Coming on the heels of a non-classified but still highly sensitive Transportation Security Administration (TSA) screening manual having been posted online without first having been properly redacted, the presidential task force on Controlled Unclassified Information (CUI) this week concluded that Executive Branch performance suffers immensely from interagency inconsistency in Sensitive but Unclassified (SBU) terrorism-related information policies.

The task force’s findings, outlined in the Report and Recommendations of the Presidental Task Force on Controlled Unclassified Information, found that  there’s frequent uncertainty in interagency settings as to exactly what policies apply to given SBU information, and inconsistent application of similar policies across agencies.

Additionally, the absence of effective training, oversight, and accountability at many agencies results in a tendency to over-protect information, greatly diminishing government transparency, the task force report determined.

The May 27, 2009 presidential memorandum, Classified Information and Controlled Unclassified Information, directed the creation of the task force, led by the Secretary of Homeland Security and Attorney General, to review the CUI framework that was established in 2008 for the management of SBU terrorism-related information.

“The task force undertook a 90-day study of the CUI Framework, the current regimes for managing SBU information in the Executive Branch, and, by extension, the sharing of that information with non-federal information-sharing partners,” the report’s Executive Summary reads.

“Although the CUI Framework is intended to improve the sharing of only terrorism-related information,” according to the report, “the task force concluded that a single, standardized framework for marking, safeguarding, and disseminating all Executive Branch SBU is required to further the goals of:

• “Standardizing currently disparate terminology and procedures (represented by over 107 distinct SBU regimes);
• “Facilitating information-sharing through the promulgation of common and understandable rules for information protection and dissemination; and
• “Enhancing government transparency through policies and training that clarify the standards for protecting information within the Framework.

“A simple, concise, and standardized CUI Framework, with effective centralized governance and oversight has the best chance of both wide acceptance within the federal government and broad adoption throughout our state, local, tribal, and private sector partner communities,” the report concluded, adding “the successful expansion of the scope of the CUI Framework requires careful consideration of agency missions, requirements, and the processes by which SBU information is currently managed.”

“Our review of policies and procedures for access to and sharing of sensitive but unclassified information across the US Government revealed a need for a more open, standardized approach,” said Homeland Security Secretary Janet Napolitano. “The task force recommendations, coupled with newly-dedicated federal-wide resources to support fusion centers, will improve information sharing, transparency and engagement with our partners in state and local law enforcement as we work together to combat terrorism, violent crime and other dangerous threats to the homeland.”

“Our recommendations will allow the federal government to be more open and transparent while still meeting our first priority of keeping the American people safe,” said Attorney General Eric Holder. “By streamlining and modernizing the system for designating, marking and handling sensitive information, we can achieve the appropriate balance between the public’s right to access information and the government's imperative to maintain the security and privacy of all Americans.”

Overall, the task force report proposes 40 actions that are intended to mitigate current inconsistencies among SBU information policies in federal agencies by simplifying and consolidating procedures – all of which the report found shoud enhance standardization, information sharing, government transparency, and protection of information only where there is a compelling requirement to do so. The recommendations also seek to balance the imperatives of protecting legitimate security, law enforcement, privacy and civil liberties interests.

Presently there are more than 100 different SBU markings and handling procedures in use across the federal government. The report recommends that all SBU markings be replaced with one, simplified set of markings—“CUI”—which will be standardized under the CUI Framework. Additional recommendations include simplifying the definition of CUI; clarifying that CUI markings have no bearing on releases either under the Freedom of Information Act or to Congress; and phasing in implementation of the expanded scope of the CUI Framework.

President Obama initiated the review on May 27 with a Presidential Memorandum directing Secretary Napolitano and Attorney General Holder to lead a 90-day review of current procedures for categorizing and sharing SBU information. If implemented, the recommendations would revise the 2008 Presidential Memorandum that established the CUI Framework for handling and disseminating CUI information.

“The task force proposal is an admirable effort to bring order to a chaotic information environment, but it has some rough edges, and some unresolved internal contradictions,” wrote Steven Aftergood, director of the Federation of American Scientists’ Government Secrecy Project, in Secrecy News.

“The proposed definition of CUI seems disturbingly lax: ‘All unclassified information for which, pursuant to statute, regulation, or departmental or agency policy, there is a compelling requirement for safeguarding and/or dissemination controls.’ Putting ‘departmental or agency policy’ on a par with statutes or regulations could potentially open the door to all kinds of arbitrary or improvised controls on information.

“More fundamentally,” Aftergood stated, “it is hard to see how the task force proposal could achieve its central goal of eliminating all non-CUI controls on unclassified information. The task force report itself states that ‘decontrol of CUI’ does not by itself authorize public disclosure; it only means removal from the CUI Framework. But if information that has been removed from the CUI Framework does not necessarily have to be disclosed, this means that decontrolled information can still be controlled!”

Additionally, “the report properly takes pains to distinguish information control under the CUI regime from the statutory disclosure requirements of the Freedom of Information Act, which cannot be altered by executive fiat,” Aftergood continued. ‘At no time, pre- or post-control, is a CUI marking itself determinative of whether it may be released,’ the report stated. But this implies, oddly, that information marked as CUI may sometimes be released, while information that is no longer CUI may sometimes be withheld. And if it is withheld, one must also expect it to be marked with a (non-CUI) control marking.

“In short, the CUI concept still has some wrinkles that remain to be ironed out.”

Other problems cited are the task force’s recommendation of a ten-year life cycle for CUI that is not otherwise subject to defined disclosure deadlines, and a baseline assessment of the volume of current SBU activity, which Aftergood said “is probably unachievable or at least not worth the effort involved.”

Staffing and resources for the "Executive Agent" that manages the new CUI Framework bureaucracy also are uncertain, even though they will likely to be crucial - even decisive, Aftergood pointed out -  in the success of the proposed policy.

The Task Force proposal is "a good foundation," according to a senior administration official, but the final policy "needs to be more forward-leaning.”

Meanwhile, the Departments of Defense and Homeland Security and the Intelligence Community have indicated they plan to use the CUI Framework for all sensitive but unclassified information.

Elsewhere, the Constitution Project urged the administration “to clarify that this system should be governed by a presumption of openness, and to develop additional oversight tools and enforcement mechanisms to ensure that these policy recommendations are effective.”

"The new Task Force recommendations will go a long way toward promoting transparency and limiting the use of control markings on government documents," said Sharon Bradford Franklin, senior counsel at the Constitution Project in an emailed statement. "However, we urge the administration to adopt an explicit presumption of openness, and to put more teeth into its new policy. The CUI reforms should include safeguards such as regular audits and a process for the public to challenge control markings."

The Constitution Project applauded the task force’s position that CUI markings should have no bearing on determinations of whether a document should be released under the Freedom of Information Act (FOIA), and that a CUI marking is not a basis for withholding a document from Congress or the courts.

The task force, which involved senior representatives from 12 federal agencies, met with representatives both within and outside the information sharing environment; state, local and tribal partners; privacy and open government organizations; and members of Congress. The task force also analyzed previous studies of SBU and the efforts of the CUI Council.