a. Exemption two permits the withholding of information which pertains solely to the internal rules and practices of a government agency. This exemption has a high and low profile. The high profile permits the withholding of a document which, if released, would allow circumvention of an agency rule, policy, or statute, thereby impeding the agency in the conduct of its mission. The low profile permits withholding if there is no public interest in the document, and it would be an administrative burden to process the request.

b. Exemption three permits the withholding of information that a statute specifically exempts from disclosure by terms that permit no discretion on the issue, or in accordance with criteria established by that statute for withholding or referring to particular types of matters to be withheld.

c. The fourth exemption permits withholding information such as trade secrets and commercial and financial information obtained from a company on a privileged or confidential basis which, if released, would result in competitive harm to the company.

d. The fifth category exempts inter- and intra-agency memoranda which are deliberative in nature. This exemption is appropriate for internal documents which are part of the decision making process and contain subjective evaluations, opinions, and recommendations.

e. Exemption six provides for the withholding of information, the release of which could reasonably be expected to constitute a clearly unwarranted invasion of personal privacy of individuals.

f. The seventh exemption permits withholding records or information compiled for law enforcement purposes that could reasonably be expected to interfere with law enforcement proceedings; would deprive a person of the right to a fair trial or impartial adjudication; could reasonably be expected to constitute an unwarranted invasion of personal privacy of others; disclose the identity of a confidential source; disclose investigative techniques, or could reasonably be expected to endanger the life or physical safety of any individual.

g. The eighth exemption permits withholding records or information contained in or relating to examination, operation or condition reports prepared by, on behalf of, or for the use of any agency responsible for the regulation or supervision of financial institutions.

h. The ninth exemption permits withholding records or information containing geological and geophysical information and data (including maps) concerning wells.

a. For many years, it has been the policy of the DoD to place distribution statements on documents containing unclassified scientific and technical information which was produced either within DoD or on its behalf by others. Until recent times, however, this policy was only marginally directed toward restricting the disclosure of such information to the public and thus to foreign persons. Moreover, although it was the policy to apply such distribution markings, the practice did not always conform to the policy. The result was that sensitive scientific and technical information occasionally found its way into the public domain -- to include the foreign public.

b. This situation was compounded with the enactment of the FOIA. The FOIA made no provision for exempting unclassified government scientific and technical information from public disclosure, even that information which would be subject to export controls. Although the precise effect of this circumstance on the flow of sensitive U.S. technology overseas is debatable, there can be little doubt that unintended transfers of technology to foreign recipients occurred in this manner.

c. It was not until 1984 that the situation was remedied. Enactment of P.L. 98-94 provided the Secretary of Defense with the authority to withhold from the public critical technologies.

d. To implement PL 98-94, the Department of Defense published DoD Directive 5230.25 and updated the existing DoD Directive 5230.24. The former interprets and amplifies the provisions of the law and establishes procedures both for withholding such information from the public and for allowing dissemination to those persons, inside and outside the U.S. Government, who have a demonstrable need for the information. The latter is a revision and update of the old DoD policy pertaining to the application of distribution statements to unclassified technical documents. A general familiarity with the salient policy and procedural features of these two directives is essential to an overall understanding of the DoD policy governing the control of critical technology.

a. DoD Directive 5230.25 applies to all unclassified technical data with military or space application in the possession of, or under the control of, a DoD component which may not be exported lawfully without approval, authorization or license under the EAA (reference d) or the AECA.

b. Critical technology consists of:

c. Technical data with military or space application is any blueprints, drawings, plans, instructions, computer software and documentation, or other technical information that can be used or be adapted for use to design, engineer, produce, manufacture, operate, repair, overhaul, or reproduce any military or space equipment or technology concerning such equipment.

