On November 4, 2011, the National Archives and Records Administration (NARA) released the first-ever registry for Controlled Unclassified Information (CUI) for records that are not classified as top secret or secret, but require some protection. The release of this registry meets one of the first targets of President Obama’s Executive Order on Controlled Unclassified Information. Although much work remains, the new registry “is certainly an important milestone,” according to John Fitzpatrick, the office’s director.
The new CUI registry provides a common definition, standardizes processes and procedures, and breaks CUI down into 15 subject categories, such as law enforcement, immigration and privacy, followed by 85 subcategories (“privacy-contract use,” “privacy-financial,” and so on). It also justifies each with a reference to a specific law, regulation or government-wide policy. The next major step for agencies will be to meet the second target (deadline Dec 6, 2011) specified in the Obama Executive Order: “Within 180 days of the issuance of initial policies and procedures by the Executive Agent in accordance with section 4(b) of this order, each agency that originates or handles CUI shall provide the Executive Agent with a proposed plan for compliance with the requirements of this order, including the establishment of interim target dates.”
What’s Next and What Does This Mean for You Today?
A good number of agencies are ahead of the curve, looking at the CUI implementation and evaluating COTS solutions to address the CUI markings. Other agencies are still in the research phase and have just started looking at CUI. Regardless of where you might be, when preparing your initial compliance plan for NARA and beginning to evaluate a COTS CUI marking solution, you should consider the following best practices:
1) Users will need to be able to apply CUI-compliant markings to email and documents.
2) Any existing marking tools will need to support the new CUI framework.
3) Any marking solution should be easy to use and require minimal training for the user.
4) Users should be prompted when sensitive information is detected.
5) Some CUI will require extra protection, such as encryption and dissemination controls.