Issues with Access to Acquisition Data and Information in the Department of Defense

A Closer Look at the Origins and Implementation of Controlled Unclassified Information Labels and Security Policy

Megan McKernan, Jessie Riposo, Jeffrey A. Drezner, Geoffrey McGovern, Douglas Shontz, Clifford A. Grammich

Research. Published Dec 19, 2016

Acquisition data play a critical role in the management of the U.S. Department of Defense's (DoD's) portfolio of weapon systems. Identifying which unclassified but potentially sensitive data require protection as Controlled Unclassified Information (CUI) and how to properly protect them through the use of appropriate markings or labels can be difficult: Management and sharing of these data are subject to the interaction and interpretation of a number of laws, regulations, and policies. Therefore, the Office of the Secretary of Defense asked RAND to evaluate current CUI labeling procedures, practices, and security policies. The authors found that documentation on CUI labeling procedures is incomplete and unclear. To define and establish proper handling procedures for CUI, a function (additional responsibility for a currently existing office with experience using a large number of CUI labels in multiple roles) and reference (a central, authoritative online resource that references all relevant guidance on information management, handling, access, and release for acquisition data) should be established within the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics.

Because the RAND Corporation operates three federally funded research and development centers (FFRDCs), the authors have an interest in FFRDC access to data. However, the authors believe that the results are valid independent of that interest. They also have firsthand experience with the struggles of DoD personnel managing data and access.

Key Findings

Identifying Which Sensitive Unclassified Information in Defense Acquisition Requires Protection and How to Properly Protect It Through the Use of Appropriate Markings and Security Policy Can Be Problematic

  • The current environment in which acquisition data are protected and shared can be characterized by many organizations promulgating policy on overlapping and interrelated topics, policies that are relatively new and change frequently, and an ill-defined Controlled Unclassified Information (CUI) policy. Those who originate the policies do not fund their implementation, meaning that a new or changed policy is effectively an unfunded requirement for information system managers.
  • The authors were unable to find any single document that collects and describes the most commonly used CUI labels in the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics. Some of these labels are legacy markings and practices that are not aligned with draft CUI policy. As a result, acquisition documentation with CUI may be mislabeled.
  • Proprietary information (PROPIN) is a special class of CUI that relates to information and data developed by a private entity but shared with the government. Substantial confusion exists within DoD about what information is truly proprietary, who can have access to it, and how to grant access when needed. While there are some laws and policy that describe PROPIN, no single source describes the processes and procedures.
  • Security policies tend to be one-size-fits-all, which does not reflect the unique characteristics of each information system. Originators of security policies do not fund their implementation, meaning that a new or changed policy is effectively an unfunded requirement for system managers.

Recommendations

  • A more robust, central authoritative source for Controlled Unclassified Information (CUI) data labeling, access, and management (including monitoring and challenging document originators) should be established by the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics (OUSD[AT&L]). The U.S. Department of Defense should also train its workforce on the new CUI labeling procedures when they are released and implemented.
  • To define and establish proper handling procedures for CUI, a function (additional responsibility for a currently existing office with experience using a large number of CUI labels in multiple roles) and reference (a central, authoritative online resource that references all relevant guidance on information management, handling, access, and release for acquisition data) should be established within OUSD(AT&L).

Document Details

  • Availability: Available
  • Year: 2016
  • Print Format: Paperback
  • Paperback Pages: 80
  • Paperback Price: $24.00
  • Paperback ISBN/EAN: 978-0-8330-9596-1
  • DOI: https://doi.org/10.7249/RR1476
  • Document Number: RR-1476-OSD

Citation

RAND Style Manual
McKernan, Megan, Jessie Riposo, Jeffrey A. Drezner, Geoffrey McGovern, Douglas Shontz, and Clifford A. Grammich, Issues with Access to Acquisition Data and Information in the Department of Defense: A Closer Look at the Origins and Implementation of Controlled Unclassified Information Labels and Security Policy, RAND Corporation, RR-1476-OSD, 2016. As of October 15, 2024: https://www.rand.org/pubs/research_reports/RR1476.html
Chicago Manual of Style
McKernan, Megan, Jessie Riposo, Jeffrey A. Drezner, Geoffrey McGovern, Douglas Shontz, and Clifford A. Grammich, Issues with Access to Acquisition Data and Information in the Department of Defense: A Closer Look at the Origins and Implementation of Controlled Unclassified Information Labels and Security Policy. Santa Monica, CA: RAND Corporation, 2016. https://www.rand.org/pubs/research_reports/RR1476.html. Also available in print form.

This research was sponsored by the Office of the Secretary of Defense and conducted within the Acquisition and Technology Policy Center of the RAND National Defense Research Institute, a federally funded research and development center sponsored by the Office of the Secretary of Defense, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.