CONTROLLED UNCLASSIFIED INFORMATION AND
FOREIGN GOVERNMENT INFORMATION
This chapter deals with two different types of information. The first is U.S. controlled unclassified information (CUI). The AECA (reference b), the FOIA (reference g), and Public Law (PL) 98-94 (1983) (reference j) are the primary statutes that provide the legal basis for the control of CUI. The second is foreign government information, both classified and unclassified. The legal basis for control of foreign government classified information and unclassified information provided in confidence is E.O. 12356 (reference i), which is implemented by DoD 5200.1-R (reference oo). This chapter will discuss policies and procedures for handling both types of information.
B. CONTROLLED UNCLASSIFIED INFORMATION
1. In its simplest form, official U.S. Government information can be considered "controlled information;" it belongs to the U.S. Government. Just as the improper use of a company's proprietary information may damage the company that originated it, so too could the improper use of certain categories of government information likely cause damage to the government or its employees. It is for this reason that the Department of Defense has several policies covering the disclosure of official information. DoD Directive 5400.4 (reference qq) governs testimony, prepared statements and other material provided to congressional committees that the Congress might publish. DoD Directive 5405.2 (reference rr) contains policy concerning release of official information in judicial proceedings. DoD Directive 5230.9 (reference ss) contains policies and procedures for the release of information for publication or public release. DoD Directives 5200.21 (reference tt), 5230.24 (reference l), and 5230.25 (reference k) govern the release of DoD technical information. DoD 5400.7-R (reference h) contains the Department of Defense policies and procedures governing FOIA requests. Official information that meets the standards for security classification is classified and protected in compliance with E.O. 12356 and DoD 5200.1-R.
2. The Congress has stated that the U.S. public generally has the right to know what it's government is doing. Therefore, the FOIA requires that government information be made available to the public, unless the information falls within one or more of nine exemption categories described in the Act and the appropriate U.S. Government official determines that it should be withheld from disclosure. The first category is classified information. The FOIA permits the withholding of any information properly and lawfully classified under the provisions of E.O. 12356. The other eight exemption categories deal with unclassified information.
a. Exemption two permits the withholding of information which pertains solely to the internal rules and practices of a government agency. This exemption has a high and low profile. The high profile permits the withholding of a document which, if released, would allow circumvention of an agency rule, policy, or statute, thereby impeding the agency in the conduct of its mission. The low profile permits withholding if there is no public interest in the document, and it would be an administrative burden to process the request.
b. Exemption three permits the withholding of information that a statute specifically exempts from disclosure by terms that permit no discretion on the issue, or in accordance with criteria established by that statute for withholding or referring to particular types of matters to be withheld.
c. The fourth exemption permits withholding information such as trade secrets and commercial and financial information obtained from a company on a privileged or confidential basis which, if released, would result in competitive harm to the company.
d. The fifth category exempts inter- and intra-agency memoranda which are deliberative in nature. This exemption is appropriate for internal documents which are part of the decision making process and contain subjective evaluations, opinions, and recommendations.
e. Exemption six provides for the withholding of information, the release of which could reasonably be expected to constitute a clearly unwarranted invasion of personal privacy of individuals.
f. The seventh exemption permits withholding records or information compiled for law enforcement purposes that could reasonably be expected to interfere with law enforcement proceedings; would deprive a person of the right to a fair trial or impartial adjudication; could reasonably be expected to constitute an unwarranted invasion of personal privacy of others; disclose the identity of a confidential source; disclose investigative techniques, or could reasonably be expected to endanger the life or physical safety of any individual.
g. The eighth exemption permits withholding records or information contained in or relating to examination, operation or condition reports prepared by, on behalf of, or for the use of any agency responsible for the regulation or supervision of financial institutions.
h. The ninth exemption permits withholding records or information containing geological and geophysical information and data (including maps) concerning wells.
3. It is exemption category three of the FOIA, comprising information exempt from public disclosure pursuant to a statute, which is pertinent to the discussion of CUI. The list of statutes that fall within this exemption is at Appendix C.
