Two major NIST publications are about to be finalized on June 14: NIST Special Publication (SP) 800-171A, “Assessing Security Requirements for Controlled Unclassified Information”; and an update to the NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The draft 171A text may be found on the NIST site: https://csrc.nist.gov/publications/detail/sp/800-171a/draft. The 800-171A is intended to help organizations develop assessment plans and conduct assessments of the security requirements in NIST SP 800-171, which defines the requirements for protecting CUI on non-Federal systems consistent with the CUI Federal regulation (32 CFR 2002.14h2).
Agencies can waive the requirement to re-mark legacy information with the new CUI markings while the CUI is in their control. The CUI Program does not require the agencies to re-mark unless reusing and sharing the information with others outside of their agency. In addition, because the CUI regulation also contains flexibility in handling such things as existing on-line databases with numerous PDF documents, a flash screen may suffice to alert users that a law, Federal regulation, or Government-wide policy requires safeguarding and dissemination controls.
Under the FOUO (For Official Use Only) system (and multiple other protection schemes), agencies are already spending money on protecting the same (or even a greater) range of unclassified information as identified in the CUI Registry. This includes marking, safeguarding measures, and training. The CUI Program’s requirements were based on the baseline for current protection measures purposely. In fact, Executive Order Continue reading “The CUI Program and budget considerations”
Employees that handle CUI in the course of doing agency business are not expected to go directly to and interpret the laws, Federal regulations, and Government-wide policies to determine what unclassified information is controlled, nor will they be responsible for interpreting those authorities and assessing what requirements apply to a given document in their hands or on their systems. They will be going to their agency information management policies, on which they are trained. This is what takes place now and will continue in the future. However, with the advent of the CUI Program and oversight functions, agency policies will be reviewed periodically to ensure they are in line with CUI Program requirements and underlying authorities, and to ensure they are providing sufficient information for employees to carry out both the required protections and permissible sharing.
The CUI Registry is a listing of the categories/subcategories of CUI that are required (or permitted) to be protected by law, Federal regulation, and Government-wide policy. While the Registry was compiled through agency submissions, the entirety of those submissions were vetted to ensure that the text in the law, Federal regulation, or Government-wide policy identified an information type and called for (or permitted) the protection of the information. By bringing all these authorities together in one place for Continue reading “The CUI Registry and reform”
The full implementation of CUI is unlikely to cause an expansion of the use of Exemption 3 statutes by agencies, and in fact is more likely to produce the opposite effect by prohibiting agencies from marking and controlling information unless a valid law, Federal regulation, or Government-wide policy authorizes it. The CUI Program, for the first time, establishes a clear distinction between a marking purporting to control Continue reading “Will the CUI Program cause an expansion of the use of Exemption 3 of the Freedom of Information Act (FOIA)?”