Parent Policy: Controlled and Prohibited Information Categories
Document #: 10.08.001.002
Berkeley Lab does not generally generate Official Use Only (OUO) materials, subject only to the approved exceptions below. However, in the course of work, employees in operations (and occasionally researchers) may receive materials marked OUO from colleagues across the Department of Energy. This document provides requirements to adequately manage and protect this data.
Step 1: Avoid using or creating OUO
The best way to protect OUO data is to avoid it. If you receive something marked OUO, it may be related to work that is prohibited at Berkeley Lab. If it is within your work scope, you need to make sure the nature of the information is allowed at Berkeley Lab. Occasionally, collaborators at other institutions will mark material as OUO even when it does not require this designation. Encourage collaborators at other institutions not to use this designation for collaborative research projects or operational purposes. If this fails or if your work needs require it, protect OUO as described below.
Most information at Berkeley Lab is not OUO and should not be labeled as such. Since OUO information requires additional marking and tracking, it is best to avoid creating it unless absolutely necessary. Ask yourself these questions before creating OUO:
Is the OUO essential?
Would the purpose of a document be significantly altered without the OUO information?
Could you reference the OUO instead of including the OUO in your document?
e.g. Referring the reader to the DOE Sensitive Country List instead of including the actual list in your document.
Could you substitute non-OUO information?
e.g. Using a fictitious country name instead of a real country name in examples.
Step 2: Protect OUO if business needs require that you receive it
When possible, encrypt electronic OUO materials during transit and storage.
For physical storage, use locked storage, including locked rooms, where feasible.
Do not share OUO with other Berkeley Lab employees unless there is a business need to do so.
If you use LBNL inter-office mail, mark "To be opened by addressee only."
Ensure that any electronic versions restrict access to authorized users, e.g. using passwords, authentication, or file access controls.
Do not remove OUO markings if you are not the author of the OUO.
Store OUO separately from non-OUO documents where possible.
Do not submit OUO to the Laboratory Publication System.
Delete or destroy OUO materials when the need for the information is complete. For paper copies, a shredder should be used.
OUO at Berkeley Lab
OUO information can either be received by Berkeley Lab staff or, very occasionally and in defined circumstances, be created by Berkeley staff.
Berkeley Lab staff, however, must not receive or generate information that rises above the level of FIPS 199 Low/Low/Low regardless of whether or not it is marked as or is considered to be OUO.
At Berkeley Lab, IT Division (through the IT Policy Coordinator) has the sole authority to designate a document or class of documents as OUO. Functional/Information owners are responsible for identifying new categories/documents that they believe are OUO and seeking the designation from IT Policy (firstname.lastname@example.org) prior to designating or marking it as OUO.
Marking of documents outside the approved categories is a violation of UC and Berkeley Lab policy.
External parties share OUO information with an LBL employee (refer to Step 1 above).
Strongly discouraged because of the implication that LBL is not working on fundamental research.
Occasional receipt of an OUO document is permitted only if the researcher has an understood and approved narrow use case.
DOE sends a form or request for information and asks that the information be marked as OUO (e.g. “please fill out this form and mark it OUO”)
LBL creates a document and marks it as OUO.
Categories of information that may contain items designated as OUO
Column 1 of the following table lists general categories of information that Berkeley Lab has identified as having the potential to be marked as OUO or as being received by Berkeley Lab already designated as OUO. Not all information that falls under the general categories is OUO. Only a small subset of documents and information in each category will actually be OUO. The general categories in column 1 cover not only information in documents but also information that will be used for forms.
Column 2 of the table lists the specific categories and names of documents that may be considered to be marked as OUO by Berkeley Lab staff. Not all documents and information in these specific categories must be marked as OUO.
General Categories of Information
Berkeley Lab staff may occasionally receive documents and information in these general categories; however, most documents and forms created within these general categories by Berkeley Lab staff will NOT be OUO.
Specific Categories or Names of Documents
Only documents and information in these specific categories may be considered to be marked as OUO by Berkeley Lab staff.
Personnel Radiation Exposure Records
Occupational and Industrial Accidents
Access Control Records of International Visits, Assignments and Employment at DOE Facilities and Contractor Sites
Radio frequency assignments.
Information related to physical security posture of site
Specific Information related to special security concerns (e.g. security planning for special events and VIP visits)
Specific security information about specialized controls for security areas when shared with DOE.
Results of official investigations when transmitted to DOE, unless the results already have a pertinent marking (e.g. “Law Enforcement Only”)
Information related to the information security or cyber security posture of site.