4. Within the list, it is the first statutory exemption, PL 98-94 that is of primary interest in the context of the export or disclosure of unclassified information in international defense programs.
a. For many years, it has been the policy of the DoD to place distribution statements on documents containing unclassified scientific and technical information which was produced either within DoD or on its behalf by others. Until recent times, however, this policy was only marginally directed toward restricting the disclosure of such information to the public and thus to foreign persons. Moreover, although it was the policy to apply such distribution markings, the practice did not always conform to the policy. The result was that sensitive scientific and technical information occasionally found its way into the public domain -- to include the foreign public.
b. This situation was compounded with the enactment of the FOIA. The FOIA made no provision for exempting unclassified government scientific and technical information from public disclosure, even that information which would be subject to export controls. Although the precise effect of this circumstance on the flow of sensitive U.S. technology overseas is debatable, there can be little doubt that unintended transfers of technology to foreign recipients occurred in this manner.
c. It was not until 1984 that the situation was remedied. Enactment of P.L. 98-94 provided the Secretary of Defense with the authority to withhold from the public critical technologies.
d. To implement PL 98-94, the Department of Defense published DoD Directive 5230.25 and updated the existing DoD Directive 5230.24. The former interprets and amplifies the provisions of the law and establishes procedures both for withholding such information from the public and for allowing dissemination to those persons, inside and outside the U.S. Government, who have a demonstrable need for the information. The latter is a revision and update of the old DoD policy pertaining to the application of distribution statements to unclassified technical documents. A general familiarity with the salient policy and procedural features of these two directives is essential to an overall understanding of the DoD policy governing the control of critical technology.
5. DoD Directive 5230.25, "Withholding Of Unclassified Technical Data From Public Disclosure"
a. DoD Directive 5230.25 applies to all unclassified technical data with military or space application in the possession of, or under the control of, a DoD component which may not be exported lawfully without approval, authorization or license under the EAA (reference d) or the AECA.
b. Critical technology consists of:
(1) Arrays of design and manufacturing know-how (including technical data);
(2) Keystone manufacturing, inspection and test equipment;
(3) Keystone materials; and
(4) Goods accompanied by sophisticated operation, application or maintenance know-how that would make a significant contribution to the military potential of any country or combination of countries and that may prove detrimental to the security of the United States (also referred to as militarily critical technology).
c. Technical data with military or space application is any blueprints, drawings, plans, instructions, computer software and documentation, or other technical information that can be used or be adapted for use to design, engineer, produce, manufacture, operate, repair, overhaul, or reproduce any military or space equipment or technology concerning such equipment.
d. DoD Directive 5230.25 does not govern the release of technical data by DoD Components to foreign governments, international organizations or foreign contractors that are carried out under a U.S. Government international program or a U.S. Government approved export authorization. As discussed in Chapter 2, an export authorization is required for commercial exports of this technical data unless it qualifies for an exemption under the ITAR (reference c) or the EAR (reference v). For commercial exports under the EAR and ITAR, the export authorization should contain the access, use and distribution restrictions that apply to critical technology approved for export to foreign governments or their contractors. A Form DSP-83, Non-transfer and Use Certificate, may also be required for the export of classified articles and technical data under the ITAR. For Government programs, the requirements should be included in the sales contract or agreement. See also Chapter 2, Subsection C.1.a.
e. DoD Directive 5230.25 requires that U.S. contractors be certified with the Defense Logistics Agency (DLA) to obtain export controlled technical data from DoD sources. Since Canadian industry is by law a part of the North American Defense Mobilization Base, they are also eligible for certification and access to most of this information on the same basis as U.S. registered contractors. (See subsection 8., below.)
6. DoD Directive 5230.24, "Distribution Statements On Technical Documents"
a. DoD Directive 5230.24 requires that all DoD Components that generate or are responsible for technical documents determine their distribution availability and mark them appropriately before primary distribution. Managers of technical programs are required to assign appropriate distribution statements to technical documents generated within their programs to control the secondary distribution of those documents. Therefore, technical data with military or space application also must be marked with a prescribed export warning statement, in addition to other markings authorizing or restricting secondary distribution.
b. The importance of applying this export warning statement is illustrated by the following:
(1) Regardless of any other distribution statements on the document, the export warning statement is the only one which has the legal basis (the AECA or EAA) to support an exemption to the FOIA for unclassified technical information.
(2) This is the only statement which puts all holders on clear notice that transfer of such unclassified technical information to foreign recipients without proper U.S. Government authorization is a violation of law.
c. In addition to an export warning statement, or even if one is not applicable, all documents produced by or for the Department of Defense must be marked with a prescribed statement governing distribution if they fall within any of the following categories:
(1) Research, development, test or evaluation (RDT&E).
(2) Engineering, production, or logistics.
(3) Operation, use, or maintenance.
d. These distribution statements range from "approved for public release; distribution is unlimited" to "further dissemination only as directed by the controlling DoD office or higher DoD authority." Appendix D contains the export warning statements and a list of required distribution statements for unclassified technical documents, with supporting rationale for choosing the appropriate one.
