? on U / FOUO

[RedFox24]

OK here is my question presented to the best of my ability to express such.

I have had/taken/passed the CAP on line U / FOUO training a long time ago so it escapes me now exactly whom wrote/sponsored/authored/endorsed the training.  Other than CAP radio stuff and information passed with the base for encampment planning purposes I have never come upon anything that was U / FOUO so my question that follows has never been a concern.   

Was that training a CAP training or was that a US Government training?  As in does my CAP FOUO count/require/duplicate/imply U / FOUO for any other US Government agency using FOUO?

So lets say that:  You are given a document that is clearly marked U / FOUO by a person who is 1)  not in or affiliated with CAP/USAF or any military branch  2)  has nothing to do with CAP/USAF missions or such 3)  have no idea you have U / FOUO training and 4) you have no idea that they have had the training. 

What is your responsibility or obligation under your CAP FOUO training at this point? 

Just curious...............

[cnitas]

 
I suppose it depends on the nature of what in in the document. 

Is it is a cadet training plan for next weekend, or is it a manual on us warfighting tactics?

Unclassified means unclassified.  If the information is unrelated to you, your squadron, or your business, just throw it away.

[RiverAux]

I'm beginning to see that printed on CAP documents as a matter of routine.

The training was CAP training and not relevant to anyone else. 

[es_g0d]

Only things that should be FOUO should be marked as such.  Marking everything to that level just makes it painful in the long run.

Other examples of information that is FOUO are social security numbers.  They're not classified, but if you have a roster with that number on it then you need to protect that information for (hopefully) obvious reasons. 

I think a reasonable litmus test might be, "would you want this information posted on a website?"  If that's ok, then don't bother making it FOUO. 

Thankfully, we deal with precious little FOUO in CAP.

[MikeD]

Other federal agencies define FOUO as SBU (Sensitive but Unclassified) and it's a PITA...  Data needs to be encrypted at all times, you need to like set up the printer so that there's a long enough delay for you to get to the printer before it prints, kept in a locked door in a locked room, etc.

[Short Field]

You just hit a personal pet peeve of mine.   IMHO, the CAP OPSEC training did not do a good job of explaining FOUO and Critical Information and just confuses the issue.  It lumps a lot of stuff together without giving a clear description of each type of information.  It does not make a clear distinction between Critical Information and FOUO.  To the best of my understanding (and review of the OPSEC briefing slides and video), FOUO is used for (1) CAP radio frequencies, (2) some CAP missions, and (3) non-classified but sensitive DoD information.  As examples, the briefing specifically identifies CAP radio frequencies and exercise/operational plans.   IIRC, a older version of the briefing identified the missions/exercises as being with the USAF, not your monthly SAREX.

Pay attention to where the briefing lists what publicly accessible web sites will NOT contain.  The list includes FOUO information, Sensitive Information, Plans, Planned Deployments, and Personal Information (SSANs and Home phone numbers).  That implies that FOUO is NOT Sensitive Information, Plans, Planned Deployments, and Personal Information (SSANs and Home phone numbers).  The briefing states that FOUO will be stored in a LOCKED desk, room, or cabinet unless Government or Government-contract building security is provided.  Electronic FOUO transmission should be by approved SECURE comms systems.  Your e-mail account and internet based websites are NOT secure comm systems.  

Bottom Line:  If you get something marked FOUO by e-mail, then it is either not FOUO or the person sending it to needs to be reported for a security violation.   Critical Information that is not FOUO still needs to be protected - but that just means don't broadcast it to the world.  Critical Information should be limited to only people with a need to know.  That is what the OPSEC training is all about.  I am now seeing emails from people in our wing who have included the U/FOUO statement as part of their signature tag on all their emails.  Duh....rant over.

[RedFox24]

Short Field, I hear you loud and clear, which is why I am asking the question. 

OK let me take this a step further with two different scenarios.

