[Federal Register Volume 86, Number 216 (Friday, November 12, 2021)]
[Rules and Regulations]
[Pages 62713-62714]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-24543]
�========================================================================
�Rules and Regulations
� Federal Register
�________________________________________________________________________
�
�This section of the FEDERAL REGISTER contains regulatory documents
�having general applicability and legal effect, most of which are keyed
�to and codified in the Code of Federal Regulations, which is published
�under 50 titles pursuant to 44 U.S.C. 1510.
�
�The Code of Federal Regulations is sold by the Superintendent of Documents.
�
�========================================================================
�
��Federal Register / Vol. 86, No. 216 / Friday, November 12, 2021 /
Rules and Regulations��
[[Page 62713]]
NUCLEAR REGULATORY COMMISSION
10 CFR Chapter I
[NRC-2021-0204]
Controlled Unclassified Information Program
AGENCY: Nuclear Regulatory Commission.
ACTION: Policy statement; issuance.
-----------------------------------------------------------------------
SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is issuing this
Statement of Policy to set forth its expectation regarding the
treatment of controlled unclassified information (CUI). This final
policy statement describes how the NRC will comply with regulations
issued by the National Archives and Records Administration (NARA) that
direct agencies to minimize the risk of unauthorized disclosure of
controlled unclassified information while allowing timely access by
authorized holders. This policy statement aligns with similar actions
taken by other Federal agencies to communicate changes in agency CUI
policy to align with NARA requirements. During the transition to the
CUI program, all elements of the NRC's existing Sensitive Unclassified
Non-Safeguards Information (SUNSI) program will remain in place.
DATES: The policy statement is effective on November 12, 2021.
ADDRESSES: Please refer to Docket ID NRC-2021-0204 when contacting the
NRC about the availability of information regarding this document. You
may obtain publicly-available information related to this document
using any of the following methods:
Federal Rulemaking Website: Go to https://www.regulations.gov and search for Docket ID NRC-2021-0204. Address
questions about NRC dockets to Dawn Forder; telephone: 301-415-3407;
email: [email protected]. For technical questions, contact the
individual listed in the FOR FURTHER INFORMATION CONTACT section of
this document.
NRC's Agencywide Documents Access and Management System
(ADAMS): You may obtain publicly-available documents online in the
ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``Begin Web-based ADAMS
Search.'' For problems with ADAMS, please contact the NRC's Public
Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or
by email to [email protected]. The ADAMS accession number for each
document referenced (if it is available in ADAMS) is provided the first
time that it is mentioned in this document.
Attention: The Public Document Room (PDR), where you may
examine and order copies of public documents is currently closed. You
may submit your request to the PDR via email at [email protected] or
call 1-800-397-4209 between 8:00 a.m. and 4:00 p.m. (EST), Monday
through Friday, except Federal holidays.
FOR FURTHER INFORMATION CONTACT: Tanya Mensah, Office of the Chief
Information Officer, U.S. Nuclear Regulatory Commission, Washington, DC
20555-0001; telephone: 301-415-3610, email: [email protected].
SUPPLEMENTARY INFORMATION:
I. Background
In November 2010, the President issued Executive Order (E.O.)
13556, ``Controlled Unclassified Information (CUI),'' to ``establish an
open and uniform program for managing unclassified information that
requires safeguarding or dissemination controls.'' According to the
E.O., agency-specific approaches have created an inefficient and
confusing patchwork system, resulting in inconsistent marking and
safeguarding of information and unnecessarily restricted information-
sharing. On September 14, 2016, the National Archives and Records
Administration (NARA) published in the Federal Register a final CUI
rule adding new part 2002 to title 32 of the Code of Federal
Regulations (32 CFR) (81 FR 63324). The CUI rule went into effect on
November 14, 2016, and established requirements for CUI designation,
safeguarding, dissemination, marking, decontrolling, destruction,
incident management, self-inspection, and oversight across the
executive branch. The CUI rule applies directly to Federal executive
branch agencies, including the NRC, and the rule's primary function is
to define how the CUI program will be implemented within these
agencies. Controlled unclassified information does not include
Classified National Security Information that has been classified
pursuant to E.O. 13526 or the Atomic Energy Act of 1954 (AEA), as
amended, or information a non-executive branch entity (e.g.,
contractors, licensees, Agreement States,\1\ intervenors) possesses and
maintains in its own systems that did not come from, or was not created
or possessed by or for, an executive branch agency or an entity acting
for such an agency. However, the CUI rule can apply indirectly, through
information-sharing agreements, to non-executive branch entities that
are provided access to information that has been designated as CUI.
---------------------------------------------------------------------------
\1\ Agreement States are States that have entered into formal
agreements with the NRC, pursuant to Section 274 of the AEA, to
regulate certain quantities of AEA material at facilities located
within their borders.
