On December 10, the NRC staff issued SECY-21-0105 seeking approval from the NRC commissioners to publish a notice of final rule that would officially replace the NRC's sensitive unclassified non-safeguards information (SUNSI) program with a Controlled Unclassified Information (CUI) program. The new rules would appear in 10 CFR Part 2, "Agency Rules of Practice and Procedure," and be consistent with the government-wide rules on CUI in 32 CFR Part 2002.
A detailed background on the NRC’s transition to CUI is available in our previous posts on January 24, 2019 and December 8, 2021. As particularly relevant here, the NRC staff previously requested and received Commission approval of a rulemaking plan for the agency’s transition to CUI. The NRC staff identified two categories of revisions: (1) nomenclature changes, such as replacing the use of the phrase "sensitive unclassified non-safeguards information" or "SUNSI" with references to CUI, and (2) revisions to NRC regulations that "would appear to create substantive problems if not revised when the CUI Program is implemented."
The Staff’s Recommended Final Rule
As written, the final rule would make minor nomenclature revisions to remove references to SUNSI in two sections of the regulations. The amendment replaces those terms with other language intended to cover the same information, resulting in no substantive change to the regulations. Notably, the final rule declines to make the potentially substantive changes first contemplated by the NRC staff in COMSECY-18-0022. As a result, the NRC is not soliciting public comment on this change because the change is limited to an agency rule of procedure and practice that does not affect the substantive responsibilities of any person or entity regulated by the NRC.
The final rule proposes specific changes to two regulations in 10 CFR Part 2 that reference the soon-defunct SUNSI program—10 CFR 2.307(c) and 10 CFR 2.311. The first provides the Secretary of the Commission the delegated authority to issue orders establishing procedures and timelines for potential parties in NRC adjudications to seek access to Safeguards Information (SGI) or SUNSI if such persons believe access is necessary to meet Commission intervention requirements. The second provides adjudicatory procedures for interlocutory review of orders granting or denying potential party requests for access to SGI and SUNSI. The final rule would update these regulations to remove SUNSI and refer instead to "nonpublic unclassified information" (or "other nonpublic unclassified information," as appropriate).
Markedly, the final rule makes no substantive changes through these revisions, allows potential parties to still seek access to the same types of nonpublic information they are now able to seek under 10 CFR §§ 2.307(c) and 2.311—including but not limited to proprietary, confidential, and commercial information; security-related information; and SGI—and does not intend to affect any protective orders already in place.
As part of the deliberative process, the NRC staff contemplated potential revisions to additional regulations affecting marking requirements, namely 10 CFR § 2.390, "Public inspections, exemptions, requests for withholding," and 10 CFR Part 73, "Physical protection of plants and materials." Ultimately, the NRC staff rejected revisions to Section 2.390 with the view that requiring submitters to apply CUI-compliant markings themselves could create confusion and is unnecessary to implement an effective CUI program at the NRC. For similar reasons, the NRC staff declined to revise the marking requirements for SGI in 10 CFR Part 73, as they determined the regulations would not prohibit the application of CUI markings to SGI when needed to comply with CUI requirements.
As the year draws to a close, it appears the NRC is on target to transition to CUI as expected by October 2022. However, we note that this rulemaking is one of several implementation tasks the NRC staff has prepared for its forthcoming transition to CUI. Accordingly, more amendments to the detailed procedures the NRC uses for implementing the CUI information-request processes could be expected.
As Morgan Lewis continues to counsel NRC-regulated entities that handle sensitive information, we will closely follow developments in this area.