cui controlled unclassified information stip annual working meeting april 11, 2013 judy c. gilmore...

Post on 02-Apr-2015


CUI

Controlled Unclassified Information

STIP Annual Working Meeting April 11, 2013

Judy C. Gilmore

DOE OSTI

William D. Rhodes

NNSA

A Review & Overview of Changes to Come

CUI – Review & Overview

Review

• Categories of CUI within DOE

• Ways to Process

• Ways to Access

Overview of Changes to Come

• Background

• 2010 Executive Order and Resulting Actions

• Within DOE

CUI Defined

Controlled Unclassified Information (CUI): Unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulation, and Government-wide policy.

WITHIN DOE: "Controlled Unclassified Information" (CUI) is an overarching term used to refer to unclassified information that is identified and marked as sensitive (e.g., OUO and Unclassified Controlled Nuclear Information (UCNI)).

Unrestricted Distribution

• Unlimited Announcement

• OpenNet (only publicly releasable)

Distribution Limitations – Controlled Unclassified

• Copyrighted Material w. Restrictions

• Small Business Innovative Research Data (SBIR)

• Small Business Technology Transfer Research Data (STTR)

• Naval Nuclear Propulsion Information (NNPI)

• Unclassified Controlled Nuclear Information (UCNI)

Official Use Only Distribution Limitations – Controlled Unclassified

• Export Controlled Information

• Security Sensitive Information

• Protected Data (CRADA or Other)

• Patentable Material

• Patent Pending

• Limited Rights Data (Proprietary/Trade Secret)

• Nuclear Energy Applied Technology

• Program-Determined Official Use Only

Classified Distribution

• Classified Information

DOE STI is Disseminated by OSTI per Access Limitation Provided by Submitting Sites/Organizations

NOTE: Sites which do not produce CUI based on mission responsibilities, MAY produce CUI as a result of CRADAs, SBIR agreements, etc.

Within DOE Order 241.1B

DEFINITIONS:

• Controlled Unclassified Information (CUI). Certain unclassified information requiring safeguarding and dissemination controls mandated by statute or policy. Examples of such information within DOE include Official Use Only (OUO), Export Controlled Information (ECI), Unclassified Controlled Nuclear Information (UCNI), unclassified Naval Nuclear Propulsion Information (U-NNPI), and protected Personally Identifiable Information (PII). Within DOE other terms have been used, such as Unclassified Controlled Information (UCI) and Sensitive Unclassified Information (SUI), to refer to information that warrants protection as CUI. (Note: Current Government-wide efforts are under way to standardize CUI markings. Refer to www.osti.gov/stip, which will be updated for most current information.)

• Scientific and Technical Information: … STI may be classified, Unclassified Controlled Nuclear Information (UCNI), controlled unclassified information (CUI), or unclassified with no access restrictions. …

REQUIREMENTS:

• STI must be reviewed for public release as appropriate. STI that is potentially classified must be reviewed for classification. STI that is potentially controlled unclassified information (CUI) (e.g., nonproliferation, national security, export control, intellectual property, or protected Personally Identifiable Information and privacy) must be reviewed to identify such information. STI that contains either classified, Unclassified Controlled Nuclear Information (UCNI), or CUI must be marked in accordance with Departmental directives. Prior to providing the STI to OSTI, an STI Releasing Official must ensure that appropriate announcement and availability restrictions have been applied in accordance with statutory, regulatory, Executive order, and/or other Departmental requirements.

STI Submission Options for CUI

• Utilize E-Link and provide individual web Announcement Notices for each STI product & upload full text (E-Link is compliant with the FIPS 140-2 encryption standard)

• Upload metadata & documents in a batch XML file

• STI Announcement Web Service

http://www.osti.gov/stip/docs/AN241.1web_%20service_0.pdf

Harvesting (i.e., allowing OSTI to run weekly queries against site servers to pick up XML output files of metadata with URL links to site-posted full text) is only for unlimited STI products; harvesting sites need to ensure a submission process is in place for CUI.

Important Points

• CUI is to be routinely submitted to OSTI; any subsequent and further distribution by OSTI on behalf of the Department is then based on approval and ‘need to know’ of the requestor.

• CUI is a valuable resource to DOE and DOE contractors and STI tenets for central collection hold true:

  • Provides accountability and historical records.

  • Fulfills statutory mandates and Departmental requirements.

  • Saves research dollars by reducing duplication.

Science Research CONNECTION (SRC)

https://www.osti.gov/src

• Makes sites’ submitted CUI known & accessible

• Available to DOE Federal or DOE Contractor employees, includes unclassified/unlimited and statutorily controlled information (CUI)

• Provides access to full-text on a case-by-case/as approved basis.

• Important resource within DOE/NNSA

• Over 900 approved users and growing

Other Important Resources

www.directives.doe.gov

• DOE O 471.3, Identifying and Protecting Official Use Only Information

• DOE M 471.3-1, Manual for Identifying and Protecting Official Use Only Information

• DOE O 471.1B, Identification and Protection of Unclassified Controlled Nuclear Information

• http://www.hss.doe.gov/classificiation/QualityMgt/ouo.html

An Overview of Changes to Come

• Per Executive Order, the way the Executive branch handles CUI will be standardized.

