This is the second in a series of posts on the notice of
proposed rulemaking (NPRM) recently published by the National Archives and
Records Administration’s (NARA) Information Security Oversight Office (ISOO) on
the establishment and harmonization of controls on controlled unclassified
information (CUI). Other posts in the series include:
The first subpart of the rule outlines the general
information about the CUI program. It includes:
∙ Purpose and scope.
∙ Definitions.
∙ CUI Executive Agent.
∙ Roles and responsibilities.
Purpose and Scope
This section explains
that the CUI program “establishes policy for designating, handling, and
decontrolling information that qualifies as CUI” {§2002.1(a)} as it attempts to balance “the need to
safeguard CUI with the public interest in sharing information appropriately and
without unnecessary burdens” {§2002.1(d)}.
While this rulemaking is primarily directed at executive
branch agencies, it “also applies, by extension, to agency practices involving
non-executive branch CUI recipients” {§2002.1(e)}. Those non-executive branch
CUI recipients include contractors and other non-executive
branch entities. Where laws, regulations or ‘government wide policies’ do
not govern the sharing of CUI with those ‘other entities’, the rulemaking
specifically recommends agencies establish formal information-sharing
agreements that require the non-executive branch entity to comply with the
underlying Executive Order (EO
13556) and this regulation.
Finally, this section makes it clear that this program does
not supersede any existing requirements established by law, regulation or
government-wide policy; those requirements are incorporated as ‘CUI Specified’
requirements under this regulation.
Definitions
This section provides a
large number of definitions of terms used in this rulemaking. Some of the
more important terms defined include:
∙ CUI Basic;
∙ Document (very expansive definition);
I will be discussing the concepts related to these terms in
more detail in later posts.
CUI Executive Agent
In EO 13556 the President designated NARA as the Executive
Agent for this program, and NARA has further delegated that authority to ISOO.
Roles and Responsibilities
This section outlines the responsibilities for various
personnel in the establishment, implementation and oversight of the CUI
program. The personnel included in this section are the:
∙ Agency Heads;
∙ CUI Senior Agency Officials; and
While the first three listings show the normal establish,
designate and oversee responsibilities associated with any regulatory program,
the last one is a bit odd. This is the listing for the DNI {§2002.4(d)}:
“The Director of National
Intelligence: After consultation with the heads of affected agencies and the
Director of the Information Security Oversight Office, may issue directives to
implement this part with respect to the protection of intelligence sources,
methods, and activities. Such directives must be consistent with the Order,
this part, and the CUI Registry.”
It would seem that even after the four-plus years that this
NPRM has been in the works, some work still remains to be done.