Skip Navigation
United States

Implement the Controlled Unclassified Information Program (US0068)

Overview

At-a-Glance

Action Plan: United States Action Plan 2015-2017

Action Plan Cycle: 2015

Status: Inactive

Institutions

Lead Institution: The National Archives

Support Institution(s): Federal Acquisition Regulatory Council

Policy Areas

Open Data

IRM Review

IRM Report: United States End-of-Term IRM Report 2015-2017, United States Mid-Term Report 2015-2017

Starred: No

Early Results: Did Not Change

Design i

Verifiable: Yes

Relevant to OGP Values: Access to Information

Potential Impact:

Implementation i

Completion:

Description

The National Archives will continue implementation of an open and unified program for managing unclassified information that requires safeguarding or dissemination controls that are consistent with law, regulations, and government-wide policies, which is known as Controlled Unclassified Information (CUI). The National Archives
will issue implementation guidance, establish phased implementation schedules, and publish an enhanced CUI Registry that designates what information falls under the program. In addition, the National Archives will work with the Federal Acquisition Regulatory Council to propose a Federal Acquisition Regulation rule to apply the requirements of the CUI program to contractors, grantees, and licensees.

IRM Midterm Status Summary

For details of these commitments, see the report: https://www.opengovpartnership.org/documents/united-states-mid-term-report-2015-2017/

IRM End of Term Status Summary

Commitment 16. Implement the Controlled Unclassified Information Program

Commitment Text:

Implement the Controlled Unclassified Information Program

The National Archives will continue implementation of an open and unified program for managing unclassified information that requires safeguarding or dissemination controls that are consistent with law, regulations, and government-wide policies, which is known as Controlled Unclassified Information (CUI). The National Archives will issue implementation guidance, establish phased implementation schedules, and publish an enhanced CUI Registry that designates what information falls under the program. In addition, the National Archives will work with the Federal Acquisition Regulatory Council to propose a Federal Acquisition Regulation rule to apply the requirements of the CUI program to contractors, grantees, and licensees.

Responsible Institution: National Archives and Records Administration

Supporting Institutions: CUI Advisory Council and Federal agencies possessing controlled unclassified information (CUI)

Start Date: Not Specified End Date: Not Specified

Commitment Aim

Prior to the action plan, no common protocols existed for safeguarding sensitive information that was unclassified but required special controls. This commitment aimed to implement a program for managing this Controlled Unclassified Information (CUI).[1] It would issue an implementation guidance and schedules. It would also publish a registry designating which information is covered by the CUI Program. The commitment further aimed to propose a regulation applying CUI requirements to contractors, grantees, and licensees.

Status

Midterm: Not Started

At the midterm, the government had not made any visible progress on this commitment.

End of term: Substantial

At the end of term, this commitment was substantially complete.

The government issued implementing guidance for the Controlled Unclassified Information (CUI) Program in the form of CUI Notice 2016-01 on 14 September 2016.[2] The guidance served as a complement to final rule 32 CFR Part 2002 on Controlled Unclassified Information. That rule was published by the National Archives and Records Administration’s (NARA) Information Security Oversight Office (ISOO) on the same date, with an effective date of 14 November 2016.[3] Section 2002.10 of the rule designates the CUI Registry as the central repository for all information on CUI, including guidance, policy instructions, and decontrolling procedures. Various sections of the rule pertain to government contractors, grantees, and licensees, whose access to and use of CUI must be subject to information-sharing agreements under the rule. CUI Notice 2016-01 requires parent agencies to “publish an implementing policy for the CUI Program.” More specifically, these policies must identify the responsible office or organization within each agency, as well as their CUI senior agency official and program manager. The policies must also establish a reporting system for CUI-related incidents, establish an agency-level self-inspection program, and establish CUI training requirements and safeguarding procedures.[4]

The final rule “establish[es] policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements.” It also applies to all federal agencies that deal with CUI and “which operate, use, or have access to Federal information and information systems on behalf of an agency.”[5] Agencies are required to develop and administer the aforementioned CUI training programs to all agency employees within 180 days of the effective date of a given agency’s CUI policy. Agencies must also verify that safeguarding requirements described in 32 CFR Part 2002 are met. Within 360 days of the effective date of the rule (14 November 2016), agencies must also establish a transition plan for configuring CUI systems in line with the requirements. Within two years of this same date, agencies must develop and begin to implement the aforementioned self-inspection programs. Collectively, these specifications constitute the phased implementation guidelines outlined in the commitment.

