Implement the Controlled Unclassified Information Program (US0068)
Overview
At-a-Glance
Action Plan: United States Action Plan 2015-2017
Action Plan Cycle: 2015
Status:
Institutions
Lead Institution: The National Archives
Support Institution(s): Federal Acquisition Regulatory Council
Policy Areas
Access to Information, Open Data
IRM Review
IRM Report: United States End-of-Term IRM Report 2015-2017, United States Mid-Term Report 2015-2017
Early Results: Did Not Change
Design
Verifiable: Yes
Relevant to OGP Values: Yes
Ambition: High
Implementation
Description
The National Archives will continue implementation of an open and unified program for managing unclassified information that requires safeguarding or dissemination controls that are consistent with law, regulations, and government-wide policies, which is known as Controlled Unclassified Information (CUI). The National Archives will issue implementation guidance, establish phased implementation schedules, and publish an enhanced CUI Registry that designates what information falls under the program. In addition, the National Archives will work with the Federal Acquisition Regulatory Council to propose a Federal Acquisition Regulation rule to apply the requirements of the CUI program to contractors, grantees, and licensees.
IRM Midterm Status Summary
For details of these commitments, see the report: https://www.opengovpartnership.org/documents/united-states-mid-term-report-2015-2017/
IRM End of Term Status Summary
Commitment 16. Implement the Controlled Unclassified Information Program
Commitment Text:
Implement the Controlled Unclassified Information Program
The National Archives will continue implementation of an open and unified program for managing unclassified information that requires safeguarding or dissemination controls that are consistent with law, regulations, and government-wide policies, which is known as Controlled Unclassified Information (CUI). The National Archives will issue implementation guidance, establish phased implementation schedules, and publish an enhanced CUI Registry that designates what information falls under the program. In addition, the National Archives will work with the Federal Acquisition Regulatory Council to propose a Federal Acquisition Regulation rule to apply the requirements of the CUI program to contractors, grantees, and licensees.
Responsible Institution: National Archives and Records Administration
Supporting Institutions: CUI Advisory Council and Federal agencies possessing controlled unclassified information (CUI)
Start Date: Not Specified
End Date: Not Specified
Commitment Aim
Prior to the action plan, no common protocols existed for safeguarding sensitive information that was unclassified but required special controls. This commitment aimed to implement a program for managing this Controlled Unclassified Information (CUI). [207] It would issue implementation guidance and schedules. It would also publish a registry designating which information is covered by the CUI Program. The commitment further aimed to propose a regulation applying CUI requirements to contractors, grantees, and licensees.
Status
Midterm: Not Started
At the midterm, the government had not made any visible progress on this commitment.
End of term: Substantial
At the end of term, this commitment was substantially complete.
The government issued implementing guidance for the Controlled Unclassified Information (CUI) Program in the form of CUI Notice 2016-01 on 14 September 2016. [208] The guidance served as a complement to final rule 32 CFR Part 2002 on Controlled Unclassified Information. That rule was published by the National Archives and Records Administration’s (NARA) Information Security Oversight Office (ISOO) on the same date, with an effective date of 14 November 2016. [209] Section 2002.10 of the rule designates the CUI Registry as the central repository for all information on CUI, including guidance, policy instructions, and decontrolling procedures. Various sections of the rule pertain to government contractors, grantees, and licensees, whose access to and use of CUI must be subject to information-sharing agreements under the rule. CUI Notice 2016-01 requires parent agencies to “publish an implementing policy for the CUI Program.” More specifically, these policies must identify the responsible office or organization within each agency, as well as their CUI senior agency official and program manager. The policies must also establish a reporting system for CUI-related incidents, establish an agency-level self-inspection program, and establish CUI training requirements and safeguarding procedures. [210]
The final rule “establish[es] policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements.” It also applies to all federal agencies that deal with CUI and “which operate, use, or have access to Federal information and information systems on behalf of an agency.” [211] Agencies are required to develop and administer the aforementioned CUI training programs to all agency employees within 180 days of the effective date of a given agency’s CUI policy. Agencies must also verify that safeguarding requirements described in 32 CFR Part 2002 are met. Within 360 days of the effective date of the rule (14 November 2016), agencies must also establish a transition plan for configuring CUI systems in line with the requirements. Within two years of this same date, agencies must develop and begin to implement the aforementioned self-inspection programs. Collectively, these specifications constitute the phased implementation guidelines outlined in the commitment.
