Protecting Sensitive But Unclassified Information


Sensitive but unclassified (SBU) information is subject to controls outside the formal system for classifying national security information. This module reviews the most common types of SBU information that require some degree of protection. All such information may be exempt from release to the public under the Freedom of Information Act.

Some information that is not formally designated as sensitive is nonetheless inappropriate for putting on a public Internet site. This is discussed in Pre-Publication Review of Public Web Site Content.

Most categories of SBU information are defined by federal law, while others, such as For Official Use Only, are defined by organization policy. Most legislative authorities are very specific in identifying the protected category of information, while others are general and leave much discretion to the agency or company.

Procedures for safeguarding SBU information depend upon the category of information and, in some cases, vary from one agency or company to another.

Generally speaking, the law provides protection for established categories of protected information only when the owners of the information have taken reasonable or required steps to protect it. These steps are sometimes stated in the law or regulation; however, they are often left up to the information owner to develop internally. Legal history shows that the following elements are key to successful enforcement of an information protection program. The agency or company must have:

  • An established information security policy.
  • A system to identify the specific information to be protected. This should include periodic review of the need to continue protection.
  • Procedures for safeguarding and controlling the protected information so that it is exposed only to those who have a need to know the information and a duty to protect it. The duty to protect may be imposed by law (for some categories) or established by a confidentiality agreement with the employee.
  • A system of warnings and markings that advise of the sensitivity and/or handling requirements.

Procedures for handling the various categories of SBU information vary from one agency or company to another. This is due to different legal and/or regulatory requirements for each category and the agency or organization’s implementation of those requirements. Factors affecting the implementation are the degree of sensitivity of the information, nature of the threat to the information, vulnerability of the information, options that are available for protecting the information, and organizational facilities/capabilities for secure handling, storage and transmission.

Information on the various categories of sensitive but unclassified information is based on a research report prepared for DSS/Security Research Center by John Tippit & Associates.