- How far along is the DoD acquisition community in adopting the federal CUI reform effort, and what are the potential challenges to that implementation?
- What are the challenges in managing aggregation of DoD acquisition data?
Acquisition data play a critical role in the management of the U.S. Department of Defense's (DoD's) portfolio of weapon systems. Controlled Unclassified Information (CUI) labels are one of the key methods for protecting sensitive information from disclosure along with appropriate information security. Mandatory U.S. government–wide policies governing handling of unclassified acquisition information exist because of concerns about exploitation by sophisticated adversaries. Executive Order 13556, signed by then–President Barack Obama on November 4, 2010, established a government-wide program for managing CUI, which includes personally identifiable information, proprietary business information, and law enforcement investigation information, among others. As the CUI executive agent, the National Archives and Records Administration is responsible for addressing over 100 ways of characterizing CUI, which it has done in the September 2016 CUI Federal Register. The rules in this register came into effect on November 14, 2016. This report provides a closer look at the current state of the CUI program as well as how the new CUI rules might affect DoD acquisition data management. We found a high degree of overlap in the content, if not the nomenclature, of past and present CUI labels used for acquisition data, but the problem going forward is translating policy into practice.
- Implementation of the new Controlled Unclassified Information (CUI) program is destined to be disruptive.
- Given the emphasis on the importance and specificity of labeling information, training is likely to be extensive and to involve both Department of Defense (DoD) employees and contractors.
- Implementation is currently unfunded, and it is not clear how much of a financial burden implementation will place on those who need to carry it out.
- Several commonly used labels on acquisition information are no longer permitted, which will leave DoD employees and contractors looking for the next "FOUO."
- Identify a point of contact within the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics (OUSD[AT&L]) to help advise on and transition to the new marking regime.
- Actively engage in discussions with the Under Secretary of Defense for Intelligence (USD[I]) during the revision of the DoD CUI policy.
- Work closely with the National Archives and Records Administration as needed to understand some of the current guidance that has been issued at the federal level.
- Hold small working groups with the military services and DoD functions (e.g., Comptroller) in order to further understand the implications of this effort.
- Begin to work to identify training resource requirements.
- Wait to implement until USD(I) completes the guidance per USD(I)'s strong recommendation.
- Carefully monitor changes to both the Controlled Unclassified Information (CUI) registry and any potential changes to the overall federal CUI strategy by the Trump administration.
- In regard to data aggregation, the Deputy Director, Enterprise Information, in OUSD(AT&L) should consider using NIST's aggregation tool described in Chapter Three as a mechanism for systematically combing through the information systems that it currently manages for potential aggregation.
Table of Contents
- Overview and Analysis of the Current CUI Reform Effort
- Overview of Aggregation of Acquisition Information
- Conclusions and Options
- Overview of NARA Categories of Importance to the DoD Acquisition Community
This research was sponsored by the Office of the Secretary of Defense and conducted within the Acquisition and Technology Policy Center of the RAND National Defense Research Institute, a federally funded research and development center sponsored by the Office of the Secretary of Defense, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community.
This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.