Parent Policy: Controlled and Prohibited Information Categories
Document #: 10.08.001.002

Berkeley Lab does not generally generate Official Use Only (OUO) materials, subject only to the approved exceptions below. However, in the course of work, employees in operations (and occasionally researchers) may receive materials marked OUO from colleagues across the Department of Energy. This document provides requirements to adequately manage and protect this data.

Guidance for Bay Area Site Office staff on transmitting limited OUO to LBL is available here.

Step 1: Avoid using or creating OUO

The best way to protect OUO data is to avoid it. If you receive something marked OUO, it may be related to work that is prohibited at Berkeley Lab. If it is within your work scope, you need to make sure the nature of the information is allowed at Berkeley Lab. Occasionally, collaborators at other institutions will mark material as OUO even when it does not require this designation. Encourage collaborators at other institutions not to use this designation for collaborative research projects or operational purposes. If this fails or if your work needs require it, protect OUO as described below.

Most information at Berkeley Lab is not OUO and should not be labeled as such. Since OUO information requires additional marking and tracking, it is best to avoid creating it unless absolutely necessary. Ask yourself these questions before creating OUO:

  1. Is the OUO essential?

    1. Would the purpose of a document be significantly altered without the OUO information?

  2. Could you reference the OUO instead of including the OUO in your document?

    1. e.g. Referring the reader to the DOE Sensitive Country List instead of including the actual list in your document.

  3. Could you substitute non-OUO information?

    1. e.g. using a fictitious country name instead of a real country name in examples.

Step 2: Protect OUO if business needs require that you receive it

  1. When possible, encrypt electronic OUO materials during transit and storage.

  2. For physical storage, use locked storage, including locked rooms, where feasible.

  3. Do not share OUO with other Berkeley Lab employees unless there is a business need to do so.

    1. If you use LBNL inter-office mail, mark "To be opened by addressee only."

  4. Ensure that any electronic versions restrict access to authorized users, e.g. using passwords, authentication, or file access controls.

  5. Do not remove OUO markings if you are not the author of the OUO.

  6. Store OUO separately from non-OUO documents where possible.

  7. Do not submit OUO to the Laboratory Publication System.

  8. Delete or destroy OUO materials when the need for the information is complete. For paper copies, a shredder should be used.

OUO at Berkeley Lab

OUO information can either be received by Berkeley Lab staff or, very occasionally and in defined circumstances, be created by Berkeley staff.

Berkeley Lab staff, however, must not receive or generate information that rises above the level of FIPS 199 Low/Low/Low regardless of whether or not it is marked as or is considered to be OUO.

At Berkeley Lab, IT Division (through the IT Policy Coordinator) has the sole authority to designate a document or class of documents as OUO. Functional/Information owners are responsible for identifying new categories/documents that they believe are OUO and seeking the designation from IT Policy ([email protected]) prior to designating or marking it as OUO.   

Marking of documents outside the approved categories is a violation of UC and Berkeley Lab policy.

Generating OUO

Scenario: External parties share OUO information with LBL employee (Refer to Step 1 above).

Operations:

  • Prohibited except for categories in column 1 of the Table below.

  • Exceptions must be requested from [email protected].

Science:

  • Strongly discouraged because of the implication that LBL is not working on fundamental research.

  • Occasional receipt of an OUO document is permitted only if the researcher has an understood and approved narrow use case.

  • Persistent receipt of documents marked OUO requires a consultation with Laboratory Counsel and IT Policy.

Scenario: DOE sends a form or request for information and asks that the information be marked as OUO (e.g. “please fill out this form and mark it OUO”)

Operations:

  • Acceptable if the information falls within the categories in column 1 of the Table below.

  • Exceptions must be requested from [email protected].

Science:

  • Prohibited except for the situation in which an individual transmits their own personal PII or related to a known temporary instance described above.

Scenario: LBL creates a document and marks it as OUO.

Operations:

  • See below.

Science:

  • Prohibited without an identified exception from Laboratory Counsel and [email protected].

Scenario: Other

  • Prohibited without an identified exception from Laboratory Counsel and [email protected].

Categories of information that may contain items designated as OUO

Column 1 of the following table lists general categories of information that Berkeley Lab has identified as having the potential to be marked as OUO or as being received by Berkeley Lab already designated as OUO. Not all information that falls under the general categories is OUO. Only a small subset of documents and information in each category will actually be OUO. The general categories in column 1 cover not only information in documents but also information that will be used for forms.

Column 2 of the table lists the specific categories and names of documents that may be considered to be marked as OUO by Berkeley Lab staff. Not all documents and information in these specific categories must be marked as OUO.

Column 1: General Categories of Information

Berkeley Lab staff may occasionally receive documents and information in these general categories; however, most documents and forms created within these general categories by Berkeley Lab staff will NOT be OUO.

Column 2: Specific Categories or Names of Documents

Only documents and information in these specific categories may be considered to be marked as OUO by Berkeley Lab staff.

Personnel Radiation Exposure Records

  • Individually identifiable dosimetry records transmitted by Berkeley Lab to DOE under the Privacy Act.

Occupational and Industrial Accidents

  • No known documents generated by Berkeley Lab fall in this category.  

Access Control Records of International Visits, Assignments and Employment at DOE Facilities and Contractor Sites

  • Detailed access authorizations and reviews for Foreign Nationals from T4 countries (i.e. T4 “packets”)

Radio frequency assignments.

  • Specific information regarding emergency and law enforcement radio frequencies allocated by the FCC as guided by DOE and the FCC.

Information related to physical security posture of site

  • Identified appendices to Site Security Plan with specific information about discrete security protections.

