340 likes | 918 Views
CUI Controlled Unclassified Information. Judy C. Gilmore DOE OSTI. William D. Rhodes NNSA. A Review & Overview of Changes to Come. STIP Annual Working Meeting April 11, 2013. CUI – Review & Overview. CUI Defined.
E N D
CUIControlled Unclassified Information Judy C. Gilmore DOE OSTI William D. Rhodes NNSA A Review & Overview of Changes to Come STIP Annual Working Meeting April 11, 2013
CUI Defined Controlled Unclassified Information (CUI) Unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulation, and Government-wide policy. WITHIN DOE: "Controlled Unclassified Information " (CUI) is an overarching term used to refer to unclassified information that is identified and marked as sensitive (e.g., OUO and Unclassified Controlled Nuclear Information (UCNI)).
DOE STI is Disseminated by OSTI per Access Limitation Provided by Submitting Sites/Organizations NOTE: Sites which do not produce CUI based on mission responsibilities, MAY produce CUI as a result of CRADAs, SBIR agreements, etc.
Within DOE Order 241.1B DEFINITIONS: • Controlled Unclassified Information (CUI). Certain unclassified information requiring safeguarding and dissemination controls mandated by statute or policy. Examples of such information within DOE include Official Use Only (OUO), Export Controlled Information (ECI), Unclassified Controlled Nuclear Information (UCNI), unclassified Naval Nuclear Propulsion Information (U-NNPI), and protected Personally Identifiable Information (PII). Within DOE other terms have been used, such as Unclassified Controlled Information (UCI) and Sensitive Unclassified Information (SUI), to refer to information that warrants protection as CUI. (Note: Current Government-wide efforts are under way to standardize CUI markings. Refer to www.osti.gov/stip, which will be updated for most current information.) • Scientific and Technical Information: ……STI may be classified, Unclassified Controlled Nuclear Information (UCNI), controlled unclassified information (CUI), or unclassified with no access restrictions. .. REQUIREMENTS: • STI must be reviewed for public release as appropriate. STI that is potentially classified must be reviewed for classification. STI that is potentially controlled unclassified information (CUI) (e.g., nonproliferation, national security, export control, intellectual property, or protected Personally Identifiable Information and privacy) must be reviewed to identify such information. STI that contains either classified, Unclassified Controlled Nuclear Information (UCNI), or CUI must be marked in accordance with Departmental directives. Prior to providing the STI to OSTI, an STI Releasing Official must ensure that appropriate announcement and availability restrictions have been applied in accordance with statutory, regulatory, Executive order, and/or other Departmental requirements.
STI Submission Options for CUI • Utilize E-Link and provide individual web Announcement Notices for each STI product & upload full text (E-Link is compliant with FIPS 140.2 encryption standard) • Upload metadata & documents in a batch XML file • STI Announcement Web Service http://www.osti.gov/stip/docs/AN241.1web_%20service_0.pdf Harvesting (i.e., allowing OSTI to run weekly queries against site servers to pick up XML output files of metadata with URL links to site-posted full text) is only for unlimited STI products; Harvesting sites need to ensure submission process is in place for CUI
Important Points • CUI is to be routinely submitted to OSTI; any subsequent and further distribution by OSTI on behalf of the Department is then based on approval and ‘need to know’ of the requestor. • CUI is a valuable resource to DOE and DOE contractors and STI tenets for central collection hold true: • Provides accountability and historical records. • Fulfills statutory mandates and Departmental requirements. • Saves research dollars by reducing duplication.
Science Research CONNECTION (SRC)https://www.osti.gov/src • Makes sites’ submitted CUI known & accessible • Available to DOE Federal or DOE Contractor employees, includes unclassified/unlimited and statutorily controlled information (CUI) • Provides access to full-text on a case-by-case/as approved basis. • Important resource within DOE/NNSA • Over 900 approved users and growing
Other Important Resourceswww.directives.doe.gov • DOE O 471.3 Identifying and Protecting Official Use Only Information • DOE M 471.3-1 Manual for Identifying and Protecting Official Use Only Information • DOE O 471.1B Identification and Protection of Unclassified Controlled Nuclear Information • http://www.hss.doe.gov/classificiation/QualityMgt/ouo.html
An Overview of Changes to Come • Per Executive Order, the way the Executive branch handles CUI will be standardized. • Executive Branch Departments - including Energy, Defense, and Homeland Security – are actively involved. NOTE: Existing practices for sensitive unclassified information remain in effect until the CUI marking implementation deadline (TBD).
