Presentation on theme: "CUI Controlled Unclassified Information"— Presentation transcript:
1CUI Controlled Unclassified Information A Review & Overview of Changes to ComeJudy C. GilmoreDOE OSTIWilliam D. RhodesNNSASTIP Annual Working MeetingApril 11, 2013
2Overview of Changes to Come CUI – Review & OverviewReviewCategories of CUI within DOEWays to ProcessWays to AccessOverview of Changes to ComeBackground2010 Executive Order and Resulting ActionsWithin DOE
3CUI DefinedControlled Unclassified Information (CUI) Unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulation, and Government-wide policy.WITHIN DOE: "Controlled Unclassified Information " (CUI) is an overarching term used to refer to unclassified information that is identified and marked as sensitive (e.g., OUO and Unclassified Controlled Nuclear Information (UCNI)).
4DOE STI is Disseminated by OSTI per Access Limitation Provided by Submitting Sites/Organizations Unrestricted DistributionUnlimited AnnouncementOpenNet (only publicly releasable)Distribution Limitations – Controlled UnclassifiedCopyrighted Material w. RestrictionsSmall Business Innovative Research Data (SBIR)Small Business Technology Transfer Research Data (STTR)Naval Nuclear Propulsion Information (NNPI)Unclassified Controlled Nuclear Information (UCNI)Official Use Only Distribution Limitations – Controlled UnclassifiedExport Controlled InformationSecurity Sensitive InformationProtected Data (CRADA or Other)Patentable MaterialPatent PendingLimited Rights Data (Proprietary/Trade Secret)Nuclear Energy Applied TechnologyProgram-Determined Official Use OnlyClassified DistributionClassified InformationNOTE: Sites which do not produce CUI based on mission responsibilities, MAY produce CUI as a result of CRADAs, SBIR agreements, etc.
5Within DOE Order 241.1B DEFINITIONS: REQUIREMENTS: Controlled Unclassified Information (CUI). Certain unclassified information requiring safeguarding and dissemination controls mandated by statute or policy. Examples of such information within DOE include Official Use Only (OUO), Export Controlled Information (ECI), Unclassified Controlled Nuclear Information (UCNI), unclassified Naval Nuclear Propulsion Information (U-NNPI), and protected Personally Identifiable Information (PII). Within DOE other terms have been used, such as Unclassified Controlled Information (UCI) and Sensitive Unclassified Information (SUI), to refer to information that warrants protection as CUI. (Note: Current Government-wide efforts are under way to standardize CUI markings. Refer to which will be updated for most current information.)Scientific and Technical Information: ……STI may be classified, Unclassified Controlled Nuclear Information (UCNI), controlled unclassified information (CUI), or unclassified with no access restrictions. ..REQUIREMENTS:STI must be reviewed for public release as appropriate. STI that is potentially classified must be reviewed for classification. STI that is potentially controlled unclassified information (CUI) (e.g., nonproliferation, national security, export control, intellectual property, or protected Personally Identifiable Information and privacy) must be reviewed to identify such information. STI that contains either classified, Unclassified Controlled Nuclear Information (UCNI), or CUI must be marked in accordance with Departmental directives. Prior to providing the STI to OSTI, an STI Releasing Official must ensure that appropriate announcement and availability restrictions have been applied in accordance with statutory, regulatory, Executive order, and/or other Departmental requirements.
6STI Submission Options for CUI Utilize E-Link and provide individual web Announcement Notices for each STI product & upload full text (E-Link is compliant with FIPS encryption standard)Upload metadata & documents in a batch XML fileSTI Announcement Web ServiceHarvesting (i.e., allowing OSTI to run weekly queries against site serversto pick up XML output files of metadata with URL links to site-posted full text) is only for unlimited STI products;Harvesting sites need to ensure submission process is in place for CUI
7Important PointsCUI is to be routinely submitted to OSTI; any subsequent and further distribution by OSTI on behalf of the Department is then based on approval and ‘need to know’ of the requestor.CUI is a valuable resource to DOE and DOE contractors and STI tenets for central collection hold true:Provides accountability and historical records.Fulfills statutory mandates and Departmental requirements.Saves research dollars by reducing duplication.
8Science Research CONNECTION (SRC) https://www.osti.gov/src Makes sites’ submitted CUI known & accessibleAvailable to DOE Federal or DOE Contractor employees, includes unclassified/unlimited and statutorily controlled information (CUI)Provides access to full-text on a case-by-case/as approved basis.Important resource within DOE/NNSAOver 900 approved users and growing
9Other Important Resources www.directives.doe.gov DOE O 471.3Identifying and Protecting Official Use Only InformationDOE MManual for Identifying and Protecting Official Use Only InformationDOE O 471.1BIdentification and Protection of Unclassified Controlled Nuclear Information
10An Overview of Changes to Come Per Executive Order, the way the Executive branch handles CUI will be standardized.Executive Branch Departments - including Energy, Defense, and Homeland Security – are actively involved.NOTE: Existing practices for sensitive unclassified information remain in effect until the CUI marking implementation deadline (TBD).
