Controlled Unclassified Information (CUI) is a new information security program utilized by the executive branch. Effective April 2023, the NRC’s plans to transition to a CUI program on November 1, 2023, have been delayed. This delay will support the NRC’s overall readiness to transition to CUI, while working towards minimizing the burden on NRC employees and external stakeholders, where practicable. Once a new transition date is established, the NRC will communicate the new date to all stakeholders well in advance. The CUI program is intended to standardize the way the executive branch handles unclassified information that, although unclassified, is still sensitive and merits special controls to prevent unauthorized access. It introduces a new framework for the entire executive branch to designate, mark, safeguard, and disseminate unclassified information that laws, regulations, or government-wide policies require or allow agencies to protect using safeguarding or dissemination controls.
The CUI program was established pursuant to Executive Order 13556, "Controlled Unclassified Information." The National Archives and Records Administration (NARA) has issued government-wide implementing regulations for executive branch agencies to implement the CUI program at 32 CFR Part 2002. The CUI Executive Agent (CUI EA) at NARA also issues guidance to executive branch departments and agencies that handle such information. NARA maintains a list of information categories that qualify as CUI at the CUI Registry.
The CUI program will be implemented at the NRC through the NRC CUI Senior Agency Official (SAO). The NRC SAO is responsible for ensuring the agency has sufficient policies and guidance in place for NRC staff and contractors that handle CUI. The CUI program will eventually replace the NRC's current Sensitive Unclassified Information and Non-Safeguards Information (SUNSI) program. SUNSI is an internal NRC program for the handling of sensitive information such as proprietary and confidential financial information, security-related information, personal privacy information, and information relating to investigations or allegations. Safeguards Information (SGI) will also be included within the scope of the NRC's CUI program, though all SGI controls codified in NRC regulations will remain in effect.
On November 12, 2021, the NRC's CUI Policy Statement was published in the Federal Register. On December 3, 2021, Management Directive 12.6, "NRC Controlled Unclassified Information (CUI) Program" (formerly titled "NRC Sensitive Unclassified Information Security Program") was published to describe the agency CUI program. It is important to note that implementation of the NRC's CUI program is not immediately effective upon the issuance of the updated MD 12.6. Until the NRC transitions to CUI, both the NRC’s SUNSI program and SGI program remain in place.
On December 8, 2022, the NRC issued Regulatory Issue Summary 2022-03 to inform all NRC external stakeholders of its plans to transition to CUI and of plans to establish formal CUI information-sharing agreements with non-executive branch entities. The NRC CUI SAO will continue to keep all NRC external stakeholders informed of any next steps as it prepares to implement a CUI program.