Administration Identifies Unclassified Information to be Safeguarded
On Nov. 4, the National Archives and Records Administration (NARA) released the initial registry of controlled unclassified information (CUI) categories. When fully implemented, the categories listed in the CUI registry will be the only labels that agencies can use to identify unclassified information that requires safeguarding or dissemination controls.
Better sharing of sensitive information became a national priority when it was discovered that communication failures between agencies contributed to the United States' vulnerability to terrorism and the challenges the nation faced responding to the September 11 attacks effectively and in real time. However, efforts to improve the sharing of important public information have been inhibited by the haphazard proliferation of CUI categories and the lack of standards regarding their meaning and use.
In addition to hindering the critical work of government, the former system of sensitive but unclassified information unduly stymied transparency, as agencies claimed "pseudo-secrecy" with little oversight. For instance, some agencies restricted public access through the use of unjustified labels such as "For Official Use Only (FOUO)." The launch of the CUI registry is the latest step toward addressing those problems as part of the reforms in President Obama's November 2010 executive order on CUI.
Categories in the Registry
The categories of information included in the registry, while unclassified, are deemed to warrant safeguarding – such as storage on a secure server – or conditions on dissemination – such as limitations on information sharing between agencies. The executive order requires each category to be based in statute, regulation, or government-wide policy in order to ensure that controls are reasonable and justified, and the registry lists such authorizations for each category.
The CUI office at NARA developed the registry based on agency submissions of categories currently in use. The submissions were reviewed for appropriate authorizations and standardized with equivalent categories across agencies.
Many of the authorizations referenced by the registry use language about preventing public disclosure: according to NARA, information restricted from public release should be safeguarded at some level, even if a statute or regulation does not require any specific security measures. However, the executive order is clear that CUI status imposes no additional restrictions on public access. CUI labels do not indicate how much information can be disclosed, but rather indicate how such information should be managed.
The initial registry comprises 15 categories, in addition to their subcategories, representing the most widely used CUI categories. Each category identifies the type of information to be controlled, such as information related to nuclear materials or to a person's privacy. By thus specifying the reason for control, the new system should reduce overly broad restrictions on information.
For example, the Privacy-Death Certificates subcategory includes a description of the information and cites an authority for the subcategory. The authorizing language states that the Social Security Administration may share death records for statistical and research purposes, "subject to such safeguards as the Commissioner of Social Security determines are necessary or appropriate to protect the information from unauthorized use or disclosure." When the new CUI system is implemented, any user who encounters a document labeled "Privacy-Death Certificates" would be able to view that category's listing, creating a better common understanding of the category and preventing mishandling.
NARA is expected to add more categories in the coming months as it continues to process agencies' proposals. As the initial focus was on categories that cut across agencies, most of the forthcoming additions to the registry will likely be categories that only apply to single agencies. Agencies may also propose new categories or revisions to existing categories. Once the executive order is fully implemented, agencies will be prohibited from using categories that have not been approved by NARA. Such oversight should standardize the system and limit categories. However, it's unclear to what extent NARA's role as executive agent of the registry would allow it to modify problematic categories being authorized through appropriate channels.
Implementing the New System
Agencies are required to submit their CUI implementation plans to NARA by Dec. 6. After reviewing the plans, NARA will establish phased deadlines to implement the executive order.
That implementation, however, is unlikely to begin soon because several key elements required by the executive order and NARA's implementation guidance have yet to be completed. For instance, NARA has not yet determined how agencies will mark documents or systems containing CUI. Requiring more extensive labeling that precisely indicates the information subject to controls would reduce the risk of overly broad restrictions. However, more extensive labeling also would increase the compliance burden on agencies.
No decision has yet been made on how long each category will be subject to controls. Shorter control periods would reduce the risks that CUI will inhibit government openness, as well as limit agencies' compliance costs. However, agencies are likely to push for lengthier control for sensitive information.
The delays are not surprising given the difficulty and complexity of designing a new CUI system without the problems of earlier information control regimes. Tight agency budgets have left the NARA office overseeing the CUI system significantly understaffed, which has lengthened the delays.