SUBJECT: SENSITIVE BUT UNCLASSIFIED (SBU) INFORMATION CREATED, PROCESSED, STORED, OR TRANSMITTED IN ELECTRONIC
REFERENCE: USAID/General Notice by IG/SEC dated 11/09/95
USAID announces a change in the implementation of the
policy governing the creation, processing, storage and transmission of Sensitive But Unclassified (SBU) information
in electronic format. This policy change does not apply to classified, i.e., National Security Information or classified
information systems. USAID, in conjunction with the Department of State (DoS) and United States Information Agency
(USIA), has adopted the term "sensitive but unclassified (SBU)" for its sensitive unclassified information.
References in other Federal regulations to "sensitive data" or "sensitive information" are
to be interpreted, for the purposes of this policy, to mean SBU information. For USAID, the term "SBU"
supersedes the terms "sensitive data" or "sensitive information."
USAID's policy is to protect SBU information against unauthorized access or disclosure based on a clearly demonstrated
need to know or need to use. In accordance with the referenced General Notice, "The unauthorized disclosure
of SBU information may result in criminal and/or civil penalties." SBU information in electronic form may
be created, processed, stored, and transmitted, using Agency-approved information systems, including E-mail, under
the following conditions:
- E-mail messages or attachments containing SBU information must never be sent or forwarded to unauthorized recipients.
- All Agency personnel, to include direct hires, contractors, and others entrusted by the Agency with SBU information,
must safeguard such information in a manner commensurate with the sensitivity of the information.
- Reasonable security measures must be implemented to ensure that access to SBU information is restricted to
authorized individuals or groups on the basis of a clearly demonstrated need to know or need to use.
- All users granted access to USAID systems processing SBU information must meet formal authorization requirements
specified in the USAID Automated Directives System (ADS), Chapter 549, Telecommunications Management, Chapter 551,
Automated Information Systems Security, and Handbook 6, Security, Chapter 5, Personnel Security Program.
- Optional encryption products approved by the USAID Information System Security Officer (ISSO) may be used for
those instances where concern over disclosure is paramount, to ensure a more robust level of protection for SBU
information from sender to recipient.
- If the Internet is used to transmit SBU information, the information must be encrypted using an encryption
scheme approved by the USAID ISSO.
DEFINITION: SENSITIVE BUT UNCLASSIFIED (SBU)
USAID's General Notice regarding SBU information prescribes compliance with the Department of State's SBU program
as delineated in the Foreign Affairs Manual (FAM). 12 FAM 540 defines SBU as "information which warrants
a degree of protection and administrative control that meets the criteria for exemption from public disclosure
set forth under Sections 552 and 552a of Title 5, United States Code: the Freedom of Information Act and Privacy
Act." 12 FAM 540 also indicates that "SBU information includes, but is not limited to: (1) Medical,
personnel, financial, investigatory, visa, law enforcement, or other information which, if released, could result
in harm or unfair treatment to any individual or group, or could have a negative impact upon foreign policy or
relations; and (2) Information offered under conditions of confidentiality which arises in the course of a deliberative
process (or a civil discovery process), including attorney-client privilege or work product, and information arising
from the advice and counsel of subordinates to policy makers." In the following paragraph, references
are made to the Freedom of Information Act (FOIA) and the Privacy Act of 1974. Under FOIA, certain information can be exempted
from disclosure to the public. While information referred to in the Act is not necessarily SBU information, information
owners who choose, for specific reasons, to exempt their information from public disclosure under a FOIA request
are required by this SBU policy to consider their exempted data SBU information and protect it accordingly.
The Privacy Act of 1974 declares potentially sensitive "any information, the disclosure of which, could result
in substantial harm, embarrassment, inconvenience or unfairness to any individual." The Freedom of Information
Act (FOIA) conditionally exempts the following information from disclosure: (1) information classified in the interest
of national defense or foreign policy, (2) internal personnel rules and practices of an agency, (3) information
specifically exempted from disclosure by statute, (4) trade secrets and commercial or financial information obtained
from a person and privileged or confidential, (5) inter-agency or intra-agency memoranda or letters reflecting
predecisional attitudes, (6) personnel and medical files and similar files the disclosure of which would constitute
a clearly unwarranted invasion of personal privacy, (7) specified types of law enforcement records or information,
(8) financial institution regulation or supervision reports, and (9) geological and geophysical information and
data concerning wells. Exemption (3) of the FOIA has been interpreted to include statutes such as the Computer
Security Act of 1987, which defines the phrase "sensitive information" as "any information, the loss, misuse,
or unauthorized access to or modification of which could adversely affect the national interest or the conduct
of Federal programs ...". Exemption (5) applies to "inter-agency or intra-agency memoranda or letters
which would not be available by law to a party other than an agency in litigation with the agency." This exemption
was enacted to safeguard the deliberative policy-making process of government. Exemption (6) covers "personnel
and medical files and similar files, the disclosure of which would constitute a clearly unwarranted invasion of
privacy." This exemption relates to records that contain details about the private lives of individuals.
