CUI: Unclassified Information Isn’t Always Public

The United States Government is currently going through a review of how it labels and handles “Controlled Unclassified Information”. In May 2008, President George W. Bush issued a Memorandum for the Heads of Executive Departments and Agencies on the Designation and Sharing of Controlled Unclassified Information (CUI) to replace the existing “Sensitive But Unclassified” (SBU) Information Sharing Environment. The National Archives and Records Administration (NARA) was appointed as the Executive Agent for implementation and oversight of the CUI program. In this article we’ll look briefly at some of the important elements of the CUI Framework, and their impacts on how unclassified information is handled in the US Government.

A Brief History of CUI and SBU

The need for labeling and handling of unclassified information was driven by the Freedom of Information Act (FOIA) in the United States, which includes nine (9) exemption areas which contain justification for types of information that may be withheld from being publicly disclosed. Clearly, a labeling system makes sense for tracking this type of information. However, most organizations have created their own interpretation of how to comply with this requirement. For the most part, exempt information has typically been labeled as “For Official Use Only” or FOUO.

Prior to the May 2008 Memorandum from President Bush (which can be found at ), the concept of Sensitive But Unclassified (SBU) information existed, but was defined and implemented differently in numerous organizations throughout the US Government. The purpose of the Memorandum from President Bush was to improve information sharing by standardizing the handling of unclassified information under the CUI initiative. The intent of standardization would be to improve consistency and reduce uncertainty in situations where the existing treatment might have caused a barrier to sharing documents that could impede security instead of advance it.

Under the CUI framework, there are now three proposed classifications:

1. Controlled with Standard Dissemination – The information requires standard safeguard measures that reduce the risks of unauthorized or inadvertent disclosure. Dissemination is permitted to the extent that it is reasonably believed that it would further the execution of a lawful or official purpose.

2. Controlled with Specified Dissemination – The information requires safeguarding measures that reduce the risks of unauthorized or inadvertent disclosure. Material contains additional instructions on what dissemination is permitted.

3. Controlled Enhanced with Specified Dissemination – The information requires safeguarding measures more stringent than those normally required since the inadvertent or unauthorized disclosure would create risk of substantial harm. Material contains additional instructions on what dissemination is permitted.

Within these definitions, the use of “additional instructions” is limited to only those instructions authorized by the Executive Agent. The labels are only meant to inform, but not actually control the disclosure or release of the information. This allows for situations where interpretation of the Freedom of Information Act may depend on the situation.

In January 2009, President Barak Obama issued a new Memorandum that ordered an Inter-agency Task Force to perform a review of the CUI program, and provide recommendations. In August, 2009, the task force issued their report with 40 recommendations. The primary focus of these recommendations is to provide a simple, concise and standardized framework that would be easily adopted across all departments, as well as all levels of government.

The report can be found at .

What does this mean to organizations that have used SBU or CUI information labels?

The CUI initiative, and subsequent reviews will, in time, have an impact on most organizations. The SBU labels and markings such as FOUO will ultimately have to be deprecated. However, there will be a transition period during which document labeling and marking schemes will have to be reviewed. Many organizations may find that they need to change the way they label and handle CUI. Others may find that they must initiate a labeling and marking program for the first time.

How Titus Can Help

The Titus Document Classification and Titus Message Classification software products provide the ability to classify documents under the existing SBU Information Sharing Environment (ISE) and under the CUI Framework. Standardized dissemination instructions used in an Executive Department’s CUI Framework can be easily created by the organization and consistently applied when users create or update documents.

The diagram below shows how a user saving an MS Office document would select the proper labeling indicators, allowing the Titus Document Classification product to enforce standardized fields in watermarks, headers, footers, etc.

Titus Document Classification interface screenshot

Titus Document Classification user interface for CUI labeling and marking

The Titus products are designed to allow organizations to define their labeling and marking rules, and to provide enforcement in document handling that is interoperable with rights management systems such as Microsoft’s  AD RMS, as well as digital signature or metadata based enforcement systems.

Titus also provides tools for implementing batch mode conversion of large numbers of documents, ensuring consistency of marking and handling in a virtually instantaneous transition.

What are your views on the CUI Framework? Do you believe it will improve information sharing between US Government departments? What issues are you seeing that present challenges in its implementation?

If you’d like more information on how the Titus products can help implement the CUI Framework in your organization quickly and consistently, please use the coordinates on our Contact Us page to let us know.

Other CUI References:

Tags: , , , , , , , , , ,

Leave a Reply