The CUI Registry and reform

The CUI Registry is a listing of the categories/subcategories of CUI that are required (or permitted) to be protected by law, Federal regulation, and Government-wide policy.  While the Registry was compiled through agency submissions, the entirety of those submissions were vetted to ensure that the text in the law, Federal regulation, or Government-wide policy identified an information type and called for (or permitted) the protection of the information.  By bringing all these authorities together in one place for the first time, the CUI Registry brings out into the open and makes clear just how many protection authorities have been in existence and being used across the executive branch, how broadly or narrowly each of them applies, and to what kinds of information, and begins to enable identification of conflicts, overlaps, gaps, inconsistencies, and other ways in which the steady evolution of disparate protection requirements has been inefficient, overly restrictive, and under-protective for many years.  It also helps to open the door for further reform of these requirements in the future.  The CUI Program did not create these situations or the conflicting or duplicative authorities, nor did it newly require agencies to deal with them.  By bringing the authorities and practices together in one place and requiring them to work together in one framework, it is allowing such conflicts to be clearly identified and seen in action so that changes can occur in future — through open discussion and possible legislative, regulatory, or Government-wide policy revisions.  Agencies and the CUI Executive Agent have already been identifying some authorities that contain requirements that duplicate each other (creating unnecessary different categories), or that are now redundant in light of the overarching CUI requirements, and suggesting that these authorities are ripe for revision in those areas, which would further streamline the CUI framework.

Leave a Reply