CUI briefing II
-
Upload
kaye-beach -
Category
Documents
-
view
889 -
download
6
Transcript of CUI briefing II
Controlled Unclassified Information (CUI)
Leslie BethuneInformation Security Manager
Headquarters U.S. Marine CorpsMarch 2010
Overview• Authorities• Current Status• CUI Criteria• Markings• Governance Structure• National Actions• DoD Actions
Authority• Section 1016 of the Intelligence Reform Terrorism
Prevention Act (IRTPA) of 2004– The President shall:
• Create an information sharing environment (ISE)
• designate the organizational and management structures that will be used to operate and manage the ISE
• ensure that the ISE provides and facilitates the means for sharing terrorism information among all appropriate Federal, State, local, and tribal entities, and the private sector through the use of policy guidelines and technologies.
Authority• Guideline 3, Presidential Memorandum, December
16, 2005
“To promote and enhance the effective and efficient acquisition, access, retention, production, use, management, and sharing of
Sensitive But Unclassified (SBU) information, including homeland security information, law enforcement information, and terrorism information, procedures and standards for designating, marking, and handling SBU information (collectively "SBU procedures") must be standardized across the Federal Government.”
-Guideline 3, December 16, 2005 Presidential Memorandum
Authority• Presidential Memorandum, May 9, 2008,
“Designation and Sharing of Controlled Unclassified Information”– Replaces the term SBU with CUI– Defines CUI
“Unclassified information that does not meet the standard for National Security Classification under Executive Order 12958, as amended, but is pertinent to the national interest of the United States or originated by entities outside the U.S. Federal government, and under law or policy requires protection from disclosure, special handling safeguards, and prescribed limits on exchange or dissemination”
-Presidential Memorandum, May 9, 2008, Designation and Sharing of Controlled Unclassified Information
Current Status• May 7, 2008 – Presidential Memorandum
– Established a standardized framework designed to facilitate & enhance the sharing of CUI
• July 21, 2008 – Joint USD(I) & ASD(NII)/DoD CIO memo– Advised components that transition to the CUI Framework would encompass
all DoD Systems and programs• April 7, 2009 – USD(I) memo
– Reminded components to adhere to the current DoD guidance for CUI (5200.1R)
– No new markings for CUI to be used until National and DoD level policy is developed and implemented
• Feb 1, 2010 – Draft Executive Order Controlled Unclassified Information– For review and comment
CUI Criteria
• Information shall be designated as CUI if:– Statute so requires or authorizes; or– Agency Head determines that the information is
CUI. (Based on mission requirements, business prudence, legal privilege, the protection of personal or commercial rights, etc.)
CUI Criteria
• Information shall not be designated as CUI– To conceal violations of the law, inefficiency, or administrative error;
– To prevent embarrassment to the US Government, any US official, organization, or agency;
– To improperly or unlawfully interfere with competition;
– To prevent or delay the release of information that does not require such protection;
– If it is required by statute or Executive Order to be made available to the public; or
– If it has been released to the public under proper authority.
