CUI Executive Agent Response to INSA Report

The Intelligence and National Security Alliance (INSA) recently issued a report on the CUI Program and we welcome their input. We wanted to take this opportunity to give the broader CUI community an update on some of our ongoing efforts.

It is a top priority of the Controlled Unclassified Information (CUI) Executive Agent to work with industry. We recognize the impact CUI implementation will have not just on Federal agencies, but also on industry, state, local, tribal, and foreign partners. Throughout the development of CUI, we have worked to engage with each of these partners to improve the ease of how the executive branch protects and shares information.

Our efforts are focused on achieving a user-friendly CUI Program. We are undertaking several efforts to achieve that:

1) Streamlining the CUI Registry to reduce the number of CUI categories. We started with the privacy categories since they are used by every agency. Currently we are projecting we will be able to reduce the number of privacy categories from their current nine to around two or three. We have also started work on reducing the law enforcement and legal groups of categories, which are also broadly used across agencies. We will soon be starting on the categories in the financial, acquisition, and proprietary information groupings, with the remaining categories to follow.

2) Transitioning more CUI categories from Specified to Basic. Currently 65 out of 125 categories have only CUI Basic authorities. An authority in the CUI Registry context is a law, Federal regulation, or Government-wide policy that requires or permits the Federal Government to safeguard or restrict dissemination of particular information. Some authorities do not specify, or set out, protections for the information they allow agencies to safeguard; they are called CUI Basic authorities. The CUI program has established a baseline set of protections for information that is governed by such authorities, which are the CUI Basic protections. Thus, all of the information in these 65 categories has the same CUI Basic safeguarding standard, rather than each category having its own.

The remaining 60 categories have one or more Specified authorities. An authority is a Specified authority when it not only requires or permits an agency to protect the information or restrict its dissemination, but also establishes specific protections – it specifies what the protection must be. All of these Specified authorities existed prior to the establishment of the CUI Program, most in laws or Federal regulations, and they could not be ignored or disregarded. They have thus been incorporated, for the time being, into the CUI program with their pre-existing Specified requirements. Often, the authority specifies only one, or a couple, of protections, in which case the remaining protections for the information involved default to CUI Basic protections. This means that even CUI Specified information is in many cases protected using the same standards as information in the 65 Basic-only categories, with only one or two differences. We have a longer-term initiative we have already begun, to work with agencies to address “grandfathered” regulations on the Registry and bring them into alignment with CUI standards. In addition, all new authorities must be coordinated with the CUI Executive Agent and it will take a very high threshold to justify any authority not being aligned with the Basic protections.

The CUI Executive Agent is actively working with agencies to transition a number of pre-existing authorities from Specified to Basic. Every Specified category’s authorities are being re-reviewed to determine the steps necessary to move it to Basic. The lowest-hanging fruit will be moved first. That starts with authorities that are Specified because of dissemination requirements. Some of the existing dissemination control markings, combined with increased agency interest in moving authorities from Specified to Basic as they implement, have already allowed us to build agreement within the inter-agency community to move authorities from Specified to Basic. We are exploring new dissemination controls that would serve the dual purpose of allowing authorities to be moved to Basic and communicating more effectively to recipients the protections they must follow.

After addressing authorities that can move from Specified to Basic due to dissemination restriction aspects, we will be working with agencies to revise regulations and Government-wide policies to align those authorities with the Basic protections where reasonable. We have already begun this effort with a few agencies who had such regulations up for revision. Once those authorities have been addressed, we will work with both agencies and Congress to address Specified protections that are required by law.

3) Adding more information to CUI Registry entries. The CUI categories were originally developed with substantial input from agencies approximately ten years ago. As agencies have begun earnest implementation in recent years, they have started realizing that they don’t necessarily need all the category divisions to effectively safeguard and share the information, but that it would be helpful, particularly in categories that have many authorities listed, to have more information about each authority conveyed on the category page. To make the CUI Registry more user-friendly, we are therefore also improving the category descriptions and adding information for each authority, such as which entity promulgated the authority, which agencies are covered by the authority, how it connects with other authorities, which information the authority covers, and a summary of the authority’s requirements.

