Presentation is loading. Please wait.

Presentation is loading. Please wait.

CUI Controlled Unclassified Information

Published byLamar Corell Modified over 10 years ago

Similar presentations

Presentation on theme: "CUI Controlled Unclassified Information"— Presentation transcript:

1 CUI Controlled Unclassified Information
A Review & Overview of Changes to Come Judy C. Gilmore DOE OSTI William D. Rhodes NNSA STIP Annual Working Meeting April 11, 2013

2 Overview of Changes to Come
CUI – Review & Overview Review Categories of CUI within DOE Ways to Process Ways to Access Overview of Changes to Come Background 2010 Executive Order and Resulting Actions Within DOE

3 CUI Defined Controlled Unclassified Information (CUI) Unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulation, and Government-wide policy. WITHIN DOE: "Controlled Unclassified Information " (CUI) is an overarching term used to refer to unclassified information that is identified and marked as sensitive (e.g., OUO and Unclassified Controlled Nuclear Information (UCNI)).

4 DOE STI is Disseminated by OSTI per Access Limitation Provided by Submitting Sites/Organizations
Unrestricted Distribution Unlimited Announcement OpenNet (only publicly releasable) Distribution Limitations – Controlled Unclassified Copyrighted Material w. Restrictions Small Business Innovative Research Data (SBIR) Small Business Technology Transfer Research Data (STTR) Naval Nuclear Propulsion Information (NNPI) Unclassified Controlled Nuclear Information (UCNI) Official Use Only Distribution Limitations – Controlled Unclassified Export Controlled Information Security Sensitive Information Protected Data (CRADA or Other) Patentable Material Patent Pending Limited Rights Data (Proprietary/Trade Secret) Nuclear Energy Applied Technology Program-Determined Official Use Only Classified Distribution Classified Information NOTE: Sites which do not produce CUI based on mission responsibilities, MAY produce CUI as a result of CRADAs, SBIR agreements, etc.

5 Within DOE Order 241.1B DEFINITIONS: REQUIREMENTS:
Controlled Unclassified Information (CUI). Certain unclassified information requiring safeguarding and dissemination controls mandated by statute or policy. Examples of such information within DOE include Official Use Only (OUO), Export Controlled Information (ECI), Unclassified Controlled Nuclear Information (UCNI), unclassified Naval Nuclear Propulsion Information (U-NNPI), and protected Personally Identifiable Information (PII). Within DOE other terms have been used, such as Unclassified Controlled Information (UCI) and Sensitive Unclassified Information (SUI), to refer to information that warrants protection as CUI. (Note: Current Government-wide efforts are under way to standardize CUI markings. Refer to which will be updated for most current information.) Scientific and Technical Information: ……STI may be classified, Unclassified Controlled Nuclear Information (UCNI), controlled unclassified information (CUI), or unclassified with no access restrictions. .. REQUIREMENTS: STI must be reviewed for public release as appropriate. STI that is potentially classified must be reviewed for classification. STI that is potentially controlled unclassified information (CUI) (e.g., nonproliferation, national security, export control, intellectual property, or protected Personally Identifiable Information and privacy) must be reviewed to identify such information. STI that contains either classified, Unclassified Controlled Nuclear Information (UCNI), or CUI must be marked in accordance with Departmental directives. Prior to providing the STI to OSTI, an STI Releasing Official must ensure that appropriate announcement and availability restrictions have been applied in accordance with statutory, regulatory, Executive order, and/or other Departmental requirements.

6 STI Submission Options for CUI
Utilize E-Link and provide individual web Announcement Notices for each STI product & upload full text (E-Link is compliant with FIPS encryption standard) Upload metadata & documents in a batch XML file STI Announcement Web Service Harvesting (i.e., allowing OSTI to run weekly queries against site servers to pick up XML output files of metadata with URL links to site-posted full text) is only for unlimited STI products; Harvesting sites need to ensure submission process is in place for CUI

7 Important Points CUI is to be routinely submitted to OSTI; any subsequent and further distribution by OSTI on behalf of the Department is then based on approval and ‘need to know’ of the requestor. CUI is a valuable resource to DOE and DOE contractors and STI tenets for central collection hold true: Provides accountability and historical records. Fulfills statutory mandates and Departmental requirements. Saves research dollars by reducing duplication.

