New Guidance for Handling Sensitive Information

Cybersecurity

The Information Security Oversight Office (ISOO) oversees the “Controlled Unclassified Information” (CUI) program. A 2016 National Industrial Security Program (NISP) directive concerning the insider threat provides more clarification on the more than 100 categories of information deemed ‘sensitive but unclassified.’ The NISP directive provides guidance for vetting contractors. What does it mean to those whose companies are part of the NISP?

The ISOO feels your pain – inconsistent policies, procedures and more

In the report, the ISOO said what all who grapple with sensitive information have been muttering under their breath for ages.

The controlled unclassified information program aims to reform the inconsistent and conflicting of agency-specific policies, procedures, safeguarding measures, and labels used to handle sensitive unclassified information throughout the executive branch.

Finally, an attempt to herd the cats and bring uniformity to the process, and in doing so keeping many of those dealing with sensitive information out of trouble. After all, no one wants to be told to sit in “time-out.” ISOO is teaming with both the Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST). The three organizations, supported by many others, successfully created a CUI federal regulation. This regulation served to put to rest the “100 different policies and practices” being used across the executive branch.

To accomplish this, ISOO reviewed over 2,200 proposed category, subcategory submissions (and here we thought it was binary, and it was several order of magnitudes greater). Their work created, 32 CFR part 2002, issued in November 2016, which offered a few significant features on the safeguarding of information:

  • Drawing attention to any specified protections required on certain information by law, regulation or government-wide policy.
  • Determining the overall marking strategy for CUI while providing some latitude for individual agencies.
  • Setting electronic safeguarding standards for CUI.

What does it mean for the government agencies?

One year from implementation, November 2017, every government agency must have configured their IT systems and develop a strategy/plan to protect CUI.  By November, each agency must submit their first annual report to the ISOO. The purpose of the report is to evaluate and assess agency efforts in implementing and sustaining the CUI program.

Your clock is been ticking. If you require assistance, ISOO has training materials and has created a CUI Portal for those desiring additional information.

Here’s a video with more information about what SBU and CUI are (and why your office’s policies are changing). It’s an appropriate overview for your cleared employees. 

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).

More in Cybersecurity