FAS

DoD Fails to Control “Controlled Unclassified Info”

10.23.08 | 2 min read | Text by Steven Aftergood

Pentagon officials say that the Department of Defense and its contractors are failing to adequately protect “controlled unclassified information” (CUI) that may have significant military or technological value to adversaries or competitors.

“Simply stated, hostile actors can exfiltrate large volumes of unclassified program information in a single attack that can potentially net enough information to enable adversaries to narrow a capability gap,” according to a recent Army information paper (marked “for official use only”).

Digitized information in the hands of Defense Industrial Base (DIB) contractors is said to be particularly vulnerable.

“Exfiltrations of unclassified data from DIB unclassified systems have occurred and continue to occur, potentially undermining and even neutralizing the technological advantage and combat effectiveness of the future force,” the paper stated.

See “U.S. Army’s Concerns with Protection of Controlled Unclassified Information,” (pdf) August 15, 2008.

The paper was obtained by Inside the Army and first reported in “Army Cyber Task Force To Manage Growing Industrial Espionage Risk” by Daniel Wasserbly, Inside the Army, October 20, 2008.

A similar concern about protection of controlled unclassified information was expressed last month by DoD Chief Information Officer John G. Grimes.

He reiterated “the importance of properly protecting controlled unclassified information placed on information systems connected to the Internet, especially those that use file transfer protocol (FTP), peer-to-peer (P2P), and other protocols that are inherently insecure and pose significant security risks.”

“DoD is currently hosting thousands of such sites and, in spite of previous direction, far too much CUI data is still publicly available from these DoD sites,” he wrote.

See “Protection of Controlled Unclassified Information on DoD Information Systems Connected to the Internet” (pdf), September 22, 2008. The Grimes memo was first reported by Sebastian Sprenger in Inside Defense on October 22.

The Department of Defense Inspector General recently reported that defense contractors had failed to properly manage, recover or revoke thousands of Common Access Cards that permit the holder to access controlled defense information on DoD information systems.

This presents “a potential national security risk that may result in unauthorized access to DoD resources, installations, and sensitive information worldwide,” the DoD IG said.

See “Controls Over the Contractor Common Access Card Life Cycle” (large pdf), DoD Inspector General, October 10, 2008.

Among other things, a failure to reliably protect restricted information that is unclassified may produce an undesirable incentive to classify such information.

publications
See all publications
Emerging Technology
day one project
Policy Memo
Strategies to Accelerate and Expand Access to the U.S. Innovation Economy

With targeted policy interventions, we can efficiently and effectively support the U.S. innovation economy through the translation of breakthrough scientific research from the lab to the market.

11.27.24 | 16 min read
read more
Government Capacity
day one project
Policy Memo
Collaborative Intelligence: Harnessing Crowd Forecasting for National Security

Crowd forecasting methods offer a systematic approach to quantifying the U.S. intelligence community’s uncertainty about the future and predicting the impact of interventions, allowing decision-makers to strategize effectively and allocate resources by outlining risks and tradeoffs in a legible format.

11.27.24 | 5 min read
read more
Clean Energy
day one project
Policy Memo
The Energy Transition Workforce Initiative

The energy transition underway in the United States continues to present a unique set of opportunities to put Americans back to work through the deployment of new technologies, infrastructure, energy efficiency, and expansion of the electricity system to meet our carbon goals.

11.27.24 | 5 min read
read more
Clean Energy
day one project
Policy Memo
Promoting Fusion Energy Leadership with U.S. Tritium Production Capacity

The United States has the only proven and scalable tritium production supply chain, but it is largely reserved for nuclear weapons. Excess tritium production capacity should be leveraged to ensure the success of and U.S. leadership in fusion energy.

11.26.24 | 12 min read
read more