全球智库信息集成服务系统

Identifying Which Sensitive Unclassified Information in Defense Acquisition Requires Protection and How to Properly Protect It Through the Use of Appropriate Markings and Security Policy Can Be Problematic

• The current environment in which acquisition data are protected and shared can be characterized by many organizations promulgating policy on overlapping and interrelated topics, policies that are relatively new and change frequently, and an ill-defined Controlled Unclassified Information (CUI) policy. Those who originate the policies do not fund their implementation, meaning that a new or changed policy is effectively an unfunded requirement for information system managers.
• The authors were unable to find any single document that collects and describes the most commonly used CUI labels in the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics. Some of these labels are legacy markings and practices that are not aligned with draft CUI policy. As a result, acquisition documentation with CUI may be mislabeled.
• Proprietary information (PROPIN) is a special class of CUI that relates to information and data developed by a private entity but shared with the government. Substantial confusion exists within DoD about what information is truly proprietary, who can have access to it, and how to grant access when needed. While there are some laws and policy that describe PROPIN, no single source describes the processes and procedures.
• Security policies tend to be one-size-fits-all, which does not reflect the unique characteristics of each information system. Originators of security policies do not fund their implementation, meaning that a new or changed policy is effectively an unfunded requirement for system managers.