An Information Security Guide for the Center for Collaborative Systems for Security, Safety, and Regional Resilience (CoSSaR) at the University of Washington. It provides guidance on handling sensitive information that requires protection against unauthorized disclosure, including information designated “Sensitive But Unclassified” (SBU) under current control programs, which will ultimately be transitioned to protect information under the new Controlled Unclassified Information (CUI) regime. The guide provides direction for identifying and properly handling the three categories of CUI/SBU information most likely to be encountered by the CoSSaR community.
Issued and Approved by: Dr. Mark Haselkorn, PhD., Director of CoSSaR
Date: August 15, 2015

Table 1: Version Control
Version | Change | Effective Date
1.0 | Initial Version | 8-15-2015

Table 2: Table of Changes
Version # | Date | Section | Paragraph | Description
Table 1: Version Control, page i
Table 2: Table of Changes, page i
Table 3: FOUO General Guidance, page 13
Table 4: LES General Guidance, page 15
Table 5: SSI General Guidance, page 17
This guide is approved by the Director of the Center for Collaborative, Safety, Security, and Regional Resilience at the University of Washington. It is issued to provide guidance to Federally directed CoSSaR activities in accordance with Executive Order 13556, Department of Homeland Security Management Directive Numbers 11042.1 and 11056.1, Department of Defense Manual Number 5200.01 (Volume 4), 49 CFR 1520.5, and University of Washington security directives.
This document provides security guidance for the use of CUI/SBU information associated with the CoSSaR program. This guide and reference authorities (listed in Section 1.2) shall be cited as the basis for recognizing, categorizing, marking, handling, processing, transmitting, and disseminating of CUI/SBU and materials. If a conflict exists between this guide and reference authorities, the reference authority takes precedence.
This guide is effective immediately upon release.
The Office of Primary Responsibility (OPR) for this guide is:
Program Manager
Center for Collaborative, Safety, Security, and Regional Resilience (CoSSaR)
310 Sieg Hall, Box 352315
University of Washington
Seattle, WA 98195
Phone: (206) 543-4640
Fax: (206) 543-8858
E-Mail: CoSSaR@uw.edu

The office of secondary responsibility for this guide is:
University Facility Security Officer
1013 NE 40th St., Box 355640
Seattle, WA 98105
Phone: (206) 543-1315
Fax: (206) 543-1732
E-Mail: uwfso@uw.edu
One goal of CoSSaR is to produce relevant analytic products for Puget Sound area stakeholders that may be disseminated to the widest audience possible at the uncontrolled UNCLASSIFIED level. In the conduct of their work, CoSSaR researchers may, however, be given CUI/SBU information - or they may create it by compilation. To properly control information, it is essential for researchers to recognize CUI/SBU information. When gathering information, it is required that CoSSaR researchers document when the information they receive is CUI/SBU information. All information marked as CUI/SBU by any Federal agency shall be marked and handled in accordance with this Information Security Guide within the CoSSaR project. It is the responsibility of each CoSSaR researcher to ask if information gathered in verbal interviews is either uncontrolled or CUI/SBU information. Department of Homeland Security (DHS) Management Directive 11042.1 states “Any DHS employee, detailee, or contractor, can mark information falling within one or more of the categories as FOUO.” Therefore, acting as grantees or contractors to DHS, CoSSaR researchers may designate information falling into the categories below as “FOUO” to maintain protection of the information. Additionally, “DHS Officials occupying supervisory or managerial positions are authorized to designate other information, not listed and originating under their jurisdiction, as FOUO.” If CoSSaR personnel believe that information meets the criteria for CUI/SBU information, the material should be sent to the sponsor team via DHS using approved CUI/SBU information transmission methods (see section 4.3) for final determination. In the interim, the material shall be protected as if it were CUI/SBU information until a final determination is made by DHS.
This guide is designated UNCLASSIFIED and subject to public release under the Federal Freedom of Information Act and Washington RCW Chapter 42.56 Public Records Act.
Executive Order 13556 "Controlled Unclassified Information" established the CUI program, which is a system that standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. Although President Obama signed Executive Order 13556 in 2009, many Federal agencies have yet to complete the transition to the CUI standard. As a result, much of the guidance for the previous “Sensitive But Unclassified” (SBU) regime remains in place. This guide applies to certain types of CUI/SBU information for which Executive Branch agencies require applications of controls and protective measures for a variety of reasons. FOUO and LES are designations applied by DHS to CUI/SBU information, which may be exempt from mandatory release to the public under Section 552 of Title 5, U.S.C., “Freedom of Information Act (FOIA)” or “The Privacy Act”. SSI is the designation applied by DHS to CUI/SBU information obtained or developed in the conduct of security activities as defined in 49 C.F.R. Section 1520.5.
other personnel who do not have a valid need-to-know without prior approval of an authorized DHS official.

4.2.3 LAW ENFORCEMENT SENSITIVE (LES)

In unclassified documents containing LES information, the phrase “Law Enforcement Sensitive” shall accompany the phrase “FOR OFFICIAL USE ONLY” at the bottom of the outside of the front cover, the title page (if there is one), and the outside of the back cover (if there is one). Each page containing FOUO-LES information shall be marked “FOR OFFICIAL USE ONLY Law Enforcement Sensitive” at the bottom. Portions of unclassified documents that contain FOUO-LES information shall be marked with the parenthetical notation “(FOUO-LES)” at the beginning of the portion. If an unclassified portion of a classified document contains FOUO-LES information, the portion marking (U//FOUO-LES) shall be used. The cover sheet of each document containing LES should be marked with the following warning:

(U) WARNING: LAW ENFORCEMENT SENSITIVE. The information in this document marked FOUO-LES is the property of the Department of Homeland Security and may be distributed within the Federal Government (and its contractors) to law enforcement, public safety and protection, and intelligence officials and individuals with a need to know. Distribution to other entities without prior DHS authorization is prohibited. Precautions shall be taken to ensure this information is stored and destroyed in a manner that precludes unauthorized access. Information bearing the FOUO-LES marking may not be used in legal proceedings without prior authorization from the originator. Recipients are prohibited from posting information marked FOUO-LES on a website or unclassified network.
To identify unclassified information with an “SSI” caveat in a title, heading, paragraph, or bullet, precede the portion with “(U//SSI)”. If a document contains “(U)”, “(U//FOUO)”, “(U//LES)”, and “(U//SSI)”, the overall classification of the document is “UNCLASSIFIED//LAW ENFORCEMENT SENSITIVE and SENSITIVE SECURITY INFORMATION”. Individual paragraphs and sections properly marked as “Unclassified” or “(U)” may be shared freely, but other information properly marked as FOUO, LES, or SSI within a document can only be shared with authorized recipients who have a valid “need-to-know”. The cover sheet of each document containing SSI should be marked with the following warning:

(U) WARNING: This record contains SENSITIVE SECURITY INFORMATION that is controlled under 49 CFR parts 15 and 1520. No part of this record may be disclosed to persons without a “need to know”, as defined in 49 CFR parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520.

4.2.5 ORIGINATION INFORMATION

Designator or originator information and markings, downgrading instructions, and date/event markings are not required on FOUO, LES, or SSI documents.

4.2.6 REMOVAL OF CUI MARKINGS AND DESIGNATION

Removal of CUI/SBU information markings can only be accomplished by the originator or other competent authority. DO NOT remove any CUI/SBU information markings
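The portion-marking and banner rules of sections 4.2.3 and 4.2.4 can be checked mechanically before a document leaves the project. The following is an added example, not part of the guide or of any CoSSaR tooling: it verifies that every portion of a document carries one of the markings the guide names, that every page holding FOUO-LES material has the required footer, and it derives the overall banner from the caveats present. The guide states the banner only for the (U)/(U//FOUO)/(U//LES)/(U//SSI) combination; the handling of the other combinations (FOUO alone, SSI alone) and the page/footer data model are assumptions of this example.

```python
import re

# Portion markings named in sections 4.2.3 and 4.2.4 of the guide.
PORTION_RE = re.compile(r"^\((U//FOUO-LES|U//FOUO|U//LES|U//SSI|U|FOUO-LES)\)\s")

# Footer required on every page that contains FOUO-LES information (4.2.3).
LES_FOOTER = "FOR OFFICIAL USE ONLY Law Enforcement Sensitive"

CAVEAT_NAMES = {
    "FOUO": "FOR OFFICIAL USE ONLY",
    "LES": "LAW ENFORCEMENT SENSITIVE",
    "SSI": "SENSITIVE SECURITY INFORMATION",
}


def caveats_of(inner):
    """Map the inside of a portion marking, e.g. 'U//FOUO-LES', to its caveats."""
    if "//" not in inner and inner != "FOUO-LES":
        return set()                       # plain (U): no caveat
    cav = inner.split("//", 1)[-1]
    return {"FOUO", "LES"} if cav == "FOUO-LES" else {cav}


def overall_banner(caveats):
    """Derive the document banner. LES already carries FOUO, so FOUO is dropped
    when LES is present, matching the combined example in section 4.2.4."""
    cav = set(caveats)
    if "LES" in cav:
        cav.discard("FOUO")
    if not cav:
        return "UNCLASSIFIED"
    names = [CAVEAT_NAMES[c] for c in ("FOUO", "LES", "SSI") if c in cav]
    return "UNCLASSIFIED//" + " and ".join(names)


def check_document(pages):
    """pages: list of (portions, footer) tuples (assumed data model).
    Returns (findings, banner); an empty findings list means compliant."""
    findings, seen = [], set()
    for n, (portions, footer) in enumerate(pages, 1):
        page_cav = set()
        for text in portions:
            m = PORTION_RE.match(text)
            if not m:
                findings.append("page %d: unmarked portion: %r" % (n, text[:30]))
                continue
            page_cav |= caveats_of(m.group(1))
        if "LES" in page_cav and footer != LES_FOOTER:
            findings.append("page %d: missing footer %r" % (n, LES_FOOTER))
        seen |= page_cav
    return findings, overall_banner(seen)
```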
CUI/SBU information should not be posted to public websites.
a. SSI may be posted on approved government-controlled or -sponsored encrypted or otherwise protected portals, such as the Homeland Security Information Network (HSIN), USCG HomePort, or TSA’s WebBoards. Such posting shall be in accordance with guidance published or approved by the TSA SSI Office and appropriate IT security offices.
CoSSaR may disseminate CUI/SBU information to its employees and subcontractors who have a need for the information to complete work assigned in connection with CoSSaR projects. CoSSaR seeks to provide its CUI/SBU information-designated analytic products the widest distribution among Puget Sound area stakeholders with a legitimate “need to know”.
a. The CoSSaR Program Manager will seek permission from its DHS sponsor team to release reports containing CUI/SBU information to each individual stakeholder requesting the information.
b. The CoSSaR Project Manager will also comply with University procedures for the release of CUI/SBU information by submitting a University Access Request Form to release CUI/SBU information to regional stakeholders.
c. The CoSSaR Project Manager will maintain a log recording the release of all CoSSaR products and reports containing CUI/SBU information to third parties.
Hard copy CUI/SBU materials will be destroyed by shredding, burning, pulping, or pulverizing, sufficient to assure destruction beyond recognition and reconstruction. After destruction, materials may be disposed of with normal waste.
Electronic storage media shall be sanitized appropriately by overwriting or degaussing. After destruction, materials may be disposed of with normal waste. Paper products containing CUI/SBU materials will not be disposed of in regular trash or recycling receptacles unless the materials have first been destroyed as specified above.
The loss, compromise, suspected compromise, or unauthorized disclosure of CUI/SBU information will be reported to the CoSSaR program’s DHS sponsor team and the University of Washington Office of Sponsored Programs within one business day of the discovery of the incident. Incidents on UW IT systems will also be reported to the University Facility Security Officer at 206-543-1315 or uwfso@uw.edu via the system’s Information Technology Manager (http://ciso.washington.edu/report/). Coordinate reporting through the HCDE IT Manager for incidents on the HCDE server or the APL IT Manager for incidents on APL-hosted servers. Suspicious or inappropriate requests for CUI/SBU information by any means (e.g., email or verbally) shall be reported to the DHS sponsor team via the CoSSaR Program Manager and the UW Office of Sponsored Programs. If the disclosure or compromise could result in physical harm to an individual(s) or the compromise of a planned ongoing operation, additional notifications to appropriate DHS management personnel will be made without delay. In the event of an unauthorized disclosure, CoSSaR will request an inquiry by the University Facility Security Officer to determine the cause and effect of the incident and suggested corrective actions to prevent recurrence.
Topic | Marking | Remarks
FOIA (5 USC 552) Exemption 7: Law enforcement information | | See Law Enforcement Sensitive Matrix for further guidance
FOIA (5 USC 552) Exemption 8: Matters/information for regulators or supervisors of financial institutions | |
FOIA (5 USC 552) Exemption 9: Geological information and data, including maps, concerning wells | |
Privacy Act (5 USC 552a) § (j)(2): Material reporting investigative efforts pertaining to the enforcement of criminal law, including efforts to prevent, control, or reduce crime or to apprehend criminals. | | See Law Enforcement Sensitive Matrix for further guidance
International and domestic information protected by treaty, statute, regulation, or other agreement. | |
Information that could result in physical risk to personnel. | |
System security data revealing the security posture of a system. | FOUO | For example: threat assessments, system security plans, contingency plans, risk management plans, Business Impact Analysis studies, etc.
Information that reveals security vulnerabilities, whether to persons, systems, or facilities. | SSI | See Sensitive Security Information Matrix for further guidance
The following matrix has been compiled to assist CoSSaR personnel to recognize information that requires control as “Law Enforcement Sensitive”. The list contains abridged descriptions. Appendix B contains the full descriptions of Law Enforcement Sensitive exclusions to the FOIA as delineated by the US Department of Justice.

Table 4: LES General Guidance
Law Enforcement Sensitive – Exemption 7 of FOIA (5 USC 552)
Topic | Marking | Remarks
Information that could reasonably be expected to interfere with enforcement proceedings
Information that would deprive a person of a right to a fair trial or an impartial adjudication
Information that could reasonably be expected to constitute an unwarranted invasion of personal privacy
Information that could reasonably be expected to disclose the identity of a confidential source
Including a State, local, or foreign agency or authority or any private institution which furnished information on a confidential basis, and, in the case of a record or information compiled by a criminal law enforcement authority in the course of a criminal investigation, or by an agency conducting a lawful national security intelligence investigation,