The categorization of Controlled Unclassified Information (CUI), as defined by the National Institute of Standards and Technology (NIST) Special Publication 800-171, is a critical aspect of cybersecurity for organizations that handle sensitive data. CUI is information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. Decontrolling CUI, on the other hand, is the process of removing the CUI designation from information that is no longer considered sensitive or in need of special protection.
Understanding who has the authority to decontrol CUI is vital for organizations seeking to declassify information appropriately. The rules and regulations surrounding CUI are complex, and it's important to navigate the process correctly to ensure compliance with federal requirements.
In this article, we'll provide comprehensive information about who can decontrol CUI and the steps involved in the declassification process. Whether you're an organization seeking to declassify information or a professional looking to understand the complexities of CUI management, this article will serve as a valuable guide.
Transition paragraph from opening section to main content section:
To gain a deeper understanding of the intricacies of CUI declassification, it's essential to examine the roles and responsibilities of various entities involved in the process. In the following sections, we'll delve into the specific authorities authorized to remove CUI designations and the procedures they must follow to ensure compliance.
Who Can Decontrol CUI
The following entities possess the authority to declassify Controlled Unclassified Information (CUI):
- Original classification authority
- Delegated declassification authority
- Senior agency official
- Information owner
- Mandatory review authority
- Automatic declassification authority
- Interagency Security Classification Appeals Panel (ISCAP)
- President of the United States
- Director of National Intelligence
Each of these entities has specific criteria and procedures that must be followed in order to declassify CUI.
Original classification authority
The original classification authority (OCA) is the individual or entity that initially classifies information as CUI. This authority is typically assigned to specific positions or offices within an organization, such as the CEO, CIO, or records manager.
The OCA has the authority to declassify CUI that it originally classified, as well as CUI that has been subsequently disseminated or transferred. In order to declassify CUI, the OCA must determine that the information no longer meets the criteria for classification. This determination must be based on a review of the information itself, as well as any relevant classification guidance or policy.
The OCA must also ensure that declassifying the information will not pose a risk to national security or other protected interests. If the OCA determines that the information can be declassified, it must mark the information as "declassified" and remove any classification markings. The OCA must also notify any recipients of the information that it has been declassified.
In some cases, the OCA may delegate declassification authority to other individuals or entities within the organization. This delegation must be done in writing and must specify the scope of the authority being delegated. The OCA remains ultimately responsible for ensuring that all CUI is declassified properly.
It's important to note that the OCA's authority to declassify CUI is not absolute. In some cases, information that has been declassified by the OCA may be reclassified by a higher authority. Additionally, the President of the United States has the authority to declassify any CUI, regardless of who originally classified it.
Delegated declassification authority
In some cases, the original classification authority (OCA) may delegate declassification authority to other individuals or entities within the organization. This delegation must be done in writing and must specify the scope of the authority being delegated. The OCA remains ultimately responsible for ensuring that all CUI is declassified properly.
Delegated declassification authority is typically granted to individuals or entities who have a need-to-know the classified information and who are authorized to handle it. This may include senior managers, program managers, or other officials who are responsible for making decisions about the release of information.
Individuals or entities with delegated declassification authority must follow the same procedures and requirements as the OCA when declassifying CUI. This includes reviewing the information itself, as well as any relevant classification guidance or policy, to determine if the information still meets the criteria for classification. They must also ensure that declassifying the information will not pose a risk to national security or other protected interests.
If an individual or entity with delegated declassification authority determines that information can be declassified, they must mark the information as "declassified" and remove any classification markings. They must also notify any recipients of the information that it has been declassified.
It's important to note that delegated declassification authority is not absolute. The OCA can revoke the delegation at any time, and the President of the United States has the authority to declassify any CUI, regardless of who originally classified it or who has been delegated declassification authority.
Senior agency official
In addition to the original classification authority (OCA) and individuals or entities with delegated declassification authority, senior agency officials also have the authority to declassify CUI. Senior agency officials are typically the heads of agencies or their designees.
Senior agency officials have the authority to declassify CUI that was originally classified by their agency, as well as CUI that has been subsequently disseminated or transferred. In order to declassify CUI, senior agency officials must follow the same procedures and requirements as the OCA. This includes reviewing the information itself, as well as any relevant classification guidance or policy, to determine if the information still meets the criteria for classification. They must also ensure that declassifying the information will not pose a risk to national security or other protected interests.
