Several years ago, the US government embarked on a project to standardize federal agency programs—including the NRC’s—for managing unclassified-but-sensitive information. At the NRC, this government-wide Controlled Unclassified Information (CUI) program is intended to replace the agency’s Sensitive Unclassified Non-Safeguards Information (SUNSI) program.
Morgan Lewis reported on the transition from SUNSI to CUI in January 2019, when the Commissioners first directed the Staff to proceed with a CUI rulemaking. Since that time, the NRC has been working behind the scenes to develop a CUI program and recently issued a final policy statement that “describes how the NRC will comply with regulations issued by the National Archives and Records Administration (NARA) that direct agencies to minimize the risk of unauthorized disclosure of controlled unclassified information while allowing timely access by authorized holders.” A few weeks later, on December 3, the NRC publicly released a Management Directive describing the planned CUI program in further detail. Although the NRC’s CUI program has not yet been implemented, these are important interim milestones toward that ultimate objective.
In 2010, President Obama issued Executive Order (EO) 13556, “Controlled Unclassified Information,” to establish “an open and uniform program for managing information that requires safeguarding or dissemination controls. . . .” On September 14, 2016, NARA published a final CUI rule adding new Part 2002 to Title 32 of the Code of Federal Regulations. The rule went into effect on November 14, 2016, and established requirements for CUI designation, safeguarding, dissemination, and other actions across the executive branch. The CUI rule applies directly to federal executive branch agencies, including the NRC.
The NRC Policy Statement and Management Directive
The Policy Statement emphasizes that “the NRC will comply with 32 CFR part 2002, ‘Controlled Unclassified Information (CUI)’ (CUI rule), in order to minimize the risk of unauthorized disclosure of CUI while allowing timely access by authorized holders.” Importantly, and as Morgan Lewis previously reported, the CUI program at the NRC will replace the SUNSI program and will also include Safeguards Information (SGI) and “Safeguards Information—Modified Handling.” The Policy Statement notes that, “[e]ven though SGI is a form of CUI under the CUI rule, specific controls found in part 73 of title 10 of the Code of Federal Regulations, ‘Physical Protection of Plants and Materials,’ continue to apply to SGI.”
The policy applies to all NRC employees and contractors. However, the CUI rule also may apply indirectly through information-sharing agreements to persons or entities—such as NRC licensees—that are provided access to information that has been designated as CUI.
The corollary Management Directive 12.6, “NRC Controlled Unclassified Information Program,” provides “detailed guidance to NRC staff and contractors for the handling, marking, protecting, sharing, destroying, and decontrolling of CUI.”
The NRC’s target for fully transitioning to CUI is the end of 2022. However, the NRC has not yet issued a proposed rule, so, realistically, the implementation date may slip. Until then, both the NRC’s SUNSI program and the SGI program will remain in place.
Morgan Lewis will continue to monitor the evolving CUI program.