We’ve talked a lot on this blog about protecting controlled unclassified information, and we’ve mentioned in places some other kinds of information, like classified and secret information, covered defense information, and other protected information.
There’s one thing all of this information has in common: it’s generated by the United States government. Whether it’s information on US citizens, US businesses, or US governmental programs and organizations, all of the protections – CMMC, FedRAMP, StateRAMP, and more – relate to information from the United States.
So, what if you’re a contractor working with the government in a position where you aren’t just handling US information but information from outside the US? How is that information classified and handled, and what do you need to do to control it properly?
Two kinds of information are relevant here: NATO information and more general Foreign Government Information.
Foreign government information is at once a fairly intuitive category and a broader one than you might expect. FGI includes information received from foreign governments or international organizations that is to be held in confidence. But it also includes information that the United States has provided to foreign governments. This is what widens the category: US-originated information that is shared with other governments can itself be classified as FGI.
All of this generally falls under the heading of CNSI, or Classified National Security Information. This information can be divided into three tiers:
What these specific damages mean and how they are determined is not generally up to us as contractors. We simply need to handle information the way it is presented to us.
One caveat to this classification system is that information that is marked as controlled by the foreign government that issued it may be re-marked by US Government officials to classify it in terms familiar to government contractors. After all, we contractors should not be expected to know the ins and outs of the information classification systems of every foreign government in the world, right? This holds doubly true with information that is not marked in English.
“FGI shall be re-marked if needed to ensure the protective requirements are clear. FGI may retain its original classification if it is in English. However, when the foreign government marking is not in English, or when the foreign government marking requires a different degree of protection than the same U.S. classification designation, a U.S. marking that results in a degree of protection equivalent to that required by the foreign government shall be applied.”
All of this is generally applicable to information that comes from or is delivered to a foreign government and is controlled in some fashion.
NATO information is effectively a subset of FGI. NATO is the North Atlantic Treaty Organization and includes Albania, Belgium, Bulgaria, Canada, Croatia, the Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkiye, the United Kingdom, and the United States as members.
NATO Information is information generated by NATO as an organization or for NATO as an organization. It is also information that has been generated by a NATO member nation for release to NATO rather than release to a specific country or organization. This information is controlled by NATO regulations rather than the regulations of any given entity. The exception is if additional restrictions are specified by the originator of the information prior to release to NATO.
NATO information can be classified into many different levels.
Fortunately, when it comes to handling FGI, NATO information, and similar information, there’s not a lot that you need to do.
That’s not to say that you can be lax with handling these types of information. Rather, it means that each level of this information has a roughly equivalent level of domestic information, and the way you handle the two is largely identical.
In other words, if the FGI you’re given is on par with domestic CUI, you handle it using all of the same care and controls you would apply to CUI. If the information is classified at the SECRET level, you handle it with the same care and level of control as domestic SECRET information. This is the purpose of re-marking the information.
Many of the controls, authorities, and frameworks for handling this information come from the Department of Defense. Directives such as DoD Directive 5110.04, DoD Instruction 5025.01, and DoD Directive 5100.55 are all applicable.
In broad terms, the driving force is the principle of least access. As few people as possible should have access to information that is in any way controlled, and the requirements for access, logging, and tracking scale up the higher the information sits on the classification scale.
FGI that is not NATO information but arrives under an agreement, treaty, bilateral exchange, or other obligation with the United States is controlled in the same fashion under 32 CFR 2001.54.
Essentially, the only difference is that information received from a foreign government is typically marked with information about the originating government.
Not particularly.
Once a system is approved to handle FGI or NATO information, all of the usual security controls apply as relevant to the tier of classification of the information. If the US-equivalent information requires a specific kind of access control, so too would the FGI-equivalent version of that information.
Sometimes, specific access lists, restrictions, or other controls are placed on a particular piece of information. This is handled on a case-by-case basis and is not broadly applicable to entire classes of information.
Broadly, the only thing that needs to happen when handling FGI or NATO information is a refresher of the training your staff – at least those who handle the information or could potentially have access to it – undergo. While the information is generally handled the same way as normal domestic information, the difference is important in cases of sharing that information with relevant governments and third-party organizations.
When in doubt, refer to the original information provider for more details and guidance on how to handle specific information from an external entity.
This is an interesting question.
Obviously, if the information being burned to storage media is FGI or NATO information, the media needs to be appropriately marked and handled.
What if it isn’t FGI, though? This is where things get tricky. There is no specific guidance on whether or not to mark that media as potentially FGI. However, a conservative view of the situation is to mark it because there could be system information or metadata you don’t realize is being transferred, which could inadvertently contain or reveal FGI.
If your systems are properly configured and segmented, this shouldn’t be an issue; information that is not FGI may not even be on the same hardware or systems as information that includes FGI. However, if your operations require mixing this information (such as making it more broadly accessible along with other reference documentation), then it may be useful to include those disclosures and labels.
There is no assigned process for determining whether or not to mark this kind of external storage media just because it interacted with a system that contains FGI. In the end, it comes down to using your best judgment and erring on the side of caution to avoid inadvertent disclosure of FGI to parties that shouldn’t have it.
In general, you don’t need isolated systems just for the FGI or NATO information you handle. Again, you treat it essentially the same as any other CUI or classified information you handle as part of your operations. If that means isolated systems, then so be it. Usually, though, it just means relevant access controls.
A huge part of modern information security is identifying the people who have access to information, granting access only as they need it – and revoking it when it is no longer relevant – and making sure that robust logging is kept. You want to be able to see who has access to what information at any given time, and also who accesses information, when, and from where. If an authorized user account accesses information from, say, an IP address that it shouldn’t, that can be a red flag for a compromised account or a breach of best practices.
Broadly speaking, access control for CUI and domestic information is the same as access control for FGI and NATO information, but with different roles for different users who have access to information as relevant to your operations.
You are required to ensure that NATO and non-NATO information is filed separately. Similarly, ATOMAL and non-ATOMAL information also must be filed separately.
What constitutes separate is a lower bar than you might expect, however. For example, the NATO security awareness briefing says:
“This may be accomplished by using a separate security container or, to conserve storage space, by using separate drawers or file dividers in the same security container holding U.S. classified material.”
In general, this means keeping information on the same system, as long as it’s controlled according to its classification, is fine. Meet the baselines and make sure you aren’t in violation of any common information control rules, and you’re essentially where you need to be.
At Ignyte, helping others secure information is our specialty. Whether it’s using the Ignyte Platform to help record, audit, and implement the security controls necessary to achieve compliance with a framework, or operating as a 3PAO to audit your systems and gain you the authority to operate with the government, we’re in your corner.
With us, you can:
And, of course, you can always reach out and ask any questions you may have directly at any time. Just send us a message, and we’ll get back to you as soon as possible with a reply. We’re always here to help.
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/security/nato-foreign-government-information/