image Protecting Sensitive

Protecting Sensitive Unclassified Information



The term sensitive unclassified information as used here is an informal designation applicable to all those types and forms of information that, by law or regulation, require some form of protection but are outside the formal system for classifying national security information.1 As a general rule, all such information may be exempt from release to the public under the Freedom of Information Act. This module reviews the most common types of sensitive unclassified information.2

Department of Defense also uses the term Controlled Unclassified Information (CUI) to refer to certain types of sensitive information within DoD that require controls and protective measures. CUI includes For Official Use Only and information with comparable designations that is received from other agencies, DoD Unclassified Controlled Nuclear Information, "Sensitive Information" as defined in the Computer Security Act of 1987, and DoD technical data.3

Some information that is not formally designated as sensitive is nonetheless inappropriate for putting on a public Internet site. This is discussed in Pre-Publication Review of Public Web Site Content.

Most categories of sensitive unclassified information are defined by federal law, while others such as For Official Use Only are defined by organization policy and some government organizations use different names for this category of information. Most legislative authorities are very specific in identifying the protected category of information, while others are general and leave much discretion to the agency or company.

Procedures for safeguarding sensitive unclassified information depend upon the category of information and, in some cases, vary from one agency or company to another.

Generally speaking, the law provides protection for established categories of protected information only when the owners of the information have taken reasonable or required steps to protect it. These steps are sometimes stated in the law or regulation; however, they are often left up to the information owner to develop internally. Legal history shows that the following elements are key to successful enforcement of an information protection program. The agency or company must have:

  • An established information security policy.
  • A system to identify the specific information to be protected. This should include periodic review of the need to continue protection.
  • Procedures for safeguarding and controlling the protected information so that it is exposed only to those who have a need to know the information and a duty to protect it. The duty to protect may be imposed by law (for some categories) or established by a confidentiality agreement with the employee.
  • A system of warnings and markings that advise of the sensitivity and/or handling requirements.

Procedures for handling the various categories of sensitive unclassified information vary from one agency or company to another. This is due to different legal and/or regulatory requirements for each category and the agency or organization’s implementation of those requirements. Factors affecting the implementation are the degree of sensitivity of the information, nature of the threat to the information, vulnerability of the information, options that are available for protecting the information, and organizational facilities/capabilities for secure handling, storage and transmission.

1. The Department of State uses Sensitive But Unclassified (SBU) as a document designation comparable to For Official Use Only.
2. I
nformation on the various categories of sensitive unclassified information is based on a research report prepared for PERSEREC by John Tippit & Associates.
3. DoD Regulation 5200.1-R, Information Security Program.




The Chroma Group, Ltd.