Under CUI Notice 2016-01, agencies are also required to report annually on their progress to the NARA, with the first annual report due on 1 November 2017.[6] Moreover, on 7 April 2017, the director of the ISOO issued a memorandum for heads of executive departments and agencies. The memorandum requested interim progress reports on agencies’ implementation of the CUI Program be submitted to the NARA by 31 May 2017.[7] However, the IRM researcher was unable to confirm how many agencies submitted such reports.

Beyond these activities, the NARA has published the CUI Registry on its website.[8] As described on the site, the CUI Registry represents “the Government-wide online repository for Federal-level guidance regarding CUI policy and practice.” The registry serves as a guide to information under the CUI Program.

By the end of term, a stand-alone Federal Acquisition Regulation (FAR) applying the requirements of the CUI Program to contractors, grantees, and licensees had not been finalized. According to a NARA status update, the FAR has been under development through weekly meetings within the FAR Council for a year and is now expected in FY2019.[9] In light of the commitment’s explicit reference to the US government proposing a FAR, this commitment is considered to be substantially complete.

Did It Open Government?

Access to Information: Did Not Change

As described in the regulation 32 CFR Part 2002, “prior to the CUI [Controlled Unclassified Information] Program, agencies often employed ad hoc, agency-specific policies, procedures, and markings to handle this information. This patchwork approach caused agencies to mark and handle information inconsistently, implement unclear or unnecessarily restrictive disseminating policies, and create obstacles to sharing information. . . . An executive branch-wide CUI policy balances the need to safeguard CUI with the public interest in sharing information appropriately and without unnecessary burdens.”[10]

By outlining the federal government’s method of handling and disseminating CUI information, the guidelines carried out under this commitment lay the groundwork for facilitating greater public access to CUI. This will help remedy the core CUI-related accessibility issues described above in the regulation. That said, the Information Security Oversight Office (ISOO) acknowledged in February 2018 that the full implementation of the new CUI policies will require three to four years.[11] Comments provided to the IRM researcher by Steven Aftergood, project director at the Federation of American Scientists (FAS), echo this concern. Aftergood noted that “the development of a new policy on [CUI] has been more arduous and more time-consuming than anyone inside or outside of government expected.”[12] Moreover, several agencies have also raised issues that must be resolved before implementation, such as lack of funding and gaps in coverage of certain kinds of information.[13]

While the implementation of the new policies could help to ensure that CUI is handled efficiently, it does not guarantee an increase in the quantity of information released. The ISOO emphasized that the new program should result in more transparency. However, the FAS Project on Government Secrecy pointed out it remains to be seen if this will be the case.[14] Aftergood noted to the IRM researcher that “the implications of CUI for transparency and public access to information are uncertain. Positive features include clear articulation of criteria for CUI, which must be based on statute, regulation or established policy. Other controls that lack such an identifiable basis will be disallowed. However, the number of authorized CUI categories and subcategories has now ballooned to more than 400 distinct items, which is a much larger number than public observers had anticipated.” Aftergood concluded that even if the CUI program is fully implemented, it is not clear that there will be a net increase in transparency.

On the other hand, NARA clarified that the CUI program no longer has subcategories, only categories.[15] According to the change log of the CUI Registry, the government revised the registry’s taxonomy on 2 April 2018 “for simplification and to better meet agency needs.”[16] Moreover, NARA noted that these categories are based on statute, federal regulation, and government-wide policy (i.e., not just any regulation or policy). As a result, NARA insisted that there has been no increase in the amount of information that requires protection as a result of the program. Rather, CUI is limited to the types of unclassified information that already required protection previously. In other words, according to NARA, the CUI program merely pulls together the information types that agencies were already obliged to protect into one place by category.[17]

NARA also noted that there are only roughly 100 categories of CUI. Indeed, upon reviewing archived versions of the CUI Registry’s list of categories and subcategories, the IRM confirmed that the total number of classifications—even before the change in taxonomy that eliminated the “subcategory” level—lingered around 100.[18]

Carried Forward?

At the time of writing, the US government had not published its fourth national action plan, so it is unclear if this commitment is carried forward. In the future, it will be important for the government to continue to implement the new CUI guidelines. It should also continue taking concrete actions to ensure that agencies use the new system to make more information available to the public.

[1] CUI is “unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and [g]overnment-wide policies.” See “CUI,” National Archives and Records Administration, https://www.archives.gov/cui, last updated 4 October 2017, consulted 4 October 2017.

