[Congressional Record Volume 153, Number 1 (Thursday, January 4, 2007)]
[Senate]
[Pages S86-S91]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. AKAKA (for himself and Mr. Lautenberg):
  S. 82. A bill to reaffirm the authority of the Comptroller General to 
audit and evaluate the programs, activities, and financial transactions 
of the intelligence community, and for other purposes; to the Select 
Committee on Intelligence.
  Mr. AKAKA. Mr. President, I rise to introduce ``The Intelligence 
Community Audit Act of 2007,'' with Senator Lautenberg. This 
legislation reaffirms the authority of the Comptroller General of the 
United States and head of the Government Accountability Office (GAO) to 
audit the financial transactions and evaluate the programs and 
activities of the intelligence community (IC).
  Our bill is identical to S. 3968, introduced in the last Congress by 
Senator Lautenberg and myself, and to H.R. 6252, introduced in the 
House by Representative Bennie Thompson.
  The need for more effective oversight and accountability of our 
intelligence community has never been greater. In the war against 
terrorism, intelligence agencies are both the spear and the shield: the 
first line of our attack and of our defense. Failure can bear terrible 
consequences.
  Congress has two responsibilities: the first is to ensure that our 
intelligence community is performing its mission effectively, and the 
second is to ensure that in performing its mission, the intelligence 
community is not violating the constitutional rights of individual 
Americans.
  Yet the ability of Congress to ensure that the intelligence community 
has sufficient resources and capability of performing its mission has 
never been more in question. The establishment of the Department of 
Homeland Security and the passage of the Intelligence Reform and 
Terrorism Prevention Act of 2004 created a new institutional landscape 
littered by new intelligence agencies with ever increasing demands and 
responsibilities. These new agencies became members of an already 
populated club of organizations performing intelligence related 
functions.
  The intelligence community today consists of 19 different agencies or 
components: the Office of the Director of National Intelligence; 
Central Intelligence Agency; Department of Defense; Defense 
Intelligence Agency; National Security Agency; Departments of the Army, 
Navy, Marine Corps, and Air Force; Department of State; Department of 
Treasury; Department of Energy; Department of Justice; Federal Bureau 
of Investigation; National Reconnaissance Office; National Geospatial-
Intelligence Agency; Coast Guard; Department of Homeland Security, and 
the Drug Enforcement Administration.
  Congress too has increased its oversight responsibilities. Committees 
other than the intelligence committees of the House and Senate have 
jurisdiction over such departments as Homeland Security, State, 
Defense, Justice, Energy, Treasury, and Commerce.
  But all of these ``non-intelligence'' committees are restricted in 
their ability to conduct effective oversight of intelligence function 
of the agencies under their jurisdiction because, unfortunately, the 
intelligence community stonewalls the Government Accountability Office 
(GAO) when committees

[[Page S87]]

of jurisdiction request that GAO investigate problems. This is 
happening despite the clear responsibility of Congress to ensure that 
these agencies are operating effectively to protect America.
  It is inconceivable that the GAO--the audit arm of the U.S. 
Congress--has been unable to conduct evaluations of the CIA for over 40 
years. If the GAO had been able to conduct basic auditing functions of 
the CIA, perhaps some of the problems that were so clearly exposed 
following the terrorist attacks in September 2001 would have been 
resolved. And yet, it is extraordinary that five years after 9-11, the 
same problems persist.
  Two recent incidents have made this situation disturbingly clear. At 
a hearing entitled, ``Access Delayed: Fixing the Security Clearance 
Process, Part II,'' before my Subcommittee on Oversight of Government 
Management, the Federal Workforce, and the District of Columbia, on 
November 9, 2005, GAO was asked about steps it would take to ensure 
that the Office of Personnel Management (OPM), the Office of Management 
and Budget, and the intelligence community met the goals and objectives 
outlined in the OPM security clearance strategic plan. Fixing the 
security clearance process, which is on GAO's high-risk list, is 
essential to our national security. But as GAO observed in a written 
response to a question raised by Senator Voinovich, ``while we have the 
authority to do such work, we lack the cooperation we need to get our 
job done in that area.''
  A similar case arose in response to a GAO investigation for the 
Senate Homeland Security Committee and the House Government Reform 
Committee on how agencies are sharing terrorism-related and sensitive 
but unclassified information. The report, entitled ``Information 
Sharing, the Federal Government Needs to Establish Policies and 
Processes for Sharing Terrorism-Related and Sensitive but Unclassified 
Information'' (GAO-06-385), was released in March 2006.
  At a time when Congress is criticized by members of the 9-11 
Commission for failing to implement its recommendations, we should 
remember that improving terrorism information sharing among agencies 
was one of the critical recommendations of the Commission. Moreover, 
the Intelligence Reform and Terrorism Prevention Act of 2004 mandated 
the sharing of terrorism information through the creation of an 
Information Sharing Environment. Yet, when asked by GAO for comments on 
the GAO report, the Office of the Director of National Intelligence 
refused, stating that ``the review of intelligence activities is beyond 
GAO's purview.''
  A Congressional Research Service memorandum entitled, ``Overview of 
`Classified' and `Sensitive but Unclassified' Information,'' concludes, 
``it appears that pseudo-classification markings have, in some 
instances, had the effect of deterring information sharing for homeland 
security.''
  Unfortunately I have more examples that predate the post 9-11 
reforms. Indeed, in July 2001, in testimony, entitled ``Central 
Intelligence Agency, Observations on GAO Access to Information on CIA 
Programs and Activities'' (GAO-01-975T) before the House Committee on 
Government Reform, the GAO noted, as a practical manner, ``our access 
is generally limited to obtaining information on threat assessments 
when the CIA does not perceives [sic] our audits as oversight of its 
activities.''
  The bill I introduce today does not detract from the authority of the 
intelligence committees. In fact, the language makes explicit that the 
Comptroller General may conduct an audit or evaluation of intelligence 
sources and methods or covert actions only upon the request of the 
intelligence committees or at the request of the congressional majority 
or minority leaders. The measure also prescribes for the security of 
the information collected by the Comptroller General.
  As both House Rule 48 and Senate Resolution 400 establishing the 
intelligence oversight committees state, ``Nothing in this [charter] 
shall be construed as amending, limiting, or otherwise changing the 
authority of any standing committee of the, House/Senate, to obtain 
full and prompt access to the product of the intelligence activities of 
any department or agency of the Government relevant to a matter 
otherwise within the jurisdiction of such committee.''
  Despite this clear and unambiguous statement, the ability of non-
intelligence committees to obtain information, no matter how vital to 
improving the security of our nation, has been restricted by the 
various elements of the intelligence community.
  My bill reaffirms the authority of the Comptroller General to conduct 
audits and evaluations--other than those relating to sources and 
methods, or covert actions--relating to the management and 
administration of elements of the intelligence community in areas such 
as strategic planning, financial management, information technology, 
human capital, knowledge management, information sharing, and change 
management for other relevant committees of the Congress.
  As I mentioned earlier in my statement, Congress also has the 
responsibility of ensuring that unfettered intelligence collection does 
not trample civil liberties. New technologies and new personal 
information data bases threaten our individual right to a secure 
private life, free from unlawful government invasion. We must ensure 
that private information collected by the intelligence community is not 
misused and is secure. Intelligence agencies have a legitimate mission 
to protect the country against potential threats. However, Congress' 
role is to ensure that their mission remains legitimate.
  Attached is a detailed description of the legislation that I ask 
unanimous consent be printed in the Record.
  I urge my colleagues to join me in supporting this legislation.
  I ask unanimous consent that the text of the legislation I am 
introducing be printed in the Record.
  There being no objection, the text of the material was ordered to be 
printed in the Record, as follows:

