DRAFT
A UK MOD Short Guide to
The UK Government’s New Security Classification System
The Old System:
UNCLASSIFIED / PROTECT / RESTRICTED / CONFIDENTIAL / SECRET / TOP SECRET
The New System:
OFFICIAL[1] / SECRET / TOP SECRET
Key Points:
- Going from six classifications to three.
- The removal of UNCLASSIFIED reasserts the fact that all Government information has value and should be handled with appropriate care.
- Individuals will have more discretion within OFFICIAL than in the old RESTRICTED domain.
- No direct read-across from old to new system within HMG.
- In certain areas a direct comparison is required for dealing with Industry, International Partners and legacy issues.
The New System (from 2 Apr 14):
Tier One / Tier Two / Tier Three
OFFICIAL[2] / SECRET / TOP SECRET
Information Handling Guidance – Marking, Sharing, Transmission and Storage (UK officials, partners, industry):
MOD will not mark documents “OFFICIAL” (However, other Government departments may. There is no difference in handling if marked or unmarked) / Marked “OFFICIAL - SENSITIVE” / Marked “SECRET” / Marked “TOP SECRET”
Information to be handled with appropriate care.
The document does not normally carry any handling instructions but may do so if the originator thinks it is needed. / Information to be handled with greater care.
Can include National caveats[3]. Can include only three additional descriptors if further handling instructions required
PERSONAL[4]
COMMERCIAL[5]
LIMITED CIRCULATION[6] / Except for the reduction in ‘descriptors’ (detailed to the left) – No Change
National caveats, codewords and any special handling instructions remain / As SECRET
Sharing Information: Author/owner or recipient to determine.
Remote working: User to determine but ensure information cannot be overlooked.
IT Transmission of Information: User discretion but in most circumstances HMG approved IT systems / devices.
Storage: User discretion but in most circumstances, HMG approved IT systems / devices, or physical ‘standard’ lock & key. / Sharing (no descriptor): HMG author/owner or HMG recipient to determine on a clear ‘need to know’ basis.
External organisations to seek HMG authority to share (or already authorised under MoU etc)
Sharing (with descriptor): HMG author/owner to determine on a clear ‘need to know’ basis.
All recipients to seek HMG author/owner authority to share (or already authorised under MoU etc)
Remote working (All): User to determine but not normally allowed unless suitably configured devices/services are used; essential that information cannot be overlooked.
Transmission: HMG approved IT systems / devices, or in priority circumstances, originator approval needed if no approved IT.
Storage: HMG approved IT systems / devices, or physical ‘standard’ lock & key. If descriptor/caveat used then mandatory ‘locked-down’ team sites / folders with authorised access lists are required. / No change to current policy / No change to current policy
The New System (from 2 Apr 14):
OFFICIAL[7] / SECRET / TOP SECRET
LEGACY DOCUMENTS or LEGACY PHYSICAL ASSETS
UNCLASSIFIED / PROTECT / RESTRICTED / CONFIDENTIAL / SECRET / TOP SECRET
Unless an HMG author / owner or HMG recipient reassesses the information, data or asset, it retains original markings and handling caveats / descriptors, and Sy control measures / Unless originator reassesses information, data or asset, it retains original markings and handling caveats / descriptors, and Sy control measures
Sharing Information: Any author/owner or recipient to determine.
Transmission of Information: Over any system
Storage: Any system / Sharing Information: HMG author/owner or HMG recipient to determine. External organisations to seek approval
Transmission of Information: HMG approved IT systems / devices mandated.
Storage: Legacy (or post 2 Apr 14) HMG approved IT systems / devices mandatory or legacy RESTRICTED physical security measures. / Sharing Info: No change
Transmission of Information: Legacy[8] ‘CONFIDENTIAL’ system or Tier Two IT system mandated.
Storage: Legacy ‘CONFIDENTIAL’ IT system or Tier Two system mandated.