Markings
• Current CUI Markings– Two safeguarding levels: Controlled or Controlled
Enhanced
– Two dissemination levels: Standard or Specified
– Overall CUI markings will convey the safeguarding and dissemination levels of the document
Markings– All CUI will carry one of the three overall
markings…• CONTROLLED WITH STANDARD
DESSEMINATION• CONTROLLED WITH SPECIFIED
DISSEMINATION- insert designator(s)
• CONTROLLED ENHANCED WITH SPECIFIED DISSEMINATION- insert designator(s)
(The above are NOT classification markings therefore should not be used for marking classified information)
Governance Structure
• CUI Governance Structure:– CUI Executive Agent – NARA– CUI Council – Membership drawn from within the
existing Information Sharing Council– Departments and Agencies – Responsible for
implementing and overseeing compliance with the CUI Framework
National Actions
• National actions since May 9, 2008– May 21, 2008: Archivist of the United States established
the CUI Office
– June 30, 2008: Director of CUI Office letter to Departments and Agencies introducing the Executive Agent and tentative plans for implementation of the Framework
– July 9, 2008: PM-ISE activated the CUI Council as a subcommittee of the Information Sharing Council (ISC) and requested designees
National Actions– August 2008, CUI Office launched its website at
www.archives.gov/CUI– September 2008, CUI EA began developing
implementing guidance– May 27, 2009, Presidential memo establishing
Interagency CUI Task Force• Reported to the President on August 26,2009
DoD Actions• Participating as a member of the CUI Council
– OASD(NII)/DoD CIO
– OUSD(I)
• Developed a DoD Transition Plan that addresses all DoD CUI– Draft Plan located at https://www.dodtechipedia.mil
CUI Governing Organizations
CUI Training• The 2008 President’s memorandum directed
an ISE-wide training program• CUI Office tasked to develop CUI 101 training
for Federal Agencies– Provide general information on CUI from the national level– Web-based component– Classroom based setting– Modules tailored to specific users (Record Managers,
FOIA Officers, Security Specialist, etc.)
CUI Training• ODN(I) developed their version of CUI 101• USD(I) is consulting with DSSA to leverage
ODN(I) efforts for the benefit of DoD components
• USD(I) responsible for developing CUI 201 for DoD components
• DSSA on board to develop CUI training for DoD
CUI Framework Implementation Timeline CUI Framework Implementation Timeline
Overview (as of 11/17/08)Overview (as of 11/17/08)
PresidentialCUI Memo
May 9
NARACUI Memo
May 21
BackgroundCUI
FrameworkMay 20
Outreach toDepartments& AgenciesJun-Aug
DeptAgencyLetter
Jun 27 CUICouncilLetterJul 9
Updateddata call toDepartments& AgenciesAug 8
CUIOBrief to
ISC Jul 16
Phase Stand-up Initial Outreach Planning Implementation – Phase I Implementation – Phase II
Date May 08 Jun Jul Aug Sep 08 Oct Nov Dec 08………Sep 09 Oct 09 Oct 10 Oct 11 Oct 12 FY 08 FY09 FY10 FY 11 FY12 FY 13
CUICouncilInitialMeetingAug 21
CUICSep 18
Data call due Sep 8
CUIOReview
Data callUpdates/Outreach
CUIOat PM-ISE PRAug 28
CUICOct 16
CUIC VMNov 19
CUICDec 4
Guiding Documents
CUI Council Meetings
Stand-up
Outreach Phase
Planning Phase
Implementation Phase
Departments& AgenciesIdentify reps
Every 3rd
Thurs asneeded
Milestones and PlanDraft Implementing Guidance Safeguarding Dissemination Designating MarkingInitiate CUI 101TrainingDesign RegistryReview Department & Agency PlansAnnual Report
Finalize Department & Agency PlansActivate RegistryInitiate CUI 201TrainingIdentify and designate CUI Alignment of Policy-based MarkingsBegin federal rule-making processAnnual Report
FY09 FY10
Alignment of Policy Markings with ExceptionsAlignment of Regulatory MarkingsConfirm necessary changes to regulation and statute Annual Report
FY11
Department &Agencies submitPlans to CUIO
Monitor Department & Agency compliance with CUI policy, standards, and markingsEvaluate effectiveness of CUI Implementation Policy and GuidanceUpdate Policy and Guidance as necessaryAnnual Report
FY12 – FY 13
FullImplementation
of CUI FrameworkMay 2013
Conclusion• Major DoD policy documents that will require update
are: – DoD 5200.1-R, "Information Security Policy“– DoD Directive 5230.24, "Distribution Statements on Technical
Documents“– DoD Instruction 5210.83, "Department of Defense Unclassified
Controlled Nuclear Information (DoD UCNI)“– DoD Instruction 5030.59, "National Geospatial-Intelligence Agency
(NGA) LIMITED DISTRIBUTION Geospatial Information“
(Do NOT implement the national level policy—continue to follow guidance in DoD 5200.1-R)
QUESTIONS?