---------------------------------------------------------------------------
II. Statement of Policy
In November 2010, the President issued E.O. 13556, ``Controlled
Unclassified Information (CUI),'' to ``establish an open and uniform
program for managing unclassified information that requires
safeguarding or dissemination controls.'' On September 14, 2016, NARA
published 32 CFR part 2002 in the Federal Register (81 FR 63324). It is
the Commission's policy that the NRC will comply with 32 CFR part 2002,
``Controlled Unclassified Information (CUI)'' (CUI rule), in order to
minimize the risk of unauthorized disclosure of CUI while allowing
timely access by authorized holders.
The CUI rule went into effect on November 14, 2016. It defines CUI
as information the Government creates or possesses, or that an entity
creates or possesses for or on behalf of the Government, that a law,
regulation, or Government-wide policy requires or permits an agency to
handle using safeguarding or dissemination controls. The CUI rule
established requirements for CUI designation, safeguarding,
dissemination, marking, decontrolling, destruction, incident
management, self-
[[Page 62714]]
inspection, and oversight across the executive branch.
The CUI rule identifies NARA as the Executive Agent responsible for
implementing E.O. 13556 and overseeing agency actions to ensure
compliance with the E.O., the CUI rule, and the CUI registry. The CUI
registry is an online repository located on the NARA website (https://www.archives.gov/cui) which, among other information, identifies all
approved CUI categories, provides general descriptions for each,
identifies the basis for controls, establishes markings, and includes
guidance on handling procedures. The categories within the CUI registry
serve as the exclusive designations for identifying CUI.
The CUI program at the NRC will replace the SUNSI program and will
also include, within its scope, Safeguards Information (SGI) and
Safeguards Information--Modified Handling. Section 147 of the AEA, as
amended, provides NRC with the statutory authority to prohibit the
unauthorized disclosure of SGI. Even though SGI is a form of CUI under
the CUI rule, specific controls found in part 73 of title 10 of the
Code of Federal Regulations, ``Physical Protection of Plants and
Materials,'' continue to apply to SGI.
The NRC recognizes that the CUI rule could alter how information is
shared between the agency and external parties, including licensees,
applicants, Agreement and non-Agreement States, and others. The NRC is
committed to avoiding unintended consequences that unnecessarily
increase the burden on external stakeholders while also maintaining
adequate protective measures for CUI.
The CUI program is separate from the Classified National Security
Information program. While the two programs may share similar language
and some similar requirements, the CUI program's requirements for
designating, protecting, accessing, sharing, and decontrolling
information, as well as the repercussions for misuse, differ from those
for the Classified National Security Information program.
The CUI program does not change NRC policy and practices in
responding to a Freedom of Information Act (FOIA) request. Marking and
designating information as CUI does not preclude information from
release under the FOIA or preclude it from otherwise being considered
for public release. The staff must still review the information and
apply FOIA exemptions appropriately.
While the NRC transitions to the CUI program, all elements of the
NRC's SUNSI program will remain in place. If NRC employees or
contractors receive CUI before the implementation of the CUI program at
the NRC, they will continue to follow current NRC guidance to protect
sensitive information.
Key Elements of the CUI Program
(1) The NRC's CUI Program Office: The NRC's CUI Senior Agency
Official (SAO) is responsible for planning, directing, and overseeing
the implementation of a comprehensive, coordinated, integrated,
efficient, and cost-effective NRC CUI program, consistent with
applicable laws, regulations, and Commission direction and policies.
The SAO's duties are assigned to the Director, Governance and
Enterprise Management Services Division, in the Office of the Chief
Information Officer.
(2) Applicability: This policy applies to all NRC employees and
contractors. The CUI rule also may apply indirectly through
information-sharing agreements to persons or entities that are provided
access to information that has been designated as CUI.
In accordance with the CUI rule, the NRC's CUI program will contain
the following elements:
Safeguarding standards, including for marking, physical
protection, and destruction;
Information technology and cybersecurity control
standards;
Access and dissemination standards, including, where
feasible, agreements with external parties for sharing information;
Training;
Processes for decontrolling information, issuing waivers,
managing incidents, and challenging designations of information as CUI;
and
A self-inspection and corrective action program.
Management Directive 12.6, ``NRC Controlled Unclassified
Information Program,'' will provide detailed guidance to NRC staff and
contractors for the handling, marking, protecting, sharing, destroying,
and decontrolling of CUI.
Dated: November 4, 2021.
For the Nuclear Regulatory Commission.
Annette Vietti-Cook,
Secretary of the Commission.
[FR Doc. 2021-24543 Filed 11-10-21; 8:45 am]
BILLING CODE 7590-01-P