Under the FOUO (For Official Use Only) system (and multiple other protection schemes), agencies are already spending money on protecting the same (or even a greater) range of unclassified information as identified in the CUI Registry. This includes marking, safeguarding measures, and training. The CUI Program’s requirements were purposely based on the baseline for current protection measures. In fact, Executive Order 13556, “Controlled Unclassified Information,” made clear that the information systems costs were to be consistent with current Office of Management and Budget (OMB) policies and National Institute of Standards and Technology (NIST) guidelines and standards (Executive Order 13556, 6a3). In its latest budget guidance, OMB Circular A-11, OMB is asking agencies to plan and budget for the implementation of the CUI Program.
Agencies should take a serious look at what they are already spending on handling FOUO and determine what, if any, additional costs will be necessary. For example, OMB policy already requires privacy information to be protected minimally at the NIST moderate confidentiality level on all Federal information systems; the CUI Basic moderate confidentiality baseline does not change that and thus incurs no additional costs for protecting that information.
The CUI Program is not creating new types of protected information, nor is it requiring agencies to start from scratch to protect the information as though they have not already been protecting it and expending funds on such protections, nor is it creating a massively complex or unduly burdensome set of protected information or protection requirements. It is, for the first time, allowing the Government and American people to fully identify the wide range of existing protected information and the combined costs of protecting it.
In an age of weekly breaches, anyone arguing for changing the moderate confidentiality baseline level for CUI and reducing these information systems protections is clearly on the wrong side of history. The effects of the largest Government breach of CUI in history – the OPM data breach – continue to cost the taxpayer hundreds of millions of dollars, and some of its costs can never be quantified, including the exploitation of the information for its intelligence value and the effects on the Government’s reputation for safeguarding any information.
The CUI Executive Agent’s oversight will include tracking agency requests for CUI Program implementation funding, monitoring what was received, and connecting the amount of resources to the pace of implementation in the Executive branch.