Legacy Phys Sy measures, moving to Tier Two as soon as practicable. / No Change
HMG approved IT systems / devices for Tier Two mandated. / No Change
HMG approved IT systems / devices for Tier Three mandated.
SHARING WITH INTERNATIONAL PARTNERS
The New UK System (from 2 Apr 14):
Tier One / Tier Two / Tier Three
OFFICIAL[9] / SECRET / TOP SECRET
INTERNATIONAL CLASSIFICATIONS – International Information being received by UK
UNCLASSIFIED
UK will treat as OFFICIAL / RESTRICTED
UK will treat as OFFICIAL – SENSITIVE but with slightly less discretion (as mandated in international agreements (see below)) / CONFIDENTIAL
No UK equivalent
UK will treat as SECRET[10] / SECRET
UK will treat as SECRET / TOP SECRET
UK will treat as TOP SECRET
Sharing Information: Author/owner or recipient to determine.
Remote working: User to determine but ensure information cannot be overlooked.
IT Transmission of Information: User discretion but in most circumstances HMG approved IT systems / devices.
Storage: User discretion but in most circumstances, HMG approved IT systems / devices, or physical ‘standard’ lock & key. / Sharing: HMG recipient to determine on a clear ‘need to know’ basis.
External organisations to seek HMG authority to share
Remote working: Not permitted unless suitably configured devices/services are used; essential that information cannot be overlooked.
Transmission: Mandatory HMG approved IT systems / devices.
Storage: HMG approved IT systems / devices, or physical ‘standard’ lock & key. / Sharing Info: No change
Transmission of Information: Legacy[11] ‘CONFIDENTIAL’ system or Tier Two IT system mandated.
Storage: Legacy ‘CONFIDENTIAL’ IT system or Tier Two system mandated.
Legacy Phys Sy measures moving to Tier Two as soon as practicable. / Sharing Info: No change
HMG approved IT systems / devices for Tier Two mandated / No Change
HMG approved IT systems / devices for Tier Three mandated
V2.5 dated Wednesday, 21 Aug 2013
[1] The majority of routine HMG business will be conducted in this space. The aim is for all Tier 1 HMG IT to have Foundation Grade Encryption (or suitable alternative control) and to allow considerably more remote working and use of additional mobile IT devices.
[2] The majority of routine HMG business will be conducted in this space. The aim is for all Tier 1 HMG IT to have Foundation Grade Encryption (or suitable alternative control) and to allow considerably more remote working and use of additional mobile IT devices.
[3] E.g. UK EYES ONLY, FIVE EYES, UK/US EYES ONLY etc.
[4] OFFICIAL-SENSITIVE PERSONAL: Information which MOD has a legal duty to protect under the Data Protection Act. Note: this does not mean that every individual piece of personal data is SENSITIVE. See GSC FAQ 3.
[5] OFFICIAL-SENSITIVE COMMERCIAL: Information which is SENSITIVE and can only be shared with appropriate contract companies under HMG contracting policies or legal requirement.
[6] The document circulation is limited to that described in the ‘distribution list’ and must be ‘locked down’ within a controlled ‘team site’ or ‘file folder’.
[7] The majority of routine HMG business will be conducted in this space. The aim is for all Tier 1 HMG IT to have Foundation Grade Encryption (or suitable alternative control) and to allow considerably more remote working and use of additional mobile IT devices.
[8] Legacy IT systems accredited for Confidential to be reassessed in line with CIO policy
[9] The majority of routine HMG business will be conducted in this space. The aim is for all Tier 1 HMG IT to have Foundation Grade Encryption (or suitable alternative control) and to allow considerably more remote working and use of additional mobile IT devices.
[10] When the UK receives a CONFIDENTIAL document from an international partner, it may need to be dual marked, e.g. UK SECRET / NATO CONFIDENTIAL, so that we do not potentially confuse our partners by sending back a document which they may interpret as INTERNATIONAL SECRET when it is in fact only INTERNATIONAL CONFIDENTIAL.
[11] Legacy IT systems accredited for Confidential to be reassessed in line with CIO policy