                            Report Language

       Section 1 of the Act provides that the Act may be cited as 
     the ``Intelligence Community Audit Act of 2007''.
       Section 2(a) of the Act adds a new Section (3523a) to title 
     31, United States Code, with respect to the Comptroller 
     General's authority to audit or evaluate activities of the 
     intelligence community. New Section 3523a(b)(1) reaffirms 
     that the Comptroller General possesses, under his existing 
     statutory authority, the authority to perform audits and 
     evaluations of financial transactions, programs, and 
     activities of elements of the intelligence community and to 
     obtain access to records for the purposes of such audits and 
     evaluations. Such work could be done at the request of the 
     congressional intelligence committees or any committee of 
     jurisdiction of the House of Representatives or Senate 
     (including the Committee on Homeland Security of the House of 
     Representatives and the Committee on Homeland Security and 
     Governmental Affairs of the Senate), or at the Comptroller 
     General's initiative, pursuant to the existing authorities 
     referenced in new Section 3523a(b)(1). New Section 
     3523a(b)(2) further provides that these audits and 
     evaluations under the Comptroller General's existing 
     authority may include, but are not limited to, matters 
     relating to the management and administration of elements of 
     the intelligence community in areas such as strategic 
     planning, financial management, information technology, human 
     capital, knowledge management, information sharing, and 
     change management. These audits and evaluations would be 
     accompanied by the safeguards that the Government 
     Accountability Office (GAO) has in place to protect 
     classified and other sensitive information, including 
     physical security arrangements, classification and 
     sensitivity reviews, and restricted distribution of certain 
     products.
       This reaffirmation is designed to respond to Executive 
     Branch assertions that GAO does not have the authority to 
     review activities of the intelligence community. To the 
     contrary, GAO's current statutory audit and access 
     authorities permit it to evaluate a wide range of activities 
     in the intelligence community. To further ensure that GAO's 
     authorities are appropriately construed in the future, the 
     new Section 3523a(e), which is described below, makes clear 
     that nothing in this or any other provision of law shall be 
     construed as restricting or limiting the Comptroller 
     General's authority to audit and evaluate, or obtain access 
     to the records of, elements of the intelligence community 
     absent specific statutory language restricting or limiting 
     such audits, evaluations, or access to records.
       New Section 3523a(c)(1) provides that Comptroller General 
     audits or evaluations of intelligence sources and methods, or 
     covert actions may be undertaken only upon the request of the 
     Select Committee on Intelligence of the Senate, or the 
     Permanent Select Committee on Intelligence of the House of 
     Representatives, or the majority or the minority leader of 
     the Senate or the House of Representatives. This limitation 
     is intended to recognize the heightened sensitivity of audits 
     and evaluations relating to

[[Page S88]]