Under CUI Notice 2016-01, agencies are also required to report annually on their progress to the NARA, with the first annual report due on 1 November 2017. [212] Moreover, on 7 April 2017, the director of the ISOO issued a memorandum for heads of executive departments and agencies. The memorandum requested interim progress reports on agencies’ implementation of the CUI Program be submitted to the NARA by 31 May 2017. [213] However, the IRM researcher was unable to confirm how many agencies submitted such reports.
Beyond these activities, the NARA has published the CUI Registry on its website. [214] As described on the site, the CUI Registry represents “the Government-wide online repository for Federal-level guidance regarding CUI policy and practice.” The registry serves as a guide to information under the CUI Program.
By the end of term, a stand-alone Federal Acquisition Regulation (FAR) applying the requirements of the CUI Program to contractors, grantees, and licensees had not been finalized. According to a NARA status update, the FAR has been under development through weekly meetings within the FAR Council for a year and is now expected in FY2019. [215] In light of the commitment’s explicit reference to the US government proposing a FAR, this commitment is considered to be substantially complete.
Did It Open Government?
Access to Information: Did Not Change
As described in the regulation 32 CFR Part 2002, “prior to the CUI [Controlled Unclassified Information] Program, agencies often employed ad hoc, agency-specific policies, procedures, and markings to handle this information. This patchwork approach caused agencies to mark and handle information inconsistently, implement unclear or unnecessarily restrictive disseminating policies, and create obstacles to sharing information. . . . An executive branch-wide CUI policy balances the need to safeguard CUI with the public interest in sharing information appropriately and without unnecessary burdens.” [216]
By outlining the federal government’s method of handling and disseminating CUI, the guidelines carried out under this commitment lay the groundwork for facilitating greater public access to CUI. This will help remedy the core CUI-related accessibility issues described above in the regulation. That said, the Information Security Oversight Office (ISOO) acknowledged in February 2018 that the full implementation of the new CUI policies will require three to four years. [217] Comments provided to the IRM researcher by Steven Aftergood, project director at the Federation of American Scientists (FAS), echo this concern. Aftergood noted that “the development of a new policy on [CUI] has been more arduous and more time-consuming than anyone inside or outside of government expected.” [218] Moreover, several agencies have also raised issues that must be resolved before implementation, such as lack of funding and gaps in coverage of certain kinds of information. [219]
While the implementation of the new policies could help to ensure that CUI is handled efficiently, it does not guarantee an increase in the quantity of information released. The ISOO emphasized that the new program should result in more transparency. However, the FAS Project on Government Secrecy pointed out it remains to be seen if this will be the case. [220] Aftergood noted to the IRM researcher that “the implications of CUI for transparency and public access to information are uncertain. Positive features include clear articulation of criteria for CUI, which must be based on statute, regulation or established policy. Other controls that lack such an identifiable basis will be disallowed. However, the number of authorized CUI categories and subcategories has now ballooned to more than 400 distinct items, which is a much larger number than public observers had anticipated.” Aftergood concluded that even if the CUI program is fully implemented, it is not clear that there will be a net increase in transparency.
On the other hand, NARA clarified that the CUI program no longer has subcategories, only categories. [221] According to the change log of the CUI Registry, the government revised the registry’s taxonomy on 2 April 2018 “for simplification and to better meet agency needs.” [222] Moreover, NARA noted that these categories are based on statute, federal regulation, and government-wide policy (i.e., not just any regulation or policy). As a result, NARA insisted that there has been no increase in the amount of information that requires protection as a result of the program. Rather, CUI is limited to the types of unclassified information that already required protection previously. In other words, according to NARA, the CUI program merely pulls together the information types that agencies were already obliged to protect into one place by category. [223]
NARA also noted that there are only roughly 100 categories of CUI. Indeed, upon reviewing archived versions of the CUI Registry’s list of categories and subcategories, the IRM confirmed that the total number of classifications—even before the change in taxonomy that eliminated the “subcategory” level—lingered around 100. [224]
Carried Forward?
