Sensitive But Unclassified (SBU) information, while not classified for national security reasons, necessitates careful administrative control and protection. This category of information warrants safeguarding from public or unauthorized disclosure due to various factors, primarily aligning with exemptions outlined in the Freedom of Information Act (FOIA) and the Privacy Act. Understanding and correctly handling SBU information is crucial for maintaining operational integrity and individual privacy within government and related sectors.
Decoding Sensitive But Unclassified (SBU) Information
SBU information is defined as unclassified data that, nevertheless, requires protection. This need for protection stems from its sensitivity, which, if disclosed, could potentially cause harm or violate privacy. The criteria for designating information as SBU are rooted in exemptions from public disclosure laws. Specifically, SBU information typically falls under categories exempted by the Freedom of Information Act (FOIA), 5 U.S.C. 552, and the Privacy Act, 5 U.S.C. 552a. These legal frameworks recognize certain types of information as needing protection beyond the scope of national security classification.
Categories Typically Designated as SBU
Several types of unclassified information are commonly categorized as SBU due to their sensitive nature. These categories are broad and cover a range of information types, reflecting the diverse reasons why unclassified information might still require protection.
Personal Information
This category includes a wide array of personal details such as personnel records, payroll information, medical records, passport details, adoption records, and any other personal information about individuals. This extends to social security numbers, home addresses, and data related to both employees and members of the public. The sensitivity here is to protect individual privacy and prevent potential misuse of personal data.
Confidential Business Information
SBU also encompasses confidential business information, trade secrets, details of contractor bids or proposals, and source selection information. Protecting this type of information is vital for maintaining fair competition and safeguarding proprietary business interests. Unauthorized disclosure could harm business operations and competitive advantages.
Visa and Immigration Records
Department records related to visa issuance or refusal, permits to enter the United States, and asylum requests are also typically classified as SBU. The sensitive nature of these records pertains to privacy concerns, law enforcement interests, and the integrity of immigration processes.
Law Enforcement and Investigative Information
Information concerning law enforcement activities or ongoing investigations falls under SBU. This protection is necessary to maintain the effectiveness of law enforcement operations, protect sources and methods, and ensure fair legal processes. Premature disclosure could compromise investigations and endanger individuals involved.
Infrastructure Vulnerability and Threat Information
This category includes information that, if disclosed, could reveal vulnerabilities in infrastructure protection or detail threats against persons, systems, operations, or facilities. Examples include usernames, passwords, physical, technical, or network specifics, and sometimes even travel itineraries or meeting schedules. It’s important to note that while this information is sensitive, it doesn’t meet the threshold for national security classification under Executive Order (EO) 13526.
Critical Infrastructure Protection Information
Information not publicly available and related to the protection of critical infrastructure assets, operations, or resources—whether physical or cyber—as defined in the Homeland Security Act, 6 U.S.C. 131(c), is considered SBU. This is to safeguard essential services and national security by preventing exploitation of vulnerabilities in critical infrastructure.
Design and Construction Details
Certain design and construction information is also categorized as SBU. This notably includes details related to diplomatic missions abroad. The Diplomatic Security (DS) Security Classification Guide for the Design and Construction of Overseas Facilities, dated May 2003, sets out specific guidelines for this category, emphasizing the protection of graphic depictions of floor plans and specifications for foreign affairs offices and representational housing overseas. Similarly, design and construction drawings and specifications of General Services Administration (GSA) facilities are protected as outlined in GSA Order PBS 3490.1A, dated June 1, 2009.
Attorney-Client and Work Product Privileges
Privileged attorney-client communications related to legal advice and documents constituting attorney work product, created in anticipation of litigation, are also SBU. This protection upholds legal privileges and ensures candid legal counsel without fear of disclosure.
Internal Government Deliberations
Inter- or intra-agency communications, including emails, that are part of the internal deliberative processes of the U.S. Government are considered SBU. Disclosure of these communications could harm decision-making within government agencies by chilling open and frank discussion.
Implementing SBU Policies
The policy for handling SBU information is consistently applied across relevant departments and agencies, ensuring a uniform approach to its protection. This standardized implementation helps in maintaining clarity and operational efficiency when dealing with sensitive unclassified data.
Access, Dissemination, and Responsible Release of SBU
Managing access, dissemination, and release of SBU material is a critical aspect of its protection. U.S. citizen direct-hire supervisory employees hold the primary responsibility in this area. All employees are expected to exercise caution and limit access to SBU information to prevent unauthorized or unintended disclosure.