     intelligence sources and methods, or covert actions.
       The new Section 3523a(c)(2)(A) provides that the results of 
     such audits or evaluations under Section 3523a(c) may be 
     disclosed only to the original requestor, the Director of 
     National Intelligence, and the head of the relevant element 
     of the intelligence community. Since the methods GAO uses to 
     communicate the results of its audits or evaluations vary, 
     this provision restricts the dissemination of GAO's findings 
     under Section 3523a(c), whether through testimony, oral 
     briefings, or written reports, to only the original 
     requestor, the Director of National Intelligence, and the 
     head of the relevant element of the intelligence community. 
     Similarly, under new Section 3523a(c)(2)(B), the Comptroller 
     General may only provide information obtained in the course 
     of such an audit or evaluation to the original requestor, the 
     Director of National Intelligence, and the head of the 
     relevant element of the intelligence community.
       The new Section 3523a(c)(3)(A) provides that 
     notwithstanding any other provision of law, the Comptroller 
     General may inspect records of any element of the 
     intelligence community relating to intelligence sources and 
     methods, or covert actions in order to perform audits and 
     evaluations pursuant to Section 3523a(c). The Comptroller 
     General's access extends to any records which belong to, or 
     are in the possession and control of, the element of the 
     intelligence community regardless of who was the original 
     owner of such information. Under new Section 3523a(c)(3)(B), 
     the Comptroller General may enforce the access rights 
     provided under this subsection pursuant to section 716 of 
     title 31. However, before the Comptroller General files a 
     report pursuant to 31 U.S.C. 716(b)(1), the Comptroller 
     General must consult with the original requestor concerning 
     the Comptroller General's intent to file a report.
       The new Section 3523a(c)(4) reiterates the Comptroller 
     General's obligations to protect the confidentiality of 
     information and adds special safeguards to protect records 
     and information obtained from elements of the intelligence 
     community for audits and evaluations performed under Section 
     3523a(c). For example, pursuant to new Section 
     3523a(c)(4)(B), the Comptroller General is to maintain on 
     site, in facilities furnished by the element of the 
     intelligence community subject to audit or evaluation, all 
     workpapers and records obtained for the audit or evaluation. 
     Under new Section 3523a(c)(4)(C), the Comptroller General is 
     directed, after consulting with the Select Committee on 
     Intelligence of the Senate and the Permanent Select Committee 
     on Intelligence of the House of Representatives, to establish 
     procedures to protect from unauthorized disclosure all 
     classified and other sensitive information furnished to the 
     Comptroller General under Section 3523a(c). Under new Section 
     3523a(c)(4)(D), prior to initiating an audit or evaluation 
     under Section 3523a(c), the Comptroller General shall provide 
     the Director of National Intelligence and the head of the 
     relevant element of the intelligence community with the name 
     of each officer and employee of the Government Accountability 
     Office who has obtained appropriate security clearances.
       The new Section 3523a(d) provides that elements of the 
     intelligence community shall cooperate fully with the 
     Comptroller General and provide timely responses to 
     Comptroller General requests for documentation and 
     information.
       The new Section 3523a(e) makes clear that nothing in this 
     or any other provision of law shall be construed as 
     restricting or limiting the Comptroller General's authority 
     to audit and evaluate, or obtain access to the records of, 
     elements of the intelligence community absent specific 
     statutory language restricting or limiting such audits, 
     evaluations, or access to records.
                                  ____



                               Congressional Research Service,

                                                    July 18, 2006.
     From: Harold C. Relyea, Specialist in American National 
         Government, Government and Finance Division.
     Subject: Overview of ``Classified'' and ``Sensitive but 
         Unclassified'' Information.
       Prescribed in various ways, federal policies may require 
     the protection of, or a privileged status for, particular 
     kinds of information. This memorandom provides a brief 
     introduction to, and overview of, two categories of such 
     information policy. The first category is demarcated largely 
     in a single policy instrument--a presidential executive 
     order--with a clear focus and in considerable detail: the 
     classification of national security information in terms of 
     three degrees of harm the disclosure of such information 
     could cause to the nation, resulting in Confidential, Secret, 
     and Top Secret designations. The second category is, by 
     contrast with the first, much broader in terms of the kinds 
     of information it covers, to the point of even being nebulous 
     in some instances, and is expressed in various instruments, 
     the majority of which are non-statutory: the marking of 
     sensitive but unclassified (SBU) information for protective 
     management, although its public disclosure may be permissible 
     pursuant to the Freedom of Information Act (FOIA). These two 
     categories are reviewed in the discussion set out below.


