The US Nuclear Regulatory Commission (NRC) staff recently published a paper, SECY-18-0035, with an update regarding its development of a Controlled Unclassified Information (CUI) Program for the agency. The staff is still in the early stages of developing the program, which it plans to implement over the next three and a half years.
The US National Archives and Records Administration (NARA) published the CUI Rule on September 14, 2016 (81 Fed. Reg. 63,324), to implement Executive Order 13556, which President Barack Obama issued on November 4, 2010. The CUI Rule seeks to standardize the current patchwork of more than 100 agency-specific policies for handling sensitive unclassified information that requires safeguarding or dissemination controls. The NRC CUI Program will eventually replace the current Sensitive Unclassified Non-Safeguards Information (SUNSI) program, and will also include Safeguards Information (SGI).
The CUI Rule establishes specific handling, incident management, inspection, and oversight requirements for covered information. The staff recently completed a “gap analysis” to assess the differences between the CUI Rule requirements and the existing SUNSI and SGI programs. The results of that analysis were used to identify implementation activities going forward. For example, the staff concluded that the destruction standards established by the CUI Rule are more stringent than the standards for the destruction of SUNSI and SGI. Thus, the NRC is moving forward with plans to enhance its capabilities for the destruction of covered paper and electronic information. Additionally, the NRC likely will need to complete a rulemaking to implement the NRC’s CUI Program (e.g., to update the document marking instructions in 10 CFR § 2.390); however, the staff’s assessment of potential changes is not yet complete.
In terms of scope, the CUI Rule only applies directly to executive branch agencies. However, when an agency shares CUI with a non–executive branch entity (e.g., contractor, licensee, NRC Agreement State, tribe, intervenor), the rule encourages the use of external stakeholder agreements requiring the entity to handle the information in accordance with the CUI Rule. Notably, the CUI Rule does not apply to information that a non–executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency.
The paper calls attention to a specific concern recently raised by industry stakeholders regarding the status of internal licensee documents that have been neither shared with nor received from the NRC, but relate to information the NRC has designated as CUI in a different document. The staff clarified that, in this example, “licensees would not need to change their handling of the information, and an information sharing agreement would not be required.”
Again, although SECY-18-0035 provides some additional details regarding plans for the CUI Program, the NRC staff is still in the preliminary stages of developing it, and the contours of the final program are still very much in flux. As we counsel NRC-regulated entities that handle sensitive information, we will continue to closely follow developments in this area.