FAS

New Framework Proposed for “Sensitive” Govt Info

12.15.09 | 4 min read | Text by Steven Aftergood

The government should replace the more than 100 different control markings that are now used to limit the distribution of sensitive but unclassified (SBU) information and should establish a single “controlled unclassified information” (CUI) policy for all such information in government, according to an interagency task force report (pdf) that was released by the Obama Administration today.

“The Task Force concluded that Executive Branch performance suffers immensely from interagency inconsistency in SBU policies, frequent uncertainty in interagency settings as to exactly what policies apply to given SBU information, and the inconsistent application of similar policies across agencies,” the report said.  “Additionally, the absence of effective training, oversight, and accountability at many agencies results in a tendency to over-protect information, greatly diminishing government transparency.”

The Task Force said that their proposal for a single “controlled unclassified information” (CUI) regime would not only facilitate information sharing among federal, state and local government agencies, it would also increase transparency and enhance public access to government information.

“Because of its uniformity, standardized training requirements, and the public availability of the registry [indicating what categories of information are controlled], the expanded scope of the CUI Framework can be expected to significantly increase the openness and transparency of government….”

Not only that, “It is foreseeable, based on the revised definition and scope of CUI recommended herein, that some information currently treated as ‘sensitive’ may be found not to warrant CUI designation.”

The Task Force presented 40 recommendations to the President on implementing the proposed CUI policy that could serve as the basis for an executive order on the subject.  It builds upon, and would expand the scope of, the CUI Framework that was established in a May 2008 memorandum issued by President Bush, which dealt with the control and sharing of terrorism-related information.  See the Report and Recommendations of the Presidential Task Force on Controlled Unclassified Information, transmitted August 25, 2009 and released December 15, 2009.

The Task Force proposal is an admirable effort to bring order to a chaotic information environment.  But it has some rough edges, and some unresolved internal contradictions.

The proposed definition of CUI seems disturbingly lax:  “All unclassified information for which, pursuant to statute, regulation, or departmental or agency policy, there is a compelling requirement for safeguarding and/or dissemination controls” (p.11).  Putting “departmental or agency policy” on a par with statutes or regulations could potentially open the door to all kinds of arbitrary or improvised controls on information.

More fundamentally, it is hard to see how the Task Force proposal could achieve its central goal of eliminating all non-CUI controls on unclassified information.  The Task Force report itself states (in Recommendation 20) that “decontrol of CUI” does not by itself authorize public disclosure; it only means removal from the CUI Framework.  But if information that has been removed from the CUI Framework does not necessarily have to be disclosed, this means that decontrolled information can still be controlled!

The report properly takes pains to distinguish information control under the CUI regime from the statutory disclosure requirements of the Freedom of Information Act, which cannot be altered by executive fiat.  “At no time, pre- or post-control, is a CUI marking itself determinative of whether it may be released,” the report stated (p. 21).  But this implies, oddly, that information marked as CUI may sometimes be released, while information that is no longer CUI may sometimes be withheld.  And if it is withheld, one must also expect it to be marked with a (non-CUI) control marking.

In short, the CUI concept still has some wrinkles that remain to be ironed out.

The Task Force recommended a ten-year life cycle for CUI that is not otherwise subject to defined disclosure deadlines.  It recommended a baseline assessment of the volume of current SBU activity, but this is probably unachievable or at least not worth the effort involved.  Staffing and resources for the “Executive Agent” that manages the whole enterprise are uncertain, but are likely to be crucial or even decisive in the success of the proposed policy.  An appendix to the Task Force report listed 117 different markings currently in use to protect SBU information (described as “a partial listing”).

The Task Force proposal is “a good foundation,” said one senior Administration official.  But before the subject is addressed in an executive order, the final policy “needs to be more forward-leaning,” he said.

Meanwhile, the Department of Defense, the intelligence agencies, and the Department of Homeland Security have already indicated that they plan to use the CUI Framework for all of their sensitive unclassified information, another official said.