Today the National Archives and Records Administration’s Information
Security Oversight Office (ISOO) published a notice of proposed rulemaking
(NPRM) in the Federal Register (80 FR
26501-26511) concerning the harmonization of the way that the Federal
Government manages the security of Controlled Unclassified Information (CUI).
The authority for this rulemaking is drawn from Executive
Order 13556, Controlled Unclassified Information. The National
Institute of Standards and Technology (NIST) is providing
cybersecurity guidance supporting this program in SP 800-171.
The NPRM would add 32 CFR
Part 20 to the Code of Federal Regulations. It would consist of three subparts:
Subpart A – General Information;
Subpart B – Key Elements of the
CUI Program; and
Subpart C – CUI Program Management
Purpose
The federal government produces a great deal of sensitive
information. Some of that information is classified information with specific
rules for classifying, marking and protecting the information. Those rules are
not affected by this NPRM. This NPRM attempts to establish the baseline
rules for classifying, marking and protecting sensitive (but not classified)
information across more than 100 existing programs.
There are a couple of factors that complicate the issue. First
is the fact that some of those programs already have procedures in place that
were established by law or regulation. This rulemaking will have minimal effect
on those procedures. Second, there has been no centralized authority to
oversee the administration of these programs. That changed with EO 13556,
which gave NARA that authority; NARA in turn delegated it to ISOO.
According
to the Preamble to this NPRM:
“The CUI Program provides a unified
system for handling unclassified information that requires safeguarding or
dissemination controls, and sets consistent, executive branch-wide standards
and markings for doing so. The CUI Program has established controls pursuant to
and consistent with already-existing applicable law, Federal regulations, and
Government-wide policy. However, because those authorities, as well as ad
hoc agency policies and practices, were often applied in different
ways by different agencies, the CUI Program also establishes unambiguous
policy, requirements, and consistent standards.”
CUI Registry
Well before this rulemaking was drafted, NARA established the
CUI Registry,
a listing of all authorized CUI programs. It established 23 categories of CUI
programs and a number of sub-categories, the sub-categories being essentially
the approved CUI programs. Two categories are of principal interest to
readers of this blog: Critical Infrastructure and Transportation. Specific
programs/sub-categories include (* indicates programs with procedures established
by law or regulation):
Impact
This rulemaking is principally targeted at government agencies
that manage CUI programs and/or hold CUI information. The effects will be felt,
however, by private sector entities that hold or produce CUI information.
Where standards are already in place by regulation or law,
this rulemaking will generally not change those standards. Where existing
standards do not specifically address one or more of the requirements proposed
in this rulemaking (cybersecurity requirements, for example), the CUI standards
will apply.
It is not clear whether or not agencies will have to conduct
their own rulemakings to incorporate the additional requirements imposed by
this CUI program, or if they will be able to just change their guidance
documents to reference these new requirements. It may, in fact, be left up to
agency discretion.
I will be looking at the proposed CUI program requirements
in more detail in future posts.
Public Comments
NARA is soliciting public comments on this proposed
rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # NARA-2015-037).
Comments need to be submitted by July 7th, 2015.