The Intelligence and National Security Alliance (INSA) released a new paper on October 25 that details what it calls onerous implementation requirements of the government’s Controlled Unclassified Information (CUI) Program and offers eight recommendations to improve the program.
The Federal government established the CUI Program in 2010 in an attempt to overcome agency-specific policies for controlling sensitive materials and to share information more widely among Federal, state, local, and private sector officials.
However, the INSA paper – titled Complex, Confusing, and Costly: Challenges Implementing the Government’s CUI Program – argues that new rules issued in 2017 have proven to be complex, confusing, and costly to implement, and they are applied inconsistently across agencies.
The paper also says that onerous and inconsistent requirements burden government contractors with the need to establish multiple information management and security practices – all while imposing consequences for failing to adhere to unclear guidance or to protect information whose status can change without warning.
Moreover, CUI compliance requires U.S. government agencies and contractors to invest enormous amounts in information technology systems and document control systems to govern access to more than 120 distinct categories of CUI, each of which requires unique protections, the paper says.
“Unless the Program is re-evaluated and reformed, it will have replaced the pre-9/11 system of ad hoc, agency-specific policies, procedures, and markings with a new system that has the same problems,” the paper states. “For the CUI Program to succeed, there needs to be a clear set of uniform rules that contractors can implement consistently for clients across the Federal government. There also needs to be standardized practices across agencies and continue to address industry feedback on implementation challenges.”
The paper made the following recommendations for the CUI Program:
- Reassess what needs protection – and whether the CUI Program, as constituted, achieves that goal.
- Simplify the CUI Program.
- Clarify the impact of CUI designation on proprietary information.
- Evaluate the effectiveness of CUI controls considering today’s cyber threats.
- Evaluate CUI requirements considering the industry’s supply chain structures.
- Codify how CUI implementation costs will be calculated for industry bidding and compensation.
- Establish an ongoing mechanism for incorporating industry comments and recommendations.
- Revise CUI rules to clarify handling of legacy-marked materials.