IIr Associates, Inc.
Publisher of The Virginia Engineer

Handling and Protecting Sensitive But Unclassified Information
April 2007

Knowing The Risks and Uncertainty Involved

By J. Michael Littlejohn and J. R. Steele

Since 9/11, dealing with information security issues has become more difficult in the construction world. Construction contractors, project managers, design-build firms, and subcontractors on major federal, state, and local government projects are increasingly seeing project documents designated as “Critical Infrastructure Information” (CII), “Sensitive Security Information” (SSI), or “Sensitive But Unclassified” (SBU). In addition, these designations are often accompanied by contract clauses, Non-Disclosure Agreements, and/or certifications that require adequate protection of this information during the course of the project. Many contractors, engineers, and architects working on federal projects are familiar with the procedures and requirements for handling information classified by the federal government as “Confidential,” “Secret,” or “Top Secret.” However, the responsibilities involved in handling sensitive but unclassified information are not so clear. Moreover, sensitive information is frequently shared with states, local municipalities, subcontractors, and consultants during the course of the project, making management and protection of this information even more of a challenge. This lack of clarity, combined with the fact that disclosure of this information can result in dire consequences, should be of great concern for contracting, engineering, and architectural businesses.

What Is Sensitive But Unclassified Information?

For companies used to dealing with federal contracts, classified material handling is governed by the National Industrial Security Program Operating Manual (NISPOM). The government has determined that classified material is the type of information that, if released, could compromise national security. All federal agencies use the NISPOM, and contractors, subcontractors, consultants, and employees who have access to classified information must first complete a background check and be granted an appropriate security clearance. Additionally, the NISPOM sets forth specific guidelines for the protection and storage of classified information. In general, the NISPOM guarantees a certain level of uniformity within the government when dealing with this classified material.

Unfortunately, this is not the case for Sensitive But Unclassified (SBU) information. SBU information is not governed by the NISPOM and, unlike classified material, there is no uniform definition or guidance for the method of maintaining, protecting, and disseminating SBU information. Therefore, the major issue faced by contractors, engineers, and architects is that SBU information takes several forms and is defined by federal and state agencies in a myriad of ways. In the federal government context, for example, the Department of Defense (DOD) commonly refers to SBU information as For Official Use Only (FOUO). The FOUO term encompasses information that deals with national security or confidential business information. The Department of Homeland Security (DHS) has several categories of SBU, including Critical Infrastructure Information, Sensitive Security Information, and Sensitive Homeland Security Information (SHSI), that can also range from security-related documents to audits of contractors' financial information. By some accounts there are over 100 designations for sensitive information in the federal government. To make matters worse, several states have passed legislation which either defines or instructs the state agencies to define what SBU information is. Therefore, depending on the source of a contract, a company may be faced with various rules and regulations governing the use of SBU information.

Critical Infrastructure Information

Contractors, engineers, and architects are most likely going to be exposed to sensitive information when they are dealing with federal and state projects that have been deemed “critical infrastructure.” The term “critical infrastructure” has been used in a variety of ways. The federal government has described critical infrastructure as assets and systems that might not be considered items of national defense, but are nonetheless so important that their destruction would have a “debilitating impact” on the economic security or defense of the United States (See Critical Infrastructures: What Makes Infrastructure Critical?, CRS Report for Congress, January 29, 2003). The term has also been commonly used to refer to computer and communication networks. It has additionally been used to describe water supplies, power production, electrical transmission and distribution, emergency services, banking systems, mass transit systems, major transportation facilities, ports, utilities, and gas and oil pipelines. In Virginia, the Virginia Department of Transportation (VDOT) notes that critical infrastructure could include “Tunnel and Bridge-Tunnel Facilities, Ferries, Smart Traffic Centers, VDOT Central Office, District Offices, Data Systems, Security Systems, and the Information Technology Infrastructure” (See CII/SSI Guide for Vendors and Contractors, Virginia Department of Transportation 2005 (“VDOT CII/SSI Guide”)). Therefore, a substantial amount of critical infrastructure is either owned by private business and/or operated by states and localities.

Requirements for Protecting Sensitive Information

Due to the lack of a coordinated federal effort on defining and providing uniform protection guidelines for SBU information, there is no uniform requirement followed by agencies across government. In fact, some agencies have very specific policies while others are relatively silent on the handling and protection of SBU information. For example, the Department of Homeland Security now requires contractors and subcontractors to sign Non-Disclosure Agreements on certain projects in which the individual must certify his familiarity with the meaning of SBU and agree to protect sensitive information. On the state side, several states have enacted legislation since September 11, 2001 that addresses information protection. For instance, Virginia, Florida, Alabama, Arizona, Iowa, Maine, Maryland, Nevada, New York, and Texas have all passed laws addressing critical infrastructure and/or sensitive information protection. Consequently, contractors, engineers, and architects may have to deal with both federal and state requirements to protect information when dealing with a government-sponsored construction project.