7. FOR OFFICIAL USE ONLY Marking. If unclassified information is determined upon review to qualify for an exemption under FOIA exemption categories two through nine, the Department of Defense policy is to mark the data FOR OFFICIAL USE ONLY (FOUO), in addition to any other required distribution or control markings described in DoD Directive 5230.24 or other applicable regulations.
a. DoD policy currently encourages that the FOUO marking be applied when otherwise exempt information is generated. However, all official information must be reviewed before release to the public, including foreign governments and international organizations and their representatives. The release of the information to foreign nationals requires the consent of the originator.
b. FOUO information must be controlled in a manner sufficient to ensure that unauthorized persons do not gain access. Normally it is sufficient to lock the information in a desk drawer, bookcase, filing cabinet or similar container or a locked room to which only authorized persons have access. A FOUO cover sheet should be used to conceal the information when it is not in use and not secured. It must be encrypted when transmitted electronically. Secure voice and telefax equipment are to be used. This requirement may be waived by the originator of the information to be transmitted. However, it should be recalled that authorized access in some cases is subject to criminal penalties. It may be sent via first-class mail or parcel post. It may be destroyed in any manner that would reasonably preclude easy reconstruction of the contents. Appropriate administrative disciplinary action shall be taken against those responsible for unauthorized disclosure. Unauthorized disclosure of FOUO that is protected by the Privacy Act (5 U.S.C. 552A, (reference uu)) may result in civil or criminal sanctions. See DoD 5400.7-R (reference h). Unauthorized disclosures of technical data controlled by the AECA can result in criminal prosecution.
8. U.S.-Canada Joint Certification Program. The Joint Certification Program (JCP) benefits both U.S. and Canadian defense and high technology industries by facilitating their access to unclassified critical technology in the possession or under the control of the U.S. Department of Defense or the Canadian Department of National Defence (DND). Certification under the JCP establishes the eligibility of a U.S. or Canadian contractor to receive technical data governed, in the United States, by DoD Directive 5230.25 and, in Canada, by the Technical Data Control Regulations (TDCR) (reference vv). The U.S./Canada Joint Certification Office (JCO), located at the Defense Logistics Services Center (DLSC), Battle Creek, Michigan, manages the JCP.
a. As a condition of receiving DoD- or DND-controlled technical data, the contractor agrees to use the data only in ways mandated by DoD Directive 5230.25 or the TDCR. The contractor must certify that it needs the technical data to bid or perform on a contract with an agency of the U.S. or Canadian Government, as applicable, or for other legitimate business purposes. Other legitimate business purposes include:
(1) Providing or seeking to provide equipment or technology to a foreign government with the prior approval of the U.S. or Canadian Government, as applicable;
(2) Bidding or preparing to bid on a sale of surplus property;
(3) Selling or producing products for the U.S. or Canadian commercial domestic marketplace, or for the commercial foreign market place, providing that any required export license is obtained from the appropriate U.S. or Canadian licensing authority;
(4) Engaging in scientific research in a professional capacity for either of the two defense establishments; or
(5) Acting as a subcontractor for a concern described in (1) through (4).
b. The contractor also:
(1) Certifies that the person who will receive the data on behalf of the contractor is a U.S. citizen or person lawfully admitted into the United States for permanent residence and is located in the United States.
(2) Acknowledges its responsibilities under U.S. export control laws and regulations and agrees that it will not disseminate any export-controlled technical data subject to this Directive in violation of such laws and regulations.
(3) Agrees that it will not provide unauthorized access to export-controlled technical data subject to DoD Directive 5230.25 to persons other than its employees or persons acting on its behalf.
(4) Certifies to the best of its knowledge and belief that no person employed by it, or acting on its behalf, who will have access to the technical data, who is debarred, suspended, or otherwise ineligible from performing on U.S. Government contracts; or has violated U.S. export control laws or previous certifications under DoD Directive 5230.25.
(5) Certifies it is not debarred, suspended, or otherwise determined ineligible by the U.S. Government to perform on U.S. Government contracts, has not been convicted of violations of export control laws and has not been disqualified under the provisions of DoD Directive 5230.25.
c. The Department of Defense also exempts certified Canadian contractors from the need to obtain approval from DoD for unclassified visits to DoD contractor installations to obtain unclassified militarily critical technical data. Canada's Industrial Security Program procedures also allow for direct contractor-to-contractor arrangements for such visits by U.S. certified contractors. As a result, JCO certified U.S. and Canadian contractors may make visit arrangements involving only unclassified technical data directly with a U.S. or Canadian contractor.
d. This program does not extend to company proprietary technical data that is not controlled by DoD or DND. Therefore, it does not govern the private exchange of industry-generated export-controlled technical data. In these cases contractors must follow the guidelines established in U.S. or Canadian export control regulations, as applicable.
