Saturday, May 9, 2015

CUI NPRM – General Information

This is the second in a series of posts on the notice of proposed rulemaking (NPRM) recently published by the National Archives and Records Administration’s (NARA) Information Security Oversight Office (ISOO) on the establishment and harmonization of controls on controlled unclassified information (CUI). Other posts in the series include:

The first subpart of the rule outlines the general information about the CUI program. It includes:

∙ Purpose and scope.
∙ Definitions.
∙ CUI Executive Agent.
∙ Roles and responsibilities.

Purpose and Scope

This section explains that the CUI program “establishes policy for designating, handling, and decontrolling information that qualifies as CUI” {§2002.1(a)} as it attempts to balance “the need to safeguard CUI with the public interest in sharing information appropriately and without unnecessary burdens” {§2002.1(d)}.

While this rulemaking is primarily directed at executive branch agencies, it “also applies, by extension, to agency practices involving non-executive branch CUI recipients” {§2002.1(e)}. Those non-executive branch CUI recipients include contractors and other non-executive branch entities. Where laws, regulations or ‘government wide policies’ do not govern the sharing of CUI with those ‘other entities’, the rulemaking specifically recommends agencies establish formal information-sharing agreements that require the non-executive branch entity to comply with the underlying Executive Order (EO 13556) and this regulation.

Finally, this section makes it clear that this program does not supersede any existing requirements established by law, regulation or government wide policy; those requirements are incorporated as ‘CUI Specified’ requirements under this regulation.


This section provides a very large number of definitions of terms used in this rulemaking. Some of the more important terms defined include:

CUI Basic;
Document (very expansive definition);

I will be discussing the concepts related to these terms in more detail in later posts.

CUI Executive Agent

In EP 13556 the President designated NARA as the Executive Agent for this program and that authority was further delegated to ISOO.

Roles and Responsibilities

This section outlines the responsibilities for various personnel in the establishment, implementation and oversight of the CUI program. The personnel included in this section are the:

While the first three listings show the normal establish, designate and oversee responsibilities associated with any regulatory program, the last one is a bit odd. This is the listing for the DNI {§2002.4(d)}:

“The Director of National Intelligence: After consultation with the heads of affected agencies and the Director of the Information Security Oversight Office, may issue directives to implement this part with respect to the protection of intelligence sources, methods, and activities. Such directives must be consistent with the Order, this part, and the CUI Registry.”

It would seem that even after the four plus years that this NPRM has been in the works, there is still some work that remains to be done.

No comments:

/* Use this with templates/template-twocol.html */