U.S. Government Sensitive but Unclassified Information

New report from the GAO: "GAO-06-385 - The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information," March 2006:

Federal agencies report using 56 different sensitive but unclassified designations (16 of which belong to one agency) to protect sensitive information--from law or drug enforcement information to controlled nuclear information--and agencies that account for a large percentage of the homeland security budget reported using most of these designations. There are no governmentwide policies or procedures that describe the basis on which agencies should use most of these sensitive but unclassified designations, explain what the different designations mean across agencies, or ensure that they will be used consistently from one agency to another. In this absence, each agency determines what designations to apply to the sensitive but unclassified information it develops or shares. For example, one agency uses the Protected Critical Infrastructure Information designation, which has statutorily prescribed criteria for applying, sharing and protecting the information, whereas 13 agencies designate information For Official Use Only, which does not have similarly prescribed criteria. Sometimes agencies used different labels and handling requirements for similar information and, conversely, similar labels and requirements for very different kinds of information. More than half of the agencies reported encountering challenges in sharing such information. For example, DHS said that sensitive but unclassified information disseminated to its state and local partners had, on occasion, been posted to public Internet sites or otherwise compromised, potentially revealing possible vulnerabilities to business competitors.

Here's the list:

Table 2: Sensitive but Unclassified Designations in Use at Selected Federal Agencies

| No. | Designation | Agencies using designation |
|---|---|---|
| 1 | Applied Technology | *Department of Energy (DOE) |
| 2 | Attorney-Client Privilege | Department of Commerce (Commerce), *DOE |
| 3 | Business Confidential | *DOE |
| 4 | Budgetary Information | Environmental Protection Agency (EPA) |
| 5 | Census Confidential | Commerce |
| 6 | Confidential Information Protection and Statistical Efficiency Act Information (CIPSEA) | Social Security Administration (SSA) |
| 7 | Computer Security Act Sensitive Information (CSASI) | Department of Health and Human Services (HHS) |
| 8 | Confidential | Department of Labor |
| 9 | Confidential Business Information (CBI) | Commerce, EPA |
| 10 | Contractor Access Restricted Information (CARI) | HHS |
| 11 | Copyrighted Information | *DOE |
| 12 | Critical Energy Infrastructure Information (CEII) | Federal Energy Regulatory Commission (FERC) |
| 13 | Critical Infrastructure Information | Office of Personnel Management (OPM) |
| 14 | DEA Sensitive | Department of Justice (DOJ) |
| 15 | DOD Unclassified Controlled Nuclear Information | Department of Defense (DOD) |
| 16 | Draft | EPA |
| 17 | Export Controlled Information | *DOE |
| 18 | For Official Use Only (FOUO) | Commerce, DOD, Department of Education, EPA, General Services Administration, HHS, DHS, Department of Housing and Urban Development (HUD), DOJ, Labor, OPM, SSA, and the Department of Transportation (DOT) |
| 19 | For Official Use Only--Law Enforcement Sensitive | DOD |
| 20 | Freedom of Information Act (FOIA) | EPA |
| 21 | Government Confidential Commercial Information | *DOE |
| 22 | High-Temperature Superconductivity Pilot Center Information | *DOE |
| 23 | In Confidence | *DOE |
| 24 | Intellectual Property | *DOE |
| 25 | Law Enforcement Sensitive | Commerce, EPA, DHS, DOJ, HHS, Labor, OPM |
| 26 | Law Enforcement Sensitive/Sensitive | DOJ |
| 27 | Limited Distribution Information | DOD |
| 28 | Limited Official Use (LOU) | DHS, DOJ, Department of Treasury |
| 29 | Medical records | EPA |
| 30 | Non-Public Information | FERC |
| 31 | Not Available National Technical Information Service | Commerce |
| 32 | Official Use Only (OUO) | DOE, SSA, Treasury |
| 33 | Operations Security Protected Information (OSPI) | HHS |
| 34 | Patent Sensitive Information | *DOE |
| 35 | Predecisional Draft | *DOE |
| 36 | Privacy Act Information | *DOE, EPA |
| 37 | Privacy Act Protected Information (PAPI) | HHS |
| 38 | Proprietary Information | *DOE, DOJ |
| 39 | Protected Battery Information | *DOE |
| 40 | Protected Critical Infrastructure Information (PCII) | DHS |
| 41 | Safeguards Information | Nuclear Regulatory Commission (NRC) |
| 42 | Select Agent Sensitive Information (SASI) | HHS |
| 43 | Sensitive But Unclassified (SBU) | Commerce, HHS, NASA, National Science Foundation (NSF), Department of State, U.S. Agency for International Development (USAID) |
| 44 | Sensitive Drinking Water Related Information (SDWRI) | EPA |
| 45 | Sensitive Information | DOD, U.S. Postal Service (USPS) |
| 46 | Sensitive Instruction | SSA |
| 47 | Sensitive Internal Use | *DOE |
| 48 | Sensitive Unclassified Non-Safeguards Information | NRC |
| 49 | Sensitive Nuclear Technology | *DOE |
| 50 | Sensitive Security Information (SSI) | DHS, DOT, U.S. Department of Agriculture (USDA) |
| 51 | Sensitive Water Vulnerability Assessment Information | EPA |
| 52 | Small Business Innovative Research Information | *DOE |
| 53 | Technical Information | DOD |
| 54 | Trade Sensitive Information | Commerce |
| 55 | Unclassified Controlled Nuclear Information (UCNI) | DOE |
| 56 | Unclassified National Security-Related | *DOE |

I've already written about SSI (Sensitive Security Information).