1.  Say I got a U / FOUO document of some government agency from a person who is not with that agency.  If I read the answers so far, then I just throw it in the trash and carry on.  I means nothing to me, I am not with that Gov Agency and am not interested in the document.  So even though I am FOUO "compliant" with CAP it means nothing outside CAP?

Example:  I am given a document from a government agency that is marked FOUO by a business man whom I am doing business with, showing me how some situation could effect my business.  Neither he nor I are employed or contracted by that Gov Agency. 

2.  Say I am given a FOUO CAP document from a person who is not in CAP/USAF. Then what?  This does mean something to me as a CAP member but what is my responsibility at this point with a non CAP member.

Example:  I am given a CAP frequency list from a non CAP member, find the Region Comms Plan on a Website, read our new frequencies in a magazine or on a blog with the discussion of what FOUO means in relationship to the document they posted.  You tell the squadron, group or wing DC and their answers is "that's an old list".  Well it might be, then again it matches the list you can down load from E Services...............So...........

So, (U) unclassified means just that. 

FOUO means official use within the context of me being able to see the information when some one higher up the chain deems me "in the need to know". 

Otherwise, I have no obligation to be "secure" or "responsible" for anyone else misuse of U / FOUO because the document or information is neither sensitive or secure. 

Regardless of or from whom the document comes from, inside or outside of CAP, my FOUO training with R Lee only applies to what command deems necessary for me to know.....and I am to safe guard what they give or tell me............not what others might give me that is FOUO.

Clear as mud?

Maybe I am asking to much or thinking to much, but it makes me wonder if our FOUO training really means anything outside of CAP Command deciding whom they want to tell what to. 

[cnitas]

I think in your example, you throw it in the unlocked trashcan.  You do not hold a security clearance and the information is unclassified.  If it is truly sensitive information and you have a 'need to know' you treat it as such. 

What is your answer in this case?:
Suppose someone hands you a document clearly labeled 'TOP SECRET' - 'American Red Cross CEO Eyes Only' - 'Destroy after Use'

You of course immediatly fold the document so it cannot be read, but now you have a problem.

You got the document through a trusted non-AOPA source and you have no security clearance.   Does your FOUO training compel you to do anything? 

[jb512]

Open and read it first.

[desertengineer1]

CAP did an extremely poor job of implementing FOUO, and IMHO, the mandate of U//FOUO is even worse.

Social Security numbers are Privacy Act.  Frequencies are FOUO (OPSEC).

I've tried to correct the misconceptions and misinformation constantly over the years - in both military (unit security manager) and CAP.  I don't know whhere the breakdown is.  Could be lack of leaders who are formally trained in DoD 5200-22R (or AFI 31-401).  Could be the herding instinct.  Could be that no one really cares and they want to be lazy - take the easy way instead of the right way (my vote).

I cringe every time I see a document with such markings.

FOUO is NOT a classification.  Let me repeat that again.  IT IS NOT A CLASSIFICATION STATEMENT.  Why can't people get this simple concept?  How many times do I have to repeat this?

http://www.hropensacola.navy.mil/hropdirectives/hropinst5720.1.pdf

FOUO signifies the information meets exemption(s) for release under FOIA.  Handling instructions, per DoD 5200-22R (and others in the same seiries) require handling instructions stated seperately by the originator of the information.  In other words, if you are to follow the REAL rules, you have to specify handling instructions.

For the "U", I got nothing.  Again, I've been hounding everyone about this for years.  It's already unclassified.  Why are you marking it U//FOUO.  You as an organization look like a collection of idiots to Security folk when you mandate such.

This is like me calling you one afternoon and saying, "Hey, Mike, let's go to lunch in my car car".

See this:  http://afsf.lackland.af.mil/Organization/AFXOF/Interim%20Guidance-Safeguard-Atch%202.pdf

Of course, if anyone cares enough to actually read the rules, you can go here to the -1R: 

http://www.dtic.mil/whs/directives/corres/pdf/520001r.pdf


Frequencies are another issue which we did an even more sad job of explaining.  Frequencies are deemed Critical Information items (reference AFI 10-701), or "CI".  As with Privacy Act infomation, the OPSEC process final steps require organizations to identify and protect CI, by developing local policies (OI's here in the AF side).  CAP's continuing mistake is to not inform or train members of the OPSEC evaluation and reporting process we follow as a requirement of AFI 10-701.  This, in-turn, accelerates the misinformation and rumor mills.

