[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
PSEUDO-CLASSIFICATION OF EXECUTIVE BRANCH DOCUMENTS: PROBLEMS WITH THE 
TRANSPORTATION SECURITY ADMINISTRATION'S USE OF THE SENSITIVE SECURITY 
                        INFORMATION DESIGNATION

=======================================================================


                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS

                                 of the

                         COMMITTEE ON OVERSIGHT

                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 29, 2014

                               __________

                           Serial No. 113-121

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform




                  U.S. GOVERNMENT PRINTING OFFICE
88-973                    WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of 
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT, 
TREY GOWDY, South Carolina               Pennsylvania
BLAKE FARENTHOLD, Texas              TAMMY DUCKWORTH, Illinois
DOC HASTINGS, Washington             ROBIN L. KELLY, Illinois
CYNTHIA M. LUMMIS, Wyoming           DANNY K. DAVIS, Illinois
ROB WOODALL, Georgia                 PETER WELCH, Vermont
THOMAS MASSIE, Kentucky              TONY CARDENAS, California
DOUG COLLINS, Georgia                STEVEN A. HORSFORD, Nevada
MARK MEADOWS, North Carolina         MICHELLE LUJAN GRISHAM, New Mexico
KERRY L. BENTIVOLIO, Michigan        Vacancy
RON DeSANTIS, Florida

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                    Stephen Castor, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director

                 Subcommittee on Government Operations

                    JOHN L. MICA, Florida, Chairman
TIM WALBERG, Michigan                GERALD E. CONNOLLY, Virginia 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
THOMAS MASSIE, Kentucky              MARK POCAN, Wisconsin
MARK MEADOWS, North Carolina


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on May 29, 2014.....................................     1

                               WITNESSES

Ms. Annmarie Lontz, Division Director, Office of Security 
  Services and Assessments, Transportation Security 
  Administration
    Oral Statement...............................................     5
Mr. John Fitzpatrick, Director, Information Security Oversight 
  Office, National Archives and Records Administration
    Oral Statement...............................................     7
    Written Statement............................................     9
Ms. Patrice McDermott, Executive Director Openthegovernment.org 
  Coalition
    Oral Statement...............................................    16
    Written Statement............................................    19

                                APPENDIX

Joint Staff Report Prepared for Chairman Issa and Rep. Cummings..    40
Questions for the Record for Annmarie Lontz, TSA.................    69


PSEUDO-CLASSIFICATION OF EXECUTIVE BRANCH DOCUMENTS: PROBLEMS WITH THE 
TRANSPORTATION SECURITY ADMINISTRATION'S USE OF THE SENSITIVE SECURITY 
                        INFORMATION DESIGNATION

                              ----------                              


                        Thursday, May 29, 2014,

                  House of Representatives,
             Subcommittee on Government Operations,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 10:00 a.m., in 
Room 2154, Rayburn House Office Building, Hon. John Mica 
[chairman of the subcommittee] presiding.
    Present: Representatives Mica, Meadows, Amash, Issa, and 
Connolly.
    Staff Present: Molly Boyl, Majority Deputy General Counsel 
and Parliamentarian; Ashley H. Callen, Majority Deputy Chief 
Counsel for Investigations; Sharon Casey, Majority Senior 
Assistant Clerk; Kate Dunbar, Majority Professional Staff 
Member; Adam P. Fromm, Majority Director of Member Services and 
Committee Operations; Linda Good, Majority Chief Clerk; Ashok 
M. Pinto, Majority Chief Counsel, Investigations; Andrew 
Rezendes, Majority Counsel; Jaron Bourke, Minority Director of 
Administration; Krista Boyd, Minority Deputy Director of 
Legislation/Counsel; Aryele Bradford, Minority Press Secretary; 
Cecelia Thomas, Minority Counsel; and Michael Wilkins, Minority 
Staff Assistant.
    Mr. Mica. Good morning. I would like to welcome everyone to 
the Subcommittee on Government Operations hearing this morning. 
This morning's hearing will cover the subject and the title of 
the hearing, in fact, is Pseudo-Classification of Executive 
Branch Documents: Problems with the Transportation Security 
Administration's Use of Sensitive Security Information 
Designation. That is the title and subject of our hearing 
today.
    The order of business will be first we will hear from 
members with opening statements.
    Mr. Connolly, the ranking Democrat member, is delayed. I 
have asked one of the representatives of the minority side 
staff to sit in until he is able to join us. He has a markup, 
but we do want to proceed with the hearing. We have a long 
legislative day today and we want to conclude and also, of 
course, proceed with this hearing in an orderly fashion. So the 
order of business will be opening statements. We will recognize 
Mr. Connolly when he is able to join us, but we are going to 
proceed with the hearing.
    After that, we have three witnesses this morning. I will 
identify them, they will be sworn in, and we will proceed with 
their testimony.
    And from that point, after we hear from all three 
witnesses, we will go to questions.
    With that, I will begin with my opening statement.
    Again, I thank everyone for joining us today. One of the 
things, Mr. Issa, chairman of the full committee, always states 
is the purpose of our Oversight and Reform Committee is to be 
good stewards of the trust the American people have given the 
responsibility of Congress with, and that is to make certain 
that programs work efficiently, economically, and also in 
concert with the intent of Congress.
    We are stewards of that important trust and it is important 
that a committee such as ours, which dates back to the early 
1800s, when the founding fathers wanted to make certain that 
not only programs that were created worked as intended, but 
also that, when they were funded, they were responsibly funded 
and there was accountability and responsibility. So that is the 
purpose of our committee and this subcommittee's charge, and we 
take that responsibility to protect the rights and also the 
trust of the American people in making certain that the Federal 
bureaucracy, those responsible, operate in an accountable 
manner.
    So, with that, let me start with my opening statement.
    We are actually going to hear the culmination of a 
committee's investigation over the past year and a half into 
problems with the TSA's use of sensitive security information 
designation. The report that has been prepared by the inspector 
general unfortunately confirms the fact that TSA gamed the 
system to use a security classification or those 
classifications to keep Congress and the public from having 
access to key information in order to protect their own turf. 
That is what I believe the report shows. I also believe the TSA 
must end its arbitrary use of sensitive security information 
designation and use of it improperly, and ensure the security 
and accountability the public becomes its primary concern.
    So today we are going to examine the misuse of the 
designation. We will explore the improvements TSA has made, 
some of the report covers some earlier years. We will look at 
that. And we will also see what the agency has done to educate 
staff since the committee's investigation began and address the 
labeling of non-classified information beyond TSA throughout 
the Federal Government, because we found some similar abuses in 
other agencies.
    Pursuant to the Air Transportation Security Act of 1974, 
the Federal Aviation Administration created a category of 
security classification and it is entitled Sensitive Security 
Information, or SSI, as it is commonly called, a category of 
sensitive but, in fact, unclassified information.
    It is important to note that we are not talking about 
classified information today. We are not going to discuss 
classified information. Rather, the subject of this hearing is 
the realm of unclassified information in this particular 
designation, SSI. The SSI designation is a pseudo-
classification and is not afforded the same protection as other 
classified information, such as top secret or secret. The SSI 
regulation restricts the disclosure of information designated 
as SSI because public disclosure would be detrimental to, in 
this case, transportation security.
    When used properly, the SSI designation protects sensitive 
information from public disclosure, which could in some cases 
be detrimental to certain security interests. Because SSI is an 
internal TSA, and again we term it pseudo-classification; 
however, there is potential for misuse of the designation and, 
unfortunately, we have seen that to be the case.
    Bipartisan concerns about TSA's use or misuse of the SSI 
designation have existed since the promulgation of the 
regulation in 2004. Following a congressional request to review 
how TSA used its SSI authority to withhold information from the 
public, GAO released a report in 2005 finding that TSA lacked 
adequate internal controls to provide reasonable assurance that 
the agency is applying the SSI designation consistently.
    In July of 2011, DHS Deputy Secretary Counsel Joseph Mayer 
alleged that subcommittee of this full committee, the chairman, 
Jason Chaffetz, had unlawfully released portions of a DHS 
PowerPoint presentation designated as SSI, and that alleged 
offense, according to, again, DHS, took place during a National 
Security Homeland Defense and Foreign Operations Subcommittee 
hearing, and that is one of the subcommittees I am privileged 
to serve on with Mr. Chaffetz.
    Chairman Issa responded to the allegations to then 
Secretary Napolitano, explaining that Congress is not covered 
by the regulation governing SSI protection. Such a lack of 
understanding or disregard of the SSI designation at the 
highest levels of DHS was concerning.
    The subsequent exchange between the committee and DHS 
prompted a whistleblower at TSA to contact the committee with 
information regarding the misuse of the SSI designation by 
political staff at TSA. Our committee, perhaps more than any 
other, relies on whistleblowers that come forward from the 
Federal Government departments and agencies, and they often 
give us tips and information in identifying waste, fraud, and 
abuse.
    As a result of that whistleblowing information, the 
committee conducted and transcribed interviews with current and 
former TSA SSI office staff and we obtained hundreds of pages 
of documents responsive to formal document requests made to 
TSA.
    I am pleased today to announce that Chairman Issa and 
Ranking Member Cummings are releasing a joint staff report that 
contains our investigation findings and recommendations. We 
look forward to making this report a full committee report and 
we will have it under consideration, I am told, at the next 
full committee business meeting.
    I would like to ask unanimous consent to enter a joint 
staff report into the record at this time. Without objection, 
so ordered.
    Mr. Mica. The witness testimony and documents show that TSA 
officials manipulated SSI designations to prevent the release 
of non-SSI documents. This was first against the advice of 
TSA's SSI office, whose mission is to evaluate information and 
determine whether it qualifies in the very beginning as SSI and 
for that designation. TSA also released SSI documents against 
the advice of career staff at the SSI office.
    While the TSA administrator has the final authority to 
determine whether information is classified as SSI under the 
regulation, the administrator must submit written explanations 
of the SSI decision to the SSI office in a timely fashion. 
Unfortunately, repeated failures by TSA officials to submit 
written determinations supporting the release or withholding of 
SSI caused a rift between senior TSA leadership and the SSI 
office. This rift resulted in the inconsistent application of 
the SSI designation. Such consistency, unfortunately, is also 
shown to be detrimental to the process of protecting sensitive 
transportation security information.
    As a result of the committee's investigation, TSA has made 
some changes and improvements to its processes for the handling 
of this SSI information. We look forward to hearing from the 
witnesses today to hear more about the progress that has been 
made and improvements by the agency.
    TSA's handling of SSI, again, information and use of that 
designation reveals a broader problem, again, of pseudo-
classification of information across Federal departments and 
agencies, so we found in looking at TSA, unfortunately we found 
also extends beyond the borders of that agency, and there are 
broad concerns that agencies, other agencies are using pseudo-
classification designations to make it difficult for requesters 
such as Congress and others to acquire unclassified 
information.
    This raises the possibility that officials may use such 
information labeling to control the release of non-classified 
information for political reasons or purposes, again, some 
serious concerns, and again keeping both the Congress and the 
public from obtaining information of sort of covering their 
turf base or improperly using that designation.
    Limits on pseudo-classifications are needed, in fact, we 
think to provide greater transparency and accountability to the 
public while promoting information security. We have to do 
both. The committee plans to examine this issue in greater 
detail and I look forward to future hearings on our findings.
    I am grateful for the witnesses who are appearing today and 
others who have cooperated with the committee. This has been a 
fully bipartisan effort and investigation, and the product that 
they have produced that will be made part of the record and 
accepted by the full committee is again a work developed by 
both sides of the aisle. So I look forward to hearing testimony 
today and at this time prepared to hear opening statements or 
comments from other members. Mr. Meadows?
    Mr. Meadows. I will be very brief. Thank you, Mr. Chairman, 
for calling this hearing and for this bipartisan effort to 
address this issue.
    Truly, from the witnesses, what I would look for is how we 
can improve the process. I think the American people deserve 
transparency, and any time that that doesn't happen, whether it 
is intentional or not, it gives a level of distrust, and right 
now we need to build back that trust in terms of our 
Government. There are hundreds of thousands of great Federal 
workers, and for each occasion where something like this gets 
classified in a wrong setting or the impression is that we are 
hiding information, it undermines their credibility.
    The American people can handle the truth; we just need to 
make sure that we give them the truth and that we are not doing 
that. So at this point I just look forward to your testimony. I 
thank each one of you for being here, and I thank the chairman 
for his leadership on this particular effort.
    I yield back.
    Mr. Mica. Thank you, Mr. Meadows.
    Members may have seven days to submit opening statements 
for the record.
    When Mr. Connolly returns, he will have adequate time to 
present an opening statement or participate fully in the 
hearing, and we will, as I said, proceed because we do need to 
keep up with the agenda today, a full legislative schedule.
    I will now recognize the first panel that we have.
    We have Ms. Annmarie Lontz. She is the Division Director of 
the Office of Security Services and Assessments at the 
Transportation Security Administration.
    We have Mr. John Fitzpatrick. He is the Director of 
Information Security Oversight Office at the National Archives 
and Records Administration.
    And we have Ms. Patrice McDermott, and she is the Executive 
Director of the Openthegovernment.org Coalition.
    So I would like to first welcome all of our witnesses. I 
don't know if you have been before our committee before or 
testified in Congress. What we normally do is we ask you to try 
to limit your remarks to approximately five minutes. We don't 
have a big panel or hearing today, so we will be a little bit 
lenient with that. But if you have additional documents or 
information or extended testimony you want to be made part of 
the record, just a request to the chair and we will make 
certain it appears in the record.
    We are also an investigative and oversight committee of 
Congress, so, therefore, we swear in our witnesses. So if you 
would stand at this time and be sworn. Raise your right hands.
    Do you solemnly swear or affirm that the testimony you are 
about to give before this subcommittee of Congress is the whole 
truth and nothing but the truth?
    [Witnesses respond in the affirmative.]
    Mr. Mica. All of the witnesses, the record will reflect, 
answered in the affirmative, so we will proceed with our first 
panel.
    Let me first recognize and welcome Annmarie Lontz. Again, 
she is the Division Director of the Office of Security Services 
and Assessments at TSA.
    Welcome, and you are recognized.

