IWS - The Information Warfare Site

USAID/General Notice
M/IRM
2/3/97

POLICY

SUBJECT: SENSITIVE BUT UNCLASSIFIED (SBU) INFORMATION CREATED, PROCESSED, STORED, OR TRANSMITTED IN ELECTRONIC FORMAT

REFERENCE: USAID/General Notice by IG/SEC dated 11/09/95

USAID announces a change in the implementation of the policy governing the creation, processing, storage and transmission of Sensitive But Unclassified (SBU) information in electronic format. This policy change does not apply to classified, i.e., National Security Information or classified information systems. USAID, in conjunction with the Department of State (DoS) and United States Information Agency (USIA), has adopted the term "sensitive but unclassified (SBU)" for its sensitive unclassified information. References in other Federal regulations to "sensitive data" or "sensitive information" are to be interpreted, for the purposes of this policy, to mean SBU information. For USAID, the term "SBU" supersedes the terms "sensitive data" or "sensitive information."

POLICY
USAID's policy is to protect SBU information against unauthorized access or disclosure based on a clearly demonstrated need to know or need to use. In accordance with the referenced General Notice, "The unauthorized disclosure of SBU information may result in criminal and/or civil penalties." SBU information in electronic form may be created, processed, stored, and transmitted, using Agency-approved information systems, including E-mail, under the following conditions:

  • E-mail messages or attachments containing SBU information must never be sent or forwarded to unauthorized recipients.
  • All Agency personnel, to include direct hires, contractors, and others entrusted by the Agency with SBU information, must safeguard such information in a manner commensurate with the sensitivity of the information.
  • Reasonable security measures must be implemented to ensure that access to SBU information is restricted to authorized individuals or groups on the basis of a clearly demonstrated need to know or need to use.
  • All users granted access to USAID systems processing SBU information must meet formal authorization requirements specified in the USAID Automated Directives System (ADS), Chapter 549, Telecommunications Management, Chapter 551, Automated Information Systems Security, and Handbook 6, Security, Chapter 5, Personnel Security Program.
  • Optional encryption products approved by the USAID Information System Security Officer (ISSO) may be used for those instances where concern over disclosure is paramount, to ensure a more robust level of protection for SBU information from sender to recipient.
  • If the Internet is used to transmit SBU information, the information must be encrypted using an encryption scheme approved by the USAID ISSO.


    DEFINITION: SENSITIVE BUT UNCLASSIFIED (SBU)
    USAID's General Notice regarding SBU information prescribes compliance with the Department of State's SBU program as delineated in the Foreign Affairs Manual (FAM). 12 FAM 540 defines SBU as "information which warrants a degree of protection and administrative control that meets the criteria for exemption from public disclosure set forth under Sections 552 and 552a of Title 5, United States Code: the Freedom of Information Act and Privacy Act." 12 FAM 540 also indicates that "SBU information includes, but is not limited to: (1) Medical, personnel, financial, investigatory, visa, law enforcement, or other information which, if released, could result in harm or unfair treatment to any individual or group, or could have a negative impact upon foreign policy or relations; and (2) Information offered under conditions of confidentiality which arises in the course of a deliberative process (or a civil discovery process), including attorney-client privilege or work product, and information arising from the advice and counsel of subordinates to policy makers." In the following paragraph, references are made to the Freedom of Information Act (FOIA), dated 1974. Under that Act, certain information can be exempted from disclosure to the public. While information referred to in the Act is not necessarily SBU information, information owners who choose to exempt their information for very specific reasons from public disclosure under a FOIA request are required, by this SBU policy, to consider their exempted data SBU information and protect it accordingly.
    The Privacy Act of 1974 declares potentially sensitive "any information, the disclosure of which, could result in substantial harm, embarrassment, inconvenience or unfairness to any individual." The Freedom of Information Act (FOIA) conditionally exempts the following information from disclosure: (1) information classified in the interest of national defense or foreign policy, (2) internal personnel rules and practices of an agency, (3) information specifically exempted from disclosure by statute, (4) trade secrets and commercial or financial information obtained from a person and privileged or confidential, (5) inter-agency or intra-agency memoranda or letters reflecting predecisional attitudes, (6) personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy, (7) specified types of law enforcement records or information, (8) financial institution regulation or supervision reports, and (9) geological and geophysical information and data concerning wells. Section (3) of the FOIA has been interpreted to include statutes such as the Computer Security Act of 1987 which defines the phrase sensitive information as "any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs ...". Section (5) applies to "inter-agency or intra-agency memoranda or letters which would not be available by law to a party other than an agency in litigation with the agency." This exemption was enacted to safeguard the deliberative policy-making process of government. Section (6) covers "personnel and medical files and similar files, the disclosure of which would constitute a clearly unwarranted invasion of privacy." This exemption relates to records that contain details about the private lives of individuals.

