[Infowarrior] - Security absurdity: US in sensitive information quagmire
Richard Forno
rforno at infowarrior.org
Mon Sep 13 21:20:03 CDT 2010
Security absurdity: US in sensitive information quagmire
Feds have over 100 ways of classifying, 230 ways of handling sensitive information
By Layer 8 on Mon, 09/13/10 - 11:09am.
http://www.networkworld.com/community/node/66215
Protecting and classifying sensitive information such as social security numbers shouldn't be that hard, but perhaps not surprisingly the US government has taken complicating that task to an art form.
It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines, reflecting a disjointed, inconsistent, and unpredictable system for protecting, sharing, and disclosing sensitive information, according to the watchdogs at the Government Accountability Office.
The GAO noted the security classification mess last week in a report that looked at the challenges government contractors face in protecting private information. That report found that at least three federal agencies were not fully safeguarding private information, increasing the risk of unauthorized disclosure or misuse. Part of the problem was the way such information is handled.
And as you might imagine, this is not a new problem. In 2006 the GAO reported on a survey of federal agencies that showed 26 were using 56 different designations to protect information they deemed critical to their missions, such as law-enforcement sensitive, sensitive security information, and unclassified controlled nuclear information. Because of the many different and sometimes confusing and contradictory ways that agencies identify and protect sensitive but unclassified information, the sharing of information about possible threats to homeland security has been difficult, the GAO stated.
It seems the problem has only grown worse since then, despite efforts to streamline and simplify the process. Without trying to define what exactly each one of these designations means, here are just 50 of the ways sensitive but unclassified information is carved up.
1. SENSITIVE
2. DO NOT DISSEMINATE
3. SBU-NF
4. SBU/ NOFORN
5. UNLIMITED RIGHTS
6. GOVERNMENT PURPOSE RIGHTS
7. LIMITED RIGHTS
8. RESTRICTED RIGHTS
9. SPECIAL LICENSE RIGHTS
10. PRE-EXISTING MARKINGS
11. COMMERCIAL MARKINGS
12. CLOSE HOLD
13. RSEN
14. PREDECISIONAL PRODUCT
15. SOURCE SELECTION SENSITIVE
16. DEA SENSITIVE (DEAS)
17. SENSITIVE (SENS)
18. COPYRIGHT (DATE) (OWNER)
19. DELIBERATE PROCESS PRIVILEGE
20. RELIDO
21. EYES ONLY
22. BANK SECRECY ACT INFORMATION (BSA)
23. ACQUISITION SENSITIVE
24. ATTORNEY WORK PRODUCT
25. LIMITED ACCESS
26. RESTRICTED ACCESS
27. MEDICAL RECORDS
28. LAN INFRASTRUCTURE
29. IT SECURITY RELATED
30. LAN BACKUP SENSITIVE INFORMATION
31. SOURCE SELECTION INFORMATION
32. TRADE SECRET
33. ATTORNEY CLIENT
34. BUDGETARY INFORMATION
35. PRE-DECISIONAL
36. FOR INTERNAL USE ONLY
37. NOT FOR DISTRIBUTION SAFEGUARDS INFORMATION (SGI)
38. AGENCY INTERNAL USE ONLY (U//AIUO)
39. TRADE SENSITIVE INFORMATION
40. SENSITIVE BUT UNCLASSIFIED (SBU)
41. HEALTH RELATED INFORMATION (EM)
42. NO DISTRIBUTION (NODIS OR ND)
43. LAW ENFORCEMENT SENSITIVE (LES)
44. EXCLUSIVE DISTRIBUTION (EXDIS OR XD)
45. FOR OFFICIAL USE ONLY (FOUO)
46. SENSITIVE STUDENT RECORDS (STR)
47. CONFIDENTIAL BUSINESS INFORMATION (CBI)
48. LIMITED OFFICIAL USE (LOU)
49. LIMITED DISTRIBUTION
50. LIMITED DISTRIBUTION (LIMDIS)