As agencies eye new policies for storing sensitive but unclassified data, updating their IT systems could pose a challenge, one official said.
During a public meeting Thursday, several officials at the National Archives and Records Administration discussed the particulars of a draft rule released earlier this month for controlled unclassified information, or CUI, a broad category that could apply to data on a range of subjects — from copyrights to the Census.
National Archives’ Information Security Oversight Director John Fitzpatrick said some of the most difficult tasks facing agencies once the rule is finalized “relate to changing their IT systems.” In many cases, agencies would be “moving at their own pace” to make updates.
For one, the draft would require agencies to hold the data in IT systems that meet the “moderate” personally identifiable information impact confidentiality level standards established by the National Institute of Standards and Technology. Also, agencies might have to change how they tag and label their information or documents under the rule.
At the same time, Fitzpatrick told FedScoop after the meeting, the rule is meant to dovetail with existing rules and regulations, like the Federal Information Security Management Act.
In “those places where it’s about the information type, then the CUI rule should drive,” he said. “If it’s about just having protected systems, then FISMA and all the related instructions” would be the guide.
As it stands, there are more than 100 labels across government for characterizing sensitive but unclassified information, a similar designation that’s currently used. In 2010, President Barack Obama issued an executive order for the National Archives to establish and oversee a program to make CUI uniform.
Under the CUI program, agencies have to select someone to administer the CUI policies and establish an internal oversight mechanism. Agencies would decide what to designate CUI based on categories the rule would establish. Those designations would also need to have a basis in law, regulation or governmentwide policy.
At the meeting, officials also discussed proposed rules that would govern how nonfederal agencies, like contractors or universities, would handle CUI.
The public can still comment on the proposed CUI rules for agencies through July 7, and the National Archives plans to hold other presentations on the rules in the weeks ahead.