'Sensitive But Unclassified' Information and Other Controls: Policy and Options for Scientific and Technical Information [Updated December 29, 2006]

"Following the 2001 terrorist attacks, the Bush Administration issued guidance that reversed the Clinton Administration's "presumption of disclosure" approach to releasing information under Freedom of Information Act (FOIA) and cautioned agencies to consider withholding SBU information if there was a "sound legal basis" to do so. Some agencies contend that SBU information is exempt from disclosure under FOIA, even though such information per se is not exempt under FOIA. The 2002 enactment of the Federal Information Security Management Act (FISMA) rendered moot the definition of SBU that some agencies had used since the passage of the Computer Security Act of 1987, which identified sensitive information by content. FISMA requires agencies to categorize the criticality and sensitivity of all information according to the security control objectives of confidentiality, integrity, and availability across a range of risk levels and to use safeguards based on risk of release. Many federal agencies have not yet fully implemented these new procedures. During the 109th Congress, P.L. 109-90 and P.L. 109-295 focused on management, oversight, and appropriate use of the sensitive security information (SSI) category. Legislative proposals focused on standardizing concepts of "sensitive" information; modifying penalties for disclosure; and clarifying FOIA. During the 110th Congress, additional topics likely to be controversial include limiting the number of persons who can designate SBU; widening the use of risk-based approaches to control; centralizing review, handling, and appeals; and evaluating the impact of federal policies on nongovernmental professional groups' prepublication review and self policing of sensitive research. This report will be updated as necessary."

CRS Report for Congress, RL33303
