CONTROLLED UNCLASSIFIED INFORMATION
a. The requirements of the Information Security Program apply only to information that requires protection to prevent damage to the national security and has been classified in accordance with E.O. 12958 or its predecessors. There are other types of information that require application of controls and protective measures for a variety of reasons. This information is known as "unclassified controlled information." Since classified information and unclassified controlled information exist side-by-side in the work environments-often in the same documents-this appendix is provided as an attempt to avoid confusion and promote proper handling. It covers several types of unclassified controlled information, and provides basic information about the nature of this information and the procedures for identifying and controlling it. In some cases, the appendix refers to other DoD Directives that provide more detailed guidance.
b. The types of information covered in this appendix include "For Official Use Only" information, "Sensitive But Unclassified" (formerly "Limited Official Use") information, "DEA Sensitive Information," "DoD Unclassified Controlled Nuclear Information," "Sensitive Information" as defined in the Computer Security Act of 1987, and information contained in technical documents.
For Official Use Only Information.
a. "For Official Use Only (FOUO)" is a designation that is applied to unclassified information that may be exempt from mandatory release to the public under the Freedom of Information Act (FOIA). The FOIA specifies nine exemptions which may qualify certain information to be withheld from release to the public if, by its disclosure, a foreseeable harm would occur. They are:
(1) Information which is currently and properly classified.
(2) Information that pertains solely to the internal rules and practices of the agency. (This exemption has two profiles, "high" and "low." The "high" profile permits withholding of a document that, if released, would allow circumvention of an agency rule, policy, or statute, thereby impeding the agency in the conduct of its mission. The "low" profile permits withholding if there is no public interest in the document, and it would be an administrative burden to process the request.)
(3) Information specifically exempted by a statute establishing particular criteria for withholding. The language of the statute must clearly state that the information will not be disclosed.
(4) Information such as trade secrets and commercial or financial information obtained from a company on a privileged or confidential basis that, if released, would result in competitive harm to the company, impair the government's ability to obtain like information in the future, or protect the government's interest in compliance with program effectiveness.
(5) Inter-agency memoranda that are deliberative in nature; this exemption is appropriate for internal documents that are part of the decision making process and contain subjective evaluations, opinions and recommendations.
(6) Information the release of which could reasonably be expected to constitute a clearly unwarranted invasion of the personal privacy of individuals.
(7) Records or information compiled for law enforcement purposes that (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of the personal privacy of others, (d) disclose the identity of a confidential source, (e) disclose investigative techniques and procedures, or (f) could reasonably be expected to endanger the life or physical safety of any individual.
(8) Certain records of agencies responsible for supervision of financial institutions.
(9) Geological and geophysical information concerning wells.
b. Information that is currently and properly classified can be withheld from mandatory release under the first exemption category. "For Official Use Only" is applied to information that is exempt under one of the other eight categories. So, by definition, information must be unclassified in order to be designated FOUO. If an item of information is declassified, it can be designated FOUO if it qualifies under one of those other categories. This means that (1) information cannot be classified and FOUO at the same time, and (2) information that is declassified may be designated FOUO, but only if it fits into one of the last eight exemption categories (categories 2 through 9).
c. The FOIA provides that, for information to be exempt from mandatory release, it must fit into one of the qualifying categories and there must be a legitimate Government purpose served by withholding it. Simply because information is marked FOUO does not mean it automatically qualifies for exemption. If a request for a record is received, the information must be reviewed to see if it meets this dual test. On the other hand, the absence of the FOUO marking does not automatically mean the information must be released. Some types of records (for example, personnel records) are not normally marked FOUO, but may still qualify for withholding under the FOIA.
a. Information that has been determined to qualify for FOUO status should be indicated by markings when included in documents and similar material. Markings should be applied at the time documents are drafted, whenever possible, to promote proper protection of the information.
b. Unclassified documents and material containing FOUO information shall be marked as follows:
(1) Documents will be marked "FOR OFFICIAL USE ONLY" at the bottom of the
front cover (if there is one), the title page (if there is one), the first page, and the
outside of the back cover (if there is one).
