Section Three: Protection of Controlled Unclassified Information

Section Three:
Protection of Controlled Unclassified Information
Note: All classified markings contained within this presentation are for training purposes only.
Protection of Controlled Unclassified Information
Controlled Unclassified Information (CUI) is information that
has not been given a security classification but which is
withheld from public disclosure such as:
– Private Information
– Export Controlled Information
– Sensitive But Unclassified (SBU)
– For Official Use Only (FOUO)
– Proprietary Proposal Information
– Company Proprietary / Private Information
– Competition Sensitive
– Personally Identifiable Information (PII)
The loss, theft, or corruption of this information would likely
have a serious or detrimental impact on the execution of
{Company} programs and/or its personnel
Protection of Controlled Unclassified Information
Protected and Unprotected Environments
• Protection measures may vary depending on the
environment in which the information is stored or handled
• Environments are defined as:
– Protected Environment
 Area where {Company} controls access (proximity readers,
security officers, etc.) to help ensure that only authorized
employees, resident subcontractors, and visitors are permitted
‒ Unprotected Environment
 Area where {Company} does not control access to building or
work area (e.g., applicable remote sites and unprotected areas
during business travel such as airplane cabins, coffee shops, etc.)
Protection of Controlled Unclassified Information
Protected and Unprotected Environments (cont.)
• While in unprotected environments individuals must
– Be cognizant of their surroundings while viewing and
processing this information
– Take precautions to avoid unauthorized disclosure or loss
 Use laptop privacy screens and unclassified coversheets
 Encrypt all systems, media, and devices leaving {Company}
facilities (Tailor to your facility’s policy)
– Any loss should be reported to the Security Department
• While in protected environments individuals must
– Attach unclassified coversheet to material (if available/used)
– Store in unlocked file, desk, office, or briefcase, or obscure from
unauthorized viewing as a minimum
Protection of Controlled Unclassified Information
Transmission and Disposition
• When sending or receiving sensitive unclassified
information individuals must
– Implement need-to-know criterion
– Employ available methods of safeguarding data while in transit
(i.e., digital signatures, encryption methods, and classified fax
machines, first class mail, password protected email
attachments, etc.)
• When no longer required, materials containing sensitive
unclassified information will be promptly destroyed
– Cross-cut shred or dispose in shredder bins
– Sanitize IT systems
• Information owner may have additional protection
requirements that will be addressed on a case-by-case basis
Protection of Controlled Unclassified Information
Unclassified Marking Overview
• Controlled unclassified documents should be marked
‒ Bottom labeled appropriately (i.e., “For Official Use Only”)
‒ Outside of the front cover
‒ On each page containing controlled unclassified
‒ Other material (i.e., slides, photos) will be marked to make
recipients aware of the sensitivity
• NOTE: Controlled unclassified material being
transmitted outside the DoD or its contractors facilities
requires a statement explaining the marking
‒ “This document contains information EXEMPT FROM
MANDATORY DISCLOSURE under the FOIA. Exemptions…
(list FOIA exemption being used)… apply”
1. (U//FOUO) I think that my Security Office is great and
provides awesome support. I don’t know what I would
do with out them.
2. This is the best security awareness training I have ever
3. Other agencies, like the State Department may use
“Sensitive But Unclassified” (SBU) to mark CUI.
Protection of Controlled Unclassified Information
Personally Identifiable Information (PII)
Defined as:
– Individual’s first name and last name or first
initial and last name used in combination with
any one or more of the following data
 Social Security Number
 Driver’s license number or state-issued
identification card number
 Financial account number, or credit card
number, with or without any required security
code, access code, personal information
number or password, that would permit access
to a financial account
Protection of Controlled Unclassified Information
Personally Identifiable Information (PII) (cont.)
