and will continue to do so until and unless modifications are made through the NRC's rulemaking process.

The NRC recognizes that the CUI rule could alter how information is shared between the agency and external parties, including licensees, applicants, Agreement and non-Agreement States, and others. The NRC is committed to avoiding unintended consequences that unnecessarily increase the burden on external stakeholders while also maintaining adequate protective measures for CUI.

The CUI program is separate from the Classified National Security Information program. While the two programs may share similar language and some similar requirements, the CUI program's requirements for designating, protecting, accessing, sharing, and decontrolling information, as well as the repercussions for misuse, differ from those for the classified information program.

In addition, the CUI program does not change NRC policy and practices in responding to a Freedom of Information Act (FOIA) request. Marking and designating information as CUI does not preclude information from release under the FOIA or preclude it from otherwise being considered for public release. The staff must still review the information and apply FOIA exemptions appropriately.

In accordance with the CUI rule, the NRC's CUI program will contain the following elements:

  • Information technology and cybersecurity control standards;
  • Access and dissemination standards, including, where feasible, agreements with external parties for sharing information;
  • Training;
  • Processes for decontrolling information, issuing waivers, managing incidents, and challenging designations of information as CUI; and
  • A self-inspection and corrective action program.

Management Directive 12.6, "NRC Controlled Unclassified Information Program," when published, will provide detailed guidance to NRC staff and contractors for the handling, marking, protecting, sharing, destroying, and decontrolling of CUI in accordance with 32 CFR part 2002. The NRC intends to issue a final policy statement in September 2019, concurrent with the publication of Management Directive 12.6.

Dated at Rockville, Maryland, this XXth day of <MONTH> 2018.

For the Nuclear Regulatory Commission.

Annette Vietti-Cook, Secretary of the Commission

NOTATION VOTE RESPONSE SHEET

TO: Annette Vietti-Cook, Secretary
FROM: Commissioner Burns
SUBJECT: SECY-18-0097: Draft Controlled Unclassified Information Policy Statement

Approved X   Disapproved - -   Abstain - -   Not Participating

COMMENTS: Below X   Attached X   None

I approve NRC staff's recommendation to publish a Controlled Unclassified Information policy statement in the Federal Register concurrent with the issuance of Management Directive 12.6, subject to the attached edits.

Entered in STARS: Yes X

Date: December 2018

[7590-01-P]

SGB Edits (SECY-18-0097 Enclosure 2)

NUCLEAR REGULATORY COMMISSION

[NRC-20YY-XXXX]

Controlled Unclassified Information Program

AGENCY: Nuclear Regulatory Commission.

ACTION: Policy statement; issuance.

SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) is issuing this Statement of Policy to set forth its expectation regarding the treatment of controlled unclassified information (CUI). This final policy statement describes how the NRC will comply with regulations recently issued by the National Archives and Records Administration (NARA) that direct agencies to minimize the risk of unauthorized disclosure of controlled unclassified information while allowing timely access by authorized holders. This Statement of Policy also aligns with similar actions taken by other Federal agencies to communicate a uniform statement about change in agency policy to internal and external stakeholders. During the transition to the CUI program, all elements of NRC's existing Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place.

DATES: The policy statement is effective on [INSERT DATE OF PUBLICATION IN THE FEDERAL REGISTER].

ADDRESSES: Please refer to Docket ID <NRC-20YY-XXXX> when contacting the NRC about the availability of information regarding this document. You may obtain publicly-available information related to this document using any of the following methods:

  • Federal Rulemaking Web Site: Go to http://www.regulations.gov and search for Docket ID <NRC-20YY-XXXX>. Address questions about NRC dockets to Carol Gallagher; telephone: 301-415-3463; e-mail: Carol.Gallagher@nrc.gov. For technical questions, contact the individual(s) listed in the FOR FURTHER INFORMATION CONTACT section of this document.
  • NRC's Agencywide Documents Access and Management System (ADAMS): You may obtain publicly-available documents online in the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select "Begin Web-based ADAMS Search." For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by e-mail to pdr.resource@nrc.gov. The ADAMS accession number for each document referenced (if it is available in ADAMS) is provided the first time that it is mentioned in this document.
  • NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room 01-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852.

