For those persons who navigate the interesting world of classified or sensitive information, few, if any, would dispute the importance of protecting that information from individuals without a proper clearance or a legitimate “need to know.” One tragic day in 2001 changed the way we think about and share information, including sensitive information not deemed classified by intelligence-community standards.
The idea of Controlled Unclassified Information (CUI) was born out of necessity. The efforts behind CUI began in earnest in 2008 under the President George W. Bush administration as a way for “our Nation’s entire network of defenders to be able to share information more rapidly so those who must act have the information they need.” The attacks on Sept. 11, 2001, illustrated the critical need to share timely and accurate information among an assortment of communities – intelligence, public safety, defense, law enforcement, and state and local governments – resulting in the creation of the U.S. Department of Homeland Security. Under memorandum, the president directed the development of an executive branch CUI Framework.
The President’s Memorandum of May 27, 2009, directed a task force, led by the secretary of Homeland Security and the attorney general, to review the CUI Framework for the management of Sensitive But Unclassified (SBU) terrorism-related information. The task force undertook a 90-day study of the CUI Framework, the organizations managing SBU information in the executive branch, and, by extension, the sharing of that information with non-federal information-sharing partners.
The task force concluded that “Executive Branch performance suffers immensely from interagency inconsistency in SBU policies, frequent uncertainty in interagency settings as to exactly what policies apply to given SBU information, and the inconsistent application of similar policies across agencies. Additionally, the absence of effective training, oversight, and accountability at many agencies results in a tendency to over-protect information, greatly diminishing government transparency.”
Their conclusion was that “a simple, concise, and standardized CUI Framework with effective centralized governance and oversight has the best chance of both wide acceptance within the federal government and broad adoption throughout our State, local, tribal, and private sector partner communities. The successful expansion of the scope of the CUI Framework requires careful consideration of agency missions, requirements, and the processes by which SBU information is currently managed.”
In a broad sense, “CUI” refers to unclassified information that is intended to be sheltered from public exposure. The CUI designation replaces SBU and other comparable markings that usually originate at the agency level. The CUI effort, once finalized as a fully-sanctioned and operational program, will standardize the way the executive branch handles unclassified information, the foundation ensuring that protections must have a basis in “law, regulation, or government-wide policy.”
Executive Order 13556, published by President Obama on Nov. 4, 2010, rescinded the Presidential Memorandum of May 7, 2008, and created “Controlled Unclassified Information,” an Order established to ensure “an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.”
EO 13556 cited the “inefficient, confusing patchwork” that “has resulted in inconsistent marking and safeguarding of documents, [leading] to unclear or unnecessarily restrictive dissemination policies, and [the creation of] impediments to authorized information sharing.” The Order also designated the National Archives and Records Administration (NARA) to serve as the executive agent to implement this effort and to oversee governmental agency actions to ensure compliance with the Order. To this end, NARA, as codified under 32 CFR Section § 2002.6, delegated the CUI executive agent’s responsibilities to the Director of the Information Security Oversight Office (ISOO). Under this authority, ISOO staff carry out CUI oversight responsibilities and manage the Federal CUI program.
From 2008 to present day, executive-branch agencies have been working in close coordination with each other to build the CUI Framework across the U.S. government enterprise. A CUI advisory council was established to build the program and address affairs pertaining to phased implementation. A planning framework has been established. Policy and guidance documents are being developed and refined. Compliance systems are being introduced, to include instructions for oversight and the adoption of agency self-inspection programs.
But the long process and inter-agency coordination have not occurred without critics or concerns. The Order required that NARA develop and issue the implementing 32 CFR Part 2002 within six months, by the summer of 2011. The final CFR, however, was not issued until September 2016, and only after the function of resolving “non-concurs” received from the Departments of Justice and Homeland Security – ostensibly, the two major proponents of developing the Framework in the first place.
