Official Use Only - P2S · 2016. 4. 5. · XxxxxxxxxxXxxxxxxxxxxx Xxxxxxxx(XXX), Xxxxxxxxxx x, xxxx...

Date post: 24-Jan-2021

Official Use Only

Lesley Nelson-Burns

Office of Quality Management (301) 903-4861

[email protected]

Why Official Use Only?

- Consolidates most CUI information within DOE
  • Includes unclassified controlled information which is not governed by a DOE-wide directive (e.g., Export Controlled Information, Protected Cooperative Research and Development Information, Applied Technology)
  • Does not include
    - Unclassified Controlled Nuclear Information (UCNI), which is governed by DOE Order 471.1A and DOE Manual 471.1-1
    - Unclassified Naval Nuclear Propulsion Information, which is Naval Reactors information

- OUO ensures consistent handling and protection of unclassified information throughout the complex

- OUO ensures information is not released through informal methods (posted on a website or sent to a person without a need to know the information)

What is OUO Information?

Official Use Only

- Draft Documents
- Attorney-Client
- Patent Information
- Attorney-Work
- Applied Technology
- Export Controlled Information
- Source Selection Information
- Personally Identifiable Information
- Intellectual Property
- Business Confidential
- Sensitive Nuclear Technology
- Privacy Act Information
- Proprietary Information

Who has Responsibility for OUO?

- The Office of Classification is responsible for developing DOE’s overall policy and guidelines for identifying and protecting OUO

- The Chief Information Officer (CIO) issues guidance regarding the protection of OUO and other sensitive information on DOE information systems and the identification of PII

- Program Offices determine the specific information within their purview that is OUO

Does OUO Mean the Information is Exempt from Release under the FOIA?

- OUO is not a determination that information is FOIA exempt

- OUO is a determination that the information may be FOIA exempt
  • OUO markings ensure a document is not publicly released without an appropriate review
  • If an OUO document is requested under the FOIA, a FOIA Authorizing Official must determine whether the information must be released
  • Only a FOIA Official may determine that information is FOIA exempt

- The threshold for withholding information under the FOIA is higher, FOIA requires in-depth knowledge of

OUO ≠ FOIA Exempt

How is OUO Marked?

OUO Marking

- OUO Markings
  • Ensures everyone understands a document must be protected
  • Ensures everyone knows how it must be protected

- Without OUO markings
  • Does not require protection
  • No recourse if information is released

How are OUO Documents Marked?

Front Marking – Determination based on Guidance (Classification/Control Guides)

OFFICIAL USE ONLY
May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), exemption number and category: 5, Privileged Information
Department of Energy review required before public release
Name/Org: John Smithson, NA-121 Date: 4/11/07
Guidance (if applicable): CG-SS-4

Elements labeled on the sample marking:
  • Exemption Number
  • Exemption Name
  • Name AND Organization
  • Date of Determination
  • Short Name of Guide

Markings are for example purposes only

How is a Document Transmitting OUO Marked?

- Required if transmittal document itself does not contain classified or controlled information

- Calls attention to presence of OUO information in attachment

Document transmitted contains OUO information

Markings are for example purposes only

Sample Marking of Document Transmitting OUO

Attachment contains OUO, transmitting document does not contain OUO

[Sample transmittal document with placeholder body text]

Document transmitted contains OUO Information

Markings are for example purposes only

How is an E-mail containing OUO Marked?

- First line of message
  • Insert “OUO” before text

- If attachment to message is OUO
  • Message must so indicate
  • Attachment must be marked correctly

Protecting OUO

Who May have Access to OUO?

- Anyone needing the information to perform his/her job or other DOE-authorized activity
  • No security clearance required
  • Not limited to DOE employees
  • No requirement for US citizenship

- Some OUO may have additional access restrictions (Export Controlled Information, Source Selection Information, etc.)

- Determination made by person possessing document – not person wanting the document

What are the Cyber Security Requirements for OUO?

- Since the OUO Manual was published, the Office of the Chief Information Officer issued Technical and Management Requirements, Protection of Sensitive Unclassified Information, Including Personally Identifiable Information (TMR-22)

- TMR-22 requires senior management to develop Program Cyber Security Plans (PCSP) which are consistent with TMR-22

- The DOE HQ PCSP requires HQ to follow TMR-22

- If not with DOE HQ, recommend following TMR-22 requirements until you receive clarification from local cyber security

What are the Cyber Security Requirements for OUO?

- TMR-22 (and DOE HQ) Requirements
  • OUO must be encrypted during transmission (If person receiving OUO does not have Entrust, contact cyber security for approved alternate method of transmission)
  • OUO on portable/mobile devices and removable media (e.g., CD-ROMs, thumb drives) must be encrypted

How is OUO Transmitted by phone?

- Transmitting over voice circuits
  • Use encryption whenever possible
  • If unavailable and other encrypted means are not a feasible alternative, regular voice circuits allowed

How is OUO Transmitted?

- Transmitting by hand between facilities or within a facility
  • May be hand-carried
  • Must control access to document

How is OUO Transmitted?

- Transmitting by mail – inside facility
  • Place in sealed, opaque envelope or wrapping with recipient’s address, and
  • “TO BE OPENED BY ADDRESSEE ONLY” on outside

How is OUO Transmitted?

- Transmitting by mail – outside facility
  • Place in sealed, opaque envelope or wrapping with recipient’s address, return address, and “TO BE OPENED BY ADDRESSEE ONLY” on outside (same requirements as inside facility, but must include return address)
  • U.S. mail – First Class, Express, Certified, Registered
  • Any commercial carrier

How is OUO Protected?

- In Use
  • Take reasonable precautions to prevent access by persons who don’t need the information to do their jobs
  • For example, don’t read an OUO document in a public place (in the cafeteria, on public transportation)

How is OUO Protected?

- Storing
  • With internal building security during non-duty hours - Unlocked file cabinet, desk, briefcase, etc.
  • No internal building security during non-duty hours - Locked room or locked file cabinet, desk, briefcase, etc.

How is OUO Protected?

- Copying
  • No permission from originator needed
  • Make minimum number of copies
  • Mark and protect copies

How is OUO Protected?

- Destroying
  • Strip-cut shredder with strips no more than ¼” wide
  • Any other method approved by local security office

Protection Requirements

- Apply to
  • DOE OUO documents
  AND
  • Other-agency CUI documents

What are Inappropriate Uses of OUO?

- OUO must not be used to
  • Conceal violations of law, inefficiency, or administrative error
  • Prevent embarrassment to an organization or agency
  • Prevent or delay the release of information that does not meet the criteria to be designated as OUO

Are There Penalties for Misuse of OUO?

- Imposed if person
  • Intentionally releases OUO information from document marked “OUO”
  • Intentionally or negligently releases an OUO document
  • Intentionally does not mark a document known to contain OUO information
  • Intentionally marks a document “OUO” known not to contain OUO information

What Penalties are Possible?

- Examples of penalties (DOE 3750.1)
  • Verbal admonishment
  • Written reprimand
  • Suspension
  • Termination

Directives

OUO Directives Issued 4/9/03

- DOE Order 471.3 – Requirements and responsibilities

- DOE Manual 471.3-1 – Detailed instructions for implementing requirements

- DOE Guide 471.3-1 – Assists an employee in deciding whether information falls under one of the eight FOIA exemptions

Contacts

Lesley Nelson-Burns Office of Quality Management

(301) 903-4861 or [email protected]

Or the Outreach Hotline (301) 903-7567

[email protected]
