- Source: Controlled Unclassified Information
Controlled Unclassified Information (CUI) is a category of unclassified information within the U.S. Federal government. The CUI program was created by President Obama’s Executive Order 13556 to create a streamlined method for information sharing and safeguarding. The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA) of the National Archives and Records Administration (NARA), and is responsible for oversight of the CUI program. The ISOO monitors the implementation of the CUI program by executive branch agencies. CUI will replace agency specific labels such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES) on new data and some data with legacy labels will also qualify as Controlled Unclassified Information. Federal contractors who handle CUI will be required to self-assess (or, in some cases, require a government official to review) with the Cybersecurity Maturity Model Certification (CMMC) under the Cyber AB (Accreditation Board).
History
A Presidential memorandum of May 9, 2008, signed by President George W. Bush, assigned responsibility to the National Archives (NARA) for overseeing and managing the implementation of the CUI framework. This memorandum was rescinded by Executive Order 13556 of November 4, 2010, and the guidelines previously outlined within it were expanded upon to improve uniformity across all Federal agencies and to develop a standard policy regarding the controlled unclassification process itself.
In a similar previous effort, the U.S. House of Representatives passed the Reducing Information Control Designations Act, H.R. 1323, on March 17, 2009. The bill was referred to the Committee on Homeland Security and Governmental Affairs of the 111th Congress in the US Senate, but it was never passed by the Senate.
The doctrine, policy, and processes for Controlled Unclassified Information came out of a study and policy change proposal which originated within the Information Sharing and Collaboration Office of the Information Analysis and Infrastructure Protection Under Secretariat of the Department of Homeland Security in 2004. The term Controlled Unclassified Information (CUI) was coined by the authors of the study which reviewed over 140 various forms of unclassified information in use throughout the federal government at the time. Authors of the study recommended a new doctrine and policy framework and recommended that ISOO, within the NARA, be charged with implementing and overseeing the new doctrine and policy. At the time of delivery of the policy framework, NARA voiced objections to undertaking the effort due to a lack of resources. The policy recommendation continued to be worked within DHS and the rest of government as part of the Program Manager for the Information Sharing Environment, which moved from DHS to the ODNI. While the executive order, rescission of the order, and subsequent policy structure worked their way through the government, the timeline for the study/ analysis, creation of a draft policy and framework, the political processes, and the resulting policy implementation lasted from 2005 through 2017. The study was led by Grace Mastalli and Richard Russell.
The US Department of Defense has been handling "Controlled Unclassified Information" before the Presidential 2008 memorandum was published and NARA became the Executive Agent in 2010. The DoD term embraced a similar type of data category. However, the DoD and NARA differed then and now (2019) on specific categories of data defined as "CUI". DoDM 5200.01 Vol 4 defines DoD CUI policy until it is revised to align with NARA's definition. The Secretary of the Navy published SECNAV 5510.34 in November 1993 entitled Disclosure of Classified Military Information and Controlled Unclassified Information.
As of December, 2020, the Director of National Intelligence at the time, John Ratcliffe, issued a memorandum to the Assistant to the President for National Security Affairs asking the President of the United States (President Trump) to rescind EO 13556. In the memo, Director Ratcliffe referred to the policies as "exponentially more complex", and "vastly overcomplicated". According to the memo "As currently conceived, instead of simplifying and replacing a handful document markings with one new CUI marking, the CUI Program has expanded to over 124 categories in 20 groupings, with 60 Specified and 60+ Basic categories." He continued to express concerns from the Intelligence Community about significant cost, unclear guidance, and requested recision and a process for presidential action.
DNI Ratcliffe stated that the following rescission, support would be given to an Executive-branch review and replacement of the current FOUO and related markings to protect unclassified information. No extension of the previous December 31, 2020 timeline has been proposed, which has now passed, and it is currently unclear what action, if any, will be taken on this request.
The Department of Defense has clarified the policy on legacy markings such as FOUO. "Information previously marked as FOUO does not need to be re-marked as long it remains under DoD control or is accessed online and downloaded for use within the DoD." Based on CFR 32 Part 2002 each agency will develop the steps to handle legacy markings in their CUI programs.
Department of Defense Distribution Statements
The Department of Defense (DoD) has defined 6 distributions, A-F. Technically, Distribution A is not CUI, but Distributions B-F are. The distributions are defined as:
References
Kata Kunci Pencarian:
- Strok
- Controlled Unclassified Information
- Classified information in the United States
- Cybersecurity Maturity Model Certification
- Sensitive but unclassified
- Information Security Oversight Office
- Classified information
- Cui
- For Official Use Only
- Operations security
- Palantir Technologies