FOR FURTHER INFORMATION CONTACT: Tanya Mensah, Office of the Chief Information Officer, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; telephone: 301-415-3610, e-mail: Tanya.Mensah@nrc.gov.

SUPPLEMENTARY INFORMATION:

I. Background

In November 2010, the President issued Executive Order 13556, Controlled Unclassified Information (CUI), to "establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls."

According to the Executive Order, agency-specific approaches have created an inefficient and confusing patchwork system, resulting in inconsistent marking and safeguarding of information and unnecessarily restricted information-sharing. On September 14, 2016, the National Archives and Records Administration (NARA) published in the Federal Register a final CUI rule adding new part 2002 to title 32 of the Code of Federal Regulations (32 CFR) (81 FR 63323). The CUI rule went into effect on November 14, 2016, and established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch. The CUI rule applies directly to Federal executive branch agencies, including the NRC, and the rule's primary function is to define how the CUI program will be implemented within these agencies. The CUI rule can also apply indirectly, through information-sharing agreements, to non-executive branch entities (e.g., contractors, licensees, Agreement States, intervenors in adjudicatory proceedings) that are provided access to information that has been designated as CUI.

Controlled Unclassified Information does not include Classified National Security Information that has been classified pursuant to Executive Order 13526 or

entity (e.g., contractors, licensees, Agreement States, intervenors) possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an Executive Branch agency or an entity acting for such an agency.

II. Statement of Policy

The NRC has long been committed to protecting sensitive information. It is the Commission's policy that the NRC will comply with 32 CFR part 2002, "Controlled Unclassified Information (CUI)" (CUI rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders. In November 2010, the President issued Executive Order (EO) 13556, Controlled Unclassified Information (CUI), to "establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls." On September 14, 2016, the National Archives and Records Administration (NARA) published 32 CFR part 2002 in the Federal Register (81 FR 63323). The NRC will comply with 32 CFR part 2002, "Controlled Unclassified Information (CUI)" (CUI Rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders.

The CUI Rule went into effect on November 14, 2016. It defines CUI as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Rule established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch, including the NRC.

The CUI Rule applies directly to Federal Executive Branch agencies, including the NRC. The CUI rule identifies NARA as the Executive Agent responsible for implementing Executive Order 13556 and overseeing agency actions to ensure compliance with the Executive Order, the CUI Rule, and the CUI registry. The CUI registry is an online repository located on the NARA website (https://www.archives.gov/cui) which, among other information, identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. The categories within the CUI registry serve as the exclusive designations for identifying CUI.

32 CFR 2002.8(c)(4) states that the CUI Senior Agency Official (SAO) is responsible for ensuring that the agency has CUI implementing policies and plans, as needed. The NRC staff reviewed NARA guidance, including NARA's CUI policy template, to determine the appropriate scope and level of detail needed to comply with the CUI Rule including developing and issuing an agency CUI policy, creating agency CUI training, implementing and verifying that all physical safeguarding requirements are in place to protect CUI, providing CUI training to all agency employees, assessing and transitioning the current configuration of information systems to the CUI rule standard, and developing and implementing internal oversight efforts to measure and monitor the CUI program.

The CUI program at the NRC will replace the Sensitive Unclassified Non-Safeguards Information (SUNSI) program and will also include, within its scope, Safeguards Information (SGI) and Safeguards Information-Modified Handling. Section 147 of the Atomic Energy Act of 1954 as amended provides NRC with the statutory authority to prohibit the unauthorized disclosure of safeguards information. Even though SGI is a form of CUI under the CUI rule, specific controls found in 10 CFR part 73, "Physical Protection of Plants and Materials," continue to apply to SGI and will continue to do so until and unless modifications are made through the NRC's rulemaking process.

The NRC recognizes that the CUI rule could alter how information is shared between the agency and external parties, including licensees, applicants, Agreement and non-Agreement States, and others. The NRC is committed to avoiding unintended consequences that unnecessarily increase the burden on external stakeholders while also maintaining adequate protective measures for CUI.