                       WITNESS STATEMENTS

                  STATEMENT OF ANNMARIE LONTZ

    Ms. Lontz. Chairman Mica, Ranking Member Connolly, and 
members of the subcommittee, thank you for the opportunity to 
testify today regarding sensitive security information, or SSI, 
and the improvements made by the Transportation Security 
Administration regarding training, designation, and handling.
    As the Division Director for the Security Services and 
Assessments Division for nearly one year, one of my 
responsibilities is overseeing the SSI program office, whose 
charged with the management, consistent application, 
identification, safeguarding, and redaction of SSI. The SSI 
program office is staffed by career professionals with 
significant experience and a comprehensive understanding of SSI 
and its role in transportation security.
    SSI is one of the few types of sensitive, but unclassified, 
information defined by statute. Congress authorized the Federal 
Aviation Administration to designate SSI in the 1970s and the 
FAA promulgated regulations to implement that congressional 
mandate. When TSA was created, Congress also authorized TSA to 
designate information as SSI, and TSA regulations to promulgate 
this mandate are found in 49 CFR Part 1520.
    The SSI designation was designed as a tool to protect 
information obtained or developed in the conduct of security 
activities, recognizing the potential need to share this 
information with non-governmental entities, including airlines 
and other stakeholders.
    When it provideD TSA with SSI designation authority, 
Congress also empowered the administrator of TSA to make final 
determinations on the disclosure of SSI. TSA's management 
directive and associate guidance, which governs the SSI 
program, provides considerations for ensuring that SSI is 
treated in a manner consistent with the regulation. This 
directive requires the release of as much information as 
possible without compromising transportation security, while 
taking into consideration the information's operational use to 
adversaries, the level of detail, the public availability of 
the information, and the age of the record. The goal is to 
redact as little information as possible to protect SSI.
    The SSI program continually evaluates program requirements 
and areas for potential improvement. TSA has undertaken 
significant enhancements to the program's policies, training, 
and management of SSI, including updating the SSI training and 
making it mandatory for all TSA employees and contractors on an 
annual basis, refining the redaction process, developing a 
comprehensive policies and procedures handbook to eliminate 
gaps in previous guidance, defining specific roles and 
responsibilities, improving reference guides for DHS employees 
and contractors, leveraging available technology to improve 
operations and engage personnel, and standardizing the process 
through which the administrator may revoke the SSI designation.
    Training is an integral part of program and process 
improvements made by TSA with regard to SSI. The SSI program 
office has implemented an extensive SSI continuing education 
training program; conducted targeted SSI advanced training and 
awareness activities for key TSA stakeholders, DHS components, 
and other Federal agencies; solidified our internal processes; 
and recruited and trained SSI coordinators throughout TSA.
    TSA supports the efforts made by Mr. Fitzpatrick and the 
National Archives with regard to controlled, unclassified 
information and has been an active participant in the 
development and preparation for implementation of CUI. While 
there is always room for improvement, I believe that TSA has in 
place a robust and mature SSI program for the safeguarding of 
sensitive, but unclassified information and, as a result, SSI 
identification and safeguarding practices are unlikely to 
change upon the implementation of CUI.
    TSA understands the importance of the SSI designation and 
recognizes the value of transparency and the need for the 
public to have access to as much information as possible. We 
will continue to seek out opportunities to further improve how 
SSI is identified, managed, redacted, and safeguarded, and work 
with Mr. Fitzpatrick's office to fulfill the intent of the 
President's Executive Order regarding controlled and classified 
information.
    I look forward to answering any additional questions that 
you may have. Thank you.
    Mr. Mica. Thank you.
    We will now turn to Mr. Fitzpatrick and welcome him and 
recognize him. Thank you.

