[Federal Register Volume 86, Number 216 (Friday, November 12, 2021)]
[Rules and Regulations]
[Pages 62713-62714]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-24543]



 ========================================================================
 Rules and Regulations
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains regulatory documents 
 having general applicability and legal effect, most of which are keyed 
 to and codified in the Code of Federal Regulations, which is published 
 under 50 titles pursuant to 44 U.S.C. 1510.
 
 The Code of Federal Regulations is sold by the Superintendent of Documents. 
 
 ========================================================================
 

  Federal Register / Vol. 86, No. 216 / Friday, November 12, 2021 / 
Rules and Regulations  

[[Page 62713]]



NUCLEAR REGULATORY COMMISSION

10 CFR Chapter I

[NRC-2021-0204]


Controlled Unclassified Information Program

AGENCY: Nuclear Regulatory Commission.

ACTION: Policy statement; issuance.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is issuing this 
Statement of Policy to set forth its expectation regarding the 
treatment of controlled unclassified information (CUI). This final 
policy statement describes how the NRC will comply with regulations 
issued by the National Archives and Records Administration (NARA) that 
direct agencies to minimize the risk of unauthorized disclosure of 
controlled unclassified information while allowing timely access by 
authorized holders. This policy statement aligns with similar actions 
taken by other Federal agencies to communicate changes in agency CUI 
policy to align with NARA requirements. During the transition to the 
CUI program, all elements of the NRC's existing Sensitive Unclassified 
Non-Safeguards Information (SUNSI) program will remain in place.

DATES: The policy statement is effective on November 12, 2021.

ADDRESSES: Please refer to Docket ID NRC-2021-0204 when contacting the 
NRC about the availability of information regarding this document. You 
may obtain publicly-available information related to this document 
using any of the following methods:
     Federal Rulemaking Website: Go to https://www.regulations.gov and search for Docket ID NRC-2021-0204. Address 
questions about NRC dockets to Dawn Forder; telephone: 301-415-3407; 
email: [email protected]. For technical questions, contact the 
individual listed in the FOR FURTHER INFORMATION CONTACT section of 
this document.
     NRC's Agencywide Documents Access and Management System 
(ADAMS): You may obtain publicly-available documents online in the 
ADAMS Public Documents collection at http://www.nrc.gov/reading-rm/adams.html. To begin the search, select ``Begin Web-based ADAMS 
Search.'' For problems with ADAMS, please contact the NRC's Public 
Document Room (PDR) reference staff at 1-800-397-4209, 301-415-4737, or 
by email to [email protected]. The ADAMS accession number for each 
document referenced (if it is available in ADAMS) is provided the first 
time that it is mentioned in this document.
     Attention: The Public Document Room (PDR), where you may 
examine and order copies of public documents is currently closed. You 
may submit your request to the PDR via email at [email protected] or 
call 1-800-397-4209 between 8:00 a.m. and 4:00 p.m. (EST), Monday 
through Friday, except Federal holidays.

FOR FURTHER INFORMATION CONTACT: Tanya Mensah, Office of the Chief 
Information Officer, U.S. Nuclear Regulatory Commission, Washington, DC 
20555-0001; telephone: 301-415-3610, email: [email protected].

SUPPLEMENTARY INFORMATION:

I. Background

    In November 2010, the President issued Executive Order (E.O.) 
13556, ``Controlled Unclassified Information (CUI),'' to ``establish an 
open and uniform program for managing unclassified information that 
requires safeguarding or dissemination controls.'' According to the 
E.O., agency-specific approaches have created an inefficient and 
confusing patchwork system, resulting in inconsistent marking and 
safeguarding of information and unnecessarily restricted information-
sharing. On September 14, 2016, the National Archives and Records 
Administration (NARA) published in the Federal Register a final CUI 
rule adding new part 2002 to title 32 of the Code of Federal 
Regulations (32 CFR) (81 FR 63324). The CUI rule went into effect on 
November 14, 2016, and established requirements for CUI designation, 
safeguarding, dissemination, marking, decontrolling, destruction, 
incident management, self-inspection, and oversight across the 
executive branch. The CUI rule applies directly to Federal executive 
branch agencies, including the NRC, and the rule's primary function is 
to define how the CUI program will be implemented within these 
agencies. Controlled unclassified information does not include 
Classified National Security Information that has been classified 
pursuant to E.O. 13526 or the Atomic Energy Act of 1954 (AEA), as 
amended, or information a non-executive branch entity (e.g., 
contractors, licensees, Agreement States,\1\ intervenors) possesses and 
maintains in its own systems that did not come from, or was not created 
or possessed by or for, an executive branch agency or an entity acting 
for such an agency. However, the CUI rule can apply indirectly, through 
information-sharing agreements, to non-executive branch entities that 
are provided access to information that has been designated as CUI.
---------------------------------------------------------------------------

