
Review Criteria and NEI Public Meeting Slide


Page 1: Review Criteria and NEI Public Meeting Slide

Review Criteria

a. All figures or drawings showing access to (i.e., building location, elevation, and access (e.g., hallways, doors, stairwells)) or composition of (e.g., cut-away drawings) vital equipment or vital areas. (Refer to NSIR memo – ADAMS Accession No. ML15253A607).

b. Descriptions of elevations and/or locations of vital equipment or vital areas in combination with its usage or protective measures taken in the event of an accident that can lead to a radiological release. This also applies to source and special nuclear material. When deciding on the removal of this information, consider the detailed description given and how it could be used to cause a threat to the nuclear power plant’s safety.

c. Descriptions regarding the design of nearby dams and inundation maps.

d. Descriptions of EP, Security, and FP inspections, tests, analyses, and acceptance criteria (ITAACs).

e. Any descriptions of locations of explosives or their consequences.

The following information may be contained in fire protection documents and should be redacted:

• Descriptions of the entering/exiting routes for responders at the facility (i.e., Local Law Enforcement, Fire, and Rescue).

• Descriptions of onsite personnel actions and procedures in the event of an emergency, which could, for example, direct operator action. This discussion includes descriptions of controls, displays, and alarms needed by the operator to address in the event of an emergency. Specifically, a description of an event in conjunction with the operator’s or responder’s path through the plant which includes the location of the equipment involved should be redacted.

The following information may be provided with the UFSAR submittal or separately, and should be withheld if it contains personally identifiable information (PII):

• Foreign ownership, control or influence (FOCI).

Page 2: Review Criteria and NEI Public Meeting Slide

Public Discussion for the Review and Submission of FSARs, Emergency Preparedness, and Fire Protection Documents

Division of Operating Reactor Licensing

Office of Nuclear Reactor Regulation

March 1, 2016

Page 3: Review Criteria and NEI Public Meeting Slide

Objectives

Definitions

Background

Discuss SUNSI Markings

Public comments/clarifications

Page 4: Review Criteria and NEI Public Meeting Slide

DEFINITIONS


Page 5: Review Criteria and NEI Public Meeting Slide

Definitions

Restricted Data

Data concerning

– The design, manufacture, or utilization of atomic weapons;

– Production of special nuclear material; or

– Use of special nuclear material in the production of energy.

Page 6: Review Criteria and NEI Public Meeting Slide

Definitions

Classified Data

Restricted Data, Formerly Restricted Data, and National Security Information processed or produced by a system that requires protection against unauthorized disclosure in the interest of national security

Page 7: Review Criteria and NEI Public Meeting Slide

Definitions

Confidential

“Confidential” is a security classification that must be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security, damage which the original classification authority is able to identify and/or describe.

Page 8: Review Criteria and NEI Public Meeting Slide

Definitions

Critical Energy Infrastructure Information (CEII)

– Information regarding nearby energy-related facilities (e.g., hydroelectric dams, electric transmission systems)

– Information related to the location of pipelines may warrant review and withholding

– Most of the information regarding electric transmission systems provided to Federal Energy Regulatory Commission is designated CEII

– Information on potential threats and the coordination of responses to a terrorist attack.

Page 9: Review Criteria and NEI Public Meeting Slide

Definitions

Sensitive Information

– Any information or material, regardless of its physical form or characteristics, which meets the following two requirements:

  • The information or material is originated, owned, or possessed by the United States Government; and,

  • A compromise of the confidentiality, integrity, or availability of the information could have an adverse effect on government operations, government assets, or individuals.

Page 10: Review Criteria and NEI Public Meeting Slide

Definitions

Security-Sensitive

– Information that could be

  • Useful, or reasonably be expected to be useful, to a terrorist in a potential attack

– Does not qualify as Safeguards or Classified Information

Page 11: Review Criteria and NEI Public Meeting Slide

BACKGROUND

Page 12: Review Criteria and NEI Public Meeting Slide

No Change to Criteria

Past Criteria

Present Criteria

Page 13: Review Criteria and NEI Public Meeting Slide

Change to Practice

Withheld Until Requested

Proactive Release

PAST

PRESENT

Page 14: Review Criteria and NEI Public Meeting Slide

Unclassified Information

Atomic Energy Act of 1954, as amended

Freedom of Information Act – 1967

Page 15: Review Criteria and NEI Public Meeting Slide

FOIA Exemptions

Exemption 1: Information that is classified to protect national security.

Exemption 3: Information that is prohibited from disclosure by another federal law.

Exemption 4: Trade secrets or commercial or financial information that is confidential or privileged.

