The Information Security Oversight Office at the National Archives and Records Administration is finalizing a new rule for how agencies mark controlled unclassified information (CUI). As the office hones in on the specifics of the new rule, ISOO Director John Fitzpatrick sat down with Federal Times Senior Writer Aaron Boyd to discuss what this means for agencies and the day-to-day of federal employees.

Why is a new CUI rule necessary?

The government is a steward of information. Doing things in the interest of the citizens, the government divides its mission up among entities and says, "Go do these things."

Individually, agencies feel very confident that they are doing the things that are consistent with their mission and that they are doing good for the American people and they are right. In the aggregate, variations in behavior also affect the citizens but any one agency cannot see it. So having governmentwide policy for something like this is important to remind agencies of the implications of their work, the unintended consequence or the need to mind behavior in the collective rather than just in the individual. That is the brand of regulation this is.


We do not expect this rule to affect mission performance. Agencies that have missions and do them the way they do will still do it that way. But in the process of doing that, information should become more available; that reasons for its protection when it is required should be clearly understood; the limits of that protection, when it might no longer require that protection, should be knowable; and the ineffective inefficiencies that are built in the status quo should be reduced.

Previously, agencies were coming at it from the opposite side, where something was controlled information if it was marked so. Now you are looking at only marking it if it should be controlled?

If it has an authority for control. What we did in the first months after the executive order [in 2010] was poll agencies: submit your suggestions for information types that you have that you place controls on today and that you believe you have a proper authority under the executive order — one of these laws, regulations, or governmentwide policies.

That was part of the early learning curve for agencies to realize they actually needed to have something that was a governmentwide authority. And there are plenty of them. We got 2,200 submissions from agencies, slips of paper under the door that said, "Hey, here's what we are doing today and what we believe we should be able to do in the CUI realm." We racked and stacked all of those and put them in a taxonomy of categories and subcategories and put it up on the web at archives.gov/cui.

In the registry you can click from these 23 broad categories like export, agriculture, nuclear, privacy — those kinds of big buckets. Then you click down in them and you get to things like bank secrecy or criminal investigation or personnel privacy information — the subcategory level. There are 85 of those subcategories. There are 315 laws, regulations, and governmentwide policies that put them there, so there is a lot of overlap.

Obviously, these things were written for their own purpose. They were not written to create an orderly regime for CUI. So we are trying to pull this blanket over an existing authority regime and say anything that is in this world we are now calling CUI merits common practices and procedures.

If anything there is going to be less CUI once the rule goes into effect?

Yes, that is the intent. Things that were marked today as [for official use only] because that feels like the right thing to do should only be marked if they have a category. We know that there are many, many things marked with FOUO or "sensitive but unclassified" that do not have these categories.


I expect that in the implementation phase of this we will have whitelist and blacklist markings so we know the kinds of things that were used before. The draft rule that we have, the draft regulation, outlines a marking scheme and how they will be arrayed on any given page.

We have also created a marking handbook working together with the affected agencies – all the permutations for how things that need to get marked should be marked.

Can you give a basic rule of thumb for what is CUI and what is not?

There is not a rule of thumb beyond if it is a law, regulation or governmentwide policy.

If you work in an HR shop or you work in a contracting shop then there are types of information that you regularly encounter where they instruct you: this requires some protection. Privacy information: there is all kinds of instruction all across government for how privacy information is collected and when it merits some level of control in the acquisition world. Or in the regulatory world, there is a lot of collection that is made from businesses. It would be proprietary information that might be a moniker we would give it. So confidential business information is another label for this. When the government collects it from companies it does so under an obligation that we will protect it; we will not give it to your competitors, foreign or domestic, and we are going to give your intellectual property a proper level of protection.

That kind of instruction happens already in just the mission space of any agency. You can take that to the law enforcement angle, you can take it to the legal world, you can take it to information management, you can take it to Homeland Security. Each one of those big bucket areas has their own usual types of information.

What agencies will have to do with the rule and the new marking is train their employees again to recognize the broad categories. There are 23 broad categories of information. Agencies will look at that registry and say to their employees, "We have 11 of them and they exist in these directorates and this is how we will train you to control them."

