Promoting Appropriate Information Protection and Sharing: CUI and the Public Interest Declassification Board
Just as the Information Security Oversight Office (ISOO) Director Mark A. Bradley acts as the Executive Agent for the Controlled Unclassified Information (CUI) Program in reforming the protection and handling of unclassified information across Executive Branch agencies, the ISOO Director also serves as the Executive Secretary for the Public Interest Declassification Board (PIDB).
Congress established the PIDB to promote broad public access to an accurate record of the most significant national security decisions and activities of the United States Government. Serving the President as a joint Executive and Legislative Branch advisory board, the PIDB seats nine members, five appointed by the President and one each by the Speaker and Minority Leader of the House as well as the Majority and Minority Leaders of the Senate. Appointees must be U.S. citizens who are preeminent in the fields of history, national security, foreign policy, intelligence policy, social science, law, or archives.
The PIDB advises the President on the classification and declassification of National Security Information (NSI), providing policy recommendations that promote the appropriate sharing and protection of NSI in the current digital age. The bipartisan PIDB is in the final stages of preparing a new report to the President recommending a strategy to reduce over-classification, to make classification more precise, and to facilitate more rapid and agile information sharing through digital communications and information systems.
PIDB’s Declassification Technology Working Group, composed of Executive Branch classification and information security officials, have provided input to develop the forthcoming report to the President. Recommendations in the report focus on issues of modernizing declassification in the management of electronic records across the federal government, and other issues of information security and access vital to the public interest.
PIDB encourages information and security management professionals to comment on the recommendations by subscribing to the PIDB blog Transforming Classification, at: https://transforming-classification.blogs.archives.gov/, where, in the coming weeks, PIDB will publish the report.
The next scheduled webinar will be 15 May 2018 (1-3 EDT). All subscribers to the CUI Blog will receive links and call-in information to access the webinar prior to the event.
We had great attendance in our webinar yesterday with some great participation in the Q&A period. Thank you to all those who attended. The following topics were covered during the webinar:
A brief overview of the CUI program;
A summary of the upcoming changes to the CUI Registry;
An update on agency implementation efforts;
A review of all existing notices, policies, training and resources currently available from the CUI Registry;
The status and plans for a CUI Federal Acquisition Regulation Rule; and
Time for Questions and Answers.
Please see the slides attached: Feb 15, 2018 Webex
Q&As from the webinar will be posted soon.
The Archivist of the United States, David S. Ferriero, introduces a new CUI video on YouTube, which stresses the critical importance of sharing and protecting CUI.
Addressed to the wide community involved in handling and protecting CUI, the CUI video runs about 12 minutes, and presents discussions on the following topics:
- The definition of CUI, and the distinctions between types of information provided in the CUI Registry;
- The principles of access and sharing as they apply to lawful government purpose and limited dissemination control markings;
- Marking requirements overall, and for email, packages and standard mail;
- Controlled environments, both physical and electronic;
- The reproduction of CUI;
- FAXing CUI;
- Reporting incidents;
- The destruction of CUI; and
- The acceptable indicators for the decontrol of CUI.
In the video, Mr. Ferriero acknowledges the implementation of CUI concepts and tools “as an art practiced by civil servants in every department and agency, and their non-federal partners, working on behalf of the American people.”
The video is available for download from the ISOO website and may be used to support and supplement training and awareness efforts.
The next scheduled webinar will be February 15, 2018 (1-3 EDT). All subscribers to the CUI Blog will receive links and call-in information to access the webinar prior to the event. The webinar will include:
- A brief overview of the CUI program;
- A summary of the upcoming changes to the CUI Registry;
- An update on agency implementation efforts;
- A review of all existing notices, policies, training and resources currently available;
- from the CUI Registry;
- The status and plans for a CUI Federal Acquisition Regulation Rule; and
- Time for Questions and Answers.
On January 24, 2018, ISOO issued two CUI Notices, one with recommendations for CUI Basic Training, and another regarding the agreements required for sharing CUI between Executive Branch entities and their non-Executive Branch partners.
The Notice on CUI Basic Training (CUI Notice 2018-02) recommends common learning objectives and curriculum design content, training delivery methods, and testing objectives, for Executive Branch entities to incorporate in their required basic-training courses on CUI. The Notice presents these recommendations in the form of a table based on the first three levels of Bloom’s Taxonomy, a classification benchmark for learning objectives that is widely accepted by training professionals.
The Notice on Agreements (CUI Notice 2018-01) provides guidance and recommendations on how information-sharing agreements between Executive Branch entities and their non-Executive Branch partners must convey CUI Program requirements. The Notice excludes reference to guidance for information-sharing with foreign entities.
The Notice explains that as Executive Branch entities implement their own CUI policies, they must negotiate modifications to existing agreements in compliance with the CUI Program. When feasible, Executive Branch entities should enter into written agreements that include explicit CUI requirements.
Such agreements must require non-Executive Branch partners to handle CUI in accord with the CUI Program, subject to applicable penalties, while also stipulating that non-Executive Branch partners must follow methods approved by the Executive Branch entity in reporting any non-compliance with CUI requirements.
As a best practice, the Notice recommends that agreements between Executive Branch entities and their non-Executive Branch partners: 1) identify categories of CUI and specific handling, safeguarding, or dissemination requirements for CUI shared under the agreement; 2) state where the terms of the agreement will be performed; and, 3) indicate specific technical requirements for protecting the CUI, as well as whether a federal or non-federal information system will be used to process, store or transmit it.
Please join the Department of Veterans Affairs (VA) for its Controlled Unclassified Information (CUI) Symposium to learn about the CUI Program, associated implementation efforts, and expected federal impact. The symposium will feature VA CUI subject matter experts, alongside panelists from the National Archives and Records Administration (NARA), the U.S. Department of State (DoS) and the Internal Revenue Service (IRS).
EventBrite Registration: https://www.eventbrite.com/e/controlled-unclassified-information-cui-symposium-tickets-41336909810
Address: G.V. “Sonny” Montgomery Veterans Auditorium (RM 230), 810 Vermont Ave NW, Washington D.C. 20420
Controlled Unclassified Information (CUI) is information that the Government creates or possesses. CUI requires protection under laws, regulations, or Government-wide policies, and it can correspond to any of the following sources: privacy, health, military, information technology (IT), contract, and personnel data.
Within VA, the Office of Information and Technology’s (OIT) Department of Quality, Privacy, and Risk (QPR) hosts the Controlled Unclassified Information (CUI) Program, a consolidation of best practices that standardize how sensitive information is marked, handled, disseminated, decontrolled, and destroyed across federal agencies.
Are there ID or minimum age requirements to enter the event?
You must be a US government employee or contractor with a valid government ID to attend the VA CUI Symposium.
How can I contact the organizer with any questions?
Please send any questions about the VA CUI Symposium to firstname.lastname@example.org.
Do I have to bring my printed ticket to the event?
Yes, please print your ticket and bring it to the event.
Is my registration fee or ticket transferrable?
No, tickets are not transferrable.
Is it ok if the name on my ticket or registration doesn’t match the person who attends?
No, the name on your ticket must match the name on your valid government ID to enter the event.
The next scheduled webinar will be February 15, 2018 (1-3 EDT). All subscribers to the CUI Blog will receive links and call-in information to access the webinar prior to the event.