(2) Pages of the document that contain FOUO information shall be marked "FOR OFFICIAL USE ONLY" at the bottom.
(3) Material other than paper documents (for example, slides, computer media, films, etc.) shall bear markings which alert the holder or viewer that the material contains FOUO information.
(4) FOUO documents and material transmitted outside the Department of Defense must bear an expanded marking on the face of the document so that non-DoD holders understand the status of the information. A statement similar to this one should be used:
This document contains information exempt from mandatory disclosure under the FOIA.
Exemption(s) ____ apply.
c. Classified documents and material containing FOUO information shall be marked as required by Chapter V of this regulation, with FOUO information identified as follows:
(1) Overall markings on the document shall follow the rules in Chapter 5. No special
markings are required on the face of the document because it contains FOUO information.
(2) Portions of the document shall be marked with their classification as required by Chapter 5. If there are unclassified portions that contain FOUO information, they shall be marked with "FOUO" in parentheses at the beginning of the portion. Since FOUO information is, by definition, unclassified, the "FOUO" is an acceptable substitute for the normal "U."
(3) Pages of the document that contain classified information shall be marked as required by Chapter 5. Pages that contain FOUO information but no classified information will be marked "FOR OFFICIAL USE ONLY" at the top and bottom.
d. Transmittal documents that have no classified material attached, but do have FOUO attachments shall be marked with a statement similar to this one: "FOR OFFICIAL USE ONLY ATTACHMENT."
e. Each part of electrically transmitted messages containing FOUO information shall be marked appropriately. Unclassified messages containing FOUO information shall contain the abbreviation "FOUO" before the beginning of the text.
2-202 Access to FOUO Information
FOUO information may be disseminated within the DoD Components and between officials of the DoD Components and DoD contractors, consultants, and grantees as necessary in the conduct of official business. FOUO information may also be released to officials in other Departments and Agencies of the Executive and Judicial Branches in performance of a valid Government function. (Special restrictions may apply to information covered by the Privacy Act.) Release of FOUO information to Members of Congress is covered by DoD Directive 5400.4, and to the General Accounting Office by DoD Directive 7650.1.
2-203 Protection of FOUO Information
a. During working hours, reasonable steps should be taken to minimize risk of access by unauthorized personnel. After working hours, FOUO information shall be stored in unlocked containers, desks or cabinets if Government or Government-contract building security is provided, or in locked desks, file cabinets, bookcases, locked rooms, or similar items.
b. FOUO documents and material may be transmitted via first class mail, parcel post or-for bulk shipments-fourth class mail. Electronic transmission of FOUO information (voice, data or facsimile) should be by approved secure communications systems whenever practical.
c. Record copies of FOUO documents shall be disposed of in accordance with the Federal Records Act (44 U.S.C. 33) and Component records management directives. Non-record FOUO documents may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers.
2-204 Further Guidance
Further guidance on one type of FOUO information is contained in DoD 5400.11-R, Department of Defense Privacy Program.
Sensitive But Unclassified and Limited Official Use Information
Sensitive But Unclassified (SBU) information is information originated within the Department of State that warrants a degree of protection and administrative control and meets the criteria for exemption from mandatory public disclosure under the Freedom of Information Act. Before 26 May 1995, this information was designated and marked "Limited Official Use (LOU)." The LOU designation will no longer be used.
The Department of State does not require that SBU information be specifically marked, but does require that holders be made aware of the need for controls. When SBU information is included in DoD documents, they shall be marked as if the information were For Official Use Only. There is no requirement to remark existing material containing SBU information.
3-302 Access to SBU Information
Within the Department of Defense, the criteria for allowing access to SBU information are they same as those used for FOUO information.
3-303 Protection of SBU Information
Within the Department of Defense, SBU information shall be protected as required for FOUO information.
