NARA Issues Final Rule on Controlled Unclassified Information

CybersecurityA year and four months after its proposed rule, and nearly six years after the Executive Order that called for the standardization of handling requirements for Controlled Unclassified Information (CUI), the National Archives and Record Administration (NARA) issued its final rule on CUI last week (81 FR 63324, September 14, 2016).

The final rule is the outgrowth of Executive Order 13556, Controlled Unclassified Information, 75 FR 68675 (November 4, 2010).  This Executive Order gave NARA the authority to “establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls” to replace the ad hoc, patchwork approach used by federal agencies in the absence of uniform guidance.  NARA issued a proposed rule on May 5, 2015 (80 FR 26501).  We addressed the proposed rule and the maze of regulations relating to the safeguarding of non-classified government information in a previous article.

With this final rule, NARA seeks to clarify and make uniform the treatment of CUI across the federal government.  In addition to specifying requirements within the final rule itself, NARA is also establishing and maintaining a CUI Registry, which will be the central repository for all guidance, policy, instructions, and information pertaining to CUI.

While the final rule directly applies only to federal agencies, the requirements indirectly extend to government contractors and grantees by virtue of the directive that agencies include the CUI protection requirements in all federal agreements that may involve CUI.  A pending FAR case and anticipated forthcoming regulation will further implement this directive for federal contractors.

In accepting and rejecting comments on the proposed rule for purposes of the final rule, NARA recognized the tension between the dual federal government goals of protecting and sharing information.  NARA’s revisions were designed “to more clearly explain how the different levels of CUI interact, the basis for CUI controls, what levels of controls agencies may impose,” as well as to establish rules pertaining to agency agreements, and marking, destruction, and dissemination of CUI.

After this final rule, information provided by or developed for the government falls into one of four categories, as described below:

  • Classified Information: This refers to information required by Executive Order 13526, “Classified National Security Information,” or predecessor or successor orders, or the Atomic Energy Act of 1954, to be marked with a classification designation to protect it from unauthorized disclosure.
  • CUI Basic: CUI is information created or possessed by or for the government for which a law, regulation, or policy requires or permits safeguarding or dissemination controls.  CUI Basic is the subset of CUI for which no particular controls are specified.  This final rule provides uniform handling controls to be used for CUI Basic, which requires protection at no less than a “moderate” confidentiality standard under the Federal Information Systems Modernization Act (FISMA), 44 U.S.C. 3541, et seq.  CUI Basic documents can be marked simply as “CUI” or “Controlled.”
  • CUI Specified: CUI Specified is that subset of CUI for which applicable law, regulation, or policy provides specific handling controls that differ from the controls that apply to CUI Basic.  Under the final rule, the specified controls are to continue to be used for this subset of CUI and the markings prescribed for these particular categories of information should continue to be used.  Examples of CUI Specified information are information that is export controlled or source selection information.
  • Uncontrolled Unclassified Information: All remaining information that is neither classified nor CUI.  Although not controlled or classified, this information must still be handled as required by FISMA.

The final rule incorporates by reference various Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) Special Publications (SP), namely:

  • FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems;
  • FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems;
  • NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations;
  • NIST SP 800-88, Guidelines for Media Sanitation; and
  • NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

These standards must be applied to systems that involve CUI in conjunction with the framework established by FISMA.

The final rule is effective November 14, 2016.  It is not known when the proposed companion FAR clause will be released.  Until that time, agencies will need to address CUI handling requirements in contracts and grants through use of their own language.

Although the final rule specifies that agencies must include in agreements directions to comply with the final rule and the CUI Registry when handling CUI, the absence of uniform agreement language at this point in time may create the same sort of confusion and inconsistency that the final rule is designed to address.  We will carefully monitor release of the proposed FAR rule and any comments thereto in order to provide the most current information to our client federal contractors.