8 Science Research CONNECTION (SRC) https://www.osti.gov/src
Makes sites’ submitted CUI known & accessible Available to DOE Federal or DOE Contractor employees, includes unclassified/unlimited and statutorily controlled information (CUI) Provides access to full-text on a case-by-case/as approved basis. Important resource within DOE/NNSA Over 900 approved users and growing

9 Other Important Resources www.directives.doe.gov
DOE O 471.3 Identifying and Protecting Official Use Only Information DOE M Manual for Identifying and Protecting Official Use Only Information DOE O 471.1B Identification and Protection of Unclassified Controlled Nuclear Information

10 An Overview of Changes to Come
Per Executive Order, the way the Executive branch handles CUI will be standardized. Executive Branch Departments - including Energy, Defense, and Homeland Security – are actively involved. NOTE: Existing practices for sensitive unclassified information remain in effect until the CUI marking implementation deadline (TBD).

11 Why CUI Reform? To address current issues within Executive Branch by providing a common definition and standardized processes and procedures… Key points: Currently over 100 ways to characterize CUI (no common definition, no common protocols describing marking, safeguarding, disseminating, etc.). Lack of standardization and clarity can put some information at risk through inadequate safeguarding, other information may be needlessly restricted. EXCERPT: “Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.”

12 Background Following 9/11… The number of different categories for ‘Sensitive But Unclassified Information’ grew, leading to confusion and shut down of some public access. May President Bush issued memo to adopt CUI as single, standardized method for handling terrorism-related info, intended to lower barriers to information sharing among agencies. May President Obama’s memo calls for a review of all markings that control unclassified information, not just terrorism-related info.

13 November 2010 Executive Order “Controlled Unclassified Information” Established the CUI program to standardize and simplify the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls. CUI must be based on law, regulation, or Government-wide policy. Emphasis on openness and uniformity of Government-wide practices. CUI labels have no effect on disclosure decisions under FOIA.

14 Executive Agent: National Archives and Records Administration (NARA)
Issue a Registry of CUI categories and subcategories to be the only markings permitted for unclassified information that requires safeguarding or dissemination controls (to replace OUO, FOUO, SBU, etc.). Only categories/subcategories identified in the Registry may be used to safeguard information within the executive branch (“administrative markings” will be allowed). Registry:

15 CUI Implementation DOE and all Agencies have submitted implementation plans and comments to draft policy underway. Formal interagency coordination expected to begin Spring 2013. NARA will establish deadlines for phased implementation by the Agencies.

16 CUI Consolidated Policy
DRAFT POLICY ADDRESSES: Background and Applicability Elements of the CUI Program Safeguarding Dissemination Decontrol Marking Additional Facets Roles and Responsibilities Definitions

17 Key Points Relating to STI Management
Regarding Markings: CUI markings will be only markings authorized for use with unclassified information requiring safeguarding and/or dissemination controls. Banner markings placed at either top or bottom of each page containing CUI. Legacy materials – no re-marking required unless it will be re-used, restated, or paraphrased.

18 Key Points Relating to STI Management
Regarding Safeguarding & Dissemination : Safeguarding will involve Levels: Basic, High, Specified Associated IT considerations. Disseminate as extensively as necessary provided dissemination is consistent with Lawful Government Purpose.

19 Key Points Relating to STI Management
Regarding Decontrol: Decontrol as soon as practicable. Section 5.1(e) This should be accomplished without review and should be a transparent process to authorized holders. This is best accomplished by including a decontrol schedule or date with all CUI. Accordingly, in cases where originators of specific items of CUI know with certainty at what point such CUI should be decontrolled, originators shall include such information. Agencies to establish internal processes to manage decisions related to decontrol. Decontrol is not authority for public release. CUI must be reviewed/decontrolled prior to or concurrent with public release. Where feasible, originating agencies will include a specific date or event for decontrol with all media containing CUI.

