New guidance streamlines agency handling of unclassified information

Agencies will have an easier time managing the dissemination of controlled unclassified information (CUI), thanks to new guidance published by the National Archives and Records Administration’s Information Security Oversight Office.

CUI is unclassified information that a law, regulation or governmentwide policy has given an agency the authority to safeguard or control access to. Over time, agencies have developed a myriad of rules and long-held practices for how to handle and label this type of information.

“Over 100 different labels are in use across the government for this,” ISOO Director John Fitzpatrick told Emily Kopp on Federal Drive with Tom Temin. “Things labeled ‘For Official Use Only’ or ‘Administrative, Internal Use Only’, ‘Sensitive, But Unclassified’ or ‘Law Enforcement Sensitive Information’ and there’s dozens and dozens more.”

President Barack Obama signed an executive order in November 2010 to bring all of this confusing language into order and establish a system and guidance for labeling CUI.

“The executive order makes it explicit that you’re only supposed to use this when it’s really necessary and when it’s authorized by a law or a reg,” Fitzpatrick said. “What has happened through time is individuals and sometimes agencies instruct their employees to mark things that really don’t merit control and really ought not to be bogged down with cost, inefficiencies and a lack of transparency around information that doesn’t warrant control.”

Unnecessary labeling of CUI can lead to confusion and put at risk information that legitimately needs to be controlled.

“If people are used to seeing these markings and ignoring it, then when it really does need to be controlled, when it’s about some proper security matter or a privacy matter, then it won’t get the protection that it needs,” Fitzpatrick said. “So, we’re hoping that a consistent set of rules will focus people on protecting the information that needs to and then sharing or not burdening information that doesn’t.”

In the past, agencies may have thought labeling everything was a good way to put a security blanket over their information, adopting a sort of “it’s better to be safe than sorry” approach.

“In general, that’s a good thing when they feel that way about their work,” Fitzpatrick said. “But, when everybody has something special and it’s the same stuff, they have to realize it really isn’t as special as they think and it merits consistent handling.”

Following the executive order, NARA created an online registry where agencies can look at the different categories of information that have laws, regulations or reasons they need to be protected.

“We’ve defined the universe of CUI,” Fitzpatrick said.

In addition, ISOO has published a proposed rule in the Federal Register seeking public comment through the end of July. If enacted, the rule would instruct agencies how to operate a CUI program and designate their CUI so that it is in line with the new guidelines.

“Agencies will need to observe safeguarding rules that are reasonable,” Fitzpatrick said. “Put a cover sheet on it. Make sure you leave it in your locked office. What has happened over time is agencies have made themselves feel better by putting all kinds of extraneous safeguards on things. Wrap it in one envelope. Wrap it in two envelopes. Wrap it in three envelopes, when you get on the Metro. Those kinds of things, those practices and instructions do exist, they don’t make a lot of sense. This rule is trying to set a baseline for how you would handle these things and how you would mark them. What are the reasonable markings that everyone will recognize that don’t have 118 different variations, but will clearly indicate, ‘OK, this is something I need to pay attention to. Let me look closer and make sure I’m handling it properly.'”

Fitzpatrick’s office is preparing training material to put online that agencies can use to instruct employees. At the same time, agencies are refining their internal rules, regulations and directives covering CUI.

“We understand that roll out and the implementation of this will take some time,” Fitzpatrick said. “And the first stage is to familiarize employees with what information they have that qualifies under this program for some level of protection and how the practices around it will be changing.”

Properly marking these documents should also help to improve transparency.

“CUI is about, ‘When it needs safeguarding, you do these things with it,'” Fitzpatrick said. “But when it is the subject of a [Freedom of Information Act] request, the FOIA process takes over and makes all the considerations, all the deliberations about whether or not to release that information. It is unchanged by the CUI program. … As the program is implemented, less information would be marked in the first instance, and so, any inquiry about it or request for that no longer marked information should have a smoother pass through any release request process.”