    \1\ Agreement States are States that have entered into formal 
agreements with the NRC, pursuant to Section 274 of the AEA, to 
regulate certain quantities of AEA material at facilities located 
within their borders.
---------------------------------------------------------------------------

II. Statement of Policy

    In November 2010, the President issued E.O. 13556, ``Controlled 
Unclassified Information (CUI),'' to ``establish an open and uniform 
program for managing unclassified information that requires 
safeguarding or dissemination controls.'' On September 14, 2016, NARA 
published 32 CFR part 2002 in the Federal Register (81 FR 63324). It is 
the Commission's policy that the NRC will comply with 32 CFR part 2002, 
``Controlled Unclassified Information (CUI)'' (CUI rule), in order to 
minimize the risk of unauthorized disclosure of CUI while allowing 
timely access by authorized holders.
    The CUI rule went into effect on November 14, 2016. It defines CUI 
as information the Government creates or possesses, or that an entity 
creates or possesses for or on behalf of the Government, that a law, 
regulation, or Government-wide policy requires or permits an agency to 
handle using safeguarding or dissemination controls. The CUI rule 
established requirements for CUI designation, safeguarding, 
dissemination, marking, decontrolling, destruction, incident 
management, self-

[[Page 62714]]

inspection, and oversight across the executive branch.
    The CUI rule identifies NARA as the Executive Agent responsible for 
implementing E.O. 13556 and overseeing agency actions to ensure 
compliance with the E.O., the CUI rule, and the CUI registry. The CUI 
registry is an online repository located on the NARA website (https://www.archives.gov/cui) which, among other information, identifies all 
approved CUI categories, provides general descriptions for each, 
identifies the basis for controls, establishes markings, and includes 
guidance on handling procedures. The categories within the CUI registry 
serve as the exclusive designations for identifying CUI.
    The CUI program at the NRC will replace the SUNSI program and will 
also include, within its scope, Safeguards Information (SGI) and 
Safeguards Information--Modified Handling. Section 147 of the AEA, as 
amended, provides NRC with the statutory authority to prohibit the 
unauthorized disclosure of SGI. Even though SGI is a form of CUI under 
the CUI rule, specific controls found in part 73 of title 10 of the 
Code of Federal Regulations, ``Physical Protection of Plants and 
Materials,'' continue to apply to SGI.
    The NRC recognizes that the CUI rule could alter how information is 
shared between the agency and external parties, including licensees, 
applicants, Agreement and non-Agreement States, and others. The NRC is 
committed to avoiding unintended consequences that unnecessarily 
increase the burden on external stakeholders while also maintaining 
adequate protective measures for CUI.
    The CUI program is separate from the Classified National Security 
Information program. While the two programs may share similar language 
and some similar requirements, the CUI program's requirements for 
designating, protecting, accessing, sharing, and decontrolling 
information, as well as the repercussions for misuse, differ from those 
for the Classified National Security Information program.
    The CUI program does not change NRC policy and practices in 
responding to a Freedom of Information Act (FOIA) request. Marking and 
designating information as CUI does not preclude information from 
release under the FOIA or preclude it from otherwise being considered 
for public release. The staff must still review the information and 
apply FOIA exemptions appropriately.
    While the NRC transitions to the CUI program, all elements of the 
NRC's SUNSI program will remain in place. If NRC employees or 
contractors receive CUI before the implementation of the CUI program at 
the NRC, they will continue to follow current NRC guidance to protect 
sensitive information.

Key Elements of the CUI Program

    (1) The NRC's CUI Program Office: The NRC's CUI Senior Agency 
Official (SAO) is responsible for planning, directing, and overseeing 
the implementation of a comprehensive, coordinated, integrated, 
efficient, and cost-effective NRC CUI program, consistent with 
applicable laws, regulations, and Commission direction and policies. 
The SAO's duties are assigned to the Director, Governance and 
Enterprise Management Services Division, in the Office of the Chief 
Information Officer.
    (2) Applicability: This policy applies to all NRC employees and 
contractors. The CUI rule also may apply indirectly through 
information-sharing agreements to persons or entities that are provided 
access to information that has been designated as CUI.
    In accordance with the CUI rule, the NRC's CUI program will contain 
the following elements:
     Safeguarding standards, including for marking, physical 
protection, and destruction;
     Information technology and cybersecurity control 
standards;
     Access and dissemination standards, including, where 
feasible, agreements with external parties for sharing information;
     Training;
     Processes for decontrolling information, issuing waivers, 
managing incidents, and challenging designations of information as CUI; 
and
     A self-inspection and corrective action program.
    Management Directive 12.6, ``NRC Controlled Unclassified 
Information Program,'' will provide detailed guidance to NRC staff and 
contractors for the handling, marking, protecting, sharing, destroying, 
and decontrolling of CUI.

    Dated: November 4, 2021.

    For the Nuclear Regulatory Commission.
Annette Vietti-Cook,
Secretary of the Commission.
[FR Doc. 2021-24543 Filed 11-10-21; 8:45 am]
BILLING CODE 7590-01-P