d. DoD Directive 5230.25 does not govern the release of technical data by DoD Components to foreign governments, international organizations or foreign contractors that are carried out under a U.S. Government international program or a U.S. Government approved export authorization. As discussed in Chapter 2, an export authorization is required for commercial exports of this technical data unless it qualifies for an exemption under the ITAR (reference c) or the EAR (reference v). For commercial exports under the EAR and ITAR, the export authorization should contain the access, use and distribution restrictions that apply to critical technology approved for export to foreign governments or their contractors. A Form DSP-83, Non-transfer and Use Certificate, may also be required for the export of classified articles and technical data under the ITAR. For Government programs, the requirements should be included in the sales contract or agreement. See also Chapter 2, Subsection C.1.a.

e. DoD Directive 5230.25 requires that U.S. contractors be certified with the Defense Logistics Agency (DLA) to obtain export controlled technical data from DoD sources. Since Canadian industry is by law a part of the North American Defense Mobilization Base, they are also eligible for certification and access to most of this information on the same basis as U.S. registered contractors. (See subsection 8., below.)

a. DoD Directive 5230.24 requires that all DoD Components that generate or are responsible for technical documents determine their distribution availability and mark them appropriately before primary distribution. Managers of technical programs are required to assign appropriate distribution statements to technical documents generated within their programs to control the secondary distribution of those documents. Therefore, technical data with military or space application also must be marked with a prescribed export warning statement, in addition to other markings authorizing or restricting secondary distribution.

b. The importance of applying this export warning statement is illustrated by the following:

c. In addition to an export warning statement, or even if one is not applicable, all documents produced by or for the Department of Defense must be marked with a prescribed statement governing distribution if they fall within any of the following categories:

d. These distribution statements range from "approved for public release; distribution is unlimited" to "further dissemination only as directed by the controlling DoD office or higher DoD authority." Appendix D contains the export warning statements and a list of required distribution statements for unclassified technical documents, with supporting rationale for choosing the appropriate one.

a. DoD policy currently encourages that the FOUO marking be applied when otherwise exempt information is generated. However, all official information must be reviewed before release to the public, including foreign governments and international organizations and their representatives. The release of the information to foreign nationals requires the consent of the originator.

b. FOUO information must be controlled in a manner sufficient to ensure that unauthorized persons do not gain access. Normally it is sufficient to lock the information in a desk drawer, bookcase, filing cabinet or similar container or a locked room to which only authorized persons have access. A FOUO cover sheet should be used to conceal the information when it is not in use and not secured. It must be encrypted when transmitted electronically. Secure voice and telefax equipment are to be used. This requirement may be waived by the originator of the information to be transmitted. However, it should be recalled that authorized access in some cases is subject to criminal penalties. It may be sent via first-class mail or parcel post. It may be destroyed in any manner that would reasonably preclude easy reconstruction of the contents. Appropriate administrative disciplinary action shall be taken against those responsible for unauthorized disclosure. Unauthorized disclosure of FOUO that is protected by the Privacy Act (5 U.S.C. 552A, (reference uu)) may result in civil or criminal sanctions. See DoD 5400.7-R (reference h). Unauthorized disclosures of technical data controlled by the AECA can result in criminal prosecution.

a. As a condition of receiving DoD- or DND-controlled technical data, the contractor agrees to use the data only in ways mandated by DoD Directive 5230.25 or the TDCR. The contractor must certify that it needs the technical data to bid or perform on a contract with an agency of the U.S. or Canadian Government, as applicable, or for other legitimate business purposes. Other legitimate business purposes include:

b. The contractor also:

c. The Department of Defense also exempts certified Canadian contractors from the need to obtain approval from DoD for unclassified visits to DoD contractor installations to obtain unclassified militarily critical technical data. Canada's Industrial Security Program procedures also allow for direct contractor-to-contractor arrangements for such visits by U.S. certified contractors. As a result, JCO certified U.S. and Canadian contractors may make visit arrangements involving only unclassified technical data directly with a U.S. or Canadian contractor.

d. This program does not extend to company proprietary technical data that is not controlled by DoD or DND. Therefore, it does not govern the private exchange of industry-generated export-controlled technical data. In these cases contractors must follow the guidelines established in U.S. or Canadian export control regulations, as applicable.