If a senior agency official determines that information can be declassified, they must mark the information as "declassified" and remove any classification markings. They must also notify any recipients of the information that it has been declassified.
Senior agency officials also have the authority to delegate declassification authority to other individuals or entities within their agency. This delegation must be done in writing and must specify the scope of the authority being delegated. The senior agency official remains ultimately responsible for ensuring that all CUI is declassified properly.
It's important to note that the authority of senior agency officials to declassify CUI is not absolute. The OCA can revoke the delegation at any time, and the President of the United States has the authority to declassify any CUI, regardless of who originally classified it or who has been delegated declassification authority.
Information owner
The information owner is the individual or entity that is responsible for the creation, maintenance, and dissemination of CUI. Information owners may be individuals, such as authors or researchers, or they may be organizations, such as government agencies or private companies.
-
Determining classification status:
Information owners are responsible for determining the classification status of the information they create or handle. This includes identifying the specific classification level (e.g., Top Secret, Secret, Confidential) and any special handling instructions.
-
Applying classification markings:
Information owners are responsible for applying the appropriate classification markings to CUI. These markings must be applied in a consistent and standardized manner in accordance with applicable regulations and guidance.
-
Safeguarding CUI:
Information owners are responsible for safeguarding CUI from unauthorized disclosure or access. This includes implementing appropriate security measures, such as access controls, encryption, and physical security.
-
Declassifying CUI:
Information owners may also have the authority to declassify CUI that they originally classified or that has been subsequently disseminated or transferred to them. To declassify CUI, information owners must follow the same procedures and requirements as the original classification authority (OCA).
In some cases, information owners may delegate declassification authority to other individuals or entities within their organization. This delegation must be done in writing and must specify the scope of the authority being delegated. The information owner remains ultimately responsible for ensuring that all CUI is declassified properly.
Mandatory review authority
Mandatory review authorities are individuals or entities that are responsible for reviewing CUI that has been classified for more than a specified period of time. The purpose of mandatory review is to ensure that CUI remains classified only as long as necessary and that it is declassified when it no longer meets the criteria for classification.
Mandatory review authorities are typically established by statute or executive order. In the United States, the mandatory review authority is the Information Security Oversight Office (ISOO), which is part of the National Archives and Records Administration (NARA).
ISOO is responsible for conducting mandatory reviews of CUI that has been classified for more than 25 years. ISOO may also conduct mandatory reviews of CUI that has been classified for less than 25 years if there is reason to believe that the information no longer meets the criteria for classification.
To conduct a mandatory review, ISOO requests the classified information from the agency that originally classified it. The agency then reviews the information and determines whether it should be declassified. If the agency determines that the information should be declassified, it will mark the information as "declassified" and remove any classification markings. The agency will also notify any recipients of the information that it has been declassified.
Mandatory review is an important part of the CUI declassification process. It helps to ensure that CUI is declassified when it is no longer necessary to protect it from unauthorized disclosure.
Automatic declassification authority
Automatic declassification authority is a specific type of declassification authority that allows certain CUI to be declassified automatically after a specified period of time. This type of authority is typically granted to CUI that has a short shelf life or that is not considered to be particularly sensitive.
-
Executive Order 13526:
Executive Order 13526, signed by President Barack Obama in 2009, established a system of automatic declassification for certain types of CUI. Under this order, CUI that is classified at the Confidential level or below is automatically declassified after 10 years, unless the OCA takes action to extend the classification period.
-
Other statutes and regulations:
Other statutes and regulations may also grant automatic declassification authority for specific types of CUI. For example, the Atomic Energy Act of 1954 automatically declassifies certain types of nuclear information after 25 years.
-
Agency policies and procedures:
Some agencies may also have their own policies and procedures for automatic declassification of CUI. These policies and procedures may vary depending on the agency's mission and the sensitivity of the information involved.
-
Public interest:
In some cases, CUI may be declassified automatically if it is in the public interest to do so. For example, CUI may be declassified automatically if it is necessary to protect public health or safety, or if it is necessary to ensure the accountability of government officials.
Automatic declassification authority is an important part of the CUI declassification process. It helps to ensure that CUI is declassified when it is no longer necessary to protect it from unauthorized disclosure.