Page 16: Review Criteria and NEI Public Meeting Slide

Public Requests for Information

Request for Hearing (Part 2, 10 CFR 50.91)

– Individuals with standing may request and be granted access to sensitive information as part of a hearing

Routine Stakeholder Correspondence

– Requests from educational institutions

Page 17: Review Criteria and NEI Public Meeting Slide

SUNSI MARKINGS

Page 18: Review Criteria and NEI Public Meeting Slide

Commission Direction

SECY 04-191 and SECY 05-101

COMSECY-05-0054

SECY 15-0032

Page 19: Review Criteria and NEI Public Meeting Slide

Review Criteria

Focus is on unclassified information that could be useful to an adversary

– Location and controls associated with special nuclear material;

– Specific vital equipment locations;

– Combination of equipment and consequences of its loss to vital equipment; and,

– Information regarding response actions necessary to protect the facility.

Page 20: Review Criteria and NEI Public Meeting Slide

Scope of Documents

Safety Analysis Report (SAR) related

– Preliminary SAR

– Final SAR (COL application)

– Updated Final SAR

Fire Protection Program related submittals

Emergency Plan related submittals

Page 21: Review Criteria and NEI Public Meeting Slide

Publicly Available

Within a week

– Cover letter released

In the coming months

– Release a redacted copy

Page 22: Review Criteria and NEI Public Meeting Slide

Change to Withholding Level of Detail

Past Present

Training Purposes Only – No actual Sensitive Information Used

Page 23: Review Criteria and NEI Public Meeting Slide

PUBLIC COMMENT

Page 24: Review Criteria and NEI Public Meeting Slide


Page 25: Review Criteria and NEI Public Meeting Slide

Meeting Agenda

– Introductions

– Discussion of Controlled Unclassified Information (CUI)

– Review Submission and Evaluation Criteria

– Public Comment

– Break

– Closed Session

– Adjourn

Page 26: Review Criteria and NEI Public Meeting Slide

March 2016

Page 27: Review Criteria and NEI Public Meeting Slide

Briefing Outline

NRC and SUNSI

Overview of the CUI Program

– Elements of the CUI Executive Order

– CUI Categories and Registry

– Types of CUI

CUI Implementation Timeline

– CUI and NIST Standards and Guidelines

Handling CUI

– 32 CFR Part 2002

– NRC and CUI

Page 28: Review Criteria and NEI Public Meeting Slide

SUNSI Background

NRC: Sensitive Unclassified Non-Safeguards Information (SUNSI)

SUNSI IS any information of which the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.

SUNSI is NOT: Classified, SGI, or FOIA.


Page 29: Review Criteria and NEI Public Meeting Slide

Overview of the CUI Program


Page 30: Review Criteria and NEI Public Meeting Slide

Executive Order 13556

Established CUI Program

– In consultation with affected agencies

– (CUI Advisory Council)

Designated an Executive Agent (EA) to implement the E.O. and oversee department and agency actions to ensure compliance.

– National Archives and Records Administration

An open and uniform program to manage all unclassified information within the executive branch that requires safeguarding and dissemination controls as required by law, regulation, and Government-wide policy.


Page 31: Review Criteria and NEI Public Meeting Slide

Approved CUI Categories

• Bank Secrecy

• DNA

• Investigation

• Census

• Investment Survey

23 Categories

1. Agriculture

2. Copyright

3. Critical Infrastructure

4. Emergency Management

5. Export Control

6. Financial

7. Foreign Government

8. Geodetic Product Information

9. Immigration

10. Information Systems Vulnerability Information

11. Intelligence

12. Law Enforcement

13. Legal

14. NATO

15. Nuclear

16. Patent

17. Privacy

18. Proprietary Business

19. Safety Act Information

20. Statistical

21. Tax

22. Transportation

Agriculture

Controlled Technical Information

Copyright

Critical Infrastructure

Export Control

Emergency Management

Financial

Foreign Government

Geodetic Product Information

Immigration

Information Systems Vulnerability Information

Intelligence

Law Enforcement

Legal

NATO

Nuclear

Patent

Privacy

Proprietary Business

Safety Act Information

Statistical

Tax

Transportation

82 Subcategories

• Financial

• Health Information

• Personnel

Page 32: Review Criteria and NEI Public Meeting Slide

Online Registry


23 Categories

82 Sub-categories

315 unique Control citations

106 unique Sanction citations

http://www.archives.gov/cui

Page 33: Review Criteria and NEI Public Meeting Slide

Two types: Basic and Specified

CUI Basic versus CUI Specified based on Laws, Regulations, and Government wide policies

CUI Basic = Identifies an information type and says protect it.

CUI Specified = Identifies an information type and says protect it but specifies exactly how it should be protected or handled.


Page 34: Review Criteria and NEI Public Meeting Slide

Phased CUI Implementation Timeline

[Figure: timeline chart. Time axis: Day 0 (3rd Qtr 2016), 6 Months, 1 Year, 3-4 Years. Milestones: IOC, FOC. Rows: Phases; Key D/A Activities.]

