June 25, 2015

Proposed Rule Sets Agenda for Unified Treatment of Controlled Unclassified Information

Arnold & Porter Advisory

Not all sensitive information held by the Federal Government is classified. Proprietary material, information subject to export controls, and other such information is unclassified, but protected by the Government from public disclosure. Such information is referred to as controlled unclassified information (CUI). Currently, executive branch agencies use agency-specific procedures and marking conventions for CUI. In response to a 2010 Executive Order,[1] however, the Information Security Oversight Office (ISOO) of the National Archives and Records Administration (NARA) recently issued a proposed rule standardizing the designation and safeguarding of such information.[2] This rule, when finalized and implemented through a Federal Acquisition Regulation (FAR) clause, will govern Government contractors' treatment of CUI.[3] Contractors may wish to submit comments on the proposed rule by the deadline of July 7, 2015, and should familiarize themselves with the tenets of the coming common system.

Executive Order 13556 instructed NARA to survey the agencies and collect CUI categories for "appli[cation] uniformly throughout the executive branch."[4] Critically, NARA's proposed new rule states clearly that "[a]gencies may not control any unclassified information outside of the CUI Program."[5] Once the initial list of categories is established, no further categories may be used until they are submitted to NARA-ISOO, approved for use in the CUI Program, and published on NARA-ISOO's CUI Registry.

The preamble to the rule promises benefits to Government contractors, as "[i]n the present contractor environment, differing requirements and conflicting guidance from agencies for the same types of information gives rise to confusion and inefficiencies for contractors working with more than one agency or handling information originating from different agencies."[6] The preamble goes on to emphasize, however, that the Government does not anticipate this rule to cost anything, as the unified system does not add new requirements for handling controlled information, but merely applies "standards…with which businesses should [already] be complying."[7] Presumably, this is a signal that the Government does not anticipate paying contractor overhead costs for compliance with these new requirements.

CONTROL AND MARKING STANDARDS

The proposed rule does not establish new standards for the safeguarding of CUI. Rather, it requires the use of existing standards promulgated by the National Institute of Standards and Technology (NIST). NARA acknowledged in the proposed rule, however, that current NIST standards are largely directed to agency personnel, and do not provide practical guidance to the industry, as contractor information control systems "are often built using different processes from the Government-specific ones outlined in the NIST guidelines."[8] To provide industry-specific guidance, the preamble states that NIST is developing NIST SP-800-171 to establish security requirements related to contractor handling and safeguarding of CUI. NIST released its final version of this guidance on June 18, 2015.[9]

In establishing this guidance, NIST confirmed that the same statutes and regulations defining CUI apply both within and outside the Government, the safeguards afforded CUI must be the same whether in the hands of the contractor or the Government, and the "confidentiality impact value for CUI is no lower than moderate" in accordance with Federal Information Processing Standards (FIPS) Publication 199.[10] Contractors that work with CUI should review SP-800-171, specifically the control requirements listed in Chapter 3.[11] These specific items, including access and cryptographic standards, will be requirements once the new rule and FAR clause are in use.

On a practical level, the rule establishes a new marking scheme by which CUI may be recognized and properly handled by agency and contractor personnel alike. The baseline procedure for marking and controlling all CUI is referred to as "CUI Basic." CUI Basic documents may be marked "CUI" or "CONTROLLED," and are subject to the various procedures and requirements of the proposed rule, but not to specific statutory or regulatory standards beyond the guidance of the proposed rule.[12] Information that is not classified, but that is subject to specific statutory or regulatory controls, is designated as "CUI Specified," and will be encoded with identifying categories limiting or specifying how it may be used, transferred, handled, or with whom it may be shared.[13] "Specified" documents are similarly marked, but the CUI designation is followed by an abbreviated code indicating its particular category or subcategory, and any associated handling instructions.[14] Categories are indicated by a single slash, handling instructions by a double slash. For example, law enforcement information that is not to be shared with non-US citizens is to be marked "CUI/LEI//NOFORN."[15] NARA has set up the CUI registry website at http://www.archives.gov/cui/registry/category-list.html, but the site has not yet been populated with the various abbreviations and codes for the CUI categories and subcategories.

In short, the rule proposes to create a Government-wide library of CUI categories, each reviewed and approved by NARA-ISOO before it may be used to designate CUI as controlled. Information bearing legacy CUI markings will still be deemed controlled, but new documents for which no control designation is made will not be considered CUI, or as controlled information at all.[16]
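As an added illustration of the marking scheme described above and of the rule that unmarked new documents are not CUI (this is example code written for this advisory, not anything published by NARA-ISOO or NIST), the following intake check parses a marking into its Basic/Specified level, category code and handling instructions, and rejects any code not on the registry. The registry contents are a constructed stand-in, since the real registry is not yet populated; the rule that handling instructions require a category is an assumption drawn from the advisory's description of CUI Specified markings.

```python
from dataclasses import dataclass, field
from typing import List, Optional

BASIC_DESIGNATORS = {"CUI", "CONTROLLED"}
# Constructed stand-in for the NARA-ISOO CUI Registry, which the advisory says
# is not yet populated; LEI and NOFORN are the only codes the advisory cites.
REGISTERED_CATEGORIES = {"LEI"}
REGISTERED_HANDLING = {"NOFORN"}

@dataclass
class CuiMarking:
    level: str                      # "basic" or "specified"
    category: Optional[str] = None  # abbreviated category code, e.g. "LEI"
    handling: List[str] = field(default_factory=list)  # e.g. ["NOFORN"]

def parse_marking(text: str) -> CuiMarking:
    """Parse a marking such as 'CUI/LEI//NOFORN' into its parts."""
    text = text.strip().upper()
    # Split handling instructions (after "//") off first, so the only single
    # slash left in the head is the category separator.
    head, sep, tail = text.partition("//")
    handling = [h for h in tail.split("/") if h] if sep else []
    parts = [p for p in head.split("/") if p]
    if not parts or parts[0] not in BASIC_DESIGNATORS:
        raise ValueError(f"not a CUI marking: {text!r}")
    if len(parts) > 2:
        raise ValueError(f"more than one category code in {text!r}")
    if len(parts) == 1:
        # Assumption: the advisory describes handling instructions only on
        # CUI Specified markings, so a bare designator with "//" is malformed.
        if handling:
            raise ValueError(f"handling instructions need a category: {text!r}")
        return CuiMarking("basic")
    return CuiMarking("specified", parts[1], handling)

def registry_problems(m: CuiMarking) -> List[str]:
    """Codes on the marking that are not approved in the (constructed) registry."""
    problems = []
    if m.category and m.category not in REGISTERED_CATEGORIES:
        problems.append(f"unregistered category {m.category}")
    problems += [f"unregistered handling {h}" for h in m.handling
                 if h not in REGISTERED_HANDLING]
    return problems

def intake(text: str) -> str:
    """Classify a document: 'not CUI' if unmarked, 'reject' if any code is unregistered, else its level."""
    if not text.strip():
        return "not CUI"
    m = parse_marking(text)
    return "reject" if registry_problems(m) else m.level
```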

As noted in the preamble to the rule and in the NIST guidance, most contractors are likely already compliant with these requirements. For example, contractors who deal with unclassified technical data controlled under the International Traffic in Arms Regulations (ITAR) already participate in the State Department's program for the handling of such materials, and the Department of Defense (DoD) has additional requirements for unclassified controlled technical information (UCTI). These agency-specific regimes will likely be given CUI Specified subcategory (/) and treatment (//) abbreviations, which will be incorporated into the marking system anticipated by the rule. Contractors dealing with such material will not have to fundamentally change their internal controls to comply, as the existing DoD and State Department systems likely meet or exceed the requirements of the baseline NIST guidance. Regardless of the type of data, however, all contractors dealing with CUI should perform a check against the baseline NIST publication to confirm compliance, and should stay apprised of the abbreviations assigned in the CUI Registry under the new marking scheme to adapt their intake and handling systems as needed.

RELATION TO THE FREEDOM OF INFORMATION ACT

The rule takes pains to distinguish designation of information as CUI under the CUI Program from treatment of information under the US Freedom of Information Act (FOIA). The proposed rule is clear that a CUI designation is not, by itself, an appropriate basis for denying a FOIA request: "The mere fact that information is designated as CUI has no bearing on determinations pursuant to any law requiring the disclosure of information or permitting disclosure as a matter of discretion."[17] CUI markings cannot be used "as a dispositive factor in making a FOIA disclosure determination."[18] Nor does the absence of CUI markings, or de-marking of a document, mean that the document is therefore releasable. All documents, CUI and non-CUI, must continue to be assessed under the standards of the FOIA.

However, the CUI-Specified markings will likely provide significant information to agencies that is relevant to a FOIA assessment. For example, under Federal law, unsuccessful contractor proposals, whether classified or not, may not be released under FOIA.[19] Such documents, because of this statutory treatment, are likely to receive a particular designation under the CUI Registry as CUI-Specified documents. The new CUI rule does not prevent agencies from using the CUI system to help identify and/or categorize certain documents that agencies know must be dealt with in a particular way under FOIA, but only prevents them from using the CUI marking itself as the basis for withholding. But if the CUI designator may be used to quickly spot documents that must be withheld by statute -- unsuccessful proposals, for example -- it is likely that agencies will use the new CUI program in this way, and will submit such helpful subcategories to the CUI Executive Agent for approval and inclusion in the CUI Registry. It would be wise for contractors to familiarize themselves with CUI markings of particular relevance to their own data, and ensure that such markings are consistently used by agencies.

CONCLUSION

The new rule proposes to permanently establish the CUI Program as the only gatekeeper for the designation and control of non-classified, sensitive information. The old fractured system has likely resulted in a patchwork of approaches among contractors to handle material of this kind. The new rule, however, when it is finalized and results in a FAR contracts clause, will require contractors to confirm that CUI in their information systems is subject to specific types of internal controls.

  1. Executive Order 13556, available here.

  2. 80 FR 26501-26511, available here, published on May 8, 2015.

  3. The FAR clause will actually "apply the requirements of the proposed rule to the contractor environment." Id. at 26503. The FAR clause is "planned," but will not be released until after the finalization of both the rule and the guidance from the National Institute of Standards and Technology (NIST), which will be discussed further below. Id.

  4. See note 1.

  5. C.F.R. § 2002.11(a).

  6. 80 FR 26502.

  7. Id.

  8. Id. at 26503.

  9. Id. SP-800-171 available here.

  10. NIST SP-800-171 at 5. See FIPS 199 at 2 ("The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals."), available here.

  11. Id. at pp. 9-14 (listing specific control requirements under 14 headings: Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System and Communications Protection; and System and Information Integrity.)

  12. § 2002.12(b)(1); § 2002.15(b)(1).

  13. § 2002.12(b)(2); § 2002.15(b)(2).

  14. § 2002.15(b)(2)(iii).

  15. § 2002.15(b)(2)(v); (b)(3)(iv).

  16. § 2002.15(a)(6).

  17. § 2002.27(a).

  18. § 2002.27(d).

  19. See 10 U.S.C. § 2305(g) (proposals to DoD); 41 U.S.C. § 253b(m) (proposals to civilian agencies).