By using this website you allow us to place cookies on your computer. Please read our Privacy Policy for more details.

"Sensitive But Unclassified" Information and Other Controls: Policy and Options for Scientific and Technical Information

View Publication


 

Publication Date: December 2006

Publisher: Library of Congress. Congressional Research Service

Author(s):

Research Area: Media, telecommunications, and information

Type:

Abstract:

Providing access to scientific and technical information (S&T) for legitimate uses while protecting it from potential terrorists poses difficult policy choices. Federally funded, extramural academic research is to be "classified" if it poses a security threat; otherwise, it is to be "unrestricted." Since the September 11, 2001 terrorist attacks, controls increasingly have been placed on some unclassified research and S&T information, including that used to inform decision making and citizen oversight. These controls include "sensitive but unclassified" (SBU) labels; restrictive contract clauses; visa controls; controlled laboratories; and wider legal restrictions on access to some federal biological, transportation, critical infrastructure, geospatial, environmental impact, and nuclear information. Some professional groups have supported voluntary controls on the conduct or publication of sensitive research. Federal agencies do not have uniform definitions of SBU or consistent policies to safeguard or release it, raising questions about how to identify SBU information, especially S&T information; how to keep it from terrorists, while allowing access for those who need to use it; and how to develop uniform nondisclosure policies and penalties. On December 16, 2005, President Bush instructed federal agencies to standardize procedures to designate, mark, and handle SBU information, and to forward recommendations for government-wide standards to the Director of National Intelligence (DNI). The Information Sharing Environment Implementation Plan, sent to Congress in November 2006, reports that final action will occur during the lst quarter of CY2006.

Following the 2001 terrorist attacks, the Bush Administration issued guidance that reversed the Clinton Administration's "presumption of disclosure" approach to releasing information under Freedom of Information Act (FOIA) and cautioned agencies to consider withholding SBU information if there was a "sound legal basis" to do so. Some agencies contend that SBU information is exempt from disclosure under FOIA, even though such information per se is not exempt under FOIA. The 2002 enactment of the Federal Information Security Management Act (FISMA) rendered moot the definition of SBU that some agencies had used since the passage of the Computer Security Act of 1987, which identified sensitive information by content. FISMA requires agencies to categorize the criticality and sensitivity of all information according to the security control objectives of confidentiality, integrity, and availability across a range of risk levels and to use safeguards based on risk of release. Many federal agencies have not yet fully implemented these new procedures. During the 109th Congress, P.L. 109-90 and P.L. 109-295 focused on management, oversight, and appropriate use of the sensitive security information (SSI) category. Legislative proposals focused on standardizing concepts of "sensitive" information; modifying penalties for disclosure; and clarifying FOIA. During the 110th Congress, additional topics likely to be controversial include limiting the number of persons who can designate SBU; widening the use of risk-based approaches to control; centralizing review, handling, and appeals; and evaluating the impact of federal policies on nongovernmental professional groups' prepublication review and selfpolicing of sensitive research. This report will be updated as necessary.