Phases: Planning, Readiness, Initiation, Final

– Prepare environment and workforce for the CUI transition

– Identify and initiate planning activities for CUI implementation

– Full implementation of the CUI program

– Begin implementation of CUI practices and phase out of obsolete practices

Key D/A Activities

• *Develop & publish policy

• Develop training (NARA)

• Plan for FY 16 – 18 Budget Cycles

• Develop IT transition plan

• Develop self-inspection plan

• Develop process for internal non-compliance

• *Assert physical safeguarding

• *Conduct training

• Initiate awareness

• Prepare IT transition

• Continue Budget Cycle Planning

• Initiate CUI implementation

  o Handle

  o Recognize

  o Receive

• Initiate IT transition

• Permit creation of CUI

• Initiate self-inspection program

• Eliminate old markings

• Assure use of only New Markings

• Complete IT Transition

• Monitor & Report Implementation

*Required for IOC (Initial Operational Capability)

FOC – Final Operational Capability

Page 35: Review Criteria and NEI Public Meeting Slide

What is needed to implement a CUI Program?

Policy

– Roles and Responsibilities

– Identify CUI handled

– Specialized implementation

Suitable physical environment

Training (of all affected personnel)

– Basic

– Specified

Suitable electronic environment

– Moderate Confidentiality

180 Days

Year 1+

Year 1-4

32 CFR Part 2002 is scheduled to be published in 2016

Page 36: Review Criteria and NEI Public Meeting Slide

Implementation of the CUI Program

[Figure: schedule chart. Time axis: Day 0, 180, Year 1, 180, Year 2.]

Rows: Policy, Training, Physical Safeguarding, Systems, Self-Inspection

Activities:

– Develop and Publish Policy

– Develop and Publish Component Policy

– Develop and Deploy Training

– Complete CUI Training

– Implement Physical Safeguarding

– Assessment of Systems

– Develop Systems Transition Strategy

– Initiate Internal Oversight

Page 37: Review Criteria and NEI Public Meeting Slide

NIST Special Publication 800-171


This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI:

(i) when the CUI is resident in nonfederal information systems and organizations;

(ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and

(iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.

Page 38: Review Criteria and NEI Public Meeting Slide

Marking


CONTROLLED/Categories or Subcategories//Dissemination

CUI Control Marking

Category Marking (if required)

Dissemination Control Marking

The banner marking consists of the CUI control marking, category markings (if required), and dissemination control markings.

• The CUI control marking (the word “CONTROLLED” or the acronym “CUI”) is mandatory for all CUI banners.

• Category markings are mandatory in the case of CUI Specified, and for CUI Basic when required by agency policy. Either complete category names or abbreviations may be used in banners to designate the categories of CUI contained within the document.

• All dissemination control markings must be approved by the CUI EA and published in the CUI Registry. Access to and dissemination of CUI must be allowed as extensively as necessary, consistent with or in furtherance of a Lawful Government Purpose.

Top center of each page containing CUI

Page 39: Review Criteria and NEI Public Meeting Slide

Dissemination and Sharing


Dissemination of CUI shall be allowed as extensively as possible to any individuals, organizations, or groupings of users, provided such dissemination is in the furtherance of a Lawful Government Purpose.

Authorized holders must confirm that intended recipients are authorized to receive the CUI in question.

Authorized holders must mark CUI prior to dissemination.

When discussing CUI, authorized holders must ensure that unauthorized persons cannot overhear the conversation.

Page 40: Review Criteria and NEI Public Meeting Slide

Legacy Information

Sensitive unclassified information that was marked prior to the implementation of the CUI Program which meets the standards for CUI is considered legacy information.

Agencies are not required to review and re-mark legacy information until and unless the information is re-used, restated, or paraphrased. In such instances, pre-CUI markings must not be carried forward. If the information falls under the CUI Program, new documents containing the information must be marked in accordance with CUI directives.


Page 41: Review Criteria and NEI Public Meeting Slide

How Will NRC Processes be Affected?

Marking

– Legacy Documents (leaving agency)

– FOIA, Congressional, etc.

– Creating new CUI Documents

– Using Legacy documents to create a new CUI record

Safeguarding

– New CUI standards

Reporting

– Periodic

– Non-compliance

Inspecting

– Creating of Internal Audit Program

Page 42: Review Criteria and NEI Public Meeting Slide

Handbooks, Training and Tools

Job Aids for All Users

• Marking Handbook

• Safeguarding Handbook

• Category Specific Guidance

• Cover Sheets

• Awareness Posters

• Training Materials


Page 43: Review Criteria and NEI Public Meeting Slide


Current Status

CUI rule

– RULE Status

– Major concerns:

Training

– 180 days

– Promotional Videos

– Mandatory training / reporting

Final rule estimated release date

Final thoughts

Page 44: Review Criteria and NEI Public Meeting Slide

NRC Contact Information

Darren Ash - Senior Agency Official

Ron Gagnon – NRC CUI Program Manager

(301) 415-6873

Executive Agent

www.archives.gov/cui

Page 45: Review Criteria and NEI Public Meeting Slide

CONTROLLED UNCLASSIFIED INFORMATION