CUI Task Force Report - Federation of American Scientists

More documents

Recommendations

Info

Distinguish from FOIA Finally, the Task Force believes it is critical to recognize that the CUI Framework does not alter the requirements of FOIA, and that CUI implementation guidance and training make clear that the presence or absence of a CUI marking has no bearing on whether a record is releasable or exempt from release under FOIA. Recommendation #11 Simplification of Categories and Markings The 2008 Memorandum marking nomenclature should be replaced with succinct, informative overall markings, such as: ● CONTROLLED-ENHANCED ● CONTROLLED-SPECIFIED ● CONTROLLED-STANDARD or ● CONTROLLED-HIGH ● CONTROLLED-MEDIUM ● CONTROLLED-LOW Recommendation #12 EA to Establish Standard Markings and Guidance The EA should establish standardized CUI markings that identify CUI designation, safeguarding and dissemination controls; originating agency; and life cycle. The EA should publish the standardized markings and marking guidance to the agencies. Upon agency request, the EA may grant specific waivers or modifications to these standards, and the EA should work with agencies to ensure compliance with both the Framework and agency requirements. Recommendation #13 Flexible Marking of CUI CUI intended for dissemination must be marked in accordance with the standardized markings established by the EA. Agency decisions regarding how and when to apply standardized CUI markings should consider the full range of marking options and be driven by agency mission, the medium in which the CUI resides or is conveyed, and information protection and sharing requirements. Recommendation #14 Clarify that CUI Has No Bearing on FOIA CUI implementation guidance and CUI training should make clear that the CUI Framework and FOIA are entirely separate and that CUI markings have no bearing on whether records are exempt from release under FOIA. 16
3. Safeguarding “Safeguarding” refers to physical or electronic measures that ensure CUI is not accessed inadvertently or improperly. The two levels of safeguarding established in the 2008 Memorandum, “standard” 26 and “enhanced”, 27 are believed adequate for the expanded scope of the CUI Framework proposed herein. The Task Force is concerned, however, that incorporating existing federal IT standards directly into the CUI Framework could pose a significant impediment to CUI implementation, as application and adherence have been inconsistent to date. The reasons for the inconsistency include cost, complexity, and some contradiction between overlapping rules. Mindful of the fact that agencies are obligated to comply with federal IT standards independent of those standards’ inclusion in the CUI Framework, the Task Force has concluded that the EA, in consultation with the Federal Chief Information Officer (CIO) Council, should develop IT safeguarding standards for the CUI Framework in a phased manner. The Task Force endorses the position of OMB that phased development of IT standards for the CUI Framework is neither authority for nor endorsement of non-compliance by agencies with federal IT standards. The Task Force believes that Federal CIOs, through the Federal CIO Council, could provide relevant, practical, and objective advice and perspectives given their current responsibilities across government for balancing security requirements with IT planning and implementation. Assistance in aligning metadata tagging and digital identity management with the CUI Framework to manage access to CUI is one goal for such advice. An additional safeguarding challenge arises when sensitive federal government information is shared with State, local, tribal, private sector, and foreign partners. As non-federal partners, these entities are neither required by law to comply with the same physical or IT safeguarding standards as the federal Executive Branch, nor are they necessarily funded to do so. Nonetheless, the Task Force believes that non-federal entities that receive CUI from the federal government should be encouraged to provide safeguarding protection consistent with the CUI Framework to the maximum extent possible. Recognizing the need to achieve the parallel goals of information protection and information sharing with these partners, the Task Force concluded that the CUI Framework would likely benefit from the establishment of standardized arrangements to address formal, recurring, and institutionalized information sharing settings as well as informal, irregular, or field conditions. Such means must be based on risk management as informed by operational requirements. 26 “‘Standard Safeguarding’ is a handling instruction that means the information so designated is subject to baseline safeguarding measures that reduce the risks of unauthorized or inadvertent disclosure.” 2008 Memorandum, at 3. 27 “‘Enhanced Safeguarding’ is a handling requirement that means the information so designated is subject to measures more stringent than those normally required because inadvertent or unauthorized disclosure would create a risk of substantial harm.” 2008 Memorandum, at 2. 17
Page 3: The Task Force on Controlled Unclas
Page 7 and 8: The President The White House Washi
Page 9 and 10: Executive Summary The President's M
Page 11: CUI Task Force Recommendations Reco
Page 14 and 15: 1.1 The CUI Task Force 1. Membershi
Page 17 and 18: Part 2. The SBU Challenge All feder
Page 19 and 20: 2.2 The 2008 CUI Framework Although
Page 21 and 22: Part 3. Recommendations 3.1 Expandi
Page 23 and 24: esponsibilities and authorities ide
Page 25 and 26: coordination with the CUI Council,
Page 27: agencies, but for a very limited pu
Page 31 and 32: Recommendation # 17 CIO Council as
Page 33 and 34: undetermined, decontrol should occu
Page 35 and 36: Recommendation #25 Establish Traini
Page 37 and 38: Recommendation #30 Federal Acquisit
Page 39 and 40: Recommendation #34 Ensure Adequate
Page 41: Part 4. Conclusion Through its 90-d
Page 45 and 46: APPENDIX 2 SBU Markings Currently i
Page 47: APPENDIX 3 Acronyms used in this re

CUI Task Force Report - Federation of American Scientists

Create successful ePaper yourself

Delete template?

Save as template?