CUI briefing II

Controlled Unclassified Information (CUI) Leslie Bethune Information Security Manager Headquarters U.S. Marine Corps March 2010

Transcript of CUI briefing II

Page 1: CUI briefing II

Controlled Unclassified Information (CUI)

Leslie Bethune
Information Security Manager

Headquarters U.S. Marine Corps
March 2010

Page 2: CUI briefing II

Overview
• Authorities
• Current Status
• CUI Criteria
• Markings
• Governance Structure
• National Actions
• DoD Actions

Page 3: CUI briefing II

Authority
• Section 1016 of the Intelligence Reform Terrorism Prevention Act (IRTPA) of 2004
  – The President shall:
    • Create an information sharing environment (ISE)
    • Designate the organizational and management structures that will be used to operate and manage the ISE
    • Ensure that the ISE provides and facilitates the means for sharing terrorism information among all appropriate Federal, State, local, and tribal entities, and the private sector through the use of policy guidelines and technologies.

Page 4: CUI briefing II

Authority
• Guideline 3, Presidential Memorandum, December 16, 2005

“To promote and enhance the effective and efficient acquisition, access, retention, production, use, management, and sharing of Sensitive But Unclassified (SBU) information, including homeland security information, law enforcement information, and terrorism information, procedures and standards for designating, marking, and handling SBU information (collectively "SBU procedures") must be standardized across the Federal Government.”

-Guideline 3, December 16, 2005 Presidential Memorandum

Page 5: CUI briefing II

Authority
• Presidential Memorandum, May 9, 2008, “Designation and Sharing of Controlled Unclassified Information”
  – Replaces the term SBU with CUI
  – Defines CUI

“Unclassified information that does not meet the standard for National Security Classification under Executive Order 12958, as amended, but is pertinent to the national interest of the United States or originated by entities outside the U.S. Federal government, and under law or policy requires protection from disclosure, special handling safeguards, and prescribed limits on exchange or dissemination”

-Presidential Memorandum, May 9, 2008, Designation and Sharing of Controlled Unclassified Information

Page 6: CUI briefing II

Current Status
• May 7, 2008 – Presidential Memorandum
  – Established a standardized framework designed to facilitate & enhance the sharing of CUI
• July 21, 2008 – Joint USD(I) & ASD(NII)/DoD CIO memo
  – Advised components that transition to the CUI Framework would encompass all DoD Systems and programs
• April 7, 2009 – USD(I) memo
  – Reminded components to adhere to the current DoD guidance for CUI (5200.1R)
  – No new markings for CUI to be used until National and DoD level policy is developed and implemented
• Feb 1, 2010 – Draft Executive Order Controlled Unclassified Information
  – For review and comment

Page 7: CUI briefing II

CUI Criteria

• Information shall be designated as CUI if:
  – Statute so requires or authorizes; or
  – Agency Head determines that the information is CUI. (Based on mission requirements, business prudence, legal privilege, the protection of personal or commercial rights, etc.)

Page 8: CUI briefing II

CUI Criteria

• Information shall not be designated as CUI
  – To conceal violations of the law, inefficiency, or administrative error;
  – To prevent embarrassment to the US Government, any US official, organization, or agency;
  – To improperly or unlawfully interfere with competition;
  – To prevent or delay the release of information that does not require such protection;
  – If it is required by statute or Executive Order to be made available to the public; or
  – If it has been released to the public under proper authority.

Page 9: CUI briefing II

Markings

• Current CUI Markings
  – Two safeguarding levels: Controlled or Controlled Enhanced
  – Two dissemination levels: Standard or Specified
  – Overall CUI markings will convey the safeguarding and dissemination levels of the document

Page 10: CUI briefing II

Markings
– All CUI will carry one of the three overall markings:
  • CONTROLLED WITH STANDARD DISSEMINATION
  • CONTROLLED WITH SPECIFIED DISSEMINATION - insert designator(s)
  • CONTROLLED ENHANCED WITH SPECIFIED DISSEMINATION - insert designator(s)

(The above are NOT classification markings and therefore should not be used for marking classified information)

Page 11: CUI briefing II

Governance Structure

• CUI Governance Structure:
  – CUI Executive Agent – NARA
  – CUI Council – Membership drawn from within the existing Information Sharing Council
  – Departments and Agencies – Responsible for implementing and overseeing compliance with the CUI Framework

