1 / 39

Controlled Unclassified Information (CUI), the New Marking System: What's Ahead for DoD and DTIC?

Controlled Unclassified Information (CUI), the New Marking System: What's Ahead for DoD and DTIC? April 6, 2009 Ms. Roberta Schoen. Controlled Unclassified Information (CUI), the New Marking System: What's Ahead for DoD and DTIC?. Ms. Deborah Ross

joelle-kirkland
Télécharger la présentation

Controlled Unclassified Information (CUI), the New Marking System: What's Ahead for DoD and DTIC?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Controlled Unclassified Information (CUI), the New Marking System: What's Ahead for DoD and DTIC? April 6, 2009 Ms. Roberta Schoen

  2. Controlled Unclassified Information (CUI), the New Marking System: What's Ahead for DoD and DTIC? Ms. Deborah Ross Deputy Director, Information Security Policy Office of the Under Secretary of Defense (Intelligence) Ms. Roberta Schoen Director of Operations Defense Technical Information Center

  3. Controlled Unclassified Information (CUI) Deborah RossDeputy Director, Information Security PolicyOffice of the Under Secretary of Defense (Intelligence) 6 April 2009

  4. Overview • Standardization Needed • Authorities • CUI Criteria • Markings • Exceptions • Governance Structure • CUI Council • National Actions • National FY09 Priorities

  5. Overview • National Timeline • Guiding Principles • DoD Actions

  6. Standardization Needed • CUI is shared according to an ungoverned body of policies and practices thatconfuse both its producers and users • Across the Federal Government there are at least 107 unique markings and over 130 different labeling or handling processes and proceduresfor CUI • Inconsistency in CUI policies increases the likelihood of erroneous handling and dissemination of information • Inconsistency in CUI policies hampers the sharing of information across the US Government and with State, Local, and Tribal entities.

  7. Authority • Section 1016 of the Intelligence Reform Terrorism Prevention Act (IRTPA) • The President shall: • create an information sharing environment (ISE) • ensure that the ISE provides and facilitates the means for sharing information among all appropriate entities through the use of policy guidelines and technologies

  8. Authority • Guideline 3, Presidential Memorandum, December 16, 2005 “To promote and enhance the effective and efficient acquisition, access, retention, production, use, management, and sharing of sensitive but unclassified (SBU) information, including homeland security information, law enforcement information, and terrorism information, procedures and standards for designating, marking, and handling SBU information (collectively “SBU procedures”) must be standardized across the Federal government.” -Guideline 3, December 16, 2005 Presidential Memorandum

  9. Authority • Presidential Memorandum, May 9, 2008, Designation and Sharing of Controlled Unclassified Information • Replaces the term SBU with CUI • Defines CUI • “Unclassified information that does not meet the standard for National Security Classification under Executive Order 12958, as amended, but is pertinent to the national interest of the United States or originated by entities outside the U.S. Federal government, and under law or policy requires protection from disclosure, special handling safeguards, and prescribed limits on exchange or dissemination” • - Presidential Memorandum, May 9, 2008, Designation and Sharing of Controlled Unclassified Information

  10. Authority • Establishes a new CUI Framework • Standardizes practices to improve information sharing • Designates the National Archives and Records Administration (NARA) as the Executive Agent to oversee and implement

  11. CUI Criteria • Information shall be designated as CUI based on • Statute, or • Agency head determination • Information shall not be designated as CUI • To conceal violations of law, inefficiency, or administrative error; • To prevent embarrassment to the US Government, any US official, organization, or agency;

  12. CUI Criteria • To improperly or unlawfully interfere with competition; • To prevent or delay the release of information that does not require such protection; • If it is required by statute or Executive Order to be made available to the public; or • If it has been released to the public under proper authority.

