The Nuclear Regulatory Commission (NRC) and the Federal Energy Regulatory Commission (FERC) entered into a Memorandum of Understanding (MOU) on June 6 regarding the care and protection of critical energy/electric infrastructure information (CEII). The MOU delineates how the two agencies will cooperate to identify, process, and protect CEII that the NRC holds, explaining that the two independent agencies “mutually agree that it is important to protect CEII to ensure the safety and security of the electric grid.” Under the MOU, the NRC will be able to consult with FERC to designate certain NRC-held information as CEII—and therefore FOIA-exempt—if requested by a third-party under that open records law.
The MOU is another step in the US government’s attempt to address growing concerns about physical and cybersecurity threats to the electricity grid. Congress, recognizing these threats, directed the US Department of Energy and FERC to identify and protect CEII when it passed the “Fixing America’s Surface Transportation Act” (FAST Act) in 2015. FERC issued its CEII regulations in late 2016.
FERC’s regulations define CEII as “information related to critical electric infrastructure . . . that is designated as critical electric infrastructure information” by FERC or the Secretary of Energy. See 18 CFR 388.113(c). A subset of CEII is critical energy infrastructure information, which is defined by FERC regulations as “specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that (i) relates details about the production, generation, transportation, transmission, or distribution of energy; and (ii) could be useful to a person in planning an attack on critical infrastructure” and is exempt from disclosure under the Freedom of Information Act (FOIA). “Critical infrastructure” is in turn defined as “existing and proposed systems and assets, whether physical or virtual, the incapacity or destruction of which would negatively affect security, economic security, public health or safety, or any combination of those matters.”
The MOU, signed by the NRC’s acting Executive Director of Operations and FERC’s CEII Coordinator, commits both agencies to coordinate in protecting CEII. The MOU provides a mechanism for the NRC Staff to consult with FERC’s CEII coordinator to determine whether information requested under FOIA is CEII and therefore exempt from public disclosure under the FAST Act and FERC’s regulations. If the NRC Staff requests that consultation and provides the information specified in the MOU, FERC will endeavor to provide a determination within 10 business days.
For information that the FERC CEII Coordinator agrees is CEII, the NRC staff will
- identify information in its custody that contains CEII and “prominently label” the documents as CEII;
- handle the documents in accordance with the FAST Act and the FERC’s CEII regulations; and
- protect any CEII from being easily accessible or visible to unauthorized individuals when transporting or disseminating the information, and disseminating such information either by using encryption during electronic transmission or certified mail for hard copy dissemination.
Information that would qualify as CEII would typically be classified by the NRC as sensitive, unclassified non-safeguards information, or “SUNSI.” This MOU further formalizes the NRC’s process for protecting such information and leveraging the FOIA exemption provided by the FAST Act.