Official Use Only. Lesley Nelson-Burns Office of Quality Management (301)

Transcription

1 Official Use Only Lesley Nelson-Burns Office of Quality Management (301)

2 Why Official Use Only? D D D Consolidates most CUI information within DOE Includes unclassified controlled information which is not governed by a DOE-wide directive (e.g., Export Controlled Information, Protected Cooperative Research and Development Information, Applied Technology) Does not include D Unclassified Controlled Nuclear Information (UCNI), which is governed by DOE Order 471.1A and DOE Manual D Unclassified Naval Nuclear Propulsion Information, which is Naval Reactors information OUO ensures consistent handling and protection of unclassified information throughout the complex OUO ensures information is not released through informal methods (posted on a website or sent to a person without a need-to-know the information) 2

3 What is OUO Information? Official Use Only Draft Documents Attorney-Client Patent Information Export Controlled Information Source Selection Information Business Confidential Privacy Act Information Attorney-Work Applied Technology Personally Identifiable Information Intellectual Property Sensitive Nuclear Technology Proprietary Information 3

4 Who has Responsibility for OUO? D D The Office of Classification is responsible for developing DOE s overall policy and guidelines for identifying and protecting OUO The Chief Information Officer (CIO) issues guidance regarding the protection of OUO and other sensitive information on DOE information systems and the identification of PII D Program Offices determine the specific information within their purview that is OUO 4

5 Does OUO Mean the Information is Exempt from Release under the FOIA? D D D OUO is not a determination that information is FOIA exempt OUO is a determination that the information may be FOIA exempt OUO markings ensure a document is not publicly released without an appropriate review If an OUO document is requested under the FOIA, a FOIA Authorizing Official must determine whether the information must be released Only a FOIA Official may determine that information is FOIA exempt The threshold for withholding information under the FOIA is higher, requires in-depth knowledge of FOIA OUO FOIA Exempt 5

6 How is OUO Marked? 6

7 OUO Marking D OUO Markings Ensures everyone understands a documents must be protected Ensures everyone knows how it must be protected D Without OUO markings Does not require protection No recourse if information is released 7

8 How are OUO Documents Marked? Front Marking Determination based on Guidance (Classification/Control Guides) Exemption Number Exemption Name Name AND Organization OFFICIAL USE ONLY May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), exemption number and category: 5, Privileged Information Department of Energy review required before public release Name/Org: John Smithson, NA-121 Date: 4/11/07 Guidance (if applicable): CG-SS-4 Date of Determination Short Name of Guide Markings are for example purposes only 8

9 How is a Document Transmitting OUO Marked? D Required if transmittal document itself does not contain classified or controlled information D Calls attention to presence of OUO information in attachment Document transmitted contains OUO information Markings are for example purposes only 9

10 Sample Marking of Document Transmitting OUO XXX XXXXXX XX XXXXXXX XXXXX XXXXXXXXXXXX XXXXXX Attachment contains OUO, transmitting document does not contain OUO XXXXXXX. Xxxx xxxxxx xxxxxxxxx xxx xxxxxxxx xxxx xxxxxxx xxxxxxxxx xxx xxxxxxxxxxx, xxxxxxx, xxx xxxxxxxxxx Xxxxxxxx Xxx Xxxx (XXX) xxxxxxxxxxx. Xxxxx xxxxxxxx xxxxxxx xxxxxxxxx xxxxxxxxxx xxx xxxxxxxxxx xxxxxxxxx. Xxxxxxx X xxxxxxxxx xxx xxxxxxxxxxxx xxx xxxxxxxxxxx xxx xxxxxxx XXX xxxxxxxxxxx; Xxxxxxx XX xxxxxxxxx xxxxxxxxxx XXX xxxxxxxxxxx. Xxx Xxxxxxxxxx Xxxxxxxxxxxx Xxxxxxxx (XXX), Xxxxxxxxxx x, xxxx xxxxx xxxxxxxxxxxx xx xxx Xxxxxx xxx xxxxx xx xxx/xxxxxxxx xxxxxxxxxx xxxxxxxxxxx. LXX. Xxxxxxxx xxxxxxxxxx xxxx Xxxxxx xxxxxx xx xxxxxxxxx xx Xxxxxxxxxxx Xxxxxxxxxxxxxx xxx Xxxxxxx Xxxxxx xx xxx-xxx-xxxx. Document transmitted contains OUO Information Markings are for example purposes only 10