                 STATEMENT OF JOHN FITZPATRICK

    Mr. Fitzpatrick. Thank you, Chairman Mica. Thank you for 
inviting me to testify before you today. I am John Fitzpatrick, 
the Director of the Information Security Oversight Office, 
which we call ISOO, at the National Archives and Records 
Administration.
    My office is responsible to the President for policy and 
oversight of the government-wide security classification 
system, its companions for industry and for non-Federal 
partners, and for the controlled unclassified information 
program. At ISOO, we lead efforts to standardize and assess the 
management of classified and controlled unclassified 
information through oversight of department and agency policy 
and practice.
    I will focus today on the controlled unclassified 
information, or CUI, program, its policy objectives and current 
state of development.
    Executive Order 13556 establishes a uniform system to 
manage the Executive Branch's sensitive unclassified 
information that requires safeguarding and/or dissemination 
controls pursuant to Federal law regulation or government-wide 
policy. The Executive Order designated the National Archives 
and Records Administration as the executive agent for the 
program, and the Archivist of the United States subsequently 
tasked ISOO with this mission.
    Among the program's policy objectives is the promotion of 
openness and transparency. The CUI program will replace the 
current confusing and inefficient patchwork of agency-specific 
practices with a single open and uniform system of policies, 
procedures, and markings. This new framework is intended to 
both enhance interagency trust and remove impediments to 
authorized information sharing through increased clarity of 
guidance and consistency of practices.
    ISOO maintains a publicly available registry of all 
categories and subcategories of information that meet the 
Executive Order's standard for protection, providing links to 
the text of authorizing laws, regulations, and government-wide 
policies. There are currently 22 categories and 85 
subcategories of such information, ranging from sensitive 
nuclear and critical infrastructure information to personal 
privacy and business proprietary data, as well as a host of 
other information types. Sensitive security information, or 
SSI, is one such subcategory. It is properly authorized as CUI 
according to the terms of the Executive Order.
    The CUI registry also contains all policies and guidance 
related to CUI. This serves to enhance openness and 
transparency by making the Government basis for establishing 
information controls available for all to see. These policies 
and procedures are being developed in consultation with 
affected departments and agencies. We also actively seek 
feedback from State, local, tribal, private sector, as well as 
public interest groups. Just this month we began the formal 
Federal regulatory process and will follow that process through 
agency and public comment to produce a final Federal rule.
    The relationship between the CUI program and the Freedom of 
Information Act, or FOIA, also serves the goals of openness and 
transparency. Executive Order 13556 draws a bright line between 
the two, stating that the mere fact that information is 
designated as CUI shall not have a bearing on determinations 
pursuant to any law requiring the disclosure of information or 
permitting disclosure as a matter of discretion.
    In short, CUI markings and status should not serve as a 
basis to improperly withhold information from the public, 
including under the FOIA. This point has been clarified in 
guidance we have issued in tandem with the Department of 
Justice's Office of Information Policy, and we have educated 
agencies on this subject. To further minimize unnecessary 
control, the Executive Order requires that if there is 
significant doubt about whether information meets the standard 
for CUI, it shall not be designated as such.
    The CUI program also seeks strong accountability and 
oversight. Executive departments and agencies have appointed 
senior agency officials and program managers responsible for 
program implementation within each agency. These officials are 
responsible for drafting agency implementing policies, training 
their employees on program requirements, and establishing a 
robust self-inspection program to ensure ongoing compliance. 
Our office will oversee these agency actions by reviewing 
agency policies, conducting onsite inspections, and requiring 
agencies to periodically report on the program status.
    We have begun, and will continue, to incorporate CUI 
program progress with ISOO's other reports, which are made 
public. Taken together, these requirements will help ensure the 
program is properly and successfully implemented.
    In conclusion, ISOO has established a reputation in 
government for effective oversight and sustainment of 
constructive relationships with our agency partners. We are 
well on our way to establishing a stable and robust CUI program 
for government.
    Thank you very much for your time and attention, and I will 
be happy to answer your questions.

    [Prepared statement of Mr. Fitzpatrick follows:]

    [GRAPHIC] [TIFF OMITTED]

    Mr. Mica. Thank you for your testimony, Mr. Fitzpatrick.
    We will now turn to Ms. McDermott. She is the Director of 
Openthegovernment.org Coalition. Welcome, and you are 
recognized.

                 STATEMENT OF PATRICE MCDERMOTT

    Ms. McDermott. Thank you very much and thank you, Chairman 
Mica and Vice Chair Meadows, for the opportunity to speak today 
on the continued use of sensitive but unclassified markings in 
the Executive Branch, three and one-half years after the 
issuance of President Obama's Executive Order.
    My name, as you said, is Patrice McDermott, and I am the 
Executive Director of Openthegovernment.org, a coalition of 
nearly 90 organizations dedicated to openness and 
accountability. My remarks here today do not necessarily 
represent the positions of all of our partner organizations.
    Let me start with a little history on the issue of the use 
of sensitive but unclassified markings in the Executive Branch.
    In May 2008, President Bush issued a presidential 
memorandum with a stated intent to standardize control markings 
and handling procedures across the information sharing 
environment, a term codified in the Intelligence Reform and 
Terrorism Prevention Act of 2004, to indicate the intelligence, 
law enforcement, defense, homeland security, and foreign 
affairs communities. The CUI Council called for in the 
memorandum was a subcommittee of the Information Sharing 
Council within the Office of the Director of National 
Intelligence and, therefore, entirely outside any public access 
or accountability.
    That memorandum did nothing to rein in the use of what were 
called sensitive but unclassified markings. In fact, the memo 
allowed agencies to continue to make control determinations as 
a matter of department policy, meaning that the public was 
given no notice or chance to comment on the proposal.
    Under President Bush's proposed framework, control 
designations could easily have been treated as simply another 
level of classification, reducing the public's access to 
critical information.
    On November 3rd, 2010, President Obama issued the Executive 
Order on controlled unclassified information, 13556. The order 
limits control markings to those, as Mr. Fitzpatrick noted, 
based on government-wide policy, as well as statute or 
regulation. This is an enormous victory for openness. This 
limitation will, when fully enacted, both significantly limit 
the number and end the spiraling proliferation of agency policy 
markings, most particularly for official use only.
    Organizations working on government openness and 
accountability and on whistleblower protections welcome the 
release of the Executive Order, which rescinded the Bush 
Administration memorandum and which requires standardizing and 
limiting the use of control markings on unclassified 
information. The openness community applauded the Obama 
Administration for making this an open government document, 
when it could easily have become quite the opposite.
    Earlier drafts of the Obama order would have allowed 
agencies to continue using the designations that were not based 
in either statute or regulation. Previous drafts would have 
created a system of sanctions which the openness community was 
concerned would impede needed sharing and could lead to 
repercussions outside current law for whistleblowers. The new 
order has none of this language, reflecting its role as a 
government-wide information policy.
    A key aspect of the order is that it makes clear, as Mr. 
Fitzpatrick noted, that a CUI marking has no bearing on the 
decision to disclose information under the Freedom of 
Information Act or on the disclosure to the legislative or 
judicial branches of the U.S. Government. Finally, the order 
involved the public in consultation on the implementation of 
the new framework.
    It was significant that the process in the Obama 
Administration began in a manner not dissimilar to that under 
the Bush Administration. While we did have opportunities to 
meet with government officials involved in the work on CUI and 
there were officials involved who were deeply committed to 
government transparency, the early discussions and drafts were 
led by the National Security staff and based on a report from a 
task force led by the attorney general and the secretary of 
Homeland Security. They came to this with an approach quite 
similar to that of the Bush Administration, that this was about 
controlling dissemination of and access to sensitive but 
unclassified information to those with a recognized need to 
know.
    We had numerous meetings and were able to review drafts in 
the meetings, and we provided extensive comments. Finally, we 
were presented with what government officials considered the 
final draft and we were asked for our headline. We responded 
that the headline of the openness and whistleblower communities 
would be Obama Creates Fourth Level of Classification. 
Apparently, this derailed the train that had been moving down 
the track. At some point in this time frame, OMB also became 
involved in the process. The draft that came out next took what 
essentially had been a National Security-driven effort and 
turned it into what it properly was, a government-wide 
information management policy.
    So the agency policy markings are to be ended. The question 
for us is when. Regrettably, here is where the rub comes in. 
The CUI staff worked extraordinarily hard, with very limited 
resources, to create the registry of approved CUI categories 
and subcategories that was released in November 2011. It is 
accompanied, however, with a ``reminder from the executive 
agent'' which says existing practices for sensitive 
unclassified information remain in effect until the CUI marking 
implementation deadline TBD, to be determined.
    Again I want to stipulate that the CUI staff housed that 
ISOO have been very open. They have initiated meetings with our 
communities and have been willing to meet with us at our 
request. They have taken our concerns and our comments on 
various implementation drafts very seriously and have made 
changes along the way.
    Our concern is that the process is, from our perspective, 
at least, a long way behind schedule. We suspect this is due to 
the intransigence and resistance from some agencies, and the 
adjudication the CUI staff had to do with them. The executive 
agent expect the CFR, which is now at OIRA and about to go out 
for agency comment, to become effective in April 2015. That 
begins an extended progress, in six month segments, of agencies 
only then beginning to develop the budget, IT, and training 
toward a requirement of which they will have been aware for 
almost five years.
    Agencies will not begin to implement CUI practices or to 
phase out obsolete practices until April 2016, and not until 
2017 and beyond, into the next decade, will agencies finally 
begin to eliminate old markings and assure use of only new 
markings that are on the registry. The executive agency 
indicates an expectation that this process will extend into 
2018, 2019, and beyond, well beyond the end of the current 
Administration.
    What does this mean in practice? The President was clear 
that the mere fact that information is designated as CUI shall 
have no bearing on determinations pursuant to any law requiring 
disclosure of information or permitting disclosure as a matter 
of discretion. Agencies, however, continue to use not CUI 
registry markings, but the existing practices, especially FOUO.
    I will stop here, as I am well over time, but I do have 
some examples, if I have time in the questioning.
    Mr. Mica. If you would like, we will grant you an 
additional minute or two.
    Ms. McDermott. Okay, good. Thank you.
    So, as an example, the Project on Government Oversight 
recently reported on a DOD IG report that the Pentagon labeled 
FOUO. It says in such cases, the DOD IG will only post the 
report's title or summary on its website. The complete report 
must be requested through FOIA. POGO was fortunate enough to 
have obtained the contract overbilling report through non-FOIA 
means, but they are still waiting on requests for two other DOD 
IG reports. Both of these reports are unfavorable assessments 
of other Defense contracting programs.
    And just this morning there is a story in The Guardian by 
Jason Leopold that quotes from internal NSA emails about both 
journalist and citizen requests under FOIA. They dismiss the 
citizen requests pretty summarily and note that journalists are 
a little harder to get rid of. And one of the officials is 
quoted as saying the classified and FOUO we can deny; the rest 
we may have to process.
    Well, according to the Executive Order, they are not 
allowed to deny, to withhold stuff just because it is marked 
FOUO. But it is apparently a continuing attitude throughout the 
Government, and we are as frustrated as you are and very 
concerned that this attitude will continue for many years to 
come.
    Thank you for the opportunity to speak to you on this 
important issue. I am happy to answer any questions you might 
have.
    [Prepared statement of Ms. McDermott follows:]
    [GRAPHIC] [TIFF OMITTED] T8973.008
    
