Plan would help agencies control sensitive data
Presidential order calls for a governmentwide policy for managing controlled unclassified information
Protecting sensitive information requires that the information first be identified, a job that the executive branch has not been doing well, according to a 2009 interagency study.
As a result, a 2010 executive order, charges the National Archives and Records Administration with creating a standard plan for categorizing controlled unclassified information (CUI) across executive branch agencies to replace what President Barack Obama called an inefficient, confusing patchwork of ad hoc policies.
E-mail security as a (not-so-simple) service
Agencies currently are reviewing their policies and will propose a catalog of categories to NARA this spring. An initial framework with a registry of CUI categories, along with associated markings and procedures for disseminating and decontrolling information, will be established by November.
The new CUI plan is the result of an interagency task force headed by the Justice and Homeland Security departments to determine whether a 2008 policy for sharing terrorism-related information should be expanded to all sensitive but unclassified (SBU) information in the executive branch.
The task force found more than 100 separate systems for handling SBU and concluded that “executive branch performance suffers immensely from interagency inconsistency in SBU policies, frequent uncertainty in interagency settings as to exactly what policies apply to given SBU information, and the inconsistent application of similar policies across agencies. Additionally, the absence of effective training, oversight, and accountability at many agencies results in a tendency to overprotect information, greatly diminishing government transparency.”
The task force recommended that these systems be replaced by a simple, concise and standardized framework for controlled unclassified information. The president responded in November 2010 with an order for NARA to establish it.
Agencies were given 180 days to review their own processes for handling sensitive information and report to NARA with their recommendations. NARA will forge the recommendations into a consistent policy with information-handling procedures, and agencies will have six months to come up with compliance plans, with estimated target dates for implementation.
NARA, along with the Office of Management and Budget, will establish deadlines for phased implementation and will publish annual reports for the next five years on progress. Reports will be published every two years after that.
Under the order, CUI policies will default toward openness, with an assumption that information should be made available. “If there is significant doubt about whether information should be designated CUI, it shall not be so designated,” the order states. Also, a CUI designation will not have any bearing on whether data should be released under the Freedom of Information Act.