NARA preps for new info control rules

Policies across the federal government for locking down sensitive but unclassified information are, well, a little federated.                         

Plans to create a single category, dubbed "controlled unclassified information," and craft regulations about its handling by government agencies and contractors who store such information on their systems are about to bear fruit.

"The methods that are applied currently are confusing and drive excessive costs. Allowing a thousand flowers to bloom in the manner of labels, markings, safeguarding techniques and all these kinds of instructions -- there's a certain amount of inefficiency here," John P. Fitzpatrick, director of the Information Security Oversight Office at the National Archives and Records Administration, said at a May 28 public meeting to update feds and stakeholders about plans for CUI handling.

The process was set in motion by a 2012 executive order.

The change in rules is not aimed at creating new categories of information to guard from disclosure, Fitzpatrick said. Statutory requirements, regulations and government-wide policies drive the decisions to tab information as CUI. To accommodate the demands of the entire federal enterprise, NARA established, with input from agencies, 23 categories and 82 subcategories of CUI in a registry, with links to the statutory or regulatory basis for keeping the info under wraps.

If the final rule on CUI handling is published at the end of the 2015, it starts the clock on a three- to four-year phased implementation. For agencies, the biggest change is in the marking of CUI documents prior to dissemination. A marking handbook is being developed internally at NARA with input from agencies, and the expectation is that every page of a protected document will contain banner information identifying it as CUI.

Agencies are also expected to protect CUI stored on federal computer systems at the FISMA moderate level for information security. NARA expects the IT changes to be among the most arduous for agencies. While an estimated 70 percent of agencies will have no trouble meeting the moderate requirement, some agencies that aren't accustomed to dealing with information controls are likely to face hurdles. NARA is shooting for all agencies to be in compliance by the end of the implementation process.

On the contractor side, the National Institute of Standards and Technology is due to release a new special publication covering confidentiality of CUI on nonfederal systems that sets security standards similar to FISMA moderate for contractors. The NIST advisory will serve as guidance for vendors who store, transmit and handle CUI on behalf of agencies until the Federal Acquisition Regulation is updated to create contractual standards for CUI.

This could represent a significant change for federal contractors. Fitzpatrick estimates there are at least 300,000 who have CUI in their systems. There are no plans for formal checks of systems to make sure they are compliant, as is done for contractors cleared for classified information. Instead, Fitzpatrick said, the plan is for contractors to certify themselves, and any checks will be done by agencies that have special needs, or perhaps in the aftermath of a breach. He urged contractors to stay involved as these requirements wend through the FAR draft rule process, so that they are not blindsided.

"It's really not until the FAR rule lands, the CUI rule and this NIST rule, that you're going to understand every implication on a company through the contracting process," Fitzpatrick said.

Privacy and decontrol

Some agencies are concerned about the disposition of personally identifiable information in their systems. There are some specific legal protections in place that apply precisely to government information.

For instance, personally identifiable census information is kept from public release for 72 years after collection, and patent filers are guaranteed 18 months of secrecy after submitting an application. In most cases, the law is less specific, and agencies are guided by regulations and policies when it comes to "decontrolling" information. Other personal info is protected by the Privacy Act and other statutes that apply to health and financial information, or regulations on information collection that are agency-specific.

"What we're trying to do in the privacy space is to recognize that that information is unique," Fitzpatrick told reporters after the NARA event. "There are times when its presence in the government's possession requires protection under the privacy laws in a certain way, and there are times when the laws say no, not as much," he said.

One of the goals of the CUI policy is to end the practice of officials reflexively stamping "for official use only" on government documents, even though they are not protected under the standards promulgated by the executive order and the CUI policy.

On the other hand, agencies have identified a few categories of information that are considered worthy of protection that don't have specific language in law, regulations or government policy. During the rule-writing process, NARA learned that federal law enforcement protected certain investigative information, including the identity of confidential informants, more by custom than by rule. NARA worked to create a provisional category of protected CUI that covered this area.