    [GRAPHIC] [TIFF OMITTED] T8973.009
    
    [GRAPHIC] [TIFF OMITTED] T8973.010
    
    [GRAPHIC] [TIFF OMITTED] T8973.011
    
    Mr. Mica. Well, thank you.
    We will withhold questions for a minute. We have been 
joined by our ranking member, Mr. Connolly, and I would like to 
recognize him at this time.
    Mr. Connolly. Thank you, Mr. Chairman. Again, my regrets 
for being late. I had a markup at the House Foreign Affairs 
Committee on a North Korea sanctions bill I am coauthor of, and 
I had to be there for my own bill. So forgive me for being 
tardy in coming to this hearing.
    Thank you all for participating and thanks, Mr. Chairman, 
for holding this hearing examining the categories of controlled 
unclassified information, CUI, particularly the Transportation 
Security Administration's designation of sensitive security 
information, SSI.
    Pseudo-classification designations are often vague and 
involve undefined markings that prevent interagency sharing or 
delay public access to information, as Ms. McDermott was just 
telling us. The Executive Branch's use of pseudo-classification 
designations is a longstanding national security challenge, and 
it certainly encompasses many administrations of both parties 
and transcends partisan division.
    The 9/11 Commission observed, in its final report 
officially on the September 11, 2001 terrorist attacks, that 
excessive barriers to information sharing among Federal 
agencies and between Federal agencies and local law authority 
agencies actually contributed to the confusion, if not to the 
actual successful prevention of the tragedy. That is pretty 
strong stuff. Simply put, the Government agencies keep too many 
secrets from other Government agencies and the public, and that 
is both bad for public safety and, in my view, can compromise 
national security unintentionally.
    Our committee has been concerned with the effects of 
pseudo-classification for many years. This committee requested 
that the GAO study the matter and, in 2006, during the Bush 
Administration, GAO reported that the problems posed by 
excessive and inappropriate use of CUI remain pervasive, 
pervasive, across the Federal Government.
    Our committee's concern, Mr. Chairman, about the TSA's 
utilization of SSI designations dates back to 2008, six years 
ago, when former Chairman Waxman and Ranking Member Tom Davis, 
my predecessor, initiated a bipartisan inquiry questioning 
TSA's release of SSI to CNN for use in a news story, when the 
agency had asked GAO not to publicly disclose the same type of 
information, seemingly a contradiction in policy.
    Further, conflict over the proper handling of SSI continued 
in 2011, when the U.S. Department of Homeland Security 
expressed serious concern over the disclosure of SSI by a 
member of this committee, the Oversight Committee, at a public 
hearing.
    As recently as 2012, the Controlled Unclassified 
Information Office within the National Archives and Records 
Administration found: ``Historically, executive departments and 
agencies have employed ad hoc agency-specific policies, 
procedures and markings to safeguard and control the 
dissemination of sensitive but unclassified information.'' ``As 
a result,'' it found, ``more than 100 different policies and 
markings have evolved for handling such information across the 
Executive Branch.'' It goes on: ``This inefficient confusing 
patchwork system has resulted in inconsistent markings and 
safeguarding of documents, led to unclear or unnecessarily 
restrictive dissemination policies, and created impediments to 
authorized information sharing.''
    Fortunately, the Obama Administration has taken steps to 
try to get CUI policies under control. I was pleased that 
President Obama issued the November 4th, 2010 Executive Order 
13556 on CUI that mandated that NARA establish categories and 
subcategories to serve as the exclusive designations for 
identifying unclassified information that requires safeguarding 
or dissemination controls pursuant to statute, regulations, or 
government-wide policy.
    In April 2012, TSA Administrator John Pistole issued a new 
SSI handbook applicable to all TSA personnel that established 
standard operating procedures for handling SSI and consolidated 
and clarified SSI policy guidance. These new policies include 
standardizing policies for the revocation of SSI, creating a 
system for reporting breaches, and improving employee training 
on how to handle SSI.
    In closing, Mr. Chairman, it is my hope that the 
stakeholders gathered here today will recognize we all have a 
shared goal with respect to increasing transparency and 
strengthening aviation security, and that balancing these 
interests need not be a zero sum proposition, it is either 
transparency or it is keep it close to the vest and nobody 
knows what anyone else is doing.
    I want to thank our witnesses for participating in this 
morning's hearing and, Mr. Chairman, I look forward to 
examining, together with you, how we can better ensure CUI is 
effectively, consistently, and appropriately managed across the 
entire Federal Government.
    Thank you. I yield back.
    Mr. Mica. Thank you, Mr. Connolly.
    We will go right to questions. I want to lead off on some 
of the points that the ranking member articulated. First of 
all, he cited the Executive Order 13556 which President Obama 
issued, and I think you spoke about it too, Ms. McDermott, and 
had some good intent, but it has had no bearing on decisions to 
disclose information pursuant to FOIA or disclosures to 
judicial or legislative bodies such as this committee. Despite 
this, Ms. McDermott, are you currently observing Federal 
agencies that use existing practices to thwart release of 
unclassified information?
    Ms. McDermott. As I mentioned--yes?
    Mr. Mica. I am just asking you to confirm again what you 
said.
    Ms. McDermott. Oh. Yes.
    Mr. Mica. Mr. Connolly brought this up, but you are seeing 
that.
    Ms. McDermott. But I would also note that----
    Mr. Mica. And how prevalent is the practice today?
    Ms. McDermott. Okay. I don't know that it is all that 
prevalent. We do know examples, but you usually only hear when 
there is a problem. I mean, you can't disprove a negative, but 
if agencies aren't doing it, there is no way to know.
    Mr. Mica. And you cited some problems. What agencies is 
this prevalent or have you seen?
    Ms. McDermott. The Department of Defense Inspector 
General's Office and the FOIA folks at NSA.
    Mr. Mica. Okay. Is there anything more that can be done? We 
have an Executive Order. What do you think? Now, TSA, we will 
get to them in a minute; they have issued a handbook. But what 
do you see government-wide?
    Ms. McDermott. Well, I think government-wide the process 
has been moving forward in terms of the work that the executive 
agent, the CUI Office, has been doing. I think, from our 
perspective, the problem is that somewhere along the line time 
has been lost and we feel that the process is taking longer 
than we anticipated and that I think probably the President 
anticipated.
    Since the issuance of the Executive Order, we are already 
now four years out, and the rule is just going out for comment. 
We had seen earlier versions in 2011 and then not again until 
2013, and then again this year. So the process, our sense is 
that it is being slowed by at least some agencies who--again, 
this is my perspective and my community's--who don't want to 
see this because it will control their ability to use these 
markings as they see fit. But I think it is our sense from 
talking to CUI staff that there are a lot of agencies also that 
are fully onboard, ready to go, and who will move forward 
quickly.
    Mr. Mica. Well, that is a perfect sequence to ask Ms. Lontz 
why did it take four years for TSA, after the management 
directive, to roll out the handbook? Now, Mr. Connolly also 
spoke of successive TSA and finally getting a handbook, but it 
took four years and you just testified that they have been 
slow-rolling this, Ms. McDermott. So what is happening that 
took four years to do this in TSA?
    Ms. Lontz. Mr. Chairman, so the joint decision to move the 
SSI program into the Office of Law Enforcement and Federal Air 
Marshal Service from the Office of Intelligence, that occurred 
in December of 2010, and Mr. Pistole did sign our TSA 
management directive in April of 2012.
    Mr. Mica. The structural placement was also almost four 
years ago, but it has still taken almost four years to get, 
again, the handbook on SSI.
    Ms. Lontz. So the handbook is a comprehensive resource of 
74 pages, and it is a guide to all employees.
    Mr. Mica. So they did about 20 pages a year.
    Ms. Lontz. We do annual training on SSI to all employees at 
TSA.
    Mr. Mica. The handbook was just issued, so has that just 
begun?
    Ms. Lontz. So the annual training occurs and also began in 
2012, so each employee at TSA has received it now at least 
twice. So the program office itself has a standard operating 
procedure that is a 40-page document that they use daily in the 
practice of reviewing documents, and we also have standardized 
the way that requests are made so that it is documented 
appropriately, and we also have incident reporting tools for 
the agency to utilize.
    Mr. Mica. Now, tell me again where the SSI office falls, 
under what jurisdiction was it set?
    Ms. Lontz. So it originally was with the Office of 
Intelligence. It is now under the Office of Law Enforcement 
Federal Air Marshal Service.
    Mr. Mica. And why does it fall under that particular one? 
It seems like Intelligence would be the logical one. Why was it 
removed and what is the advantage to have it under law 
Enforcement?
    Ms. Lontz. So we felt that it more closely aligned to the 
duties and responsibilities of the chief security officer, and 
the chief security officer is part of the Office of Law 
Enforcement.
    Mr. Mica. And how many FOIA requests does TSA receive in a 
year, do you have any idea, for instance, 2013 FOIA requests?
