Today the National Archives and Records Administration’s Information Security Oversight Office (ISOO) published a notice of proposed rulemaking (NPRM) in the Federal Register (80 FR 26501-26511) concerning the harmonization of the way that the Federal Government manages the security of Controlled Unclassified Information (CUI). The authority for this rulemaking is drawn from Executive Order 13556, Controlled Unclassified Information. The National Institute of Standards and Technology (NIST) is providing cybersecurity guidance supporting this program in SP 800-171.
The NPRM would add 32 CFR Part 20 to the Code of Federal Regulations. It would consist of three subparts:
Subpart A – General Information;
Subpart B – Key Elements of the CUI Program; and
Subpart C – CUI Program Management
The federal government produces a great deal of sensitive information. Some of that information is classified information with specific rules for classifying, marking and protecting the information. Those rules are not affected by this NPRM. This NPRM attempts to establish baseline rules for designating, marking and protecting sensitive (but not classified) information across the more than 100 existing programs that handle it.
There are a couple of factors that complicate the issue. First, some of those programs already have procedures in place that were established by law or regulation. This rulemaking will have minimal effect on those procedures. Second, there has been no centralized authority to oversee the administration of these programs. That was changed by EO 13556, which gave that authority to NARA; NARA in turn delegated it to ISOO.
According to the Preamble to this NPRM:
“The CUI Program provides a unified system for handling unclassified information that requires safeguarding or dissemination controls, and sets consistent, executive branch-wide standards and markings for doing so. The CUI Program has established controls pursuant to and consistent with already-existing applicable law, Federal regulations, and Government-wide policy. However, because those authorities, as well as ad hoc agency policies and practices, were often applied in different ways by different agencies, the CUI Program also establishes unambiguous policy, requirements, and consistent standards.”
Well before this rulemaking was drafted, NARA established the CUI Registry, a listing of all authorized CUI programs. It established 23 categories of CUI and a number of sub-categories; the sub-categories are essentially the approved CUI programs. Two categories are of principal interest to readers of this blog: Critical Infrastructure and Transportation. Specific programs/sub-categories include (* indicates programs with procedures established by law or regulations):
This rulemaking is principally targeted at government agencies that manage CUI programs and/or hold CUI. The effects will be felt, however, by private sector entities that hold or produce CUI. Where existing standards are already in place by regulation or law, this rulemaking will generally not change those standards. Where the existing standards do not specifically address one or more of the requirements proposed in this rulemaking (cybersecurity requirements, for example), the CUI standards will apply.
It is not clear whether or not agencies will have to conduct their own rulemakings to incorporate the additional requirements imposed by this CUI program, or if they will be able to just change their guidance documents to reference these new requirements. It may, in fact, be left up to agency discretion.
I will be looking at the proposed CUI program requirements in more detail in future posts.
NARA is soliciting public comments on this proposed rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # NARA-2015-037). Comments need to be submitted by July 7th, 2015.