Interagency Security Classification Appeals Panel (ISCAP)
The Interagency Security Classification Appeals Panel (ISCAP) is an independent panel that reviews appeals of classification decisions made by original classification authorities (OCAs). ISCAP is composed of senior representatives from various government agencies, including the Department of Defense, the Department of State, and the Central Intelligence Agency.
Individuals or entities who believe that CUI has been improperly classified or that a classification decision was made in error may file an appeal with ISCAP. ISCAP will review the appeal and make a recommendation to the OCA regarding whether the classification decision should be upheld, modified, or reversed.
ISCAP has the authority to declassify CUI that it determines has been improperly classified. ISCAP may also recommend that the OCA declassify CUI that it believes is no longer necessary to protect from unauthorized disclosure.
ISCAP plays an important role in ensuring that CUI is classified and declassified properly. ISCAP's independent review process helps to ensure that classification decisions are made in a fair and impartial manner and that CUI is declassified when it is no longer necessary to protect it from unauthorized disclosure.
To file an appeal with ISCAP, individuals or entities must submit a written request to the ISCAP Secretariat. The request must include the following information:
- The name and contact information of the appellant.
- A description of the CUI that is the subject of the appeal.
- The classification level of the CUI.
- The date of the classification decision.
- The reasons why the appellant believes the classification decision was improper or in error.
ISCAP will review the appeal and make a recommendation to the OCA within 90 days of receiving the request. The OCA is not bound by ISCAP's recommendation, but it must give great weight to ISCAP's findings and recommendations.
President of the United States
The President of the United States has the ultimate authority to declassify any CUI, regardless of who originally classified it or who has been delegated declassification authority. This authority is derived from the President's constitutional powers as Commander-in-Chief and Chief Executive.
The President may declassify CUI by issuing an executive order, a written directive, or an oral statement. The President may also delegate declassification authority to other individuals or entities, such as the heads of executive agencies or the Director of National Intelligence.
The President's declassification authority is not absolute. The President cannot declassify CUI that has been classified by statute. Additionally, the President must consider the potential harm to national security and other protected interests before declassifying CUI.
The President's declassification authority is an important part of the CUI declassification process. It allows the President to declassify CUI that is no longer necessary to protect from unauthorized disclosure, even if the OCA or other declassification authorities are unwilling or unable to do so.
In recent years, there have been calls for the President to declassify more CUI, especially CUI related to historical events or government misconduct. However, the President has been reluctant to declassify CUI, citing concerns about national security and the need to protect sensitive information.
Director of National Intelligence
The Director of National Intelligence (DNI) has the authority to declassify CUI that was originally classified by the intelligence community. The DNI may also declassify CUI that has been subsequently disseminated or transferred to the intelligence community.
The DNI's declassification authority is derived from Executive Order 12333, which was signed by President Ronald Reagan in 1981. Executive Order 12333 established the National Security Council (NSC) as the principal body for overseeing the classification and declassification of national security information. The NSC is chaired by the President and includes the Vice President, the Secretary of State, the Secretary of Defense, and the DNI.
The DNI is responsible for developing and implementing policies and procedures for the classification and declassification of national security information within the intelligence community. The DNI also oversees the Intelligence Community Declassification Center (ICDC), which is responsible for reviewing and declassifying CUI that is no longer necessary to protect from unauthorized disclosure.
The DNI's declassification authority is an important part of the CUI declassification process. It allows the DNI to declassify CUI that is no longer necessary to protect from unauthorized disclosure, even if the OCA or other declassification authorities are unwilling or unable to do so.
In recent years, there have been calls for the DNI to declassify more CUI, especially CUI related to intelligence activities and surveillance programs. However, the DNI has been reluctant to declassify CUI, citing concerns about national security and the need to protect sensitive information.
FAQ
The following are some frequently asked questions about who can declassify Controlled Unclassified Information (CUI):
Question 1: Who is the original classification authority (OCA)?
Answer: The OCA is the individual or entity that initially classifies information as CUI. This authority is typically assigned to specific positions or offices within an organization, such as the CEO, CIO, or records manager.
Question 2: Who can be granted delegated declassification authority?