11Why CUI Reform?To address current issues within Executive Branch by providing a common definition and standardized processes and procedures…Key points:Currently over 100 ways to characterize CUI (no common definition, no common protocols describing marking, safeguarding, disseminating, etc.).Lack of standardization and clarity can put some information at risk through inadequate safeguarding, other information may be needlessly restricted.EXCERPT: “Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.”
12BackgroundFollowing 9/11… The number of different categories for ‘Sensitive But Unclassified Information’ grew, leading to confusion and shut down of some public access.May President Bush issued memo to adopt CUI as single, standardized method for handling terrorism-related info, intended to lower barriers to information sharing among agencies.May President Obama’s memo calls for a review of all markings that control unclassified information, not just terrorism-related info.
13November 2010Executive Order “Controlled Unclassified Information”Established the CUI program to standardize and simplify the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls.CUI must be based on law, regulation, or Government-wide policy.Emphasis on openness and uniformity of Government-wide practices.CUI labels have no effect on disclosure decisions under FOIA.
14Executive Agent: National Archives and Records Administration (NARA) Issue a Registry of CUI categories and subcategories to be the only markings permitted for unclassified information that requires safeguarding or dissemination controls (to replace OUO, FOUO, SBU, etc.).Only categories/subcategories identified in the Registry may be used to safeguard information within the executive branch (“administrative markings” will be allowed).Registry:
15CUI ImplementationDOE and all Agencies have submitted implementation plans and comments to draft policy underway.Formal interagency coordination expected to begin Spring 2013.NARA will establish deadlines for phased implementation by the Agencies.
16CUI Consolidated Policy DRAFT POLICY ADDRESSES:Background and ApplicabilityElements of the CUI ProgramSafeguardingDisseminationDecontrolMarkingAdditional FacetsRoles and ResponsibilitiesDefinitions
17Key Points Relating to STI Management Regarding Markings:CUI markings will be only markings authorized for use with unclassified information requiring safeguarding and/or dissemination controls.Banner markings placed at either top or bottom of each page containing CUI.Legacy materials – no re-marking required unless it will be re-used, restated, or paraphrased.
18Key Points Relating to STI Management Regarding Safeguarding & Dissemination :Safeguarding will involve Levels: Basic, High, SpecifiedAssociated IT considerations.Disseminate as extensively as necessary provided dissemination is consistent with Lawful Government Purpose.
19Key Points Relating to STI Management Regarding Decontrol:Decontrol as soon as practicable.Section 5.1(e) This should be accomplished without review and should be a transparent process to authorized holders. This is best accomplished by including a decontrol schedule or date with all CUI. Accordingly, in cases where originators of specific items of CUI know with certainty at what point such CUI should be decontrolled, originators shall include such information.Agencies to establish internal processes to manage decisions related to decontrol.Decontrol is not authority for public release.CUI must be reviewed/decontrolled prior to or concurrent with public release.Where feasible, originating agencies will include a specific date or event for decontrol with all media containing CUI.
20Key Points Relating to STI Management Regarding Education, Training & Self-InspectionsPersonnel who create or handle CUI must be trainedInitial and Refresher training (at least biannually)Senior Agency Officials shall establish ongoing agency self-inspectionReport to EA annually for first 3 years, biennially thereafter
21Within DOE – Major Issues Under Discussion Include: Inconsistent with DOE authority for UCNIPortion marking – RD/FRD documentsEncryption requirementsDecontrol-related issuesMore….
22DOE ImplementationFollowing NARA’s issuance of implementation deadlines, DOE will:Develop regulations for information that requires safeguarding that is not in the Registry (e.g., some security-related information, Applied Technology).Develop DOE CUI Regulation and Directive (CUI will officially replace OUO).Revise classification and UCNI guidance to reflect CUI.Develop and promulgate CUI training.Ensure compliance with CUI policies
23Timeframe We’re marching ever closer to CUI being a reality, but deadlines not yet established.CUI may be implemented within DOE in 2014 or 2015 but will be implemented.Until thenExisting practices and marking requirements for sensitive unclassified information remain in effect and continued adherence to DOE Orders for OUO and UCNI is required.
24Questions/Comments and Sites’ Perspectives? Additional information available:Special thanks to HS-61 for CUI-related information.