Let’s start with the basics of CUI.
CUI stands for “Controlled Unclassified Information.” Per the DCSA, “CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.”
After 9/11 there were initiatives to encourage greater sharing of terrorism–related information. The CUI program was the result, having been established by a 2010 Executive Order.
The agencies affected by the program include federal, state, local, and tribal law enforcement agencies, as well as their partners in the private sector.
But there was a problem: implementation. INSA assesses that actually putting the rules into practice is both complex and costly and that they’re inconsistently applied.
In fact, the Office of the Director of National Intelligence and The DoD Inspector General have both spoken out about the difficulties of implementing the CUI program.
A new paper by INSA highlights the problems that are undermining the program’s effectiveness, as well as representing industry perspectives on the irregular, inconsistent execution.
Here’s a quick summary of the paper that lays out 9 areas of concern.
CUI Program concerns
Concern #1: CUI rules are more complex than the problem they’re intended to solve.
When you consider that there are 125 categories of CUI in 20 groupings, it’s easy to see why tracking and regulating this data would be a nightmare.
Especially with the wide range of topics, including:
- Naval nuclear propulsion information regarding ship-borne nuclear reactors.
- Confidential federal grand jury information.
- Witness protection files.
- Patent applications.
- Archeological resources.
- National park system resources.
- Railroad safety analysis records.
Each of these categories has its own unique requirements for “marking, storage, access, dissemination, destruction, staffing, record-keeping, and reporting.”
Concern #2: CUI adoption, requirements, and implementation rules differ across agencies.
In practice, these rules are supposed to be the same for all agencies, but that’s not always the case. The lack of consistency results in additional costs and multiple challenges.
Concern #3: The CUI Program office has not defined measures of effectiveness.
Without benchmarks, there’s no way to definitively determine if the program is performing effectively or not.
Due to the high cost and the administrative burdens, it’s critical to know whether the program is adding value. Plus, it’s important to know what adjustments and/or improvements need to be made.
Concern #4: The program is being implemented through already overworked government acquisition staff.
All the details of the CUI Program are the responsibility of the acquisition staff of individual departments, agencies, and sub-agencies to define. This means the implementation can look different for multiple clients.
Concern #5: The CUI Program has a weak central management mechanism to resolve inconsistent requirements and implementation across government.
Despite CUI Executive Agents having a formal role in overseeing program implementation, the responsibility for resolving inconsistencies in practice falls to agencies.
Concern #6: No uniform system exists for calculating or accounting for CUI implementation and compliance costs.
Individual agencies (by industry) are responsible for managing:
- Information technology.
- Physical infrastructure.
- Administrative costs.
There’s no commonly accepted way for contractors to account for, allocate, and recover CUI compliance costs.
Concern #7: CUI rules do not clearly address ownership of proprietary information.
Companies with significant commercial businesses may withhold support from government agencies, or they may keep their most innovative technologies under wraps from government customers.
Concern #8: CUI compliance throughout complex supply chains will be difficult to ensure and verify.
Large contractors don’t have the resources to ensure that their 3rd and 4th tier subcontractors have the training, expertise, and system controls to be in compliance with CUI program regulations. The network of vendors and subcontractors is too large.
Concern #9: CUI rules do not effectively protect legacy CUI information.
This guidance focuses on the age of the document markings instead of how sensitive the information in the document is. Sensitive information could end up being disclosed due to its out-of-date labeling.
The following are the suggestions that INSA has to counter the concerns.
Recommendation #1: Reassess what really needs protection – and whether the CUI Program, as constituted, achieves that goal.
Zeroing in on information that requires considerable protections would increase the chances of success while easing the burdens on government and industry, as well as freeing up financial and human resources.
Recommendation #2: Simplify the CUI Program.
Remember the lessons already learned from prior experiences with over-classification and reducing barriers to information sharing.
Recommendation #3: Evaluate the effectiveness of CUI controls in light of today’s cyber threats.
Due to the complexity, interconnectivity, and vulnerability of modern IT systems, ISOO should reconsider whether a system established on the marking, handling, transmission, and control of individual documents is the best course of action for the future.
Recommendation #4: Evaluate CUI requirements in light of industry’s supply chain structures.
ISOO should work with industry to develop a more feasible approach to handling CUI across extended industrial networks.
Agencies that should be involved include acquisition officials from:
- The Defense Department.
- The Intelligence community.
- The General Services Administration.
Recommendation #5: Codify how CUI implementation costs will be calculated for industry bidding and compensation.
There should be a consistent definition of how to estimate, bid, and recover costs associated with CUI Program implementation.
Recommendation #6: Establish an ongoing mechanism for incorporating industry comments and recommendations.
An established forum made up of industry representatives is needed for the purpose of giving constructive feedback and recommendations for a responsive and cost-effective implementation of the program.
The current system is complex and confusing. If you need help to navigate what all of this means, especially in terms of your specific industry, please get in touch. We know all the ins and outs of the program and we’re here to help!