    Ms. Lontz. I can tell you to date we have received 72 
requests, just under about 10,000 pages to review this year.
    Mr. Mica. Just this year.
    Ms. Lontz. Correct.
    Mr. Mica. But you don't have a figure for a number received 
in 2013?
    Ms. Lontz. I don't.
    Mr. Mica. Maybe you could provide that to the committee.
    Ms. Lontz. Certainly.
    Mr. Mica. What percentage of FOIA requests to TSA are 
denied or redacted due to the targeted information carrying the 
SSI designation, do you have any idea?
    Ms. Lontz. I don't have an idea on that. We review all FOIA 
request material that is sent to our office. Each review is 
done the same as it would be for any other request that would 
come through SSI, and it is all memorialized in a memorandum of 
what was reviewed and what the findings were, and then it is 
returned back to the FOIA office.
    Mr. Mica. Has the TSA implemented proper protocols to 
ensure that the TSA administrator is documenting support for 
releasing SSI prior to releasing the information?
    Ms. Lontz. So there is a process for revocation as well, 
and it must be in writing, and it should be in the interest of 
security, of course.
    Mr. Mica. Do you know if there is compliance now? I mean, 
it was pretty spotty. The reports were spotty as to compliance 
with that requirement, again, prior to releasing the 
information. Do you know where we are on that now? In almost 
every instance is that complied with?
    Ms. Lontz. Yes, sir. So Mr. Pistole is our administrator 
and he is the designated authority on the release, so anything 
that would be released would go through his office.
    Mr. Mica. Well, it sounds like TSA has cleaned up some of 
the problems.
    Ms. McDermott, you have been observing this. Is that your 
observation or assessment?
    Ms. McDermott. We have been really looking more at the CUI 
process and the rollout of the rule relating to the Executive 
Order, how it is being implemented. I have colleagues who work 
more at agency level, so I really can't speak to that.
    Mr. Mica. Okay. You have not had any specific observation 
or have you found improvement in that regard, Mr. Fitzpatrick, 
from TSA?
    Mr. Fitzpatrick. So our office does not look at or have 
authority to look at the specific transactional actions of 
release or withholding under the FOIA or any other statute. 
What we look at is management approach to an authorized 
category, which SSI is, and how is it managed within the 
organization and are its procedures for safeguarding 
dissemination, control, and marking, how are they promulgated 
and will they be consistent with the forthcoming rule. So the 
retention of information under a separate authorization is not 
within our oversight purview but, rather, the administration of 
the security program.
    Mr. Mica. Well, I asked Ms. McDermott before about the 
prevalence of the pseudo-classifications in other agencies. 
Would you like to comment on that?
    Mr. Fitzpatrick. Yes, I would, because I think we have both 
described the scope of the Executive Order. When it shifted 
from the Bush Administration's focus on homeland security and 
counterterrorism information to any type of information for 
which control is authorized under law government-wide policy or 
government-wide regulation. That is a vast amount of 
information, and while it does provide the opportunity to 
define the universe of CUI and to identify that which is not 
authorized for withholding or retention, so that is a primary 
division of the universe of unclassified information into two 
halves.
    The half that is authorized is substantial. As I mentioned 
in my testimony, there are 22 categories, 85 subcategories, so 
we have organized information in a plain English sort of way to 
describe categories and subcategories, but there are 314 unique 
citations in law, government-wide policy, or Federal regulation 
that authorize control of unclassified information. Four of 
those apply to the SSI category; many of those categories and 
subcategories have multiple citations in law and regulation.
    So what we have discovered in the time that it takes to 
sort of understand the scope of the Executive Order and to 
build this registry is that the Legislative and Executive 
Branch, in almost equal measure, have authorized agencies to 
assert control over information types of a very broad range. 
One hundred fifty-seven of those controls are in statute, 129 
in Federal regulation, and 28 in government-wide policy of the 
type of an OMB circular, something that would have come out of 
the Executive Office of the President.
    So that is a lot of information, a lot of agencies that are 
authorized to withhold this information. So our program is 
created to identify which those are so that you can know which 
information types aren't, and then to establish handling and 
marking procedures of a uniform nature rather than I think the 
ranking member indicated the 100-plus marking types and bins 
that information had been put on and labeled, to have a uniform 
control marking.
    I am sympathetic to the amount of time that this is taking. 
When you understand the scope of this and how many agencies 
have this type of information, to try to understand all of 
their practices today in order to create a uniform baseline 
that all will observe, it is a very time-consuming effort.
    Mr. Mica. Well, unfortunately, today we are just talking 
about unclassified information, and, you know, this is an 
important issue because Government information and the 
management of it can be manipulated and agencies use it to 
cover their own tracks, to keep information from Congress and 
from the American people, and that is just in an unclassified 
category, and then trying to set the parameters for that. Then 
you have so many agencies that have participated and then 
trying to make certain there is some objective evaluation of 
what they are using these classifications for and denying 
Congress or the public or information getting out.
    The classified is a whole different one with TSA. I would 
like to see, at some time, information on the failure of 
performance of TSA. Most of that has been kept in a classified 
realm, declassified on a periodic basis, so I think the public 
deserves to know the performance of some of the people who are 
supposed to provide important transportation security. That has 
been kept under wraps or some things have been put under 
classified wraps to keep their performance secret, and there 
are definite reasons to do that.
    I know in the past some classified information has been 
released and I have flipped out a couple of times when I saw it 
in the paper and actually asked agencies to go after folks who 
had released the information, because it can be very harmful. 
But, by the same token, there is some other information, I 
think, that the public should know that deals with the 
performance of agencies.
    Now we have, it is not classified, but we are seeing the 
secret lists of the VA and people trying to cover up again 
their poor performance, and that was outrageous by any 
standard.
    Well, it is an interesting subject. Difficult to get a 
total handle on, but we are trying to make some sense out of it 
in a bipartisan fashion. Part of the report goes back, I 
noticed, some time and predates current practices, but this is 
a meat and potatoes hearing where we have been, where we are, 
and where we are going. So I thank you all.
    Let me yield to Mr. Connolly for questions.
    Mr. Connolly. Thank you, Mr. Chairman. Actually, to me, it 
is kind of a thought-provoking panel and discussion, but to 
your very last point, so here we are looking at the operations 
of government, can we improve them and make them better and 
more efficient, better serve our public. There is not a single 
member of the press at the press table, not one.
    Mr. Mica. Nobody is interested.
    Mr. Connolly. And in the system of reward and punishment, 
there is not a lot of reward for what we are doing today, Mr. 
Chairman, but virtue is its own reward, I guess, right?
    But thank you for being here, because it is actually kind 
of an important topic.
    The chairman talked a little bit about the misuse of types 
of information for various and sundry purposes, either hiding 
it from the public and/or Congress or deliberately getting it 
out there when you shouldn't.
    Ms. Lontz, we issued a committee staff report today that 
found TSA for years had issues with consistently implementing 
its policies for designating and undesignating information as 
sensitive security information. The committee heard from a 
former director of TSA's SSI Office, Andrew Colsky, that TSA's 
Office of Public Affairs released information strategically in 
what he described as security theater. He said, ``If they felt 
they needed to do something to get it in the press to change 
the public perception, that was more important than the 
security concerns involved.''
    That same director said that the release of SSI by the 
Office of Public Affairs decreased when the personnel changed 
in 2009 with the new administration.
    What is the current relationship between the SSI Office and 
the Office of Public Affairs, and how disputes regarding SSI, 
how are they resolved?
    Ms. Lontz. Certainly. So the relationship really of the SSI 
Office to really any of the other directorates, we operate 
autonomously. We receive in information that needs review and 
we do that and review in accordance with all of the 
requirements and then return it. We do not engage regularly 
with any of those offices other than to be the recipient and 
provide our service and provide it back. So there isn't any 
direct back and forth between the Office of Public Affairs and 
our SSI Office other than the service that we provide.
    Mr. Connolly. Well, but what are the systems in place for 
ensuring, the chairman cited it, that someone misuses 
information for entirely a PR purpose? It did happen at your 
