Controlled Unclassified Information (CUI): An Overview.

Transcript of Controlled Unclassified Information (CUI): An Overview.

Page 1: Controlled Unclassified Information (CUI): An Overview.

Controlled Unclassified Information (CUI): An Overview

Page 2: Controlled Unclassified Information (CUI): An Overview.

May 9th Presidential Memorandum

On May 9, 2008, the President released the Memorandum for the Heads of Executive Departments and Agencies on the Designation and Sharing of Controlled Unclassified Information.

The Memorandum:

• Adopts, defines, and institutes “Controlled Unclassified Information” (CUI) as the single categorical designation for all information referred to as “Sensitive But Unclassified” (SBU) in the Information Sharing Environment (ISE); and

• Establishes a corresponding new CUI Framework for designating, marking, safeguarding, and disseminating information designated as CUI; and

• Designates the National Archives and Records Administration (NARA) as the Executive Agent, to oversee and implement the new CUI Framework.

The purpose of the Framework is to standardize practices and thereby improve the sharing of information.

Page 3: Controlled Unclassified Information (CUI): An Overview.

CUI Governance Structure

CUI Executive Agent

The Presidential Memorandum designates NARA as the CUI Executive Agent. On May 21, 2008, the Archivist of the United States established the CUI Office within NARA to oversee and manage the implementation of the new CUI Framework.

CUI Council

The CUI Council members shall be drawn from within the existing ISC. As appropriate, the CUI Council will consult with the ISC’s State, Local, Tribal, and Private Sector Subcommittee. Representing the needs and equities of ISE participants, the CUI Council will provide advice and recommendations to the Executive Agent on ISE-wide CUI policies, procedures, guidelines, and standards. The PM-ISE issued guidance establishing the CUI Council on July 9, 2008. The first CUI Council meeting was held on Aug. 21, 2008.

Departments and Agencies

Heads of all Federal departments and agencies will be responsible for implementing the CUI Framework standards for ISE-wide CUI policy and ensuring that their departments or agencies comply with the CUI Framework. On June 30, 2008, the Director of the CUI Office sent a letter to Departments and Agencies with initial implementing guidance for CUI.

Page 4: Controlled Unclassified Information (CUI): An Overview.

The CUI Council will carry out the following functions as directed by the President:

• Serve as the primary advisor to the Executive Agent on issues pertaining to the CUI Framework;

• Advise the Executive Agent in developing procedures, guidelines, and standards necessary to establish, implement, and maintain the CUI Framework;

• Ensure coordination among the depts. and agencies participating in the CUI Framework; and

• Resolve complaints and disputes among departments and agencies about proper designation or marking of CUI.

The CUI Council

• Department of Commerce

• Department of Defense

• Director of National Intelligence (IC)

• Department of Energy

• Federal Bureau of Investigation

• Department of Health and Human Services

• Joint Staff

• Department of Homeland Security

• Department of Interior

• Department of Justice

• Office of Management and Budget

• Program Manager for the Information Sharing Environment

• Department of State

• Department of Transportation

• Department of Treasury

• Environmental Protection Agency

• Nuclear Regulatory Commission

• Two SLT members and two private sector members on the CUI Council.

Page 5: Controlled Unclassified Information (CUI): An Overview.

Two Private Sector Representatives

Frederick V. Riccardi

• Senior Executive Director, Security and Mission Assurance, ManTech International Corporation

• National Defense Industrial Association – Chairman Industrial Security Committee 2008-2009

• Nominated by the NISPPAC membership for representation on CUI Council

Turner D. Madden, Esquire

• Madden & Patton, LLC

• Vice Chairman of the Partnership for Critical Infrastructure and the Co-Chairman of the Commercial Sector Coordinating Council for the U.S. Department of Homeland Security. Elected by the sub-sector chairs in the Commercial Sector

• Nominated by the industry members of the Critical Infrastructure Partnership Advisory Council (CIPAC) for representation on CUI Council

Page 6: Controlled Unclassified Information (CUI): An Overview.

CUI Framework Implementation Timeline Overview 08/21/08

[Figure: timeline chart spanning May 08 through FY13. Legend: Guiding Documents; CUI Council Meetings; Stand-up; Outreach Phase; Planning Phase; Implementation Phase.]

