We’ve talked a lot on this blog about protecting controlled unclassified information, and we’ve mentioned in places some other kinds of information, like classified and secret information, covered defense information, and other protected information.
There’s one thing all of this information has in common: it’s generated by the United States government. Whether it’s information on US citizens, US businesses, or US governmental programs and organizations, all of the protections – CMMC, FedRAMP, StateRAMP, and more – relate to information from the United States.
So, what if you’re a contractor working with the government in a position where you aren’t just handling US information but information from outside the US? How is that information classified and handled, and what do you need to do to control it properly?
Two kinds of information are relevant here: NATO information and more general Foreign Government Information.
What is Foreign Government Information?
Foreign government information is at once a somewhat sensible classification and somewhat broader than you might expect. FGI includes information received from foreign governments or international organizations that is to be held in confidence. But, it also includes information that the United States has provided to foreign governments. In this way, it encompasses more information than you might expect, as US-based information that is shared with other governments can be classified as FGI.
All of this generally falls under the header of CNSI, or Classified National Security Information. This information can be divided into three tiers:
- Information that could cause “damage” if it is released is classified as CONFIDENTIAL.
- Information that could cause “serious damage” if it is released is classified as SECRET.
- Information that could cause “exceptionally grave damage” if it is released is classified as TOP SECRET (though this label can only be applied by agents of the United States Trade Organization.)
What these specific damages mean and how they are determined is not generally up to us as contractors. We simply need to handle information the way it is presented to us.
One caveat to this classification system is that information that is marked as controlled by the foreign government that issued it may be re-marked by US Government officials to classify it in terms familiar to government contractors. After all, we contractors should not be expected to know the ins and outs of the information classification systems of every foreign government in the world, right? This holds doubly true with information that is not marked in English.
“FGI shall be re-marked if needed to ensure the protective requirements are clear. FGI may retain its original classification if it is in English. However, when the foreign government marking is not in English, or when the foreign government marking requires a different degree of protection than the same U.S. classification designation, a U.S. marking that results in a degree of protection equivalent to that required by the foreign government shall be applied.”
All of this is generally applicable to information that comes from or is delivered to a foreign government and is controlled in some fashion.
What is NATO Information?
NATO information is effectively a subset of FGI. NATO is the North Atlantic Treaty Organization and includes Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States as members.
NATO Information is information generated by NATO as an organization or for NATO as an organization. It is also information that has been generated by a NATO member nation for release to NATO rather than release to a specific country or organization. This information is controlled by NATO regulations rather than the regulations of any given entity. The exception is if additional restrictions are specified by the originator of the information prior to release to NATO.
NATO information can be classified into many different levels.
- NU – NATO Unclassified. This is information that is the property of NATO but does not require classification in other ways. It’s freely accessible as long as access to the information would not be detrimental to NATO.
- ATOMAL. This is a special classification relating specifically to atomic energy information and is generally marked using an ATOMAL variation of the other classification levels.
- NR – NATO Restricted. This is information that, if disclosed, would be disadvantageous to NATO’s interests. The security standards for NATO Restricted are similar to those of CUI but require classified channels for transmitting the information.
- NC – NATO Confidential. This is the step above NR, with information that, if disclosed, would be damaging to NATO interests.
- NS – NATO Secret. This is a step above NC for information that would seriously damage NATO if disclosed.
- CTS – NATO Cosmic Top Secret. This is the most seriously classified information generated as part of NATO. The use of the word “Cosmic” is a unique indicator that the information is part of NATO rather than a member state’s own version of TOP SECRET classification.
How Are FGI and NATO Information Controlled?
Fortunately, when it comes to handling FGI, NATO information, and similar information, there’s not a lot that you need to do.
That’s not to say that you can be lax with handling these types of information. Rather, it means that all of this information has roughly equivalent levels of security for domestic information, and the way you handle that information is largely identical.
In other words, if the FGI you’re given is on par with domestic CUI, you handle it with all of the same care and controls you would apply to CUI. If the information is classified at a SECRET level, you handle it with the same care and level of control as domestic SECRET information. That is the purpose of re-marking the information.
Many of the controls, authorities, and frameworks for handling this information come from the Department of Defense. Directives such as DoD Directive 5110.04, DoD Instruction 5025.01, and DoD Directive 5100.55 are all applicable.
In broad terms, the driving force is the principle of least access. As few people as possible should have access to information that is in any way controlled, with scaling requirements for access, logging, and tracking that information the higher it is on the scale.
FGI that is not NATO information but is covered by an agreement, treaty, bilateral exchange, or other obligation with the United States is controlled in the same fashion under 32 CFR 2001.54.
Essentially, the only difference is that information received from a foreign government is typically marked with information about the originating government.
Are there any specific requirements for user access to a system approved for FGI?
Not particularly.
Once a system is approved to handle FGI or NATO information, all of the usual security controls apply as relevant to the tier of classification of the information. If the US-equivalent information requires a specific kind of access control, so too would the FGI-equivalent version of that information.
Sometimes, specific controls, access lists, restrictions, or other controls are placed on specific information. This is handled on a case-by-case basis and is not broadly applicable to entire classes of information.
Broadly, the only thing that needs to happen when handling FGI or NATO information is a refresher of the training your staff – at least those who handle the information or could potentially have access to it – undergo. While the information is generally handled the same way as normal domestic information, the difference is important in cases of sharing that information with relevant governments and third-party organizations.
When in doubt, refer to the original information provider for more details and guidance on how to handle specific information from an external entity.
When transferring data from a system containing FGI to external media, does that media need to be marked as containing FGI?
This is an interesting question.
Obviously, if the information being burned to storage media is FGI or NATO information, the media needs to be appropriately marked and handled.
What if it isn’t FGI, though? This is where things get tricky. There is no specific guidance on whether or not to mark that media as potentially FGI. However, a conservative view of the situation is to mark it because there could be system information or metadata you don’t realize is being transferred, which could inadvertently contain or reveal FGI.
If your systems are properly configured and segmented, this shouldn’t be an issue; information that is not FGI may not even be on the same hardware or systems as information that includes FGI. However, if your operations require mixing this information (such as making it more broadly accessible along with other reference documentation), then it may be useful to include those disclosures and labels.
There is no assigned process for determining whether or not to mark this kind of external storage media just because it interacted with a system that contains FGI. In the end, it comes down to using your best judgment and erring on the side of caution to avoid inadvertent disclosure of FGI to parties that shouldn’t have it.
Does FGI need to be in isolated systems or are access controls enough to protect it?
In general, you don’t need isolated systems just for the FGI or NATO information you handle. Again, you treat it essentially the same as any other CUI or classified information you handle as part of your operations. If that means isolated systems, then so be it. Usually, though, it just means relevant access controls.
A huge part of modern information security is identifying the people who have access to information, granting access only as people need it – and revoking it when it is no longer relevant – and keeping robust logs. You want to be able to see who has access to what information at any given time, but also who accesses information, when, and from where. If an authorized user account accesses information from, say, an IP address that it shouldn’t, it can be a red flag of a compromised account or a breach of best practices.
Broadly speaking, access control for CUI and domestic information is the same as access control for FGI and NATO information, but with different roles for different users who have access to information as relevant to your operations.
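As an added illustration of the least-access and who/what/when/where logging points above (example code written for this page, not from the original post or the Ignyte Platform): it runs a simple policy check over constructed audit lines labelled with the NATO levels listed earlier, treats ATOMAL as a separate briefing, and flags accesses that exceed clearance, lack need-to-know, or come from an unapproved network. The account names, subnets, and document ids are hypothetical.

```python
import ipaddress
from collections import namedtuple

# NATO levels in ascending order; ATOMAL is a compartment on top of a level.
LEVELS = {"NU": 0, "NR": 1, "NC": 2, "NS": 3, "CTS": 4}
# level: highest level cleared; atomal: briefing held; need_to_know: granted
# resources (least access); networks: approved source networks for the account.
Clearance = namedtuple("Clearance", "level atomal need_to_know networks")

# Constructed sample accounts (hypothetical users and subnets).
USERS = {
    "alice": Clearance("NS", True, {"doc-17", "doc-42"}, [ipaddress.ip_network("10.20.0.0/16")]),
    "bob": Clearance("NC", False, {"doc-17"}, [ipaddress.ip_network("10.30.0.0/16")]),
}

def check_access(user, resource, marking, src_ip):
    """Decide whether one access is policy-compliant; return (allowed, reason)."""
    clr = USERS.get(user)
    if clr is None:
        return False, "unknown account"
    level, _, compartment = marking.partition("-")   # e.g. "NS-ATOMAL"
    if level not in LEVELS:
        return False, f"unrecognised marking {marking}"
    if LEVELS[level] > LEVELS[clr.level]:
        return False, f"{level} exceeds clearance {clr.level}"
    if compartment == "ATOMAL" and not clr.atomal:
        return False, "ATOMAL briefing not held"
    if resource not in clr.need_to_know:
        return False, "no need-to-know for resource"
    if not any(ipaddress.ip_address(src_ip) in net for net in clr.networks):
        return False, f"source {src_ip} outside approved networks"
    return True, "ok"

def review_log(lines):
    """Apply the policy to 'timestamp user resource marking src_ip' lines; return entries to investigate."""
    flagged = []
    for line in lines:
        ts, user, resource, marking, src_ip = line.split()
        allowed, reason = check_access(user, resource, marking, src_ip)
        if not allowed:
            flagged.append((ts, user, resource, reason))
    return flagged

# Constructed audit lines: who accessed what, under which marking, from where.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z alice doc-42 NS-ATOMAL 10.20.1.5",   # compliant
    "2024-05-01T10:05:00Z bob doc-17 NC 10.30.4.9",            # compliant
    "2024-05-01T10:07:00Z bob doc-42 NS 10.30.4.9",            # over clearance
    "2024-05-01T10:09:00Z alice doc-17 NC 203.0.113.7",        # unapproved network
]
```

Calling `review_log(SAMPLE_LOG)` returns the last two entries with their reasons; in practice the log lines would come from your system's audit trail rather than a list in code.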
Does NATO information require special segregation?
You are required to ensure that NATO and non-NATO information is filed separately. Similarly, ATOMAL and non-ATOMAL information also must be filed separately.
What constitutes separate is a lower bar than you might expect, however. For example, the NATO security awareness briefing says:
“This may be accomplished by using a separate security container or, to conserve storage space, by using separate drawers or file dividers in the same security container holding U.S. classified material.”
In general, this means keeping information on the same system, as long as it’s controlled according to its classification, is fine. Meet the baselines and make sure you aren’t in violation of any common information control rules, and you’re essentially where you need to be.
Helping You Secure Controlled Information
At Ignyte, helping others secure information is our specialty. Whether it’s using the Ignyte Platform to help record, audit, and implement the security controls necessary to achieve compliance with a framework, or operating as a 3PAO to audit your systems and gain you the authority to operate with the government, we’re in your corner.
With us, you can:
- View our list of frameworks and reach out for a demo of the Ignyte Platform.
- Read our blog for more information on a variety of information security topics.
- Listen to our podcast on emerging risks and trends in cybersecurity.
And, of course, you can always reach out and ask any questions you may have directly at any time. Just send us a message, and we’ll get back to you as soon as possible with a reply. We’re always here to help.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.