Despite Obama directive, agencies maintain ad-hoc approach to unclassified information
Friday - 5/30/2014, 12:00pm EDT
Four years after President Barack Obama signed an executive order telling agencies to settle on a single set of standards for handling unclassified information, agencies are still using their own labels and their own rules to decide when information should be withheld from public disclosure.
The point was illustrated on Thursday with the release of a new Congressional investigation into practices within the Transportation Security Administration. The report, compiled by House Oversight and Government Reform committee staff, found that TSA had been routinely misusing one of its own information labels, "Sensitive Security Information," in some cases manipulating the definition of "SSI" in order to withhold documents that posed no threat to aviation security but were merely embarrassing, and in other cases releasing documents without consulting its own security review experts.
TSA also repeatedly violated its own policies that required the agency's administrator to make a written determination when the agency decided that information should be tagged with the SSI label, the report concluded. "Failures by TSA officials to submit written determinations supporting the release or withholding of SSI caused a rift between senior TSA leadership and the SSI office," said Rep. John Mica (R-Fla.), the chairman of the government operations subcommittee. "This rift resulted in an inconsistent application of the SSI designation, and such inconsistency, unfortunately, has also shown to be detrimental to the process of protecting sensitive transportation security information."
The committee found problems with TSA's use of the SSI designation dating back to at least 2004. The agency says it has made several changes in recent years, including the issuance of an SSI handbook and updated training for TSA staff, and has refined the program further in response to the congressional inquiry.
"I'm very confident that the new measures we have put in place have significantly improved the way we handle SSI," said Annmarie Lontz, the director of TSA's security services and assessments division. "It is much more consistent, there is a memorialization of any and all SSI reviews that are done. It is comprehensive in the training. We can customize it depending on various programs so they get a more in-depth understanding of what SSI is and is not."
Irrespective of whether TSA has fixed problems with that particular designation, under the 2010 White House directive, the SSI label isn't even supposed to exist in its current form. Nor are the 116 other stamps that agencies across government routinely apply to unclassified information in order to protect it from public disclosure.
The 2010 executive order was a response to a proliferation of what the National Archives and Records Administration has termed a "confusing and inefficient patchwork of agency-specific practices" for tagging and protecting unclassified information. The mix includes the pervasive "For Official Use Only" stamp, "Limited Official Use," "Law Enforcement Sensitive" and dozens of others that are more narrowly descriptive of the type of data involved. Many of the labels were mandated by Congress or by formal agency rulemaking, but many others have no legal basis whatsoever.
The Obama order effectively told agencies they were no longer free to make up their own rules for the "pseudo-classification" of information. It created a single label, "Controlled Unclassified Information." Unclassified data that agencies have legitimate legal authority to withhold would be covered beneath that umbrella, and extralegal labeling schemes were supposed to go by the wayside. The order also made clear that the new "CUI" label doesn't trump the Freedom of Information Act.
Patrice McDermott, the executive director of OpenTheGovernment.org, said the order itself was a major victory for open government advocates. "The agency policy markings are going to be ended. The question is when, and regrettably, that's where the rub comes in," she said.
In order to do away with agencies' ad-hoc processes for handling unclassified information, the federal government needs to publish a final rule that implements the intent of the 2010 executive order. But federal agencies, advocacy groups and NARA were not able to reach a consensus on what the CUI program should look like until very recently. NARA, the agency in charge of creating a master registry of what constitutes legitimate CUI and what doesn't, finally submitted a draft regulation to OMB earlier this month. When the regulation is finalized, it will take several more years before the concept takes hold.
McDermott doesn't fault NARA, which has been working since 2010 to survey current agency practices in order to build a map for the CUI program. But she said federal agencies appear to have worked to slow the process down and hold onto their current information management practices for as long as possible.