USAID clarifies the SBU term by giving the following USAID-specific examples of information that are always
considered SBU information: procurement source evaluation and source selection, company proprietary, investigative,
restricted scientific/technical information, and travel plans of USAID employees to or through a high or critical
terrorist threat environment. The following categories of information are considered potential SBU information:
legal, financial, budget projections, medical, contractual, procurement, intellectual property, agency-critical
or foreign government. Each creator or handler of potential SBU information must make the sensitive/non-sensitive
determination on a case-by-case basis.
1. USAID-approved systems are authorized to be used to create, process, and store SBU information. However, users
must evaluate their own processing environments and then choose appropriate safeguards to protect SBU information
stored in electronic form. The following are approved safeguards for electronically storing SBU information. Select
from the following general list of appropriate security measures or contact the USAID ISSO for solutions to particular
or unusual problems.
- Store SBU information on servers in directories or files restricted for private use;
- Store SBU information on servers in system directories or files restricted to authorized application users;
- Store SBU information on servers in encrypted directories or files when using public directories or files,
when other access controls are not available, or when additional control is required;
- Store SBU information on diskettes, removable hard drives, or other removable media, and then protect SBU information
by safeguarding the media through encryption or physical access controls required by IG/SEC for the protection
of printed SBU information;
- Store SBU information on a non-removable hard drive computer system protected on the basis of need to know
by a strong system setup password or other security system approved by USAID's ISSO; or
- Store SBU information on a non-removable hard drive PC system and protect the entire system through physical
access controls required by IG/SEC for the protection of SBU information in hard copy.
2. When printing or displaying SBU information on a workstation screen, users must continuously monitor printers
or workstation screens to prevent need-to-know security violations.
3. Users who have access to SBU information resident on a networked system must not leave their workstations unattended
while logged into the system. During normal work hours, a password-protected screen saver may be used in lieu of
logging off, provided a strong password is selected; this allowance applies to networked workstations only, not to
standalone PCs. Users must log off the network when leaving for the day. Exiting the Windows environment or a
Windows-based program does not log the user off of the network.
4. USAID-approved systems are authorized to be used to transmit SBU information. However, users must evaluate
their own environments and then choose appropriate means to protect SBU information transmitted in electronic form.
For those circumstances that warrant additional controls due to the sensitive nature of the information, the following
are approved methods for transmitting SBU information. Select from the following general list or contact the USAID
ISSO for solutions to particular or unusual problems:
- Department of State (DoS) Diplomatic Cable System;
- DoS Diplomatic Courier Service (see referenced General Notice for details on special handling requirements
for SBU in non-electronic form);
- U.S. Mail (see referenced General Notice for details on special handling requirements for SBU in non-electronic form);
- Encrypted transmission paths (point-to-point and link-encryption) provided by the Diplomatic Telecommunications
Service Program Office (DTS-PO) or approved by the USAID ISSO; or
- Optional message encryption products approved by the USAID ISSO for the transmission of SBU information.
5. The transmission of SBU information in or attached to an E-mail message is allowed, when the precautions listed
below are followed:
- Always review a message and its attachments for SBU content and correct addressing before transmitting E-mail;
- Never send or forward an SBU message to an unauthorized recipient;
- Use encryption products approved by the USAID ISSO in those instances where concern over disclosure is paramount,
to ensure a more robust level of protection for SBU information from sender to recipient;
- Review all distribution lists and nested lists to ensure that all recipients of an E-mail message have a defined
need to know for the information;
- Consider using means other than E-mail to transmit SBU information;
- Follow the recommendations in paragraph 1 above for the proper storage of the information, when receiving SBU information;
- Destroy SBU information in accordance with procedures established in the USAID ADS, when no longer needed;
- Recognize the risk that E-mail information may be erroneously sent or forwarded to an unauthorized recipient.
6. If the Internet is used to transmit SBU information, the information must be encrypted using an encryption
scheme approved by the USAID ISSO.
7. The ISSO reserves the right to require additional protection for accessing SBU information, e.g., strong user
authentication, if the Agency risk environment is found to be different or changes significantly in the future.
8. In accordance with 12 FAM (Foreign Affairs Manual) 545 and the referenced General Notice, "The unauthorized
disclosure of SBU information may result in criminal and/or civil penalties. Supervisors may take disciplinary
action, as appropriate."
9. SBU information is unclassified, not classified, information. Users are prohibited from creating, processing,
storing, or transmitting classified information via USAID unclassified systems. Provisions relating to handling,
storage, transmission, destruction, and incident/violation reporting of classified information do not pertain to
SBU information. However, report SBU security incidents to the USAID ISSO and IG/SEC.
POINT OF CONTACT: Questions regarding this notice should be directed to the Information Systems Security
Officer (ISSO) for USAID via e-mail or telephone at (202) 712-4559.