Index

APPENDIX C

CONTROLLED UNCLASSIFIED INFORMATION

Section 1

Introduction

1-100 General

a. The requirements of the Information Security Program apply only to information that requires protection to prevent damage to the national security and has been classified in accordance with E.O. 12958 or its predecessors. There are other types of information that require application of controls and protective measures for a variety of reasons. This information is known as "unclassified controlled information." Since classified information and unclassified controlled information exist side-by-side in the work environments-often in the same documents-this appendix is provided as an attempt to avoid confusion and promote proper handling. It covers several types of unclassified controlled information, and provides basic information about the nature of this information and the procedures for identifying and controlling it. In some cases, the appendix refers to other DoD Directives that provide more detailed guidance.

b. The types of information covered in this appendix include "For Official Use Only" information, "Sensitive But Unclassified" (formerly "Limited Official Use") information, "DEA Sensitive Information," "DoD Unclassified Controlled Nuclear Information," "Sensitive Information" as defined in the Computer Security Act of 1987, and information contained in technical documents.

Section 2

For Official Use Only Information.

2-200 Description

a. "For Official Use Only (FOUO)" is a designation that is applied to unclassified information that may be exempt from mandatory release to the public under the Freedom of Information Act (FOIA). The FOIA specifies nine exemptions which may qualify certain information to be withheld from release to the public if, by its disclosure, a foreseeable harm would occur. They are:

b. Information that is currently and properly classified can be withheld from mandatory release under the first exemption category. "For Official Use Only" is applied to information that is exempt under one of the other eight categories. So, by definition, information must be unclassified in order to be designated FOUO. If an item of information is declassified, it can be designated FOUO if it qualifies under one of those other categories. This means that (1) information cannot be classified and FOUO at the same time, and (2) information that is declassified may be designated FOUO, but only if it fits into one of the last eight exemption categories (categories 2 through 9).

c. The FOIA provides that, for information to be exempt from mandatory release, it must fit into one of the qualifying categories and there must be a legitimate Government purpose served by withholding it. Simply because information is marked FOUO does not mean it automatically qualifies for exemption. If a request for a record is received, the information must be reviewed to see if it meets this dual test. On the other hand, the absence of the FOUO marking does not automatically mean the information must be released. Some types of records (for example, personnel records) are not normally marked FOUO, but may still qualify for withholding under the FOIA.

2-201 Markings

a. Information that has been determined to qualify for FOUO status should be indicated by markings when included in documents and similar material. Markings should be applied at the time documents are drafted, whenever possible, to promote proper protection of the information.

b. Unclassified documents and material containing FOUO information shall be marked as follows:

c. Classified documents and material containing FOUO information shall be marked as required by Chapter V of this regulation, with FOUO information identified as follows:

d. Transmittal documents that have no classified material attached, but do have FOUO attachments shall be marked with a statement similar to this one: "FOR OFFICIAL USE ONLY ATTACHMENT."

e. Each part of electrically transmitted messages containing FOUO information shall be marked appropriately. Unclassified messages containing FOUO information shall contain the abbreviation "FOUO" before the beginning of the text.

2-202 Access to FOUO Information

FOUO information may be disseminated within the DoD Components and between officials of the DoD Components and DoD contractors, consultants, and grantees as necessary in the conduct of official business. FOUO information may also be released to officials in other Departments and Agencies of the Executive and Judicial Branches in performance of a valid Government function. (Special restrictions may apply to information covered by the Privacy Act.) Release of FOUO information to Members of Congress is covered by DoD Directive 5400.4, and to the General Accounting Office by DoD Directive 7650.1.

2-203 Protection of FOUO Information

a. During working hours, reasonable steps should be taken to minimize risk of access by unauthorized personnel. After working hours, FOUO information shall be stored in unlocked containers, desks or cabinets if Government or Government-contract building security is provided, or in locked desks, file cabinets, bookcases, locked rooms, or similar items.

b. FOUO documents and material may be transmitted via first class mail, parcel post or-for bulk shipments-fourth class mail. Electronic transmission of FOUO information (voice, data or facsimile) should be by approved secure communications systems whenever practical.

c. Record copies of FOUO documents shall be disposed of in accordance with the Federal Records Act (44 U.S.C. 33) and Component records management directives. Non-record FOUO documents may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers.