The CUI program is separate from the Classified National Security Information program. While the two programs may share similar language and some similar requirements, the CUI program's requirements for designating, protecting, accessing, sharing, and decontrolling information, as well as the repercussions for misuse, differ from those for the classified information program.

In addition, the CUI program does not change NRC policy and practices in responding to a Freedom of Information Act (FOIA) request. Marking and designating information as CUI does not preclude information from release under the FOIA or preclude it from otherwise being considered for public release. The staff must still review the information and apply FOIA exemptions appropriately.

While the NRC transitions to the CUI program, all elements of the Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place. Until directed in accordance with the NRC's CUI policy, guidance, and training, NRC employees and contractors will not use CUI markings or follow other requirements specific to CUI. If NRC employees or contractors receive CUI before the implementation of the CUI program at the NRC, they will continue to follow current NRC guidance to protect sensitive information.

Key Elements of the CUI Program

(1) The NRC's CUI Program Office: The NRC's CUI Senior Agency Official (SAO) is responsible for planning, directing, and overseeing the implementation of a comprehensive, coordinated, integrated, efficient, and cost-effective NRC CUI program, consistent with applicable laws and regulations and Commission direction, management initiatives, and policies from the Commission, the Executive Director for Operations, and the Chief Information Officer. The SAO's duties are assigned to the Director, Governance and Enterprise Management Services Division in the Office of the Chief Information Officer.

(2) Applicability: This policy applies to all NRC employees and contractors. The CUI rule also may apply indirectly through information-sharing agreements, as discussed in the CUI rule, to persons or entities that are provided access to information that has been designated as CUI.

In accordance with the CUI rule, the NRC's CUI program will contain the following elements:

  • Information technology and cybersecurity control standards;
  • Access and dissemination standards, including, where feasible, agreements with external parties for sharing information;
  • Training;
  • Processes for decontrolling information, issuing waivers, managing incidents, and challenging designations of information as CUI; and
  • A self-inspection and corrective action program.


Management Directive 12.6, "NRC Controlled Unclassified Information Program," when published, will provide detailed guidance to NRC staff and contractors for the handling, marking, protecting, sharing, destroying, and decontrolling of CUI in accordance with 32 CFR part 2002.

Dated at Rockville, Maryland, this XXth day of <MONTH> 2019.

For the Nuclear Regulatory Commission.

Annette Vietti-Cook, Secretary of the Commission.


NOTATION VOTE RESPONSE SHEET

TO: Annette Vietti-Cook, Secretary

FROM: Commissioner Caputo

SUBJECT: SECY-18-0097: Draft Controlled Unclassified Information Policy Statement

Approved X Disapproved Abstain Not Participating

COMMENTS: Below X Attached None

I approve NRC staff's recommendation to publish a Controlled Unclassified Information policy statement in the Federal Register concurrent with the issuance of Management Directive 12.6, "NRC Controlled Unclassified Information Program" subject to the attached edits.

Entered in STARS: Yes X No

[signature and date illegible]

SECY-18-0097, Enclosure 2 AXC Edits

[7590-01-P]

NUCLEAR REGULATORY COMMISSION

[NRC-20YY-XXXX]

Controlled Unclassified Information Program AGENCY: Nuclear Regulatory Commission.

ACTION: Policy statement; issuance.

SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) is issuing this Statement of Policy to set forth its expectation regarding the treatment of Controlled Unclassified Information (CUI). This final policy statement describes how the NRC will comply with regulations recently issued by the National Archives and Records Administration (NARA) that direct agencies to minimize the risk of unauthorized disclosure of controlled unclassified information while allowing timely access by authorized holders. This Policy Statement aligns with similar actions taken by other Federal agencies to communicate change in agency CUI policy to align with NARA requirements. During the transition to the CUI program, all elements of NRC's existing Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place.

DATES: The policy statement is effective on [INSERT DATE OF PUBLICATION IN THE FEDERAL REGISTER].

