According to the State Department’s Foreign Affairs Manual (FAM), department employees are allowed to send most Sensitive But Unclassified (SBU) information unencrypted over the Internet only when necessary.
In August 2008, the FAM is amended to further toughen the rules on sending SBU information on non-department-owned systems at non-departmental facilities – such as Clinton’s later use of a private email server. Employees have to:
- ensure that SBU information is encrypted
- destroy SBU information on their personally owned and managed computers and removable media when the files are no longer required
- implement encryption certified by the National Institute of Science and Technology (NIST)
The FBI will later determine that SBU information was frequently and knowingly sent to and from Clinton’s private server, but none of these steps were taken. (Federal Bureau of Investigation, 9/2/2016)