Say hello to CUI and get ready to say goodbye to SUNSI. The commissioners of the Nuclear Regulatory Commission (NRC) have directed the staff to proceed with a rulemaking to implement the governmentwide Controlled Unclassified Information (CUI) program. One impact of this rulemaking will be to eliminate one of our favorite acronyms: Sensitive Unclassified Non-Safeguards Information (SUNSI). But we are still at least a year away from an official change because the staff doesn’t plan to issue a final rule until 2021.
By way of background, the US National Archives and Records Administration (NARA) published the governmentwide CUI rule on September 14, 2016 (81 Fed. Reg. 63,324), seeking to standardize the current patchwork of more than 100 agency-specific policies for handling sensitive unclassified information requiring safeguarding or dissemination controls. That rule (32 CFR Part 2002) establishes specific handling, incident management, inspection, and oversight requirements for covered information. The NRC CUI program will eventually replace the agency’s current SUNSI program, and will retain safeguards information (SGI).
In COMSECY-18-0022, the NRC staff identified two types of amendments to existing NRC regulations required to fully implement the NRC CUI program. First, NRC regulations explicitly use the old SUNSI nomenclature and must be updated to reference the new CUI program. Second, NRC’s current regulations create substantive conflicts with requirements in the governmentwide CUI rule. For example, document marking instructions in 10 CFR § 2.390 (the NRC’s Freedom of Information Act (FOIA) implementing regulation) and 10 CFR Part 73 (pertaining to SGI) are inconsistent with NARA requirements. Accordingly, the staff proposed to conduct a standard notice and comment rulemaking to codify the necessary amendments.
On January 18, 2019, the Commission approved the staff’s request to proceed with rulemaking as part of the NRC’s transition to the CUI program (SRM-COMSECY-18-0022). The staff expects to publish a proposed rule for public comment in FY 2020, and to submit a draft final rule to the Commission in FY 2021.
In terms of scope, the CUI rule only applies directly to executive branch agencies. The staff previously stated that “licensees would not need to change their handling” of internal licensee documents neither shared with nor received from the NRC. However, a footnote in COMSECY-18-0022 indicates the staff is considering whether efficiency and information protection goals would be best served by adopting consistent document marking requirements for all SGI, including internal-only licensee documents. When the proposed rule is published next year, licensees and other stakeholders should consider submitting comments on this topic.
Although COMSECY-18-0022, and the Commission’s approval thereof, provides additional detail regarding plans for the NRC’s CUI program, the rulemaking effort is just now beginning and the contours of the final program are still very much in flux. As we counsel NRC-regulated entities that handle sensitive information, we will continue to closely follow developments in this area.