This is part of a series of posts on the notice of
proposed rulemaking (NPRM) recently published by the National Archives and
Records Administration’s (NARA) Information Security Oversight Office (ISOO) on
the establishment and harmonization of controls on controlled unclassified
information (CUI). Other posts in the series include:
Section 2002.15 outlines
the marking requirements for CUI. This is a specific area that is going to
require significant changes in the way that the various categories and subcategories
of CUI are handled since portions of the new marking requirements will apply to
both CUI Basic and CUI Specified categories and subcategories.
Banner Markings
All CUI documents will include a mandatory banner marking
(across the top-center of each page of the controlled document). The first element of
that banner marking will either be the word ‘Controlled’ or the abbreviation ‘CUI’.
For categories and subcategories that are listed in the CUI
Registry as CUI Basic (no ‘*’ marking behind name) this may be the only element
in the banner.
For CUI Specific, a slash (‘/’) will be placed after the ‘Controlled’ or ‘CUI’
marking, followed by the marking required for the category or subcategory of
CUI; at some point in time these will be listed in the CUI Registry page for
each type of CUI Specific information. Where multiple CUI
Specific categories or subcategories are used in the document, each must be
listed in the banner in alphabetical order.
This rule would allow for the limited use of ‘limited dissemination control’ (LDC)
markings (e.g., NOFORN; no foreign dissemination). These markings will be placed
after all of the CUI Specific markings and will be preceded by a ‘//’. Multiple
LDCs will be listed in alphabetical order. A listing of the authorized LDC
abbreviations will be included in the CUI Registry.
First Page Markings
The first page of any CUI document will also contain two
additional markings: the CUI designation indicator and the CUI
decontrolling indicator. The first is mandatory on all CUI documents. The
second will be used where feasible.
The designation
indicator will typically be the words ‘Controlled by:’ followed by the agency
(at a minimum) and the office of the entity designating the material as CUI.
For CFATS documents (for example) this would typically be something like ‘Controlled
by: Infrastructure Security Compliance Division, NPPD, DHS’. The agency in this
case would be DHS (see here and here).
The decontrolling indicator will be used where feasible (a term that is not
defined). It will be in the format ‘Decontrol
on:’ followed by either a date (YYYYMMDD) or an event. The event must be a
specific event that is “foreseeable and verifiable by any authorized holder”.
Including a point of contact listing for verifying the event is acceptable.
Portion Markings
As long as the
banner markings for the document apply to all of the contents of the document
then portion or paragraph markings are not required. They are, however,
recommended. Where there is a mixture of CUI categories or subcategories in a
document, or where uncontrolled information is included, portion markings are
required to distinguish the status of each portion.
The format for portion
markings will be generally the same as for banner markings except that they
will be enclosed in parentheses; for example: (CUI) for CUI Basic or (CUI/CI-CVI//NOFORN)
for CUI Specific. Note in the last example that a ‘-’ is used to separate the
category (Critical Infrastructure) from the subcategory (Chemical Terrorism
Vulnerability Information); interestingly this convention is not used in the
banner markings. Uncontrolled information will be marked with ‘(U)’.
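The banner and portion formats described above can be checked mechanically, for instance by a document-labeling or DLP tool. The following is an added example, not code from the NPRM, the CUI Registry or this blog; it assumes that multiple category markings and multiple LDCs are each separated by a single ‘/’ (the post does not give that separator), and CATA, CATB and XLDC are made-up placeholders.

```python
# Added example, not from the NPRM or the CUI Registry.
# Assumption: multiple category markings, and multiple LDCs, are each
# separated by a single '/'; the page does not give that separator.
FIRST_ELEMENTS = {"CONTROLLED", "CUI"}


def check_marking(marking, portion=False):
    """Return a list of problems found in a banner or portion marking."""
    text = marking.strip()
    if portion:
        if text == "(U)":  # uncontrolled portion
            return []
        if not (text.startswith("(") and text.endswith(")")):
            return ["portion marking must be enclosed in parentheses"]
        text = text[1:-1]
    # LDCs follow '//'; category markings follow the first single '/'.
    body, dslash, ldc_block = text.partition("//")
    first, slash, cat_block = body.partition("/")
    problems = []
    if first.upper() not in FIRST_ELEMENTS:
        problems.append("first element must be 'Controlled' or 'CUI'")
    if slash and not cat_block:
        problems.append("'/' with no category marking after it")
    if dslash and not ldc_block:
        problems.append("'//' with no LDC after it")
    for name, block in (("category", cat_block), ("LDC", ldc_block)):
        items = block.split("/") if block else []
        if any(not item for item in items):
            problems.append(f"empty {name} marking")
        elif items != sorted(items, key=str.upper):
            problems.append(f"{name} markings not in alphabetical order")
    return problems


if __name__ == "__main__":
    # Constructed samples; CATA, CATB and XLDC are made-up placeholders.
    samples = [("CUI", False), ("Controlled/CATA/CATB//NOFORN", False),
               ("CUI/CATB/CATA", False), ("(CUI/CI-CVI//NOFORN)", True),
               ("(U)", True), ("CUI//XLDC/NOFORN", False)]
    for marking, is_portion in samples:
        print(marking, "->", check_marking(marking, is_portion) or "ok")
```

The check covers structure and ordering only; whether a given category marking or LDC abbreviation is authorized would have to come from the CUI Registry.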
There are also rules for the use of CUI markings in
classified documents that I won’t go into in this post.