Do Not Include Sensitive Security Information

FAA websites will not contain the following types of sensitive information, unless there is a compelling reason:

1. Classified records
2. Internal personnel rules and procedures
3. Sensitive unclassified information marked
   • For Official Use Only
   • Sensitive Security Information
   • By other agencies, for example, Sensitive But Unclassified (SBU), Limited Official Use (LOU), Official Use Only (OUO)
4. Trade secret and proprietary information
5. Information protected by an international treaty
6. Export controlled information
7. Procurement sensitive information, for example,
   • Source evaluation information
   • Technical proposals and seller quotes
   • Negotiating positions
8. Personal information about FAA staff, this would include all items covered by the Privacy Act of 1974, including
   • Home addresses and phone numbers
   • Social Security Numbers (SSNs)
   • Detailed biographical information that could be used for social engineering
   • Information on family members
9. Schedules of FAA executives and their exact location including whether they are on or off the property
10. Information on preparation of hazardous materials or toxins
11. Sensitive information about homeland security, for example,
    • Protected Critical Infrastructure Information (PCII)
    • Sensitive Homeland Security Information (SHSI)
12. Investigative records
13. FAA enforcement actions
14. Medical records and information about individuals
15. Sensitive legal information, for example
    • Deliberative process information
    • Attorney work product information
    • Attorney-client information
16. Financial records not approved for public release
17. Information on our physical security and information security procedures
18. Information on FAA identification, credentials, and badges, including pictures of badges and credentials
19. Information about our network and information system infrastructure, for example,
    • Passwords or pass phrases
    • Address ranges
    • Naming conventions
    • Access numbers
    • Network configurations and designs
    • Operating system information used on specific servers, for example, vendor, product, and version
    • Internet Protocol Addresses
    • Telephone numbers for dial-up computer connections
    • IT system capabilities or limits
    • System security plans, risk analyzes, system vulnerabilities, procedures, and control methods
    • System compromise information
    • System security auditing logs
20. Information that specifies or implies physical security or information security vulnerabilities
21. Plans, maps, diagrams, aerial photographs, and architectural plans of FAA facilities
22. Information on disaster recovery or continuity of operations plans except as needed to inform the public of their roles and actions during and after disasters
23. Details on emergency response procedures, for example,
    • Contingency plans
    • Air traffic procedures for handling emergencies, such as, hijackings
    • Evacuation routes
    • Personnel responsible for emergency response
24. Copyrighted material without the written permission of the owner
25. Privacy or security policies pointing out the types of security measures in place to the degree that they may be useful to an attacker.

If you have questions, please contact your Web Liaison.