Managing Controlled Unclassified Information Creates Challenges

May 19, 2010

Federal government agencies produce reams of documentation, not all of which is classified, but much of which is sensitive. For decades, agencies applied their own individual markings to categorize sensitive data. However, these notations conflict with other agency marking, which opens the possibility of infomration being withheld or potentially being released. These issues were pondered by the Wednesday morning panel at the AFCEA SOLUTIONS conference. Controlled unclassified information (CUI) is data that requires some protection. However, because of the conflicting agency rules for CUI, the government has recently issued an order to implement a CUI famework to stanardize the documentation across the government. The CUI work is being led by the U.S. National Archives. The archives were selected by the U.S. government because it is viewed as a neutral organization, explains Jay Bosanko, director of the National Archives' CUI Office. One reason for the archive's involvement is to avoid the perception that CUI is another level of security classification. He notes that the framework promotes information sharing while providing security for the documents. It is also good governance he maintains. Becuase of the lack of standardization, the government did not trust CUI documents from the agencies. Initial reform efforts under the Bush administration focused only on terrorism related materials, specifically with the goal of cross-agency information sharing. In May 2009, the Obama adminstration issued a memorandum calling for a review of CUI procedures. Boskano said that his organization is leading the CUI task force to develop recommendations. The ultimate goal is to create an overarching framework that standardized CUI infomation to promote the sharing of data. Kelly Brickley, Chief of the CUI Program Office with the Office of the Intelligence Community Chief Information Officer and Information Sharing Executive, noted that the rules for classifying CUI documents in the Department of Justice were completely different from those of the Department of Defense. Besides providing an information framework, the government must provide training to educate personnel and to change the culture regarding how infomation is categorized. John Diehl with the Defense Department's Office of the Chief Information Officer explained that the framework will provide a consistent set of guidelines to train personnel. Aside from training, the panelists noted that the goal of the framework will standardize how agencies mark their CUI documentation is marked. Boskano noted that the process will move away from an agency-based process to a government-wide effort.

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.

Share Your Thoughts:

Mr. Kenyon,

I just received an email with a link to your article about Lockheed Martin being one of four US-Based companies having the ISO 20000 and ISO 27001 certifications.

Well, there are five. OnPoint Consulting, Inc. holds both certifications. We received ISO 20000 certification on 9/25/09 and the ISO 27001 certification on July 14, 2010.

We would be glad to discuss this further with you at your convenience.

Our website is Under PROFILE, you will see the listing of the two certifications.

Thanks for letting us know, Mr. Hefter; this blog entry was written in May of 2010 and Henry Kenyon no longer works for SIGNAL. We are happy to let your comment stand that you are the fifth company, and I will let our editors know they may wish to revisit the topic.

Share Your Thoughts: