Presentation is loading. Please wait.

Presentation is loading. Please wait.

CUI Controlled Unclassified Information

Similar presentations

Presentation on theme: "CUI Controlled Unclassified Information"— Presentation transcript:

1 CUI Controlled Unclassified Information
A Review & Overview of Changes to Come Judy C. Gilmore DOE OSTI William D. Rhodes NNSA STIP Annual Working Meeting April 11, 2013

2 Overview of Changes to Come
CUI – Review & Overview Review Categories of CUI within DOE Ways to Process Ways to Access Overview of Changes to Come Background 2010 Executive Order and Resulting Actions Within DOE

3 CUI Defined Controlled Unclassified Information (CUI) Unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulation, and Government-wide policy. WITHIN DOE: "Controlled Unclassified Information " (CUI) is an overarching term used to refer to unclassified information that is identified and marked as sensitive (e.g., OUO and Unclassified Controlled Nuclear Information (UCNI)).

4 DOE STI is Disseminated by OSTI per Access Limitation Provided by Submitting Sites/Organizations
Unrestricted Distribution Unlimited Announcement OpenNet (only publicly releasable) Distribution Limitations – Controlled Unclassified Copyrighted Material w. Restrictions Small Business Innovative Research Data (SBIR) Small Business Technology Transfer Research Data (STTR) Naval Nuclear Propulsion Information (NNPI) Unclassified Controlled Nuclear Information (UCNI) Official Use Only Distribution Limitations – Controlled Unclassified Export Controlled Information Security Sensitive Information Protected Data (CRADA or Other) Patentable Material Patent Pending Limited Rights Data (Proprietary/Trade Secret) Nuclear Energy Applied Technology Program-Determined Official Use Only Classified Distribution Classified Information NOTE: Sites which do not produce CUI based on mission responsibilities, MAY produce CUI as a result of CRADAs, SBIR agreements, etc.

Controlled Unclassified Information (CUI). Certain unclassified information requiring safeguarding and dissemination controls mandated by statute or policy. Examples of such information within DOE include Official Use Only (OUO), Export Controlled Information (ECI), Unclassified Controlled Nuclear Information (UCNI), unclassified Naval Nuclear Propulsion Information (U-NNPI), and protected Personally Identifiable Information (PII). Within DOE other terms have been used, such as Unclassified Controlled Information (UCI) and Sensitive Unclassified Information (SUI), to refer to information that warrants protection as CUI. (Note: Current Government-wide efforts are under way to standardize CUI markings. Refer to which will be updated for most current information.) Scientific and Technical Information: ……STI may be classified, Unclassified Controlled Nuclear Information (UCNI), controlled unclassified information (CUI), or unclassified with no access restrictions. .. REQUIREMENTS: STI must be reviewed for public release as appropriate. STI that is potentially classified must be reviewed for classification. STI that is potentially controlled unclassified information (CUI) (e.g., nonproliferation, national security, export control, intellectual property, or protected Personally Identifiable Information and privacy) must be reviewed to identify such information. STI that contains either classified, Unclassified Controlled Nuclear Information (UCNI), or CUI must be marked in accordance with Departmental directives. Prior to providing the STI to OSTI, an STI Releasing Official must ensure that appropriate announcement and availability restrictions have been applied in accordance with statutory, regulatory, Executive order, and/or other Departmental requirements.

6 STI Submission Options for CUI
Utilize E-Link and provide individual web Announcement Notices for each STI product & upload full text (E-Link is compliant with FIPS encryption standard) Upload metadata & documents in a batch XML file STI Announcement Web Service Harvesting (i.e., allowing OSTI to run weekly queries against site servers to pick up XML output files of metadata with URL links to site-posted full text) is only for unlimited STI products; Harvesting sites need to ensure submission process is in place for CUI

7 Important Points CUI is to be routinely submitted to OSTI; any subsequent and further distribution by OSTI on behalf of the Department is then based on approval and ‘need to know’ of the requestor. CUI is a valuable resource to DOE and DOE contractors and STI tenets for central collection hold true: Provides accountability and historical records. Fulfills statutory mandates and Departmental requirements. Saves research dollars by reducing duplication.

8 Science Research CONNECTION (SRC)
Makes sites’ submitted CUI known & accessible Available to DOE Federal or DOE Contractor employees, includes unclassified/unlimited and statutorily controlled information (CUI) Provides access to full-text on a case-by-case/as approved basis. Important resource within DOE/NNSA Over 900 approved users and growing

9 Other Important Resources
DOE O 471.3 Identifying and Protecting Official Use Only Information DOE M Manual for Identifying and Protecting Official Use Only Information DOE O 471.1B Identification and Protection of Unclassified Controlled Nuclear Information

10 An Overview of Changes to Come
Per Executive Order, the way the Executive branch handles CUI will be standardized. Executive Branch Departments - including Energy, Defense, and Homeland Security – are actively involved. NOTE: Existing practices for sensitive unclassified information remain in effect until the CUI marking implementation deadline (TBD).