  13. Markings • CUI Markings • Two safeguarding levels: Controlled or Controlled Enhanced • Two dissemination levels: Standard or Specified • Overall CUI marking will convey the safeguarding and dissemination levels of the document • All CUI will carry one of three overall markings

  14. Markings • CONTROLLED WITH STANDARD DISSEMINATION • CONTROLLED WITH SPECIFIED DISSEMINATION • CONTROLLED ENHANCED WITH SPECIFIED DISSEMINATION

  15. Exceptions • CUI Exceptions • CUI Framework shall be used for excepted information to the maximum extent possible • CUI Framework shall not interfere with regulatory requirements for marking, safeguarding, and disseminating • Exceptions will be listed on a CUI Register • Any regulatory marking shall follow the most applicable CUI safeguarding marking along with a specified dissemination instruction

  16. Exceptions • Known Exceptions include: • 6 CFR Pt. 29 - PCII (Protected Critical Infrastructure Information) • 49 CFR Pts, 15 (DOT) & 1520 (DHS/Transportation Security Administration) - SSI (Sensitive Security Information) • 6 CFR Pt. 27 - CVI (Chemical Vulnerability Information) • 10 CFR Pt. 73 - SGI (Safeguards Information)

  17. Governance Structure • CUI Governance Structure: • CUI Executive Agent – NARA • CUI Council – Membership drawn from within the existing Information Sharing Council • Departments and Agencies – Responsible for implementing and overseeing compliance with the CUI Framework

  18. National Actions • National actions since May 9, 2008: • May 21, 2008: Archivist of the United States established the CUI Office • June 30, 2008: Director of CUI Office sent a letter out to Departments and Agencies introducing the Executive Agent and tentative plans for implementation of the Framework

  19. National Actions • July 9, 2008: PM-ISE activated the CUI Council as a subcommittee of the Information Sharing Council (ISC) and requested designees • August 2008: CUI Office launched its website at www.archives.gov/CUI • September 2008: CUI EA began developing implementing guidance

  20. National-Level FY09 Priorities • National-level FY09 Priorities: • Develop a Centralized Implementation Plan • Set priorities for implementation • Establish milestones for alignment to CUI Framework • Establish training schedule • Develop Implementation Policies • Define Safeguarding Standards • Define Department/Agency CUI Dissemination Policies

  21. National-Level FY09 Priorities • Develop detailed guidance on CUI life cycle, portion marking, and application of CUI Framework to archived information • Establish Centralized CUI Training (CUI 101) • Begin to Develop Department/Agency-specific Implementation Plan • Establish Department/Agency-specific CUI Training (CUI 201)

  22. CUI Framework Implementation Timeline Overview (as of 11/17/08) Guiding Documents CUI Council Meetings CUI Council Initial Meeting Aug 21 Every 3rd Thurs as needed Stand-up CUIC Sep 18 CUIC VM Nov 19 Full Implementation of CUI Framework May 2013 Departments & Agencies Identify reps Outreach Phase Department & Agencies submit Plans to CUIO Data call due Sep 8 CUIC Oct 16 CUIC Dec 4 Planning Phase Implementation Phase Date May 08 Jun Jul Aug Sep 08 Oct Nov Dec 08………Sep 09 Oct 09 Oct 10 Oct 11 Oct 12 FY 08FY09 FY10 FY 11 FY12 FY 13 Phase Stand-up Initial Outreach Planning Implementation – Phase I Implementation – Phase II Dept Agency Letter Jun 27 FY10 FY11 FY12 – FY 13 FY09 Monitor Department & Agency compliance with CUI policy, standards, and markings Evaluate effectiveness of CUI Implementation Policy and Guidance Update Policy and Guidance as necessary Annual Report Alignment of Policy Markings with Exceptions Alignment of Regulatory Markings Confirm necessary changes to regulation and statute Annual Report Presidential CUI Memo May 9 NARA CUI Memo May 21 CUIO at PM- ISE PR Aug 28 Finalize Department & Agency Plans Activate Registry Initiate CUI 201Training Identify and designate CUI Alignment of Policy-based Markings Begin federal rule-making process Annual Report Milestones and Plan Draft Implementing Guidance Safeguarding Dissemination Designating Marking Initiate CUI 101Training Design Registry Review Department & Agency Plans Annual Report CUI Council Letter Jul 9 Background CUI Framework May 20 CUIO Review Data call Updates/ Outreach CUIO Brief to ISC Jul 16 Outreach to Departments & Agencies Jun-Aug Updated data call to Departments & Agencies Aug 8