agency before your time. What are the mechanisms in place to 
ensure that there is an understanding, to pick an office, 
between the Public Affairs Office and the SSI Office that the 
misuse of such information for perhaps a noble reason, but 
nonetheless the misuse of information is protected, that that 
practice is controlled?
    Ms. Lontz. So we did some significant training with the 
various offices after 2010, or actually after 2012. We did 
specific training in offices like the Office of Chief Counsel, 
Office of Public Affairs to provide them with in-depth 
understanding of what SSI is and is not. So they have received 
more than just the annual training that all TSA employees 
receive so that they have a greater knowledge of what we would 
consider SSI and how to handle it properly.
    Mr. Connolly. Mr. Fitzpatrick, you honed in on my reference 
to the fact that we have 100 different standards, apparently, 
maybe more. Ms. McDermott, I welcome your comment as well. When 
one looks at a statistic like that, I often ask the question, 
rhetorically, What could go wrong with that? If the public were 
watching this hearing, I think they would get a headache from 
all the acronyms and maybe lose sight, easy to lose sight of, 
well, what is the context here? What is it we really are 
concerned about?
    We are not just concerned about juridical processes. We are 
concerned about preserving that which must be preserved, 
concerned about proper information sharing and encouraging 
that, instead of people hoarding information that should be 
shared, and trying to have a streamlined system so that rules 
of engagement are clear-cut and everybody adheres to them. How 
are we doing on that? I mean, how much progress since the 
Executive Order, and to what extent has the Executive Order 
encouraged such progress, are we getting to have a more uniform 
standard across the Federal family?
    Mr. Fitzpatrick. So thank you, because that is the 
wheelhouse of building a CUI program, is to address those very 
things. Let me put some of these numbers into context.
    That number, 117 different markings, actually comes from an 
appendix of the report that Patrice mentioned that the attorney 
general and the secretary of Homeland Security provided 
President Obama in the year before the Executive Order was 
issued, and they took an inventory. How many different ways are 
we marking things? How confused is this? You quoted one of my 
office's reports, a Confused Inefficient Patchwork.
    So what is in play or what the practices were allowing 
1,000 flowers to bloom? An agency could and did make up its own 
rules and there was no canopy type of guidance that said it had 
to follow some stricture or some consistency across government. 
So you had people marking any kind of information with a 
special marking. Maybe it was just sensitive, do not 
disseminate; limited distribution; source selection 
information; help related information. Some of these are 
instructions and some of these are categories of information.
    So what the Obama Order does is it says, okay, the only 
ones that are authorized for some type of control are the ones 
where a deliberative process, a statute, regulation, or 
government-wide policy, has already provided that authority; 
everything else is not permitted to have some control. So it 
said, executive agent, find out what that universe of 
information is, put a registry together and put it out on the 
internet so everybody can understand what have we done through 
statute and regulation to provide these authorities, and then 
work with agencies to come up with practices that will be 
uniform, one set of markings, one set of handling requirements.
    We are in touch with 150-plus government entities to try to 
find out what kind of information do they have, what kind of 
resources do they have, what kind of practices do they have. 
There is a lot in common; put it in a locked drawer. Some of 
this guidance the lock has to be this kind of lock, the drawer 
has to be this kind of drawer; wrap it in one envelope, two 
envelopes, three envelopes. Again, 1,000 flowers blooming. So 
we are creating a single baseline and these are represented in 
the draft rule that we have mentioned, finally getting enough 
interagency agreement to say that would work for us to put it 
into practice and for agencies to implement.
    The category types that remain are information types that 
you would expect every agency to handle: privacy, financial. 
Agencies that handle taxpayer information, there is a specific 
regime for protecting taxpayer information. SSI is an example. 
Another good example that exists only in a particular space in 
government activity is unclassified controlled nuclear 
information. So Energy, Defense, Transportation, they handle 
nuclear materials; that is special stuff. So we have catalogued 
across the whole of Government agency practice and our attorney 
and other resources have put that together in this registry 
that says 314 unique citations, 157 laws that say the secretary 
may withhold or must control or may disseminate.
    Mr. Connolly. That you have to take into account.
    Mr. Fitzpatrick. Right. So we are trying to wrap an 
umbrella over this vast authorized practice.
    Now, identifying the authorized practice allows you to 
identify the unauthorized and discontinue the unauthorized, and 
that is naturally where Patrice and her Coalition's interest 
lies, with the ability to regulate the authorized practice 
across global organizations with however many Federal employees 
have to be trained. It is a daunting effort, and it can't start 
until the flag is waived. The flag gets waived when the rule is 
final. So we are in the process right now with the rule out for 
agency comment; it will then go out through public review and 
comment and keep going.
    Mr. Connolly. But let me follow up on something the 
chairman--and I am going to call on you, Ms. McDermott. I just 
want to stay with this, but I will ask you to comment as well, 
if the chairman will allow.
    Mr. Mica. Go right ahead.
    Mr. Connolly. Thank you, Mr. Chairman.
    I want to follow up on something the chairman made a point 
of, though; and he and I share this characteristic. In politics 
and public policy, sometimes patience is a real virtue. 
Sometimes it is not; sometimes impatience is a virtue because 
it gets things done and moving. And sometime it strikes the 
chairman, and me as well, that we move at a glacial pace in the 
Federal Government, when we need to be moving with more 
alacrity.
    You make a very good point; this is a daunting, big 
challenge. It may not seem it. It sounds simple. Let's have 
some simple rules of engagement we all adhere to and move on so 
that Ms. McDermott can get the information she needs. Well, not 
so fast; not so simple; there are all kinds of intruding laws 
and regulations; there are 100-plus different practices we have 
to kind of rein in and look at. But the chairman pointed out 
the Executive Order, however well intentioned, was four years 
ago. Here we are four years later and we are at the draft rule 
stage.
    So what was the time line for implementing this and how are 
we doing in trying to meet those metrics?
    Mr. Fitzpatrick. Certainly. The Executive Order laid out a 
few deadlines for agency consideration and then the deadlines, 
I will say, stopped. The first year essentially was to define 
the universe of information that is CUI. So agencies were given 
six months to make submissions. What are the categories that 
you feel meet this threshold of having a basis in law, 
government-wide policy, or regulation, and how would you 
describe them and how can we put them together in a registry? 
Agencies produced 2,200 submissions. So if you get an idea of 
what agencies feel their authority ought to be, and that came 
from, I will say, not the 150 agencies we deal with now, but 
some dozens of them submitted 2,200 individual 3x5 cards saying 
I can control this, I can control this, I can control this.
    Mr. Connolly. Can I interject, if I may?
    Mr. Fitzpatrick. Yes.
    Mr. Connolly. Just an ironic observation, Mr. Chairman. The 
press may not think this is all that interesting, but clearly 
Federal officials did, because it affects how they operate.
    Mr. Fitzpatrick. Absolutely. And it affects a level of 
latitude they felt they had to do as they pleased, or wished, 
or felt was most effective for them.
    Mr. Connolly. Right.
    Mr. Fitzpatrick. And, instead, this umbrella of constraint 
was, I will say, beginning to be spread.
    So 2,200 submissions, many of them the same types; 
personnel information, privacy information, budget information. 
But many of them simply my agency directive says I can do this, 
so they submitted it. Well, that is below the threshold. That 
did not make it into the registry. So the production of the 
registry, putting the registry out on the rolls.
    We then began an inventory of practices to say what do you 
do with this information today and how do you safeguard it? How 
do you provide information systems security for it? How does 
dissemination control work? How far and wide are complex are 
your agency directives and instructions so we know how much is 
going to have to be torn down and rebuilt?
    We took a shot at, as Patrice mentioned, a draft rule 
through our interagency council that basically the interagency 
choked on. We put all of the principles of CUI and sort of in 
the nature that we have been discussing them today and all of 
the how-to's of the CUI in the same document. That was, I will 
just say, ineffective and did not succeed the interagency 
coordination process. We had to rewrite it so that we could 
separate the two.
    And what is going around the agencies now is this set of 
principles in the rule which point to practices and authorities 
that the CUI Council, under the executive agent's coordination, 
will issue. So you have a draft rule, and the draft 
supplemental guidance says here is what marking and 
dissemination mean; here is what the constraints are on 
