Controlled Unclassified Information (CUI)

1
Controlled Unclassified Information (CUI), the
New Marking System What's Ahead for DoD and
DTIC? April 6, 2009 Ms. Roberta Schoen
2
Controlled Unclassified Information (CUI), the
New Marking System What's Ahead for DoD and DTIC?

• Ms. Deborah Ross
• Deputy Director, Information Security Policy
• Office of the Under Secretary of Defense
  (Intelligence)
• Ms. Roberta Schoen
• Director of Operations
• Defense Technical Information Center

3
Controlled Unclassified Information (CUI)

• Deborah RossDeputy Director, Information
  Security PolicyOffice of the Under Secretary of
  Defense (Intelligence)
• 6 April 2009

4
Overview

• Standardization Needed
• Authorities
• CUI Criteria
• Markings
• Exceptions
• Governance Structure
• CUI Council
• National Actions
• National FY09 Priorities

5
Overview

• National Timeline
• Guiding Principles
• DoD Actions

6
Standardization Needed

• CUI is shared according to an ungoverned body of
  policies and practices that confuse both its
  producers and users
• Across the Federal Government there are at least
  107 unique markings and over 130 different
  labeling or handling processes and procedures for
  CUI
• Inconsistency in CUI policies increases the
  likelihood of erroneous handling and
  dissemination of information
• Inconsistency in CUI policies hampers the sharing
  of information across the US Government and with
  State, Local, and Tribal entities.

7
Authority

• Section 1016 of the Intelligence Reform Terrorism
  Prevention Act (IRTPA)
• The President shall
• create an information sharing environment (ISE)
• ensure that the ISE provides and facilitates the
  means for sharing information among all
  appropriate entities through the use of policy
  guidelines and technologies

8
Authority

• Guideline 3, Presidential Memorandum, December
  16, 2005
• To promote and enhance the effective and
  efficient acquisition, access, retention,
  production, use, management, and sharing of
  sensitive but unclassified (SBU) information,
  including homeland security information, law
  enforcement information, and terrorism
  information, procedures and standards for
  designating, marking, and handling SBU
  information (collectively SBU procedures) must
  be standardized across the Federal government.
• -Guideline 3, December 16, 2005
  Presidential Memorandum

9
Authority

• Presidential Memorandum, May 9, 2008, Designation
  and Sharing of Controlled Unclassified
  Information
• Replaces the term SBU with CUI
• Defines CUI
• Unclassified information that does not meet the
  standard for National Security Classification
  under Executive Order 12958, as amended, but is
  pertinent to the national interest of the United
  States or originated by entities outside the U.S.
  Federal government, and under law or policy
  requires protection from disclosure, special
  handling safeguards, and prescribed limits on
  exchange or dissemination
• - Presidential Memorandum,
  May 9, 2008, Designation and Sharing of
  Controlled Unclassified Information

10
Authority

• Establishes a new CUI Framework
• Standardizes practices to improve information
  sharing
• Designates the National Archives and Records
  Administration (NARA) as the Executive Agent to
  oversee and implement

11
CUI Criteria

• Information shall be designated as CUI based on
• Statute, or
• Agency head determination
• Information shall not be designated as CUI
• To conceal violations of law, inefficiency, or
  administrative error
• To prevent embarrassment to the US Government,
  any US official, organization, or agency

12
CUI Criteria

• To improperly or unlawfully interfere with
  competition
• To prevent or delay the release of information
  that does not require such protection
• If it is required by statute or Executive Order
  to be made available to the public or
• If it has been released to the public under
  proper authority.

13
Markings

• CUI Markings
• Two safeguarding levels Controlled or
  Controlled Enhanced
• Two dissemination levels Standard or Specified
• Overall CUI marking will convey the safeguarding
  and dissemination levels of the document
• All CUI will carry one of three overall markings

14
Markings

• CONTROLLED WITH STANDARD DISSEMINATION
• CONTROLLED WITH SPECIFIED DISSEMINATION
• CONTROLLED ENHANCED WITH SPECIFIED DISSEMINATION

15
Exceptions

• CUI Exceptions
• CUI Framework shall be used for excepted
  information to the maximum extent possible
• CUI Framework shall not interfere with regulatory
  requirements for marking, safeguarding, and
  disseminating
• Exceptions will be listed on a CUI Register
• Any regulatory marking shall follow the most
  applicable CUI safeguarding marking along with a
  specified dissemination instruction

