Official Use Only
Lesley Nelson-Burns
Office of Quality Management (301) 903-4861
Why Official Use Only?
• Consolidates most CUI information within DOE
  • Includes unclassified controlled information which is not governed by a DOE-wide directive (e.g., Export Controlled Information, Protected Cooperative Research and Development Information, Applied Technology)
  • Does not include
    - Unclassified Controlled Nuclear Information (UCNI), which is governed by DOE Order 471.1A and DOE Manual 471.1-1
    - Unclassified Naval Nuclear Propulsion Information, which is Naval Reactors information
• OUO ensures consistent handling and protection of unclassified information throughout the complex
• OUO ensures information is not released through informal methods (posted on a website or sent to a person without a need-to-know the information)
What is OUO Information?
Official Use Only
Draft Documents
Attorney-Client
Patent Information
Attorney-Work
Applied Technology
Export Controlled Information
Source Selection Information
Personally Identifiable Information
Intellectual Property
Business Confidential
Sensitive Nuclear Technology
Privacy Act Information
Proprietary Information
Who has Responsibility for OUO?
• The Office of Classification is responsible for developing DOE’s overall policy and guidelines for identifying and protecting OUO
• The Chief Information Officer (CIO) issues guidance regarding the protection of OUO and other sensitive information on DOE information systems and the identification of PII
• Program Offices determine the specific information within their purview that is OUO
Does OUO Mean the Information is Exempt from Release under the FOIA?
• OUO is not a determination that information is FOIA exempt
• OUO is a determination that the information may be FOIA exempt
  • OUO markings ensure a document is not publicly released without an appropriate review
  • If an OUO document is requested under the FOIA, a FOIA Authorizing Official must determine whether the information must be released
  • Only a FOIA Official may determine that information is FOIA exempt
• The threshold for withholding information under the FOIA is higher, FOIA requires in-depth knowledge of
OUO ≠ FOIA Exempt
How is OUO Marked?
OUO Marking
• OUO Markings
  • Ensure everyone understands a document must be protected
  • Ensure everyone knows how it must be protected
• Without OUO markings
  • Does not require protection
  • No recourse if information is released
How are OUO Documents Marked?
Front Marking – Determination based on Guidance (Classification/Control Guides)

OFFICIAL USE ONLY
May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), exemption number and category: 5, Privileged Information
Department of Energy review required before public release
Name/Org: John Smithson, NA-121 Date: 4/11/07 Guidance (if applicable): CG-SS-4

Callouts on the sample marking: Exemption Number; Exemption Name; Name AND Organization; Date of Determination; Short Name of Guide

Markings are for example purposes only
How is a Document Transmitting OUO Marked?
• Required if transmittal document itself does not contain classified or controlled information
• Calls attention to presence of OUO information in attachment

Document transmitted contains OUO information
Markings are for example purposes only
Sample Marking of Document Transmitting OUO
Attachment contains OUO, transmitting document does not contain OUO
[Sample transmitting document text]
Document transmitted contains OUO Information
Markings are for example purposes only
How is an E-mail containing OUO Marked?
• First line of message
  • Insert “OUO” before text
• If attachment to message is OUO
  • Message must so indicate
  • Attachment must be marked correctly
Protecting OUO
Who May have Access to OUO?
• Anyone needing the information to perform his/her job or other DOE-authorized activity
  • No security clearance required
  • Not limited to DOE employees
  • No requirement for US citizenship
• Some OUO may have additional access restrictions (Export Controlled Information, Source Selection Information, etc.)
• Determination made by person possessing document – not person wanting the document
What are the Cyber Security Requirements for OUO?
• Since the OUO Manual was published, the Office of the Chief Information Officer issued Technical and Management Requirements, Protection of Sensitive Unclassified Information, Including Personally Identifiable Information (TMR-22)
• TMR-22 requires senior management to develop Program Cyber Security Plans (PCSP) which are consistent with TMR-22
• The DOE HQ PCSP requires HQ to follow TMR-22
• If not with DOE HQ, recommend following TMR-22 requirements until you receive clarification from local cyber security
What are the Cyber Security Requirements for OUO?
• TMR-22 (and DOE HQ) Requirements
  • OUO must be encrypted during transmission (If person receiving OUO does not have Entrust, contact cyber security for approved alternate method of transmission)
  • OUO on portable/mobile devices and removable media (e.g., CD-ROMs, thumb drives) must be encrypted
How is OUO Transmitted by phone?
• Transmitting over voice circuits
  • Use encryption whenever possible
  • If unavailable and other encrypted means are not a feasible alternative, regular voice circuits allowed
How is OUO Transmitted?
• Transmitting by hand between facilities or within a facility
  • May be hand-carried
  • Must control access to document
How is OUO Transmitted?
• Transmitting by mail – inside facility
  • Place in sealed, opaque envelope or wrapping with recipient’s address, and
  • “TO BE OPENED BY ADDRESSEE ONLY” on outside
How is OUO Transmitted?
• Transmitting by mail – outside facility
  • Place in sealed, opaque envelope or wrapping with recipient’s address, return address, and “TO BE OPENED BY ADDRESSEE ONLY” on outside (same requirements as inside facility, but must include return address)
  • U.S. mail – First Class, Express, Certified, Registered
  • Any commercial carrier
How is OUO Protected?
• In Use
  • Take reasonable precautions to prevent access by persons who don’t need the information to do their jobs
  • For example, don’t read an OUO document in a public place (in the cafeteria, on public transportation)
How is OUO Protected?
• Storing
  • With internal building security during non-duty hours - Unlocked file cabinet, desk, briefcase, etc.
  • No internal building security during non-duty hours - Locked room or locked file cabinet, desk, briefcase, etc.
How is OUO Protected?
• Copying
  • No permission from originator needed
  • Make minimum number of copies
  • Mark and protect copies
How is OUO Protected?
• Destroying
  • Strip-cut shredder with strips no more than ¼” wide
  • Any other method approved by local security office
Protection Requirements
• Apply to
  • DOE OUO documents
  AND
  • Other-agency CUI documents
What are Inappropriate Uses of OUO?
• OUO must not be used to
  • Conceal violations of law, inefficiency, or administrative error
  • Prevent embarrassment to an organization or agency
  • Prevent or delay the release of information that does not meet the criteria to be designated as OUO
Are There Penalties for Misuse of OUO?
• Imposed if person
  • Intentionally releases OUO information from document marked “OUO”
  • Intentionally or negligently releases an OUO document
  • Intentionally does not mark a document known to contain OUO information
  • Intentionally marks a document “OUO” known not to contain OUO information
What Penalties are Possible?
• Examples of penalties (DOE 3750.1)
  • Verbal admonishment
  • Written reprimand
  • Suspension
  • Termination
Directives
OUO Directives Issued 4/9/03
• DOE Order 471.3 – Requirements and responsibilities
• DOE Manual 471.3-1 – Detailed instructions for implementing requirements
• DOE Guide 471.3-1 – Assists an employee in deciding whether information falls under one of the eight FOIA exemptions
Contacts
Lesley Nelson-Burns
Office of Quality Management
(301) 903-4861 or [email protected]
Or the Outreach Hotline (301) 903-7567