
Privacy and Controlled Unclassified Information

Robert S. Metzger

Federal regulations require departments and agencies to protect the confidentiality, integrity, and availability of information types known as “controlled unclassified information” (CUI). Safeguarding requirements are specified in the Federal Information Security Modernization Act (FISMA) of 2014. The Department of Defense requires its suppliers to protect the confidentiality of “covered defense information,” which includes all CUI categories. The National Institute of Standards and Technology (NIST) is the source of controls and enhancements used to protect CUI on federal information systems.

There are numerous types of CUI. Regulations define CUI as information that laws, regulations, or government-wide policies require to have safeguarding or dissemination controls. The National Archives and Records Administration (NARA) maintains a “registry” of CUI, which includes 20 “Organizational index groupings.” “Privacy” is one of the 20 groupings.

Individuals whose personal records are collected, hosted, or processed by the federal government benefit from the records’ designation as CUI because protection is required by federal law. One such law, the Privacy Act of 1974, restricts the government’s collection, use, and dissemination of personal information. The problem is that these measures do not reach information types outside CUI categories or encompass records in the possession of commercial entities, which, by definition, never become “records” of a federal agency. Thus, the current federal system would benefit significantly by incorporating concepts from other regimes, such as the General Data Protection Regulation (GDPR) of the European Union (EU).

Reach of federal privacy measures. Increasingly, forms of information that concern individuals or implicate their privacy interests are collected without ever being furnished to the federal government or included in a “system of records” as regulated by the Privacy Act. Information generated through social media or consumer web interaction, for example, or captured through the operation of autonomous sensors such as those used by Internet of Things (IoT) technologies, impacts the privacy and civil liberty interests of hundreds of millions of U.S. persons. Only if the non-federal entity operates a “system of records” for a federal agency or uses or operates an information system “on behalf of” a federal agency does the full range of federal protections apply.

As practiced by the federal government today, privacy is subordinate to security. The principal purpose of FISMA, the NARA CUI Rule, and the NIST safeguards, as well as that of current federal security regulations applicable to contractors, is to ensure that federal agencies protect the confidentiality, integrity, and availability of information types where this is required by operation of federal law, regulation, or government-wide policy.

Too often, individuals whose personal and privacy interests are exposed are uninformed entirely about the collection of information and its use, or receive a meaningless “notice” of a breach followed by uninformed “consent.”

The IoT as a “forcing function.” There is no assurance that individuals whose data are harvested from IoT devices are even aware of what systems collect information from or about them, or how, by whom, or for what that information is used—much less that these individuals have approved such collection or use. Should a security breach occur, these individuals are exposed to adverse personal consequences even though they may never have had a clue that information about them was being collected by persons—or “things.” Nothing in contemporary statutory or regulatory obligations even contemplates, much less protects, new information types, as collectible through the IoT, that can be used or abused to affect, impair, or injure the personal privacy interests of individuals.

The GDPR is a different paradigm. The GDPR applies to the processing of personal data of subjects residing in the EU, regardless of where the processing takes place or the location of the company with custody over the data. U.S. and multinational companies may be subject to the GDPR. The relationship between privacy and security under the GDPR and the importance of the individual, as opposed to the organization, differ profoundly from those in the United States.

The federal regime for protection of CUI has a primary compliance objective for the organization, with some protection of individual privacy as an included but subordinate benefit. The GDPR seeks protection of privacy—and security is a means to achieve that goal.

The subject of the GDPR is personal data. The GDPR provides an expansive definition of the personal data that are to be protected, that are subject to many enumerated individual rights, and that impose obligations on enterprises that are “controllers” or “processors.”

There is some overlap between the types of CUI in the NARA registry and the categories of personal data protected under the GDPR. In every case, the CUI definitions are written not to cast a “broad net” to capture the interests of the actually affected individuals, but to conform to specific federal laws, regulations, or government-wide policies.

The GDPR takes a completely different approach. The GDPR is agnostic to technologies and endorses no specific control regime. The GDPR is strategic and seeks to achieve high-level privacy objectives that have no generally applicable U.S. counterpart. The GDPR includes a right of erasure. For this purpose, a data controller “shall take reasonable steps, including technical measures.” The GDPR requires security of processing, which involves “technical and organizational measures appropriate to risk.” The GDPR requires an “impact assessment,” which calls for “security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance.” The GDPR imposes obligations on data processors and controllers to “implement appropriate technical and organizational measures to ensure” compliance. The GDPR is silent on methods, standards, and practices. Instead, the emphasis is on discrete objectives, and it is the responsibility of data controllers and processors to select and implement technical measures sufficient to achieve these ends.

There is no effective or demonstrated enforcement mechanism of U.S. contract requirements to safeguard CUI. Rarely has the federal government sought damages from a contractor that failed to fulfill security requirements. And, if it did, damages would be difficult to quantify, and any damages recovered would inure to the benefit of the government, not any individuals whose data are compromised. This is a far cry from the GDPR, which states, at Article 82, that any person who has suffered “material or non-material damage” as a result of infringement of the GDPR “shall have the right to receive compensation from the controller or processor for the damage suffered.”


This article is an abridged and edited version of one that originally appeared on page 16 of The SciTech Lawyer, Spring 2019 (15:3).

For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221.



The material in all ABA publications is copyrighted and may be reprinted by permission only.

Robert S. Metzger is a shareholder of Rogers Joseph O’Donnell, PC, a law firm that has specialized in public contracts for more than 35 years.