President orders agencies to simplify data labeling
President Bush ordered federal agencies last week to standardize the labels they use to categorize sensitive but unclassified information. The order requires agencies to adopt three standard labels and drop the more than 100 different markings now in use.
Some officials and lawmakers have expressed concern that an ad hoc proliferation of labels for handling sensitive data has hindered the sharing of terrorist-related information among federal agencies and state and local partners. Open-government groups also have complained that the confusing categorization of sensitive information prevents proper disclosure of unclassified data.
The order directs agencies to use the Controlled Unclassified Information (CUI) framework, which addresses the disclosure interests of open-government groups and officials concerned with sharing data, said John Cohen, a spokesman for the Office of the Director of National Intelligence’s Program Manager of the Information Sharing Environment.
However, the directive’s effectiveness will depend on how agencies apply it and how well the National Archives and Records Administration oversees its implementation, observers say. The memo puts NARA in charge of implementation.
Patrice McDermott, director of OpenTheGovernment.org, said the new framework is a good first step, but a greater focus on disclosure would improve it. She said the framework should also limit how long information can be maintained in certain CUI categories.
“The devil is going to be in the details and how this is implemented by NARA,” McDermott said.
Cohen’s office has been working with NARA to prepare for the next steps, which include planning and implementation. Officials also must determine what costs NARA will incur as the executive agency in charge of the program and what other agencies must spend to comply with the new standards.
Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists, said he is concerned about how NARA can effectively serve in its executive role when it typically receives a small budget. The framework is probably the best that could be achieved by consensus, but it is incomplete and could lead to overuse, he added.
“It doesn’t clearly define either the scope of CUI or the procedures for safeguarding it,” Aftergood said. “Those basic questions are kicked down the road to an implementation phase.”
The May 9 directive announcing the CUI framework states that the new standards will not affect Freedom of Information Act requests, and they do not require agencies to classify or declassify any new or additional terrorism-related information.
Getting agencies to fully switch to the new labels and incorporate them into their information handling processes and and information technology systems could take as long as five years, the directive states.
Ben Bain is a reporter for Federal Computer Week.