CUI and confused – Sean Bigley, legal correspondent and Lindy Kyzer, director of content, discuss the wacky world of Controlled Unclassified Information (CUI), and why it’s creating a lot of confusion for many in the cleared community. A moniker without a policy framework in many cases, too many individuals have taken to slapping a CUI designation on just about everything. Learn why that’s not helpful.
Sean Bigley (00:32):
We’re talking this segment about CUI or controlled unclassified information, and whether it’s CUI or CYA is the more apt descriptor. And Lindy, I feel like this is a topic that’s been coming up a number of places lately. I’ve written about it certainly on ClearanceJobs, and I’ve seen other folks who have been a little spun up about this in the government sector. I think primarily those who have to deal with it on a daily basis and are sort of tired of dealing with it. But is this a topic that you’ve seen come up in your discussions with folks in the industry?
Lindy Kyzer (01:06):
Oh, absolutely. I mean, it’s definitely been a hot topic. We do an FSO survey every year and we ask them about pain points and CUI – I’m glad you didn’t call it “kewey” or something – those acronyms, man, they’re weird no matter how you do it. We’ve had it come up for security officers as a pain point for a long time. The disconnect we see, and that’s why I love this show and our chance to kind of have these conversations because you have that wonky security clearance community, right? If you’re a security officer, if you manage controlled unclassified information as a part of your job, and then you have the day-to-day security clearance holder who, because of how the policy is still rolling out, may or may not have heard of CUI or not know what it is. And I think there’s still some, that’s why that’s where some of the confusion comes in.
A lot of these policy changes. It goes out to government agencies first, and then you get industry with the standards. There’s a lot more people working in industry than there are directly for the government. They obviously have a lot more information that could fall under this CUI umbrella. They have information that’s not necessarily classified, but that is sensitive that falls underneath this umbrella. So for me, it comes up for ClearanceJobs primarily, just a lot of ‘what in the heck is this?’ What is going on with it now? What is the current policy? What are the policies that they apply to agencies or to industry? But again, where I think it comes up for me, and I think it’s worth talking about here, is I think probably the average person who’s sitting in a desk with a security clearance right now may or may not have any clue or have heard what CUI is. Is that your experience with the case or how has it come across your desk?
Sean Bigley (02:48):
It’s interesting that you bring up industry and contractors because that’s where I see this as the biggest knowledge gap. And I think a lot of contractors are surprised to learn that yes, these policies do apply to them as well when they’re producing or creating documents for the government as part of their contractual duties, just like the Privacy Act and other laws that apply to government information can potentially be applicable to contractors as well. And so contractors are dealing all the time in many cases with Privacy Act protected information, and yet we find a lot of contractors have no clue what the Privacy Act is or how it applies to them. So CUI certainly is, I think, becoming an increasing issue of Privacy Act materials, of course, just one category or subcategory of CUI. There are certainly others. What I’m finding though is it is sort of an overcompensation in effect because to your point, yes, a lot of people aren’t really aware of this, but I think more people are maybe just sort of subliminally aware of the fact that this exists.
They don’t really understand what it is. They don’t know how they’re supposed to handle their responsibilities. And so the default becomes, well, let’s just overdo it. Let’s kind of label everything CUI, and it cracks me up. I’m actually writing an article about this. I think by the time this episode airs, the article may be out on ClearanceJobs, but this phenomenon that I’ve been seeing the last couple of years of government employees and contractors who literally include in every single email that they produce a disclaimer at the bottom, and you may have seen this that says, this email may contain CUI or even better, this email contains CUI. And it’s funny on one hand because it demonstrates just an utter lack of understanding of what CUI is or depending on how you interpret it, some degree of arrogance.
This attitude of, well, everything I produce is so important that it must be labeled CUI. And yet I think it really just demonstrates a fundamental lack of understanding as to what it is that people are doing. So I think it’s important that we’re having this conversation that people are educating themselves on what their obligations are, not because it’s fun or exciting. Believe me, this is beyond boring. I get it. But because it’s not going away, this is something that really is probably around for the long haul in some form or another and has the potential to have some real ramifications. I’m curious, have you heard any horror stories of people who have gotten hung up on CUI issues, or is this still so new that it kind of hasn’t made it to that point yet?