Specific and detailed information about the operation and settings of cyber security systems which could reasonably allow an attacker to bypass or disable these systems.
Cyber security Incident Reports when transmitted to DOE.
Biological Use Agreements that involve animals
Information regarding highly regulated types of property.
Specific information on precious metal inventories and locations transmitted to DOE.
Specific information on controlled substance inventories and locations, such as narcotics, when transmitted to DOE.
Predecisional or pre-publication R&D information shared with Berkeley Lab researchers in an advisory capacity (for example, because they are on a program review committee) - this area does not include research conducted by LBL.
Contact email@example.com if you believe your information is OUO yet does not fall into one of the approved categories. IT Policy approval is required for any additions or changes to this table.
Identifying new categories of OUO
OUO information consists of agency records that have been marked OUO by their author and meet the following two criteria:
Have the potential to damage governmental, commercial, or private interests if disseminated to persons who do not need the information to perform their jobs or other DOE-authorized activities.
Fall under at least one of eight Freedom of Information Act (FOIA) exemptions (exemptions 2 through 9).
Note: Information is not automatically considered OUO if it meets these two criteria. The author has the discretion to not mark information as OUO; however, information that does not meet these two criteria must not be marked as OUO.
In practice, OUO information generated by Berkeley Lab must:
Be an agency record as defined by the Freedom of Information Act (FOIA), implying US government ownership,
Fall under a FOIA exemption,
Meet the notion of “creating potential damage” if shared for non-DOE activities,
Fall within one of the categories listed in this document, and
Be designated OUO by its author.
IT Division (through the IT Policy Coordinator) has the sole authority to designate a document or class of documents as OUO. Functional/Information owners are responsible for identifying new categories/documents that they believe are OUO and seeking the designation from IT Policy prior to designating or marking it as OUO.
Marking of documents outside the approved categories is a violation of UC and LBL policy.
Do not mark information as OUO when it is not OUO. When in doubt, ask.
OUO information does not need to be marked if others (aside from system administrators) do not have access to it.
Mark information as OUO only when it is being transmitted or delivered to another individual, e.g. email, fax, mail.
Contact firstname.lastname@example.org for questions about properly marking OUO.
The words “OFFICIAL USE ONLY” or “OUO” must:
Be at the bottom of every page, or
Be only at the bottom of pages containing OUO information.
The first page of an OUO document must have the following text block:
OFFICIAL USE ONLY May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), exemption number and category: ___________________
Department of Energy review required before public release.
Name/Org: ________________________________________ Date: ____________
Guidance (if applicable):____________________________________________________
Exemption numbers and categories
The only FOIA exemption numbers and categories are:
- Exemption 3: Statutory Exemption
- Exemption 4: Commercial / Proprietary
- Exemption 5: Privileged Information
- Exemption 6: Personal Privacy
- Exemption 7: Law Enforcement
- Exemption 9: Wells
If the OUO does not fit into one of these categories, it is most likely not OUO and must not be marked as OUO.
Name is the document author’s name, not the name of the document or of the OUO information.
Mark this field N/A unless there is DOE program-specific OUO guidance specifically declaring this information to be OUO.
OFFICIAL USE ONLY May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), exemption number and category: 3 - Statutory Exemption
Department of Energy review required before public release.
Name/Org: Ernest Orlando Lawrence / LBNL Date: August 8, 2015
Guidance (if applicable): N/A
Sending OUO via email is not prohibited, but it is not recommended. One can quickly lose track of OUO in emails due to forwards, cc’s and replies.
If OUO is sent via email, then the following are required:
- The first line of an e-mail message must contain the abbreviation "OUO."
- Do not cite FOIA exemption number or name, or DOE guidance.
- If the e-mail does not contain OUO, but an attachment contains OUO, the message must indicate which attachment is OUO.
- Attachments that contain OUO must be marked as OUO.
- Use only opaque envelopes.
- Seal the envelope.
- Write "To be opened by addressee only." on envelopes containing OUO.
- Scratch out this marking or destroy the envelope if it no longer contains OUO.
- Include a return address if OUO is being sent externally.
The cover page must state:
Document(s) transmitted contain(s) OUO information.
Removing OUO markings
The following individuals may remove OUO markings from an OUO document:
FOIA Authorizing Official
To remove OUO markings, one must:
Cross out OUO front, page, and any supplemental markings, and
Replace the front page marking with the following text box.
DOES NOT CONTAIN
OFFICIAL USE ONLY INFORMATION
Name/Org: ______________________ Date: ______________
Contact email@example.com for more information about OUO.