e. The U.S.-Canada Joint Certification Program pamphlet (reference ww) contains additional information, procedures and restrictions. This pamphlet is available from:
U.S./Canada Joint Certification Office (JCO) Defense Logistics Services Center (DLSC)
74 N. Washington Avenue
Battle Creek, Michigan 49017-3084
C. FOREIGN GOVERNMENT INFORMATION
a. Foreign government information is defined by Executive Order 12356 as:
(1) Information provided to the United States by a foreign government or international organization of foreign governments or an element thereof with the expectation, expressed or implied, that the information, its source or both are to be held in confidence; or
(2) Information produced by the United States under an arrangement with a foreign government or international organization of foreign governments or any of their elements, requiring that the information, the arrangement or both be held in confidence.
b. Foreign government information must retain its original classification, or be assigned a U.S. classification designation that will provide protection equivalent to that provided by the furnishing government or organization.
c. E.O. 12356 states that there is a presumption of damage to national security in the event of unauthorized disclosure of foreign government information. Therefore, foreign government unclassified information that is provided in confidence is to be classified at least CONFIDENTIAL but higher whenever the damage criteria for SECRET or TOP SECRET are met. Unclassified foreign government information provided in confidence, must be classified by an
original classification authority. If there is uncertainty concerning whether the information is to be handled "in confidence", the providing government or international organization should be consulted to reach agreement on controls to be applied.
d. When unclassified foreign government "in confidence" information is involved in an international program, program documentation (e.g., the MOU or PSI) should include procedures on handling the information.
a. Foreign government designations for classified information generally parallel U.S. security classification designations. However, some foreign governments have a fourth level of classification, RESTRICTED, for which there is no equivalent U.S. classification. When foreign information is received, it is to be marked with the equivalent U.S. classification and the country of origin in English, unless it is already so marked. Foreign Government RESTRICTED information is to be marked CONFIDENTIAL in addition to the identity of the country of origin. Classified foreign government information and unclassified foreign government information provided in confidence that is marked with a U.S. classification pursuant to DoD 5200.1-R must be transferred through government-to-government channels. Foreign government classification designations and U.S. equivalents are at Appendix E.
b. U.S. documents that contain foreign government information must be marked with a notation that states "THIS DOCUMENT CONTAINS FOREIGN GOVERNMENT INFORMATION." In addition, the portions containing foreign government information must be marked to identify the classification level and country of origin (e.g., UK-C or UK-R). The foreign government document or authority on which the classification is based, in addition to the identification of any U.S. classification authority, must be identified on the "Classified by" line. A continuation sheet should be used for multiple sources, if necessary. The "Declassify on" line will contain "ORIGINATING AGENCY'S DETERMINATION REQUIRED" or "OADR." A U.S. document marked as described herein cannot be downgraded below the highest level of foreign government information contained in the document or be declassified without the written permission of the foreign government or international organization that originated the information.
c. Security clearances issued by the U.S. Government are valid for access to classified foreign government information of a comparable level. Access to foreign government RESTRICTED information requires a U.S. Government CONFIDENTIAL clearance.
d. Foreign government information or material classified TOP SECRET, SECRET, or CONFIDENTIAL must be stored in the manner required for U.S. information of the same level by DoD 5200.1-R and the NISPOM (reference aa). Foreign government information or material classified RESTRICTED must be stored in the same manner as U.S. CONFIDENTIAL information. To avoid inadvertent compromise, foreign government classified material must be stored in a manner that will avoid commingling with other material. For small volumes of material, separate files in the same vault, container, or drawer will suffice.
e. Holders of foreign government information classified TOP SECRET, SECRET or CONFIDENTIAL must establish procedures to account for this material in a manner such that it can be located at all times. They must ensure that access is limited to only those persons who require access for the purpose for which the information was furnished by the providing government.
f. Foreign government information can not be disclosed to nationals of third countries, including intending citizens, or to any other third party, or used for other than the purpose for which the foreign government provided it without the originating government's written consent. Government agencies must submit requests for other uses or further disclosure to the originating government. Contractors will submit their requests through the contracting U.S. Government agency for U.S. contracts and the Cognizant Security Office (CSO) for direct commercial contracts.
g. The ITAR requires a license for the commercial export or reexport of foreign government information unless the information is exported to the original source of import.
h. The transmission of foreign government information within the United States among U.S. Government agencies and U.S. contractors and between U.S. contractors with a need to know, must be in accordance with DoD 5200.1-R and the NISPOM.
i. The international transfer of foreign government classified information must be through government-to-government channels in compliance with Chapter 6 of this handbook.