 |
Protecting SensitiveProtecting
Sensitive Unclassified Information
|
The term sensitive unclassified information
as used here is an informal designation applicable to all those types and forms of information that, by law or
regulation, require some form of protection but are outside the formal system for classifying national security
information.1 As a general rule, all such information may be exempt from release to the public
under the Freedom of Information Act. This module reviews the most common types of
sensitive unclassified information.2
Department of Defense also uses the term
Controlled Unclassified Information (CUI) to refer to certain types of
sensitive information within DoD that require controls and protective
measures. CUI includes For Official Use Only and information with
comparable designations that is received from other agencies, DoD
Unclassified Controlled Nuclear Information, "Sensitive
Information" as defined in the Computer Security Act of 1987, and DoD
technical data.3
Some information that is not formally
designated as sensitive is nonetheless inappropriate for putting on a public Internet
site. This is discussed in Pre-Publication Review of
Public Web Site Content.
Most categories of sensitive
unclassified information are
defined by federal law, while others such as For Official Use Only are defined by
organization policy and some government organizations use different names
for this category of information. Most legislative authorities are very specific in identifying the
protected category of information, while others are general and leave much discretion to
the agency or company.
Procedures for safeguarding sensitive
unclassified information
depend upon the category of information and, in some cases, vary from one agency or
company to another.
Generally speaking, the law provides
protection for established categories of protected information only when the owners of the
information have taken reasonable or required steps to protect it. These steps are
sometimes stated in the law or regulation, however, they are often left up to the
information owner to develop internally. Legal history shows that the following elements
are key to successful enforcement of an information protection program. The agency or
company must have:
Procedures for
handling the various categories of sensitive unclassified information vary from one agency or company to
another. This is due to different legal and/or regulatory requirements for each category
and the agency or organization’s implementation of those requirements. Factors
affecting the implementation are the degree of sensitivity of the information, nature of
the threat to the information, vulnerability of the information, options that are
available for protecting the information, and organizational facilities/capabilities for
secure handling, storage and transmission.
Reference
1. The Department of State uses Sensitive
But Unclassified (SBU) as a document designation comparable to For Official
Use Only.
2. Information on the various categories of sensitive unclassified information is
based on a research report prepared for PERSEREC by John Tippit &
Associates.
3. DoD Regulation 5200.1-R, Information Security Program.
|