A case of too many data restrictions

Intelligence leaders will offer a new proposal to stop excesses of unclassified data labeling.

The ways agencies label sensitive-but-unclassified information have spawned more than 100 approaches and prevented data sharing inside the federal government and with state and local authorities. But that labeling situation is about to be cleaned up, which could mean improved information sharing. The official responsible for promoting information sharing said he will submit a plan to President Bush in the next month or so that will contain final recommendations for standardizing and simplifying the categorization of unclassified information.Thomas McNamara, the top official in the Office of the Program Manager for the Information Sharing Environment (PM-ISE), said all sensitive-but-unclassified (SBU) data will be categorized as controlled unclassified information (CUI). Agencies will separate CUI into three categories based on how many and which safeguards they need to apply. The plan will describe the different levels and provide guidelines for what they mean and how they are to be used, said a government official familiar with the effort, who requested anonymity.“We patterned this along the lines of classified data,” McNamara said during a panel discussion on information sharing sponsored by Government Executive magazine. “This will be a major change in policies and business practices. By using CUI, information will flow more easily.”Lawmakers and some other experts have said the inability to share SBU information continues to be a major inhibitor to sharing information that could enhance public safety.When the Government Accountability Office looked at the data categorizing practices of the 24 largest Cabinet agencies, it found they used at least 56 SBU classifications, each with different definitions. “Agencies realized they had sensitive information that didn’t qualify as national security issues so these labels grew out of the agency’s mission,” said Eileen Larence, GAO’s director for homeland security and justice issues. “There is not a regimen over  SBU like there is over classified information, so there was no structure or oversight.”In December 2006, Bush asked the PM-ISE to deal with categorization practices because they have created obstacles to sharing information.PM-ISE went to work by setting up a committee that created an inventory of all agencies’ SBU classifications. The government official said the group stopped counting at 107, but committee members assumed there were hundreds more.“The three main buckets are based on a simple process: How do you protect a document and who do you send it to?” the official said. “That is the crux of the confusion right now. Users, especially state and local officials, don’t know how to protect the information.”The PM-ISE plan will include a cost estimate for establishing the categorization framework it proposes. The official would not provide specific costs. However, the official did say agencies might need to spend millions to make changes in their software and train employees.David Marin, a spokesman for Rep. Tom Davis (R-Va.), who was co-author of a bill to address the data issue, said PM-ISE’s effort is focused on the wrong issues.“We need a system that narrowly defines why, how and for how long SBU markings can be applied, when they expire and how they can be challenged,” Marin said.

Information Sharing Environment implementation plan

Related Links

ODNI moves away from a ‘need-to-know’ cultureFor decades, agencies worked in a need-to-know culture when it came to sharing sensitive information. Mike McConnell, director of the Office of the Director of National Intelligence, said analysts need to shift gears and accept a new cultural standard, which he described as a responsibility to provide information.

To move the government to that new culture, intelligence agencies must retrain analysts and other employees to think about new ways to share information and change their business practices.

“This will put pressure on the analyst to think about who is their customer and how do they get the information to them,” McConnell said.

Other experts said the most costly and challenging aspect of creating a new culture is building an internal infrastructure that supports new methods, including audits, self-inspections and other internal controls.

— Jason Miller