ADDRESSES: Please refer to Docket ID <NRC-20YY-XXXX> when contacting the NRC about the availability of information regarding this document. You may obtain publicly-available information related to this document using any of the following methods:

  • Federal Rulemaking Web Site: Go to http://www.regulations.gov and search for Docket ID <NRC-20YY-XXXX>. Address questions about NRC dockets to Carol Gallagher; telephone: 301-415-3463; e-mail: Carol.Gallagher@nrc.gov. For technical questions, contact the individual(s) listed in the FOR FURTHER INFORMATION CONTACT section of this document.
  • NRC's Agencywide Documents Access and Management System (ADAMS): You may obtain publicly-available documents online in the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select "Begin Web-based ADAMS Search." For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by e-mail to pdr.resource@nrc.gov. The ADAMS accession number for each document referenced (if it is available in ADAMS) is provided the first time that it is mentioned in this document.
  • NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room 01-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852.

FOR FURTHER INFORMATION CONTACT: Tanya Mensah, Office of the Chief Information Officer, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; telephone: 301-415-3610, e-mail: Tanya.Mensah@nrc.gov.


SUPPLEMENTARY INFORMATION:

I. Background

In November 2010, the President issued Executive Order (EO) 13556, Controlled Unclassified Information (CUI) to "establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls." According to the EO, agency-specific approaches have created an inefficient and confusing patchwork system, resulting in inconsistent marking and safeguarding of information and unnecessarily restricted information-sharing. On September 14, 2016, NARA published in the Federal Register a final CUI rule adding new part 2002 to title 32 of the Code of Federal Regulations (32 CFR) (81 FR 63323).

The CUI rule went into effect on November 14, 2016, and established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch. The CUI rule applies directly to Federal executive branch agencies, including the NRC, and the rule's primary function is to define how the CUI program will be implemented within these agencies. Controlled Unclassified Information does not include Classified National Security Information that has been classified pursuant to Executive Order 13526 or the Atomic Energy Act of 1954 (AEA), as amended, or information a non-Executive Branch entity (e.g., contractors, licensees, Agreement States,¹ intervenors) possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an Executive Branch agency or an entity acting for such an agency. However, the CUI rule can also apply indirectly, through information-sharing agreements, to non-executive branch entities (e.g., contractors, licensees, Agreement States, intervenors in adjudicatory proceedings) that are provided access to information that has been designated as CUI.

¹ Agreement States are States that have entered into formal agreements with the NRC, pursuant to Section 274 of the AEA, to regulate certain quantities of AEA material at facilities located within their borders.

Controlled Unclassified Information does not include Classified National Security Information that has been classified pursuant to Executive Order 13526 or the Atomic Energy Act of 1954, as amended, or information a non-Executive Branch entity (e.g., contractors, licensees, Agreement States, intervenors) possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an Executive Branch agency or an entity acting for such an agency.

II. Statement of Policy

The NRC has long been committed to protecting sensitive information. It is the Commission's policy that the NRC will comply with 32 CFR part 2002, "Controlled Unclassified Information (CUI)" (CUI rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders. In November 2010, the President issued Executive Order (EO) 13556, Controlled Unclassified Information (CUI), to "establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls." On September 14, 2016, NARA published 32 CFR part 2002 in the Federal Register (81 FR 63323). It is the Commission's policy that the NRC will comply with 32 CFR part 2002, "Controlled Unclassified Information (CUI)" (CUI rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders. NRC will comply with 32 CFR part 2002, "Controlled Unclassified Information (CUI)" (CUI rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders.

The CUI rule went into effect on November 14, 2016. It defines CUI as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI rule established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch, including the NRC.

The CUI Rule applies directly to Federal Executive Branch agencies, including the NRC. The CUI rule identifies NARA as the Executive Agent to implement EO 13556 and to oversee agency actions to ensure compliance with the EO, the CUI rule, and the CUI registry. The CUI registry is an online repository located on the NARA website (https://www.archives.gov/cui) which, among other information, identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. The categories within the CUI registry serve as the exclusive designations for identifying CUI.

32 CFR 2002.8(c)(4) states that the CUI Senior Agency Official (SAO) is responsible for ensuring that the agency has CUI implementing policies and plans, as needed. The NRC staff reviewed NARA guidance, including NARA's CUI policy template, to determine the appropriate scope and level of detail needed to comply with the CUI Rule including developing and issuing an agency CUI policy, creating agency CUI training, implementing and verifying that all physical safeguarding requirements are in place to protect CUI, providing CUI training to all agency employees, assessing and transitioning the current configuration of information systems to the CUI rule standard, and developing and implementing internal oversight efforts to measure and monitor the CUI program.

