Issues with Access to Acquisition Data and Information in the Department of Defense: Considerations for Implementing the Controlled Unclassified Information Reform Program

McKernan, Megan; Riposo, Jessie; McGovern, Geoffrey; Shontz, Douglas; Ahtchi, Badreddine

This report provides a closer look at the current state of the Controlled Unclassified Information (CUI) program as well as how new CUI rules might affect DoD acquisition data management. We found a high degree of overlap in the content of past and present CUI labels used for acquisition data, but the problem going forward is translating new policy into practice.

Read Online

Issues with Access to Acquisition Data and Information in the Department of Defense

Considerations for Implementing the Controlled Unclassified Information Reform Program

by Megan McKernan, Jessie Riposo, Geoffrey McGovern, Douglas Shontz, Badreddine Ahtchi

View related products

Download

Download eBook for Free

Format	File Size	Notes
PDF file	0.9 MB	Use Adobe Acrobat Reader version 10 or higher for the best experience.

Purchase

Purchase Print Copy

	Format	List Price	Price
Add to Cart	Paperback62 pages	$21.00	$16.80 20% Web Discount

Research Questions

How far along is the DoD acquisition community in adopting the federal CUI reform effort, and what are the potential challenges to that implementation?
What are the challenges in managing aggregation of DoD acquisition data?

Acquisition data play a critical role in the management of the U.S. Department of Defense's (DoD's) portfolio of weapon systems. Controlled Unclassified Information (CUI) labels are one of the key methods for protecting sensitive information from disclosure along with appropriate information security. Mandatory U.S. government–wide policies governing handling of unclassified acquisition information exist because of concerns about exploitation by sophisticated adversaries. Executive Order 13556, signed by then–President Barack Obama on November 4, 2010, established a government-wide program for managing CUI, which includes personally identifiable information, proprietary business information, and law enforcement investigation information, among others. As the CUI executive agent, the National Archives and Records Administration is responsible for addressing over 100 ways of characterizing CUI, which it has done in the September 2016 CUI Federal Register. The rules in this register came into effect on November 14, 2016. This report provides a closer look at the current state of the CUI program as well as how the new CUI rules might affect DoD acquisition data management. We found a high degree of overlap in the content, if not the nomenclature, of past and present CUI labels used for acquisition data, but the problem going forward is translating policy into practice.

Key Findings

Implementation of the new Controlled Unclassified Information (CUI) program is destined to be disruptive.
Given the emphasis on the importance and specificity of labeling information, training is likely to be extensive, including both Department of Defense (DoD) employees and contractors.
Implementation is currently unfunded, and it is not clear how much of a financial burden implementation will be on those who need to implement.
Several commonly used labels on acquisition information are no longer permitted, which will leave DoD employees and contractors looking for the next "FOUO."

Recommendations

Identify a point-of-contact within the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics (OUSD[AT&L]) to help advise and transition to the new marking regime.
Actively engage in discussions with the Undersecretary of Defense for Intelligence (USD[I]) during the revision of the DoD CUI policy.
Work closely with the National Archives and Records Administration as needed to understand some of the current guidance that has been issued at the federal level.
Hold small working groups with the military services and DoD functions (e.g., Comptroller, etc.) in order to further understand the implications of this effort.
Begin to work to identify training resource requirements.
Wait to implement until USD(I) completes the guidance per USD(I)'s strong recommendation.
Carefully monitor changes to both the Controlled Unclassified Information (CUI) registry and any potential changes to the overall federal CUI strategy by the Trump administration.
In regard to data aggregation, Deputy Director, Enterprise Information in OUSD(AT&L) should consider using the NIST's aggregation tool described in Chapter Three as a mechanism for systematically combing through the information systems that it currently manages for potential aggregation.

Chapter One

Introduction
Chapter Two

Overview and Analysis of the Current CUI Reform Effort
Chapter Three

Overview of Aggregation of Acquisition Information
Chapter Four

Conclusions and Options
Appendix

Overview of NARA Categories of Importance to the DoD Acquisition Community

Research conducted by

RAND National Security Research Division

This research was sponsored by the Office of the Secretary of Defense and conducted within the Acquisition and Technology Policy Center of the RAND National Defense Research Institute, a federally funded research and development center sponsored by the Office of the Secretary of Defense, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community.

This report is part of the RAND Corporation Research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.

A New Approach to U.S. Security Policy in the Middle East

Wait Times for Veterans Scheduling Health Care Appointments

Elon Musk May Have a Point About Bots on Twitter

Putin's Latest Threats, U.S. Policy in the Middle East, Disaster Recovery: RAND Weekly Recap

Addressing Vaccine Hesitancy with Research

The Policy Currents Podcast

Improving Psychological Wellbeing and Work Outcomes in the UK

Managing Escalation in Crisis and War

Getting to Know Military Caregivers and Their Needs

Planning for the Rising Costs of Dementia