Thursday, June 26, 2008

A New Level of Classification?

A buzz is sweeping the security community since May as folks are notified of the new CUI program. The President has published a Memorandum with the subject, Designation and sharing of Controlled Unclassified Information. This memorandum implements a program designed to encourage the speedy sharing of information to those authorized and to better protect the information, privacy and legal rights of Americans. The Controlled Unclassified Information program is designed to promote proper safeguarding and dissemination of unclassified information.
Many readers may be familiar with the program CUI has replaced. Sensitive But Unclassified (SBU) information had enjoyed protection to a certain level but was not conducive to the necessary information sharing. Controlled Unclassified Information (CUI) provides procedures for a more appropriate Information Sharing Environment.
Controlled Unclassified Information is a designation of unclassified information that does not meet the requirements of Executive Order 12958, as amended (Classified National Security Information). However the protection is necessary for national security or the interests of entities outside the Federal Government. The unclassified information also falls under the law or policy advocating protection from unauthorized disclosure, proper safeguarding and limiting dissemination. Though not a classification, the controls in place may prove to require significant administrative action.
These controls include assigning two levels of protection procedures identified as standard or enhanced. The standard is marked “Controlled” and the enhanced is marked “Controlled Enhanced”. Likewise, there are two dissemination controls identified with “Standard Dissemination” and “Specified Dissemination”. These controls are combined into one of three possibilities indicating how the unclassified information is to be protected and disseminated:
• Controlled with Standard Dissemination
• Controlled with Specified Dissemination
• Controlled enhanced with Specified Dissemination
The responsibilities under this memo continue to look like requirements as identified in Classified National Security Information. All information must:
• be protected from unauthorized disclosure
• be properly marked
• the markings must distinguish whether or not the text is CUI and non-CUI
• markings are necessary for all media of dissemination including verbal
Designation of CUI can only be based on mission requirements, business prudence, legal privilege, protection of personal or commercial rights, safety or security. Finally information cannot be labeled CUI for the purposes of concealing violation of law, inefficiency, or administrative error. The designation cannot be used to prevent embarrassment to the Federal Government or an official, organization or agency, improperly or unlawfully interfere with competition in the private sector or prevent or delay the release of information that does not require such protection.
What does this mean for affected businesses and government agencies? Be prepared to implement the program to allow for proper storage and dissemination. This requires the ability to properly mark the material or provide proper warning before discussing the information. Things to think about include: training employees, developing mail, fax, email and reception procedures, and ordering marking supplies. Also, keep information technology and other business units in the loop of communication. They will need to provide the right support at the right time.
Post 9/11 America is experiencing many new changes as directed from the executive government level. These changes include new ethics, security, safety, and business practices. Those who work with the Federal Government on contract should be prepared to meet the challenges quickly.

No comments: