Agencies use the Sensitive But Unclassified (SBU) designation when information is not classified but still needs to be protected. While both classified and SBU information are considered sensitive and have various restrictions on access and disclosure, the differences between the two are found in the degree of sensitivity, the rules for access and protection, and the level of damage that could result from unauthorized disclosure.
Within the SBU designation, there are multiple markings that are used – just to keep everyone on their toes. Some of the markings can overlap within and across agencies. The information’s subject matter and intended audience are the primary factors for determining the appropriate designation.
Out of the 100 different types of SBU, here are just five examples:
For Official Use Only (FOUO)
Identifies information or material that, although unclassified, may be inappropriate for public release. It can be a kind of a catch-all designation when in doubt.
Law Enforcement Sensitive (LES)
Is considered sensitive, unclassified information that disclosure of could cause harm to law enforcement activities or jeopardize investigations or operations.
Sensitive Security Information (SSI)
Disclosure of this information would be considered an invasion of personal privacy; reveal a trade secret or privileged or confidential commercial or financial information; or be detrimental to the safety of passengers in transportation.
Limited Official Use (LOU)
Is a Department of Justice (DOJ) term for unclassified information of a sensitive, proprietary or personally private nature which must be protected against release to unauthorized individuals.
Critical Infrastructure Information (CII)
Is information not customarily in the public domain and related to the security of critical infrastructure or protected systems.
Enter CUI
Executive Order 13556 outlines the issues with SBU information, and how inconsistencies in applying marking and safeguarding procedures creates confusion. It outlined a new designation, Controlled Unclassified Information (CUI), and created categories and subcategories to “serve as exclusive designations for identifying unclassified information throughout the executive branch that requires safeguarding or dissemination controls.”
The Executive Order was signed in 2010 but is still being implemented across industry. SBU information will be categorized into two areas – CUI Basic or CUI Specified.
How to Protect SBU?
We live in a very digital world, so protecting SBU information is important – especially as industry begins to enforce new guidelines related to the protection of CUI. Classified information is the priority, but SBU information protection is crucial to the mission. SBU information may not have special carrying instructions, but here are a few things to consider about transferring SBU information:
Printed copies. Consider where you are taking SBU documents. Be sure they are shredded or filed when you are done with them.
Email. It’s a connected world out there. Don’t send anything from the office to your personal email. At this point, most of us have mobile devices or VPN capabilities. Don’t risk sending any documents to your personal email, particularly SBU information.
Thumb drives. Not all facilities have personal drive restrictions, so for those that allow thumb drives, be careful what you store on them and where they go. Transferring information onto a thumb drive made Edward Snowden a well-known name.
Clearly, when it comes to SBU information, it is better to be safe than sorry. Whatever term your agency uses, be careful to follow guidelines and common sense when handling information.