16
Exceptions

• Known Exceptions include
• 6 CFR Pt. 29 - PCII (Protected Critical
  Infrastructure Information)
• 49 CFR Pts, 15 (DOT) 1520 (DHS/Transportation
  Security Administration) - SSI (Sensitive
  Security Information)
• 6 CFR Pt. 27 - CVI (Chemical Vulnerability
  Information)
• 10 CFR Pt. 73 - SGI (Safeguards Information)

17
Governance Structure

• CUI Governance Structure
• CUI Executive Agent NARA
• CUI Council Membership drawn from within the
  existing Information Sharing Council
• Departments and Agencies Responsible for
  implementing and overseeing compliance with the
  CUI Framework

18
National Actions

• National actions since May 9, 2008
• May 21, 2008 Archivist of the United States
  established the CUI Office
• June 30, 2008 Director of CUI Office sent a
  letter out to Departments and Agencies
  introducing the Executive Agent and tentative
  plans for implementation of the Framework

19
National Actions

• July 9, 2008 PM-ISE activated the CUI Council
  as a subcommittee of the Information Sharing
  Council (ISC) and requested designees
• August 2008 CUI Office launched its website at
  www.archives.gov/CUI
• September 2008 CUI EA began developing
  implementing guidance

20
National-Level FY09 Priorities

• National-level FY09 Priorities
• Develop a Centralized Implementation Plan
• Set priorities for implementation
• Establish milestones for alignment to CUI
  Framework
• Establish training schedule
• Develop Implementation Policies
• Define Safeguarding Standards
• Define Department/Agency CUI Dissemination
  Policies

21
National-Level FY09 Priorities

• Develop detailed guidance on CUI life cycle,
  portion marking, and application of CUI Framework
  to archived information
• Establish Centralized CUI Training (CUI 101)
• Begin to Develop Department/Agency-specific
  Implementation Plan
• Establish Department/Agency-specific CUI Training
  (CUI 201)

22
CUI Framework Implementation Timeline Overview
(as of 11/17/08)
Guiding Documents CUI Council Meetings
CUI Council Initial Meeting Aug 21
Every 3rd Thurs as needed
Stand-up
CUIC Sep 18
CUIC VM Nov 19
Full Implementation of CUI Framework May 2013
Departments Agencies Identify reps
Outreach Phase
Department Agencies submit Plans to CUIO
Data call due Sep 8
CUIC Oct 16
CUIC Dec 4
Planning Phase
Implementation Phase
Date May 08 Jun
Jul Aug Sep 08 Oct
Nov Dec 08Sep 09 Oct 09
Oct 10
Oct 11 Oct 12
FY 08 FY09
FY10
FY
11 FY12 FY
13
Phase Stand-up Initial Outreach
Planning

Implementation Phase I
Implementation Phase II
Dept Agency Letter Jun 27
FY10
FY11
FY12 FY 13
FY09
Monitor Department Agency compliance
with CUI policy, standards, and
markings Evaluate effectiveness of CUI
Implementation Policy and Guidance Update
Policy and Guidance as necessary Annual
Report
Alignment of Policy Markings with
Exceptions Alignment of Regulatory
Markings Confirm necessary changes to
regulation and statute Annual Report
Presidential CUI Memo May 9
NARA CUI Memo May 21
CUIO at PM- ISE PR Aug 28
Finalize Department Agency Plans Activate
Registry Initiate CUI 201Training Identify and
designate CUI Alignment of Policy-based
Markings Begin federal rule-making
process Annual Report
Milestones and Plan Draft Implementing Guidance
Safeguarding Dissemination Designating
Marking Initiate CUI 101Training Design
Registry Review Department Agency
Plans Annual Report
CUI Council Letter Jul 9
Background CUI Framework May 20
CUIO Review Data call Updates/ Outreach
CUIO Brief to ISC Jul 16
Outreach to Departments Agencies Jun-Aug
Updated data call to Departments Agencies Aug
8
23
Guiding Principles
Sharing CUI will be shared as broadly as possible.
Protection CUI will be appropriately protected.
Rationalization CUI policy will be developed with deliberate consideration to managing risk and information sharing.
Flexibility CUI policy development will respond to changes through centralized management and distributed execution.
Inclusiveness CUI policy will address the needs of all ISE partners, both users and producers of information, taking into account all media types.
Standardization CUI policy will be standardized so all participants are governed by uniform definitions and practices.
Transparency CUI policy will be developed with input by State, local, tribal, and private sector entities and comment by the public.
24
DoD Actions