Why CUI Reform? To address current issues within Executive Branch by providing a common definition and standardized processes and procedures… Key points: • Currently over 100 ways to characterize CUI (no common definition, no common protocols describing marking, safeguarding, disseminating, etc.). • Lack of standardization and clarity can put some information at risk through inadequate safeguarding, other information may be needlessly restricted. EXCERPT: “Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.”
Background Following 9/11…The number of different categories for ‘Sensitive But Unclassified Information’ grew, leading to confusion and shut down of some public access. May 2008 President Bush issued memo to adopt CUI as single, standardized method for handling terrorism-related info, intended to lower barriers to information sharing among agencies. May 2009 President Obama’s memo calls for a review of all markings that control unclassified information, not just terrorism-related info.
November 2010 • Executive Order 13556 “Controlled Unclassified Information” • Established the CUI program to standardize and simplify the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls. • CUI must be based on law, regulation, or Government-wide policy. • Emphasis on openness and uniformity of Government-wide practices. • CUI labels have no effect on disclosure decisions under FOIA.
Executive Agent:National Archives and Records Administration (NARA) • Issue a Registry of CUI categories and subcategories to be the only markings permitted for unclassified information that requires safeguarding or dissemination controls (to replace OUO, FOUO, SBU, etc.). • Onlycategories/subcategories identified in the Registry may be used to safeguard information within the executive branch (“administrative markings” will be allowed). • Registry:http://www.archives.gov/cui/registry/category-list.html
CUI Implementation • DOE and all Agencies have submitted implementation plans and comments to draft policy underway. • Formal interagency coordination expected to begin Spring 2013. • NARA will establish deadlines for phased implementation by the Agencies.
Key Points Relating to STI Management Regarding Markings: • CUI markings will be only markings authorized for use with unclassified information requiring safeguarding and/or dissemination controls. • Banner markings placed at either top or bottom of each page containing CUI. • Legacy materials – no re-marking required unless it will be re-used, restated, or paraphrased.
Key Points Relating to STI Management Regarding Safeguarding & Dissemination : • Safeguarding will involve Levels: Basic, High, Specified • Associated IT considerations. • Disseminate as extensively as necessary provided dissemination is consistent with Lawful Government Purpose.
Key Points Relating to STI Management Regarding Decontrol: • Decontrol as soon as practicable. Section 5.1(e) This should be accomplished without review and should be a transparent process to authorized holders. This is best accomplished by including a decontrol schedule or date with all CUI. Accordingly, in cases where originators of specific items of CUI know with certainty at what point such CUI should be decontrolled, originators shall include such information. • Agencies to establish internal processes to manage decisions related to decontrol. • Decontrol is not authority for public release. • CUI must be reviewed/decontrolled prior to or concurrent with public release. • Where feasible, originating agencies will include a specific date or event for decontrol with all media containing CUI.
Key Points Relating to STI Management Regarding Education, Training & Self-Inspections • Personnel who create or handle CUI must be trained • Initial and Refresher training (at least biannually) • Senior Agency Officials shall establish ongoing agency self-inspection • Report to EA annually for first 3 years, biennially thereafter
Within DOE – Major Issues Under Discussion Include: • Inconsistent with DOE authority for UCNI • Portion marking – RD/FRD documents • Encryption requirements • Decontrol-related issues More….
DOE Implementation Following NARA’s issuance of implementation deadlines, DOE will: • Develop regulations for information that requires safeguarding that is not in the Registry (e.g., some security-related information, Applied Technology). • Develop DOE CUI Regulation and Directive (CUI will officially replace OUO). • Revise classification and UCNI guidance to reflect CUI. • Develop and promulgate CUI training. • Ensure compliance with CUI policies
Timeframe We’re marching ever closer to CUI being a reality, butdeadlines not yet established. CUI may be implemented within DOE in 2014 or 2015 but will be implemented. Until then Existing practices and marking requirements for sensitive unclassified information remain in effect and continued adherence to DOE Orders for OUO and UCNI is required.
Questions/Comments and Sites’ Perspectives? • Additional information available: www.archives.gov/cui • Special thanks to HS-61 for CUI-related information.