[2] National Archives and Records Administration, Information Security Oversight Office, CUI Notice 2016-01: Implementation Guidance for the Controlled Unclassified Information Program, 14 September 2016, https://www.archives.gov/files/2016-cuio-notice-2016-01-implementation-guidance.pdf, consulted 11 September 2011.

[3] National Archives and Records Administration, Information Security Oversight Office. : Controlled Unclassified Information, Final Rule, 14 September 2016, https://www.gpo.gov/fdsys/pkg/FR-2016-09-14/pdf/2016-21665.pdf, consulted 11 September 2017. Note that the final rule does not contain page numbers; thus none are cited here.

[4] National Archives and Records Administration, Information Security Oversight Office, CUI Notice 2016-01: Implementation Guidance for the Controlled Unclassified Information Program, 14 September 2016, https://www.archives.gov/files/2016-cuio-notice-2016-01-implementation-guidance.pdf, consulted 11 September 2011.

[5] National Archives and Records Administration, Information Security Oversight Office, 32 CFR Part 2002: Controlled Unclassified Information, Final Rule, 14 September 2016, https://www.gpo.gov/fdsys/pkg/FR-2016-09-14/pdf/2016-21665.pdf, consulted 11 September 2017.

[6] National Archives and Records Administration, Information Security Oversight Office, CUI Notice 2016-01: Implementation Guidance for the Controlled Unclassified Information Program, 14 September 2016, https://www.archives.gov/files/2016-cuio-notice-2016-01-implementation-guidance.pdf, consulted 11 September 2011.

[7] National Archives and Records Administration, Information Security Oversight Office, Memorandum on Controlled Unclassified Information (CUI) Program Implementation Status Report, 7 April 2017, 1, https://www.archives.gov/files/cui/registry/policy-guidance/registry-documents/20170407-cui-status-report-request-and-forms.pdf, consulted 11 September 2017.

[8] “Controlled Unclassified Information Registry,” National Archives, https://www.archives.gov/cui, consulted 11 September 2011.

[9] National Archives and Records Administration, Information Security Oversight Office, Controlled Unclassified Information, 15 September 2017, https://archivescarterchronicle.files.wordpress.com/2018/02/feb-15-2018-webex.pdf.

[10] National Archives and Records Administration, Information Security Oversight Office, : Controlled Unclassified Information, Final Rule, 14 September 2016, https://www.gpo.gov/fdsys/pkg/FR-2016-09-14/pdf/2016-21665.pdf, consulted 11 September 2017.

[11] National Archives and Records Administration, Information Security Oversight Office, Controlled Unclassified Information, 15 February 2018, https://archivescarterchronicle.files.wordpress.com/2018/02/feb-15-2018-webex.pdf.

[12] Written comments provided by Steven Aftergood, 28 October 2017.

[13] Steven Aftergood, “A Bumpy Road for Controlled Unclassified Information, Federation of American Scientists, 30 October 2017, https://fas.org/blogs/secrecy/2017/10/cui-bumpy/.

[14] Ibid.

[15] NARA provided this information in a comment to the IRM during the pre-publication review of this report. The IRM received the comment via e-mail on 30 April 2018.

[16] “CUI Registry: Change Log,” National Archives and Records Administration, Controlled Unclassified Information (CUI), https://www.archives.gov/cui/registry/registry-change-log, consulted 4 May 2018.

[17] All of this information was provided in the comments submitted to the IRM mentioned in note 15 above.

[18] An archived version of the CUI Registry website from December 2017 (available here: https://web.archive.org/web/20171212030450/https://www.archives.gov/cui/registry/category-list) shows that the registry contained about 110 categories and subcategories.

Commitments

  1. Federal Data Strategy

    US0105, 2019, E-Government

  2. Grants Accountability

    US0106, 2019, E-Government

  3. Public Access to Federally Funded Research

    US0107, 2019, E-Government

  4. Workforce Data Standards

    US0108, 2019, E-Government

  5. Chief Data Officers

    US0109, 2019, Capacity Building

  6. Open Data for Public Health

    US0110, 2019, E-Government

  7. Enterprise Objective

    US0111, 2019, Capacity Building

  8. Developing Future Action Plans

    US0112, 2019, OGP

  9. Reconstitution of the USA.gov

    US0053, 2015, E-Government

  10. Accessibility of Government Information Online

    US0054, 2015, Marginalized Communities

  11. Access to Educational Resources

    US0055, 2015, Open Data

  12. Public Listing of Every Address in the US

    US0056, 2015, Open Data

  13. Informed Decisions About Higher Education.

    US0057, 2015, Open Data

  14. New Authentication Tools to Protect Individual Privacy and Ensure That Personal Records Go Only to the Intended Recipients.