                    security classified information

       Current security classification arrangements, prescribed by 
     an executive order of the President, trace their origins to a 
     March 1940 directive issued by President Franklin D. 
     Roosevelt as E.O. 8381. This development was probably 
     prompted somewhat by desires to clarify the authority of 
     civilian personnel in the national defense community to 
     classify information, to establish a broader basis for 
     protecting military information in view of growing global 
     hostilities, and to manage better a discretionary power 
     seemingly of increasing importance to the entire executive 
     branch. Prior to this 1940 order, information had been 
     designated officially secret by armed forces personnel 
     pursuant to Army and Navy general orders and regulations. The 
     first systematic procedures for the protection of national 
     defense information, devoid of special markings, were 
     established by War Department General Orders No. 3 of 
     February 1912. Records determined to be ``confidential'' were 
     to be kept under lock, ``accessible only to the officer to 
     whom intrusted.'' Serial numbers were issued for all such 
     ``confidential'' materials, with the numbers marked on the 
     documents, and lists of same kept at the offices from which 
     they emanated. With the enlargement of the armed forces after 
     the entry of the United States into World War I, the registry 
     system was abandoned and a tripartite system of 
     classification markings was inaugurated in November 1917 with 
     General Order No. 64 of the General Headquarters of the 
     American Expenditionary Force.
       The entry of the United States into World War II prompted 
     some additional arrangements for the protection of 
     information pertaining to the nation's security. Personnel 
     cleared to work on the Manhattan Project for the production 
     of the atomic bomb, for instance, in committing themselves 
     not to disclose protected information improperly, were 
     ``required to read and sign either the Espionage Act or a 
     special secrecy agreement,'' establishing their awareness of 
     their secrecy obligations and a fiduciary trust which, if 
     breached, constituted a basis for their dismissal.
       A few years after the conclusion of World War II, President 
     Harry S. Truman, in February 1950, issued E.O. 10104, which, 
     while superseding E.O. 8381, basically reiterated its text, 
     but added a fourth Top Secret classification designation to 
     existing Restricted, Confidential, and Secret markings, 
     making American information security categories consistent 
     with those of our allies. At the time of the promulgation of 
     this order, however, plans were underway for a complete 
     overhaul of the classification program, which would result in 
     a dramatic change in policy.
       E.O. 10290, issued in September 1951, introduced three 
     sweeping innovations in security classification policy. 
     First, the order indicated the Chief Executive was relying 
     upon ``the authority vested in me by the Constitution and 
     statutes, and as President of the United States'' in issuing 
     the directive. This formula appeared to strengthen the 
     President's discretion to make official secrecy policy: it 
     intertwined his responsibility as Commander in Chief with the 
     constitutional obligation to ``take care that the laws be 
     faithfully executed.'' Second, information was now classified 
     in the interest of ``national security,'' a somewhat new, but 
     nebulous, concept, which, in the view of some, conveyed more 
     latitude for the creation of official secrets. It replaced 
     the heretofore relied upon ``national defense'' standard for 
     classification. Third, the order extended classified 
     authority to nonmilitary entitie throughout the executive 
     branch, to be exercised by, presumably, but not explicitly 
     limited to, those having some role in ``national 
     security'' policy.
       The broad discretion to create official secrets granted by 
     E.O. 10290 engendered widespread criticism from the public 
     and the press. In response, President Dwight D. Eisenhower, 
     shortly after his election to office, instructed Attorney 
     General Herbert Brownell to review the order with a view to 
     revising or rescinding it. The subsequent recommendation was 
     for a new directive, which was issued in November 1953 as 
     E.O. 10501. It withdrew classification authority from 28 
     entities, limited this discretion in 17 other units to the 
     agency head, returned to the ``national defense'' standard 
     for applying secrecy, eliminated the ``Restricted'' category, 
     which was the lowest level of protection, and explicitly 
     defined the remaining three classification areas to prevent 
     their indiscriminate use.
       Thereafter, E.O. 10501, with slight amendment, prescribed 
     operative security classification policy and procedure for 
     the next two decades. Successor orders built on this reform. 
     These included E.O. 11652, issued by President Richard M. 
     Nixon in March 1972, followed by E.O. 12065, promulgated by 
     President Jimmy Carter in June 1978. For 30 years, these 
     classification directives narrowed the bases and discretion 
     for assigning official secrecy to executive branch documents 
     and materials. Then, in April 1982, this trend was reversed 
     with E.O. 12356, issued by President Ronald Reagan. This 
     order expanded the categories of classifiable information, 
     mandated that information falling within these categories be 
     classified, authorized the reclassification of previously 
     declassified documents, admonished classifiers to err on the 
     side classification, and eliminated automatic 
     declassification arrangements.
       President William Clinton returned security classification 
     policy and procedure to the reform trend of the Eisenhower, 
     Nixon, and Carter Administrations with E.O. 12958 in April 
     1995. Adding impetus to the development and issuance of the 
     new order were

[[Page S89]]

     changing world conditions: the democratization of many 
     eastern European countries, the demise of the Soviet Union, 
     and the end of the Cold War. Accountability and cost 
     considerations were also significant influences. In 1985, the 
     temporary Department of Defense (DOD) Security Review 
     Commission, chaired by retired General Richard G. Stilwell, 
     declared that there were ``no verifiable figures as to the 
     amount of classified material produced in DOD and in defense 
     industry each year.'' Nonetheless, it concluded that ``too 
     much information appears to be classified and much at higher 
     levels than is warranted.'' In October 1993, the cost of the 
     security classification program became clearer when the 
     General Accounting Office (GAO) reported that it was ``able 
     to identify government-wide costs directly applicable to 
     national security information totaling over $350 million for 
     1992.'' After breaking this figure down--it included only $6 
     million for declassification work--the report added that 
     ``the U.S. government also spends additional billions of 
     dollars annually to safeguard information, personnel, and 
     property.'' E.O. 12958 set limits for the duration of 
     classification, prohibited the reclassification of properly 
     declassified records, authorized government employees to 
     challenge the classification status of records, reestablished 
     the balancing test of E.O. 12065 weighing the need to protect 
     information vis-a-vis the public interest in its disclosure, 
     and created two review panels--one on classification and 
     declassification actions and one to advise on policy and 
     procedure.
       Most recently, in March 2003, President George W. Bush 
     issued E.O. 13292, amending E.O. 12958. Among the changes 
     made by this order were adding infrastructure vulnerabilities 
     or capabilities, protection services relating to national 
     security, and weapons of mass destruction to the categories 
     of classifiable information; easing the reclassification of 
     declassified records; postponing the automatic 
     declassification of protected records 25 or more years old, 
     beginning in mid-April 2003 to the end of December 2006; 
     eliminating the requirement that agencies prepare plans for 
     declassifying records; and permitting the Director of Central 
     Intelligence to block declassification actions of the 
     Interagency Security Classification Appeals Panel, unless 
     overruled by the President.
       The security classification program has evolved during the 
     past 66 years. One may not agree with all of its rules and 
     requirements. but attention to detail in its policy and 
     procedure result in a significant management regime. The 
     operative executive order, as amended, defines its principal 
     terms. Those who are authorized to exercise original 
     classification authority are identified. Exclusive categories 
     of classifiable information are specified, as are the terms 
     of the duration of classification, as well as classification 
     prohibitions and limitations. Classified information is 
     required to be marked appropriately along with the identity 
     of the original classifier, the agency or office of origin, 
     and a date or event for declassification. Authorized holders 
     of classified information who believe that its protected 
     status is improper are ``encouraged and expected'' to 
     challenge that status through prescribed arrangements. 
     Mandatory declassification reviews are also authorized to 
     determine if protected records merit continued classification 
     at their present level, a lower level, or at all. 
     Unsuccessful classification challenges and mandatory 
     declassification reviews are subject to review by the 
     Intragency Security Classification Appeals Panel. General 
     restrictions on access to classified information are 
     prescribed, as are distribution controls for classified 
     information. The Information Security Oversight Office (ISOO) 
     within the National Archives and Records Administration 
     (NARA) is mandated to provide central management and 
     oversight of the security classification program. If the 
     director of this entity finds that a violation of the order 
     or its implementing directives has occurred, it must be 
     reported to the head of the agency or to the appropriate 
     senior agency official so that corrective steps, if 
     appropriate, may be taken
       While Congress, thus far, has elected not to create 
     statutorily mandated security classification policy and 
     procedures, the option to do so has been explored in the 
     past, and its legislative authority to do so has been 
     recognized by the Supreme Court. Congress, however, has 
     established protections for certain kinds of information--
     such as Restricted Data in the Atomic Energy Acts of 1946 and 
     1954, and inte1ligence sources and methods in the National 
     Security Act of 1947--which have been realized through 
     security classification arrangements. It has acknowledged 
     properly applied security classification as a basis for 
     withholding records sought pursuant to the Freedom of 
     Information Act. Also, with a view to efficiency and economy, 
     as well as effective records management, committees of 
     Congress, on various occasions, have conducted oversight of 
     security classification policy and practice, and have been 
     assisted by GAO and CRS in this regard.