In addition, the increased requirements for protection of SBU information have resulted in the inclusion of contract clauses in both federal and state level contracts. Several federal and state agencies are requiring the contracting party to sign a Non-Disclosure Agreement in order to prevent the disclosure of critical infrastructure and/or sensitive information. Not surprisingly, there appears to be no uniform Non-Disclosure Agreement that is being used by federal and state agencies. Therefore, it is imperative that, when contracting with a state or federal agency, any Non-Disclosure Agreement be closely scrutinized, because violation of these agreements can result in legal action and severe consequences.

In Virginia, the state legislature increased the protection of certain records in 2003 and 2004 by amending the Virginia Freedom of Information Act. The law exempts certain information relating to public safety from public disclosure. For example, the amendments provide a method for restricting the disclosure of records relating to critical infrastructure, engineering or architectural records that reveal the location or operation of security equipment and systems, elevators, ventilation, fire protection, emergency, electrical, telecommunications or utility equipment and systems of any public building, structure or information storage facilities (See VA. CODE 2.2-3705.2 – Exclusions to application of chapter, records relating to public safety).

As a result of this state legislation, and similar federal legislation, the Virginia Department of Transportation, where appropriate, now requires its contractors to sign Non-Disclosure Agreements and conduct fingerprint-based background checks in order to protect Critical Infrastructure Information and/or Sensitive Security Information from dissemination. VDOT has also released guidance on how to handle, store, and disseminate CII and SSI type information (See VDOT CII/SSI Guide). The guide notes that a company could have access to sensitive information in the form of documents and drawings, physical structures, and computer-based systems. Moreover, VDOT states that any person guilty of a willful violation of the Non-Disclosure Agreement could be removed from the VDOT program, excluded from future VDOT work, and be legally liable for the consequences of disclosure. The guidance to contractors describes how to protect the information, but managing the risks of disclosure is not entirely clear from the publication. VDOT does note that contractors can release SBU information to business partners and subcontractors on a legitimate need-to-know basis, but its definition of “need-to-know” is far from clear. Additionally, VDOT requires a party contracting with VDOT to retain a signed Non-Disclosure Agreement copy in its files for 24 months. VDOT requires that the Non-Disclosure Agreement be signed by an officer of the company.


The protection of sensitive but unclassified information will continue to be an issue for companies involved in major transportation, infrastructure, communication, and homeland security projects. Businesses should recognize the risk involved in handling this type of information and be proactive with steps to avoid unauthorized disclosures. Problems with handling this information could result in the loss of contracts, suspension, debarment, corporate embarrassment, third-party lawsuits, or possibly civil or criminal penalties. The following are several suggestions for individuals and companies dealing with this type of information.

– Review Requests for Proposals and contract documents to determine whether the project will require access to and protection of sensitive information.
– Flow down appropriate clauses to subcontractors, suppliers, and consultants requiring them to comply with applicable regulations governing the protection of the sensitive information.
– Require certifications or Non-Disclosure Agreements from subcontractors, suppliers, and consultants where appropriate.
– Coordinate with or obtain advance approval from the federal or state contracting official regarding the release of sensitive information to subcontractors, suppliers, or consultants to ensure that the agency is aware of who has access to the information.
– Store the sensitive information in accordance with the most stringent requirements of federal or state law for the type of information handled.
– Obtain advance approval from the state or federal contracting authority of appropriate storage for the level of sensitivity of the information.
– Make sure the equipment in which you store sensitive information is secure and not easily compromised by unauthorized individuals.
– At project closeout, obtain certifications from subcontractors, suppliers, consultants and employees that all records containing sensitive information have been returned or destroyed.
– Investigate and report in a timely manner any unauthorized disclosures of sensitive information to the appropriate federal or state officials.

Note: This article does not constitute legal advice or legal opinion and should not be relied upon for any dispute. Legal advice should always be obtained from qualified legal counsel.

About the Authors

J. Michael Littlejohn is a shareholder with the national law firm of Akerman Senterfitt Wickwire Gavin in its Tysons Corner, Virginia, office. Mr. Littlejohn focuses his practice on government contracts, construction, and disaster preparedness and recovery.

J. R. Steele is an associate with the national law firm of Akerman Senterfitt Wickwire Gavin in its Tysons Corner, Virginia, office. Mr. Steele’s practice is devoted to construction, government contracts, and real estate law.

For questions or additional information on this topic, please contact them at (703)790-8750.