USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Transcript of USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Page 1: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

USCG Office of Security Policy and Management

Sensitive But Unclassified (SBU) Information

Page 2: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Objectives

• Define Sensitive But Unclassified (SBU) information

• Properly mark SBU information

• Identify the methods of properly safeguarding SBU information

• Describe the proper methods of destroying SBU information

• List the steps to take in the event of an incident involving SBU information

Page 3: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

References

• For Official Use Only (FOUO)

– MD 11042.1, Safeguarding Sensitive But Unclassified (FOUO) Information

• Sensitive Security Information (SSI)

– MD 11056.1; 49 CFR Part 15 and 1520

• Protected Critical Infrastructure Information (PCII)

– 6 CFR Part 29

Page 4: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Sensitive But Unclassified Information

• Is concerned with information - other than classified information - that requires some type of control or protective measure.

• This information is generally known as “Sensitive But Unclassified (SBU)” information.

• USCG uses FOUO, SSI & LES

[Figure labels: OUO, SSI, FOUO, DEA Sensitive, LES]

Page 5: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Caveats Used by Various Agencies to Identify Sensitive Information

• Official Use Only (OUO)

• Law Enforcement Sensitive (LES)

• Limited Official Use (LOU)

• DEA Sensitive

• Many others used by government agencies

Page 6: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

For Official Use Only (FOUO) Information

• A DHS term used to identify unclassified information of a sensitive nature, not otherwise categorized by statute or regulation, the unauthorized disclosure of which could adversely impact a person’s privacy or welfare, the conduct of Federal programs, or other programs or operations essential to the national interest.

(As described in DHS MD11042.1)

Page 7: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

For Official Use Only (FOUO) Information

• For Official Use Only (FOUO)

– Retains the FOUO designation until determined otherwise by someone with jurisdiction over the information

– Does not require declassification markings

– Will not be posted to public websites

– No clearance needed for access; however, there has to be a ‘need-to-know’

Page 8: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

What is “Need-to-Know”?

“A determination made by an authorized holder of the information that a prospective recipient requires access to the information in order to perform or assist in a lawful and authorized governmental function.”*

*DHS MD 11042.1

Page 9: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Examples of FOUO

• System security data, such as threat assessments, system security plans, contingency plans, risk management plans, etc.

• Reviews or reports illustrating or disclosing facility infrastructure or vulnerabilities, such as blueprints and schematics

• Information that could threaten Operations Security (OPSEC), such as indicators of government intentions, capabilities, operations, or activities

Page 10: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Who can designate information as FOUO?

Any USCG employee may designate/mark information as FOUO as long as it falls into one or more of the 11 categories: (As described in DHS MD11042.1)

Officials occupying supervisory or managerial positions may designate information originating under their jurisdiction as FOUO if information does not meet any of the 11 categories on determining FOUO.

Page 11: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

General Handling Procedures

• Types of FOUO may be more sensitive than others; i.e., Information that could:

• Reveal sensitive sources and methods of operations

• Cause loss of life of an informant

• Compromise an important law enforcement operation

• Determining safeguards in excess of the minimum

– Use sound judgment, coupled with evaluating the risk, vulnerabilities, and potential damage to personnel or property as the basis

Page 12: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Marking FOUO Information

Information designated as FOUO will be sufficiently marked so that persons having access to it are aware of its sensitivity and protection requirements.

FIRST PAGE and INTERNAL PAGES – Mark “FOR OFFICIAL USE ONLY”

FRONT COVER, TITLE PAGE, and OUTSIDE BACK COVER – Mark the bottom “FOR OFFICIAL USE ONLY”

[Figure: sample marked document (Department of Homeland Security, June 1, 2005, “For Official Use Only (FOUO) Classification of Information”) showing a title page and internal pages labeled “FOR OFFICIAL USE ONLY”; other labels shown: SECRET, CONFIDENTIAL]

Page 13: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Marking FOUO Information

Marked “For Official Use Only” to alert holder or viewer

[Figure labels: For Official Use Only]

Page 14: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Expanded Markings for Non-USCG Holders

WARNING: This document is FOR OFFICIAL USE ONLY (FOUO). It contains information exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is also controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid “need-to-know” without prior approval of an authorized DHS official.

[Figure: sample document carrying the marking “Warning: This document is For Official Use Only…”]

Page 15: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Duration

• FOUO retains the designation until determined otherwise by someone with jurisdiction over the information.

