DHS Personnel Security


Department of Homeland Security
Office of Security
Administrative Security Division
For Official Use Only (FOUO)
MD 11042.1
Meegan Kriley, Security Specialist
June 1, 2005
Administrative Security Division
Our Responsibilities
Mission
To safeguard information and assets vital to the security and
integrity of the homeland.
Vision
To establish and maintain a vital, robust, credible, and
proactive program for the administration and management of
programs associated with the protection of classified and
sensitive but unclassified information.
Administrative Security Division
• Classified
  • Confidential (C)
  • Secret (S)
  • Top Secret (TS)
• Sensitive But Unclassified (SBU)
  • For Official Use Only (FOUO)
  • Sensitive Security Information (SSI)
  • Protected Critical Infrastructure Information (PCII)
Sensitive But Unclassified Information (SBU)
Examples:
• For Official Use Only (FOUO) – DHS MD 11042.1
• Sensitive Security Information (SSI) – 49 USC 40119
• Protected Critical Infrastructure Information (PCII/CII) – 6 USC 131(3)
• Law Enforcement Sensitive (LES)
• Other Similar Terms Used For Information That Is Considered Sensitive, But Does Not Meet E.O. 12958, As Amended, Standards For Classification
• Privacy Act Information
For Official Use Only (FOUO)
Definition (from MD 11042.1):
Used within DHS to identify unclassified information of a sensitive nature, not otherwise categorized by statute or regulation, the unauthorized disclosure of which could adversely impact a person’s privacy or welfare, the conduct of Federal programs, or other programs or operations essential to the national interest.
Information impacting the National Security of the United States and classified Confidential, Secret, or Top Secret under Executive Order 12958, “Classified National Security Information,” as amended, or its predecessor or successor orders, is not to be considered FOUO.
For Official Use Only (FOUO)
Designation Categories (11)
• Exempt under FOIA
• Exempt under Privacy Act
• Protected by treaty, statute or other agreement
• Could be sold for profit
• Would result in physical risk to personnel
• It is internal systems data
• Data revealing the security posture of a system
• Reveals security vulnerabilities
• Indicates intentions or capabilities of operations
• Overly revealing of developing or current technology
• Marked in a similar manner from another department or agency
For Official Use Only (FOUO)
Designation Authority
Categories:
• Any DHS employee, detailee, or contractor can mark information falling within one or more of the categories as FOUO.
Without Categories:
• Officials occupying supervisory or managerial positions are authorized to designate other information, not listed and originating under their jurisdiction, as FOUO.
For Official Use Only (FOUO)
Duration
• Information marked FOUO will retain its designation until determined otherwise by the originator.
• Duration markings are not required.
• FOUO marking does not automatically exempt information from release under FOIA.
For Official Use Only (FOUO)
Marking
• Mark bottom of ALL document pages: “FOR OFFICIAL USE ONLY”
• FOUO Cover Sheet
  Cover sheet text: Department of Homeland Security. FOR OFFICIAL USE ONLY. The attached materials contain Department of Homeland Security Information that is “For Official Use Only.” The attached materials will be handled and safeguarded in accordance with DHS management directives governing protection and dissemination of such information. MD11042.1
• Front Page, Back Page, individual pages
• Portion markings are not required if there is no classified information in the document
• Optional:
  WARNING: This document is FOR OFFICIAL USE ONLY (FOUO). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO Information.
For Official Use Only (FOUO)
Handling / Storage
• When unattended, FOUO information will be stored in a locked filing cabinet, locked desk drawer, a locked overhead storage compartment such as systems furniture credenza, or a similar locked compartment.
• Information can also be stored in a room or area that has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know, such as a locked room or an area where access is controlled by a guard, cipher lock, or card reader.
For Official Use Only (FOUO)
Handling / Transmittal
• No clearance is needed for access; however, there has to be a ‘need to know’.
• Stored in a locked drawer or file, unless otherwise protected from unauthorized access.
• Not stored with classified unless there is a correlation.
• Mailed First Class Mail with the U.S. Postal Service, or a commercial delivery service such as DHL.
For Official Use Only (FOUO)
Handling / Transmittal
• Use of secure phones and faxes for transmittal, although not required, is encouraged.
• FOUO transmitted over email should be protected by encryption. When encryption is impractical or unavailable, transmit over regular email channels.
• FOUO should not be posted to public websites.
For Official Use Only (FOUO)
Destruction
• Hard copy FOUO materials will be destroyed by shredding, burning, pulping, or pulverizing, sufficient to assure destruction beyond recognition & reconstruction. After destruction, materials may be disposed of with normal waste.
• Electronic storage media shall be sanitized appropriately by overwriting or degaussing. After destruction, materials may be disposed of with normal waste.
For Official Use Only (FOUO)
Incident Reporting
• Incidents on DHS IT systems will be reported to the organizational element’s Computer Security Incident Response Center.
• Suspicious or inappropriate requests for information shall be reported to the DHS Office of Security.
• At the originator’s request, an inquiry will be conducted by the local security official or other designee to determine the cause and effect of the incident and, if any, the appropriate administrative or disciplinary actions.
For Official Use Only (FOUO)
Example
FIRST PAGE and INTERNAL PAGES – Mark “FOR OFFICIAL USE ONLY”
FRONT COVER, TITLE PAGE, and OUTSIDE BACK COVER – Mark the bottom “FOR OFFICIAL USE ONLY”
Information designated as FOUO will be sufficiently marked so that persons having access to it are aware of its sensitivity and protection requirements.
[Figure: sample title page (“Department of Homeland Security, For Official Use Only (FOUO) Classification of Information, June 1, 2005, Training Class”) and numbered internal pages showing the “FOR OFFICIAL USE ONLY” marking.]
QUIZ
• What is the term used within DHS to identify unclassified information of a sensitive nature, not otherwise categorized by statute or regulation?
  • For Official Use Only (FOUO)
• Who can mark information FOUO?
  • ANY DHS employee, detailee, or contractor can mark information falling within one or more of the categories cited
• How can FOUO materials be transmitted?
  • U.S. Postal Service First Class, DHL, or inter-office mail
• Where can you find answers regarding questions on DHS FOUO?
  • MD 11042.1
  • DHS Office of Security – Administrative Security Division
DHS Office of Security Customer Service Center
(202) 692-4432
(202) 358-1426