• DoD Actions
• Participating as a member of the CUI Council
  (OASD(NII)/DoD CIO primary, OUSD(I) alternate)
• Leading a DoD CUI Task Force
• Exploring enterprise solutionsMarking Software
• Developing a DoD Transition Plan that addresses
  all DoD CUI
• Planning resources

25
DoD Actions

• Coordinating with Intelligence Community effort
  to avoid duplication and align implementation
  schedules
• Informing DoD at large
• Joint OASD(NII)/DoD CIO and USD(I) memorandum
• Currently staffing a USD(I) memorandum addressing
  status of national policy and existing DoD CUI
  policy
• Positioning detailees at the NARA CUI Office to
  represent DoD interests

26
Take Aways

• Do NOT implement the national level
  policycontinue to follow guidance in DoD
  5200.1-R
• Express your issues/ideas to your CUI
  representative within your DoD organization
• If you are responsible for implementing within
  your organization begin planning implementation
  to include resources

27
Controlled Unclassified Information (CUI), the
New Marking System What's Ahead for DoD and DTIC?
Controlled Unclassified InformationAn STI
View April 6, 2009Roberta Schoen
28
General CUI Points

• CUI is what used to be called Sensitive But
  Unclassified (SBU) or Unclassified Limited
  information
• Most Scientific/Technical CUI will be at the
  Controlled Standard Dissemination or Controlled
  Specified level
• Controlled Enhanced Standard Dissemination is
  handled in a more controlled manner than regular
  unclassified - for Witness Protection, etc.

29
General CUI Points

• Memo signed by the White House in May 2008
• National Archives and Records Administration
  (NARA) is the Executive Agent, 23 agencies are
  in the discussions
• Processes and markings are still under
  construction
• 2010 Implementation for Intelligence Community
• 2013 for the rest of DoD

30
Problems with Current System

• At least 107 different markings across the
  government
• The same marking sometimes means different things
  
• SBU
• FOUO
• People dont know the current marking rules for
  classified or controlled unclassified information
• Markings are too restrictive for sharing

31
General

• Note that DoD is only one of many agencies and
  Scientific/Technical Information is only one area
  of documents
• Also Includes
• Intelligence
• Law enforcement
• Acquisitions
• Contracting
• Personnel/Medical records
• Operational Warfighter information
• Etc.

32
General Implementation

• Secretary of Agency must submit dissemination
  markings to be registered
• We are hoping that the first markings DoD will
  submit are from DoDD 5230.24, the STI markings
• Document cover marking and possibly Portion
  marking
• When a document is delimited, it does not
  automatically become Public Release still needs
  PA Review
• Money for conversion/implementation so far, no
  new monies
• Training part of yearly security training for
  DoD, not clear about contractors

33
CAPCO Compliance

• Controlled Access Program Coordinate Office
  (CAPCO)
• Intelligence community office dealing with
  standards, markings, and metadata
• Enterprise Marking Tool will be CAPCO-compliant
• CUI markings will be added to the current CAPCO
  markings

34
Progress So Far

• NARA-level Subgroups include
• Safeguarding
• Dissemination
• Marking
• Life Cycle
• Exceptions
• Dispute Resolution Process
• DoD-level CUI meetings
• DoD Enterprise Marking Tool Group

35
Some Outstanding Issues

• Will this improve sharing?
• Everything must be marked? Lists of laundry
  items in the field?
• Will the proposed rules be too classification-base
  d? (Too complicated?)
• Who starts 2010 vs 2013? How handle in the
  interim when libraries receive both types of
  documents?

36
Issues Over Life Cycle

• Conflict Resolution within DoD
• Legacy documents
• When do they need to be re-marked?
• Will there be information on the document to tell
  when to de-limit?
• DoD will need a cross-matching from old to new
  markings
• Will there be a mandatory review over time?
• Central Authority to tell when changed?
• How handle Unclassified with no other markings?
  (Markings removed but not reviewed by PA yet)

37
Dissemination Markings

• Reality is in the details
• How many and which current markings will be
  registered as legal Specified Dissemination
  markings?
• Most items are supposed to be Standard
  Dissemination
• For Official Use Only (FOUO)
• Include Distribution F (always ask owner)?
• Include Distribution C (Government and
  Contractor)?

38
Controlled Unclassified Information (CUI), the
New Marking System Whats Ahead for DOD and
DTIC?

• Questions?

39
Points of Contact
Ms. Roberta Schoen DTIC (703) 767-8064, DSN
427-8064 rschoen_at_dtic.mil Ms. Deborah
Ross OUSD(I) (703) 607-0323 deborah.ross_at_osd.mil