11 Why CUI Reform? To address current issues within Executive Branch by providing a common definition and standardized processes and procedures… Key points: Currently over 100 ways to characterize CUI (no common definition, no common protocols describing marking, safeguarding, disseminating, etc.). Lack of standardization and clarity can put some information at risk through inadequate safeguarding, other information may be needlessly restricted. EXCERPT: “Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.”

12 Background Following 9/11… The number of different categories for ‘Sensitive But Unclassified Information’ grew, leading to confusion and shut down of some public access. May President Bush issued memo to adopt CUI as single, standardized method for handling terrorism-related info, intended to lower barriers to information sharing among agencies. May President Obama’s memo calls for a review of all markings that control unclassified information, not just terrorism-related info.

13 November 2010 Executive Order “Controlled Unclassified Information” Established the CUI program to standardize and simplify the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls. CUI must be based on law, regulation, or Government-wide policy. Emphasis on openness and uniformity of Government-wide practices. CUI labels have no effect on disclosure decisions under FOIA.

14 Executive Agent: National Archives and Records Administration (NARA)
Issue a Registry of CUI categories and subcategories to be the only markings permitted for unclassified information that requires safeguarding or dissemination controls (to replace OUO, FOUO, SBU, etc.). Only categories/subcategories identified in the Registry may be used to safeguard information within the executive branch (“administrative markings” will be allowed). Registry:

15 CUI Implementation DOE and all Agencies have submitted implementation plans and comments to draft policy underway. Formal interagency coordination expected to begin Spring 2013. NARA will establish deadlines for phased implementation by the Agencies.

16 CUI Consolidated Policy
DRAFT POLICY ADDRESSES: Background and Applicability Elements of the CUI Program Safeguarding Dissemination Decontrol Marking Additional Facets Roles and Responsibilities Definitions

17 Key Points Relating to STI Management
Regarding Markings: CUI markings will be only markings authorized for use with unclassified information requiring safeguarding and/or dissemination controls. Banner markings placed at either top or bottom of each page containing CUI. Legacy materials – no re-marking required unless it will be re-used, restated, or paraphrased.

18 Key Points Relating to STI Management
Regarding Safeguarding & Dissemination : Safeguarding will involve Levels: Basic, High, Specified Associated IT considerations. Disseminate as extensively as necessary provided dissemination is consistent with Lawful Government Purpose.

19 Key Points Relating to STI Management
Regarding Decontrol: Decontrol as soon as practicable. Section 5.1(e) This should be accomplished without review and should be a transparent process to authorized holders. This is best accomplished by including a decontrol schedule or date with all CUI. Accordingly, in cases where originators of specific items of CUI know with certainty at what point such CUI should be decontrolled, originators shall include such information. Agencies to establish internal processes to manage decisions related to decontrol. Decontrol is not authority for public release. CUI must be reviewed/decontrolled prior to or concurrent with public release. Where feasible, originating agencies will include a specific date or event for decontrol with all media containing CUI.

20 Key Points Relating to STI Management
Regarding Education, Training & Self-Inspections Personnel who create or handle CUI must be trained Initial and Refresher training (at least biannually) Senior Agency Officials shall establish ongoing agency self-inspection Report to EA annually for first 3 years, biennially thereafter

21 Within DOE – Major Issues Under Discussion Include:
Inconsistent with DOE authority for UCNI Portion marking – RD/FRD documents Encryption requirements Decontrol-related issues More….

22 DOE Implementation Following NARA’s issuance of implementation deadlines, DOE will: Develop regulations for information that requires safeguarding that is not in the Registry (e.g., some security-related information, Applied Technology). Develop DOE CUI Regulation and Directive (CUI will officially replace OUO). Revise classification and UCNI guidance to reflect CUI. Develop and promulgate CUI training. Ensure compliance with CUI policies

23 Timeframe We’re marching ever closer to CUI being a reality,
but deadlines not yet established. CUI may be implemented within DOE in 2014 or 2015 but will be implemented. Until then Existing practices and marking requirements for sensitive unclassified information remain in effect and continued adherence to DOE Orders for OUO and UCNI is required.

24 Questions/Comments and Sites’ Perspectives?
Additional information available: Special thanks to HS-61 for CUI-related information.

Download ppt "CUI Controlled Unclassified Information"

Similar presentations

Ads by Google