Drug Enforcement Administration Sensitive Information
DEA Sensitive information is unclassified information that is originated by the Drug Enforcement Administration and requires protection against unauthorized disclosure to protect sources and methods of investigative activity, evidence, and the integrity of pretrial investigative reports. The Administrator and certain other officials of the DEA have been authorized to designate information as DEA Sensitive; the Department of Defense has agreed to implement protective measures for DEA Sensitive information in its possession. Types of information to be protected include:
a. Information and material that is investigative in nature;
b. Information and material to which access is restricted by law;
c. Information and material that is critical to the operation and mission of the DEA; and
d. Information and material the disclosure of which would violate a privileged relationship.
a. Unclassified documents containing DEA Sensitive information shall be marked "DEA Sensitive" at the top and bottom of the front cover (if there is one), the title page (if there is one), and the outside of the back cover (if there is one).
b. In unclassified documents, each page containing DEA Sensitive information shall be marked "DEA Sensitive" top and bottom. Classified documents containing DEA Sensitive information shall be marked as required by Chapter 5, except that pages containing DEA Sensitive information but no classified information will be marked "DEA Sensitive" top and bottom.
c. Portions of DoD documents that contain DEA Sensitive information shall be marked "(DEA)" at the beginning of the portion. This applies to classified, as well as unclassified documents. If a portion of a classified document contains both classified and DEA Sensitive information, the "DEA" marking shall be included along with the parenthetical classification marking.
4-402 Access to DEA Sensitive Information
Access to DEA Sensitive information shall be granted only to persons who have a valid need-to-know for the information. A security clearance is not required. DEA Sensitive information in the possession of the Department of Defense may not be released outside the Department without authorization by the DEA.
4-403 Protection of DEA Sensitive Information
a. DEA Sensitive material may be transmitted within CONUS by first class mail. Transmission outside CONUS must be by a means approved for transmission of Secret material. Non-government package delivery and courier services may not be used. The material shall be enclosed in two opaque envelopes or containers, the inner one marked "DEA Sensitive" on both sides. Electronic transmission of DEA Sensitive information within CONUS should be over secure communications circuits whenever possible; transmission outside CONUS must be over approved secure communications circuits.
b. Reproduction of DEA Sensitive information and material shall be limited to that required for operational needs.
c. DEA Sensitive material shall be destroyed by a means approved for destruction of Confidential material.
DoD Unclassified Controlled Nuclear Information
DoD Unclassified Controlled Nuclear Information (DoD UCNI) is unclassified information on security measures (including security plans, procedures and equipment) for the physical protection of DoD Special Nuclear Material (SNM), equipment, or facilities. Information is Designated DoD UCNI only when it is determined that its unauthorized disclosure could reasonably be expected to have a significant adverse effect on the health and safety of the public or the common defense and security by increasing significantly the likelihood of the illegal production of nuclear weapons or the theft, diversion, or sabotage of DoD SNM, equipment, or facilities. Information may be designated DoD UCNI by the Heads of the DoD Components and individuals to whom they have delegated the authority.
a. Unclassified documents and material containing DoD UCNI shall be marked as follows:
(1) The face of the document and the outside of the back cover (if there is one) shall
be marked "DoD Unclassified Controlled Nuclear Information."
(2) Portions of the document that contain DoD UCNI shall be marked with "(DoD UCNI)" at the beginning of the portion.
b. Classified documents and material containing DoD UCNI shall be marked in accordance with Chapter V, except that:
(1) Pages with no classified information but containing DoD UCNI shall be marked
"DoD Unclassified Controlled Nuclear Information" at the top and bottom.
(2) Portions of the document that contain DoD UCNI shall be marked with "(DoD UCNI)" at the beginning of the portion-in addition to the classification marking, where appropriate.
c. Material other than paper documents (for example, slides, computer media, films, etc.) shall bear markings that alert the holder or viewer that the material contains DoD UCNI.
d. Documents and material containing DoD UCNI and transmitted outside the Department of Defense must bear an expanded marking on the face of the document so that non-DoD holders understand the status of the information. A statement similar to this one should be used:
DEPARTMENT OF DEFENSE
UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION
EXEMPT FROM MANDATORY DISCLOSURE
(5 U.S.C. 552(b)(3), as authorized by 10 U.S.C. 128)
e. Transmittal documents that have DoD UCNI attachments shall bear a statement: "The attached document contains DoD Unclassified Controlled Nuclear Information (DoD UCNI)."
