On November 4, 2011, the National Archives and Records Administration (NARA) released the first-ever registry for Controlled Unclassified Information (CUI): records that are not classified as top secret or secret, but still require some protection. The release of this registry meets one of the first targets of President Obama’s Executive Order on Controlled Unclassified Information.
The order stated that “Within 1 year of the date of this order, the Executive Agent shall establish and maintain a public CUI registry reflecting authorized CUI categories and subcategories”. Although much work remains, the new registry “is certainly an important milestone,” according to John Fitzpatrick, the office’s director. Looking back at the origin of this registry, one of the key reasons to move forward with this initiative was that executive branch performance “suffers immensely from interagency inconsistency” in the CUI arena. And no wonder: there were 117 different markings. The results were inconsistent marking and safeguarding of documents, which led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing.
The new CUI registry provides a common definition, standardizes processes and procedures, and breaks CUI down into 15 subject categories, such as law enforcement, immigration and privacy, followed by 85 subcategories (“privacy-contract use,” “privacy-financial,” and so on). It also justifies each with a reference to a specific law, regulation or government-wide policy. The next major step for agencies will be to meet the second target (deadline December 6, 2011) specified in the Obama Executive Order: “Within 180 days of the issuance of initial policies and procedures by the Executive Agent in accordance with section 4(b) of this order, each agency that originates or handles CUI shall provide the Executive Agent with a proposed plan for compliance with the requirements of this order, including the establishment of interim target dates.”
What’s Next and What Does This Mean for You Today?
A good number of agencies are ahead of the curve, looking at the CUI implementation and evaluating COTS solutions to address the CUI markings. Other agencies, on the other hand, are in the research phase and have just started looking at CUI. Regardless of where you might be, when preparing your initial compliance plan for NARA and beginning to evaluate a COTS CUI marking solution, you should consider the following best practices:
1) Users will need to be able to apply CUI-compliant markings to email and documents. This includes CUI-compliant headers, footers, watermarks, and portion markings. The markings should be applied automatically to ensure consistency and compliance with the CUI framework.
2) Any existing marking tools will need to support the new CUI framework, and should be able to switch over to the new markings within a very short period of time. Ideally, the marking tools will recognize the old markings such as SBU and FOUO, and will automatically map them to the new CUI markings.
3) Any marking solution should be easy to use and require minimal training for the user. Ideally, the solution will be integrated into the user’s regular email and document workflow.
4) Users should be prompted when sensitive information is detected within an email or document, even if the information has not been marked as CUI. For example, if a Social Security Number is found within a document, the user should be warned before sending that information through email.
5) Some CUI information will require extra protection such as encryption and dissemination controls. This should be enforced automatically.
6) CUI markings should be stored as metadata, which can be used by downstream technology, such as archiving, e-Discovery, and data loss prevention (DLP) solutions.
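As an added illustration of practices 2, 4 and 6 above (example code, not TITUS’s or PKH’s product): a small Python checker that maps legacy FOUO/SBU markings to a CUI marking, flags a Social Security Number found in unmarked content so the user can be warned before sending, and emits the outcome as metadata that a DLP or archiving system could consume. The legacy-to-CUI crosswalk, the SSN pattern and the encryption rule are assumptions made for the example, not values from the CUI registry.

```python
import re

# Constructed crosswalk from legacy markings to the new CUI marking. The real
# crosswalk comes from the agency's CUI registry review; this is an assumption.
LEGACY_TO_CUI = {"FOUO": "CUI", "SBU": "CUI"}

# Legacy marking at the start of a line, e.g. "FOUO" or "SBU - Draft".
LEGACY_RE = re.compile(r"^[ \t]*(FOUO|SBU)\b", re.IGNORECASE | re.MULTILINE)

# Detector for the sensitive content the text names: a Social Security Number
# in ddd-dd-dddd form, with invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def map_legacy_markings(text):
    """Return (legacy markings found, CUI marking they map to or None)."""
    found = {m.group(1).upper() for m in LEGACY_RE.finditer(text)}
    mapped = {LEGACY_TO_CUI[m] for m in found}
    return found, (mapped.pop() if mapped else None)


def evaluate_message(body, user_marking=None):
    """Decide the marking for an outgoing message and build its metadata.
    Precedence: explicit user marking, then a mapped legacy marking. Unmarked
    content containing an SSN is flagged for a warning before send; the dict
    returned is the metadata a DLP, archiving or e-Discovery tool would read.
    """
    legacy, mapped = map_legacy_markings(body)
    marking = user_marking or mapped
    ssn_count = len(SSN_RE.findall(body))
    warnings = []
    if legacy:
        warnings.append("legacy marking mapped: " + ", ".join(sorted(legacy)))
    if ssn_count and marking is None:
        warnings.append(f"{ssn_count} SSN(s) found in unmarked content")
    return {
        "marking": marking,            # applied as header, footer and watermark
        "legacy_markings": sorted(legacy),
        "ssn_count": ssn_count,
        "warn_user": ssn_count > 0 and marking is None,
        "encrypt": ssn_count > 0,      # assumed policy: SSN content is encrypted
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample: a legacy-marked email body carrying an SSN.
    sample = "FOUO\nHR note: employee SSN 123-45-6789 is on file."
    print(evaluate_message(sample))
```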
All agencies should think about the CUI compliance plan as an opportunity to leverage, protect, and share this information. If you haven’t started looking at a solution or thinking about how you can tackle this, it’s never too late to start today.
TITUS has extensive knowledge and expertise in the development and deployment of marking and safeguarding tools. TITUS has worked closely with other government agencies worldwide to help them comply with data and marking regulations similar to Controlled Unclassified Information, including departments across the Australian government, as well as government departments in the UK. To provide additional services to federal agencies moving to CUI, TITUS has partnered with PKH Enterprises to offer organizations assistance in formulating their complete CUI compliance plan. PKH provides legal, policy, and technical expertise on CUI. TITUS labeling and safeguarding software solutions are available in combination with PKH’s facilitated training and work sessions to allow organizations to systematically implement CUI.
As part of our collaboration with PKH, we have developed two white papers to help agencies address CUI. These are free to download from the TITUS website. “Protect Your CUI Data: 5 Steps to Successful CUI Compliance Plan” is co-authored with Patricia Hammar, executive secretary of the CUI Presidential Task Force. In the paper we provide expert advice, templates, and best practices from governments that have implemented similar initiatives. If you are evaluating a COTS solution, I would also recommend “Meeting CUI Requirements with TITUS Classification” that describes in depth the benefits of a TITUS CUI marking solution.