Jay Bosanko of the National Archives says it is unknown how many records are covered by the government's myriad designations for sensitive but unclassified information. (Chris Maddaloni / Staff)
The label may be "For Official Use Only." Or "Eyes Only." Or "Close Hold." These are a few of more than 100 markings that federal officials use to designate records as sensitive but unclassified information.
Use of those designations is believed to have soared after 9/11 and, as a result, stymied effective information sharing among agencies.
But it has been more than a year since the Obama administration began pushing for a standard, streamlined approach to handling such information.
The White House is attempting to draft an executive order to streamline the way sensitive but unclassified (SBU) material is marked and handled. Experts say the process has taken longer than expected.
Among the complex issues to be sorted out by the executive order: how to balance openness and security, how to define "sensitive but unclassified" (SBU), how long SBU materials should remain protected, and what penalties, if any, federal employees could face for failing to follow protocols.
"I think they are getting a lot of conflicting pressures that they are trying to work through," said Sharon Bradford Franklin, senior counsel of the Constitution Project. The Project is among numerous groups talking to the administration on a draft executive order that aims to tame the hodge-podge of 107-plus designations that control "sensitive but unclassified" information. In addition to those labels, there exist more than 130 sets of handling requirements.
Sensitive records could include everything from health information to law enforcement documents. Just how many are covered by the myriad designations now in use is unknown, but Jay Bosanko, director of the National Archives' Information Security Oversight Office, which helps set information policy, said the total is likely more than the millions of records covered by new classification decisions each year.
"Absent a standardized system, we will continue to place information that is legitimately sensitive at needless increased risk," he said. "We will also needlessly protect information that does not require protection."
A presidential task force last year proposed a consolidated system under the umbrella of "Controlled Unclassified Information," or CUI.
"Depending upon the breadth of the CUI definition used, this could be expected to require enormous changes in agencies' administrative handling of their records," said Dan Metcalfe, former director of the Justice Department's Office of Information and Privacy who now runs the Collaboration on Government Secrecy at American University's Washington College of Law.
Bosanko predicts the impact will vary by agency. "In some quarters, it's going to be very minor changes. In others, the changes will be much more significant."
Under existing policy set by former President George W. Bush, the CUI label basically applies to terrorism-related information with the goal of providing a common "information sharing environment" for federal, state and local authorities.
In a May 2009 memorandum, President Obama charged a 14-member task force with exploring whether the CUI designation should be widened to cover all sensitive executive branch records. In a report made public in December, the task force answered yes. Among some 40 recommendations, the group also said the government should devise a standardized set of markings, set a standard 10-year life cycle for "decontrolling" CUI records, and proceed with an agency-by-agency training regimen.
"Implementation of CUI will require cultural changes, including a more proactive balancing of security and openness," the report said.
The effort to draft an executive order is led by the National Security Council, according to open-government groups involved in the effort. NSC officials did not respond to interview requests or written questions last week.
A draft executive order dated July 6 ran into flak on the grounds that it risked creating a de facto level of classification, complete with penalties — ranging up to suspension and dismissal — for federal workers who release sensitive information without authorization.
On paper, those sanctions would also apply to employees who improperly use CUI designations to cover up wrongdoing, but critics question whether that would happen in practice. "You don't get in trouble for withholding something," said Patrice McDermott, executive director of OpenTheGovernment.org, a coalition group also involved in the effort. McDermott said she heard that the July draft has been replaced by a much shorter version that "basically punted everything" to Bosanko's office. Bosanko declined to comment on any aspect of the administration's work on crafting a new policy.
In attempting to impose order on a system that has mushroomed willy-nilly, the White House has picked up a challenge that dates back decades, but gained urgency after the September 2001 terrorist attacks. In its report published three years later, the 9/11 Commission spotlighted flawed agency information handling as a factor in the failure to head off the attacks.
"Information was not shared, sometimes inadvertently or because of legal misunderstandings," the commission concluded in a passage cited by the CUI task force. "Often, the handoffs of information were lost across the divide separating the foreign and domestic agencies of government."
The task force was equally critical. However the status quo works in individual agencies, the report said, "it is clear that as a whole, Executive Branch performance under these measures suffers immensely." The problems include inconsistent policies; inconsistent application of policies and uncertainty as to what policies actually apply, the report said.
The vast quantity and types of sensitive information, however, make it difficult to come up with an easily understood meaning for CUI.
"The most controversial aspect should be the breadth of the definition of Controlled Unclassified Information," Metcalfe said in an e-mail. "Whether the executive order will even have such a definition at all."