Authorizing Official Program

Overview

This webpage is intended to provide licensees, applicants, and other entities with preliminary information and resources to help navigate the communication and authorization process for a Nuclear Regulatory Commission (NRC) authorization to operate (ATO) a national security system (NSS). Classified information may not be processed or produced on an NSS unless the system and procedures to protect the classified information have been approved and authorized by the NRC’s Authorizing Official (AO), the Director of the Office of Nuclear Security and Incident Response.

Classified information is information requiring protection against unauthorized disclosure as defined by Executive Order 13526. NRC requirements for the protection of classified information on an automatic data processing NSS are set forth in Title 10 of the Code of Federal Regulations (10 CFR), Part 95.49 “Security of automatic data processing (ADP) systems,” and 32 CFR Part 117, “National Industrial Security Program Operating Manual” (NISPOM).

An ATO, as defined in the Committee on National Security Systems (CNSS) Instruction No. 4009, “Committee on National Security Systems (CNSS) Glossary,” is the official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the nation, based on the implementation of an agreed-upon set of security and privacy controls.

Documentation for this process may be held as non-public information due to the sensitivity of the content.

Step 1: Initial contact with the NRC

Licensees or applicants seeking a license should reach out to their assigned project manager to begin initial discussions regarding a request for an NSS ATO. The applicant will be asked to formally request an ATO via an official letter.

Based on this initial contact, the NRC will make a provisional determination of whether the licensee, applicant, or other entity has a need for access to classified information and will require a classified NSS in accordance with the applicable NISPOM requirements (32 CFR 117.9(c)(1)). The determination will consist of a review of the documents submitted as part of the NRC Facility Security Clearance process and discussions during the initial contact. NRC staff will ensure that access to classified information in connection with a legitimate U.S. government or foreign government requirement exists and that the access is consistent with U.S. national security interests as determined by the NRC. It is important to note that an entity must first be issued an NRC facility security clearance and be approved for the use/possession of classified information prior to a classified NSS being authorized.

Step 2: ATO Request Package

An ATO request prepared by a licensee, applicant, or other entity should include sufficiently detailed information to allow the NRC AO to initiate an assessment of cybersecurity control implementation as part of a risk-informed authorization decision. The NRC will review the request in accordance with 10 CFR 95.49 and 32 CFR 117.18 to determine whether the requestor is able to adequately protect the confidentiality, integrity, and availability of all classified information processed, stored, or transmitted on an NSS. The requestor is required to submit documentation based on the most current CNSS and National Institute of Standards and Technology (NIST) guidance to enable the NRC to make a risk-informed authorization determination. Additional documentation may be required based on the specific applicant’s operational environment.

The “List of Authorizing Official Program Guidance Documents” outlines the guidance used to ensure the entity can adequately protect the confidentiality, integrity, and availability of classified information processed, stored, or transmitted on an NSS.

Step 2A: ATO Review Process

The NRC will review the documentation and request clarification or additional information from the applicant, if necessary. The NRC will then conduct an on-site cybersecurity assessment, using a sample set of controls. The assessment will comprise a documentation review, interviews with appropriate security personnel, observation of procedures, verification of cybersecurity control implementations, and other activities as appropriate. NRC staff will use this information to develop an assessment report and associated documentation for review and approval by the NRC chief information security officer and the NRC AO.

Step 3: ATO Approval Process

The NRC AO will use the assessment report to make a risk-informed authorization decision. The authorization may include conditions that must be maintained by the applicant for the duration of the authorization period. Corrective actions in the form of plans of action and milestones or deviations may also be included. Once the authorization determination is made, the NRC will send a written notification of the determination to the requestor as defined in 10 CFR 95.15. The approval letter will specify the duration of the ATO and any conditions or corrective actions. The system and associated documentation may require regular assessments by the NRC as part of a continuous monitoring program.

Paperwork Reduction Act

This website provides voluntary guidance for implementing the mandatory information collections in 10 CFR Part 95 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These information collections were approved by the Office of Management and Budget (OMB), under control number 3150-0047. Send comments regarding this information collection to the FOIA, Library, and Information Collections Branch, Office of the Chief Information Officer, Mail Stop: T6-A10M, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001 or by e-mail to Infocollects.Resource@nrc.gov, and to the OMB reviewer at: OMB Office of Information and Regulatory Affairs (3150-0011 and 3150-0151), Attn: Desk Officer for the Nuclear Regulatory Commission, 725 17th Street, NW, Washington, DC, 20503.

Public Protection Notification

The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.

For Further Assistance

Mark MacDonald, Chief
Information Security Branch
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
Mark.MacDonald@nrc.gov

Mike Mangefrida
Information Security Branch
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
Michael.Mangefrida@nrc.gov

Zia Anderson
Information Security Branch
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
Zia.Anderson@nrc.gov

Page Last Reviewed/Updated Monday, August 4, 2025