CAP needs to either formally follow 10-701 or discard it: 

http://www.e-publishing.af.mil/shared/media/epubs/AFI10-701.pdf

See my previous rant here:

http://captalk.net/index.php?topic=147.40

[jimmydeanno]

For the "U", I got nothing.  Again, I've been hounding everyone about this for years.  It's already unclassified.  Why are you marking it U//FOUO.  You as an organization look like a collection of idiots to Security folk when you mandate such.

Please see example: http://www.firearmscoalition.org/images/news/hsa-rightwing-extremism-09-04-07.pdf
(Please note that I am not commenting on the study itself, but the bottom of the cover)

This document, released by the DHS states "UNCLASSIFIED // FOR OFFICIAL USE ONLY" on the bottom.  Also states U//FOUO before any of the text. Does that make them look like a collection of idiots?

Either way, I think that there is very little if anything that the average CAP member would come into contact with that would be labeled with anything.  In all honesty I think we've gone off the deep end with OPSEC, etc.  Because we haven't provided real training on the subject nobody knows exactly what it means so everyone is hyper sensitive and wants to stamp everything FOUO. 

I get e-mails from people in CAP for Wing Conferences, etc that say "UNCLASSIFIED // FOUO" - give me a break, it's a wing conference.

I've said this before, but I used to work on Langley AFB.  I had to attend OPSEC training before I could start my job.  It consisted of a 10 slide powerpoint printed off.  I sat down, the lady said, "read this and when you're done sign here."  That's it, 5 minutes of my time.

Those 10 slides were more than enough to tell me that if it says "SECRET" on it I shouldn't pass it around.  It also made it quite clear that I wasn't someone who would be doing the classification, so just look for the right colors.

YMMV.

[heliodoc]

^^^^ :clap: :clap:

AGAIN CAP needs to follow 'the rules" by the AFI

CAP also needs someone at NHQ with REAL FOUO background to diseminate (sp) the real deal rather than every CAPtalker assuming they KNOW what is FOUO

AND whether its UNCLAS or FOUO is just throwing in the trash can going to do it???

With all the security risks.......shred or rip into small pieces.... I would think CAPers would know how to do that....

[heliodoc]

Yep jimmydeanno

CAP HAS gone overboard on FOUO ....Wing Conference docs FOUO??? WTF?  Wow

This is type of thing that makes CAP look like the Keystone Kops

CAP and FOUO ??   really??

[RedFox24]

Then if I may be so bold as to say:  Once again NHQ and others along the chain want to play "military", be "military" and act more important then we/they are, who have no concept of what they are talking about or doing in the name of "looking good" for someone else.

As I suspected, FOUO was just another check box on the membership sqrt and another gross waste of my time that I will never get back from CrAP (I think my wife would approve of me using her r here).

Out.

[desertengineer1]

Please see example: http://www.firearmscoalition.org/images/news/hsa-rightwing-extremism-09-04-07.pdf
(Please note that I am not commenting on the study itself, but the bottom of the cover)

This document, released by the DHS states "UNCLASSIFIED // FOR OFFICIAL USE ONLY" on the bottom.  Also states U//FOUO before any of the text. Does that make them look like a collection of idiots?

Yes, it does.  It broadcasts to everyone that the organization isn't following DoD rules, either by ignorance or "I'll do what I want to because I said so" factors.

It doesn't meet DoD directives.

