Information security

HSTinDepth: Getting a Handle on Controlled Unclassified Information

For those persons who navigate the interesting world of classified or sensitive information, few, if any, would dispute the importance of protecting that information from individuals without a proper clearance or a legitimate “need to know.” One tragic day in 2001 changed the way we think about and share information, including sensitive information not deemed classified by intelligence-community standards.

The idea of Controlled Unclassified Information (CUI) was born out of necessity. The efforts behind CUI began in earnest in 2008 under the President George W. Bush administration as a way for “our Nation’s entire network of defenders to be able to share information more rapidly so those who must act have the information they need.” The attacks on Sept. 11, 2001, illustrated the critical need to share timely and accurate information among an assortment of communities – intelligence, public safety, defense, law enforcement, and state and local governments – resulting in the creation of the U.S. Department of Homeland Security. Under memorandum, the president directed the development of an executive branch CUI Framework.[1]

The President’s Memorandum of May 27, 2009, directed a task force, led by the secretary of Homeland Security and the attorney general, to review the CUI Framework for the management of Sensitive But Unclassified (SBU) terrorism-related information. The task force undertook a 90-day study of the CUI Framework,[2] the organizations managing SBU information in the executive branch, and, by extension, the sharing of that information with non-federal information-sharing partners.