5-502 Access to DoD UCNI
Access to DoD UCNI shall be granted only to persons who have a valid need-to-know for the information and are specifically eligible for access under the provisions of DoD Directive 5210.83, Department of Defense Unclassified Controlled Nuclear Information (DoD UCNI).
5-503 Protection of DoD UCNI
a. During working hours, reasonable steps should be taken to minimize risk of access by unauthorized personnel. After working hours, DoD UCNI may be stored in unlocked containers, desks or cabinets if Government or Government-contract building security is provided, or in locked buildings, rooms, desks, file cabinets, bookcases, or similar items.
b. DoD UCNI may be transmitted by first class mail in a single, opaque envelope or wrapping. Except in emergencies, electronic transmission of DoD UCNI shall be over approved secure communications circuits.
c. Record copies of DoD UCNI documents shall be disposed of in accordance with the
Federal Records Act (44 U.S.C. 33) and Component records management directives. Non-record
DoD UCNI documents may be destroyed by shredding or tearing into pieces and discarding the
pieces in regular trash containers.
Sensitive Information (Computer Security Act of 1987)
a. The Computer Security Act of 1987 established requirements for protection of certain information in Federal Government automated information systems (AIS). This information is referred to as "sensitive" information, defined in the Act as: "Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy."
b. Two aspects of this definition deserve attention. First, the Act applies only to unclassified information that deserves protection. Second, unlike most other programs for protection of information, the Act is concerned with protecting the availability and integrity, as well as the confidentiality of information. Much of the information which fits the Act's definition of "sensitive" falls within the other categories of information discussed in this Appendix. Some does not.
There is no specific marking authorized for designation of "sensitive" information. If the information fits within one of the other categories of information described in this Appendix, the appropriate marking requirements apply.
6-602 Access to Sensitive Information
If sensitive information falls within one of the other categories of information described in this Appendix, the specific limitations on access for the appropriate category shall be applied. If it does not, access to the information shall be limited only to those with a valid need for such access in order to perform a legitimate organizational function, as dictated by common-sense principles of security management.
6-603 Protection of Sensitive Information
Information on DoD AIS systems that is determined to be "sensitive" within the meaning of the Computer Security Act of 1987 shall be provided protection that is:
a. Determined after thorough consideration of the value and sensitivity of the
information and the probable adverse impact of loss of its availability, integrity or
b. In compliance with applicable DoD policy and requirements for security of information within automated systems;
c. Commensurate with the degree of protection required for the category of information described in this Appendix to which it belongs (if any); and
d. Based on sound application of risk management techniques and procedures.
6-604 Further Guidance
Further guidance is found in DoD Directive 5200.28, Security Requirements for Automated Data Processing (ADP) Systems, and related publications.
DoD Directive 5230.24 requires distribution statements to be placed on technical documents, both classified and unclassified. These statements facilitate control, distribution and release of these documents without the need to repeatedly refer questions to the originating activity. The originating office may, of course, make case-by-case exceptions to distribution limitations imposed by the statements.
7-701 Text of the Statements
Distribution Statement A
Approved for public release; distribution is unlimited.
Distribution Statement B
Distribution authorized to U.S. Government
agencies only; [reason]; [date].
Other requests for this document shall be referred to [controlling DoD office].
Distribution Statement C
Distribution authorized to US Government agencies and their contractors; [reason]; [date].
Other requests for this document shall be referred to [controlling DoD
Distribution Statement D
Distribution authorized to the DoD and US DoD contractors only; [reason]; [date].
Other requests for this document shall be referred to [controlling DoD
Distribution Statement E
Distribution authorized to DoD Components only; [reason]; [date].
Other requests for this document shall be referred to [controlling DoD
Distribution Statement F
Further distribution only as directed by [controlling DoD office] or
higher DoD authority; [date].
Distribution Statement X
Distribution authorized to US Government agencies and private individuals or enterprises eligible to obtain
export-controlled technical data in accordance with DoD Directive 5230.25; [date].
Controlling DoD office is [controlling DoD office].