FAS

DoD Fails to Control “Controlled Unclassified Info”

10.23.08 | 2 min read | Text by Steven Aftergood

Pentagon officials say that the Department of Defense and its contractors are failing to adequately protect “controlled unclassified information” (CUI) that may have significant military or technological value to adversaries or competitors.

“Simply stated, hostile actors can exfiltrate large volumes of unclassified program information in a single attack that can potentially net enough information to enable adversaries to narrow a capability gap,” according to a recent Army information paper (marked “for official use only”).

Digitized information in the hands of Defense Industrial Base (DIB) contractors is said to be particularly vulnerable.

“Exfiltrations of unclassified data from DIB unclassified systems have occurred and continue to occur, potentially undermining and even neutralizing the technological advantage and combat effectiveness of the future force,” the paper stated.

See “U.S. Army’s Concerns with Protection of Controlled Unclassified Information,” (pdf) August 15, 2008.

The paper was obtained by Inside the Army and first reported in “Army Cyber Task Force To Manage Growing Industrial Espionage Risk” by Daniel Wasserbly, Inside the Army, October 20, 2008.

A similar concern about protection of controlled unclassified information was expressed last month by DoD Chief Information Officer John G. Grimes.

He reiterated “the importance of properly protecting controlled unclassified information placed on information systems connected to the Internet, especially those that use file transfer protocol (FTP), peer-to-peer (P2P), and other protocols that are inherently insecure and pose significant security risks.”

“DoD is currently hosting thousands of such sites and, in spite of previous direction, far too much CUI data is still publicly available from these DoD sites,” he wrote.

See “Protection of Controlled Unclassified Information on DoD Information Systems Connected to the Internet” (pdf), September 22, 2008. The Grimes memo was first reported by Sebastian Sprenger in Inside Defense on October 22.

The Department of Defense Inspector General recently reported that defense contractors had failed to properly manage, recover or revoke thousands of Common Access Cards that permit the holder to access controlled defense information on DoD information systems.

This presents “a potential national security risk that may result in unauthorized access to DoD resources, installations, and sensitive information worldwide,” the DoD IG said.

See “Controls Over the Contractor Common Access Card Life Cycle” (large pdf), DoD Inspector General, October 10, 2008.

Among other things, a failure to reliably protect restricted information that is unclassified may produce an undesirable incentive to classify such information.

publications
See all publications
Government Capacity
Blog
The National Security Council’s Decision-Making Process: When Consensus Becomes a Constraint

The emphasis on interagency consensus, while well-intentioned, has become a structural impediment to bold or innovative policy options. When every agency effectively holds veto power over proposals, the path of least resistance becomes maintaining existing approaches with minor modifications.

01.22.25 | 4 min read
read more
Environment
Press release
Position on the Re-Introduction of H.R. 471 – The Fix Our Forests Act

The Federation of American Scientists supports H.R. 471, the re-introduction of the Fix Our Forests Act.

01.17.25 | 2 min read
read more
Emerging Technology
day one project
Policy Memo
Fighting Fakes and Liars’ Dividends: We Need To Build a National Digital Content Authentication Technologies Research Ecosystem

As people become less able to distinguish between what is real and what is fake, it has become easier than ever to be misled by synthetic content, whether by accident or with malicious intent. This makes advancing alternative countermeasures, such as technical solutions, more vital than ever before. 

01.17.25 | 12 min read
read more
Government Capacity
Blog
Herding Unicorns: Sharing Resources Speeds Hiring

Throughout this phase of work, there are many actions hiring managers and staffing specialists can take to streamline the process and improve the quality of eligible candidates. Most importantly, hiring managers and staffing specialists can collaborate within and across agencies to expedite and simplify the process.

01.17.25 | 10 min read
read more