20 Key Points Relating to STI Management
Regarding Education, Training & Self-Inspections Personnel who create or handle CUI must be trained Initial and Refresher training (at least biannually) Senior Agency Officials shall establish ongoing agency self-inspection Report to EA annually for first 3 years, biennially thereafter

21 Within DOE – Major Issues Under Discussion Include:
Inconsistent with DOE authority for UCNI Portion marking – RD/FRD documents Encryption requirements Decontrol-related issues More….

22 DOE Implementation Following NARA’s issuance of implementation deadlines, DOE will: Develop regulations for information that requires safeguarding that is not in the Registry (e.g., some security-related information, Applied Technology). Develop DOE CUI Regulation and Directive (CUI will officially replace OUO). Revise classification and UCNI guidance to reflect CUI. Develop and promulgate CUI training. Ensure compliance with CUI policies

23 Timeframe We’re marching ever closer to CUI being a reality,
but deadlines not yet established. CUI may be implemented within DOE in 2014 or 2015 but will be implemented. Until then Existing practices and marking requirements for sensitive unclassified information remain in effect and continued adherence to DOE Orders for OUO and UCNI is required.

24 Questions/Comments and Sites’ Perspectives?
Additional information available: Special thanks to HS-61 for CUI-related information.

Download ppt "CUI Controlled Unclassified Information"

Similar presentations

June 27, 2005 Preparing your Implementation Plan.

June 27, 2005 Preparing your Implementation Plan.
S.L. 2013-413 Part 1, Section 3.(b) G.S. 150B-21.3A: PERIODIC REVIEW AND EXPIRATION OF EXISTING RULES.

S.L Part 1, Section 3.(b) G.S. 150B-21.3A: PERIODIC REVIEW AND EXPIRATION OF EXISTING RULES.
FOIA Exemption 1 & E.O Classified National Security Information

FOIA Exemption 1 & E.O Classified National Security Information
Managing Government Records Directive ACERA Meeting November 6, 2012 Don Rosen Director of Policy, Analysis and Enforcement Office of the Chief Records.

Managing Government Records Directive ACERA Meeting November 6, 2012 Don Rosen Director of Policy, Analysis and Enforcement Office of the Chief Records.
2009 Data Protection Seminar

2009 Data Protection Seminar
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
OMB Circular A133 Audits of States, Local Governments, and Non-Profit Organizations 1 Departmental Research Administrators Training Track.

OMB Circular A133 Audits of States, Local Governments, and Non-Profit Organizations 1 Departmental Research Administrators Training Track.
Www.eia.gov U.S. Energy Information Administration Independent Statistics & Analysis Controlled Unclassified Information FCSM Conference Jacob Bournazian,

U.S. Energy Information Administration Independent Statistics & Analysis Controlled Unclassified Information FCSM Conference Jacob Bournazian,
CHORUS Implementation Webinar May 16, 2014 Mark Martin Assistant Director, Office of Scientific and Technical Information Office of Science U.S. Department.

CHORUS Implementation Webinar May 16, 2014 Mark Martin Assistant Director, Office of Scientific and Technical Information Office of Science U.S. Department.
What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
IT Security Law for Federal Agencies As of: 30 December 2002.

IT Security Law for Federal Agencies As of: 30 December 2002.
Briefing Outline  Overview of the CUI Program  Establishment of the Program  Elements of the CUI Executive Order  Requirements and Timelines  Categories.

Briefing Outline  Overview of the CUI Program  Establishment of the Program  Elements of the CUI Executive Order  Requirements and Timelines  Categories.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
The National Declassification Center Releasing All We Can, Protecting What We Must Public Interest Declassification Board NDC Project Update April 22,

The National Declassification Center Releasing All We Can, Protecting What We Must Public Interest Declassification Board NDC Project Update April 22,
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Information Governance and the Presidential Memo on Managing Government Records: Converging Issues and the Search for New Ideas Presidential Memorandum:

Information Governance and the Presidential Memo on Managing Government Records: Converging Issues and the Search for New Ideas Presidential Memorandum:
Contractor Management and ISO 14001:2004

Contractor Management and ISO 14001:2004
Introduction to Intellectual Property using the Federal Acquisitions Regulations (FAR) To talk about intellectual property in government contracting, we.

Introduction to Intellectual Property using the Federal Acquisitions Regulations (FAR) To talk about intellectual property in government contracting, we.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)

Similar presentations

Ads by Google