At the time of writing, the US government had not published its fourth national action plan, so it is unclear if this commitment is carried forward. In the future, it will be important for the government to continue to implement the new CUI guidelines. It should also continue taking concrete actions to ensure that agencies use the new system to make more information available to the public.
[207] CUI is “unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and [g]overnment-wide policies.” See “CUI,” National Archives and Records Administration, https://www.archives.gov/cui, last updated 4 October 2017, consulted 4 October 2017.
[208] National Archives and Records Administration, Information Security Oversight Office, CUI Notice 2016-01: Implementation Guidance for the Controlled Unclassified Information Program, 14 September 2016, https://www.archives.gov/files/2016-cuio-notice-2016-01-implementation-guidance.pdf, consulted 11 September 2011.
[209] National Archives and Records Administration, Information Security Oversight Office, 32 CFR Part 2002: Controlled Unclassified Information, Final Rule, 14 September 2016, https://www.gpo.gov/fdsys/pkg/FR-2016-09-14/pdf/2016-21665.pdf, consulted 11 September 2017. Note that the final rule does not contain page numbers; thus none are cited here.
[210] National Archives and Records Administration, Information Security Oversight Office, CUI Notice 2016-01: Implementation Guidance for the Controlled Unclassified Information Program, 14 September 2016, https://www.archives.gov/files/2016-cuio-notice-2016-01-implementation-guidance.pdf, consulted 11 September 2011.
[211] National Archives and Records Administration, Information Security Oversight Office, 32 CFR Part 2002: Controlled Unclassified Information, Final Rule, 14 September 2016, https://www.gpo.gov/fdsys/pkg/FR-2016-09-14/pdf/2016-21665.pdf, consulted 11 September 2017.
[212] National Archives and Records Administration, Information Security Oversight Office, CUI Notice 2016-01: Implementation Guidance for the Controlled Unclassified Information Program, 14 September 2016, https://www.archives.gov/files/2016-cuio-notice-2016-01-implementation-guidance.pdf, consulted 11 September 2011.
[213] National Archives and Records Administration, Information Security Oversight Office, Memorandum on Controlled Unclassified Information (CUI) Program Implementation Status Report, 7 April 2017, 1, https://www.archives.gov/files/cui/registry/policy-guidance/registry-documents/20170407-cui-status-report-request-and-forms.pdf, consulted 11 September 2017.
[214] “Controlled Unclassified Information Registry,” National Archives, https://www.archives.gov/cui, consulted 11 September 2011.
[215] National Archives and Records Administration, Information Security Oversight Office, Controlled Unclassified Information, 15 September 2017, https://archivescarterchronicle.files.wordpress.com/2018/02/feb-15-2018-webex.pdf.
[216] National Archives and Records Administration, Information Security Oversight Office, 32 CFR Part 2002: Controlled Unclassified Information, Final Rule, 14 September 2016, https://www.gpo.gov/fdsys/pkg/FR-2016-09-14/pdf/2016-21665.pdf, consulted 11 September 2017.
[217] National Archives and Records Administration, Information Security Oversight Office, Controlled Unclassified Information, 15 February 2018, https://archivescarterchronicle.files.wordpress.com/2018/02/feb-15-2018-webex.pdf.
[218] Written comments provided by Steven Aftergood, 28 October 2017.
[219] Steven Aftergood, “A Bumpy Road for Controlled Unclassified Information,” Federation of American Scientists, 30 October 2017, https://fas.org/blogs/secrecy/2017/10/cui-bumpy/.
[220] Ibid.
[221] NARA provided this information in a comment to the IRM during the pre-publication review of this report. The IRM received the comment via e-mail on 30 April 2018.
[222] “CUI Registry: Change Log,” National Archives and Records Administration, Controlled Unclassified Information (CUI), https://www.archives.gov/cui/registry/registry-change-log, consulted 4 May 2018.
[223] All of this information was provided in the comments submitted to the IRM mentioned in note 15 above.
[224] An archived version of the CUI Registry website from December 2017 (available here: https://web.archive.org/web/20171212030450/https://www.archives.gov/cui/registry/category-list) shows that the registry contained about 110 categories and subcategories.