A new whitepaper by the Intelligence and National Security Alliance (INSA) addresses concerns surrounding information security. Getting it Right: Establishing Uniform Policies for Controlled Unclassified Information, prepared by INSA’s Security Policy Reform Council, identifies nine different challenges that the National Archives’ Information Security Oversight Office (ISOO) must address during the implementation of the federal Controlled Unclassified Information (CUI) program. Failure to do so, the paper argues, will result in an inconsistent adoption of the program across government and a significant increase in program costs.
According to the National Archives, CUI is “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
INSA says the handling of this information is complicated by the existence of 124 categories of CUI within 20 distinct organizational groups. Its research found that although the Archives is developing consolidated CUI guidance for all government agencies, more than 100 executive branch departments and agencies maintain their own practices for CUI. As a result, “a patchwork of rules dictates how this information must be categorized, stored, handled, disseminated, and destroyed”.
According to the white paper, individual agencies are struggling to implement the Archives’ guidance, “making it likely that the new rules will be inconsistently interpreted and applied”. Federal contractors typically support multiple government agencies and must therefore ensure their internal computer systems and their document handling and storage practices comply with this broad range of sometimes conflicting rules and procedures.
INSA lists the nine key challenges identified in the paper as:
Agencies Lack Resources and Incentives to Implement New CUI Rules
The implementation of new CUI rules is not a priority for most agencies, and few have allocated sufficient resources to implement them. ISOO acknowledged as much in its FY2018 Report to the President, writing, “Many agencies are struggling to issue their CUI implementing regulations, submit CUI budget proposals to OMB, implement the program’s marking requirements, and staff their agency’s CUI Program sufficiently. Solutions to these challenges will require senior agency leadership to prioritize implementing the CUI Program. ISOO assesses that agencies will not be able to fully implement the CUI Program without dedicated funds and sufficient levels of full-time staff.”
Absence of Standards for Access to CUI
In the realm of classified information, personnel who pass thorough background investigations are granted security clearances with access to specific categories of information. The investigations and tiered levels of access (e.g., a Secret vs. a Top Secret clearance), which are recognized across government and industry, afford greater protection to more sensitive information. However, no such system exists to govern access to CUI and its 124 categories of information.
Lack of Clarity Regarding Implementation and Compliance Costs
Additional and enhanced CUI requirements will increase overhead costs for contractors, which will inevitably result in higher contract prices for government. This will be especially true for programs designated critical and subject to “Advanced Persistent Threats (APT),” which will require enhanced contractor personnel vetting, access control, and training systems.
Lack of Consistency in CUI Implementation
More than 100 executive branch departments and agencies maintain their own practices for handling CUI. Current internal government audits show that consistent CUI implementation guidance and program controls are absent both within and across individual contracting entities.
Ownership of Proprietary Information
There are concerns about how contractors can protect their own data and intellectual property. For example, it is unclear whether a federal agency may have the right to designate as CUI a contractor’s proprietary information, design data, process details or other intellectual property if it was used in the preparation of a deliverable to the government. The mere concern that proprietary tools and information could become off-limits to non-government or foreign clients may make contractors reluctant to provide such insights to government clients.
Lack of Clarity in Sharing CUI with Subcontractors
CUI protections are expected to flow down to all subcontractors and vendors. Several supply chain concerns, and their potential resolution, have yet to be adequately identified. Additionally, many large-scale integrators may not know (or be able to identify) subcontractors below the first or second tier, making it difficult to control the dissemination of CUI-designated information to lower-tier organizations that need such data to design component parts or software.
Recategorizing Legacy CUI Information
The National Archives’ current plan focuses on CUI designations and markings for future data, with no stated requirement to re-mark legacy categories of controlled data.
Undefined Statutory Authorities, Rules, and Mechanisms Regarding Compliance Management
Compliance concerns include the responsibility for audit/control of CUI requirements, compliance, and enforcement; dispute resolution mechanisms for CUI conflicts between (or within) individual federal entities; and mechanisms to compel CUI compliance other than contract termination.
Confusion Causing Slow and Inconsistent Adoption of New Rules
Despite the National Archives’ outreach and education, the absence of whole-of-government governance, uniform standards for access, specific implementation guidance, and dispute resolution mechanisms will continue to limit overall acceptance and adoption.
INSA says the impact of these concerns will be especially high for small firms that cannot afford large-scale infrastructure investments and for companies that support multiple departments and agencies with conflicting policies, requirements, and compliance activities. If the issues are not addressed, INSA’s experts believe industry’s ability to execute contracts in a cost-effective and efficient manner will suffer. “Without specific, uniform, and comprehensive implementation guidance and cost recovery options from ISOO, industry may be unable to meet the intent of the requirements without significant (and time-consuming) additional investments, resulting in program delays and increased costs right from the start.”