Are agencies going to have to go back and remark old information?

No. And it is a very important question. If the answer were yes it would be unimplementable, right?

With the oceans of data that exist today and are getting the protection they always have gotten, the change in rules does not really imply a change in the state of protection. Rather it is the state of instruction and the handling of that material going forward. Agencies are not going to have to do anything with databases, libraries, boxes of records, or the petabytes of information that are sitting around on servers. It is not a requirement.

Legacy information is reused at times. When you take information from the previously unmarked document or a document that was marked with the previous markings and you put it in a new creation that is the time that that information gets handled under the new regime. But the old documents or digital containers for this information are unaffected.

If I am an average agency employee who has to mark things on a regular basis what do I need to know about this?

There will be training for every federal employee as part of the implementation plan. That training will begin after the rule is made final.

We are giving agencies a period of time and the first phase will involve two things: rewriting their internal policies and instructions so that employees have local, authorized descriptions of what the rules are; and then to train their employees to be aware of the changes.

The changes constitute very little in the way of physical work or IT protection in a government agency. We have that information now; it is on a system that is protected according to NIST and OMB standards. That part is not going to change. Markings will change.

The instruction for marking is intended to simplify and make consistent the regime for marking. It might be that most documents, if they are labeled simply "sensitive but unclassified" or "for official use only" today, will be marked controlled or controlled unclassified information. And that is it. Top, bottom, that is it.

Is it going to be a financial lift? And have there been any provisions made for that?

A little bit — the preference for doing that is when the rule is nearly final. Agencies have lots of real world budget planning decisions to make all the time. Prospective rules that may or may not come on time are not a place that they want to spend a lot of time worrying about.

We are now in this final stretch with the rule. It has been through public review and comment. It is going to survive intact and we will make improvements and get it to final. So now we are preparing the data collection for agencies to say: now, in your budget planning, these are the considerations; begin the discussion with your resource management officials to figure out where, how much, and when your resource needs can be addressed.

You got some feedback from sectors of the public that you did not expect?

We did. This is why you do the public review.

We heard from a couple of states and the legal communities there where there are states' rights issues around transparency and sunshine laws that we have to make sure our language does not inadvertently cause conflict there. And so we have heard that and worked with the legal teams to make revisions there.

Also the legal community here in Washington that supports business activities with the government has been just terrific, both on their own and coming to our public meeting on the topic and coming to the meetings that we were having through those government contracting groups I mentioned and then blogging about it.

And really sharp observations — they have provided comments through the rule that make it a better rule.

What are some of the specific changes being incorporated based on those comments?

There is a lot of concern around information systems that are non-federal systems. Inside the government, the FISMA and NIST and OMB guidance regulate how agencies and agency systems are to protect all types of information, including CUI. There is no similar regulation or standard [for non-federal systems]. There was no regulation or standard that said when you are contracting with an entity and you are providing for their use on their systems to deliver what you are buying how to protect it there.


So we partnered with NIST and just late last month NIST published their special publication 800-171, which is protections for CUI on non-federal systems and in non-federal organizations. That is intended to be used as a reference whenever you make a contract that requires the protection of CUI or an information sharing agreement, which is what happens a lot between federal, state, local and tribal law enforcement and other Homeland Security entities. There are lots of information sharing agreements. So it simply says, "Here are the standards for protection in that space."

How information gets designated in the first place and how much of it is a great concern for folks outside of government. If we were to just mark CUI on everything we could and then throw it over the fence to our contractor partners and say everywhere you put that you have to have these levels of control that becomes, in their view, an onerous burden. So not only are they the right IT standards in a very cyber-sensitive time, but if they have to apply it to too much information it becomes onerous and burdensome.

Similarly there are folks that share and interact with the government but do not do so in a contractually bound way. Non-profits, non-government organizations, information advocates, information openness advocates and the like are regularly consulted by their government counterparts on a draft. But for some reason it might require some level of control.

And so there is a flexibility needed because we are sensitive both to agencies and those non-government organizations. They want that channel to stay open and they do not want it to be overburdened by controls.

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
