In November of 2010, the President issued Executive Order 13556, which directed the National Archives and Records Administration (NARA) to implement a program to manage Controlled Unclassified Information (CUI, also known as Sensitive But Unclassified, or SBU) markings across the entirety of the Executive Branch of the US Federal Government.  Executive Order 13556 reflected the recommendations of an Interagency Task Force (ITF) originally formed in 2009.  With PM-ISE aboard as a key member, the ITF was chaired by DHS and DOJ and included representation from HHS, DOD, DOS, OMB, NARA, ODNI, FBI, DOI, and USDA.  The ITF found that the “Executive Branch performance suffers immensely from interagency inconsistency in SBU policies, frequent uncertainty in interagency settings as to exactly what policies apply to given SBU information, and the inconsistent application of similar policies across agencies.”  NARA immediately responded with initial guidance and has spent the time since carefully crafting regulations to minimize the various categories and treatment of CUI to only that required by law.  However, the history of PM-ISE and CUI goes back even further, to 2005 when PM-ISE supported aPresidential Memorandum which included “direction to standardize procedures for sensitive but unclassified information.”

Though any change of this magnitude has an associated cost, ITF members have observed that the benefits of sharing information are well worth the cost, often in ways that were not foreseen ahead of time.  However, the mission to share information across government can only be fully realized when every agency trusts that its information will be amply protected while in the hands of partner agencies.  NARA’s proposed regulation will ensure that a minimum level of protection is required at all executive branch agencies and any other organizations which seek to assist the executive branch in performing its duties.  By ensuring a minimum standard is published and clear to all parties involved, individual agencies may trust that their partner agencies meet the standard, and they are free to share information at the appropriate levels.  At the same time, NARA has identified when federal law requires an additional level of protection for certain information (such as Privacy orLaw Enforcement information).

The Information Sharing Environment (ISE) is inherently horizontal, multi-agency, and cross cutting.  For a robust ISE, consistent terminology and consistent treatment for CUI is required.  Techniques such as Data TaggingFederated SearchAttribute-based Access Control (ABAC),Federated Identity Control and Management (Federated ICAM, or FICAM) enable the sharing of information across government at machine-speed.  Protection of the information is ensured by comparing user attributes to the protection requirements associated with the category of CUI.  In order to implement these techniques, all parties to a sharing agreement must have a common understanding of how the information is categorized, how that category must be protected, and which users may access that category.

By supporting uniformity across government, the NARA CUI program helps ensure the right people have the right information at the right time.

News Source: 

Program Manager, Information Sharing Environment - Blog Post December 2015