Providing Necessary Security for Sensitive, FOUO, and Similar Publications
Prepared by Fred Antoun
Background
In the post-9/11 world, using one of many agency-created, non-classified designations such as Sensitive, but Unclassified, For Official Use Only (FOUO), Sensitive, Official Use, etc., has created a significant National Security problem, because no attendant preproduction, production, or post-production security requirements were attached to those non-classified designations. A few examples of the types of publications which, if obtained by Al Qaeda or a terrorist organization, could be used to gain significant and even deadly advantage are: training manuals and guidelines for the Transportation Security Agencies’ airport employees; Border Patrol manuals and handbooks; Customs security publications; publications showing the location of various critical infrastructure facilities; and a publication providing methodologies for surveillance of suspected terrorists within the United States. This information should not be readily accessible to the general public and available to our enemies throughout the world.
The Government Publication Security Group set up by Printing Industries of America’s GPIC section was not successful in attempting to resolve the problem two years ago. The Department of Homeland Security felt that it was up to each agency to handle its own requirements. GPO, the gateway through which almost all government publications pass, indicated that it did not have the authority to impose security requirements on materials and publications that the agency had not classified and for which it had not requested specific security measures in the contract or production process. The net result was that nothing happened, and Sensitive and FOUO publications and information got into the public domain, and even appeared for sale on eBay. This problem continues today. [1]
In an attempt to reduce the 80+ non-classified designations established by individual agencies, the Office of the Director for National Intelligence has sent the White House a streamlined list of non-classified designations which it hopes will be mandated as exclusive non-classified designations government-wide (by Executive Order).
The Security Problem
There are simply no standardized security requirements for Sensitive, FOUO, and similarly designated material that should be produced in a secure environment, limiting the leaking or dissemination of the information or publication. Very few agency non-classified publications come to GPO with a request for specific security programs or security requirements, with the notable exception of IRS, Social Security and a few other jobs. This is not someone else’s problem. We in the publishing, printing and optical disk community must accept a role in protecting information, whenever its release into the wrong hands could cause damage or death.
The Solution
As the publishers and disseminators of this information, we can use GPO’s procurement authority and system to promptly adopt optional security requirements that an agency customer can ask to be incorporated into job requirements for Sensitive, FOUO, etc. [2]
Possible Implementation
A committee of interested agencies and the GPO could, utilizing GPO’s expertise in working with agencies to develop and implement security programs, develop two levels of security for Sensitive but not classified, FOUO, and similar documents. These levels of security would be offered to agency customers as a check-block choice on the Jacket and Program print order forms submitted to GPO by the ordering agency. GPO could then set up a system under which it approves vendors for the production of this type of intermediate security work after review of security plans and procedures submitted by the vendor. With a pool of vendors capable and approved to produce work at the required security level, there would be no delay in the production of orders.
These security measures would not, according to the Office of the Director for National Intelligence or the Information Security Oversight Office, require any approval from anyone other than the ordering agency. In other words, once the security requirements are agreed to by the group and published, a simple check mark choosing that security level is all that is required of the ordering customer, since it is not a classification determination or classified security program.
In the event that a publication is slated for printing during the classification process because of a scheduling issue, there is nothing to prevent the agency from requesting production in an approved classified facility, rather than have no or limited security on a publication or information which will or may be classified.
Conclusion
Solving the security problem for Sensitive, but not classified, FOUO, and other similarly designated government publications and information should be a top priority. We should no longer be in a situation where government print contractors and the public question how government publications/information relating to National Security could be produced without security requirements.
1. The lack of security is compounded by the fact that there is no penalty for reproducing or disseminating government publications or information that is not classified or subject to another specific restriction.
2. The White House may consider Sensitive, but non-classified and FOUO production security requirements, but their adoption may be some time away, if ever. If, at some time in the future, uniform nationwide security requirements for sensitive but non-classified type information are promulgated, it would be a simple matter to change the GPO requirements. In the meantime, however, we have the opportunity to address this issue now.