  23. Guiding Principles

  24. DoD Actions • DoD Actions • Participating as a member of the CUI Council (OASD(NII)/DoD CIO primary, OUSD(I) alternate) • Leading a DoD CUI Task Force • Exploring enterprise solutions—Marking Software • Developing a DoD Transition Plan that addresses all DoD CUI • Planning resources

  25. DoD Actions • Coordinating with Intelligence Community effort to avoid duplication and align implementation schedules • Informing DoD at large— • Joint OASD(NII)/DoD CIO and USD(I) memorandum • Currently staffing a USD(I) memorandum addressing status of national policy and existing DoD CUI policy • Positioning detailees at the NARA CUI Office to represent DoD interests

  26. Take Aways • Do NOT implement the national level policy—continue to follow guidance in DoD 5200.1-R • Express your issues/ideas to your CUI representative within your DoD organization • If you are responsible for implementing within your organization begin planning implementation to include resources

  27. Controlled Unclassified Information (CUI), the New Marking System: What's Ahead for DoD and DTIC? Controlled Unclassified Information:An STI View April 6, 2009Roberta Schoen

  28. General CUI Points • CUI is what used to be called “Sensitive But Unclassified (SBU)” or “Unclassified Limited” information • Most Scientific/Technical CUI will be at the Controlled Standard Dissemination or Controlled Specified level • Controlled Enhanced Standard Dissemination is handled in a more controlled manner than regular unclassified - for Witness Protection, etc.

  29. General CUI Points • Memo signed by the White House in May 2008 • National Archives and Records Administration (NARA) is the Executive Agent, ~23 agencies are in the discussions • Processes and markings are still “under construction” • 2010 Implementation for Intelligence Community • 2013 for the rest of DoD

  30. Problems with Current System • At least 107 different markings across the government • The same marking sometimes means different things • “SBU” • “FOUO” • People don’t know the current marking rules for classified or controlled unclassified information • Markings are too restrictive for sharing

  31. General • Note that DoD is only one of many agencies and Scientific/Technical Information is only one area of documents • Also Includes • Intelligence • Law enforcement • Acquisitions • Contracting • Personnel/Medical records • Operational Warfighter information • Etc.

  32. General Implementation • Secretary of Agency must submit dissemination markings to be registered • We are hoping that the first markings DoD will submit are from DoDD 5230.24, the STI markings • Document cover marking and possibly Portion marking • When a document is delimited, it does not automatically become Public Release – still needs PA Review • Money for conversion/implementation – so far, no new monies • Training – part of yearly security training for DoD, not clear about contractors

  33. CAPCO Compliance • Controlled Access Program Coordinate Office (CAPCO) • Intelligence community office dealing with standards, markings, and metadata • Enterprise Marking Tool will be CAPCO-compliant • CUI markings will be added to the current CAPCO markings

  34. Progress So Far • NARA-level Subgroups include: • Safeguarding • Dissemination • Marking • Life Cycle • Exceptions • Dispute Resolution Process • DoD-level CUI meetings • DoD Enterprise Marking Tool Group

  35. Some Outstanding Issues • Will this improve sharing? • Everything must be marked? Lists of laundry items in the field? • Will the proposed rules be too classification-based? (Too complicated?) • Who starts 2010 vs 2013? How handle in the interim when libraries receive both types of documents?

  36. Issues Over Life Cycle • Conflict Resolution within DoD • Legacy documents • When do they need to be re-marked? • Will there be information on the document to tell when to de-limit? • DoD will need a cross-matching from old to new markings • Will there be a mandatory review over time? • Central Authority to tell when changed? • How handle Unclassified with no other markings? (Markings removed but not reviewed by PA yet)

  37. Dissemination Markings • Reality is in the details… • How many and which current markings will be registered as legal Specified Dissemination markings? • Most items are supposed to be Standard Dissemination • For Official Use Only (FOUO) • Include Distribution F (always ask owner)? • Include Distribution C (Government and Contractor)?

  38. Controlled Unclassified Information (CUI), the New Marking System: What’s Ahead for DOD and DTIC? Questions?

  39. Points of Contact Ms. Roberta Schoen DTIC (703) 767-8064, DSN: 427-8064 rschoen@dtic.mil Ms. Deborah Ross OUSD(I) (703) 607-0323 deborah.ross@osd.mil

More Related