The CUI program at the NRC will replace the Sensitive Unclassified Non-Safeguards Information (SUNSI) program and will also include, within its scope, Safeguards Information (SGI) and Safeguards Information-Modified Handling. Section 147 of the Atomic Energy Act of 1954, as amended, provides NRC with statutory authority to prohibit the unauthorized disclosure of SGI information. Even though SGI is a form of CUI under the rule, any specific controls found in 10 CFR part 73, "Physical Protection of Plants and Materials," continue to apply to SGI and will continue to do so until and unless modifications are made through the NRC's rulemaking process.

The NRC recognizes that the CUI rule could alter how information is shared between the agency and external parties, including licensees, applicants, Agreement and non-Agreement States, and others. The NRC is committed to avoiding unintended consequences that unnecessarily increase the burden on external stakeholders while also maintaining adequate protective measures for CUI.

The CUI program is separate from the Classified National Security Information program. While the two programs may share similar language and some similar requirements, the CUI program's requirements for designating, protecting, accessing, sharing, and decontrolling information, as well as the repercussions for misuse, differ from those for the Classified National Security Information program.

In addition, the CUI program does not change NRC policy and practices in responding to a Freedom of Information Act (FOIA) request. Marking and designating information as CUI does not preclude information from release under the FOIA or preclude it from otherwise being considered for public release. The staff must still review the information and apply FOIA exemptions appropriately.

While the NRC transitions to the CUI program, all elements of the Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place. Until directed in accordance with the NRC's CUI policy, guidance, and training, NRC employees and contractors will not use CUI markings or follow other requirements specific to CUI. If NRC employees or contractors receive CUI before the implementation of the CUI program at the NRC, they will continue to follow current NRC guidance to protect sensitive information.

Key Elements of the CUI Program

(1) The NRC's CUI Program Office: The NRC's CUI Senior Agency Official (SAO) is responsible for planning, directing, and overseeing the implementation of a comprehensive, coordinated, integrated, efficient, and cost-effective NRC CUI program, consistent with applicable laws, regulations, and Commission direction, management initiatives, and policies from the Commission, the Executive Director for Operations, and the Chief Information Officer. The SAO's duties are assigned to the Director, Governance and Enterprise Management Services Division in the Office of the Chief Information Officer.

(2) Applicability: This policy applies to all NRC employees and contractors. The CUI rule also may apply indirectly through information-sharing agreements, as discussed in the CUI rule, to persons or entities that are provided access to information that has been designated as CUI.

In accordance with the CUI rule, the NRC's CUI program will contain the following elements:

  • Information technology and cybersecurity control standards;
  • Access and dissemination standards, including, where feasible, agreements with external parties for sharing information;
  • Training;
  • Processes for decontrolling information, issuing waivers, managing incidents, and challenging designations of information as CUI; and
  • A self-inspection and corrective action program.


Management Directive 12.6, "NRC Controlled Unclassified Information Program," when published, will provide detailed guidance to NRC staff and contractors for the handling, marking, protecting, sharing, destroying, and decontrolling of CUI in accordance with 32 CFR part 2002.

Dated at Rockville, Maryland, this XXth day of <MONTH> 2019.

For the Nuclear Regulatory Commission.

Annette Vietti-Cook, Secretary of the Commission

NOTATION VOTE RESPONSE SHEET

TO: Annette Vietti-Cook, Secretary

FROM: Commissioner Wright

SUBJECT: SECY-18-0097: Draft Controlled Unclassified Information Policy Statement

Approved X Disapproved Abstain Not Participating

COMMENTS: Below X Attached X None

I approve the proposed Controlled Unclassified Information policy statement and its publication in the Federal Register, concurrent with the issuance of Management Directive 12.6, subject to the attached edits.