• Executive Branch Departments – including Energy, Defense, and Homeland Security – are actively involved.

NOTE: Existing practices for sensitive unclassified information remain in effect until the CUI marking implementation deadline (TBD).

Why CUI Reform?

To address current issues within Executive Branch by providing a common definition and standardized processes and procedures…

Key points:

• Currently over 100 ways to characterize CUI (no common definition, no common protocols describing marking, safeguarding, disseminating, etc.).

• Lack of standardization and clarity can put some information at risk through inadequate safeguarding; other information may be needlessly restricted.

EXCERPT: “Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.”

Background

Following 9/11… The number of different categories for ‘Sensitive But Unclassified Information’ grew, leading to confusion and shut down of some public access.

May 2008 President Bush issued memo to adopt CUI as single, standardized method for handling terrorism-related info, intended to lower barriers to information sharing among agencies.

May 2009 President Obama’s memo calls for a review of all markings that control unclassified information, not just terrorism-related info.

November 2010

Executive Order 13556 “Controlled Unclassified Information”

• Established the CUI program to standardize and simplify the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls.

• CUI must be based on law, regulation, or Government-wide policy.

• Emphasis on openness and uniformity of Government-wide practices.

• CUI labels have no effect on disclosure decisions under FOIA.

Executive Agent: National Archives and Records Administration (NARA)

• Issue a Registry of CUI categories and subcategories to be the only markings permitted for unclassified information that requires safeguarding or dissemination controls (to replace OUO, FOUO, SBU, etc.).

• Only categories/subcategories identified in the Registry may be used to safeguard information within the executive branch (“administrative markings” will be allowed).

• Registry: http://www.archives.gov/cui/registry/category-list.html

CUI Implementation

• DOE and all Agencies have submitted implementation plans and comments to draft policy underway.

• Formal interagency coordination expected to begin Spring 2013.

• NARA will establish deadlines for phased implementation by the Agencies.


CUI Consolidated Policy

DRAFT POLICY ADDRESSES:

• Background and Applicability

• Elements of the CUI Program

• Safeguarding

• Dissemination

• Decontrol

• Marking

• Additional Facets

• Roles and Responsibilities

• Definitions

Key Points Relating to STI Management

Regarding Markings:

• CUI markings will be only markings authorized for use with unclassified information requiring safeguarding and/or dissemination controls.

• Banner markings placed at either top or bottom of each page containing CUI.

• Legacy materials – no re-marking required unless it will be re-used, restated, or paraphrased.

Key Points Relating to STI Management

Regarding Safeguarding & Dissemination:

• Safeguarding will involve Levels: Basic, High, Specified

• Associated IT considerations.

• Disseminate as extensively as necessary provided dissemination is consistent with Lawful Government Purpose.

Key Points Relating to STI Management

Regarding Decontrol:

• Decontrol as soon as practicable.

Section 5.1(e) This should be accomplished without review and should be a transparent process to authorized holders. This is best accomplished by including a decontrol schedule or date with all CUI. Accordingly, in cases where originators of specific items of CUI know with certainty at what point such CUI should be decontrolled, originators shall include such information.

• Agencies to establish internal processes to manage decisions related to decontrol.

• Decontrol is not authority for public release.

• CUI must be reviewed/decontrolled prior to or concurrent with public release.

• Where feasible, originating agencies will include a specific date or event for decontrol with all media containing CUI.

Key Points Relating to STI Management

Regarding Education, Training & Self-Inspections

• Personnel who create or handle CUI must be trained

• Initial and Refresher training (at least biannually)

• Senior Agency Officials shall establish ongoing agency self-inspection

• Report to EA annually for first 3 years, biennially thereafter


Within DOE – Major Issues Under Discussion Include:

• Inconsistent with DOE authority for UCNI

• Portion marking – RD/FRD documents

• Encryption requirements

• Decontrol-related issues

More….

DOE Implementation

Following NARA’s issuance of implementation deadlines, DOE will:

• Develop regulations for information that requires safeguarding that is not in the Registry (e.g., some security-related information, Applied Technology).

• Develop DOE CUI Regulation and Directive (CUI will officially replace OUO).

• Revise classification and UCNI guidance to reflect CUI.

• Develop and promulgate CUI training.

• Ensure compliance with CUI policies

Timeframe

We’re marching ever closer to CUI being a reality, but deadlines not yet established.

CUI may be implemented within DOE in 2014 or 2015 but will be implemented.

Until then

Existing practices and marking requirements for sensitive unclassified information remain in effect and continued adherence to DOE Orders for OUO and UCNI is required.

Questions/Comments and Sites’ Perspectives?

• Additional information available: www.archives.gov/cui

• Special thanks to HS-61 for CUI-related information.