Guidelines for Internal and External Circulation
Generally, SBU material can be circulated within the Executive Branch, including to locally employed staff (LE Staff), when necessary for official U.S. Government functions. However, specific laws, regulations, or agreements might impose further restrictions on certain types of SBU information. For instance, information protected under the Privacy Act has stricter distribution rules, limited to a “need-to-know” basis within the Department and restricted from external distribution except under specific statutory exemptions or “routine uses.”
Pre-Distribution Verification
Before distributing any SBU information, employees must verify that the distribution is permissible and, if required, specifically authorized. This step is crucial to ensure compliance with all applicable regulations and to prevent inadvertent breaches of security protocols.
Marking and Awareness
Whenever practical, SBU information must be marked to alert recipients to its specific controls. While certain documents like standard forms and medical records may not be suitable for marking, many others, such as emails, cables, and memoranda, should be marked according to established guidelines. These markings serve as constant reminders of the information’s sensitive nature and the need for careful handling.
Handling NOFORN Information
SBU information not authorized for release to non-U.S. citizens, including LE Staff, must be marked SBU/NOFORN (Not for release to foreign nationals). This designation indicates a higher level of restriction and necessitates stricter handling procedures to prevent dissemination to foreign entities.
Confidentiality and Foreign Relations
It is vital to understand that the SBU label cannot substitute for classification when dealing with information obtained from or exchanged with a foreign government or international organization where public release would violate confidentiality or harm foreign relations. In such cases, classification is necessary to ensure appropriate protection under FOIA and other access laws.
Unencrypted Transmission with Authorization
In situations where an individual has explicitly authorized their personal information to be sent unencrypted over unsecured electronic mediums like the Internet, fax, or wireless phone, the transmission may proceed without adherence to standard SBU provisions. However, obtaining explicit authorization is crucial in these scenarios.
Employee Obligations and Rights
These SBU provisions align with broader employee obligations, rights, and liabilities, reinforcing a cohesive framework for responsible information handling within government service.
SBU Handling Procedures: Ensuring Data Protection
The handling, processing, transmission, and storage of SBU information require methods that minimize the risk of unauthorized disclosure, regardless of the medium used.
Safeguarding During Travel and Temporary Duty
Employees traveling or on temporary duty (TDY) must take extra precautions to safeguard SBU information from unauthorized access. This applies whether the information is in paper form, on electronic media like CDs or diskettes, or on portable digital devices such as laptops or PDAs. Secure storage and handling are essential during travel to maintain data integrity.
Fax, Mail, Storage, and Destruction Protocols
Specific protocols govern fax transmission, mailing, storage, and destruction of SBU information to maintain its confidentiality and prevent unauthorized access.
Secure Transmission Considerations
Transmitting SBU information over unencrypted electronic point-to-point links such as VoIP, telephones, or faxes carries an inherent risk of interception by unintended recipients. Employees should evaluate whether the sensitivity of the information warrants using secure fax, secure phone, or encrypted communication methods instead. When using a non-secure fax, confirming that an authorized recipient is present at the receiving end is mandatory.
Mailing Guidelines
SBU information can be sent via the U.S. Postal Service (USPS) or commercial delivery services. When mailing SBU information (excluding SBU/NOFORN) to overseas posts, the preferred channels are the unclassified registered pouch or a Military Postal Facility (MPF) via USPS; foreign postal services may be used when necessary. Except when using a pouch, mail packaging must not reveal its contents or SBU status.
Secure Storage Practices
During non-duty hours, SBU information and removable electronic media in U.S. Government facilities must be secured in a locked office or suite, or a locked container. Outside government facilities, employees must ensure positive accountability and protect SBU information from unauthorized access, such as by storing it in a locked briefcase or desk in a home office. Leaving SBU unsecured in unoccupied hotel rooms or unattended public spaces is strictly prohibited. Custodians of medically privileged information must ensure its secure storage when not in use.
Proper Destruction Methods
Destroying SBU documents requires methods that prevent reconstruction or unauthorized access. Acceptable methods include shredding, burning, or other techniques consistent with law and regulation.
Automated Information System (AIS) Processing and Transmission
Processing SBU information on Department Automated Information Systems (AIS) is governed by specific requirements. These requirements ensure that AIS systems provide adequate security controls to protect SBU data. For regular transmissions of SBU information outside the Department network to specific officials or personal addresses, employees should seek guidance on implementing secure technical solutions, such as Public Key Infrastructure (PKI) programs.
Electronic Transmission Via the Internet: Risks and Precautions
Electronic transmission of SBU information via the internet demands careful consideration due to inherent security risks.
General Policy and Secure Methods
The Department’s general policy mandates conducting day-to-day operations on authorized AIS with appropriate security controls, including nonrepudiation, authentication, and encryption. Approved secure methods for transmitting SBU information should be used whenever available and practical.
