Q-53 Program Monthly Training: Protection of Controlled Unclassified Information Note: All markings contained within this presentation are for training purposes only.


Protection of Controlled Unclassified Information Overview

• Controlled Unclassified Information (CUI) is information that has not been given a security classification but which is withheld from public disclosure such as:

– Private Information

– Export Controlled Information

– Sensitive But Unclassified (SBU)

– For Official Use Only (FOUO)

– Proprietary Proposal Information

– Company Proprietary / Private Information

– Competition Sensitive

– Personally Identifiable Information (PII)

• The loss, theft, or corruption of this information would likely have a serious or detrimental impact on the execution of JBM programs and/or its personnel

• Protection measures may vary depending on the environment in which the information is stored or handled

• Environments are defined as:

– Protected Environment

Area where JBM or Lockheed Martin control access (proximity readers, security officers, etc.) to help ensure that only authorized employees, resident subcontractors, and visitors are permitted entry.

‒ Unprotected Environment

Area where JBM or Lockheed Martin does not control access to building or work area (e.g., applicable remote sites and unprotected areas during business travel such as airplane cabins, coffee shops, etc.).

Protection of Controlled Unclassified Information Protected and Unprotected Environments

• While in unprotected environments individuals must

– Be cognizant of their surroundings while viewing and processing this information

– Take precautions to avoid unauthorized disclosure or loss

Use laptop privacy screens and unclassified coversheets

Encrypt all systems, media, and devices leaving JBM facilities (Tailor to your facility’s policy)

– Any loss should be reported to the Security Department

• While in protected environments individuals must

– Attach unclassified coversheet to material (if available/used)

– Store in unlocked file, desk, office, or briefcase, or obscure from unauthorized viewing as a minimum

Protection of Controlled Unclassified Information Protected and Unprotected Environments (cont.)

• When sending or receiving sensitive unclassified information individuals must

– Implement need-to-know criterion

– Employ available methods of safeguarding data while in transit (i.e., digital signatures, encryption methods, and classified fax machines, first class mail, password protected email attachments, etc.)

• When no longer required, materials containing sensitive unclassified information will be promptly destroyed

– Cross-cut shred or dispose in shredder bins

– Sanitize IT systems

• Information owner may have additional protection requirements that will be addressed on a case-by-case basis

Protection of Controlled Unclassified Information Transmission and Disposition

• Controlled unclassified documents should be marked accordingly:

‒ Bottom labeled appropriately (i.e., “For Official Use Only”)

‒ Outside of the front cover

‒ On each page containing controlled unclassified information

‒ Other material (i.e., slides, photos) will be marked to make recipients aware of the sensitivity

• NOTE: Controlled unclassified material being transmitted outside the DoD or its contractors' facilities requires a statement explaining the marking

‒ “This document contains information EXEMPT FROM MANDATORY DISCLOSURE under the FOIA. Exemptions… (list FOIA exemption being used)… apply”

FOR OFFICIAL USE ONLY

MEMORANDUM

FROM: DS/ISP/APB

TO: INR/EUR

SUBJECT: (U) SECURITY AWARENESS TRAINING

1. (U//FOUO) I think that my Security Office is great and provides awesome support. I don’t know what I would do without them.

2. This is the best security awareness training I have ever received.

3. Other agencies, like the State Department may use “Sensitive But Unclassified” (SBU) to mark CUI.

Protection of Controlled Unclassified Information Unclassified Marking Overview

Protection of Controlled Unclassified Information Personally Identifiable Information (PII)

• Defined as:

– Individual’s first name and last name or first initial and last name used in combination with any one or more of the following data elements:

Social Security Number

Driver’s license number or state-issued identification card number

Financial account number, or credit card number, with or without any required security code, access code, personal information number or password, that would permit access to a financial account

Protection of Controlled Unclassified Information Personally Identifiable Information (PII) (cont.)