    US0058, 2015, Public Service Delivery

  15. Transparency of Open311

    US0059, 2015, E-Government

  16. Support Medicine Research Throught Opening up Relevant Data of the Field

    US0060, 2015, Health

  17. Access to Workforce Data

    US0061, 2015, Open Data

  18. Using Evidence and Concrete Data to Improve Public Service Delivery

    US0062, 2015, Capacity Building

  19. Expand Use of the Federal Infrastructure Permitting Dashboard

    US0063, 2015,

  20. Consolidation of Import and Export Systems

    US0064, 2015, E-Government

  21. Improving Government Records

    US0065, 2015, Open Data

  22. Starred commitment Ammendments to FOIA

    US0066, 2015, Open Data

  23. Streamline the Declassification Process

    US0067, 2015, Capacity Building

  24. Implement the Controlled Unclassified Information Program

    US0068, 2015, Open Data

  25. Transparency of Privacy Programs and Practices

    US0069, 2015, Capacity Building

  26. Transparency of Federal Use of Investigative Technologies

    US0070, 2015, E-Government

  27. Increase Transparency of the Intelligence Community

    US0071, 2015, Capacity Building

  28. Starred commitment Open Science Through Open Data

    US0072, 2015, Open Data

  29. Open Data Portal

    US0073, 2015, E-Government

  30. Increase Transparency of Trade Policy and Negotiations

    US0074, 2015, E-Government

  31. Develop a Machine Readable Government Organizational Chart

    US0075, 2015, E-Government

  32. Improving Public Participation

    US0076, 2015, Public Participation

  33. Expand Public Participation in the Development of Regulations

    US0077, 2015, Public Participation

  34. Civic Engagement in Decision-Making Processes

    US0078, 2015, Public Participation

  35. Open Mapping

    US0079, 2015, E-Government

  36. Tracking OGP Implementation

    US0080, 2015, OGP

  37. Strengthening Whistleblower Protection

    US0081, 2015, Capacity Building

  38. Transparency of Legal Entities

    US0082, 2015, Beneficial Ownership

  39. Extractive Industries Transparency

    US0083, 2015, Extractive Industries

  40. Spending Transparency

    US0084, 2015, E-Government

  41. Enhance the Use of U.S. Foreign Assistance Information

    US0085, 2015, Aid

  42. Participatory Budgets and Responsive Spending

    US0086, 2015, Participation in Budget Processes

  43. Expand Access to Justice to Promote Federal Programs

    US0087, 2015, E-Government

  44. Starred commitment Build Safer Communities with Police Open Data

    US0088, 2015, E-Government

  45. Open Federal Data to Benefit Local Communities

    US0089, 2015, E-Government

  46. Support the Municipal Data Network

    US0090, 2015, E-Government

  47. Foster Data Ecosystems

    US0091, 2015, Capacity Building

  48. Extend Digital, Data-Driven Government to Federal Government’S Support for Communities

    US0092, 2015, Capacity Building

  49. Promote Implementation of SDGs

    US0093, 2015, Open Data

  50. Starred commitment Promote Open Climate Data

    US0094, 2015, E-Government

  51. Air Quality Data Available

    US0095, 2015, E-Government

  52. Promote Food Security and Data Sharing for Agriculture and Nutrition

    US0096, 2015, Capacity Building

  53. Promote Data Sharing About Global Preparedness for Epidemic Threats

    US0097, 2015, Capacity Building

  54. Promote Global Interconnectivity

    US0098, 2015, Aid

  55. Open Contracting

    US0099, 2015, Capacity Building

  56. Harness the Data Revolution for Sustainable Development

    US0100, 2015, OGP

  57. Open Government to Support Global Sustainable Development

    US0101, 2015, Anti-Corruption Institutions

  58. Open Collaboration Onf the Arctic

    US0102, 2015, Environment and Climate

  59. Support Capacity Building for Extractives Transparency

    US0103, 2015, Capacity Building

  60. Support Responsible Investment and Business Practices for Companies

    US0104, 2015, Private Sector

  61. Improve Public Participation in Government

    US0027, 2013, Capacity Building

  62. Modernize Management of Government Records

    US0028, 2013, Records Management

  63. Modernize the Freedom of Information Act

    US0029, 2013, Capacity Building

  64. Transform the Security Classification System

    US0030, 2013, Records Management

  65. Implement the Controlled Unclassified Information Program

