
Information Classification & Handling Policy
- Document ID: AUL-POL-04
- Version: 1.0
- Classification: Internal
- Owner: Chief Technology Officer / ISSM
- Effective: TBD-YYYY-MM-DD
- Next Review: TBD-YYYY-MM-DD
1. Purpose
This policy establishes the information classification scheme for Aulendur Labs, Inc. and defines the handling, storage, transmission, and disposal requirements for each classification level. Proper classification protects Controlled Unclassified Information (CUI), ITAR-controlled technical data, and business-sensitive information from unauthorized disclosure, while avoiding over-classification that impedes legitimate work. This policy implements NIST SP 800-171 Rev. 3 controls 03.04.11 (Information Location) and 03.01.22 (Publicly Accessible Content), and supports media protection controls in the 03.08 family.
2. Scope
This policy applies to:
- Personnel: All employees, contractors, interns, advisors, and third parties who create, receive, process, store, or transmit Aulendur information.
- Systems: All information systems, storage media (digital and physical), and communication channels used for Aulendur business.
- Data: All information created, received, or maintained by or on behalf of Aulendur Labs, in any format (electronic, paper, verbal).
- Locations: Omaha headquarters, remote work locations, cloud environments (Linode, Cloudflare, AWS, Google Workspace), and third-party facilities.
3. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves this policy; resolves classification disputes escalated by the CTO/ISSM. |
| Chief Technology Officer (CTO) / ISSM | Owns this policy; defines classification criteria; audits classification accuracy; approves CUI and ITAR designations. |
| Data Owner | Classifies information under their stewardship; authorizes access based on need-to-know; reviews classifications annually. |
| All Personnel | Apply correct classification markings; handle information per its classification level; report suspected misclassification or spillage. |
4. Policy Statements
4.1 Classification Levels
4.1.1 Aulendur Labs shall use the following classification levels, in order of increasing sensitivity:
| Level | Description | Examples |
|---|---|---|
| Public | Information approved for unrestricted release. No damage from disclosure. | Published blog posts, marketing materials, public job postings. |
| Internal | Information intended for Aulendur personnel only. Minor business impact if disclosed. | Internal meeting notes, non-sensitive project plans, organizational charts, this policy library. |
| Confidential | Sensitive business information. Significant competitive, financial, or reputational harm if disclosed. | Financial projections, investor materials, unpublished product designs, source code, trade secrets, personnel records. |
| CUI | Controlled Unclassified Information subject to safeguarding requirements per 32 CFR Part 2002 and DFARS 252.204-7012. | Technical data under DTRA SBIR Phase I (MJOLNuR/REINIT), contract deliverables marked CUI, vulnerability assessment results for DoD systems. |
| ITAR | Technical data controlled under the International Traffic in Arms Regulations (22 CFR 120-130). | Defense articles, technical data on the United States Munitions List (USML) related to Aulendur's defense products, if applicable. |
4.1.2 CUI shall be further categorized per the CUI Registry categories applicable to Aulendur's contracts. At minimum, the following CUI categories apply: CTI (Controlled Technical Information), EXPT (Export Controlled), and PRVCY (Privacy) where personnel data is involved in contract performance.
4.1.3 Information shall be classified at the highest applicable level. If information combines elements of multiple classifications (e.g., Confidential source code that also contains CUI), the most restrictive handling requirements shall apply.
4.2 Classification Authority and Process
4.2.1 Data Owners shall classify information at the time of creation or receipt. If the appropriate classification is uncertain, the Data Owner shall apply the higher classification and consult the CTO/ISSM within 5 business days.
4.2.2 CUI designation authority rests with the originating government agency. Aulendur shall classify information as CUI only when: (a) the information is received with CUI markings from a government source, (b) the applicable contract or statement of work specifies CUI categories, or (c) the CTO/ISSM determines the information falls within a CUI category based on contract requirements.
4.2.3 ITAR classification shall be determined by the CTO/ISSM with legal counsel from Michael Best as needed. Aulendur shall not self-classify information as ITAR without confirming the technical data falls within a USML category.
4.2.4 Data Owners shall review the classification of their information at least annually and reclassify or declassify as appropriate.
4.3 Marking Requirements
4.3.1 CUI marking shall comply with 32 CFR Part 2002 and DoD Instruction 5200.48. At minimum, CUI documents shall bear: (a) the "CUI" banner marking on each page, (b) the CUI category designation (e.g., "CUI//CTI"), (c) the dissemination control ("CUI//CTI//NOFORN" if applicable), and (d) the designating agency or contract reference. See the CUI Marking Standard (forthcoming) for detailed formatting.
4.3.2 ITAR-controlled documents shall bear the required ITAR restrictive legend per 22 CFR 125.4(b).
4.3.3 Confidential documents shall be marked "CONFIDENTIAL — Aulendur Labs" in the header or footer.
4.3.4 Internal documents shall bear "Internal Use Only" or the equivalent in the document footer. The policy library's default classification is Internal.
4.3.5 Public documents require no marking but shall be approved for public release by the CTO/ISSM before distribution (NIST SP 800-171 R3 03.01.22).
4.3.6 Electronic files shall include classification in the filename or metadata where the file format permits. Email containing CUI shall include "CUI" in the subject line.
4.4 Handling Requirements
4.4.1 The following minimum handling requirements apply:
| Requirement | Public | Internal | Confidential | CUI | ITAR |
|---|---|---|---|---|---|
| Storage at rest | No restriction | Aulendur-managed systems | Encrypted (AES-256 or FIPS 140-2/3 validated) | FIPS 140-2/3 validated encryption; CUI Enclave (planned AWS GovCloud) | FIPS 140-2/3 validated encryption; US-person access only; US-based infrastructure |
| Transmission | No restriction | TLS 1.2+ | TLS 1.2+ or equivalent | FIPS 140-2/3 validated encryption in transit (TLS 1.2+ with FIPS cipher suites) | FIPS 140-2/3 validated; US-person access only |
| Access control | None | Aulendur personnel | Need-to-know + Data Owner authorization | Need-to-know + CTO/ISSM authorization + US-person verification for export-controlled CUI | Need-to-know + CTO/ISSM authorization + US-person verification |
| Printing | Unrestricted | Aulendur printers | Retrieve immediately; shred when done | Minimize; retrieve immediately; shred per NIST SP 800-88 | Minimize; retrieve immediately; shred per NIST SP 800-88 |
| Disposal | No restriction | Delete from Aulendur systems | Cryptographic erase or NIST SP 800-88 media sanitization | NIST SP 800-88 Purge or Destroy | NIST SP 800-88 Destroy |
| External sharing | Permitted | NDA required | NDA + CEO or CTO/ISSM approval | Per contract terms; DD Form 254 if applicable | TAA/MLA required; State Dept. authorization |
4.4.2 CUI shall not be stored on personal devices, personal cloud accounts, or any system outside Aulendur's authorized boundary. At present, authorized CUI storage locations are limited to the planned AWS GovCloud CUI Enclave. Until the enclave is operational, CUI shall be handled per the interim procedures approved by the CTO/ISSM.
> [!NOTE]
> DECISION POINT: The CUI Enclave (AWS GovCloud) is not yet operational. Until it is, CUI received from government sources shall be stored in a segregated, encrypted Google Drive folder with access restricted to CTO/ISSM only, with FIPS 140-2 validated encryption on the endpoint. This is an interim compensating control that should be formalized with a POA&M entry and target date for GovCloud deployment.
4.4.3 ITAR-controlled data shall not be accessed by, disclosed to, or stored in systems accessible to non-US persons, per 22 CFR 120.16 and 22 CFR 125.
4.5 Information Location Tracking
4.5.1 The CTO/ISSM shall maintain an inventory of systems and storage locations where CUI and ITAR-controlled data resides (NIST SP 800-171 R3 03.04.11). This inventory shall be documented in the Asset Register (forthcoming) and updated within 5 business days of any change.
4.5.2 CUI and ITAR-controlled data shall not be replicated to unauthorized locations. Automated replication, backup, and synchronization configurations shall be reviewed to verify they do not copy CUI or ITAR data outside the authorized boundary.
4.6 Publicly Accessible Content
4.6.1 The CTO/ISSM shall review all information proposed for public release (website, social media, conference presentations, publications, open-source repositories) to verify that no Internal, Confidential, CUI, or ITAR-controlled information is disclosed (NIST SP 800-171 R3 03.01.22).
4.6.2 Public GitHub repositories under the AulendurForge organization shall be reviewed by the CTO/ISSM before initial publication and before each release that adds substantive content. The review shall verify no CUI, ITAR data, credentials, or Confidential information is included.
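The pre-publication review in 4.6.1 and 4.6.2 can be supported by a mechanical first pass that looks for the markings section 4.3 requires and for obvious credential material, then applies the highest-applicable-level rule of 4.1.3 to decide whether a file may be considered for public release. The following script is an added illustration and is not part of this policy library or any Aulendur tooling; the sample files are constructed, the credential patterns (AWS access key ID prefix, PEM private-key header) are an assumption about what "credentials" means in 4.6.2, and the ITAR pattern is an assumption because the policy does not quote the legend text from 22 CFR 125.4(b). A clean result is not approval: the CTO/ISSM review remains the control, and anything flagged goes to that reviewer rather than being auto-rejected.

```python
import re
from dataclasses import dataclass, field

# Classification levels in increasing sensitivity, as listed in 4.1.1.
LEVELS = ["Public", "Internal", "Confidential", "CUI", "ITAR"]

# Content markings from section 4.3. The CUI pattern also captures category and
# dissemination-control suffixes such as "CUI//CTI//NOFORN" (4.3.1). The ITAR pattern
# is an assumption: the policy does not quote the legend text, so it keys on the
# "ITAR" token and the 22 CFR 125.4 citation rather than specific legend wording.
MARKING_PATTERNS = {
    "ITAR": re.compile(r"\b(?:ITAR|22\s*CFR\s*125\.4)\b", re.I),
    "CUI": re.compile(r"\bCUI(?://[A-Z]+)*\b"),
    "Confidential": re.compile(r"CONFIDENTIAL\s*[^\w\s]?\s*Aulendur Labs", re.I),
    "Internal": re.compile(r"Internal Use Only", re.I),
}

# 4.3.6: classification may also be carried in the filename. Tokens are matched only
# when not glued to other letters, so "phase1-CUI-report.pdf" matches and "circuit" does not.
FILENAME_PATTERN = re.compile(r"(?<![A-Za-z])(CUI|ITAR|CONFIDENTIAL)(?![A-Za-z])", re.I)
FILENAME_LEVELS = {"cui": "CUI", "itar": "ITAR", "confidential": "Confidential"}

# Assumed credential indicators for the 4.6.2 check (AWS key ID prefix, PEM private key).
CREDENTIAL_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}


@dataclass
class ReviewResult:
    path: str
    effective_level: str
    findings: list = field(default_factory=list)

    @property
    def releasable(self) -> bool:
        # 4.6.1: only Public content may be released; any finding (marking or
        # credential) holds the file for CTO/ISSM review instead.
        return self.effective_level == "Public" and not self.findings


def highest_level(levels):
    """4.1.3: information carrying several markings takes the most restrictive level."""
    return max(levels, key=LEVELS.index, default="Public")


def review_for_public_release(path: str, text: str) -> ReviewResult:
    """Scan one file's name and content; return its effective level and review findings."""
    detected, findings = [], []
    for level, pat in MARKING_PATTERNS.items():
        m = pat.search(text)
        if m:
            detected.append(level)
            findings.append(f"{level} marking in content: {m.group(0)!r}")
    m = FILENAME_PATTERN.search(path)
    if m:
        level = FILENAME_LEVELS[m.group(1).lower()]
        detected.append(level)
        findings.append(f"{level} marking in filename: {m.group(1)!r}")
    for label, pat in CREDENTIAL_PATTERNS.items():
        if pat.search(text):
            findings.append(f"possible {label} in content")
    return ReviewResult(path, highest_level(detected), findings)


def review_tree(files: dict) -> dict:
    """Review every (path -> text) entry; in practice this is fed from a checkout."""
    return {p: review_for_public_release(p, t) for p, t in files.items()}


def release_blockers(results: dict) -> list:
    """Paths that must be held for CTO/ISSM review before the repository is published."""
    return [p for p, r in results.items() if not r.releasable]


# Constructed sample repository contents; the AWS key ID is the documented AWS example value.
SAMPLE_FILES = {
    "README.md": "Forge CLI: open-source build tooling from Aulendur Labs. Apache-2.0.\n",
    "docs/design-notes.md": "Internal Use Only\nDraft architecture.\nCONFIDENTIAL - Aulendur Labs\n",
    "reports/phase1-CUI-deliverable.txt": "CUI//CTI//NOFORN\nAssessment results follow.\n",
    "tools/config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
}

if __name__ == "__main__":
    results = review_tree(SAMPLE_FILES)
    for path, r in results.items():
        status = "ok" if r.releasable else "HOLD"
        print(f"{status:4} {r.effective_level:12} {path}")
        for f in r.findings:
            print(f"       - {f}")
    print("blocked:", release_blockers(results))
```

The scan is deliberately greedy: a README that merely mentions "CUI" will be held, because 4.6.1 makes the reviewer, not the script, the authority on release. Running it from a pre-push hook or CI job gives the CTO/ISSM a findings list to work from rather than a blank repository to read.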
4.7 Spillage Response
4.7.1 If CUI or ITAR-controlled data is discovered in an unauthorized location (a "spillage"), the discovering individual shall: (a) stop further distribution, (b) notify the CTO/ISSM within 1 hour, and (c) not attempt to delete the data without CTO/ISSM direction.
4.7.2 The CTO/ISSM shall follow the CUI Spillage Procedure (forthcoming) to contain, sanitize, and report the spillage. CUI spillage may constitute a cyber incident reportable under DFARS 252.204-7012.
5. Standards & Procedures Referenced
The following companion documents implement this policy:
- CUI Handling Policy (forthcoming)
- Export Control Policy (ITAR/EAR) (forthcoming)
- Data Retention & Disposal Policy (forthcoming)
- CUI Marking Standard (forthcoming)
- CUI Spillage Procedure (forthcoming)
- Asset Register: registers/asset-register.md (forthcoming)
6. Compliance & Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, civil penalties, and criminal prosecution where applicable. Mishandling of CUI may trigger DFARS 252.204-7012 incident reporting obligations. Unauthorized export of ITAR-controlled data may result in criminal penalties under 22 USC 2778 (up to $1,000,000 fine and 20 years imprisonment per violation). Suspected violations shall be reported to the CTO/ISSM.
7. Exceptions
Exceptions to this policy require written approval per the Policy Exception & Waiver Policy (forthcoming). Exceptions involving CUI or ITAR handling shall additionally require CEO approval. Exceptions are time-bounded (maximum 90 calendar days for CUI/ITAR matters), backed by compensating controls, and tracked in the Exception Register.
8. Definitions
| Term | Definition |
|---|---|
| CUI | Controlled Unclassified Information, per 32 CFR Part 2002. |
| CTI | Controlled Technical Information — technical data with military or space application subject to DoD distribution controls (DFARS 252.204-7012). |
| ITAR | International Traffic in Arms Regulations (22 CFR 120-130). |
| EAR | Export Administration Regulations (15 CFR 730-774). |
| USML | United States Munitions List — the list of defense articles, defense services, and related technical data controlled by ITAR. |
| Data Owner | The individual or role accountable for the classification, protection, and authorized use of a defined data set. |
| Need-to-know | A determination that a person requires access to specific information to perform their assigned duties. |
| Spillage | The unauthorized transfer of classified or controlled information to a system or location not authorized for that level of information. |
| US Person | A US citizen, lawful permanent resident, or protected individual as defined in 8 USC 1324b(a)(3). |
| FIPS 140-2/3 | Federal Information Processing Standards for cryptographic module validation. |
| NIST SP 800-88 | Guidelines for Media Sanitization — the standard for sanitization of storage media. |
9. References
- NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- 32 CFR Part 2002, Controlled Unclassified Information
- DoD Instruction 5200.48, Controlled Unclassified Information
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- ITAR (22 CFR 120-130), International Traffic in Arms Regulations
- EAR (15 CFR 730-774), Export Administration Regulations
- NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
10. Control Mappings
| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.04.11 | Information Location | Full |
| NIST SP 800-171 R3 | 03.01.22 | Publicly Accessible Content | Full |
| NIST SP 800-171 R3 | 03.08.01 | Media Storage | Partial — physical media details in AUL-POL-11 |
| NIST SP 800-171 R3 | 03.08.02 | Media Access | Partial — physical media details in AUL-POL-11 |
| NIST SP 800-171 R3 | 03.08.04 | Media Marking | Partial — detailed marking in AUL-POL-23 and AUL-STD-07 |
| CMMC 2.0 L2 | SC.L2-3.13.16 | Data at Rest | Supports — encryption requirements detailed in AUL-POL-21 |
| NIST SP 800-53 R5 | RA-2 | Security Categorization | Full |
| NIST SP 800-53 R5 | MP-2 | Media Access | Partial |
| NIST SP 800-53 R5 | MP-3 | Media Marking | Partial |
| NIST SP 800-53 R5 | AC-22 | Publicly Accessible Content | Full |
| NIST SP 800-53 R5 | SA-4(12) | Information Location | Full |
11. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |
© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.