An End to Sensitive Security Information as We Know It?

Last Thursday, the President signed an Executive Order that “establishes an open and uniform program for managing information” that is not classified but “requires safeguarding or dissemination controls.” Designed to replace designations, and their associated procedures and markings, that various federal agencies have developed to safeguard and control such information with an information management program that “emphasizes the openness and uniformity of Government-wide practice.” (The Government Accountability Office identified 56 different labels in a 2006 report and a recent New York Times article claims there are “almost 120 markings.”)
The article in the New York Times interprets the Executive Order as replacing all of these ad hoc markings with the single label “Controlled Unclassified Information” (CUI). If correct, entities regulated under the Maritime Transportation Security Act of 2002 would not be responsible for Sensitive Security Information (SSI) any more and some of those entities would no longer deal with Protected Critical Infrastructure Information (CPII) or Chemical-terrorism Vulnerability Information (CVI), by those names anyway. Law enforcement agencies active in the maritime sector would similarly deal with the singular label CUI instead of For Official Use Only (FOUO), Law Enforcement Sensitive (LES), or anything else. But are we really going to get a “uniform” program? The Executive Order is somewhat similar to a Memorandum for The Heads Of Executive Departments And Agencies on Designation and Sharing of Controlled Unclassified Information (CUI) that was signed by President Bush in May 2008, which it rescinds. Both documents put the National Archives and Records Administration in charge of developing the CUI program as “the Executive Agent.” The Bush directive has considerably more detail as to what “the single set of policies and procedures governing the designation, marking, safeguarding, and dissemination of CUI” would include, such as three different levels of controlled dissemination. Notably, however, it limited this “CUI Framework” to “CUI terrorism-related information,” although the definition of CUI itself was not similarly limited. Additionally, the Bush directive specifically exempted PCII, SSI, CVI, and Safeguards Information (SGI — a category used in the nuclear energy industry) from the CUI Framework. The Framework was be used for these categories, however, to “the maximum extent possible, but shall not affect or interfere with specific regulatory requirements for marking, safeguarding, and disseminating.”
The new Executive Order does not establish these or any other specific exemptions. On the other hand, it speaks repeatedly of “CUI categories and subcategories.” Agency heads are tasked with submitting to the Executive Agent a catalogue of “proposed categories and subcategories of CUI, and proposed markings for information designated as CUI,” along with definitions of each proposed category and subcategory. The Executive Agent is to approve categories and subcategories and their associated markings “to be applied uniformly throughout the Executive Branch.” The direction of uniformity is undercut not only by the acceptance of categories and subcategories, but by the recognition that they may have their own “associated markings and applicable safeguarding, dissemination, and decontrol procedures.”
Given that some categories of sensitive information are based on statute (e.g., PCII) and/or have existing regulatory schemes (PCII, SSI, CVI, SGI, and maybe others) that already establish varying markings and safeguarding, dissemination, and decontrol procedures, uniformity across the Government will prove illusive. Instead on everything being CUI, we are likely to see CUI-PCII, CUI-SSI, and so forth. But is it too much to hope that we could be freed of my personal bête noire — the requirement in 49 CFR 1520.13 to plaster the “distribution limitation statement” on the bottom of each page of a CUI-SSI document?
By the way, the new Executive Order sets a much tighter timetable for implementation than the previous directive (180 days for the Executive Agent to promulgate implementation directives, followed by 180 days for agency implementation directives vs. implementation to be completed within five years), although if the Government had followed through on the Bush directive, its implementation would have been effected by next May. Whether the one-year schedule of the Executive Order will be feasible also remains to be seen. Who would you bet on when the National Archives goes toe to toe with the Department of Defense or Homeland Security? (The Transportation Security Administration doesn’t even have a planned date for making permanent the interim SSI regulations that have been in effect since 2004. This process would require no more than a relatively straight forward notice in the Federal Register.)
NOTE: This post may be copied, distributed, and displayed and derivative works may be based on it, provided it is attributed to Maritime Transportation Security News and Views by John C. W. Bennett,
By Professional Mariner Staff