Sensitive Security Information in the New CUI World
On November 4th, the National Archives and Records Administration (NARA) posted a Controlled Unclassified Information (CUI) Registry on its website. The Registry is designed to list the categories of information that federal agencies are authorized to use to safeguard sensitive material that is not classified. It matters for maritime transportation security because of its potential impact on Sensitive Security Information (SSI).
The CUI program came about as an attempt to rein in the proliferating categories of what used to be called Sensitive But Unclassified Information. A year ago today, the President signed Executive Order 13556, which mandated a review of existing designations, development of CUI categories and subcategories, and Government-wide policies and procedures concerning marking, safeguarding, dissemination, and decontrol of CUI. The NARA was also tasked to establish, within a year, a public CUI registry “reflecting authorized CUI categories and subcategories, associated markings, and applicable safeguarding, dissemination, and decontrol procedures.”
Depending on how you count, the National Archives either just met or just missed the deadline. But even if the Registry was timely published, its content is quite incomplete. It does list 15 CUI categories and an additional 73 subcategories, along with their “Safeguarding and/or Dissemination Authority” and any sanctions for violation. If those numbers hold up, the entire CUI effort represents a moderate reduction in types of unclassified information too sensitive to let the public in on. (When the Executive Order was issued, the New York Times reported that agencies had developed “almost 120 markings.”)
Despite having four separate statutory authorization provisions, Sensitive Security Information (SSI) is not a CUI category. Instead, it is a subcategory of “Critical Infrastructure,” along with “Ammonium Nitrate,” “Chemical-terrorism Vulnerability Information,” “Critical Energy Infrastructure Information,” “Physical Security,” “Protected Critical Infrastructure Information,” and “Water Assessments.”
As of now, the Registry provides generic guidance (one or two sentences each) for safeguarding, dissemination, and decontrol of CUI, and its formatting does not appear to contemplate procedures specific to any category or subcategory. NARA’s Initial Implementation Guidance states, however, that “[w]hen law, regulation, or Government-wide policy mandates specific requirements for the safeguarding of a particular category or subcategory of CUI, these requirements shall be published in the CUI registry.” It’s not clear whether this requirement could be satisfied by mere reference to existing regulations, such as the Transportation Security Administration’s SSI regulation. If not, and the wording “these requirements shall be published” suggests cross-referencing is insufficient, the Registry will eventually turn out to be quite lengthy. Additionally, the initial guidance continues “Agency-specific safeguarding controls that exceed those published in the CUI registry shall not be imposed on users outside of the implementing agency.” This raises interesting issues with regard to the Coast Guard’s Navigation and Vessel Inspection Circular (NVIC) 10-04 on SSI. This extensive tome provides lots of detailed SSI guidance for the MTSA-regulated community. As the NVIC is neither a regulation nor a Government-wide policy, its requirements presumably will not make it into the Registry. So could not a MTSA-regulated entity defeat a Notice of Violation that it received from a Coast Guard inspector who found a deviation from the minutiae of the NVIC?
In contrast to the absence of provision for subcategory-specific procedures, the Registry has dedicated space for category or subcategory markings, but none are indicated as yet. They “will be developed and scheduled for implementation following Executive Agent [NARA] review of agency initial compliance plans and publication of additional guidance.” (Agency plans are due to NARA by December 6.) So all we know at this point, based on the initial guidance, is that the only authorized overall CUI markings will look something like “CUI//Authorized Category-Subcategory (if necessary).” Portion markings (which are to be encouraged) will look something like “(CUI//Authorized Category-Subcategory (if necessary)).” Presumably, in the latter case, abbreviations will be used, such as (CUI/CI/SSI).
While waiting for further CUI developments, however, nothing changes regarding the handling, marking, and disclosure of SSI. The CUI Registry is prefaced with a “reminder” that “[e]xisting practices for sensitive unclassified information remain in effect until the CUI marking implementation deadline.” And even that deadline has yet to be determined.
Tip of the hat to Gavin Baker at OMB Watch for breaking the news of the registry’s publication.
NOTE: This post may be copied, distributed, and displayed and derivative works may be based on it, provided it is attributed to Maritime Transportation Security News and Views by John C. W. Bennett, http://mpsint.com