CUI for intelligence data

[cdmgtri]

NIEM 5.0 RC1 did not take into account any of our comments pointing out issues using NIEM’s CUI for intelligence data:

1. Possible duplication of or conflict between ISM attributes and NIEM CUI attributes in commingled NIEM document.

2. Cross-domain processes will experience significant performance hits with complex NIEM CUI schema objects that can be repeated an infinite number of times.

3. cui:LimitedDisseminationControlDLONLYText is still just text, not something like NTK that can be used by automated systems.

   • Also allows multiple cui:LimitedDisseminationControlDLONLYText; unclear what that means.

4. Using very complex XML objects for data that is intended to be short text in the CUI “block” elements of cui:DecontrolEvent and cui:DecontrolContactInformation.

5. NIEM CUI schema does not appear to be compatible with core IC and DoD XML standards, which will limit the ability to use NIEM CUI for data exchange in these communities.

   • NIEM not compatible with IC-TDF, IC-EDH, ERM.
   • NIEM does not implement business logic, e.g., as Schematron rules.

6. NIEM assumes standalone CUI data.

   • Needs to assume multiple use cases as follows: (1) Commingled content, this will require both NSS (National Security Systems) and CUI marking. (2) Life-cycle dynamics where CUI moves into NSS (e.g., technology maturation/application), or NSS moves into CUI. (3) Aggregation and compilation use cases as defined in DODI 5200.34 or applicable SCG. (4) Data analytics where content may be composed apriori - this leads to the case of CUI content becoming comingled in ways that were not considered at the time the original content was produced.

Feedback submitted for RC2 via email

[cchipman6]

Per CUI meeting 9Oct20: Limit cui:LimnitedDisseminationControlDLONLYText to maxOccurs="1". No other changes required to support this issue.