Issues with Access to Acquisition Data and Information in the Department of Defense: Policy and Practice
Jun 12, 2015
Acquisition data play a critical role in the management of the U.S. Department of Defense's (DoD's) portfolio of weapon systems. Identifying which unclassified but potentially sensitive data require protection as Controlled Unclassified Information (CUI) and how to properly protect them through the use of appropriate markings or labels can be difficult: Management and sharing of these data are subject to the interaction and interpretation of a number of laws, regulations, and policies. Therefore, the Office of the Secretary of Defense asked RAND to evaluate current CUI labeling procedures, practices, and security policies. The authors found that documentation on CUI labeling procedures is incomplete and unclear. To define and establish proper handling procedures for CUI, a function (additional responsibility for a currently existing office with experience using a large number of CUI labels in multiple roles) and reference (a central, authoritative online resource that references all relevant guidance on information management, handling, access, and release for acquisition data) should be established within the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics.
Because the RAND Corporation operates three federally funded research and development centers (FFRDCs), the authors have an interest in FFRDC access to data. However, the authors believe that the results are valid independent of that interest. They also have firsthand experience with the struggles of DoD personnel managing data and access.
Proprietary Information: Clarifying and Creating Confusion
Origins and Meaning of Commonly Used Controlled Unclassified Information Labels on Acquisition Data
Security Policy and Its Implications for AIR and DAMIR
Conclusions and Options
DoD OGC Legal Opinion Dated February 1999