Phases: Stand-up; Initial Outreach; Planning; Implementation – Phase I; Implementation – Phase II

Events shown on the timeline (2008):

• Presidential CUI Memo: May 9

• Background CUI Framework: May 20

• NARA CUI Memo: May 21

• Outreach to Departments & Agencies: Jun-Aug

• Dept Agency Letter: Jun 27

• CUI Council Letter: Jul 9

• CUIO Brief to ISC: Jul 16

• Updated data call to Departments & Agencies: Aug 8

• CUI Council Initial Meeting: Aug 21

• CUIO at PM-ISE PR: Aug 28

• Data call due: Sep 4

• CUIC meetings: Sep 18, Oct 16, Nov 20, Dec 18 (every 3rd Thurs as needed)

• Other items shown: Departments & Agencies identify reps; CUIO Review; Data call Updates/Outreach; Departments & Agencies submit Plans to CUIO

Milestones for Implementation

FY09

• Draft Implementing Guidance (Safeguarding, Dissemination, Designating, Marking)

• Initiate CUI 101 Training

• Design Registry

• Review Department & Agency Plans

• Annual Report

FY10

• Finalize Department & Agency Plans

• Activate Registry

• Initiate CUI 201 Training

• Identify and designate CUI

• Alignment of Policy-based Markings

• Begin federal rule-making process

• Annual Report

FY11

• Alignment of Policy Markings with Exceptions

• Alignment of Regulatory Markings

• Confirm necessary changes to regulation and statute

• Annual Report

FY12 – FY13

• Monitor Department & Agency compliance with CUI policy, standards, and markings

• Evaluate effectiveness of CUI Implementation Policy and Guidance

• Update Policy and Guidance as necessary

• Annual Report

Full Implementation of CUI Framework: May 2013

Page 7: Controlled Unclassified Information (CUI): An Overview.

FY09 Priorities

• Development of Centralized Implementation Plan

- Set priorities for implementation

- Establish milestones for alignment to CUI Framework

- Establish training schedule

• Development of Implementation Policies

- Define Safeguarding Standards

- Define Department and Agency CUI Dissemination Policies

- Develop detailed guidance on CUI life cycle, portion marking, and application of CUI Framework to archived information

- Establish Centralized CUI Training (“CUI 101”)

• Begin the development of Department- and Agency-specific Implementation Plans

- Establish Department- and Agency-specific CUI Training (“CUI 201”)

The intent is to provide departments and agencies the information that they need to plan for implementation and align this implementation with their normal budget cycles.

Page 8: Controlled Unclassified Information (CUI): An Overview.

Guiding Principles

• Sharing: CUI will be shared as broadly as possible.

• Protection: CUI will be appropriately protected.

• Rationalization: CUI policy will be developed with deliberate consideration to managing risk and information sharing.

• Flexibility: CUI policy development will respond to changes through centralized management and distributed execution.

• Inclusiveness: CUI policy will address the needs of all ISE partners, both users and producers of information, taking into account all media types.

• Standardization: CUI policy will be standardized so all participants are governed by uniform definitions and practices.

• Transparency: CUI policy will be developed with input by State, local, tribal, and private sector entities and comment by the public.

Page 9: Controlled Unclassified Information (CUI): An Overview.

Policy Development Process

• Safeguarding introduced to CUI Council 18 Sep 08

- Discussed at five Council sessions

• Working Group formed 25 Sep 08

- Strawman language discussed and vetted at three WG sessions

• Draft strawman guidance organized into six general sections:

- General Policy

- Waivers for Exigent Situations

- Controls in Use

- Storage

- Transmission

- Destruction

• Draft Interim Guidance briefed at 19 Feb 09 CUI Council

• Retained in “draft” status until other focus areas drafted and vetted through same CUIO process

Page 10: Controlled Unclassified Information (CUI): An Overview.

Policy Development – Stage in Process

• CUI Policy is being organized under eight primary focus areas

• Safeguarding

• Dissemination

• Dispute Resolution

• Markings

• Designation

• Life Cycle

• Exceptions

• Penalties/Enforcement

[Figure: chart showing the stage in process for each focus area. Stages: Intro, Development, Draft, Final.]

Page 11: Controlled Unclassified Information (CUI): An Overview.

Other Implementation Preparation Activities

• Designation

• Specified Dissemination

• Registry

• Training

• Outreach

Page 12: Controlled Unclassified Information (CUI): An Overview.

Contact Information

Controlled Unclassified Information Office

National Archives and Records Administration

700 Pennsylvania Avenue, N.W., Room 100

Washington, DC 20408-0001

(202) 357-6870 (voice)

(202) 357-6871 (fax)

[email protected] (email)

www.archives.gov/CUI (website)