As we work to make the CUI Program more user-friendly, we are also taking steps to address its impact on industry:

1) Prioritizing a Federal Acquisition Regulation (FAR) clause for CUI. One of the highest priorities of the CUI Executive Agent is getting a CUI FAR clause issued. This will create a common mechanism to communicate which information contractors create for and receive from the Federal Government must be protected, how to protect it, and with whom it can be shared. Currently laws, Federal regulations, and Government-wide policies already mandate these protections, but there is not a standard way these requirements are shared with contractors. Once the FAR clause is issued, it will be a standard vehicle for conveying whether CUI is involved in the contract and what the existing requirements are for safeguarding it. Contractors and Government officials will know the place in any solicitation or contract to find this information. It will also increase the clarity of the existing requirements, while the continued implementation of CUI further reduces the complexity and vagueness that existed pre-CUI.

2) Multi-agency information sharing agreements. We are also working on developing a standard multi-agency information sharing agreement that allows an entity outside the Federal Government to establish an information sharing agreement with multiple agencies at once.

3) Consistent information systems requirements. The CUI program uses the most common existing information security controls, the FIPS Publication 199 moderate confidentiality impact level, as the standard for systems containing CUI Basic information, and for the vast majority of systems containing CUI Specified information (most CUI Specified authorities don’t set information systems controls). In addition, the CUI Executive Agent worked extensively with the National Institute of Standards and Technology (NIST) to incorporate these requirements into a contractor-specific environment and framework using NIST SP 800-171, which reduces the controls contractors need to implement. Agencies are required to use NIST SP 800-171 for all non-Federal information systems, and its use will also be incorporated into the CUI FAR clause. This grounds technology protections in an existing standard (moderate confidentiality) that most agencies were already using and most contractors were already required to meet, and provides much-desired clarity and streamlining for contractors, via NIST SP 800-171, as we see increased cyber threats.

4) Decontrol mechanisms. Prior to the CUI program, contractors would often have no formal recourse to get information decontrolled. The CUI program requires that agencies establish a decontrol process, which provides contractors and others with a mechanism by which to make those requests. Though we recognize this might not go as far as some industry and open-government advocates would wish, it is a step forward. INSA, in particular, raises the prospect that the Government might mark information a company provides to the Government as proprietary information, and that this could restrict the company’s future ability to use the information. However, the status of a company’s information as CUI (and the accompanying proprietary information markings) begins with a request from the company and its own identification of the information as something it believes is proprietary, that it believes would damage the company if shared, and that it asks the Government to protect on the company’s behalf. It doesn’t restrict the company’s own ability to use and share duplicates of that information in its own hands; it simply restricts the Government from doing so and establishes a basis for the Government to protect it from access by others (including other companies) without a lawful Government purpose. Any decontrol request that comes from the company that shared the information carries immense weight in the decontrol decision. In addition, although a company indicates that certain information is proprietary and requests its protection when submitting it to the Government, the Government still must make its own assessment of the information to ensure it falls within the limited scope of the CUI authority allowing protection of such information, so companies aren’t able to use this as a mechanism for restricting access to all information they provide to the Government. If industry believes either of these aspects needs to be further spelled out, we welcome a conversation on the subject.

On all aspects of the CUI program, we welcome conversations with industry. We acknowledge that the CUI Program may not yet be as standardized as we or industry wish. Implementation has just started in the past year at many agencies. Changing the entire executive branch on something this impactful resembles turning an aircraft carrier battle group. Each agency, like each ship in the battle group, has its own specs and experiences unique conditions. Even with all this variety in scope, scale, structure, working processes, and kinds of information, every agency outside the Intelligence Community is now turning in the same direction. Returning to the legacy, agency-specific FOUO/SBU practices of the past would be simply an unwise and unworkable option.

