The IT Law Wiki


Sensitive but unclassified information (also written as sensitive, but unclassified) (SBU) is

information that has not been classified by a federal law enforcement agency which pertains to significant law enforcement cases under investigation and criminal intelligence reports that require dissemination criteria to only those persons necessary to further the investigation or to prevent a crime or terrorist act. The designation controlled unclassified information has replaced "sensitive but unclassified information.[1]
information the disclosure, loss, misuse, alteration, or destruction of which could adversely affect national security or other Federal Government interests. National security interests are those unclassified matters that relate to the national defense or the foreign relations of the U.S. Government. Other government interests are those related, but not limited to the wide range of government or government-derived economic, human, financial, industrial, agricultural, technological, and law enforcement information, as well as the privacy or confidentiality of personal or commercial proprietary information provided to the U.S. Government by its citizens.[2]
[a] [d]esignation of information in the United States federal government that, though unclassified, often requires strict controls over its distribution. SBU is a broad category of information that includes material covered by such designations as For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive Homeland Security Information, Security Sensitive Information (SSI), Critical Infrastructure Information (CII), etc. Some categories of SBU information have authority in statute or regulation (e.g. SSI, CII) while others, including FOUO, do not. As of May 9, 2008, the more appropriate terminology to use is Controlled Unclassified Information (CUI).[3]


Even before the terrorist attacks of 2001, federal agencies used the label SBU to safeguard from public disclosure information that does not meet standards for classification in Executive Order 12958 or National Security Decision Directive 189. Executive Order 13292 may widen the scope of scientific and technological information to be classified to deter terrorism. SBU has not been defined in statutory law.

When using the term, some agencies refer to definitions for controlled information, such as “sensitive,” in the Computer Security Act of 1987, and to information exempt from disclosure in the Freedom of Information Act (FOIA) and the Privacy Act of 1974. The identification of information to be released pursuant to these laws may be discretionary, subject to agency interpretation and risk analysis.

Pub. L. No. 107-296 required the President to issue guidance on safeguarding SBU homeland security information, a function assigned to the Secretary of the Department of Homeland Security in Executive Order 13311.

DHS Sensitive Systems Policy Directive 4300A refers to this designation as an "obsolete designation."[4] The term has been replaced with "sensitive information."



See also[]