For Official Use Only (FOUO) is an information security designation used by some governments.
Among U.S. government information, FOUO was primarily used by the U.S. Department of Defense as a handling instruction for Controlled Unclassified Information (CUI) which may be exempt from release under exemptions two to nine of the Freedom of Information Act (FOIA). [1] It is one of the various sub-categorizations for strictly unclassified information which, on 24 February 2012, was officially consolidated as CUI.
Other departments continuing the use of this designation include the Department of Homeland Security. [2]
On 24 February 2012, the Under Secretary of Defense for Intelligence published the publicly available DoDM 5200.01 DoD Information Security Program, a four-volume manual consolidating all marking of information used by the U.S. Department of Defense. [3] Most of the information regarding FOUO was in the now-superseded fourth volume, but the second volume also contains guidelines on FOUO information.
On 6 March 2020, the DoD replaced DoDM 5200.01 Volume 4 with DoDM 5200.48 - Controlled Unclassified Information (CUI). The term "FOUO" had been defined in DoDM 5200.01 Vol 4. It is no longer in the replacement document except as a reference to not requiring a "U" marking in the banner or footer signifying unclassified information as was required with the "old FOUO marking" (para 3.4.b.(1)).
For Official Use Only (FOUO) was one of five categories of the Dissemination Limiting Marker (DLM) defined by the Australian Government Information Security Management Guidelines. [4] The guidelines state that FOUO should only be used on unclassified information, when its compromise may cause limited damage to national security, Australian Government agencies, commercial entities or members of the public. However, unlike the United States usage, the presence or absence of an FOUO marker expressly does not provide any information about the document's status under the Freedom of Information Act. Since 2018 this has been replaced by OFFICIAL:Sensitive.
VS-Nur für den Dienstgebrauch (short VS-NfD) (FOR OFFICIAL USE ONLY) is one of four secrecy designations in use by the Federal Republic of Germany.
It is denoted at the top of each document in either black or blue text reading "VS-NUR FÜR DEN DIENSTGEBRAUCH," which is always written in upper case. [5]
Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to know. Mishandling of the material can incur criminal penalties.
A security clearance is a status granted to individuals allowing them access to classified information or to restricted areas, after completion of a thorough background check. The term "security clearance" is also sometimes used in private organizations that have a formal process to vet employees for access to sensitive information. A clearance by itself is normally not sufficient to gain access; the organization must also determine that the cleared individual needs to know specific information. No individual is supposed to be granted automatic access to classified information solely because of rank, position, or a security clearance.
The National Security Archive is a 501(c)(3) non-governmental, non-profit research and archival institution located on the campus of the George Washington University in Washington, D.C. Founded in 1985 to check rising government secrecy, the National Security Archive is an investigative journalism center, open government advocate, international affairs research institute, and the largest repository of declassified U.S. documents outside the federal government. The National Security Archive has spurred the declassification of more than 15 million pages of government documents by being the leading non-profit user of the U.S. Freedom of Information Act (FOIA), filing a total of more than 70,000 FOIA and declassification requests in its 35+ years of history.
The Non-classified Internet Protocol (IP) Router Network (NIPRNet) is an IP network used to exchange unclassified information, including information subject to controls on distribution, among the private network's users. The NIPRNet also provides its users access to the Internet.
Redaction or sanitization is the process of removing sensitive information from a document so that it may be distributed to a broader audience. It is intended to allow the selective disclosure of information. Typically, the result is a document that is suitable for publication or for dissemination to others rather than the intended audience of the original document.
The Information Security Oversight Office (ISOO) is responsible to the President for policy and oversight of the government-wide security classification system and the National Industrial Security Program in the United States. The ISOO is a component of the National Archives and Records Administration (NARA) and receives policy and program guidance from the National Security Council (NSC).
Sensitive But Unclassified (SBU) is a designation of information in the United States federal government that, though unclassified, often requires strict controls over its distribution. SBU is a broad category of information that includes material covered by such designations as For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive Homeland Security Information, Sensitive Security Information (SSI), Critical Infrastructure Information (CII), etc. It also includes Internal Revenue Service materials like individual tax records, systems information, and enforcement procedures. Some categories of SBU information have authority in statute or regulation while others, including FOUO, do not.