    US0031, 2013, Security

  66. Increase Transparency of Foreign Intelligence Surveillance Activities

    US0032, 2013, E-Government

  67. Make Privacy Compliance Information More Accessible

    US0033, 2013, E-Government

  68. Support and Improve Agency Implementation of Open Government Plans

    US0034, 2013, OGP

  69. Strengthen and Expand Whistleblower Protections for Government Personnel

    US0035, 2013, Capacity Building

  70. Increase Transparency of Legal Entities Formed in the United States

    US0036, 2013, Legislation & Regulation

  71. Starred commitment Implement the Extractive Industries Transparency Initiative

    US0037, 2013, Environment and Climate

  72. Make Fossil Fuel Subsidies More Transparent

    US0038, 2013, Extractive Industries

  73. Starred commitment Increase Transparency in Spending

    US0039, 2013, Fiscal Transparency

  74. Increase Transparency of Foreign Assistance

    US0040, 2013, Aid

  75. Continue to Improve Performance.Gov

    US0041, 2013, E-Government

  76. Consolidate Import and Export Systems to Curb Corruption

    US0042, 2013, Private Sector

  77. Promote Public Participation in Community Spending Decisions

    US0043, 2013, Infrastructure & Transport

  78. Expand Visa Sanctions to Combat Corruption

    US0044, 2013, Anti-Corruption Institutions

  79. Further Expand Public Participation in the Development of Regulations

    US0045, 2013, Capacity Building

  80. Open Data to the Public

    US0046, 2013, E-Government

  81. Continue to Pilot Expert Networking Platforms

    US0047, 2013, Public Participation

  82. Reform Government Websites

    US0048, 2013, E-Government

  83. Promote Innovation Through Collaboration and Harness the Ingenuity of the American Public

    US0049, 2013, Capacity Building

  84. Promote Open Education to Increase Awareness and Engagement

    US0050, 2013, E-Government

  85. Deliver Government Services More Effectively Through Information Technology

    US0051, 2013, E-Government

  86. Increase Transparency in Spending

    US0052, 2013, E-Government

  87. Reform Records Management

    US0001, 2011, Records Management

  88. Lead a Multi-Agency Effort

    US0002, 2011, Capacity Building

  89. Monitor Agency Implementation of Plans

    US0003, 2011, OGP

  90. Provide Enforcement and Compliance Data Online

    US0004, 2011, Environment and Climate

  91. Advocate for Legislation Requiring Meaningful Disclosure

    US0005, 2011, Legislation & Regulation

  92. Apply Lessons from Recovery Act to Increate Spending Transparency

    US0006, 2011, Fiscal Transparency

  93. Government-Wide Reporting Requirements for Foreign Aid

    US0007, 2011, Aid

  94. Use Performanc.Gov to Improve Government Performance and Accountability

    US0008, 2011, Public Service Delivery

  95. Overhaul the Public Participation Interface on Regulations.Gov

    US0009, 2011, Legislation & Regulation

  96. Launch Expertnet

    US0010, 2011, E-Government

  97. Launch International Space Apps Competition

    US0011, 2011, E-Government

  98. Launch “We the People”

    US0012, 2011,

  99. Open Source “We the People”

    US0013, 2011,

  100. Develop Best Practices and Metrics for Public Participation

    US0014, 2011, Capacity Building

  101. Professionalize the FOIA Administration

    US0015, 2011, Right to Information

  102. Harness the Power of Technology

    US0016, 2011, Right to Information

  103. Advocate for Legislation on Whistleblower Protection

    US0017, 2011, E-Government

  104. Explore Executive Authority to Protect Whistleblowers

    US0018, 2011, Legislation & Regulation

  105. Implement the EITI

    US0019, 2011, Extractive Industries

  106. Partnership to Build on Recent Progress

    US0020, 2011, Extractive Industries

  107. Promote Data.Gov to Spur Innovation Through Open Sourcing

    US0021, 2011, Open Data

  108. Data.Gov: Foster Communities on Data.Gov

    US0022, 2011, Education

  109. Begin Online National Dialogue with the American Public

    US0023, 2011, Public Participation

  110. Update Government-Wide Policies for Websites

    US0024, 2011,

  111. Promote Smart Disclosure to Ensure Timely Release of Information

    US0025, 2011, Capacity Building

  112. Publish Guidelines on Scientific Data

    US0026, 2011, Capacity Building