Entered in STARS: Yes ✓ No

[signature and date illegible]

[7590-01-P]

DAW Edits

NUCLEAR REGULATORY COMMISSION

[NRC-20YY-XXXX]

Controlled Unclassified Information Program AGENCY: Nuclear Regulatory Commission.

ACTION: Policy statement; issuance.

SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) is issuing this Statement of Policy to set forth its expectation regarding the treatment of controlled unclassified information (CUI). This final policy statement describes how the NRC will comply with regulations recently issued by the National Archives and Records Administration (NARA) that direct agencies to minimize the risk of unauthorized disclosure of controlled unclassified information while allowing timely access by authorized holders. This Statement of Policy also aligns with similar actions taken by other Federal agencies to communicate a uniform statement about change in agency policy to internal and external stakeholders. During the transition to the CUI program, all elements of NRC's existing Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place.

DATES: The policy statement is effective on [INSERT DATE OF PUBLICATION IN THE FEDERAL REGISTER].

ADDRESSES: Please refer to Docket ID <NRC-20YY-XXXX> when contacting the NRC about the availability of information regarding this document. You may obtain publicly-available information related to this document using any of the following methods:

  • Federal Rulemaking Web Site: Go to http://www.regulations.gov and search for Docket ID <NRC-20YY-XXXX>. Address questions about NRC dockets to Carol Gallagher; telephone: 301-415-3463; e-mail: Carol.Gallagher@nrc.gov. For technical questions, contact the individual(s) listed in the FOR FURTHER INFORMATION CONTACT section of this document.
  • NRC's Agencywide Documents Access and Management System (ADAMS): You may obtain publicly-available documents online in the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select "Begin Web-based ADAMS Search." For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by e-mail to pdr.resource@nrc.gov. The ADAMS accession number for each document referenced (if it is available in ADAMS) is provided the first time that it is mentioned in this document.
  • NRC's PDR: You may examine and purchase copies of public documents at the NRC's PDR, Room 01-F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland 20852.

FOR FURTHER INFORMATION CONTACT: Tanya Mensah, Office of the Chief Information Officer, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; telephone: 301-415-3610, e-mail: Tanya.Mensah@nrc.gov.


SUPPLEMENTARY INFORMATION:

I. Background

In November 2010, the President issued Executive Order 13556, Controlled Unclassified Information (CUI) to "establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls."

According to the Executive Order, agency-specific approaches have created an inefficient and confusing patchwork system, resulting in inconsistent marking and safeguarding of information and unnecessarily restricted information-sharing. On September 14, 2016, the National Archives and Records Administration (NARA) published in the Federal Register a final CUI rule adding new part 2002 to title 32 of the Code of Federal Regulations (32 CFR) (81 FR 63323). The CUI rule went into effect on November 14, 2016, and established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch. The CUI rule applies directly to Federal executive branch agencies, including the NRC, and the rule's primary function is to define how the CUI program will be implemented within these agencies. The CUI rule can also apply indirectly, through information-sharing agreements, to non-executive branch entities that are provided access to information that has been designated as CUI.

Controlled Unclassified Information does not include Classified National Security Information that has been classified pursuant to Executive Order 13526 or the Atomic Energy Act of 1954, as amended, or information a non-Executive Branch entity (e.g., contractors, licensees, Agreement States, intervenors) possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an Executive Branch agency or an entity acting for such an agency.

II. Statement of Policy

The NRC has long been committed to protecting sensitive information. It is the Commission's policy that the NRC will comply with 32 CFR part 2002, "Controlled Unclassified Information (CUI)" (CUI rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders. In November 2010, the President issued Executive Order (EO) 13556, Controlled Unclassified Information (CUI), to "establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls." On September 14, 2016, the National Archives and Records Administration (NARA) published 32 CFR part 2002 in the Federal Register (81 FR 63323). The NRC will comply with 32 CFR part 2002, "Controlled Unclassified Information (CUI)" (CUI Rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders.

The CUI Rule went into effect on November 14, 2016. It defines CUI as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Rule established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch.