In October 2017, six executive-branch agencies expressed concerns in a letter to NARA/ISOO outlining six shared concerns that needed to be satisfactorily addressed prior to implementation of CUI.The first concern is cost. CUI is an unfunded program and considered by some agency representatives involved in implementation to be expensive. The estimates vary by opinion, with most of the outlays believed to be associated with information technology (IT) costs to ensure that CUI is appropriately marked and properly coded in systems. Additionally, because CUI will likely touch every federal employee, it will be necessary to properly train each of these employees in the use of the IT systems and the appropriate handling of each CUI product.
Markings and co-mingling with classified information are the drivers for much of the IT costs – the question is how best to integrate the already complex classified systems with the vastly more complex CUI system, and in exactly what way conflicts in classified markings are to be handled. For example, classified information could be releasable to allied nations, while CUI could have a restricted dissemination that does not allow further sharing. Notwithstanding all the problem-solving efforts that are likely to occur in unique situations, many believe that having an advanced framework in place before predicaments occur is the best solution.
Another cost-driver anxiety involves inspection programs and how oversight for those programs is deployed. For example, DHS, through the Office of the Chief Security Officer, manages a well-established Security Compliance Review (SCR) program that unites all security disciplines in a decentralized fashion to accomplish pre-scheduled reviews and assessments of all Headquarters and Component security programs, to include information security. Members of the SCR team are subject-matter security experts and operate in a decentralized structure. They assemble for SCRs on an as-needed basis, as an auxiliary duty. SCR team members maintain other full-time duties and responsibilities, but through coordination they can plan and schedule SCR participation accordingly. It’s important to note, however, that the focus of most information-inspection programs, including SCRs, is on classified information and associated protections. As the volume of CUI is anticipated to be much greater than that of classified information, such inspection programs will likely face unfunded requirements that may double or triple the workloads of persons currently doing the work.
The fact that agencies already protect sensitive information has posed a challenge as they attempt to acquire funding to implement a program represented as essentially cost-neutral. Agencies see the cost-neutral argument as simplistic: although agencies will protect the same information, they are required to overhaul their existing programs to continue to do so. Normally, if significant costs are involved as part of a CFR initiative, a formal economic evaluation and cost analysis would be included in the regulatory process. Because agencies currently protect sensitive information, “NARA certifies [in 32 CFR Part 2002], after review and analysis, that this rule will not have a significant adverse economic impact on a substantial number of small entities.” Accordingly, the regulation downplays the costs as minimal.
Those providing CUI implementation direction are likely to ignore the SCR-type platform structure and put the onus on existing or individualized compliance programs. The uniqueness of a compliance program in an unfunded-mandate environment effectively means that the administration of such a program will “come out of hide,” and would likely be accomplished by the very same people responsible for conducting reviews of classified programs. As such, there is a shared belief among subject-matter experts that agencies can anticipate less classified oversight.
Considering that the purpose of the program was to share information more efficiently and effectively, the unfunded nature of the CUI effort doesn’t address the costs to the state, local, tribal, and private-sector (SLTPS) partners or to the United States government by way of higher contracting costs. For example, 32 CFR 2002 requires the use of NIST 800-171 outside of the federal government. This guideline establishes requirements for the protection of CUI “while residing in nonfederal information systems and organizations.”
The difficulty created by this scenario causes what some believe to be financial harm to both executive agencies and SLTPS partners. For example, NIST 800-171 sets a baseline of moderate confidentiality for any non-federal system processing CUI. While industry can bake the added cost into contracts, SLTPS entities are now faced with compliance costs that they will have to pay “out of hide” or not receive CUI as part of a sharing agreement. The harshest effect is on DHS, as sharing information is one of that agency’s primary missions. Gone are the days when targeted information can only go to those who subjectively “may” need it. In a “need-to-know environment,” a risk-based decision is necessary in all information-sharing situations. With this fact in mind, the risk assessment of sharing information with SLTPS, regardless of what is shared, has been removed from DHS and placed on NARA, possibly betraying a core DHS mission.