2-204 Further Guidance

Further guidance on one type of FOUO information is contained in DoD 5400.11-R, Department of Defense Privacy Program.

Section 3

Sensitive But Unclassified and Limited Official Use Information

3-300 Description

Sensitive But Unclassified (SBU) information is information originated within the Department of State that warrants a degree of protection and administrative control and meets the criteria for exemption from mandatory public disclosure under the Freedom of Information Act. Before 26 May 1995, this information was designated and marked "Limited Official Use (LOU)." The LOU designation will no longer be used.

3-301 Markings

The Department of State does not require that SBU information be specifically marked, but does require that holders be made aware of the need for controls. When SBU information is included in DoD documents, they shall be marked as if the information were For Official Use Only. There is no requirement to remark existing material containing SBU information.

3-302 Access to SBU Information

Within the Department of Defense, the criteria for allowing access to SBU information are they same as those used for FOUO information.

3-303 Protection of SBU Information

Within the Department of Defense, SBU information shall be protected as required for FOUO information.

Section 4

Drug Enforcement Administration Sensitive Information

4-400 Description

DEA Sensitive information is unclassified information that is originated by the Drug Enforcement Administration and requires protection against unauthorized disclosure to protect sources and methods of investigative activity, evidence, and the integrity of pretrial investigative reports. The Administrator and certain other officials of the DEA have been authorized to designate information as DEA Sensitive; the Department of Defense has agreed to implement protective measures for DEA Sensitive information in its possession. Types of information to be protected include:

4-401 Markings

a. Unclassified documents containing DEA Sensitive information shall be marked "DEA Sensitive" at the top and bottom of the front cover (if there is one), the title page (if there is one), and the outside of the back cover (if there is one).

b. In unclassified documents, each page containing DEA Sensitive information shall be marked "DEA Sensitive" top and bottom. Classified documents containing DEA Sensitive information shall be marked as required by Chapter 5, except that pages containing DEA Sensitive information but no classified information will be marked "DEA Sensitive" top and bottom.

c. Portions of DoD documents that contain DEA Sensitive information shall be marked "(DEA)" at the beginning of the portion. This applies to classified, as well as unclassified documents. If a portion of a classified document contains both classified and DEA Sensitive information, the "DEA" marking shall be included along with the parenthetical classification marking.

4-402 Access to DEA Sensitive Information

Access to DEA Sensitive information shall be granted only to persons who have a valid need-to-know for the information. A security clearance is not required. DEA Sensitive information in the possession of the Department of Defense may not be released outside the Department without authorization by the DEA.

4-403 Protection of DEA Sensitive Information

a. DEA Sensitive material may be transmitted within CONUS by first class mail. Transmission outside CONUS must be by a means approved for transmission of Secret material. Non-government package delivery and courier services may not be used. The material shall be enclosed in two opaque envelopes or containers, the inner one marked "DEA Sensitive" on both sides. Electronic transmission of DEA Sensitive information within CONUS should be over secure communications circuits whenever possible; transmission outside CONUS must be over approved secure communications circuits.

b. Reproduction of DEA Sensitive information and material shall be limited to that required for operational needs.

c. DEA Sensitive material shall be destroyed by a means approved for destruction of Confidential material.

Section 5

DoD Unclassified Controlled Nuclear Information

5-500 Description

DoD Unclassified Controlled Nuclear Information (DoD UCNI) is unclassified information on security measures (including security plans, procedures and equipment) for the physical protection of DoD Special Nuclear Material (SNM), equipment, or facilities. Information is Designated DoD UCNI only when it is determined that its unauthorized disclosure could reasonably be expected to have a significant adverse effect on the health and safety of the public or the common defense and security by increasing significantly the likelihood of the illegal production of nuclear weapons or the theft, diversion, or sabotage of DoD SNM, equipment, or facilities. Information may be designated DoD UCNI by the Heads of the DoD Components and individuals to whom they have delegated the authority.

