NARA preps for new info control rules

Policies across the federal government for locking down sensitive but unclassified information are, well, a little federated.                         

Plans to create a single category, dubbed "controlled unclassified information," and craft regulations about its handling by government agencies and contractors who store such information on their systems are about to bear fruit.

"The methods that are applied currently are confusing and drive excessive costs. Allowing a thousand flowers to bloom in the manner of labels, markings, safeguarding techniques and all these kinds of instructions -- there's a certain amount of inefficiency here," John P. Fitzpatrick, director of the Information Security Oversight Office at the National Archives and Records Administration, said at a May 28 public meeting to update feds and stakeholders about plans for CUI handling.

The process was set in motion by a 2012 executive order.

The change in rules is not aimed at creating new categories of information to guard from disclosure, Fitzpatrick said. Statutory requirements, regulations and government-wide policies drive the decisions to tab information as CUI. To accommodate the demands of the entire federal enterprise, NARA established, with input from agencies, 23 categories and 82 subcategories of CUI in a registry, with links to the statutory or regulatory basis for keeping the info under wraps.

If the final rule on CUI handling is published at the end of 2015, it starts the clock on a three- to four-year phased implementation. For agencies, the biggest change is in the marking of CUI documents prior to dissemination. A marking handbook is being developed internally at NARA with input from agencies, and the expectation is that every page of a protected document will contain banner information identifying it as CUI.

Agencies are also expected to protect CUI stored on federal computer systems at the FISMA moderate level for information security. NARA expects the IT changes to be among the most arduous for agencies. While an estimated 70 percent of agencies will have no trouble meeting the moderate requirement, some agencies that aren't accustomed to dealing with information controls are likely to face hurdles. NARA is shooting for all agencies to be in compliance by the end of the implementation process.

On the contractor side, the National Institute of Standards and Technology is due to release a new special publication covering confidentiality of CUI on nonfederal systems that sets security standards similar to FISMA moderate for contractors. The NIST advisory will serve as guidance for vendors who store, transmit and handle CUI on behalf of agencies until the Federal Acquisition Regulation is updated to create contractual standards for CUI.

This could represent a significant change for federal contractors. Fitzpatrick estimates there are at least 300,000 who have CUI in their systems. There are no plans for formal checks of systems to make sure they are compliant, as is done for contractors cleared for classified information. Instead, Fitzpatrick said, the plan is for contractors to certify themselves, and any checks will be done by agencies that have special needs, or perhaps in the aftermath of a breach. He urged contractors to stay involved as these requirements wend through the FAR draft rule process, so that they are not blindsided.

"It's really not until the FAR rule lands, the CUI rule and this NIST rule, that you're going to understand every implication on a company through the contracting process," Fitzpatrick said.

Privacy and decontrol

Some agencies are concerned about the disposition of personally identifiable information in their systems. There are some specific legal protections in place that apply precisely to government information.

For instance, personally identifiable census information is kept from public release for 72 years after collection, and patent filers are guaranteed 18 months of secrecy after submitting an application. In most cases, the law is less specific, and agencies are guided by regulations and policies when it comes to "decontrolling" information. Other personal info is protected by the Privacy Act and other statutes that apply to health and financial information, or regulations on information collection that are agency-specific.

"What we're trying to do in the privacy space is to recognize that that information is unique," Fitzpatrick told reporters after the NARA event. "There are times when its presence in the government's possession requires protection under the privacy laws in a certain way, and there are times when the laws say no, not as much," he said.

One of the goals of the CUI policy is to end the practice of officials reflexively stamping "for official use only" on government documents, even though they are not protected under the standards promulgated by the executive order and the CUI policy.

On the other hand, agencies have identified a few categories of information that are considered worthy of protection that don't have specific language in law, regulations or government policy. During the rule-writing process, NARA learned that federal law enforcement protected certain investigative information, including the identity of confidential informants, more by custom than by rule. NARA worked to create a provisional category of protected CUI that covered this area. 

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy, health IT and the Department of Veterans Affairs. Prior to joining FCW, Mr. Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian started his career as an arts reporter and critic, and has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, Architect magazine, and other publications. He was an editorial assistant and staff writer at the now-defunct New York Press and arts editor at the About.com online network in the 1990s, and was a weekly contributor of music and film reviews to the Washington Times from 2007 to 2014.


Reader comments

Fri, May 29, 2015 Michelle Boyd

Executive Order 13556 was signed in 2010, not 2012 as the article states.