Lindy Kyzer (05:22):
It’s still so new that it hasn’t made it to that point yet. But your example of folks putting in their signature block is the perfect example that I give for how it’s going to go very poorly very soon as these agencies start to label everything. The issue is we’re kind of in, as I understand it, and this is not my wheelhouse or expertise, but we are in a bit of a gap right now where we have kind of this overarching policy, but not a lot of nuts and bolts around enforcement like we had with CMMC and some of the cyber regulations too. CUI is periphery to all of that going on saying, Hey, the government really wants to protect more information. We know that our adversaries are after things that aren’t just classified, so we want to create protections. The hammer’s not there, so people are just looking at a whole lot of nails, but the hammer is eventually going to start coming.
And if you are labeling everything CUI, yeah, I just think there’s going to be issues down the road caused by the current status that we have with confusion. While I think it’s an important effort, I do hate it in the sense that we have such an overclassification problem, and Congress is looking into this right now with their legislation. They’re saying, Hey, yeah, we’re classifying too much. We’re not protecting what is classified. So we have top secret documents that are posted on a Discord server allegedly. So I have to remember, there’s an attorney still in the conversation allegedly. And yet we’re also throwing labels on a lot more stuff and potentially creating penalties around that. And again, I’m not seeing enforcement of that yet. I haven’t seen anybody get in trouble, but based on how it’s rolling out, I think they’re paving the path for a lot of people to get in trouble.
Sean Bigley (06:58):
I 100% agree with both those sentiments. To your latter point, sort of paving the path, as I sort of wound down my law practice over the past year representing federal employees and contractors, I was starting to see this very, I would say still uncommon, but alarming pattern where some, I would say rogue security folks were waking up to the idea that this could be a very potent weapon to use against people who they didn’t like or who maybe were making disclosures or complaints about things in the workplace that were inconvenient, things like that. And so we did see a very small handful of cases in the last year or two of my law practice where it was sort of a game of gotcha. The government couldn’t find any reason to necessarily get rid of somebody, but they would use this as a low-hanging fruit, and they would just sort of almost seem as they were making it up as they went along, like, oh, well, we found this issue with you mishandling CUI, and the person was going, what is CUI?
I’ve never even heard of this. It’s definitely, you’re right. Paving the path, I think is a great way to describe it. And so I think all federal employees and contractors need to be wary and aware of this issue if for no other reason than self-preservation. I also agree with you a hundred percent philosophically, we have a huge overclassification problem, and I am no fan of obfuscation and withholding information from the public. I’m a huge fan of government transparency. So philosophically, I don’t like the CUI program. I understand the intent behind it and obviously predating it. There were things, there were a smorgasbord of other acronyms that agencies were using, and this was designed to consolidate all of those and say, we’re going to get rid of the old sensitive but unclassified SBU, and we’re going to get rid of the other markers and designators that agencies were using that were also causing confusion.
So that’s good. But at the same time, I mean, yes, we do have to wonder if it’s contributing to this paranoia problem and this overclassification problem. And also the big irony of it to your earlier point is when people don’t understand it and they are labeling everything as CUI, that’s not, it does also have the potential to go the reverse way. Because just as you can potentially be setting yourself up for problems, rather by not complying with CUI, you can be doing the same by over marking things and improperly labeling things CUI that aren’t, because when you do that, it necessarily obfuscates things like congressional oversight. And obviously in this day and age, that is something that I think both political parties are very fond of, depending on who’s in power, and that is something that I could also foresee becoming a problem.
So bottom line, my recommendation for folks on this issue is and has been for years the same. Go and educate yourself on the CUI policies before you start putting yourself in a position where you’re going to potentially get nailed for doing something wrong that you don’t even understand. So go online, this stuff is pretty easy to find. The CUI Registry run by the National Archives and Records Administration, NARA, they are sort of the final word on what qualifies as CUI. There are also some agency-specific policies that supplement it, most notably at the Department of Defense. And so do your due diligence, get out there, do some research, do some reading. If you don’t understand something or you’re not sure if it’s applicable at your particular agency, go have a conversation with your security office and get that ball rolling because ultimately you don’t want to be left holding the bag.
Lindy Kyzer (10:39):
My biggest takeaway here is they should not be allowed to create these policies unless they create training programs around them. Because what you end up is a lot of people that end up doing dumb things because they don’t understand that policy is put in place.