                 Sensitive but Unclassified Information

       The widespread existence and use of information control 
     markings other than those prescribed for the security 
     classification of information came to congressional attention 
     in March 1972 when a subcommittee of what is now the House 
     Committee on Government Reform launched the first oversight 
     hearings on the administration and operation of the Freedom 
     of Information Act (FOIA). Enacted in 1966, FOIA had become 
     operative in July 1967. In the early months of 1972, the 
     Nixon Administration was developing new security 
     classification policy and procedure, which wou1d be 
     prescribed in E.O. 11652, issued in early March. Preparatory 
     to this hearing, the panel had surveyed the departments and 
     agencies in August 1971, asking, among other questions, 
     ``What legend is used by your agency to identify records 
     which are not classifiable under Executive Order 10501 [the 
     operative order at the time] but which are not to be made 
     available outside the government?'' Of 58 information control 
     markings identified in response to this question, the most 
     common were For Official Use Only (11 agencies); Limited 
     Official Use (nine agencies); Official Use Only (eight 
     agencies); Restricted Data (five agencies); Administratively 
     Restricted (four agencies); Formerly Restricted Data (four 
     agencies); and Nodis, or no dissemination (four agencies). 
     Seven other markings were used by two agencies in each case. 
     A CRS review of the agency responses to the control markings 
     question prompted the following observation.
       Often no authority is cited for the establishment or origin 
     of these labels; even when some reference is provided it is a 
     handbook, manual, administrative order, or a circular but not 
     statutory authority. Exceptions to this are the Atomic Energy 
     Commission, the Defense Department and the Arms Control and 
     Disarmament Agency. These agencies cite the Atomic Atomic 
     Energy Act, N.A.T.O. related laws, and international 
     agreements as a basis for certain additional labels. The Arms 
     Control and Disarmament Agency acknowledged it honored and 
     adopted State and Defense Department labels.
       Over three decades later, it appears that approximately the 
     same number of these information control markings are in use; 
     that the majority of them are administratively, not 
     statutorily, prescribed; and that many of them have an 
     inadequate management regime, particularly when compared with 
     the detailed arrangements which govern the management of 
     classified information. A recent press account illustrates 
     another problem. In late January 2005, GCN Update, the 
     online, electronic news service of Government Computer News, 
     reported that ``dozens of classified Homeland Security 
     Department documents'' had been accidently made available on 
     a public Internet site for several days due to an apparent 
     security glitch at the Department of Energy. Describing the 
     contents of the compromised materials and reactions to the 
     breach, the account stated the ``documents were marked `for 
     official use only,' the lowest secret-level classification.'' 
     The documents, of course, were not security classified, 
     because the marking cited is not authorized by E.O. 12958. 
     Interestingly, however, in view of the fact that this 
     misinterpretation appeared in a story to which three 
     reporters contributed, perhaps it reflects, to some extent, 
     the current confusion of these information control markings 
     with security classification designations.
       Broadly considering the contemporary situation regarding 
     information control markings, a recent information security 
     report by the JASON Program Office of the MITRE Corporation 
     proffered the following assessment.
       The status of sensitive information outside of the present 
     classification system is murkier than ever. . . . ``Sensitive 
     but unclassified'' data is increasingly defined by the eye of 
     the beholder. Lacking in definition, it is correspondingly 
     lacking in policies and procedures for protecting (or not 
     protecting) it, and regarding how and by whom it is generated 
     and used.
       A contemporaneous Heritage Foundation report appeared to 
     agree with this appraisal, saying:
       The process for classifying secret information in the 
     federal government is disciplined and explicit. The same 
     cannot be said for unclassified but security-related 
     information for which there is no usable definition, no 
     common understanding about how to control it, no agreement on 
     what significance it has for U.S. national security, and no 
     means for adjudicating concerns regarding appropriate levels 
     of protection.
       Concerning the current Sensitive but Unclassified (SBU) 
     marking, a 2004 report by the Federal Research Division of 
     the Library of Congress commented that guidelines for its 
     use are needed, and noted that ``a uniform legal 
     definition or set of procedures applicable to all Federal 
     government agencies does not now exist.'' Indeed, the 
     report indicates that SBU has been utilized in different 
     contexts with little precision as to its scope or meaning, 
     and, to add a bit of chaos to an already confusing 
     situation, is ``often referred to as Sensitive Homeland 
     Security Information.''
       Assessments of the variety, management, and impact of 
     information control markings, other than those prescribed for 
     the classification of national security information, have 
     been conducted by CRS, GAO, and the National Security 
     Archive, a private sector research and resource center 
     located at The George Washington University. In March 2006, 
     GAO indicated that, in a recent survey, 26 federal agencies 
     reported using 56 different information control markings to 
     protect sensitive information other than classified national 
     security material. That same month, the National Security 
     Archive offered that, of 37 agencies surveyed, 24 used 28 
     control markings based on internal policies, procedures, or 
     practices, and eight used 10 markings based on statutory 
     authority. These