Posted on May 19, 2006 at 7:52 AM • 20 Comments

Comments

radiantmatrix • May 19, 2006 9:01 AM

I'm heartened to see the government implementing a finer-grained information classification system. It demonstrates that there are still people within our .gov capable of performing real and reasonable risk assessments.

another_bruce • May 19, 2006 9:48 AM

i don't share radiantmatrix's optimism about this. building more cubbyholes in a cabinet doesn't necessarily make it a smarter cabinet.
how much of this classified information is classified because our national security would be threatened, versus the proprietary interests of "state and local partners" needing protection from "business competitors"?
i got a hoot out of item 5, the "census confidential". i did a census gig long, long ago, and we were told during the training that census information was absolutely sacrosanct. now i come to find it's being posted on publicly accessible websites.
census contracting is very much like security contracting or any other federal contracting. the primary focus isn't to benefit the taxpayers, but the contractors instead, and the ones on the inside naturally don't want their information, particularly the terms and size of their contracts, to be made public. it's just a goddamn gravy train, and we're all paying for the coal to make it go.

D • May 19, 2006 10:19 AM

While I mostly agree with another_bruce (I think we definitely need fewer classifications and scrutiny for assigning any classification to data and documents), I think the points about census data are off a bit.

Detailed census data (Names, address, family members, etc) should most definitely be treated as "sacrosanct" for my privacy. The overall statistics are and should be publicly available.

The only way business interests could be served here is if the stats were "required" to be private thus allowing a contractor to license/sell that data.

-D

Little Acorn • May 19, 2006 11:36 AM

There is a great need for clarity and transparency as to what information an agency is allowed to have access to in the first place, and having got access to that information exactly with what other agencies it can share that information. Personal information acquired for what may well be bona-fide reasons gets passed from one agency to another until anyone on the street can purchase it for a few hundred dollars.

*** What I want to be when I grow up: a tall tree, or the itching powder in Big Brother's jockstrap! ***
*** Freedom's Friends: titter with Tiffany (www.nearlyperfectprivacy.blogspot.com) and weep with Witness (www.witness.org) ***

WatkinsG • May 19, 2006 11:41 AM

...the core problem is WHY the vast hordes of Federal bureaucrats & politicians have all this private citizen information at all {??}

There is no legal authority under the U.S. Constitution for most of this data activity.

This is not an administrative record-keeping 'problem' within the government -- it is a core political issue about the scope of the largest & most powerful central-government in human history.

A mere administrative 'tweaking' of the "policies and processes for sensitive but unclassified information" is like opening an umbrella for protection against a hurricane.

The staggering 'collection' of sensitive government data is the fundamental problem -- not how it is to be handled after the fact.

derf • May 19, 2006 11:43 AM

Thing to remember is these are gubment workers. Many can't seem to remember that the CD tray isn't an automatic coffee cup holder, much less remember that Sensitive Drinking Water Related Information requires different handling procedures than an email requesting one's presence at the water cooler.

Sleepless in Seattle • May 19, 2006 11:55 AM

> Sensitive but Unclassified Information

What does that mean? It's not a secret, but it must be kept secret?

Anonymous • May 19, 2006 12:03 PM

> revealing possible vulnerabilities
> to business competitors.

I don't quite have a handle on the idea of the federal government having business competitors. Is this like USPS vs FedEx? The Army vs. Blackwater?

Nigel Sedgwick • May 19, 2006 2:49 PM

For the UK, from many many years ago, and predating various official changes, I remember:

SECRET: disclosure would cause harm to the national interest

TOP SECRET: disclosure would cause serious harm to the national interest.

Best regards

BelgranoR • May 19, 2006 4:01 PM

The most revealing aspect of the report, and of the "drop dead" mentality of the new ODNI is the comment in the report that: "ODNI declined to comment on our report, indicating that the subject matter is outside GAO’s purview," which is absurd.

BOB!! • May 19, 2006 7:42 PM

@anonymous and another_bruce

The business competitors referred to are not competitors of the US.gov or their "state and local partners" - they are the business competitors of companies who share their proprietary information with the US.gov and expect that the US.gov won't further share that proprietary info with other companies.

me • May 19, 2006 7:50 PM

@sleepless in seattle

Sensitive but unclassified along with the other ones like UCNI basically means that it's important information to the interests of the country, but not so important it needs to be classified. Often it is handled somewhat like secret or equiv. data in that it is still a crime to disclose it, the information is still controlled, but a clearance is not required to view it. It's often a step up from OUO and a step down from secret.

@Bruce
While DOE may contain 16 unclassified specifications, in practice only 2 are used: ouo and ucni. Basically everything is one or the other, or it's classified as requiring an l or a q clearance.

me • May 19, 2006 7:51 PM

Also, OUO or sometimes called FOUO or U/FOUO (official use only, for official use only, unclassified/for official use only) is in use by basically every form of the government.

Vance • May 20, 2006 1:16 AM

The reason for many of these is to mark information that is not important to national security, but is not publicly releasable because it falls under one of the exemptions of the Freedom of Information Act (http://www.usdoj.gov/04foia/foi-act.htm). For example, if I manufacture paint, pollution control regulations may require me to provide the details of my formulation to the EPA. Exemption 4 means that my competitor can't just submit a FOIA request to EPA to find out what my secret recipe is.

Another reason is to designate information protected by the Privacy Act. Under the act, personal information can only be collected for limited purposes, which are spelled out in a Federal Register notice for each particular system of records (http://www.gpoaccess.gov/privacyact/). The notice also specifies what safeguards are used to protect the information and with whom it may be shared. Law enforcement files tend to live outside the Privacy Act, however.

Bruce Schneier • May 20, 2006 3:21 PM

"I'm heartened to see the government implementing a finer-grained information classification system. It demonstrates that there are still people within our .gov capable of performing real and reasonable risk assessments."

You're confusing two things. There is a classification system, which categorizes information horizontally, according to the rules by which it must be kept secure. There is also something called "need to know," which classifies information vertically by category. What works best is a few levels of classification and a very finely grained need-to-know system.

What we have here is just silly.

RvnPhnx • May 22, 2006 12:46 PM

@D
"Detailed census data (Names, address, family members, etc) should most definitely be treated as 'sacrosanct' for my privacy. The overall statistics are and should be publicly available."

Umm... Ok, we don't want to just "post" your data out there so that any stalker in the world can really make your day--that we agree on. There is something else about "Detailed census data" however--without it genealogical research just isn't even remotely feasible. Perhaps this stuff needs a 25 to 50-year "cooling" period before release in the public record. (Sounds like a perfect chance to screw up yet something else...the current time frame is longer than this, BTW)
Granted, with great moronisms like counting (in an absolute manner) students where they go to college (but aren't permitted to have de-facto residency status, as state schools wouldn't get to charge them as much) and prisoners where they stay during their terms, we probably have a few other things which more desperately need fixing.
Remember, the purpose of the census, as established by the Constitution, is to allocate representatives--something they seem to have enough trouble with.

@Bruce
"What works best is a few levels of classification and a very finely grained need-to-know system."

I'm guessing you know this by doing. In any case, there seems to have been for a long time a tendency to decide in government that anything which the people don't "have a need to know" in the immediate future is something which they don't have a right to know. This is how "need to know" goes horribly wrong on a daily basis in what is probably a world-wide phenomenon. The other problem with over compartmentalization has already been mentioned in the abstract: there are too many danged designations with too many rules--of which too many are apparently horribly vague to the point of being nearly useless. Unfortunately we find that we have to codify what should be taken as common sense--which just worsens the problem. Oh the great wonder of Government.

John David Galt • May 22, 2006 4:46 PM

The most scary thing about overclassification (and Bush's wiretapping program, and other recent "emergency" measures) is that the administration demands -- and often gets -- immunity from the most important check on government's abuse of power: a public trial by jury. If this goes on, the only way to get back our constitutional form of government will be the ultimate one: Locke's "right of revolution". I still hope that won't be necessary, but that hope grows dimmer by the day.

FOIA Requester • May 23, 2006 10:16 PM

Vance is wrong about FOUO (and such) being "exempt from the Freedom of Information Act". 99% of the time, the documents that are marked FOUO are not exempt, and must be released under FOIA. (FOIA requires a line-by-line review at the time the citizen asks, anyway; a prior marking does not suffice, nor can a whole document be excluded by a single mark. Even classified documents mark the classification of each paragraph, allowing the unclassified paragraphs to be easily released.) You'll see a lot of FOUO documents in places like EPIC's web site; they came out under FOIA despite their FOUO marking. However, the agencies often make the citizen go to court to enforce this release, rather than doing what the law requires and handing over the document within 20 days.

FOUO really means "I'm important". Government employees mark it on as many things as possible, the same way dogs mark as many trees and walls as they can.

Tim Levin • January 10, 2007 7:28 PM

It is my understanding that in at least some government contexts, exemption from FOIA is the only intended use for FOUO, based on several DoD sources I have seen, including DoD 5400.7-R:

C4.1.1. General. Information that has not been given a security classification
pursuant to the criteria of an Executive Order, but which may be withheld from the
public because disclosure would cause a foreseeable harm to an interest protected by
one or more FOIA Exemptions 2 through 9 (see Chapter C3.) shall be considered as
being for official use only (FOUO). *****No other material shall be considered FOUO and
FOUO is not authorized as an anemic form of classification to protect national security
interests.**** [emphasis added]

I believe this restriction is to help minimize the costs to the public of over-marking. In practice, however, FOUO seems to be used widely to mean "I'm important," as indicated by FOIA Requester, or as a means to (incorrectly) prevent general distribution. It is also required by regulation that all privacy act info *must* be marked FOUO.
