Classified documents usually get all the attention, but a new rule is addressing the way controlled information is marked and disseminated in non-classified documents.
The final rule from the National Archives and Records Administration’s Information Security Oversight Office establishes a central framework for how agencies are required to treat controlled unclassified information (CUI). It provides implementation guidance for Executive Order 13556, which aimed to standardize the way federal agencies deal with CUI.
CUI is a broad category that encompasses many different types of sensitive, but not classified, information. For example, personally identifiable information such as health documents, proprietary material and information related to legal proceedings would all count as CUI.
“What this rule tries to do is capture what agencies are now doing and treat them in a uniform way,” Chuck Blanchard, attorney and partner at law firm Arnold and Porter, said as part of Federal News Radio’s Information Management Month.
Right now, agencies all have different ways of treating CUI, and contractors aren’t bound by the same rules as agencies.
One of the functions of the rule is to ensure that agencies are marking and handling the information in the same way. Documents that may have been marked “proprietary” or “official use only” will now be marked “CUI.”
This will help standardize not only handling within agencies, but how information is treated when it gets transferred between them. Right now, the same information that is stringently protected at one agency could be vulnerable at another.
But guidance on handling documents isn’t the only thing the rule accomplishes.
“There’s a lot of good information and good guidance in the rule, but one of the most important things the rule does is it creates an executive agent for CUI information that will then be a central clearing house for practices and standards that will need to be followed by agencies,” Blanchard told the Federal Drive with Tom Temin.
Blanchard said that at a lot of agencies, the chief information officer is typically the Freedom of Information Act officer as well, so that individual may well find themselves taking on the role of executive CUI agent as well.
One pertinent piece of information is what exactly constitutes CUI.
“There are two different sets: the easy set are the kinds of special restrictions that are already imposed on law, regulations or governmentwide policy,” Blanchard said.
These include export restrictions and health personal information governed by the Health Insurance Portability and Accountability Act.
“The more troubling ones are CUI-basic, which is basically information that requires more safe-keeping. That’s the kind of information that already is being marked as “for official use only” or confidential, or other kinds of markings,” Blanchard said.