Page 12: CUI briefing II

National Actions

• National actions since May 9, 2008
  – May 21, 2008: Archivist of the United States established the CUI Office
  – June 30, 2008: Director of CUI Office letter to Departments and Agencies introducing the Executive Agent and tentative plans for implementation of the Framework
  – July 9, 2008: PM-ISE activated the CUI Council as a subcommittee of the Information Sharing Council (ISC) and requested designees

Page 13: CUI briefing II

National Actions
– August 2008, CUI Office launched its website at www.archives.gov/CUI
– September 2008, CUI EA began developing implementing guidance
– May 27, 2009, Presidential memo establishing Interagency CUI Task Force
  • Reported to the President on August 26, 2009

Page 14: CUI briefing II

DoD Actions
• Participating as a member of the CUI Council
  – OASD(NII)/DoD CIO
  – OUSD(I)
• Developed a DoD Transition Plan that addresses all DoD CUI
  – Draft Plan located at https://www.dodtechipedia.mil

Page 15: CUI briefing II

CUI Governing Organizations

Page 16: CUI briefing II

CUI Training
• The 2008 President’s memorandum directed an ISE-wide training program
• CUI Office tasked to develop CUI 101 training for Federal Agencies
  – Provide general information on CUI from the national level
  – Web-based component
  – Classroom based setting
  – Modules tailored to specific users (Record Managers, FOIA Officers, Security Specialist, etc.)

Page 17: CUI briefing II

CUI Training
• ODN(I) developed their version of CUI 101
• USD(I) is consulting with DSSA to leverage ODN(I) efforts for the benefit of DoD components
• USD(I) responsible for developing CUI 201 for DoD components
• DSSA on board to develop CUI training for DoD

Page 18: CUI briefing II

CUI Framework Implementation Timeline Overview (as of 11/17/08)

[Timeline chart. Labels recovered from the slide follow.]

Phases: Stand-up; Initial Outreach; Planning; Implementation – Phase I; Implementation – Phase II
Date axis: May 08 to Oct 12 (FY08 to FY13)
Chart rows: Guiding Documents; CUI Council Meetings; Stand-up; Outreach Phase; Planning Phase; Implementation Phase

Events shown on the chart
• Presidential CUI Memo – May 9
• NARA CUI Memo – May 21
• Background CUI Framework – May 20
• Outreach to Departments & Agencies – Jun-Aug
• Dept Agency Letter – Jun 27
• CUI Council Letter – Jul 9
• Updated data call to Departments & Agencies – Aug 8
• CUIO Brief to ISC – Jul 16
• CUI Council Initial Meeting – Aug 21
• CUIC – Sep 18
• Data call due – Sep 8
• CUIO Review
• Data call Updates/Outreach
• CUIO at PM-ISE PR – Aug 28
• CUIC – Oct 16
• CUIC VM – Nov 19
• CUIC – Dec 4
• Departments & Agencies identify reps
• Every 3rd Thurs as needed
• Department & Agencies submit Plans to CUIO

FY09
• Milestones and Plan
• Draft Implementing Guidance: Safeguarding, Dissemination, Designating, Marking
• Initiate CUI 101 Training
• Design Registry
• Review Department & Agency Plans
• Annual Report

FY10
• Finalize Department & Agency Plans
• Activate Registry
• Initiate CUI 201 Training
• Identify and designate CUI
• Alignment of Policy-based Markings
• Begin federal rule-making process
• Annual Report

FY11
• Alignment of Policy Markings with Exceptions
• Alignment of Regulatory Markings
• Confirm necessary changes to regulation and statute
• Annual Report

FY12 – FY13
• Monitor Department & Agency compliance with CUI policy, standards, and markings
• Evaluate effectiveness of CUI Implementation Policy and Guidance
• Update Policy and Guidance as necessary
• Annual Report

Full Implementation of CUI Framework – May 2013

Page 19: CUI briefing II

Conclusion
• Major DoD policy documents that will require update are:
  – DoD 5200.1-R, "Information Security Policy"
  – DoD Directive 5230.24, "Distribution Statements on Technical Documents"
  – DoD Instruction 5210.83, "Department of Defense Unclassified Controlled Nuclear Information (DoD UCNI)"
  – DoD Instruction 5030.59, "National Geospatial-Intelligence Agency (NGA) LIMITED DISTRIBUTION Geospatial Information"

(Do NOT implement the national level policy—continue to follow guidance in DoD 5200.1-R)

Page 20: CUI briefing II

QUESTIONS?