Regarding program costs, large cabinet agencies informally report to us that the implementation costs they have are in the six-figure range. Laws, Federal regulations, and Government-wide policies already required or permitted the information covered by CUI to be protected, so there isn’t much net change in cost, since the requirements were already there. The main difference is that, by bringing all these various protection requirements together into one framework, agencies are establishing a manager or staff to oversee them as a standardized program, they are conducting training on the concepts of CUI and how it works, and they are re-marking or newly marking information or spaces. These are the primary costs, and for most smaller- to medium-sized agencies they are fairly minimal, while they are in the six-figure range for the larger agencies. In addition, agencies are reporting that standardization is now reducing unnecessary costs as well, and that it is helping the agencies realize the scope of what they were already protecting.

As to the scope of the CUI program, INSA raises, in a couple different ways, that CUI includes information types outside the national security sector, including pointing out that it also includes, for example, protecting information about historic properties. We recognize that we each see the problem from our own perspective and INSA’s members are part of the national security sector. But national security information is not the only kind of information the Federal Government is tasked with protecting – and was tasked with protecting long before the CUI program came about to create a standardized framework for doing so. The CUI program is entirely based on law, Federal regulations, and Government-wide policies that require agencies, or permit them, to protect the information described in those authorities. In doing the very identification of what information the Government is required or permitted to protect that INSA now recommends we do again, it became clear that the scope of information that existing laws, Federal regulations, and Government-wide policies require or permit to be protected is very large and, in the interests of standardizing, it was best to have a single system rather than the complexity of multiple systems.

The public can advocate, through the legislative and regulatory processes, whether certain information should be protected or not, and make changes to the underlying authorities. When those changes are made, they will be reflected on the CUI Registry and the scope of what information falls into CUI will change. But, at the same time, the non-national security information the Government already protects is not protected on a whim. Most people agree that most of the information protected is information that they would want protected. Each item the Government protects has immense impact, whether it is tax information, census information, patent information, people’s personal medical records or health information, huge amounts of other privacy information, or information about sites on which historic properties exist. In the national security sector, we place great importance on retrieving and protecting the bodies of our fallen. The historical properties, archeological resources, and national park system resources categories not only protect our natural and historical treasures from looting, but also protect grave site locations that tribal governments share with Federal agencies.

Yes, the task of creating a standard information protection and sharing system for all unclassified information the Federal Government protects is complex. That is a direct by-product of what existed prior to the CUI Program. Change takes institutional mechanisms and program structure that leads to increased standardization. We are now far down that path with mechanisms and program structure in place creating their own momentum towards ever increasing standardization. Though there is much work still to be done, we are seeing throughout agency implementation continual movement towards standardization.

TODAY: Q1 Stakeholders Meeting 1:00 – 3:00 PM Eastern Time

The conference is going to be from 1:00 – 3:00 PM Eastern Time on December 17, 2020.

Topics include:

  • CUI and Metadata (update)
  • CUI Federal Acquisition Regulation case (update)
  • NIST SP 800-172 (update)
  • NIST SP 800-171A and CUI Notice 2020-04 discussion
  • Recent CUI Notices (2020-06 and 7)
  • Live Question and Answer period

Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 5211961#

Step 2: Join the conference on your computer
Entry Link: https://ems8.intellor.com/login/835169

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118


CUI Q4 Stakeholders Update! Wednesday @ 1:00 (ET)

The conference is from 1:00 – 3:00 PM Eastern Time on August 19, 2020.
Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 2563977#
Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/830824

Topics include:

  • CUI and Metadata (update)
  • CUI Federal Acquisition Regulation case (update)
  • Recent CUI Notices
  • An overview of some frequently asked questions
  • Live Question and Answer period

New ESTIMATED Comment Period for CUI FAR Case

The Spring 2020 Unified Agenda of Regulatory and Deregulatory Actions has been published and with it comes a new, estimated, notice of proposed rulemaking (NPRM) date as well as a new, estimated, NPRM comment period end for the Federal Acquisition Regulation (FAR); FAR Case 2017-016, Controlled Unclassified Information (CUI).