• Declassification markings are not applicable.

Page 16: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Access

• Access is based on “Need-To-Know”

• Where there is an uncertainty about the requestor’s need-to-know

– The holder of the information will request dissemination instructions from their next-level supervisor or the information's originator.

• Security clearance is not required for access to FOUO information

Page 17: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Dissemination

• Take precautions to prevent unauthorized access

– FOUO will not be disseminated orally, visually, or electronically to unauthorized personnel

• Disseminate to other agencies as determined necessary for official business:

– Federal, state, tribal, local government, law enforcement officials

• Establish a “Need-To-Know”

– When requested by an official from another government agency and there’s no coordinated official governmental activity, a written request will be made to the applicable USCG program office for release determination

Page 18: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Dissemination

• Discussing FOUO over non-secure methods

– Use of a Secure Telephone Unit (STU III) or Secure Telephone Equipment (STE) is encouraged, but not required

Page 19: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Safeguarding

• During working hours

– Keep under personal control

• Use FOUO coversheets

• Turn the document over

– Minimize access

Page 20: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Safeguarding

• After working hours

– Store in a locked file cabinet, locked desk drawer, or locked overhead storage compartment

– Store in a room or area that has sufficient access control measures to afford adequate protection to prevent unauthorized access such as a locked room or area with a guard, cipher lock, or card reader

Page 21: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Safeguarding

• Information Technology systems that store FOUO:

– Will be certified and accredited for operation

– Laptop computers and other media containing FOUO will be stored and protected to prevent loss, theft, unauthorized access and disclosure

– Consult DHS Information Technology Security Program Handbook for Sensitive Systems, Publication 4300A, for more information

Page 22: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Internet/Intranet

• FOUO will not be posted on a USCG or any other internet (public) website

• FOUO may be posted on the USCG intranet or other government controlled network

– Remember that access to the information is on a “need-to-know” basis. The official must determine that the information applies to all personnel in an official capacity

• FOUO will not be sent to personal e-mail accounts

Page 23: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Transmission

• Transmission within the U.S. and its territories:

– Placed in a single opaque envelope or container and sealed to prevent inadvertent opening and to show evidence of tampering

– Mailed - US Postal Service (First class mail)

– Overnight - Accountable commercial delivery service (e.g. FedEx, United Parcel Service, etc.)

– Inter-office mail system – is authorized provided it is afforded sufficient protection to prevent unauthorized access (e.g., sealed envelope)

Page 24: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Transmission

• Facsimile - by secure communications, whenever practical but not required

– Coordinate with the recipient to ensure the materials faxed will not be left unattended or subject to possible unauthorized disclosure

• E-Mail – should be protected by encryption or transmitted within secure communication systems

– If impractical or unavailable, FOUO may be transmitted over regular e-mail channels. Using “Password Protect Attachment” is encouraged

Page 25: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Destruction

• Methods of destruction

– “Paper Products” will be destroyed by shredding, burning, pulping, pulverizing

• Discard the pieces in regular trash or recycle receptacles

• Contact your local security personnel for additional guidance

– Electronic Media

• Sanitizing by overwriting or degaussing

• Contact your local IT security personnel for additional guidance

Page 26: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Incident Reporting

• Report loss or compromise, suspected compromise, or unauthorized disclosure of FOUO to the local security official.

• Incidents involving USCG IT systems will be reported to the Computer Incident Response Center

Page 27: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Let’s check your knowledge!

Page 28: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

What is Sensitive But Unclassified information?

Information that requires additional controls and protective measures

Page 29: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

True or False

FOUO can be transmitted via Parcel Service (UPS).

True

Page 30: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

True or False

Access to FOUO is determined by the recipient of the information.

False. The determination is made by the “holder” of the information.

Page 31: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

What are the proper destruction methods for SBU Information?

• Burning, Shredding, Pulping, and Pulverizing beyond recognition then disposing into regular trash

Page 32: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

Summary

• Sensitive But Unclassified (SBU) information definition

• SBU information marking

• Safeguarding SBU information

• Destroying SBU information

• Incidents involving SBU information.

Page 33: USCG Office of Security Policy and Management Sensitive But Unclassified (SBU) Information.

QUESTIONS?

POINT OF CONTACT:

Judy Petsch, CISSP

Information Security Specialist

202-372-3707