  • Specific Information related to special security concerns (e.g. security planning for special events and VIP visits)

  • Specific security information about specialized controls for security areas when shared with DOE.

  • Results of official investigations when transmitted to DOE, unless the results already have a pertinent marking (e.g. “Law Enforcement Only”)

Information related to the information security or cyber security posture of site.

  • Specific and detailed information about the operation and settings of cyber security systems which could reasonably allow an attacker to bypass or disable these systems.

  • Cyber security Incident Reports when transmitted to DOE.

Biological Use Agreements that involve animals

  • No documents approved to be marked as OUO in this category.

Information regarding highly regulated types of property.

  • Specific information on precious metal inventories and locations transmitted to DOE.

  • Specific information on controlled substance inventories and locations, such as narcotics, when transmitted to DOE.

Predecisional or pre-publication R&D information shared with Berkeley Lab researchers in an advisory capacity (for example, because they are on a program review committee) - this area does not include research conducted by LBL.

  • No documents approved for creation in this category.   

Contact [email protected] if you believe your information is OUO yet does not fall into one of the approved categories. IT Policy approval is required for any additions or changes to this table.

Identifying new categories of OUO

OUO information consists of agency records that have been marked OUO by their author and meet the following two criteria:

  1. Have the potential to damage governmental, commercial, or private interests if disseminated to persons who do not need the information to perform their jobs or other DOE-authorized activities.

  2. Fall under at least one of eight Freedom of Information Act (FOIA) exemptions (exemptions 2 through 9).

Note: Information is not automatically considered OUO if it meets these two criteria. The author has the discretion not to mark information as OUO; however, information that does not meet these two criteria must not be marked as OUO.

In practice, OUO information generated by Berkeley Lab must:

  1. Be an agency record as defined by Freedom of Information Act (FOIA), implying US government ownership,

  2. Fall under a FOIA exemption,

  3. Meet the notion of “creating potential damage” if shared for non-DOE activities,

  4. Fall within one of the categories listed in this document, and

  5. Be designated OUO by its author.

Marking OUO

IT Division (through the IT Policy Coordinator) has the sole authority to designate a document or class of documents as OUO. Functional/Information owners are responsible for identifying new categories/documents that they believe are OUO and seeking the designation from IT Policy prior to designating or marking it as OUO.   

Marking of documents outside the approved categories is a violation of UC and LBL policy.

  • Do not mark information as OUO when it is not OUO. When in doubt, ask.

  • OUO information does not need to be marked if others (aside from system administrators) do not have access to it.

  • Mark information as OUO only when it is being transmitted or delivered to another individual, e.g. email, fax, mail.

Contact [email protected] for questions about properly marking OUO.

Documents

  1. The words “OFFICIAL USE ONLY” or “OUO” must:

    1. Be at the bottom of every page, or

    2. Be only at the bottom of pages containing OUO information.

  2. The first page of an OUO document must have the following text block:

OFFICIAL USE ONLY May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), exemption number and category: ___________________

Department of Energy review required before public release.

Name/Org: ________________________________________          Date: ____________

Guidance (if applicable):____________________________________________________

Exemption numbers and categories

The only FOIA exemption numbers and categories are:

  • Exemption 3: Statutory Exemption
  • Exemption 4: Commercial / Proprietary

  • Exemption 5: Privileged Information

  • Exemption 6: Personal Privacy

  • Exemption 7: Law Enforcement

  • Exemption 9: Wells

If the OUO does not fit into one of these categories, it is most likely not OUO and must not be marked as OUO.

Name/Org

Name is the document author’s name, not the name of the document or of the OUO information.

Guidance

Mark this field N/A unless there is DOE program-specific OUO guidance specifically declaring this information to be OUO.

Example

OFFICIAL USE ONLY May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), exemption number and category: 3 - Statutory Exemption

Department of Energy review required before public release.

Name/Org: Ernest Orlando Lawrence / LBNL          Date: August 8, 2015

Guidance (if applicable): N/A

E-mail

Sending OUO via email is not prohibited, but it is not recommended. One can quickly lose track of OUO in emails due to forwards, cc’s and replies.

If OUO is sent via email, then the following are required:

  1. The first line of an e-mail message must contain the abbreviation "OUO."
    1. Do not cite FOIA exemption number or name, or DOE guidance.

  2. If the e-mail does not contain OUO, but an attachment contains OUO, the message must indicate which attachment is OUO.

  3. Attachments that contain OUO must be marked as OUO.


If at all possible, encrypt the attachment itself with a password which is communicated separately.

Mail

  1. Use only opaque envelopes.
  2. Seal the envelope.

  3. Write "To be opened by addressee only." on envelopes containing OUO.

  4. Scratch out this marking or destroy the envelope if it no longer contains OUO.

  5. Include a return address if OUO is being sent externally.

Faxing

The cover page must state:

Document(s) transmitted contain(s) OUO information.

Google Drive

Certain types of OUO may be stored in Google Drive when the Drive is configured to specific security settings. Before storing OUO in Drive, request help from [email protected]

Removing OUO markings

The following individuals may remove OUO markings from an OUO document:

  1. Author

  2. Author’s supervisor

  3. FOIA Authorizing Official

To remove OUO markings, one must:

  1. Cross out the OUO front page marking, page markings, and any supplemental markings, and

  2. Replace the front page marking with the following text box.

DOES NOT CONTAIN

OFFICIAL USE ONLY INFORMATION

Name/Org: ______________________                              Date: ______________

Related Documents

Contact

Contact [email protected] for more information about OUO.

Policy Implementing Document

This document helps implement a Laboratory policy in the Requirements and Policies Manual.

Feedback

Send feedback to [email protected].