The CUI Rule applies directly to Federal Executive Branch agencies, including the NRC. The CUI Rule identifies NARA as the Executive Agent responsible for implementing Executive Order 13556 and overseeing agency actions to ensure compliance with the Executive Order, the CUI Rule, and the CUI registry. The CUI registry is an online repository located on the NARA website (https://www.archives.gov/cui) which, among other information, identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. The categories within the CUI registry serve as the exclusive designations for identifying CUI.

32 CFR 2002.8(c)(4) states that the CUI Senior Agency Official (SAO) is responsible for ensuring that the agency has CUI implementing policies and plans, as needed. The NRC staff reviewed NARA guidance, including NARA's CUI policy template, to determine the appropriate scope and level of detail needed to comply with the CUI Rule including developing and issuing an agency CUI policy, creating agency CUI training, implementing and verifying that all physical safeguarding requirements are in place to protect CUI, providing CUI training to all agency employees, assessing and transitioning the current configuration of information systems to the CUI rule standard, and developing and implementing internal oversight efforts to measure and monitor the CUI program.

The CUI program at the NRC will replace the Sensitive Unclassified Non-Safeguards Information (SUNSI) program and will also include, within its scope, Safeguards Information (SGI) and Safeguards Information-Modified Handling. Section 147 of the Atomic Energy Act of 1954, as amended, provides the NRC with the statutory authority to prohibit the unauthorized disclosure of safeguards information. Even though SGI is a form of CUI under the CUI Rule, specific controls found in 10 CFR part 73, "Physical Protection of Plants and Materials," continue to apply to SGI and will continue to do so until and unless modifications are made through the NRC's rulemaking process.

The NRC recognizes that the CUI Rule could alter how information is shared between the agency and external parties, including licensees, applicants, Agreement and non-Agreement States, and others. The NRC is committed to avoiding unintended consequences that unnecessarily increase the burden on external stakeholders while also maintaining adequate protective measures for CUI.

The CUI program is separate from the Classified National Security Information program. While the two programs may share similar language and some similar requirements, the CUI program's requirements for designating, protecting, accessing, sharing, and decontrolling information, as well as the repercussions for misuse, differ from those for the classified information program.

In addition, the CUI program does not change NRC policy and practices in responding to a Freedom of Information Act (FOIA) request. Marking and designating information as CUI does not preclude information from release under the FOIA or preclude it from otherwise being considered for public release. The staff must still review the information and apply FOIA exemptions appropriately.

While the NRC transitions to the CUI program, all elements of the Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place. Until directed in accordance with the NRC's CUI policy, guidance, and training, NRC employees and contractors will not use CUI markings or follow other requirements specific to CUI. If NRC employees or contractors receive CUI before the implementation of the CUI program at the NRC, they will continue to follow current NRC guidance to protect sensitive information.


Key Elements of the CUI Program

(1) The NRC's CUI Program Office: The NRC's CUI Senior Agency Official (SAO) is responsible for planning, directing, and overseeing the implementation of a comprehensive, coordinated, integrated, efficient, and cost-effective NRC CUI program, consistent with applicable laws and regulations and Commission direction, management initiatives, and policies from the Commission, the Executive Director for Operations, and the Chief Information Officer. The SAO's duties are assigned to the Director, Governance and Enterprise Management Services Division in the Office of the Chief Information Officer.

(2) Applicability: This policy applies to all NRC employees and contractors. The CUI Rule also may apply indirectly through information-sharing agreements, as discussed in the CUI rule, to persons or entities that are provided access to information that has been designated as CUI.

In accordance with the CUI Rule, the NRC's CUI program will contain the following elements:

  • Information technology and cybersecurity control standards;
  • Access and dissemination standards, including, where feasible, agreements with external parties for sharing information;
  • Training;
  • Processes for decontrolling information, issuing waivers, managing incidents, and challenging designations of information as CUI; and
  • A self-inspection and corrective action program.


Management Directive 12.6, "NRC Controlled Unclassified Information Program," when published, will provide detailed guidance to NRC staff and contractors for the handling, marking, protecting, sharing, destroying, and decontrolling of CUI in accordance with 32 CFR part 2002.

Dated at Rockville, Maryland, this XXth day of <MONTH> 2019.

For the Nuclear Regulatory Commission.

Annette Vietti-Cook, Secretary of the Commission