11 How is an containing OUO Marked? D First line of message Insert OUO before text D If attachment to message is OUO Message must so indicate Attachment must be marked correctly 11

12 Protecting OUO 12

13 Who May have Access to OUO? D Anyone needing the information to perform his/her job or other DOE-authorized activity No security clearance required Not limited to DOE employees No requirement for US citizenship D Some OUO may have additional access restrictions (Export Controlled Information, Source Selection Information, etc.) D Determination made by person possessing document not person wanting the document 13

14 What are the Cyber Security Requirements for OUO? D D D D Since the OUO Manual was published, the Office of the Chief Information Officer issued Technical and Management Requirements, Protection of Sensitive Unclassified Information, Including Personally Identifiable Information (TMR-22) TMR-22 requires senior management to develop Program Cyber Security Plans (PCSP) which are consistent with TMR-22 The DOE HQ PSCP requires HQ to follow TMR-22 If not with DOE HQ, recommend following TMR-22 requirements until you receive clarification from local 14 cyber security

15 What are the Cyber Security Requirements for OUO? D TMR-22 (and DOE HQ) Requirements OUO must be encrypted during transmission (If person receiving OUO does not have Entrust, contact cyber security for approved alternate method of transmission) OUO on portable/mobile devices and removable media (e.g., CDROMS, thumb drives) must be encrypted 15

16 How is OUO Transmitted by phone? D Transmitting over voice circuits Use encryption whenever possible If unavailable and other encrypted means not feasible alternative, regular voice circuits allowed 16

17 How is OUO Transmitted? D Transmitting by hand between facilities or within a facility May be handcarried Must control access to document 17

18 How is OUO Transmitted? D Transmitting by mail inside facility Place in sealed, opaque envelope or wrapping with recipient s address, and TO BE OPENED BY ADDRESSEE ONLY TO BE OPENED BY ADDRESSEE ONLY on outside 18

19 How is OUO Transmitted? D Transmitting by mail outside facility Place in sealed, opaque envelope or wrapping with recipient s address, return address, and TO BE OPENED BY ADDRESSEE ONLY on outside (same requirements as inside facility, but must include return address) U.S. mail First Class, Express, Certified, Registered Any commercial carrier 19

20 How is OUO Protected? D In Use Take reasonable precautions to prevent access by persons who don t need the information to do their jobs For example, don t read an OUO document in a public place (in the cafeteria, on public transportation) 20

21 How is OUO Protected? D Storing With internal building security during non-duty hours - Unlocked file cabinet, desk, briefcase, etc. No internal building security during non-duty hours - Locked room or locked file cabinet, desk, briefcase, etc. 21

22 How is OUO Protected? D Copying No permission from originator needed Make minimum number of copies Mark and protect copies 22

23 How is OUO Protected? D Destroying Strip-cut shredder with strips no more than ¼ wide Any other method approved by local security office 23

24 Protection Requirements D Apply to DOE OUO documents AND Other-agency CUI documents 24

25 What are Inappropriate Uses of OUO? D OUO must not be used to Conceal violations of law, inefficiency, or administrative error Prevent embarrassment to an organization or agency Prevent or delay the release of information that does not meet the criteria to be designated as OUO 25

26 Are There Penalties for Misuse of OUO? D Imposed if person Intentionally releases OUO information from document marked OUO Intentionally or negligently releases an OUO document Intentionally does not mark a document known to contain OUO information Intentionally marks a document OUO known not to contain OUO information 26

27 What Penalties are Possible? D Examples of penalties (DOE ) Supervisor Verbal admonishment Written reprimand Suspension Termination 27

28 Directives OUO Directives Issued 4/9/03 DOE Order DOE Manual DOE Guide Requirements and responsibilities Detailed instructions for implementing requirements Assists an employee in deciding whether information falls under one of the eight FOIA exemptions 28

29 Contacts Lesley Nelson-Burns Office of Quality Management (301) or Or the Outreach Hotline (301)