Operations security (OPSEC) is a process that identifies critical information to determine whether friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
The United States government classification system is established under Executive Order 13526, the latest in a long series of executive orders on the topic of classified information beginning in 1951. Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the regulations codified to 32 C.F.R. 2001. It lays out the system of classification, declassification, and handling of national security information generated by the U.S. government and its employees and contractors, as well as information received from other governments.
Special access programs (SAPs) in the U.S. Federal Government are security protocols that provide highly classified information with safeguards and access restrictions that exceed those for regular (collateral) classified information. SAPs can range from black projects to routine but especially-sensitive operations, such as COMSEC maintenance or presidential transportation support. In addition to collateral controls, a SAP may impose more stringent investigative or adjudicative requirements, specialized nondisclosure agreements, special terminology or markings, exclusion from standard contract investigations (carve-outs), and centralized billet systems. Within the Department of Defense, SAP is better known as "SAR" by the mandatory Special Access Required (SAR) markings.
Classified information in the United Kingdom is a system used to protect information from intentional or inadvertent release to unauthorised readers. The system is organised by the Cabinet Office and is implemented throughout central and local government and critical national infrastructure. The system is also used by private sector bodies that provide services to the public sector.
Sensitive security information (SSI) is a category of United States sensitive but unclassified information obtained or developed in the conduct of security activities, the public disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. It is not a form of classification under Executive Order 12958 as amended. SSI is not a security classification for national security information. The safeguarding and sharing of SSI is governed by Title 49 Code of Federal Regulations (CFR) parts 15 and 1520. This designation is assigned to information to limit the exposure of the information to only those individuals that "need to know" in order to participate in or oversee the protection of the nation's transportation system. Those with a need to know can include persons outside of TSA, such as airport operators, aircraft operators, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, foreign vessel owners, and other persons.
The combination of the Bravo and Zulu nautical signal flags, i.e., Bravo Zulu, also referred to as "BZ," is a naval signal, typically conveyed by flaghoist or voice radio, meaning "Well Done" with regard to actions, operations or performance. In addition to the British Royal Navy, it has also been used as part of vernacular slang within the U.S. Navy, NATO, and other Allied naval forces. It can be combined with the "negative" signal, spoken or written as NEGAT, to say "NEGAT Bravo Zulu" to convey "not well done" for a given action.
The Defense Technical Information Center is the repository for research and engineering information for the United States Department of Defense (DoD). DTIC's services are available to DoD personnel, federal government personnel, federal contractors and selected academic institutions. The general public can access unclassified information through its public website.
Controlled Unclassified Information (CUI) is a category of unclassified information within the U.S. Federal government. The CUI program was created by President Obama’s Executive Order 13556 to create a streamlined method for information sharing and safeguarding. The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA) of the National Archives and Records Administration (NARA), and is responsible for oversight of the CUI program. The ISOO monitors the implementation of the CUI program by executive branch agencies. CUI will replace agency-specific labels such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES) on new data, and some data with legacy labels will also qualify as Controlled Unclassified Information. Federal contractors who handle CUI will be required to self-assess with the Cybersecurity Maturity Model Certification (CMMC) under the Cyber AB.
Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information.
Managed Trusted Internet Protocol Service (MTIPS) was developed by the US General Services Administration (GSA) to allow US Federal agencies to physically and logically connect to the public Internet and other external connections in compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) Initiative.
Lightweight Portable Security (LPS) or Trusted End Node Security (TENS) was a Linux LiveCD (or LiveUSB) distribution. The application Encryption Wizard, originally bundled with TENS, is still actively maintained. LPS and its successor TENS were developed and publicly distributed by the United States Department of Defense’s Air Force Research Laboratory. The live CD is designed to serve as a secure end node. The Air Force Research Laboratory actively maintained LPS and TENS from 2007 to 2021. It can run on almost any x86_64 computer (PC or Mac). LPS boots only in RAM, creating a pristine, non-persistent end node. It supports DoD-approved Common Access Card (CAC) readers, as required for authenticating users into PKI-authenticated gateways to access internal DoD networks.
The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase the trust in measures of compliance to a variety of standards published by the National Institute of Standards and Technology.