There is no doubt the U.S. federal government has an interest in protecting information that, although unclassified, is sensitive enough in nature that strict controls over its use and distribution are essential. This information, known as Sensitive But Unclassified (SBU), is a broad category that includes, but isn’t limited to, material covered by such designations as For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive Homeland Security Information (SHSI), Security Sensitive Information (SSI) and Critical Infrastructure Information (CII).
According to the National Archives and Records Administration (NARA) there are currently over 100 ways of characterizing SBU information, each of which has its unique policies and procedures for protecting this information. Such an assemblage results in inconsistent categorizing of information, which may inadequately protect sensitive information and/or unreasonably restrict access to benign information.
In an effort to eliminate this “inefficient” and “confusing patchwork” of policies and procedures for protecting SBU, the Obama Administration on November 4, 2010, issued Executive Order 13556, which established a Controlled Unclassified Information (CUI) program.
According to the order, the CUI program standardizes and simplifies the way the executive branch handles unclassified information that requires safeguarding or dissemination controls. At its core, the CUI program consolidates the characterization of SBU information under a universal set of guidelines.
Federal departments and agencies have been put on the fast track to implement the requirements of the order. By this spring each agency head must submit a catalog to NARA, the designated executive agency, with its proposed categories and subcategories of CUI. Within the same time frame, NARA is required to issue initial directives for implementation of the order. Once these directives are revealed, agency heads will have 180 days to submit an implementation plan to NARA.
Time will tell how each agency will respond to the NARA directives and how this change will impact the designation process of CII, LES, and SSI, if at all. However, it is already clear that this order will dramatically change the way the U.S. federal government protects its information.
Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises, for optimizing risk-based strategic, policy, and budgetary decisions.