Answer: In some cases, the OCA may delegate declassification authority to other individuals or entities within the organization. This delegation must be done in writing and must specify the scope of the authority being delegated.
Question 3: Who are senior agency officials?
Answer: Senior agency officials are typically the heads of agencies or their designees. They have the authority to declassify CUI that was originally classified by their agency, as well as CUI that has been subsequently disseminated or transferred.
Question 4: Who is the information owner?
Answer: The information owner is the individual or entity that is responsible for the creation, maintenance, and dissemination of CUI. Information owners may be individuals, such as authors or researchers, or they may be organizations, such as government agencies or private companies.
Question 5: Who is the mandatory review authority?
Answer: Mandatory review authorities are individuals or entities that are responsible for reviewing CUI that has been classified for more than a specified period of time. The purpose of mandatory review is to ensure that CUI remains classified only as long as necessary and that it is declassified when it no longer meets the criteria for classification.
Question 6: Who has automatic declassification authority?
Answer: Automatic declassification authority is a specific type of declassification authority that allows certain CUI to be declassified automatically after a specified period of time. This type of authority is typically granted to CUI that has a short shelf life or that is not considered to be particularly sensitive.
Question 7: Who is the Interagency Security Classification Appeals Panel (ISCAP)?
Answer: ISCAP is an independent panel that reviews appeals of classification decisions made by original classification authorities (OCAs). ISCAP is composed of senior representatives from various government agencies, including the Department of Defense, the Department of State, and the Central Intelligence Agency.
Question 8: Who is the President of the United States?
Answer: The President of the United States has the ultimate authority to declassify any CUI, regardless of who originally classified it or who has been delegated declassification authority. This authority is derived from the President's constitutional powers as Commander-in-Chief and Chief Executive.
Question 9: Who is the Director of National Intelligence?
Answer: The Director of National Intelligence (DNI) has the authority to declassify CUI that was originally classified by the intelligence community. The DNI may also declassify CUI that has been subsequently disseminated or transferred to the intelligence community.
These are just some of the most frequently asked questions about who can declassify CUI. For more information, please consult the relevant laws, regulations, and policies.
The following tips may be helpful for those who are seeking to declassify CUI:
Tips
The following are some tips for those who are seeking to declassify Controlled Unclassified Information (CUI):
Tip 1: Determine if you have the authority to declassify the information.
Only certain individuals and entities have the authority to declassify CUI. These individuals and entities include the original classification authority (OCA), individuals or entities with delegated declassification authority, senior agency officials, information owners, mandatory review authorities, and the President of the United States. If you are not sure whether you have the authority to declassify the information, you should consult with your supervisor or legal counsel.
Tip 2: Follow the proper procedures for declassifying the information.
There are specific procedures that must be followed when declassifying CUI. These procedures vary depending on who is declassifying the information and the type of information being declassified. For more information on the declassification procedures, please consult the relevant laws, regulations, and policies.
Tip 3: Consider the potential consequences of declassifying the information.
Before you declassify CUI, you should carefully consider the potential consequences of doing so. Declassifying information may have a negative impact on national security or other protected interests. You should also consider the impact that declassifying the information may have on the individuals or entities who are mentioned in the information.
Tip 4: Keep a record of your declassification actions.
It is important to keep a record of your declassification actions. This record should include the date of declassification, the classification level of the information before and after declassification, and the reasons for declassifying the information. This record will help you to demonstrate that you followed the proper procedures for declassifying the information.
By following these tips, you can help to ensure that CUI is declassified properly and in a timely manner.
The following conclusion summarizes the main points of the article:
Conclusion
In this article, we have discussed the various individuals and entities that have the authority to declassify Controlled Unclassified Information (CUI). We have also provided tips for those who are seeking to declassify CUI.
It is important to remember that the declassification of CUI is a serious matter with potentially far-reaching consequences. Only authorized individuals and entities should declassify CUI, and they should follow the proper procedures for doing so.
The goal of the CUI declassification process is to ensure that information is declassified as soon as it is no longer necessary to protect it from unauthorized disclosure. This process helps to ensure that the public has access to information that is important to their understanding of government activities and decision-making.
We hope that this article has been helpful in providing you with a better understanding of who can declassify CUI and the process for doing so.
If you have any questions about the CUI declassification process, please consult with your supervisor or legal counsel.