Risks of Unencrypted Internet Transmission
Transmissions from the Department’s OpenNet to non-U.S. Government internet addresses (and even other .gov or .mil addresses) often traverse the internet unencrypted unless specifically routed through secure means. Employees must be aware of the sensitivity of the information and mandated security controls, evaluating security risks to determine if more secure transmission methods are necessary.
Conditions for Unencrypted Internet Transmission
In the absence of a Department-provided secure method and with a valid business need, unencrypted internet transmission of SBU information may be considered, but only after careful deliberation of several critical points:
Prohibited Information
Specifically, the security classification guide states that SBU information within categories 12 FAM 541 paragraph b(7)(a) and (b) – relating to design and construction details – must never be sent unencrypted via the Internet.
Vulnerability to Unauthorized Access
Unencrypted information transmitted via the Internet is inherently susceptible to access by unauthorized personnel. This vulnerability underscores the need for caution and secure alternatives whenever possible.
Multi-Point Communication Risks
Internet email transmissions are typically multi-point communications routed along paths of least resistance, potentially passing through multiple foreign- and U.S.-controlled Internet service providers (ISPs). This routing increases exposure and the risk of interception.
ISP Server Residence
Once SBU information resides on an ISP server, it remains there until overwritten, creating a window of vulnerability.
Compromise of Confidentiality and Integrity
Unencrypted email transmissions are at risk of compromising both information confidentiality and integrity, highlighting the need for secure transmission methods.
Risks on Personally Owned Computers
SBU information on personally owned computers connected to the Internet is generally more vulnerable to cyber attacks and compromise compared to government-owned computers.
Global Accessibility of the Internet
The Internet’s global accessibility, lacking physical or traditional territorial boundaries, magnifies risks, especially when transmissions pass through foreign ISPs or servers.
Targeted Technology Risks
Current technology can target specific email addresses, suffixes, and content of unencrypted messages, increasing the risk of focused interception.
Prohibited Public Internet Posting
SBU information must never be posted on any public Internet website, discussed in public chat rooms, or shared in any other public online forum. This prohibition is absolute, to prevent broad, uncontrolled dissemination.
Auto-Forwarding Preclusion
To prevent inadvertent transmission of prohibited SBU information over the Internet, AIS users must not use “auto-forward” functions to send emails outside the Department’s network.
Handling SBU on Publicly Available Computers
SBU information created or downloaded to publicly available non-U.S. Government-owned computers, such as Internet kiosks, should be removed immediately when no longer needed to minimize exposure risks.
Security Measures for Personally Owned Computers
Users processing SBU information on personally owned computers must ensure adequate security. This includes disabling unencrypted wireless access, maintaining physical security, using anti-virus and anti-spyware software, and keeping operating system and application security patches, virus definitions, firewall versions, and spyware definitions current.
Secure Transmission Between Department Facilities
All SBU transmissions between Department facilities must be encrypted to meet current National Institute of Standards and Technology (NIST), DS, and Information Technology Change Control Board standards. This encryption requirement ensures a secure channel for inter-departmental SBU communication.
SBU/NOFORN: Enhanced Protection for Sensitive Data
SBU/NOFORN information represents a subset of SBU data that requires even stricter protection. This category is designated for information prohibited from dissemination to non-U.S. citizens, indicated by the NOFORN caveat.
Elevated Protection Requirements
SBU/NOFORN information demands a higher degree of protection compared to standard SBU information. Consequently, specific, stringent procedures must be followed:
- System Authorization: Process and transmit SBU/NOFORN information only on systems authorized by the Department for classified information transmission, storage, and processing. This ensures handling within secure, approved environments.
- Encrypted Communication: Fax or discuss SBU/NOFORN information over telephone lines only via encrypted telephone lines. Secure communication channels are mandatory to prevent interception.
- Secure Mailing Procedures: Mail SBU/NOFORN information to posts via classified pouch or to an MPF via USPS registered mail. USPS registered mail must be packaged discreetly, without disclosing contents or SBU/NOFORN status.
- Enhanced Off-Duty Security: Secure SBU/NOFORN information during non-duty hours following the same rigorous guidelines as for CONFIDENTIAL information. This level of security mirrors that of classified data, reflecting the sensitivity of NOFORN information.
- Department-Approved Destruction: Destroy SBU/NOFORN documents using Department-approved methods, such as shredding, burning, or other techniques consistent with laws and regulations for destroying classified information. This ensures complete and secure disposal.
By adhering to these comprehensive guidelines, individuals and organizations can effectively manage and protect Sensitive But Unclassified (SBU) information, ensuring both operational security and individual privacy. Understanding directives from security classification guides and implementing robust handling procedures are paramount in maintaining data integrity and preventing unauthorized disclosures.