Navigating and Complying with CUI Requirements
The essential prerogative of the U.S. Department of Defense (DoD) is to regulate national security, and a large part of that function entails keeping the wrong information out of the wrong hands and safely sharing it with authorized government agencies and partners. This latter aspect of DoD is commonly designated in pop culture as “classified information”; for several decades, however, the U.S. has struggled with information that does not merit a “classified” designation but nevertheless meets the criteria for protection.
Early attempts to deal with this Sensitive But Unclassified (SBU) information varied widely across U.S departments and agencies, creating a great deal of confusion and ambiguity in cooperative sharing. As EO 13556 issued during the Obama administration observes, SBU practices had “resulted in inconsistent marking and safeguarding of documents, [leading] to unclear or unnecessarily restrictive dissemination policies, and impediments to authorized information sharing.”
The Executive Order in question finally issued vast policy initiatives sought from the Post-9/11 Bush administration onwards, and those fall under the umbrella of Controlled Unclassified Information (CUI).
What CUI Does
CUI establishes an Executive Agent to ensure compliance throughout the government. The National Archives and Records Administration (NARA) currently holds this title, though there has been recent debate about the proper interpretation of its role. The second important piece of CUI is the CUI Registry, which identifies all information falling under its jurisdiction.
- Controlled technical information with military or space application
- Critical infrastructure information (e.g., energy infrastructure, water systems, etc.)
- Export controlled information or materials used in research
- Nuclear information related to protecting reactors, materials, or security
- Statistical information (e.g., U.S. Census)
- Transportation information (e.g., railroad safety, etc.)
When implemented properly, these guidelines will ideally generate “a simple, concise, and standardized CUI Framework with effective centralized governance and oversight has the best chance of both wide acceptance within the federal government and broad adoption throughout our State, local, tribal, and private sector partner communities.” But while goals have been received with approval by the intelligence community, struggles have persisted around implementation.
The State of CUI Compliance
The executive order establishing CUI guidelines anticipated challenges in real-world compliance: “The successful expansion of the scope of the CUI Framework requires careful consideration of agency missions, requirements, and the processes by which SBU information is currently managed.” So far, these processes are still in need of further standardization, which the Executive Agent is seeking to redress.
Devin Casey, Program Analyst at NARA has identified four key areas where wider CUI adoption can still create positive reform:
- Inefficient patchwork systems with more than 100 different policies and markings
- Expensive information-sharing processes
- Inconsistent marking and safeguarding of documents
- Unnecessarily restrictive dissemination policies
To aid in compliance, the National Archives maintains a site with training materials for agencies and organizations that handle SBU information. In the meanwhile, some discretion is still left to responsible parties regarding the exact details of CUI reform.
Within this space, industry leaders have pointed to impediments that organizations must overcome for best compliance practices.
Impediments to Compliance
Because CUI is an unfunded program, organizations seeking compliance must shoulder the financial burden of implementation by themselves. The basic logic behind this is that systems for managing sensitive information are assumed to be part of a government partner’s budget. Therefore NARA has certified that “after review and analysis, that this rule will not have a significant adverse economic impact on a substantial number of small entities.”
But the claim has been disputed as overly-simplistic. In late 2017, six federal agencies jointly issued a statement of concerns about CUI, where cost played a prominent role. There are several reasons for this:
- Increased burden of information – prior to CUI, procedures for managing SBU information varied substantially, if they were extant at all. Because SBU is much broader than standard classified information, agencies and partners are now faced with a much larger volume of protected information than before.
- IT-related costs – in many cases, CUI compliance requires the adoption of new technology and infrastructure to integrate with existing systems, ensure appropriate document handling, adopt secure sharing procedures and bear the extra information load.
- Oversight – in order to ensure compliance, organizations require extended oversight procedures and personnel. The cost of inspection programs may double or triple with CUI adoption.
- Training – CUI applies to all federal employees. While is the due diligence of administrators to ensure their organization is compliant on the whole, they must also ensure that their personnel are trained and knowledgeable of CUI procedures.
The Future of CUI
As relatively new legislation, CUI is still being debated and discussed. NARA continues to revisit and revise its oversight procedures while federal agencies grapple with compliance initiatives. In the meanwhile, there is every reason to be cautiously optimistic that CUI will lead to smoother sailing over time.
It is imperative for organizations handling SBU to grapple with it accordingly and overcome the impediments to compliance accordingly. The National Archive remains a very good resource for understanding CUI legislation better and how to implement it. Examining IT infrastructure and seeking more cost-effective ways to shoulder CUI will also go a long way in removing barriers to the better transparency and sharing procedures that it seeks to usher in.
MathCraft Security Technologies offers a robust product line of NISPOM-compliant security applications for cleared contracts and enterprises. Our solutions are carefully engineered to improve security processes, giving Facility Security Officers (FSOs) and employees the comprehensive tools that they need to manage data, monitor visitors, and automate workflows. For ultimate convenience, they are also available on-premises or via the cloud.