The comment period is from Oct 2020 to Dec 2020 (these dates are an estimate and are subject to change).

More information can be found here:  https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202004&RIN=9000-AN56

AD HOC STAKEHOLDER UPDATE: CUI Metadata markings and NIEM 5.0 beta 1 Release (Presentation with Q&A)

Join us on Monday for a quick presentation and some Q&A!

The conference begins at 2:30 PM Eastern Time on July 13, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 2367572#

Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/829772

Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118

The Ad Hoc Stakeholder Update will have two parts followed by a short Q&A:

  • (10-15 min) An introduction to the CUI Program and how metadata markings can help support CUI Marking and Sharing Requirements. By Devin Casey, Program Analyst.

DEVIN CASEY is the lead for agency implementation and oversight activities for the Controlled Unclassified Information (CUI) Program. Since joining the CUI Program, Devin has authored numerous policies and guidance documents that have aided stakeholders, agencies and industry, in the implementation and management of the CUI Program.

  • (30 min) An overview of the CUI additions to the upcoming NIEM 5.0 as well as instructions on how to submit comments to NIEM 5.0 Beta 1. By Charles Chipman, Senior Research Scientist.

CHARLES “CHUCK” CHIPMAN is a senior research scientist working for Georgia Tech Research Institute (GTRI) supporting the Joint Staff J6 Data and Services Division, which serves as the NIEM Management Office and MilOps Domain steward. He is retired Air Force (C4ISR) and before GTRI spent 10 years as a contractor supporting the AF’s Joint Interoperability of Tactical Command and Control Systems (JINTACCS) program, primarily providing configuration management of the U.S. Message Text Format Program (MilStd6040), an XML-based exchange standard, which is where he was introduced to NIEM/GTRI.

  • (15-20 min) Q&A

Draft SP 800-172 (formerly Draft NIST SP 800-171B) is out for Public Comment

NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft)

Comments are due by August 21, 2020.
Please see https://csrc.nist.gov/publications/detail/sp/800-172/draft for more information, the draft publication, and directions for submitting comments.

Background:

“In certain situations, CUI may be associated with a critical program [6] or a high value asset [7]. These critical programs and high value assets are potential targets for the advanced persistent threat (APT). An APT is an adversary or adversarial group that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. The APT objectives include establishing footholds within the infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, functions, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives. While the category of CUI itself does not require greater protection, CUI associated with critical programs or high value assets is at greater risk because the APT is more likely to target such information and therefore requires additional protection.

[6] The definition of a critical program may vary from organization to organization. For example, the Department of Defense defines a critical program as a program which significantly increases capabilities and mission effectiveness or extends the expected effective life of an essential system/capability [DOD ACQ].
[7] See [OMB M-19-03] and [OCIO HVA].”

-NIST SP 800-172 (Draft), Lines 223-235

CUI Metadata standard available for review

The CUI Executive Agent has been working with the CUI Advisory Council and the National Information Exchange Model (NIEM) to develop a metadata standard for CUI categories and limited dissemination controls. NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations.

The draft standard can be found here and is available for comment until July 17, 2020.

FCI and CUI, what is the difference?

Buckle up, this is a long one…

First, a disclaimer:

This blog post does not constitute CUI guidance. This post is solely an effort to provide helpful information and context.

Then on to some definitions!

Federal contract information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Controlled Unclassified Information (from 32 CFR 2002.4) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. [emphasis added]

When we look at both of these definitions, we find some similarities as well as a very important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. But, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding.

In short: All CUI in possession of a Government contractor is FCI, but not all FCI is CUI.

So, what does this mean for safeguarding in a non-federal system?

Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.

Non-federal systems that store, process, or transmit CUI are required to meet any additional safeguarding requirements identified in the contract. As agencies implement the CUI program and incorporate the standards of this program into their contracts and agreements, NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).