[[Page S90]]

     numbers are important in terms of the variety of such 
     markings. GAO explained this dimension of the management 
     problem.
       [T]here are at least 13 agencies that use the designation 
     For Official Use Only [FOUO], but there are at least five 
     different definitions of FOUO. At least seven agencies or 
     agency components use the term Law Enforcement Sensitive 
     (LES), including the U.S. Marshals Service, the Department of 
     Homeland Security (DHS), the Department of Commerce, and the 
     Office of Personnel Management (OPM). These agencies gave 
     differing definitions for the term. While DHS does not 
     formally define the designation, the Department of Commerce 
     defines it to include information pertaining to the 
     protection of senior government officials, and OPM defines it 
     as unclassified information used by law enforcement personnel 
     that requires protection against unauthorized disclosure to 
     protect the sources and methods of investigative activity, 
     evidence, and the integrity of pretrial investigative 
     reports.
       Apart from the numbers, however, is another aspect of the 
     management problem, which GAO described in the following 
     terms.
       There are no governmentwide policies or procedures that 
     describe the basis on which agencies should use most of these 
     sensitive but unclassified designations, explain what the 
     different designations mean across agencies, or ensure that 
     they will be used consistently from one agency to another. In 
     this absence, each agency determines what designations to 
     apply to the sensitive but unclassified information it 
     develops or shares.
       These markings also have implications in another regard. 
     The importance of information sharing for combating terrorism 
     and realizing homeland security was emphasized by the 
     National Commission on Terrorist Attacks Upon the United 
     States. That the variously identified and marked forms of 
     sensitive but unclassified (SBU) information could be 
     problematic with regard to information sharing was recognized 
     by Congress when fashioning the Homeland Security Act of 
     2002. Section 892 of that statute specifically directed the 
     President to prescribe and implement procedures for the 
     sharing of information by relevant federal agencies, 
     including the accommodation of ``homeland security 
     information that is sensitive but unclassified.'' On July 29, 
     2003, the President assigned this responsibility largely to 
     the Secretary of Homeland Security. Nothing resulted. The 
     importance of information sharing was reinforced two years 
     later in the report of the Commission on the Intelligence 
     Capabilities of the United States Regarding Weapons of Mass 
     Destruction. Congress again responded by mandating the 
     creation of an Information Sharing Environment (ISE) when 
     legislating the Intelligence Reform and Terrorism Prevention 
     Act of 2004. Preparatory to implementing the ISE provisions, 
     the President issued a December 16, 2005, memorandum 
     recognizing the need for standardized procedures for SBU 
     information and directing department and agency officials to 
     take certain actions relative to that objective. In May 2006, 
     the newly appointed manager of the ISE agreed with a March 
     GAO assessment that, oftentimes, SBU information, designated 
     as such with some marking, was not being shared due to 
     concerns about the ability of recipients to adequately 
     protect it. In brief, it appears that pseudo-classification 
     markings have, in some instances, had the effect of deterring 
     information sharing for homeland security purposes.
       Congressional overseers have probed executive use and 
     management of information control markings other than those 
     prescribed for the classification of national security 
     information, and the extent to which they result in ``pseudo-
     classification'' or a form of overclassification. Relevant 
     remedial legislation proposed during the 109th Congress 
     includes two bills (H.R. 2331 and H.R. 5112) containing 
     sections which would require the Archivist of the United 
     States to prepare a detailed report regarding the number, 
     use, and management of these information control markings and 
     submit it to specified congressional committees, and to 
     promulgate regulations banning the use of these markings and 
     otherwise establish standards for information control 
     designations established by statute or an executive order 
     relating to the classification of national security 
     information. A section in the Department of Homeland Security 
     appropriations legislation (H.R. 5441), as approved by the 
     House, would require the Secretary of Homeland Security to 
     revise DHS MD (Management Directive) 11056 to include (1) 
     provision that information that is three years old and not 
     incorporated in a current, active transportation security 
     directive or security plan shall be determined automatically 
     to be releasable unless, for each specific document, the 
     Secretary makes a written determination that identifies a 
     compelling reason why the information must remain Sensitive 
     Security Information (SS1); (2) common and extensive examples 
     of the individual categories of SSI cited in order to 
     minimize and standardize judgment in the application of SSI 
     marking; and (3) provision that, in all judicial proceedings 
     where the judge overseeing the proceedings has adjudicated 
     that a party needs to have access to SSI, the party shall be 
     deemed a covered person for purposes of access to the SSI at 
     issue in the case unless TSA or DHS demonstrates a compelling 
     reason why the specific individual presents a risk of harm to 
     the nation. A May 25, 2006, statement of administration 
     policy on the bill strongly opposed the section, saying it 
     ``would jeopardize an important program that protects 
     Sensitive Security Information (SSI) from public release by 
     deeming it automatically releaseable in three years, 
     potentially conflict with requirements of the Privacy and 
     Freedom of Information Acts, and negate statutory provisions 
     providing original jurisdiction for lawsuits challenging. the 
     designation of SSI materials in the U.S. Courts of Appeals.'' 
     The statement further indicated that the section would create 
     a burdensome review process'' for the Secretary of Homeland 
     Security and would result in different statutory requirements 
     being applied to SSI programs administered by the Departments 
     of Homeland Security and Transportation.''
                                  ____



                               Congressional Research Service,

                              Washington, DC., September 14, 2006.
     From: Alfred Cumming, Specialist in Intelligence and National 
         Security, Foreign Affairs, Defense, and Trade Division.
     Subject: Congressional Oversight of Intelligence.
       This memorandum examines the intelligence oversight 
     structure established by Congress in the 1970s, including the 
     creation of the congressional select intelligence committees 
     by the U.S. House of Representatives and the Senate, 
     respectively. It also looks at the intelligence oversight 
     role that Congress reserved for congressional committees 
     other than the intelligence committees; examines certain 
     existing statutory procedures that govern how the executive 
     branch is to keep the congressional intelligence committees 
     informed of U.S. intelligence activities; and looks at the 
     circumstances under which the two intelligence committees are 
     expected to keep congressional standing committees, as well 
     as both chambers, informed of intelligence activities.
       If can be of further assistance, please call at 707-7739.


