Section 1526 of the fiscal 2022 National Defense Authorization Act (NDAA) required the Pentagon to assess DoD’s controlled unclassified information (CUI) program 180 days after the enactment of the NDAA, as part of the law’s requirement for the Pentagon to create a cybersecurity framework for the U.S. defense industrial base.
By press time on July 14, DoD had not responded to an email query about whether the Pentagon has established such a cybersecurity framework with the CUI assessment.
The cybersecurity framework would go beyond the DoD Cybersecurity Maturity Model Certification 2.0 that the Pentagon adopted in November, 2021 to help prevent adversaries from gaining access to defense systems information held by contractors (Defense Daily, Nov. 4, 2021).
The CUI assessment language stemmed from an amendment last year to the NDAA by Rep. Steven Horsford (D-Nev.), a member of the House Armed Services Committee’s strategic forces and tactical air and land forces panels.
Section 1526 of the fiscal 2022 NDAA modifies Section 1648 of Section 1648 of the fiscal year 2020 NDAA and requires the Pentagon CUI assessment to include the definitions of CUI and For Official Use Only (FOUO), policies for protecting information in those categories, an explanation of the CUI program, recommended regulatory or policy changes to ensure “consistency and clarity” in CUI identification and marking requirements, circumstances that would designate commercial information as CUI, and “examples or scenarios to illustrate information that is and is not CUI.”
In a Feb. 23 letter to Defense Secretary Lloyd Austin, Democratic leaders of the House Oversight and Reform Committee expressed concern that DoD and the armed services “have inappropriately limited access to information related to military weapon systems by marking the information as controlled unclassified information (CUI).”
“As DoD works to protect sensitive details about U.S. military weapon systems, the department must strike a balance to ensure that sensitive information is handled appropriately, while information in the public interest is not kept secret,” according to the letter from Committee Chairwoman Carolyn Maloney (D-N.Y.), Rep. Steven Lynch (D-Mass.), chairman of the committtee’s national security panel; Rep. Gerald Connolly (D-Va.), chairman of the committee’s government operations panel; and Rep. Katie Porter (D-Calif.).
“Increased secrecy will result in less transparency and accountability regarding the efficacy of these [weapon] systems,” the letter said.
Annual reports by the Pentagon Director of Operational Test and Evaluation (DOT&E), created by Congress in 1983, have customarily included detailed reports on weapon systems, including their deficiencies, but the CUI designation has the potential to remove such systems from full public scrutiny.
For example, the program for the Lockheed Martin [LMT] F-35 fighter has said that the four Category 1B deficiencies remaining on the fifth-generation jet qualify as CUI, and thus the program declined to identify them or elaborate on planned fixes (Defense Daily, July 7). Category 1B deficiencies are those that represent a critical impact to mission readiness, while more serious Category 1A deficiencies are those that entail a risk to life or the loss of the aircraft.
The legislators’ Feb. 23 letter said that the public version of the fiscal 2021 DOT&E annual report excludes certain information on the F-35, the Lockheed Martin CH-53K and HH-60W helicopters, and the Army’s chosen suppliers for M1158 7.62 mm ammunition, although such information resided in the DOT&E fiscal 2020 report.
The letter asked DoD to deliver a justification of each CUI designation in the non-public version of the fiscal 2021 DOT&E annual report and a list of the parties responsible for each such CUI designation.
Former President Obama’s Executive Order 13556 on Nov. 4, 2010 created the CUI designation. DoD has said that “CUI policy provides a uniform marking system across the federal government that replaces a variety of agency-specific markings, such as FOUO, LES [Law Enforcement Sensitive], SBU [Sensitive But Unclassified], etc.” and that the establishment of CUI “was a watershed moment in the department’s information security program, formally acknowledging that certain types of UNCLASSIFIED information are extremely sensitive, valuable to the United States, sought after by strategic competitors and adversaries, and often have legal safeguarding requirements.”