Protection measures:
Maintain a need-to-know principle
Utilize Unclassified protection coversheets and notice labels (if
When at rest, hand carrying, sending via interoffice mail, or faxing (external mail,
only use coversheets)
Use classified copiers or printers without hard drives, if available
If unavailable, device hard drives must be destroyed or sanitized when no longer
used by {Company}
Lock in a cabinet, desk, or office, or properly destroy if no longer required
Use proper disposal and destruction methods
Destruction Bags (If used, maintain positive control at all times)
Classified Shredders
Approved unclassified shredder bins
Use data encryption for internal and external transmittal
Use password protected screensavers (Always lock your system when leaving
your work area)
When possible, whole disk encryption should be implemented on systems
containing this information
Protection of Controlled Unclassified Information
Export Control
Export-controlled material
Must be controlled as sensitive information and marked accordingly to maintain
U.S. national security interest
Cannot be disclosed to or accessed by foreign nationals or representatives of a
foreign entity
Approval or a license must be obtained from the Department of State for items
controlled by the International Traffic in Arms Regulations (ITAR), or the
Department of Commerce for items controlled by the Export Administration
Regulations (EAR)
U.S. persons employed by Foreign entities are treated as Foreign representatives
themselves for the purpose of export compliance
If the U.S. State Department has not issued an Export License (based on a Technical
Assistance Agreement or Manufacturing License Agreement), a violation of ITAR has
Per the International Traffic in Arms Regulations (ITAR), Technical data in any
form that pertains to the U.S. Munitions List (a list of defense-related articles or
services) is “export controlled”
A defense article or service is specifically designed, developed, configured, adapted or
modified for a military application and does not have predominant civil applications
Protection of Controlled Unclassified Information
Export Control (cont.)
The export of information or material is defined as
Shipping or transporting technical data or hardware out of the U.S.
Transferring control or disclosing hardware, technical data, technology, software,
electronic data to a foreign person (whether in the U.S. or abroad)
Providing a Defense Service or Technical Assistance to a Foreign Person
Providing site visits/tours to Foreign Persons where export controlled technical data
is disclosed
A foreign person is
Any individual representing or working for a foreign corporation, agency or division
of a foreign government and can include
ITAR violations can result in
U.S. Citizens
U.S. Permanent Residents (e.g., Green Card)
Foreign Nationals or visitors
"Protected Individuals" (e.g., Refugee or Asylee)
Hefty fines and/or debarment from international business arrangements and U.S.
Government contracts
Personal criminal liability
Violation of the {Company} Standards of Conduct, which may result in disciplinary
action to include suspension, termination and/or criminal prosecution
Prior to the export of technical data or hardware, contact your local Export
Control Officer
Protection of Controlled Unclassified Information
Export Control (cont.)
• Trade Show export and security guidance
‒ Foreign citizens attend trade shows and export laws still apply
‒ If you engage in conversation with someone that you expect is not a
U.S. person please use the following guidance:
 Be alert to overly inquisitive people asking about the type of work you
do, business information about your company, or about your personal
 Never provide anyone with more information than is absolutely
necessary to accomplish your objectives
 Do not share any contractual, classified, Controlled Unclassified
Information (CUI) such as For Official Use Only (FOUO), or company
proprietary information with anyone who does not have a legitimate
need for the information
 Information coming to your attention that you believe, suggests the
existence of, or potential for espionage, compromise of classified
information, or terrorism must be promptly reported to Security
 Report any suspected attempts to gain information or other suspicious
circumstances to your local Security Department
Protection of Controlled Unclassified Information
Export Control (cont.)
• What marketing activities can {Company} employees engage in
without a license?
Discuss {Company} products without providing technology or
technical data
Distribute brochures that have been approved for public release
Receive technical data from a foreign customer
Discuss business terms and conditions
Discuss the statement of work, without technical information (yes
we can do that, no we cannot do that)
Transfer data that is publicly available (catalog, anything on web site)
Discuss basic information on function or purpose
Provide general system descriptions
Discuss general capabilities
Do not bring any ITAR hardware that has not been pre-approved by
the customer and TCO
Be aware of social engineering and remain vigilant

similar documents