                               Background

       In the wake of congressional investigations into 
     Intelligence Community activities in the mid-1970s, the U.S. 
     Senate in 1976 created a select committee on intelligence to 
     conduct more effective oversight on a continuing basis. The 
     U.S. House of Representatives established its own 
     intelligence oversight committee the following year.
       Until the two intelligence committees were created, other 
     congressional standing committees--principally the Senate and 
     House Armed Services and Appropriations committees--shared 
     responsibility for overseeing the intelligence community. 
     Although willing to cede primary jurisdiction over the 
     Central Intelligence Agency (CIA) to the two new select 
     intelligence committees, these congressional standing 
     committees wanted to retain jurisdiction over the 
     intelligence activities of the other departments and agencies 
     they oversaw. According to one observer, the standing 
     committees asserted their jurisdictional prerogatives for two 
     reasons--to protect ``turf,'' but also to provide ``a hedge 
     against the possibility that the newly launched experiment in 
     oversight might go badly.''


             intelligence committees; statutory obligations

       Under current statute, the President is required to ensure 
     that the congressional intelligence committees are kept 
     ``fully and currently informed'' of U.S. intelligence 
     activities, including any ``significant anticipated 
     intelligence activity,'' and the President and the 
     intelligence committees are to establish any procedures as 
     may be necessary to carry out these provisions.
       The statute, however, stipulates that the intelligence 
     committees in turn are responsible for alerting the 
     respective chambers or congressional standing committees of 
     any intelligence activities requiring further attention. The 
     intelligence committees are to carry out this 
     responsibility in accordance with procedures established 
     by the House of Representatives and the Senate, in 
     consultation with the Director of National Intelligence, 
     in order to protect against unauthorized disclosure of 
     classified information, and all information relating to 
     sources and methods.
       The statute stipulates that: ``each of the congressional 
     intelligence committees shall promptly call to the attention 
     of its respective House, or to any appropriate committee or 
     committees of its respective House, any matter relating to 
     intelligence activities requiring the attention of such House 
     or such committee or committees.
       This provision was included in statute after being 
     specifically requested in a letter from then Senate Foreign 
     Relations Chairman Frank Church and Ranking Minority Member 
     Jacob Javits in an Apr. 30, 1980 letter to then-intelligence 
     committee Chairman Birch Bayh and Vice Chairman Barry 
     Goldwater.


          Intelligence Committee Obligations Under Resolution

       In an apparent effort to address various concerns relating 
     to committee jurisdiction, the House of Representatives and 
     the Senate, in the resolutions establishing each of the 
     intelligence committees, included language preserving 
     oversight roles for those standing committees with 
     jurisdiction over matters affected by intelligence 
     activities.
       Specifically, each intelligence committee's resolution 
     states that: ``Nothing in this [Charter] shall be construed 
     as prohibiting or otherwise restricting the authority of any 
     other committee to study and review any intelligence activity 
     to the extent that such activity directly affects a matter 
     otherwise within the jurisdiction of such committee.''

[[Page S91]]

       Both resolutions also stipulate that:

     Nothing in this [charter] shall be construed as amending, 
     limiting, or otherwise changing the authority of any standing 
     committee of the [House/Senate] to obtain full and prompt 
     access to the product of the intelligence activities of any 
     department or agency of the Government relevant to a matter 
     otherwise within the jurisdiction of such committee.

       Finally, both charters direct that each intelligence 
     committee alert the appropriate standing committees, or the 
     respective chambers, of any matter requiring attention. The 
     charters state:
       The select committee, for the purposes of accountability to 
     the [House/Senate] shall make regular and periodic reports to 
     the [House/Senate] on the nature and extent of the 
     intelligence activities of the various departments and 
     agencies of the United States. Such committee shall promptly 
     call to the attention of the [House/Senate] or to any other 
     appropriate committee or committees of the [House/Senate] any 
     matters requiring the attention of the [House/Senate] or such 
     other appropriate committee or committees.


                         Cross-over Membership

       Both resolutions also direct that the membership of each 
     intelligence committee include members who serve on the four 
     standing committees that historically have been involved in 
     intelligence oversight. The respective resolutions designate 
     the following committees as falling in this category: 
     Appropriations, Armed Services, Judiciary, and the Senate 
     Foreign Relations Committee and the House International 
     Relations Committee.
       Although each resolution directs that such cross-over 
     members be designated, neither specifies whether cross-over 
     members are to play any additional role beyond serving on the 
     intelligence committees. For example, neither resolution 
     outlines whether cross-over members are to inform colleagues 
     on standing committees they represent. Rather, each 
     resolution directs only that the ``intelligence committee'' 
     shall promptly call such matters to the attention of standing 
     committees and the respective chambers if the committees 
     determine that they require further attention by those 
     entities.


