The effort to establish a uniform policy for Controlled Unclassified Information (CUI) is meeting opposition from some executive branch agencies who see it as unnecessary and unwelcome.
CUI refers to information that is unclassified but that requires protection for reasons other than national security– such as privacy, proprietary concerns, law enforcement sensitivity, and so on. In past years, more than 100 separate and sometimes conflicting policies for such information were put in place. The CUI program, established by President Obama’s executive order 13556 in 2010, was intended to simplify, standardize and streamline that profusion of security policies for unclassified information.
Some agencies, like Veterans Affairs and the Social Security Administration, are moving forward to adopt the new CUI policy.
Others, however, are not.
Earlier this month, officials from several large agencies — including CIA, DOJ, DHS and DOD — raised a whole series of objections to the CUI program in a letter to the Information Security Oversight Office (ISOO).
The officials contended in the undisclosed letter that there are several unresolved issues that must be addressed before CUI implementation can go forward. These are said to include inadequately defined governance of the program, financial costs thought to be in the billions of dollars, gaps in coverage affecting certain types of information, and commingling of CUI and classified information that will make proper marking of documents excessively long and complicated.
But ISOO director Mark Bradley said that these issues had either already been addressed or could be resolved. He said ISOO would prepare a formal response to the agency complaints.
Another point of contention is the impact of the CUI policy on government transparency and whether it will enhance or impede public access to unclassified information.
One of the original objectives of the CUI program was to reduce controls on unclassified information by limiting their use only to those instances where they were required by law, regulation or agency-specific policy. Arbitrary or improvised prohibitions on disclosure (such as the open-ended “for official use only”) would be not be authorized.
But in a privately circulated white paper, former CIA classification official Harry Cooper said that the CUI approach would lead to more government secrecy, not less.
Cooper noted that there were now some 129 authorized categories and subcategories that could be used to withhold information as CUI based on more than 400 laws and regulations. (Agencies had originally submitted more than 2,200 proposed CUI categories and subcategories.) As recently as September 25, a new CUI subcategory was added for “Intelligence-Internal Data” to cover various types of unclassified CIA information that is “not intended to be disseminated beyond CIA channels” including names, titles, salaries, and more.
“The full implementation of CUI will likely cause an expansion of the use of [FOIA exemption] (b)(3) and as a result information that would have been released prior to CUI will now be protected from release,” Cooper wrote. “Without CUI there is no marking to identify specific laws blocking access and government reviewers often missed those obscure laws that could potentially block access.” See Controlled Unclassified Information: Government Bureaucracy Out of Control by Harry Cooper, July 2017.
ISOO director Mark Bradley disputed Cooper’s critique. He said that the CUI categories and subcategories are not equivalent to FOIA exemptions. And the CUI implementing directive makes it clear, he said, that CUI markings are not to be used as a basis for rendering FOIA decisions.
Bradley said that the CUI program should result in an increase in transparency by excluding unauthorized controls on information and by exposing the CUI decision-making process to public scrutiny. He noted that some agencies had urged that the CUI Registry — which lists all of the CUI categories and subcategories — should not be a public document. But that view was rejected by ISOO, especially since the contents of the Registry refer to public laws and regulations.
CUI has roots in the Obama Administration’s executive order 13556, and even further back in a 2008 memorandum from President Bush. So it is conceivable that the CUI policy could be modified or abolished by the Trump Administration.
But in a September 8 memo to agency heads on unauthorized disclosures, national security advisor H.R. McMaster referred to “the importance of protecting classified and controlled unclassified information” — which was understood as a White House endorsement of the CUI construct.
In the meantime, CUI is entering the implementation phase, ISOO director Bradley said. “It’s not going to go away. It’s not going to be reversed.”
It is entirely possible that there will be unintended consequences from CUI implementation, he allowed in an interview last week, “but we will deal with them. As we find problems, we will fine-tune and adjust.”