Nancy Flynn, Founder and Executive Director, The ePolicy Institute™
Federal agencies are obligated to protect the privacy of the public and the integrity of government information. To that end, best practices call for the establishment of a Sensitive & Classified Information Policy, governing the acquisition, use, disclosure, retention, and deletion of individual and government information. Policy should apply to hard-copy documents, verbal conversations, and electronic communications conducted via government-provided and personally owned systems, sites, accounts, and devices. Failure to manage sensitive and classified information lawfully could spark unauthorized access to government records, congressional hearings, Freedom of Information Act (FOIA) lawsuits, and an erosion of public confidence.
Comply with Myriad Federal Laws & Regulations
When it comes to information management, federal agencies must adhere, foremost, to the Federal Records Act (FRA), which is overseen by the National Archives and Records Administration (NARA). FRA requires agency heads to supervise records management. NARA assigns agency records officers (AROs) the task of incorporating policies and procedures into records management programs. Agency heads and AROs should work together to ensure full compliance with the Privacy Act of 1974, the Federal Information Security Management Act (FISMA), the standards and guidelines published by the National Institute of Standards and Technology (NIST) that FISMA requires agencies to follow, and other laws and regulations impacting sensitive and classified information, as well as other government records.
Six Types of Sensitive & Classified Information
Federal agencies and employees are required to recognize and protect six types of sensitive and classified information:
- Personally identifiable information (PII).
- Confidential classified information.
- Secret classified information.
- Top secret classified information.
- Controlled unclassified information (CUI).
- CUI categorized as sensitive personally identifiable information (SPII).
Three Policies Support Sensitive & Classified Information
- Sensitive & Classified Information Policy.
- Data Breach Notification Policy.
- Controlled unclassified information (CUI) Policy.
Shield Classified Information with Sensitive & Classified Information Policy
The U.S. government uses three levels of classification to designate how sensitive a piece of information is. Sensitivity levels are based on how much damage to national security could reasonably be expected if the information were disclosed without authorization. The government’s three levels of classified information are confidential (C), for information whose unauthorized disclosure could cause damage; secret (S), for serious damage; and top secret (TS), for exceptionally grave damage. Federal agencies are obligated to mark classified information with its level, using the full classification on banner lines and the abbreviations C, S, or TS in portion markings. Employees are required to guard against unauthorized disclosure of sensitive and classified material by complying with Sensitive & Classified Information Policy and participating in mandatory policy training.
Safeguard PII with Data Breach Notification Policy
Personally identifiable information (PII) is any information about an individual that can be used to distinguish or trace that person’s identity, either on its own or combined with other information. PII includes names, phone numbers, Social Security numbers (SSNs), and other personal information that could inflict harm if it fell into the wrong hands. Because the government is expected to shield information entrusted to it by the American people, the law requires government agencies to protect PII from data breaches and theft. Specifically, the privacy and security of individuals’ data is governed by the federal Privacy Act of 1974, FISMA, and data breach notification laws in all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. To help ensure the safety of PII, federal agencies must establish a Data Breach Notification Policy and a Rules & Consequences Policy for employees handling PII. Mandatory PII training is also required.
Protect SPII with Controlled Unclassified Information (CUI) Policy
Sensitive personally identifiable information (SPII) is a subset of PII that falls into the controlled unclassified information (CUI) category. SPII is information that could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual if lost, compromised, or disclosed without authorization. SPII includes any grouping of information containing an individual’s name or other unique identifier plus one or more of the following: truncated SSN (last four digits only); date of birth; citizenship or immigration status; ethnic or religious affiliation; sexual orientation; criminal history; medical information; or system authentication information (mother’s maiden name, account passwords, personal identification numbers). To protect SPII, federal agencies must: (1) establish a CUI Policy; (2) appoint a senior agency official (SAO) for CUI; and (3) conduct CUI training.
Adopt the 3Es of Sensitive & Classified Information Management
To help protect the privacy of the public and the integrity of government information, federal agencies should adopt the 3Es of sensitive and classified information management:
- Establish best-practices-based policies and procedures, including a Sensitive & Classified Information Policy; a Data Breach Notification Policy; a Rules & Consequences Policy for employees handling PII; a CUI Policy; and a Record Retention Policy.
- Educate employees about privacy risks, government rules, and individual roles. Adhere to the government’s mandatory training requirements for employees handling sensitive and classified information, PII, and CUI. Structure training to ensure each type of information is handled in compliance with federal guidelines and agency policies.
- Enforce policies through a combination of disciplinary action, workforce training, and best-in-class technology solutions designed to manage content, use, and records.
Nancy Flynn is the founder of The ePolicy Institute, the world’s leading electronic policy writing and training firm. Trusted for her knowledge and integrity, Nancy Flynn is a go-to media source who serves as an expert witness in policy-related litigation. Visit ePolicyInstitute.com to learn more.