                          Summary Conclusions

       Although the President is statutorily obligated to keep the 
     congressional intelligence committees fully and currently 
     informed of intelligence activities, the statute obligates 
     the intelligence committees to inform the respective 
     chambers, or standing committees, of such activities, if 
     either of the two committees determine that further oversight 
     attention is required.
       Further, resolutions establishing the two intelligence 
     committees make clear that the intelligence committees share 
     intelligence oversight responsibilities with other standing 
     committees, to the extent that certain intelligence 
     activities affect matters that fall under the jurisdiction of 
     a committee other than the intelligence committees.
       Finally, the resolutions establishing the intelligence 
     committees provide for the designation of ``cross-over'' 
     members representing certain standing committees that played 
     a role in intelligence oversight prior to the establishment 
     of the intelligence committees in the 1970s. The resolutions, 
     however, do not specify what role, if any, these ``cross-
     over'' members play in keeping standing committees on which 
     they serve informed of certain intelligence activities. 
     Rather, each resolution states that the respective 
     intelligence committee shall make that determination.
                                  ____


                                 S. 82

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Intelligence Community Audit 
     Act of 2007''.

     SEC. 2. COMPTROLLER GENERAL AUDITS AND EVALUATIONS OF 
                   ACTIVITIES OF ELEMENTS OF THE INTELLIGENCE 
                   COMMUNITY.

       (a) Reaffirmation of Authority; Audits of Intelligence 
     Community Activities.--Chapter 35 of title 31, United States 
     Code, is amended by inserting after section 3523 the 
     following:

     ``Sec. 3523a. Audits of intelligence community; audit 
       requesters

       ``(a) In this section, the term `element of the 
     intelligence community' means an element of the intelligence 
     community specified in or designated under section 3(4) of 
     the National Security Act of 1947 (50 U.S.C. 401a(4)).
       ``(b) Congress finds that--
       ``(1) the authority of the Comptroller General to perform 
     audits and evaluations of financial transactions, programs, 
     and activities of elements of the intelligence community 
     under sections 712, 717, 3523, and 3524, and to obtain access 
     to records for purposes of such audits and evaluations under 
     section 716, is reaffirmed; and
       ``(2) such audits and evaluations may be requested by any 
     committee of jurisdiction (including the Committee on 
     Homeland Security of the House of Representatives and the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate), and may include matters relating to the 
     management and administration of elements of the intelligence 
     community in areas such as strategic planning, financial 
     management, information technology, human capital, knowledge 
     management, information sharing (including information 
     sharing by and with the Department of Homeland Security), and 
     change management.
       ``(c)(1) The Comptroller General may conduct an audit or 
     evaluation of intelligence sources and methods or covert 
     actions only upon request of the Select Committee on 
     Intelligence of the Senate or the Permanent Select Committee 
     on Intelligence of the House of Representatives, or the 
     majority or the minority leader of the Senate or the House of 
     Representatives.
       ``(2)(A) Whenever the Comptroller General conducts an audit 
     or evaluation under paragraph (1), the Comptroller General 
     shall provide the results of such audit or evaluation only to 
     the original requestor, the Director of National 
     Intelligence, and the head of the relevant element of the 
     intelligence community.
       ``(B) The Comptroller General may only provide information 
     obtained in the course of an audit or evaluation under 
     paragraph (1) to the original requestor, the Director of 
     National Intelligence, and the head of the relevant element 
     of the intelligence community.
       ``(3)(A) Notwithstanding any other provision of law, the 
     Comptroller General may inspect records of any element of the 
     intelligence community relating to intelligence sources and 
     methods, or covert actions in order to conduct audits and 
     evaluations under paragraph (1).
       ``(B) If in the conduct of an audit or evaluation under 
     paragraph (1), an agency record is not made available to the 
     Comptroller General in accordance with section 716, the 
     Comptroller General shall consult with the original requestor 
     before filing a report under subsection (b)(1) of that 
     section.
       ``(4)(A) The Comptroller General shall maintain the same 
     level of confidentiality for a record made available for 
     conducting an audit under paragraph (1) as is required of the 
     head of the element of the intelligence community from which 
     it is obtained. Officers and employees of the Government 
     Accountability Office are subject to the same statutory 
     penalties for unauthorized disclosure or use as officers or 
     employees of the intelligence community element that provided 
     the Comptroller General or officers and employees of the 
     Government Accountability Office with access to such records.
       ``(B) All workpapers of the Comptroller General and all 
     records and property of any element of the intelligence 
     community that the Comptroller General uses during an audit 
     or evaluation under paragraph (1) shall remain in facilities 
     provided by that element of the intelligence community. 
     Elements of the intelligence community shall give the 
     Comptroller General suitable and secure offices and 
     furniture, telephones, and access to copying facilities, for 
     purposes of audits and evaluations under paragraph (1).
       ``(C) After consultation with the Select Committee on 
     Intelligence of the Senate and with the Permanent Select 
     Committee on Intelligence of the House of Representatives, 
     the Comptroller General shall establish procedures to protect 
     from unauthorized disclosure all classified and other 
     sensitive information furnished to the Comptroller General or 
     any representative of the Comptroller General for conducting 
     an audit or evaluation under paragraph (1).
       ``(D) Before initiating an audit or evaluation under 
     paragraph (1), the Comptroller General shall provide the 
     Director of National Intelligence and the head of the 
     relevant element with the name of each officer and employee 
     of the Government Accountability Office who has obtained 
     appropriate security clearance and to whom, upon proper 
     identification, records, and information of the element of 
     the intelligence community shall be made available in 
     conducting the audit or evaluation.
       ``(d) Elements of the intelligence community shall 
     cooperate fully with the Comptroller General and provide 
     timely responses to Comptroller General requests for 
     documentation and information.
       ``(e) Nothing in this section or any other provision of law 
     shall be construed as restricting or limiting the authority 
     of the Comptroller General to audit and evaluate, or obtain 
     access to the records of, elements of the intelligence 
     community absent specific statutory language restricting or 
     limiting such audits, evaluations, or access to records.''.
       (b) Technical and Conforming Amendment.--The table of 
     sections for chapter 35 of title 31, United States Code, is 
     amended by inserting after the item relating to section 3523 
     the following:


``3523a. Audits of intelligence community; audits and requesters.''.
                                 ______