• Protection measures:

‒ Maintain a need-to-know principle

‒ Utilize Unclassified protection coversheets and notice labels (if available/used)

When at rest, hand carrying, sending via interoffice mail, or faxing (external mail, only use coversheets)

– Use classified copiers or printers without hard drives, if available

If unavailable, device hard drives must be destroyed or sanitized when no longer used by JBM

‒ Lock in a cabinet, desk, or office, or properly destroy if no longer required

‒ Use proper disposal and destruction methods

Destruction Bags (If used, maintain positive control at all times)

Classified Shredders

Approved unclassified shredder bins

‒ Use data encryption for internal and external transmittal

– Use password protected screensavers (Always lock your system when leaving your work area)

– When possible, whole disk encryption should be implemented on systems containing this information

Protection of Controlled Unclassified Information Export Control

• Export-controlled material

– Must be controlled as sensitive information and marked accordingly to maintain U.S. national security interest

– Cannot be disclosed to or accessed by foreign nationals or representatives of a foreign entity

• U.S. persons employed by Foreign entities are treated as Foreign representatives themselves for the purpose of export compliance

– Approval or a license must be obtained from the Department of State for items controlled by the International Traffic in Arms Regulations (ITAR), or the Department of Commerce for items controlled by the Export Administration Regulations (EAR)

• If the U.S. State Department has not issued an Export License (based on a Technical Assistance Agreement or Manufacturing License Agreement), a violation of ITAR has occurred

– Per the International Traffic in Arms Regulations (ITAR), Technical data in any form that pertains to the U.S. Munitions List (a list of defense-related articles or services) is “export controlled”

• A defense article or service is specifically designed, developed, configured, adapted or modified for a military application and does not have predominant civil applications

• The export of information or material is defined as

– Shipping or transporting technical data or hardware out of the U.S.

– Transferring control or disclosing hardware, technical data, technology, software, electronic data to a foreign person (whether in the U.S. or abroad)

– Providing a Defense Service or Technical Assistance to a Foreign Person

– Providing site visits/tours to Foreign Persons where export controlled technical data is disclosed

• A foreign person is

– Any individual representing or working for a foreign corporation, agency or division of a foreign government and can include

• U.S. Citizens

• U.S. Permanent Residents (e.g., Green Card)

• Foreign Nationals or visitors

• "Protected Individuals" (e.g., Refugee or Asylee)

• ITAR violations can result in

– Hefty fines and/or debarment from international business arrangements and U.S. Government contracts

– Personal criminal liability

– Violation of the JBM Standards of Conduct, which may result in disciplinary action to include suspension, termination and/or criminal prosecution

• Prior to the export of technical data or hardware, contact your local Export Control Officer

Protection of Controlled Unclassified Information Export Control (cont.)

• Trade Show export and security guidance

‒ Foreign citizens attend trade shows and export laws still apply

‒ If you engage in conversation with someone that you expect is not a U.S. person please use the following guidance:

Be alert to overly inquisitive people asking about the type of work you do, business information about your company, or about your personal life

Never provide anyone with more information than is absolutely necessary to accomplish your objectives

Do not share any contractual, classified, Controlled Unclassified Information (CUI) such as For Official Use Only (FOUO), or company proprietary information with anyone who does not have a legitimate need for the information

Information coming to your attention that you believe suggests the existence of, or potential for, espionage, compromise of classified information, or terrorism must be promptly reported to Security

Report any suspected attempts to gain information or other suspicious circumstances to your local Security Department

Protection of Controlled Unclassified Information Export Control (cont.)

• What marketing activities can JBM employees engage in without a license?

‒ Discuss JBM products without providing technology or technical data

‒ Distribute brochures that have been approved for public release

‒ Receive technical data from a foreign customer

‒ Discuss business terms and conditions

‒ Discuss the statement of work, without technical information (yes we can do that, no we cannot do that)

‒ Transfer data that is publicly available (catalog, anything on web site)

‒ Discuss basic information on function or purpose

‒ Provide general system descriptions

‒ Discuss general capabilities

‒ Do not bring any ITAR hardware that has not been pre-approved by the customer and TCO

‒ Be aware of social engineering and remain vigilant

Protection of Controlled Unclassified Information Export Control (cont.)