What is considered a CUI?

  Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Source(s):
NIST SP 800-172 under controlled unclassified information from E.O. 13556
NIST SP 800-171 Rev. 2 under controlled unclassified information from E.O. 13556

  Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Source(s):
NIST SP 800-150 under Controlled Unclassified Information

  Information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
Source(s):
NIST SP 800-37 Rev. 2 under controlled unclassified information
NIST SP 800-53 Rev. 5 under controlled unclassified information from 32 C.F.R., Sec. 2002

  Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. Note: The CUI categories and subcategories are listed in the CUI Registry, available at www.archives.gov/cui.
Source(s):
CNSSI 4009-2015

  Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Source(s):
NIST SP 800-172A under controlled unclassified information from E.O. 13556

Category of unclassified information within the U.S. Federal government

The Controlled Unclassified Information (CUI) Office logo.[1]

Controlled Unclassified Information (CUI) is a category of unclassified information within the U.S. Federal government. The CUI program was created by President Obama’s Executive Order 13556 to create a streamlined method for information sharing and safeguarding. The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA) of the National Archives and Records Administration (NARA), and is responsible for oversight of the CUI program. The ISOO monitors the implementation of the CUI program by executive branch agencies. CUI will replace agency-specific labels such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES) on new data. Some data with legacy labels will also qualify as Controlled Unclassified Information.[2][3]

History

A Presidential memorandum of May 9, 2008, signed by President George W. Bush, assigned responsibility to the National Archives (NARA) for overseeing and managing the implementation of the CUI framework.[4] This memorandum was rescinded by Executive Order 13556 of November 4, 2010, and the guidelines previously outlined within it were expanded upon to improve uniformity across all Federal agencies and to develop a standard policy regarding the controlled unclassification process itself.[5]

In a similar previous effort, the U.S. House of Representatives passed the Reducing Information Control Designations Act, H.R. 1323, on March 17, 2009. The bill was referred to the Committee on Homeland Security and Governmental Affairs of the 111th Congress in the US Senate, but it was never passed by the Senate.

The doctrine, policy, and processes for Controlled Unclassified Information came out of a study and policy change proposal which originated within the Information Sharing and Collaboration Office of the Information Analysis and Infrastructure Protection Under Secretariat of the Department of Homeland Security in 2004. The term Controlled Unclassified Information (CUI) was coined by the authors of the study, which reviewed over 140 various forms of unclassified information in use throughout the federal government at the time. Authors of the study recommended a new doctrine and policy framework and recommended that ISOO, within the NARA, be charged with implementing and overseeing the new doctrine and policy. At the time of delivery of the policy framework, NARA voiced objections to undertaking the effort due to a lack of resources. The policy recommendation continued to be worked within DHS and the rest of government as part of the Program Manager for the Information Sharing Environment, which moved from DHS to the ODNI. While the executive order, rescission of the order, and subsequent policy structure worked their way through the government, the timeline for the study/analysis, creation of a draft policy and framework, the political processes, and the resulting policy implementation lasted from 2005 through 2017. The study was led by Grace Mastalli and Richard Russell.

The US Department of Defense had been handling "Controlled Unclassified Information" before the 2008 Presidential memorandum was published and NARA became the Executive Agent in 2010. The DoD term embraced a similar type of data category. However, the DoD and NARA differed then and now (2019) on specific categories of data defined as "CUI". DoDM 5200.01 Vol 4 defines DoD CUI policy until it is revised to align with NARA's definition. The Secretary of the Navy published SECNAV 5510.34 in November 1993 entitled Disclosure of Classified Military Information and Controlled Unclassified Information.

In December 2020, the Director of National Intelligence at the time, John Ratcliffe, issued a memorandum to the Assistant to the President for National Security Affairs asking the President of the United States (President Trump) to rescind EO 13556. In the memo, Director Ratcliffe referred to the policies as "exponentially more complex" and "vastly overcomplicated". According to the memo, "As currently conceived, instead of simplifying and replacing a handful document markings with one new CUI marking, the CUI Program has expanded to over 124 categories in 20 groupings, with 60 Specified and 60+ Basic categories." He went on to express concerns from the Intelligence Community about significant cost and unclear guidance, and requested rescission and a process for presidential action.

DNI Ratcliffe stated that, following rescission, support would be given to an Executive-branch review and replacement of the current FOUO and related markings to protect unclassified information. No extension of the previous December 31, 2020 timeline, which has now passed, has been proposed, and it is currently unclear what action, if any, will be taken on this request.[6][7] The Department of Defense has clarified the policy on legacy markings such as FOUO:[8] "Information previously marked as FOUO does not need to be re-marked as long as it remains under DoD control or is accessed online and downloaded for use within the DoD." Based on CFR 32 Part 2002, each agency will develop the steps to handle legacy markings in its CUI program.

References

  1. ^ Use of the CUI logo is controlled by the National Archives's regulations at 36 C.F.R. 1200.7
  2. ^ Casteli, Elise (January 22, 2008). "New policy expected soon for sensitive information". Federal Times. Archived from the original on January 2, 2013.
  3. ^ "Memorandum For The Heads Of Executive Departments And Agencies - Designation and Sharing of Controlled Unclassified Information (CUI)" (Press release). The Office of the White House. May 7, 2008. Archived from the original on June 1, 2009. Retrieved October 21, 2008.
  4. ^ "Archivist of the United States Establishes 'Controlled Unclassified Information Office'" (Press release). National Archives and Records Administration. May 22, 2008. Retrieved October 21, 2008.
  5. ^ "Executive Order 13556 of November 4, 2010; Controlled Unclassified Information". Federal Register. Volume 75, Issue 216 (November 09, 2010). pp. 68675–68677. FR Doc. No. 2010–28360.
  6. ^ "Rescission of Executive Order 13556" (PDF). Archived (PDF) from the original on 2020-12-14. Retrieved 2021-01-06.
  7. ^ "DNI Tries to Abort Controlled Unclassified Info Policy". Federation Of American Scientists. Retrieved 2021-01-06.
  8. ^ "CUI Awareness and Marking" (PDF). Department of Defense. April 1, 2021. Retrieved September 10, 2021.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Controlled_Unclassified_Information&oldid=1106832363"