See again:

http://www.hropensacola.navy.mil/hropdirectives/hropinst5720.1.pdf
(Example of a GREAT policy letter that follows DoD 5200 to the letter.  DoD mandates the law.  Organizations mandate compliance by OI's and policy letters - if not specified individually. Refer to AFI 10-701.  "Commanders will ....")

http://afsf.lackland.af.mil/Organization/AFXOF/Interim%20Guidance-Safeguard-Atch%202.pdf
(Another GREAT example of an attempt by a unit [presumably the USM] to do the right thing instead of the easy, wrong thing.  Hats off to whoever wrote this.  It is absolutely correct.)

http://www.dtic.mil/whs/directives/corres/pdf/520001r.pdf
(The founding 5200 directive.  One should NEVER do anything relating to security before reading and understanding this series)

http://www.e-publishing.af.mil/shared/media/epubs/AFI10-701.pdf

AF OPSEC Program.  Note the chapter on OPSEC Unit Assessments - this is where the CAP frequency policy came from.  I assume (because no one I've asked knows) the frequency policy came out of some assessment somewhere (CAP-USAF or AFNORTH) and frequencies were added to the CI list.  Would have been nice if NHQ actually explained why in the policy letter.  Again, easy vs. right.

[Short Field]

With all the security risks.......shred or rip into small pieces.... I would think CAPers would know how to do that....

:clap:  :clap:  :clap:  Shred or burn and you never have to worry.  DoD 5200 was my bible for several decades.  We marked paragraphs and pages Unclassified when they were in a classified document.   Unclassified documents were never marked Unclassified.

[Captain Morgan]

OK here is my question presented to the best of my ability to express such.

I have had/taken/passed the CAP on line U / FOUO training a long time ago so it escapes me now exactly whom wrote/sponsored/authored/endorsed the training.  Other than CAP radio stuff and information passed with the base for encampment planning purposes I have never come upon anything that was U / FOUO so my question that follows has never been a concern.   

Was that training a CAP training or was that a US Government training?  As in does my CAP FOUO count/require/duplicate/imply U / FOUO for any other US Government agency using FOUO?

So lets say that:  You are given a document that is clearly marked U / FOUO by a person who is 1)  not in or affiliated with CAP/USAF or any military branch  2)  has nothing to do with CAP/USAF missions or such 3)  have no idea you have U / FOUO training and 4) you have no idea that they have had the training. 

What is your responsibility or obligation under your CAP FOUO training at this point? 

Just curious...............

Like maybe a recent HSA document that's been in the news? ...

[N Harmon]

It broadcasts to everyone that the organization isn't following DoD rules, either by ignorance or "I'll do what I want to because I said so" factors.

How about, isn't following DoD rules because it isn't part of DoD (DHS is a separate department in the executive branch).

Civil Air Patrol, on the other hand, should be adopting DoD policy. Not just because we would avoid having to reinvent the wheel, but because it demonstrates that we take OpSec seriously and that we can be trusted with sensitive information.

[Larry Mangum]

Either way, I think that there is very little if anything that the average CAP member would come into contact with that would be labeled with anything. 

Actually there are a few things that we do that could be considered CI information.  When we fly intercept missions in support of the Western Air Defense Sector, we are provided information that is not to be disseminated to the public or discussed openly as it could potentially, compromise the sorties. Especially when it is suppose to be a no notice exercise of the alert crews. 

The same could be said in regards to Counter Drug, in regards to frequencies and operations.

So while CAP may have handled the training rather poorly, we in fact are privy, depending upon your row to information that could compromise an exercise or operation all the time.

[PhoenixRisen]

So, on my squadron's website, I've got a password-protected member's only section.  The login page contains the standard 18 United States Code Section 2511 warning required by CAPR 110-1.

Within this section, I've a roster for our membership which contains names, addresses, phonenumbers, etc.  According to the OPSEC briefing, "Personal Information" is it's own bullet under "information not to be stored in publically accessable areas" - which it's not.

Am I good here?  Do I need to put some form of marking somewhere?  Mark the whole page?  Mark just the area with the rosters?  The documents themselves?  If something needs to be marked somewhere - should I just stick with what CAP says (i.e. U//FOUO), despite the discussion on the redundancy and stupidity of that specific qualification)?