e. The U.S.-Canada Joint Certification Program pamphlet (reference ww) contains additional information, procedures and restrictions. This pamphlet is available from:

a. Foreign government information is defined by Executive Order 12356 as:

b. Foreign government information must retain its original classification, or be assigned a U.S. classification designation that will provide protection equivalent to that provided by the furnishing government or organization.

c. E.O. 12356 states that there is a presumption of damage to national security in the event of unauthorized disclosure of foreign government information. Therefore, foreign government unclassified information that is provided in confidence is to be classified at least CONFIDENTIAL but higher whenever the damage criteria for SECRET or TOP SECRET are met. Unclassified foreign government information provided in confidence, must be classified by an

original classification authority. If there is uncertainty concerning whether the information is to be handled "in confidence", the providing government or international organization should be consulted to reach agreement on controls to be applied.

d. When unclassified foreign government "in confidence" information is involved in an international program, program documentation (e.g., the MOU or PSI) should include procedures on handling the information.

a. Foreign government designations for classified information generally parallel U.S. security classification designations. However, some foreign governments have a fourth level of classification, RESTRICTED, for which there is no equivalent U.S. classification. When foreign information is received, it is to be marked with the equivalent U.S. classification and the country of origin in English, unless it is already so marked. Foreign Government RESTRICTED information is to be marked CONFIDENTIAL in addition to the identity of the country of origin. Classified foreign government information and unclassified foreign government information provided in confidence that is marked with a U.S. classification pursuant to DoD 5200.1-R must be transferred through government-to-government channels. Foreign government classification designations and U.S. equivalents are at Appendix E.

b. U.S. documents that contain foreign government information must be marked with a notation that states "THIS DOCUMENT CONTAINS FOREIGN GOVERNMENT INFORMATION." In addition, the portions containing foreign government information must be marked to identify the classification level and country of origin (e.g., UK-C or UK-R). The foreign government document or authority on which the classification is based, in addition to the identification of any U.S. classification authority, must be identified on the "Classified by" line. A continuation sheet should be used for multiple sources, if necessary. The "Declassify on" line will contain "ORIGINATING AGENCY'S DETERMINATION REQUIRED" or "OADR." A U.S. document marked as described herein cannot be downgraded below the highest level of foreign government information contained in the document or be declassified without the written permission of the foreign government or international organization that originated the information.

c. Security clearances issued by the U.S. Government are valid for access to classified foreign government information of a comparable level. Access to foreign government RESTRICTED information requires a U.S. Government CONFIDENTIAL clearance.

d. Foreign government information or material classified TOP SECRET, SECRET, or CONFIDENTIAL must be stored in the manner required for U.S. information of the same level by DoD 5200.1-R and the NISPOM (reference aa). Foreign government information or material classified RESTRICTED must be stored in the same manner as U.S. CONFIDENTIAL information. To avoid inadvertent compromise, foreign government classified material must be stored in a manner that will avoid commingling with other material. For small volumes of material, separate files in the same vault, container, or drawer will suffice.

e. Holders of foreign government information classified TOP SECRET, SECRET or CONFIDENTIAL must establish procedures to account for this material in a manner such that it can be located at all times. They must ensure that access is limited to only those persons who require access for the purpose for which the information was furnished by the providing government.

f. Foreign government information can not be disclosed to nationals of third countries, including intending citizens, or to any other third party, or used for other than the purpose for which the foreign government provided it without the originating government's written consent. Government agencies must submit requests for other uses or further disclosure to the originating government. Contractors will submit their requests through the contracting U.S. Government agency for U.S. contracts and the Cognizant Security Office (CSO) for direct commercial contracts.

g. The ITAR requires a license for the commercial export or reexport of foreign government information unless the information is exported to the original source of import.

h. The transmission of foreign government information within the United States among U.S. Government agencies and U.S. contractors and between U.S. contractors with a need to know, must be in accordance with DoD 5200.1-R and the NISPOM.

i. The international transfer of foreign government classified information must be through government-to-government channels in compliance with Chapter 6 of this handbook.