“SBU” Must Die
Posted August 8th, 2007 by rybolov

I had dinner with Joe last night, and I thought I would add a little bit of fuel to his personal vendetta to rid the world of the concept of “SBU”–Sensitive But Unclassified. Let’s just say that I’m an anti-SBU sympathizer. =)
“SBU” is a pseudo-classification used by the government to say that a bit of information is unclassified but still needs to be protected.
The biggest question is, does the US Government have any data that is unsensitive in any way? Usually not. I’m trying to think of something, and I am drawing a complete blank, unless we want to talk about orders for new black Skilcraft ballpoints and Simple Green. But then again, there’s probably a purchase order involved which probably is sensitive in some way. You could even extrapolate a traffic analysis attack using the quantity of pens ordered to determine how many people work at a specific place (not as effective as using the volume of pizza ordered by the Pentagon during planning for a troop surge as an indicator of pending missions), but when I start to go down that road I put on the tinfoil hat and the thoughts go away. =)
DODD 8500.1 defines SBU as “A term commonly and inappropriately used within the Department of Defense as a synonym for Sensitive Information, which is the preferred term.” Then there is a lengthy definition for Sensitive Information which you can go look up yourself.
Seriously, though, the last thing we need is for people to be making up their own classifications without official limits on what you can and can’t do with them. If you can’t mark it on a document and have people know what the marking means, then it’s not an effective classification. I think SBU meets this description, and that’s why it must die.
We have a classification, it’s called “For Official Use Only”. Use it, folks! =)
Posted in Rants, What Doesn't Work | 4 Comments »
August 9th, 2007 at 10:00 am
I am so glad you posted on this.
For some years now, I have seen Sensitive but Unclassified on the top of official documentation. They don’t like to say Sensitive only and I once had a customer say “For Official Use Only, is too formal.” WTF?
We aren’t baking cakes here. These are government security documents.
Here is a decent resource if you want to learn more:
http://rf-web.tamu.edu/security/SECGUIDE/S2unclas/Fouo.htm#For%20Official
Notice that Department of State allows the SBU designation. I haven’t worked a State contract so I can’t comment on how well it is tolerated.
August 9th, 2007 at 11:20 am
Thanks, Chris. To be brutally honest, I use “SBU” but only because the people I’m working with make me. =)
August 9th, 2007 at 1:18 pm
Same Here–FOUO is the simple standard. And yes, ordering Skilcraft pens through Class 2 is FOUO–I’ll just leave it at that! =) If they analyzed how many people worked here by our pen usage, they’d come out with some number equivalent to the population of Ft. Benning (unless they factor in the unnatural things mechanics do with the pens I give them).
August 16th, 2007 at 12:36 pm
Thanks for immortalizing my rant. I have since printed the article and shown it to my guvvies here at State. Funny how many of them agree. It is now taped to the outside of my cube along with your tome on “Controls not in 800-53…”
This rose to the level of insanity when another agency desired to connect to my customer’s network. During the ISA negotiation process, we had to address the horrible commingling of “SSI” with “SBU.”
What really put me “up on the governor” was the question asked by the other agency’s government SSO, to wit, “How can we be sure that they will protect our SSI as well as their SBU?”
My head exploded.
These people should be Impaled.
It’s UNclassified.
R/
Vlad the Impaler