DNI Tries to Abort Controlled Unclassified Info Policy

In a bureaucratic bombshell, Director of National Intelligence John Ratcliffe has asked the White House to rescind a ten-year-old executive order that required a uniform policy for marking and handling “controlled unclassified information” (CUI).

CUI refers to information that, while unclassified, is nevertheless restricted by law or policy from broad distribution. It includes more than 100 distinct categories of unclassified information ranging from export controlled data to privacy information to information systems vulnerability and much more.

In order to facilitate both the appropriate protection and the authorized sharing of such diverse information, Executive Order 13556 was issued in 2010 to develop a comprehensive system of CUI practices that would replace the dozens of different, incompatible controls on unclassified information that have proliferated over time.

It is just now starting to take effect. Executive branch agencies are required to issue their implementation plans for CUI policy by December 31 — two weeks from now — according to the Information Security Oversight Office, the executive agent for CUI.

But DNI Ratcliffe did not request an extension of time to achieve compliance, as he might ordinarily have done. Nor did he seek an exemption for intelligence agencies from the overall policy. Nor did he suggest another approach to address the persistent problem of identifying, sharing and protecting CUI whose broad contours have long been recognized, including by President Bush in 2008.

Instead, he asked the White House to completely nullify more than ten years of government-wide policy development in this area and to cancel its application to all government agencies both inside and outside of the intelligence community.

“Given the complexity of the program, I believe that the full rescission of E.O. 13556 is the only viable alternative,” he wrote in a December 4 memo to the National Security Advisor.

This is a breathtaking move, given its timing and considering that the executive order has been fully embraced by most other agencies. The Department of Defense, where much of the intelligence community is housed, issued a directive last March (DoD Instruction 5200.48) to implement CUI policy throughout the Department.

“Although its clear mandate was to simplify the unclassified markings system and sharing rules, the resulting CUI program is exponentially more complex than the classification system,” DNI Ratcliffe wrote.

But this is a non sequitur, since the classification system deals exclusively with national security information. In contrast, CUI encompasses many unrelated domains including taxpayer data, health records, nuclear safeguards, law enforcement information, and various other categories established in statute. And CUI involves every government agency. Within the intelligence community, CUI pertains to certain geospatial data, operations security information, financial records obtained for counterintelligence purposes, and other items.

So it was always clear that CUI policy would be more complex and far-reaching than national security secrecy. Its detailed particularity follows from the need to make it as precise and limited in its application as possible.

But “The complexity and lack of clarity within the CUI Program has stymied uniform implementation policy within the IC,” the DNI said. “I cannot justify the continued investment in time and resources required for CUI implementation in the IC.”

The Information Security Oversight Office said in its most recent (2019) annual report to the President that it was “working with the Office of the Director of National Intelligence to address CUI implementation issues that are unique to the Intelligence Community.” Still, the Ratcliffe memo said “our concerns remain unaddressed.”

The White House response to the DNI’s request is thus far unknown. The Office of the DNI declined to comment on the record. Mark Bradley, director of the Information Security Oversight Office, said that CUI “plays a vital role in the twilight realm between classified and unclassified information.” He said that current program deadlines remain in effect.

According to an ISOO Notice last May, “Most agencies project full [CUI] program implementation by the end of the third quarter of FY 2021.” So cancellation of the policy at this late date, without a well-defined strategy to replace it, would be disruptive to say the least, likely including adverse impacts on information security.

DNI Ratcliffe’s “strong opposition” to US Government policy on CUI together with his inability to formulate an acceptable alternate approach may, however, serve to elevate information policy as a priority for the Biden Administration.

DNI Ratcliffe’s memo was marked FOUO, For Official Use Only.

“Controlled Unclassified Information” Is Coming

After years of preparation, the executive branch is poised to adopt a government-wide system for designating and safeguarding unclassified information that is to be withheld from public disclosure.

The new system of “controlled unclassified information” (CUI) will replace the dozens of improvised control markings used by various agencies that have created confusion and impeded information sharing inside and outside of government. A proposed rule on CUI was published for public comment on May 8 in the Federal Register.

While CUI is by definition unclassified, it is nevertheless understood to require protection against public disclosure on the basis of statute, regulation, or agency policy. In many or most cases, the categories of information that qualify as CUI are non-controversial, and include sensitive information related to law enforcement, nuclear security, grand jury proceedings, and so on.

Until lately, “more than 100 different markings for such information existed across the executive branch. This ad hoc, agency-specific approach created inefficiency and confusion, led to a patchwork system that failed to adequately safeguard information requiring protection, and unnecessarily restricted information sharing,” the proposed rule said.

One of the striking features of the new CUI program is that it limits the prevailing autonomy of individual agencies and obliges them to conform to a consistent government-wide standard.

“CUI categories and subcategories are the exclusive means of designating CUI throughout the executive branch,” the proposed rule states. “Agencies may not control any unclassified information outside of the CUI Program.”

Nor do agencies get to decide on their own what qualifies as CUI. That status must be approved by the CUI Executive Agent (who is the director of the Information Security Oversight Office) based on an existing statutory or regulatory requirement, or on a legitimate agency policy. And it must be published in the online CUI Registry. There are to be no “secret” CUI categories.

Importantly, the CUI Program offers a way of validating agency information control practices pertaining to unclassified information. (A comparable procedure for externally validating agency classification practices does not exist.) But CUI status itself is not intended to become an additional barrier to disclosure.

“The mere fact that information is designated as CUI has no bearing on determinations pursuant to any law requiring the disclosure of information or permitting disclosure as a matter of discretion,” the new proposed rule said. The possibility that CUI information could or should be publicly disclosed on an authorized basis is not precluded.

More specifically, a CUI marking in itself does not constitute an exemption to the Freedom of Information Act, the rule said. However, a statutory restriction that justifies designating information as CUI would also likely make it exempt from release under FOIA.

One complication arises from the fact that simply removing CUI controls does not equate to or imply public release.

“Decontrolling CUI relieves authorized holders from requirements to handle the information under the CUI Program, but does not constitute authorization for public release,” the rule said. Instead, disclosure is only permitted “in accordance with existing agency policies on the public release of information.”

The upshot is that while there can be “controlled unclassified information” that is publicly releasable, there can also be non-CUI (or former CUI) information that is not releasable. The latter category might include unclassified deliberative materials, for example, that are not controlled as CUI but are still exempt from disclosure under the Freedom of Information Act.

More subtly, noted John P. Fitzpatrick, the director of the Information Security Oversight Office, there is a large mass of material that is neither CUI nor non-CUI – until someone looks at it and makes an assessment. In all such cases (other than voluntary disclosure by an agency), public access would be governed by the provisions and exemptions of the FOIA.

The genealogy of the CUI Program dates back at least to a December 16, 2005 memorandum in which President George W. Bush directed that procedures for handling what was called “sensitive but unclassified” information “must be standardized across the Federal Government.”

At that time, the impetus for standardization (which never came to fruition) was based on the need for improved sharing of homeland security and terrorism-related information. The initiative was broadened and developed in the 2010 Obama executive order 13556, which eventually led to the current proposed rule. Public comments are due by July 7.