5-501 Markings

a. Unclassified documents and material containing DoD UCNI shall be marked as follows:

b. Classified documents and material containing DoD UCNI shall be marked in accordance with Chapter V, except that:

c. Material other than paper documents (for example, slides, computer media, films, etc.) shall bear markings that alert the holder or viewer that the material contains DoD UCNI.

d. Documents and material containing DoD UCNI and transmitted outside the Department of Defense must bear an expanded marking on the face of the document so that non-DoD holders understand the status of the information. A statement similar to this one should be used:

DEPARTMENT OF DEFENSE

UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION

EXEMPT FROM MANDATORY DISCLOSURE

(5 U.S.C. 552(b)(3), as authorized by 10 U.S.C. 128)

e. Transmittal documents that have DoD UCNI attachments shall bear a statement: "The attached document contains DoD Unclassified Controlled Nuclear Information (DoD UCNI)."

5-502 Access to DoD UCNI

Access to DoD UCNI shall be granted only to persons who have a valid need-to-know for the information and are specifically eligible for access under the provisions of DoD Directive 5210.83, Department of Defense Unclassified Controlled Nuclear Information (DoD UCNI).

5-503 Protection of DoD UCNI

a. During working hours, reasonable steps should be taken to minimize risk of access by unauthorized personnel. After working hours, DoD UCNI may be stored in unlocked containers, desks or cabinets if Government or Government-contract building security is provided, or in locked buildings, rooms, desks, file cabinets, bookcases, or similar items.

b. DoD UCNI may be transmitted by first class mail in a single, opaque envelope or wrapping. Except in emergencies, electronic transmission of DoD UCNI shall be over approved secure communications circuits.

c. Record copies of DoD UCNI documents shall be disposed of in accordance with the Federal Records Act (44 U.S.C. 33) and Component records management directives. Non-record DoD UCNI documents may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers.

Section 6

Sensitive Information (Computer Security Act of 1987)

6-600 Description

a. The Computer Security Act of 1987 established requirements for protection of certain information in Federal Government automated information systems (AIS). This information is referred to as "sensitive" information, defined in the Act as: "Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy."

b. Two aspects of this definition deserve attention. First, the Act applies only to unclassified information that deserves protection. Second, unlike most other programs for protection of information, the Act is concerned with protecting the availability and integrity, as well as the confidentiality of information. Much of the information which fits the Act's definition of "sensitive" falls within the other categories of information discussed in this Appendix. Some does not.

6-601 Markings

There is no specific marking authorized for designation of "sensitive" information. If the information fits within one of the other categories of information described in this Appendix, the appropriate marking requirements apply.

6-602 Access to Sensitive Information

If sensitive information falls within one of the other categories of information described in this Appendix, the specific limitations on access for the appropriate category shall be applied. If it does not, access to the information shall be limited only to those with a valid need for such access in order to perform a legitimate organizational function, as dictated by common-sense principles of security management.

6-603 Protection of Sensitive Information

Information on DoD AIS systems that is determined to be "sensitive" within the meaning of the Computer Security Act of 1987 shall be provided protection that is:

6-604 Further Guidance

Further guidance is found in DoD Directive 5200.28, Security Requirements for Automated Data Processing (ADP) Systems, and related publications.

Section 7

Technical Documents

7-700 General

DoD Directive 5230.24 requires distribution statements to be placed on technical documents, both classified and unclassified. These statements facilitate control, distribution and release of these documents without the need to repeatedly refer questions to the originating activity. The originating office may, of course, make case-by-case exceptions to distribution limitations imposed by the statements.

7-701 Text of the Statements

Distribution Statement A

Approved for public release; distribution is unlimited.

Distribution Statement B

Distribution authorized to U.S. Government

agencies only; [reason]; [date].

Other requests for this document shall be referred to [controlling DoD office].

Distribution Statement C

Distribution authorized to US Government agencies and their contractors; [reason]; [date].

Other requests for this document shall be referred to [controlling DoD office].

Distribution Statement D

Distribution authorized to the DoD and US DoD contractors only; [reason]; [date].

Other requests for this document shall be referred to [controlling DoD office].

Distribution Statement E

Distribution authorized to DoD Components only; [reason]; [date].

Other requests for this document shall be referred to [controlling DoD office].

Distribution Statement F

Further distribution only as directed by [controlling DoD office] or higher DoD authority; [date].

Distribution Statement X

Distribution authorized to US Government agencies and private individuals or enterprises eligible to obtain

export-controlled technical data in accordance with DoD Directive 5230.25; [date].

Controlling DoD office is [controlling DoD office].