The Obama administration is expected to issue a proposed rule to require agencies to stop labeling sensitive data with dozens of classification markings -- and to call it all by one name, federal officials say.
Right now, there are around 120 different designations for information that does not reach the level of classified status, but requires some sort of safeguarding, such as personnel files. Next year, these labels -- examples include Sensitive but Unclassified, Law Enforcement Sensitive, and For Official Use Only -- will simply become "Controlled Unclassified Information," according to the National Archives and Records Administration.
The proposed regulation is expected to be introduced by March 2015.
"Don’t apply controls randomly" is the premise, John Fitzpatrick, director of the Archives' Information Security Oversight Office, told Nextgov. "Have a rationale system for applying the controls. Hopefully, that will lead to controls not being applied where they are not needed."
As part of a government transparency initiative, Obama directed the Archives, in a 2010 executive order, to harmonize the way agencies restrict confidential information.
Fitzpatrick said the Archives recently received 1,000 comments on the second version of a draft proposal circulated governmentwide. The Archives, by mid-February 2015, must submit to the White House a proposed rule incorporating the comments for the public to see, he said. The rule is anticipated to take effect late in 2015.
The old demarcations “had no basis in anything -- the agencies made them up,” said Patrice McDermott, executive director of OpenTheGovernment.org, who has reviewed the draft rule.
When it kicks in, agencies must write it into contracts with companies that store sensitive data, such as scientific research and background investigations, officials said. The administration is in early discussions about amending the Federal Acquisition Regulation to incorporate the new rule. As a start, last month the National Institute of Standards and Technology published for public review draft recommendations for dealing with CUI on contractor networks.
Level of Security? Wrap It in Three Envelopes
There are more than 300 laws, regulations and governmentwide policies that require certain types of information to be safeguarded.
The Archives has boiled all that legalese into 20-some broad categories, such as nuclear data and cybersecurity vulnerabilities, and posted instructions for handling each group in a public, online registry. Under the rule, all of it would be labeled CUI and protected as directed.
Up until now, the instructions on securing privacy-related information have essentially varied from “Put it in a folder,” to “Put it in a closed container,” to “Put it in a secure container.’”
Fitzpatrick said: "What do all those different things mean? To one person it means, 'It’s covered up when it’s on my desk’ -- the range of safeguarding practices was everything you could imagine, including ‘Wrap it in one envelope,’ ‘Wrap it in two envelopes,’ ‘Wrap it in three envelopes.’ And it was all over the map.”
Some public interest groups who have reviewed the draft say they are generally pleased with the outcome. Even though there are only 20 classes of information, subgroups within each category create a total of 100 groupings, McDermott noted.
The CUI effort predates leaks of U.S. secrets by former soldier Chelsea Manning and ex-intelligence contractor Edward Snowden.
“It was part of that early push to really try to reign in the secrecy and make government more open,” McDermott said. “We know how much they've struggled with that -- this at least is genuine.”
The problem of classification proliferation also crept up in a whistle-blower case the U.S. Supreme Court heard last month, involving a federal air marshal who was fired after disclosing alleged aviation security lapses. The government argued former air marshal Robert MacLean violated agency rules that prohibit releasing "security sensitive information," one of the many data designations for sensitive but unclassified information.
MacLean reportedly said the documents were not marked "security sensitive" when they were distributed to employees.
The Marker Police
While the CUI rule takes effect next year, it could take until the end of the decade to grow some teeth. Full implementation is not scheduled until fiscal year 2018. It remains unknown how agencies and contractors will demonstrate compliance. Because of the number of companies affected, they may be asked to self-certify they are following the mandate.
“We recognize there is information that does need to be protected for a certain amount of time," McDermott said. "One of our concerns is to make sure it gets decontrolled as soon as possible."
The Defense Department in November 2013 issued a separate rule for contractors on handling nonpublic military technological and scientific data, referred to as "Unclassified Controlled Technical Information.”
The regulation, Fitzpatrick says, was formed with the new CUI regime in mind. And "Unclassified Controlled Technical Information" will be a category in the registry. Ultimately, the forthcoming Federal Acquisition Rule likely will replace the Defense rule, which has been criticized as too prescriptive, he said.
Multiple directives for handling, marking and figuring out who is responsible for nonpublic data generate more than just secrecy.
“Those drive costs, in addition to driving people crazy," Fitzpatrick said.