After years of preparation, the executive branch is poised to adopt a government-wide system for designating and safeguarding unclassified information that is to be withheld from public disclosure.
The new system of “controlled unclassified information” (CUI) will replace the dozens of improvised control markings used by various agencies that have created confusion and impeded information sharing inside and outside of government. A proposed rule on CUI was published for public comment on May 8 in the Federal Register.
While CUI is by definition unclassified, it is nevertheless understood to require protection against public disclosure on the basis of statute, regulation, or agency policy. In many or most cases, the categories of information that qualify as CUI are non-controversial, and include sensitive information related to law enforcement, nuclear security, grand jury proceedings, and so on.
Until lately, “more than 100 different markings for such information existed across the executive branch. This ad hoc, agency-specific approach created inefficiency and confusion, led to a patchwork system that failed to adequately safeguard information requiring protection, and unnecessarily restricted information sharing,” the proposed rule said.
One of the striking features of the new CUI program is that it limits the prevailing autonomy of individual agencies and obliges them to conform to a consistent government-wide standard.
“CUI categories and subcategories are the exclusive means of designating CUI throughout the executive branch,” the proposed rule states. “Agencies may not control any unclassified information outside of the CUI Program.”
Nor do agencies get to decide on their own what qualifies as CUI. That status must be approved by the CUI Executive Agent (who is the director of the Information Security Oversight Office) based on an existing statutory or regulatory requirement, or on a legitimate agency policy. And it must be published in the online CUI Registry. There are to be no “secret” CUI categories.
Importantly, the CUI Program offers a way of validating agency information control practices pertaining to unclassified information. (A comparable procedure for externally validating agency classification practices does not exist.) But CUI status itself is not intended to become an additional barrier to disclosure.
“The mere fact that information is designated as CUI has no bearing on determinations pursuant to any law requiring the disclosure of information or permitting disclosure as a matter of discretion,” the new proposed rule said. The possibility that CUI information could or should be publicly disclosed on an authorized basis is not precluded.
More specifically, a CUI marking in itself does not constitute an exemption to the Freedom of Information Act, the rule said. However, a statutory restriction that justifies designating information as CUI would also likely make it exempt from release under FOIA.
One complication arises from the fact that simply removing CUI controls does not equate to or imply public release.
“Decontrolling CUI relieves authorized holders from requirements to handle the information under the CUI Program, but does not constitute authorization for public release,” the rule said. Instead, disclosure is only permitted “in accordance with existing agency policies on the public release of information.”
The upshot is that while there can be “controlled unclassified information” that is publicly releasable, there can also be non-CUI (or former CUI) information that is not releasable. The latter category might include unclassified deliberative materials, for example, that are not controlled as CUI but are still exempt from disclosure under the Freedom of Information Act.
More subtly, noted John P. Fitzpatrick, the director of the Information Security Oversight Office, there is a large mass of material that is neither CUI nor non-CUI– until someone looks at it and makes an assessment. In all such cases (other than voluntary disclosure by an agency), public access would be governed by the provisions and exemptions of the FOIA.
The genealogy of the CUI Program dates back at least to a December 16, 2005 memorandum in which President George W. Bush directed that procedures for handling what was called “sensitive but unclassified” information “must be standardized across the Federal Government.”
At that time, the impetus for standardization (which never came to fruition) was based on the need for improved sharing of homeland security and terrorism-related information. The initiative was broadened and developed in the 2010 Obama executive order 13556, which eventually led to the current proposed rule. Public comments are due by July 7.