Controlled Unclassified Information Program

AGENCY:

Nuclear Regulatory Commission.

ACTION:

Policy statement; issuance.

SUMMARY:

The U.S. Nuclear Regulatory Commission (NRC) is issuing this Statement of Policy to set forth its expectation regarding the treatment of controlled unclassified information (CUI). This final policy statement describes how the NRC will comply with regulations issued by the National Archives and Records Administration (NARA) that direct agencies to minimize the risk of unauthorized disclosure of controlled unclassified information while allowing timely access by authorized holders. This policy statement aligns with similar actions taken by other Federal agencies to communicate changes in agency CUI policy to align with NARA requirements. During the transition to the CUI program, all elements of the NRC's existing Sensitive Unclassified Non-Safeguards Information (SUNSI) program will remain in place.

DATES:

The policy statement is effective on November 12, 2021.

ADDRESSES:

Please refer to Docket ID NRC-2021-0204 when contacting the NRC about the availability of information regarding this document. You may obtain publicly-available information related to this document using any of the following methods:

• Federal Rulemaking Website: Go to https://www.regulations.gov and search for Docket ID NRC-2021-0204. Address questions about NRC dockets to Dawn Forder; telephone: 301-415-3407; email: Dawn.Forder@nrc.gov . For technical questions, contact the individual listed in the FOR FURTHER INFORMATION CONTACT section of this document.

• NRC's Agencywide Documents Access and Management System (ADAMS): You may obtain publicly-available documents online in the ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select “Begin Web-based ADAMS Search.” For problems with ADAMS, please contact the NRC's Public Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or by email to pdr.resource@nrc.gov. The ADAMS accession number for each document referenced (if it is available in ADAMS) is provided the first time that it is mentioned in this document.

• Attention: The Public Document Room (PDR), where you may examine and order copies of public documents is currently closed. You may submit your request to the PDR via email at pdr.resource@nrc.gov or call 1-800-397-4209 between 8:00 a.m. and 4:00 p.m. (EST), Monday through Friday, except Federal holidays.

FOR FURTHER INFORMATION CONTACT:

Tanya Mensah, Office of the Chief Information Officer, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; telephone: 301-415-3610, email: Tanya.Mensah@nrc.gov.

SUPPLEMENTARY INFORMATION:

I. Background

In November 2010, the President issued Executive Order (E.O.) 13556, “Controlled Unclassified Information (CUI),” to “establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls.” According to the E.O., agency-specific approaches have created an inefficient and confusing patchwork system, resulting in inconsistent marking and safeguarding of information and unnecessarily restricted information-sharing. On September 14, 2016, the National Archives and Records Administration (NARA) published in the Federal Register a final CUI rule adding new part 2002 to title 32 of the Code of Federal Regulations (32 CFR) (81 FR 63324). The CUI rule went into effect on November 14, 2016, and established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self-inspection, and oversight across the executive branch. The CUI rule applies directly to Federal executive branch agencies, including the NRC, and the rule's primary function is to define how the CUI program will be implemented within these agencies. Controlled unclassified information does not include Classified National Security Information that has been classified pursuant to E.O. 13526 or the Atomic Energy Act of 1954 (AEA), as amended, or information a non-executive branch entity ( e.g., contractors, licensees, Agreement States, intervenors) possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for such an agency. However, the CUI rule can apply indirectly, through information-sharing agreements, to non-executive branch entities that are provided access to information that has been designated as CUI.

II. Statement of Policy

In November 2010, the President issued E.O. 13556, “Controlled Unclassified Information (CUI),” to “establish an open and uniform program for managing unclassified information that requires safeguarding or dissemination controls.” On September 14, 2016, NARA published 32 CFR part 2002 in the Federal Register (81 FR 63324). It is the Commission's policy that the NRC will comply with 32 CFR part 2002, “Controlled Unclassified Information (CUI)” (CUI rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders.

The CUI rule went into effect on November 14, 2016. It defines CUI as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI rule established requirements for CUI designation, safeguarding, dissemination, marking, decontrolling, destruction, incident management, self- inspection, and oversight across the executive branch.

The CUI rule identifies NARA as the Executive Agent responsible for implementing E.O. 13556 and overseeing agency actions to ensure compliance with the E.O., the CUI rule, and the CUI registry. The CUI registry is an online repository located on the NARA website ( https://www.archives.gov/cui ) which, among other information, identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. The categories within the CUI registry serve as the exclusive designations for identifying CUI.

The CUI program at the NRC will replace the SUNSI program and will also include, within its scope, Safeguards Information (SGI) and Safeguards Information—Modified Handling. Section 147 of the AEA, as amended, provides NRC with the statutory authority to prohibit the unauthorized disclosure of SGI. Even though SGI is a form of CUI under the CUI rule, specific controls found in part 73 of title 10 of the Code of Federal Regulations, “Physical Protection of Plants and Materials,” continue to apply to SGI.

The NRC recognizes that the CUI rule could alter how information is shared between the agency and external parties, including licensees, applicants, Agreement and non-Agreement States, and others. The NRC is committed to avoiding unintended consequences that unnecessarily increase the burden on external stakeholders while also maintaining adequate protective measures for CUI.

The CUI program is separate from the Classified National Security Information program. While the two programs may share similar language and some similar requirements, the CUI program's requirements for designating, protecting, accessing, sharing, and decontrolling information, as well as the repercussions for misuse, differ from those for the Classified National Security Information program.

The CUI program does not change NRC policy and practices in responding to a Freedom of Information Act (FOIA) request. Marking and designating information as CUI does not preclude information from release under the FOIA or preclude it from otherwise being considered for public release. The staff must still review the information and apply FOIA exemptions appropriately.

While the NRC transitions to the CUI program, all elements of the NRC's SUNSI program will remain in place. If NRC employees or contractors receive CUI before the implementation of the CUI program at the NRC, they will continue to follow current NRC guidance to protect sensitive information.

Key Elements of the CUI Program

(1) The NRC's CUI Program Office: The NRC's CUI Senior Agency Official (SAO) is responsible for planning, directing, and overseeing the implementation of a comprehensive, coordinated, integrated, efficient, and cost-effective NRC CUI program, consistent with applicable laws, regulations, and Commission direction and policies. The SAO's duties are assigned to the Director, Governance and Enterprise Management Services Division, in the Office of the Chief Information Officer.

(2) Applicability: This policy applies to all NRC employees and contractors. The CUI rule also may apply indirectly through information-sharing agreements to persons or entities that are provided access to information that has been designated as CUI.

In accordance with the CUI rule, the NRC's CUI program will contain the following elements:

• Safeguarding standards, including for marking, physical protection, and destruction;
• Information technology and cybersecurity control standards;
• Access and dissemination standards, including, where feasible, agreements with external parties for sharing information;
• Training;
• Processes for decontrolling information, issuing waivers, managing incidents, and challenging designations of information as CUI; and
• A self-inspection and corrective action program.

Management Directive 12.6, “NRC Controlled Unclassified Information Program,” will provide detailed guidance to NRC staff and contractors for the handling, marking, protecting, sharing, destroying, and decontrolling of CUI.