    EXAMPLES
    USAID clarifies the SBU term by giving the following USAID-specific examples of information that are always considered SBU information: procurement source evaluation and source selection, company proprietary, investigative, restricted scientific/technical information, and travel plans of USAID employees to or through a high or critical terrorist threat environment. The following categories of information are considered potential SBU information: legal, financial, budget projections, medical, contractual, procurement, intellectual property, agency-critical or foreign government. Each creator or handler of potential SBU information must make the sensitive/non-sensitive determination on a case-by-case basis.

    RECOMMENDED SAFEGUARDS
    1. USAID-approved systems are authorized to be used to create, process, and store SBU information. However, users must evaluate their own processing environments and then choose appropriate safeguards to protect SBU information stored in electronic form. The following are approved safeguards for electronically storing SBU information. Select from the following general list of appropriate security measures or contact the USAID ISSO for solutions to particular or unusual problems.

  • Store SBU information on servers in directories or files restricted for private use;
  • Store SBU information on servers in system directories or files restricted to authorized application users;
  • Store SBU information on servers in encrypted directories or files when using public directories or files, when other access controls are not available, or when additional control is required;
  • Store SBU information on diskettes, removable hard drives, or other removable media, and then protect SBU information by safeguarding the media through encryption or physical access controls required by IG/SEC for the protection of printed SBU information;
  • Store SBU information on a non-removable hard drive computer system protected on the basis of need to know by a strong system setup password or other security system approved by USAID's ISSO; or
  • Store SBU information on a non-removable hard drive PC system and protect the entire system through physical access controls required by IG/SEC for the protection of SBU information in hard copy.

    2. When printing or displaying SBU information on a workstation screen, users must continuously monitor printers or workstation screens to prevent need-to-know security violations.


    3. Users who have access to SBU information resident on a networked system must not leave their workstations unattended while logged into the system. Screen-saver passwords are allowed to be used in a network environment, but not in a standalone PC environment, in lieu of logging off during normal work hours, if a strong password is selected. Users must log off the network when leaving for the day. Exiting the Windows environment or a Windows-based program does not log the user off of the network.

    4. USAID-approved systems are authorized to be used to transmit SBU information. However, users must evaluate their own environments and then choose appropriate means to protect SBU information transmitted in electronic form. For those circumstances that warrant additional controls due to the sensitive nature of the information, the following are approved methods for transmitting SBU information. Select from the following general list or contact the USAID ISSO for solutions to particular or unusual problems:
     

  • Department of State (DoS) Diplomatic Cable System;
  • DoS Diplomatic Courier Service (see referenced General Notice for details on special handling requirements for SBU in non-electronic form);
  • U.S. Mail (see referenced General Notice for details on special handling requirements for SBU in non-electronic form);
  • Encrypted transmission paths (point-to-point and link-encryption) provided by the Diplomatic Telecommunications Service Program Office (DTS-PO) or approved by the USAID ISSO; or
  • Optional message encryption products approved by the USAID ISSO for the transmission of SBU information.

    5. The transmission of SBU information in or attached to an E-mail message is allowed, when the precautions listed below are followed:

  • Always review a message and its attachments for SBU content and correct addressing before transmitting E-mail;
  • Never send or forward an SBU message to an unauthorized recipient;
  • Use encryption products approved by the USAID ISSO in those instances where concern over disclosure is paramount, to ensure a more robust level of protection for SBU information from sender to recipient;
  • Review all distribution lists and nested lists to ensure that all recipients of an E-mail message have a defined need to know for the information;
  • Consider using means other than E-mail to transmit SBU information;
  • Follow the recommendations in paragraph 1 above for the proper storage of the information, when receiving SBU information electronically;
  • Destroy SBU information in accordance with procedures established in the USAID ADS, when no longer needed; and
  • Recognize the likelihood (risk) that it is possible for E-mail information to be erroneously sent or forwarded to an unauthorized recipient.

    6. If the Internet is used to transmit SBU information, the information must be encrypted using an encryption scheme approved by the USAID ISSO.


    7. The ISSO reserves the right to require additional protection for accessing SBU information, e.g., strong user authentication, if the Agency risk environment is found to be different or changes significantly in the future.

    8. In accordance with 12 FAM (Foreign Affairs Manual) 545 and the referenced General Notice, "The unauthorized disclosure of SBU information may result in criminal and/or civil penalties. Supervisors may take disciplinary action, as appropriate."

    9. SBU information is unclassified, not classified, information. Users are prohibited from creating, processing, storing, or transmitting classified information via USAID unclassified systems. Provisions relating to handling, storage, transmission, destruction, and incident/violation reporting of classified information do not pertain to SBU information. However, report SBU security incidents to the USAID ISSO and IG/SEC.

    POINT OF CONTACT: Questions regarding this notice should be directed to the Information Systems Security Officer (ISSO) for USAID via e-mail or telephone at (202) 712-4559.