The Department of Defense Inspector General (DoDIG) recently released its “Audit of the DoD’s Implementation and Oversight of the Controlled Unclassified Information [CUI] Program” (DODIG-2023-078). The audit highlights some of DoD’s challenges in implementing the CUI Program and provides recommendations on how to make the program work better. The DoD’s response to the DoDIG’s audit recommendations will likely impact federal contractors working on contracts that handle CUI, including increased oversight and auditing, as well as increased training and reporting requirements.
What is CUI?
CUI is information created or possessed for the government that requires safeguarding or dissemination controls according to applicable laws, regulations, and government‑wide policies; CUI is not classified information. This audit was requested by the Senate Armed Services Committee due to “concern that DoD Components were using limited dissemination controls [LDCs] without having a legitimate rationale, thereby limiting transparency.” Essentially, Congress wasn’t as concerned with the improper dissemination of CUI, but rather with DoD’s over-marking and use of the CUI Program to limit access to information.
Before summarizing the important findings of the audit, let’s briefly review the history of the government-wide CUI Program, and DoD’s implementation thereof, starting with Executive Order 13556 issued in 2010.
EO 13556 aimed to standardize the way the entire executive branch handled unclassified information that requires safeguarding or dissemination controls. Prior to the establishment of the CUI Program, there were dozens of different programs and marking protocols administered by different agencies and DoD components, the most common being For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES). The CUI Program, administered primarily by the National Archives, attempts to consolidate the many marking and dissemination programs into a single, government-wide program, although many will note that these legacy markings persist in some pockets of government, despite over a decade of regulatory intent.
DoD, for its part, most recently issued DoD Instruction 5200.48, which clarified previous DoD policy and established “the DoD CUI Program requirements for designating, marking, handling, and decontrolling CUI,” as well as created a requirement for CUI training. The DoD Office of the Under Secretary of Defense for Intelligence and Security (OUSD(I&S)) promulgated the guidance but left the implementation of the CUI Program to the various DoD components.
The audit found:
- DoD components did not effectively oversee the implementation of guidance to ensure that CUI documents and emails contained the required markings.
- DoD components did not effectively oversee DoD and contractor personnel’s completion of the appropriate CUI training.
- This implementation and oversight failure occurred because the DoD components did not have mechanisms in place to ensure that CUI documents and emails included the required markings, and the OUSD(I&S) did not require the DoD components to test, as part of their annual reporting process, a sample of CUI documents to verify whether the documents contained the required markings.
- In addition, not all of the DoD components and contracting officials tracked whether their personnel completed the required CUI training.
- The use of improper or inconsistent CUI markings and the lack of training can increase the risk of the unauthorized disclosure of CUI or unnecessarily restrict the dissemination of information and create obstacles to authorized information sharing.
- Furthermore, the DoD will not meet the intent of Executive Order 13556 to standardize the way the executive branch handles CUI.
In sum, DoDIG found that DoD components routinely either over-marked information that was not properly considered CUI or improperly marked information that was CUI. A lack of training and tracking mechanisms compounded both findings. The DoDIG made 14 recommendations for improvement, six of which remain “unresolved” pending additional comments and coordination with DoD management, meaning that a revised version of the audit report will be expected later this year that incorporates management comments and tracks the resolution of outstanding recommendations.
Why Are the Audit Findings Important?
For defense contractors, these audit findings are important because they have real-world impact on contractors’ responsibilities and potential expenses under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204‑7012, which requires contractors that maintain CUI to implement the security controls specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800‑171. Contractors responsible for the physical and cybersecurity safeguarding of CUI on their systems rely on DoD Component Program offices to properly identify DoD CUI and to notify contractors of it at the time of contract award and throughout the life of the contract. DoDI 5200.48 also requires contractors who handle CUI to receive initial and annual refresher training that meets certain CUI learning objectives. The audit notes that while contractors were more compliant with their training responsibilities, the DoD components were not auditing or tracking these training requirements, which increased the risk of noncompliance.
If DoD components prioritize their CUI Programs and follow the recommendations of the DoDIG audit, this could result in increased focus by program and contracting offices on the information safeguarding compliance regime, the NIST controls, and CUI training for contractors.
For contractors who believe that customer CUI Programs are over-marking information and data — unnecessarily increasing compliance burdens and limiting transparency — this audit provides substantive and rhetorical support to push back on over-marked information during requests to decontrol.
The government-wide CUI Program is over a decade old and continues to evolve, be refined, and experience growing pains. This DoDIG audit is another milestone in the CUI Program’s growth and refinement.
This audit is also timely. As recent high-profile classified information leak prosecutions have made the news, there has been an increased focus on safeguarding sensitive information at all levels, including CUI.
Improving the management of the CUI Program is particularly important because the CUI regime operates in the liminal space where both Congress and interested parties want a perfect balance between protection of proper CUI and heightened transparency for everything else. This Goldilocks conundrum for the CUI Program will continue to generate friction among all parties: Congressional and IG oversight, agencies implementing and managing the CUI Program, contractors managing and safeguarding data, and the public and media pursuing open and transparent government ideals.
For more information and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point.