Information systems are certified and accreditated by the officer of authorization to operate under the approved Security Mode of Operation, which determines the baseline controls. There are four types of security modes:
Classification Levels and Categories
In the environment of mandatory access control (MAC), data can be classified into different hierarchical levels (Confidential, Secret, and Top Secret) and non-hierarchical categories in terms of sensitivity.
What is Formal Access Approval?
- Users must have the clearance/authorization and need-to-know (per official duties) to get access to a certain level of classified data.
- However, they must have formal access approval to access the categorized (compartmented) data.
- A category is “a grouping of classified or sensitive (but) unclassified information to which an additional restrictive label is applied for signifying that personnel are granted access to the information only if they have formal access approval or other applicable authorization (e.g., proprietary information, for official use only, compartmented information).” (DODD 5200.28, March 21, 1988)
- Sensitive compartmented information (SCI), special access program (SAP) information, or other compartment information is a special category.
Sensitive But Unclassified (SBU)
Sensitive But Unclassified (SBU) is a designation of information in the United States federal government that, though unclassified, often requires strict controls over its distribution. SBU is a broad category of information that includes material covered by such designations as:
- For Official Use Only (FOUO),
- Law Enforcement Sensitive (LES),
- Sensitive Homeland Security Information,
- Sensitive Security Information (SSI),
- Critical Infrastructure Information (CII), etc.
It also includes Internal Revenue Service materials like individual tax records, systems information, and enforcement procedures. Some categories of SBU information have authority in statute or regulation (e.g. SSI, CII) while others, including FOUO, do not.
Sensitive Compartmented Information (SCI)
Sensitive compartmented information (SCI) is a type of United States classified information concerning or derived from sensitive intelligence sources, methods, or analytical processes. All SCI must be handled within formal access control systems established by the Director of National Intelligence.
SCI is not a classification. SCI clearance has sometimes been called “above Top Secret,” but information at any classification level may exist within an SCI control system. When “decompartmentalized” this information is treated the same as collateral information at the same classification level.
Special Access Programs (SAPs)
Special Access Programs (SAPs) in the U.S. Federal Government are security protocols that provide highly classified information with safeguards and access restrictions that exceed those for regular (collateral) classified information. SAPs can range from black projects to routine but especially-sensitive operations, such as COMSEC maintenance or Presidential transportation support. In addition to collateral controls, a SAP may impose more stringent investigative or adjudicative requirements, specialized nondisclosure agreements, special terminology or markings, exclusion from standard contract investigations (carve-outs), and centralized billet systems. Within the Department of Defense, SAP is better known as “SAR” by the mandatory Special Access Required (SAR) markings.