Note: All classified markings contained within this presentation are for training purposes only.
Protection of Controlled Unclassified Information
Overview
• Controlled Unclassified Information (CUI) is information that has not been given a security classification but which is withheld from public disclosure such as:
– Private Information
– Export Controlled Information
– Sensitive But Unclassified (SBU)
– For Official Use Only (FOUO)
– Proprietary Proposal Information
– Company Proprietary / Private Information
– Competition Sensitive
– Personally Identifiable Information (PII)
• The loss, theft, or corruption of this information would likely have a serious or detrimental impact on the execution of {Company} programs and/or its personnel
Protected and Unprotected Environments
• Protection measures may vary depending on the environment in which the information is stored or handled
• Environments are defined as:
– Protected Environment
Area where {Company} controls access (proximity readers, security officers, etc.) to help ensure that only authorized employees, resident subcontractors, and visitors are permitted entry
– Unprotected Environment
Area where {Company} does not control access to building or work area (e.g., applicable remote sites and unprotected areas during business travel such as airplane cabins, coffee shops, etc.)
Protected and Unprotected Environments (cont.)
• While in unprotected environments individuals must
– Be cognizant of their surroundings while viewing and processing this information
– Take precautions to avoid unauthorized disclosure or loss
Use laptop privacy screens and unclassified coversheets
Encrypt all systems, media, and devices leaving {Company} facilities (Tailor to your facility’s policy)
– Any loss should be reported to the Security Department
• While in protected environments individuals must
– Attach unclassified coversheet to material (if available/used)
– Store in unlocked file, desk, office, or briefcase, or obscure from unauthorized viewing as a minimum
Transmission and Disposition
• When sending or receiving sensitive unclassified information individuals must
– Implement need-to-know criterion
– Employ available methods of safeguarding data while in transit (e.g., digital signatures, encryption methods, classified fax machines, first class mail, password-protected email attachments, etc.)
• When no longer required, materials containing sensitive unclassified information will be promptly destroyed
– Cross-cut shred or dispose in shredder bins
– Sanitize IT systems
• Information owner may have additional protection requirements that will be addressed on a case-by-case basis
Unclassified Marking Overview
• Controlled unclassified documents should be marked accordingly:
– Bottom labeled appropriately (e.g., “For Official Use Only”)
– Outside of the front cover
– On each page containing controlled unclassified information
– Other material (e.g., slides, photos) will be marked to make recipients aware of the sensitivity
• NOTE: Controlled unclassified material being transmitted outside the DoD or its contractors’ facilities requires a statement explaining the marking
– “This document contains information EXEMPT FROM MANDATORY DISCLOSURE under the FOIA. Exemptions… (list FOIA exemption being used)… apply”
MEMORANDUM
FROM: DS/ISP/APB
TO: INR/EUR
SUBJECT: (U) SECURITY AWARENESS TRAINING
1. (U//FOUO) I think that my Security Office is great and provides awesome support. I don’t know what I would do without them.
2. This is the best security awareness training I have ever received.
3. Other agencies, like the State Department, may use “Sensitive But Unclassified” (SBU) to mark CUI.
FOR OFFICIAL USE ONLY
Personally Identifiable Information (PII)
• Defined as:
– Individual’s first name and last name or first initial and last name used in combination with any one or more of the following data elements:
Social Security Number
Driver’s license number or state-issued identification card number
Financial account number, or credit card number, with or without any required security code, access code, personal information number or password, that would permit access to a financial account
Personally Identifiable Information (PII) (cont.)
• Protection measures:
– Maintain a need-to-know principle
– Utilize Unclassified protection coversheets and notice labels (if available/used)
When at rest, hand carrying, sending via interoffice mail, or faxing (external mail, only use coversheets)
– Use classified copiers or printers without hard drives, if available
If unavailable, device hard drives must be destroyed or sanitized when no longer used by {Company}
– Lock in a cabinet, desk, or office, or properly destroy if no longer required
– Use proper disposal and destruction methods
Destruction Bags (If used, maintain positive control at all times)
Classified Shredders
Approved unclassified shredder bins
– Use data encryption for internal and external transmittal
– Use password protected screensavers (Always lock your system when leaving your work area)
– When possible, whole disk encryption should be implemented on systems containing this information
Export Control
• Export-controlled material
– Must be controlled as sensitive information and marked accordingly to maintain U.S. national security interests
– Cannot be disclosed to or accessed by foreign nationals or representatives of a foreign entity
• U.S. persons employed by foreign entities are treated as foreign representatives themselves for the purpose of export compliance
– Approval or a license must be obtained from the Department of State for items controlled by the International Traffic in Arms Regulations (ITAR), or the Department of Commerce for items controlled by the Export Administration Regulations (EAR)
• If the U.S. State Department has not issued an Export License (based on a Technical Assistance Agreement or Manufacturing License Agreement), a violation of ITAR has occurred
– Per the International Traffic in Arms Regulations (ITAR), technical data in any form that pertains to the U.S. Munitions List (a list of defense-related articles or services) is “export controlled”
• A defense article or service is specifically designed, developed, configured, adapted or modified for a military application and does not have predominant civil applications
Export Control (cont.)
• The export of information or material is defined as
– Shipping or transporting technical data or hardware out of the U.S.
– Transferring control or disclosing hardware, technical data, technology, software, electronic data to a foreign person (whether in the U.S. or abroad)
– Providing a Defense Service or Technical Assistance to a Foreign Person
– Providing site visits/tours to Foreign Persons where export controlled technical data is disclosed
• A foreign person is
– Any individual representing or working for a foreign corporation, agency or division of a foreign government and can include
• U.S. Citizens
• U.S. Permanent Residents (e.g., Green Card)
• Foreign Nationals or visitors
• "Protected Individuals" (e.g., Refugee or Asylee)
• ITAR violations can result in
– Hefty fines and/or debarment from international business arrangements and U.S. Government contracts
– Personal criminal liability
– Violation of the {Company} Standards of Conduct, which may result in disciplinary action to include suspension, termination and/or criminal prosecution
• Prior to the export of technical data or hardware, contact your local Export Control Officer
Export Control (cont.)
• Trade Show export and security guidance
– Foreign citizens attend trade shows and export laws still apply
– If you engage in conversation with someone you suspect is not a U.S. person, please use the following guidance:
Be alert to overly inquisitive people asking about the type of work you do, business information about your company, or about your personal life
Never provide anyone with more information than is absolutely necessary to accomplish your objectives
Do not share any contractual, classified, Controlled Unclassified Information (CUI) such as For Official Use Only (FOUO), or company proprietary information with anyone who does not have a legitimate need for the information
Information coming to your attention that you believe suggests the existence of, or potential for, espionage, compromise of classified information, or terrorism must be promptly reported to Security
Report any suspected attempts to gain information or other suspicious circumstances to your local Security Department
Export Control (cont.)
• What marketing activities can {Company} employees engage in without a license?
– Discuss {Company} products without providing technology or technical data
– Distribute brochures that have been approved for public release
– Receive technical data from a foreign customer
– Discuss business terms and conditions
– Discuss the statement of work, without technical information (yes we can do that, no we cannot do that)
– Transfer data that is publicly available (catalog, anything on web site)
– Discuss basic information on function or purpose
– Provide general system descriptions
– Discuss general capabilities
– Do not bring any ITAR hardware that has not been pre-approved by the customer and TCO
– Be aware of social engineering and remain vigilant