The Intelligence and National Security Alliance (INSA) detailed the challenges with the Controlled Unclassified Information (CUI) program in a new paper, called Complex, Confusing, and Costly: Challenges Implementing the Government’s Controlled Unclassified Information (CUI) Program. INSA also provided eight urgent recommendations for the federal government to implement if they want the program to succeed. INSA gives voice to what many in government have been trying to say as they have dealt with many frustrations in implementing CUI.
Reason for CUI
As part of initiatives to promote greater sharing of terrorism-related information after the 9/11 attacks, the CUI program was established by Executive Order in 2010 to safeguard sensitive information while enhancing information sharing among federal, state, local, and tribal law enforcement agencies, and their private sector partners. However, implementation rules issued in 2017 are so complex, costly, and inconsistently applied that in 2020 the Office of the Director of National Intelligence requested the EO establishing the program be rescinded. Additionally, a September 2021 DoD Inspector General memo highlighted the difficulty of implementing the CUI program across the DoD and its components.
INSA’s Security Policy Reform Council Highlights Changes Needed
The INSA paper, developed by INSA’s Security Policy Reform Council, captures industry perspectives on the CUI program’s uneven implementation. Notably, the paper finds that an explosion of CUI categories, overly complex protection and handling guidelines, and a lack of strong centralized management authority undermine the program’s effectiveness. At the same time, onerous and inconsistent requirements burden government contractors with the need to establish multiple information management and security practices–all while imposing consequences for failing to adhere to unclear guidance or to protect information whose status can change without warning.
The paper recommends a reevaluation of the program and implementation of several reforms, including reassessing what really needs protection, clarifying the impact of CUI designation on proprietary information, codifying how CUI costs will be calculated, and implementing a mechanism to incorporate industry insights. Read INSA’s thoughts on CUI.