CUI: The High Notes

by rfahs

Information security reform

Controlled Unclassified Information (CUI), is sensitive information that laws, Federal regulations, or Government-wide policies require or permit executive branch agencies to protect – protection that agencies have undertaken for decades, but on an ad hoc and inconsistent basis.  The legacy of agency-specific policies, procedures, and markings that arose to safeguard privacy, proprietary business, law enforcement, and other sensitive information, has spurred the ongoing drive for reform by the past three Presidential administrations.

An agent for change

The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA), responsible for oversight of the CUI Program and monitoring its implementation by executive branch agencies.  To meet the Program’s annual reporting requirement, agencies must submit their first annual reports in November this year (2017), which we will use to prepare an annual report to the President.  As implementation continues, we will also monitor compliance through inspections and data calls.

Moving forward

Since 2016, agencies have been carrying out the first phases of the CUI phased implementation plan.  The Program’s Federal regulation at 32 CFR 2002 went into effect last November, and we issued guidance to agencies with recommendations on how to  implement the Program’s requirements and meet the phased implementation stages  (see CUI Notices 2017-01 and 2016-01).  The first phase of the implementation plan was to review agency policies concerning sensitive information and draft or revise them as needed to reflect CUI Program requirements.  By the end of June 2017, most major agencies had drafted policies that put them well on their way to meeting the expectation of full implementation within 3-5 years.

Budgeting for implementation

Thus far, agencies have been utilizing existing resources for the initial phases of CUI implementation.  In 2016 and 2017, OMB Circular A-11 (the latest version issued by the current administration in July), recognizing that continued implementation and reform will require additional resources, requested agencies to include CUI program and implementation costs in their FY 2018 and FY 2019 budgets and provided guidelines for doing so. 

Standards and best practices

The CUI Program establishes standards and best practices built on existing agency policies and programs to replace the legacy of inconsistencies in safeguarding and handling sensitive information – for the entire lifecycle of the information, from marking through destroying.  The CUI Program establishes consistent protections, while facilitating authorized information sharing across the executive branch. 

The instruments of change

The Federal regulation governing the CUI Program is 32 CFR 2002.  As the Executive Agent for the CUI Program, we also use the following tools to support information security reform:

  • The CUI Registry – Published by ISOO in 2011, the CUI Registry presents the first compendium of all laws, Federal regulations, and Government-wide policies requiring or permitting agencies to protect sensitive information across the executive branch. The CUI Registry includes ISOO-approved markings for categories and subcategories divided into two fundamental types of CUI – CUI Basic and CUI Specified.  Although CUI Basic and CUI Specified are distinct types of information, they are not different levels of protection.  If a law, Federal regulation, or Government-wide policy identifies what information to control without also asserting how to control it, that is CUI Basic.  All categories and subcategories of CUI Basic are protected with the same standards, described in 32 CFR 2002.  If the authority includes instructions or details about how to protect information, that is CUI Specified.  The requirements prescribed by a CUI Specified authority must be followed for the relevant category or subcategory of CUI Specified.  Even for CUI Specified, if the appropriate authorities governing those categories and subcategories are silent on some aspects of protection, standards from the CUI regulation at 32 CFR 2002 fill the void.
  • NIST SP 800-171 – In addition to the CUI Registry, the CUI Program draws on National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171, published in 2015, and NIST SP 800-171 Rev. 1, published in 2016), which establishes protection standards for non-Federal information systems – such as those owned by contractors, universities, research labs, state and tribal governments, and other partners – that receive or use CUI under contracts or agreements with the executive branch and are not operating a system on behalf of the Government. Under NIST SP 800-171, non-Federal partners must handle CUI received from executive branch agencies at no less than the Moderate Confidentiality Impact level.
  • The CUI FAR – In FY18, an upcoming proposed CUI Federal Acquisition Regulation (FAR) aims to standardize how contracts between executive agencies and non-Federal partners address safeguarding and handling of CUI in compliance with the CUI Program.