2

I and a few of my fellow employees were asking if it was okay to put FOUO (NSA-issued) documents on SharePoint. The main justification was that it's password protected (which is correct).

But it's a hosted site, so we don't have ultimate control over the server.

Thoughts?

1
  • 2
    Hosted by whom and where? I would think FISMA certification would come into play for that sort of thing?
    – Steve
    Commented Nov 16, 2012 at 3:34

4 Answers

7

Ask your security officer, or your contact/security officer at the NSA (the originator).

(When it comes to handling of classified or FOUO material, you probably should not be following security advice from the Internet anyway...)

Apparently, FOUO often means that it contains personally identifying information that should not be made public. A cynical part of me says that FOUO also seems to be used where disclosure of the information to the public could be embarrassing to some government employee. Either way, FOUO means that the information isn't very sensitive. (If disclosure actually posed a danger to national security, it would be classified Secret or higher, not marked FOUO. The primary purpose of FOUO is to make sure the public doesn't read about it in the newspapers.) Regardless, breaching confidential information or embarrassing a powerful government employee can be a career-limiting move. So, your primary concern should be to your own job security. Think about this from a CYA perspective: what do you need to do, to make sure you won't be blamed if the information gets leaked?

The standard way to CYA is to make it someone else's decision. Find someone else who is responsible for making these decisions, ask them what they want done, document what they told you, and then do what they told you, whatever it is. That way, you can't be blamed: you were just following instructions, it's someone else's fault.

2
  • Agreed, I just wanted to have some opinions/facts before I make the call.
    – Crash893
    Commented Nov 16, 2012 at 2:18
  • 1
    To clarify on "embarrassing to some government employee," the primary purpose of FOUO is for personally identifying information like social security numbers, addresses, and telephone numbers. If someone's using it for any other kind of information, they need retraining in marking documents.
    Commented Jun 18, 2013 at 12:19
2

You can argue that since you can't get to the SharePoint without entering a password, that it is effectively password protected.

NSA used to mark the employee newsletter FOUO and circulate it to employees' families. Very loose control of FOUO. There is precious little regulatory support for FOUO or CUI, and what there is differs greatly between Agencies. Less than a month after the election, the President quashed the effort to reform CUI and nothing has happened since then.

@DW's answer is effectively correct. Check with the information owner and the system owner. Determine what their policies are, because they're probably much more useful and effective than the internet.

1
  • Yes, sometimes we have to log in and use PKI to view the data, but then a week later "they" will email it out in the clear. Very inconsistent.
    – Crash893
    Commented Nov 16, 2012 at 20:40
1

In this case they gave us the clear for SharePoint.

0

FOUO (For Official Use Only) in the United States has a very specific meaning and purpose. Although the designation is widely used in both federal and state agencies, in an information security context the marking is meant to prevent the disclosure of the information under the Freedom of Information Act (FOIA).

There are nine specific exemptions and the first exemption (Exemption 1) is for classified documents, meaning documents which have a National Security Classification issued by an Original Classification Authority. For those Original Classification Authorities, designating a document or other information as FOUO generally protects sensitive but unclassified information.

Exemption 2: "related solely to the internal personnel rules and practices of an agency." Meant to prevent excessive requests about "matter in which the public could not reasonably be expected to have an interest." Ex: sand types used in paper weights.

Exemption 3: Laws which specifically exempt a type or category of information from FOIA.

Exemption 4: "trade secrets and commercial or financial information obtained from a person and privileged or confidential." This is generally information originating from a commercial or individual source which has value to that source. Ex: A secret family recipe for Tiramisu which was recorded while collecting evidence against a mob boss.

Exemption 5: "inter-agency or intra-agency memoranda or letters which would not be available by law to a party other than an agency in litigation with the agency." Ex: No requests of performance evaluations for 'under-performing' managers.

Exemption 6: "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." Ex: The bedwetting habits of FBI informants.

Exemption 7: (A) could reasonably be expected to interfere with enforcement proceedings (B) would deprive a person of a right to a fair trial or an impartial adjudication (C) could reasonably be expected to constitute an unwarranted invasion of personal privacy (D) could reasonably be expected to disclose the identity of a confidential source Ex: What type of sheets FBI informants wet.

Exemption 8: "contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions." Ex: Why Lehman Brothers was too big to fail.

Exemption 9: "geological and geophysical information and data, including maps, concerning oil wells." Ex: Why NASA has so much land in Florida.

References:
