White House Issues Policy on “Controlled Unclassified Info”

The White House last week issued a long-awaited policy on “controlled unclassified information” (CUI) to provide a uniform government-wide system for safeguarding unclassified information that is deemed sensitive.

The CUI framework is supposed to replace the numerous individual agency control markings — “sensitive but unclassified,” “for official use only,” and over a hundred other designations — and thereby to overcome barriers to information sharing within the government.

But the new policy will do nothing to restore public access to government records that have been improperly withheld.

Development of the CUI policy began with a December 16, 2005 memo from the President directing agencies to “standardize procedures for sensitive but unclassified information.” Despite the passage of two and a half years, however, little progress has been made in defining the terms of the new policy.

It establishes a single CUI framework, with three graduated levels of sensitivity and security. But the definition of what information may qualify as CUI, which includes anything that “under law or policy” requires protection from unauthorized disclosure, is vague and expansive.

To put it another way, the CUI policy does not exclude anything that is currently controlled as Sensitive But Unclassified.

This is a disappointment in light of previous suggestions that wholesale disclosures of currently controlled unclassified information might ensue.

“The great majority of the information which is now controlled can be put in a simple unclassified, uncontrolled category, it seems to me,” said Amb. Thomas McNamara, program manage of the ODNI Information Sharing Environment, in 2006 testimony (pdf) before Congress.

But under the new Bush policy, “the great majority of the information” that Amb. McNamara said should be uncontrolled will remain controlled and unavailable to the public.

The CUI policy properly notes that the new policy does not modify the requirements of the Freedom of Information Act process: “CUI markings may inform but do not control the decision of whether to disclose or release the information to the public, such as in response to a request made pursuant to the Freedom of Information Act.”

But despite the passage of years since the policy was proposed, many of the hard decisions involved have been deferred to the implementation phase.

Which, if any, of the more than 100 existing control categories will be canceled, rather than absorbed into the new CUI category? The new policy does not say. At what point, if any, does the CUI designation expire? There’s no way to tell. What enforcement mechanisms are established to ensure compliance with the new policy? To be determined.

Update: Smintheus at Daily Kos has more.