agencies; and then over in a separate document here is how to 
do it.
    Mr. Connolly. Thank you.
    Mr. Fitzpatrick, my time is up. The chairman has graciously 
agreed to allow Ms. McDermott to also comment because I don't 
want to impose on my colleagues, and I see the distinguished 
chairman is here as well.
    Thank you, Mr. Chairman.
    Ms. McDermott. So, yes, we are aware of and support all of 
the work that they have been doing. We do feel, though, that 
there has been some, the chairman called it slow-rolling. I 
might call it, because of its loss of control by the agencies, 
it is foot dragging, it is throwing some sand. But, again, that 
is from an entirely outside perspective.
    I do want to go back to two points that you made, though. 
This was about the need to protect information and also to 
share it. And one of the things that we have been very 
concerned about all along is that where it is appropriate and 
where the statute or the regulation allows it, that there be 
put time limits on these markings so that they don't continue 
to be used passed when they are authorized to be used. And that 
is a whole big issue of how you unmark something that has been 
marked.
    The other thing that we are very, very concerned about is 
that, in terms of the sharing, both sharing and protecting, 
that these markings, it needs to be clear, they need to be 
clearly marked, any documents, so that somebody who shares a 
document with the public, certainly shares it with Congress, 
shares it with the Judicial Branch, although those are already 
covered under the Executive Order.
    If it is not marked, they cannot be held accountable for 
inappropriately sharing information. This is like, you know, 
something that was part of the Intelligence Authorization Act 
that President Clinton vetoed back toward the end of his thing 
that said any document that is classifiable, you can be held 
criminally liable for releasing. Well, no, you can't, because 
that could be anything. So that is a very big concern of ours, 
to protect whistleblowers, but also to allow useful sharing 
throughout the Government of information as it needs to be 
protected and of information that doesn't need this kind of 
protection.
    Mr. Mica. Thank you.
    Let me yield now to the chair of the full committee, Mr. 
Issa, who has joined us. Mr. Issa.
    Mr. Issa. Thank you, and thank you for being here.
    The fact is this is probably the one nearest and dearest to 
my heart of all the hearings. You might wonder why. Well, the 
CUI Council, how do I know it is not a CYA council? I am 
serious, Mr. Fitzpatrick. I am the beneficiary of 20 months of 
having subpoenaed documents that are unclassified held and not 
delivered to this committee, even though they were subject to 
subpoena, because they were unclassified but embarrassing. In 
those 2,200 different classifications, did you see that 
classification, unclassified but embarrassing?
    Ms. Lontz, is that one that you plan on using?
    Ms. Lontz. No, sir.
    Mr. Issa. You use it every day. Transportation Safety uses 
it all the time. We subpoena documents and, Ms. McDermott, I 
know you are on our side, but, quite frankly, when you say it 
is already covered, no, it isn't. This Administration 
systematically does not reply honestly and fully with even 
subpoenas of the various committees. That is just a fact. It is 
a reality. One of the things that we have seen is that the best 
way to get evidence, unclassified evidence is we depose 
somebody, and on the evening before we are going to depose 
them, we get a ration of documents that are somehow responsive 
to it.
    The fact is this is near and dear to my heart because I 
don't think you should have a right to any of them. I think the 
whole idea that there is anything below secret is hogwash. I 
think the idea that other than personally identifiable 
information, meaning information is sensitive because it 
doesn't truly belong to the Government to release, such as your 
email address, even if it is a Government one, being released 
to the entire public; your birthday; personal information about 
your home. We can all agree that that information is not 
secret, but, by definition, shouldn't be released. Do we agree 
with that?
    Is there really any other area that people get to see 
without a background check, people get to handle without 
knowing whether they are pedophiles, whether they are drunks, 
whether they are going through personal traumas in their lives, 
etcetera, etcetera? In other words, we have no security on them 
other than they are a Federal employee or a Federal contractor. 
They get to see all this information and then, when Congress 
subpoenas it, we don't even get it. Is there anyone that is 
going to justify those 2,200 categories here today? I would 
love to hear it. Ms. Lontz?
    I mean, I am thrilled to hear that there are 2,200 requests 
for unclassified information to be withheld. Of that 2,200, I 
will take out of it as many as you say include personal 
identifiable information. Give me another one.
    Mr. Fitzpatrick. If I may clarify that number.
    Mr. Issa. Please.
    Mr. Fitzpatrick. And understand that you entered midstream. 
Twenty-two hundred was the number of individual submissions 
that came in from agencies where they thought they had some 
authority.
    Mr. Issa. A lot of redundancy.
    Mr. Fitzpatrick. There is a lot of redundancy and a lot of 
it did not meet the threshold established in the Executive 
Order that authority can only be established if it has been 
granted by law through the Federal regulations or through 
government-wide policy. Those numbers, there are 2,200 high 
level categories, 85 subcategories based on 314 individual 
citations of either law, regulation, or policy.
    So while I do not dispute the characterization of agencies' 
desire to withhold information to their advantage, what is 
authorized under the CUI program is only information in these 
categories, these narrow 2,200 and 85 subcategories, can be 
safeguarded or dissemination control. Their disclosure through 
other processes, or the eventual decontrol, are matters of 
discretion.
    Mr. Issa. We fully understand that, but understand that the 
President signed the Data Act just a few days ago. That Act 
intends on making across Government the vast majority of 
information that exists in our databases searchable, 
addressable, downloadable, which would include a system in 
which, because of the strength of the metadata, you would be 
able to exclude personally identifiable information.
    But essentially, and we are not talking about emails for a 
moment; we will leave those aside, the intent of it would be to 
open up all of Government, to make you able to say that a 
particular data point is not to be released, such as personally 
identifiable information, locations or times, certain things 
like that, predictive information about events that have not 
yet occurred.
    If we are going to open that up, we can't have these levels 
of classification because it will essentially close 
systematically all these databases, won't it?
    Ms. McDermott, you really don't care about hunks of paper 
being delivered anymore; you really care about the data wealth 
being mined in order to get real information, don't you? Isn't 
that really the modern America?
    Ms. McDermott. That is part of modern America. But we 
actually are still very concerned about the paper getting 
delivered to nonprofit organizations that make it available to 
journalists, to that sort of thing.
    Mr. Issa. Let me explain one thing to you that I have 
learned the hard way in five years in the, if you will, 
leadership of this committee. Until today, if I subpoena the 
EPA for emails, they send out to the people they think may have 
responsive information asking them to voluntarily look through 
and see if they have something that we would be interested in, 
and then they get to submit it.
    That is a systematic system of exclusion of at least 
unclassified but embarrassing information. Only through direct 
access are you ever going to get what you want versus getting 
the paper they want to give you and then searching through it 
saying, if this exists, where is this other piece, and then 
having to--how many times do you reapply again and again 
because a tranche of information tells you that they are not 
giving you it all?
    Ms. McDermott. I would love, if I may, respond just on the 
email part of it.
    Mr. Issa. Please.
    Ms. McDermott. Regrettably, that experience about asking 
people to search their hard drives is because until very 
recently, because of regulations that were promulgated by NARA 
back in the 1990s, agencies were not required to organize their 
email. They were not required to treat it as records of 
offices; they could treat it all the same. And what has 
happened over time is that it is on people's hard drives; it 
has not been centrally collected.
    It is unfortunately true that that agencies don't know how 
much email they have that is responsive. And it is not just 
Congress that gets this response; it is our colleagues in the 
nonprofit world who ask agencies for responsive email and they 
say we will look, but it is going to take a long time.
    Mr. Issa. Yes, we were told by the IRS commissioner just 
the other day that it could take two years to respond to our 
questions, far longer than the IRS gives you in an audit to 
respond to theirs.
    Let me just close quickly with a question. If we are going 
to have classifications below secret, and this committee, among 
its jurisdictions, controls basically the question of people 
holding clearances, how many categories of cleared people are 
we going to have to decide what level of background 
investigation, what level of denial?
    If somebody is going to look at unclassified information 
that has some pseudo-classification level that keeps the public 
from seeing it, do I need to know whether they are currently on 
