Need to Know: A new mission for CIOs?

In Washington, where information is power -- and access to it defines power -- it’s not surprising that federal agencies have come up with myriad ways to tag, label, share and hoard their proprietary data.
What is harder to comprehend -- or employ for such needs as anti-terrorism efforts across multiple agencies and jurisdictions -- is the multitude of ways that many civilian agencies keep their information secret.

Intelligence and defense agencies have long used a system to classify information and restrict its access to individuals with security clearances. But there is another level of fencing for "sensitive but unclassified" government information. SBU includes material covered by designations such as For Official Use Only, Law Enforcement Sensitive, Sensitive Homeland Security Information, and Critical Infrastructure Information, among many others.

Actually, officials have more ways to describe SBU data than Eskimos have words for snow. Agencies slap more than 100 unique markings on SBU documents, and they use 130-plus ways to label or handle that information, according to government estimates. Documents can have different but seemingly similar SBU categories, such as For Official Use Only and Limited Official Use.

The glut of markings is worrisome to many. It severely constricts the government’s ability to use information technology systems to share data that is sufficiently sensitive to warrant protection but is not sensitive enough to be considered classified. SBU data is particularly important to state and local officials who don't have the security clearances needed to access classified information.

“Most of [the categories] had a plausible basis in practice,” said Steven Aftergood, director of the Federation of American Scientists’ Project on Government Secrecy. “Where they went astray was when agencies started using them to protect their own prerogatives and to preserve control over what they considered to be their information.”

Meanwhile, the situation isn’t straightforward when it comes to IT products for categorizing information. “If you look at 10 different vendors, you’ll see 10 different marking methods,” said Stephen Serrao, Memex’s product manager for the Americas region. Memex provides data management, analysis, information sharing and intelligence management services to several state and local intelligence fusion centers, which are frequent users of SBU networks.

An interagency task force convened by President Barack Obama to examine the SBU problem recommended consulting federal chief information officers through the CIO Council.

The task force recommended that the government get the CIOs' advice on how to use technology to set up the controlled unclassified information (CUI) framework, which former President George W. Bush instructed agencies to use to categorize terrorism-related data. The task force suggested that CIOs could develop a balanced set of technology requirements for safeguarding the data and create metadata standards.

The group also recommended expanding the CUI framework to go beyond terrorism-related information and include all SBU data. Obama will reportedly use the task force’s 40 recommendations to shape an executive order on CUI.

Serrao, a former intelligence official at the New Jersey State Police, said that if the IT requirements are included in a CUI executive order, state and local solicitations for information-sharing software will start to include the CUI requirements. And IT providers will need to make sure their products have the appropriate capability.

“We’ve seen that happen time and again, where folks have put requirements in the [request for proposals] that we bid on, and they’re straight cut-and-pasted out of a federal standard,” he said.

It’s unlikely that IT standards alone would be enough to alleviate the many competing interests and quickly solve the unclassified classification problem. However, widespread technology standards and an administrative push for agencies to develop a culture that’s more conducive to sharing information couldn’t hurt.

The task force said agencies should be authorized to impose administrative sanctions for repeated noncompliance with CUI policies, and they should consider how employees follow the CUI framework as part of their evaluation, promotion and award decisions.

“Getting across to these agencies that sharing this information is often better for security than withholding it is difficult,” said Michael German, policy counsel at the American Civil Liberties Union. “They still often present it as a transparency versus security sort of argument, when really it’s [an] information security versus national security debate.”

About the Author

Ben Bain is a reporter for Federal Computer Week.