A second concern that is shared by persons involved relates to CUI program governance. NARA/ISOO manages oversight of classified information programs under 32 CFR 2001. Other government agencies currently enjoy autonomy, within limits, to manage their classified programs and original classification authorities, with ultimate authority vested in the Interagency Security Classification Appeals Panel (ISCAP), which is chaired by NARA but has interagency membership. NARA acknowledges no similar construct with CUI. As codified, they are the undisputed executive agent. However, executive-branch agency representatives involved in CUI Program development and implementation admit there has been professional disagreement regarding how the program was established and the CFR developed.
The issue for agencies here is their ability to manage their statutory responsibilities. For classified formation, there is no ambiguity – authority originates with the president and flows to agency heads with ISOO taking an intermediary role. Much of CUI derives from agency statutory authorities directly from Congress to the agency. It is now believed that NARA interprets its position as the CUI executive agent as one that can now intervene in agencies carrying out these authorities. Some executive-branch agency representatives believe that Congress never intended for NARA to have such sweeping oversight authority in the CUI realm. As allied agency members, representatives prefer a clear and meaningful role for the CUI Advisory Council in moderating NARA authorities.
A third concern shared by some executive branch representatives involves the CUI Registry platform. Some consider the registry to be much too complex in its construction, resulting in confusion and misunderstanding. For example, the registry now contains over 100 categories and sub-categories of information, a large number that seems counterintuitive to the concept and goals of information-sharing.
The next concern involves risk mitigation. The Federal Information Security Management Act (FISMA), as it relates to CUI, puts the responsibility on the agency’s chief information officer to manage risk for agency systems and data. This may create a problem in some situations. For example, some CUI, such as investigative files, might be protected at “high confidentiality” as defined by NIST 800-53 (which applies to government agencies). The problem occurs with NIST 800-171, which is the no-longer-optional standard for contractors. Accordingly, agencies seemed to be faced with the decision of using non-contractors for anything requiring tailored IT controls or accepting the risks of working with contractors.
DHS is addressing this challenge by updating to the Homeland Security Acquisition Regulation (HSAR).The proposed HSAR assigns a decision into every DHS contract to essentially federalize any information system used for that contract, effectively allowing the Department the same ability to protect CUI on the contractor’s system as DHS would protect it on their federally-controlled systems. This effectively bakes an IT system decision into the contract and binds the contractors to follow the higher standard to which they contractually agree.
CUI must be contained in “law, regulation, or government-wide policy.” NARA interprets this to mean “written law.” This creates a problem for law enforcement agencies whose investigative practices, techniques, and sources have protections based in common law. This problem was first recognized by the 2009 CUI task force, which recommends a definition of CUI to include agency policy.
DHS rectified this issue through the HSAR, which lists the categories of information that DHS protects as part of agency policy. Since a final HSAR would be a codified regulation, it would likely meet NARA’s written-law requirement for ensuring CUI protections as part of agency policy.
Some agencies, including NARA, have informally suggested the Freedom of Information Act (FOIA) Exemption 7 as a solution to this problem. However, 32 CFR 2002 explicitly denies that CUI has any connection to FOIA. Comparable to the cost issue, ensuring a disconnect between CUI and FOIA was considered by some to be an effort to accelerate the task force’s review of the CFR. Any relationship to FOIA would have necessitated a more complex review and further scrutiny. This deviation is now problematic, because it creates a peculiar circumstance where information can be both non-CUI (i.e., not protectable) and exempt from disclosure under FOIA.
In summary, effective progress has been made by many people on CUI implementation. What began as a necessary and useful initiative resulting in clear presidential direction continues to develop almost 10 years later. The interagency CUI effort is both noble and worthwhile, and the solution seems reasonable. However, some involved feel that we are 16 years removed from 9/11, and CUI seems to be an expensive solution to a problem from 10 years ago – a familiarization problem that has been solved with time. That said, the concept of CUI has real merit, but reasonable people believe that more work is required and additional agreement necessary concerning the underlying statutes that currently protect information.