probation, whether they have DUIs, whether or not they are 
convicted pedophiles? And if so, how do I come up with all 
those classifications? How many will I need, Mr. Fitzpatrick? 
Cleared information, cleared people, right?
    Mr. Fitzpatrick. It actually requires no specific personal 
security vetting for access to controlled unclassification 
information.
    Mr. Issa. So, in summation, what you are telling me is 
below secret we can deny the public, through a maze of 
different processes, access to information, while allowing 
people who happen to work for the Government, either as 
contractors or as Federal employees, to have unfettered access, 
even if they have things which would make us question that 
access, right?
    Mr. Fitzpatrick. Well, no. The standard is only for that 
information which requires a safeguard or dissemination control 
and is accompanied by a lawful Government purpose, regardless 
of your status, in Government or outside of Government.
    Mr. Issa. So tax cheats at the IRS get access to my tax 
information, while even if I have been persecuted directly by 
the IRS, I can't get that. I understand what you are saying. I 
question in this hearing whether or not you are going down a 
road of any sensibility.
    If you can't tell me who should be excluded within 
Government from seeing information, if you can't tell me what 
level we should put as a requirement for people to be cleared 
for that information below secret, because we have rules for 
secret and top secret, then I question whether or not you can 
create any category other than personal identifiable 
information is on a need to know basis, and other than personal 
identifiable information I question whether or not you really 
can do the process that you are asking.
    And I think Mr. Connolly said it very well during his 10 
minutes, which I have equaled nearly. The fact is we have 
waited too long, and it has been four years since an Executive 
Order, and this committee has a responsibility to ultimately 
say you are not getting it done; we may need to preempt you. 
And rulemaking is not lawmaking, it just looks like it.
    Mr. Chairman, rulemaking is not lawmaking; it just looks 
like it. I am going to close on that. Thank you.
    Mr. Mica. Thank you. I liked your CYA versus CUI 
description. Very appropriate sometimes.
    Waiting most patiently, one of our outstanding junior 
members, Mr. Meadows. You are recognized.
    Mr. Meadows. The chairman here says I have a lot of gray 
hair for a junior member, but thank you for your testimony.
    Mr. Fitzpatrick, let me pick up, because as we start to 
hear 2,200, we start to hear regulations. Everybody is going to 
want to have a piece of that turf. And I guess my concern is if 
we are going about this new classification, how many rules and 
regulations are we going to eliminate? I mean, out of the 170, 
I think your testimony, how many of those rules and 
regulations? Are we going to be able to eliminate half of 
those?
    Mr. Fitzpatrick. So we will go to a single marking system. 
So in the 117, the list of labels that were previously used, 
they varied across whether it said sensitive protect, restrict; 
all sorts of unauthorized types of markings. We propose a 
marking system that simply says controlled.
    Mr. Meadows. Based on what criteria?
    Mr. Fitzpatrick. Based on its presence in the registry, 
which means there is either a law that says the secretary is 
authorized to protect that or there is a Federal regulation 
that says this information may be controlled.
    Mr. Meadows. But according to your testimony, you said it 
should be based on statutory exemptions in FOIA or other 
applicable laws, policies, and regulations. Now, the concern I 
have with policies is any agency can make up any policy, and it 
undermines the whole effort of what you are trying to do.
    Mr. Fitzpatrick. So that portion of my testimony, and I 
acknowledge that those words are there, applies to instruction 
to agencies not to confuse, not to utilize the fact that 
something is marked CUI as somehow disposing a decision to 
withhold information under FOIA. The Executive Order and our 
guidance say clearly FOIA and other applicable laws that govern 
disclosure are what will govern your decision. Simply because 
it is marked controlled SSI doesn't then predispose, okay, then 
I can withhold it under FOIA. Our instructions and the 
Executive Order say it might be marked CUI so that you know it 
needs to be in a desk draw, it needs to have a cover sheet, it 
needs to be given to someone with a lawful government purpose. 
But if a FOIA request comes in on that, then the FOIA rules 
apply.
    Mr. Meadows. All right, so on a scale of 1 to 10, with 10 
being the most confident, how confident are you that what you 
are about to put in place will get rid of the politics, the 
CYA, the political aspect of trying to keep documents from 
Congress and from the American people? Scale of 1 to 10, how 
confident?
    Mr. Fitzpatrick. The CUI program, I am going to say, sits 
next to, but not a part of, the disclosure regime. So however 
confident, however much or little confidence you have in that 
disclosure regime----
    Mr. Meadows. Well, it hasn't been working too well so far, 
so, going forward, how confident are you?
    Mr. Fitzpatrick. So I am confident you will have the basis 
to explain, and those seeking information will have the basis 
to contest, the presence or absence of authorized by law or 
regulation, an authorized withholding basis or not. So an 
example----
    Mr. Meadows. That is a great answer to a question I didn't 
ask, but from politics, and getting politics and complete 
transparency, on a scale of 1 to 10, how confident are you?
    Mr. Fitzpatrick. I am an optimist. I will give you a 6.5.
    Mr. Meadows. Okay.
    Mr. Fitzpatrick. It will be better. It won't be everything.
    Mr. Meadows. All right.
    So, Ms. Lontz, let me go to you, because you talked about 
training earlier. On the training aspect of it, you mentioned 
that they have been given this handbook that talks about 
seventy some odd pages that is very specific. How confident are 
you that we are covering all the issues in terms of the 
thoroughness of the training and that the new model is going to 
be followed?
    Ms. Lontz. So in TSA, I can say that I am very confident 
that the new measures we have put in place have significantly 
improved the way we handle SSI. It is much more consistent; 
there is a memorialization of any and all SSI reviews that are 
done. It is comprehensive in the training; we can customize it, 
as I explained earlier, depending on various programs so they 
get a more in-depth understanding of what SSI is and is not. So 
I am very confident that the new measures----
    Mr. Meadows. So how are you reinforcing that? I mean, going 
forward, because if it is in a handbook, I don't know about 
everybody here, but most of the handbooks I have gotten over my 
54 years, I haven't read them, or at least I haven't read all 
of them. And we may have somebody here that does that, and I 
know my good friend and colleague from Virginia is astonished 
at that revelation.
    Mr. Connolly. I have read every handbook ever.
    Mr. Meadows. No doubt. No doubt.
    So how do we reinforce it? Do you make it part of their 
evaluation? If they get a bonus, is it part of that in terms of 
saying that you have been following this? How do we reinforce 
it? I see one of your staffers shaking his head yes behind you.
    Ms. Lontz. I think our senior leadership does a very good 
job of ensuring that SSI, the importance of SSI, the job that 
the TSA does impacts aviation and transportation security. We 
do have to be very concerned with protecting SSI information. 
We also ensure that it is not just a once a year, there is an 
online training course you need to take. We have SSI Awareness 
Week at TSA where there are a sundry activities and things that 
remind our personnel of the importance of SSI. So it isn't just 
a handbook that goes on the shelf and we say, hey, we have 
this. We really do impress upon our personnel the importance.
    Mr. Meadows. Well, I am going to close with this 
encouragement in terms of any help that you might be able to 
give this committee. Ultimately we have two objectives. One is 
to get the politics out of it, to speed up the process and 
become transparent with the American people. And if you see 
areas that need to be addressed, it is incumbent upon you to 
get that to this committee, because in a bipartisan way we will 
work to not only put forth legislation to clear it up, but to 
make sure that the American people get it, because right now 
the request even from a member of Congress gets thwarted at so 
many different levels based on so many different regulations, 
policies, and I don't knows that it is unacceptable. So we look 
forward to your recommendations.
    I yield back, Mr. Chairman. Thank you.
    Mr. Mica. Well, thank you, Mr. Meadows. Thank you, Ranking 
Member Connolly.
    And I want to thank our three witnesses, Ms. Lontz, Mr. 
Fitzpatrick, and Ms. McDermott, for your testimony. We have 
additional questions and we will probably be submitting some to 
the witnesses today.
    Mr. Connolly moves that we keep the record open for seven 
additional days. Without objection, so ordered.
    Again I thank you. We have raised some very interesting 
points, trying to work together to improve this process and the 
question of classification and various categories, making 
certain that Government information is made available both to 
the public and the Congress in a responsible fashion. Some 
enlightening information. It looks like we still have a ways to 
go and keeping this moving forward in a positive fashion as 
intended.
    There being no further business today before the Government 
Operations Subcommittee, the hearing is adjourned. Thank you.
    [Whereupon, at 11:40 a.m., the subcommittee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record

[GRAPHIC] [TIFF OMITTED] 
                                 
