In a bureaucratic bombshell, Director of National Intelligence John Ratcliffe has asked the White House to rescind a ten-year-old executive order that required a uniform policy for marking and handling “controlled unclassified information” (CUI).
CUI refers to information that while unclassified is nevertheless restricted by law or policy from broad distribution. It includes more than 100 distinct categories of unclassified information ranging from export controlled data to privacy information to information systems vulnerability and much more.
In order to facilitate both the appropriate protection and the authorized sharing of such diverse information, Executive Order 13556 was issued in 2010 to develop a comprehensive system of CUI practices that would replace the dozens of different, incompatible controls on unclassified information that have proliferated over time.
It is just now starting to take effect. Executive branch agencies are required to issue their implementation plans for CUI policy by December 31 — two weeks from now — according to the Information Security Oversight Office, the executive agent for CUI.
But DNI Ratcliffe did not request an extension of time to achieve compliance, as he might ordinarily have done. Nor did he seek an exemption for intelligence agencies from the overall policy. Nor did he suggest another approach to address the persistent problem of identifying, sharing and protecting CUI whose broad contours have long been recognized, including by President Bush in 2008.
Instead, he asked the White House to completely nullify more than ten years of government-wide policy development in this area and to cancel its application to all government agencies both inside and outside of the intelligence community.
“Given the complexity of the program, I believe that the full rescission of E.O. 13556 is the only viable alternative,” he wrote in a December 4 memo to the National Security Advisor.
This is a breathtaking move, given its timing and considering that the executive order has been fully embraced by most other agencies. The Department of Defense, where much of the intelligence community is housed, issued a directive last March (DoD Instruction 5200.48) to implement CUI policy throughout the Department.
“Although its clear mandate was to simplify the unclassified markings system and sharing rules, the resulting CUI program is exponentially more complex than the classification system,” DNI Ratcliffe wrote.
But this is a non sequitur, since the classification system deals exclusively with national security information. In contrast, CUI encompasses many unrelated domains including taxpayer data, health records, nuclear safeguards, law enforcement information, and various other categories established in statute. And CUI involves every government agency. Within the intelligence community, CUI pertains to certain geospatial data, operations security information, financial records obtained for counterintelligence purposes, and other items.
So it was always clear that CUI policy would be more complex and far-reaching than national security secrecy. Its detailed particularity follows from the need to make it as precise and limited in its application as possible.
But “The complexity and lack of clarity within the CUI Program has stymied uniform implementation policy within the IC,” the DNI said. “I cannot justify the continued investment in time and resources required for CUI implementation in the IC.”
The Information Security Oversight Office said in its most recent (2019) annual report to the President that it was “working with the Office of the Director of National Intelligence to address CUI implementation issues that are unique to the Intelligence Community.” Still, the Ratcliffe memo said “our concerns remain unaddressed.”
The White House response to the DNI’s request is thus far unknown. The Office of the DNI declined to comment on the record. Mark Bradley, director of the Information Security Oversight Office, said that CUI “plays a vital role in the twilight realm between classified and unclassified information.” He said that current program deadlines remain in effect.
According to an ISOO Notice last May, “”Most agencies project full [CUI] program implementation by the end of the third quarter of FY 2021.” So cancellation of the policy at this late date, without a well-defined strategy to replace it, would be disruptive to say the least, likely including adverse impacts on information security.
DNI Ratcliffe’s “strong opposition” to US Government policy on CUI together with his inability to formulate an acceptable alternate approach may, however, serve to elevate information policy as a priority for the Biden Administration.
DNI Ratcliffe’s memo was marked FOUO, For Official Use Only.