Managing Sensitive Information: DOE and DOD Could Improve Their
Policies and Oversight (14-MAR-06, GAO-06-531T).
In the interest of national security and personal privacy and for
other reasons, federal agencies place dissemination restrictions
on information that is unclassified yet still sensitive. The
Department of Energy (DOE) and the Department of Defense (DOD)
have both issued policy guidance on how and when to protect
sensitive information. DOE marks documents with this information
as Official Use Only (OUO) while DOD uses the designation For
Official Use Only (FOUO). GAO was asked to (1) identify and
assess the policies, procedures, and criteria DOE and DOD employ
to manage OUO and FOUO information; and (2) determine the extent
to which DOE's and DOD's training and oversight programs assure
that information is identified, marked, and protected according
to established criteria.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-06-531T
ACCNO: A48977
TITLE: Managing Sensitive Information: DOE and DOD Could Improve
Their Policies and Oversight
DATE: 03/14/2006
SUBJECT: Confidential communication
Confidential information
Employee training
Evaluation criteria
Information access
Information management
Internal controls
Policy evaluation
Program evaluation
Policies and procedures
Transparency
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-06-531T
* DOE and DOD Lack Clear OUO and FOUO Guidance in Key Aspects
* Neither DOE nor DOD Requires Training or Conducts Oversight
* OUO and FOUO Training Is Generally Not Required
* Oversight of OUO and FOUO Programs Is Lacking
* GAO Contacts and Staff Acknowledgments
* GAO's Mission
* Obtaining Copies of GAO Reports and Testimony
* Order by Mail or Phone
* To Report Fraud, Waste, and Abuse in Federal Programs
* Congressional Relations
* Public Affairs
Testimony
Before the Subcommittee on National Security, Emerging Threats, and
International Relations, Committee on Government Reform, House of
Representatives
United States Government Accountability Office
GAO
For Release on Delivery Expected at 2:00 p.m. EST
Tuesday, March 14, 2006
MANAGING SENSITIVE INFORMATION
DOE and DOD Could Improve Their Policies and Oversight
Statement of Davi M. D'Agostino, Director Defense Capabilities and
Management, and Gene Aloise, Director Natural Resources and Environment
GAO-06-531T
Mr. Chairman and Members of the Subcommittee:
We are pleased to be here today to discuss our work on how the Departments
of Energy (DOE) and Defense (DOD) use the designations Official Use Only
(OUO) and For Official Use Only (FOUO), respectively, to manage
information that is unclassified but sensitive. My testimony today is
based on our report issued earlier this month entitled Managing Sensitive
Information: Departments of Energy and Defense Policies and Oversight
Could Be Improved ( GAO-06-369 ). This report (1) identified and assessed
the policies, procedures, and criteria that DOE and DOD employ to manage
OUO and FOUO information; and (2) determined the extent to which DOE's and
DOD's training and oversight programs assure that information is
identified and marked according to established criteria.
In summary, both DOE and DOD base their programs on the premise that
information designated as OUO or FOUO must (1) have the potential to cause
foreseeable harm to governmental, commercial, or private interests if
disseminated to the public or persons who do not need the information to
perform their jobs; and (2) fall under at least one of eight Freedom of
Information Act (FOIA) exemptions.1 (See the appendix for a list and
description of the exemptions of FOIA.) Both agencies have policies in
place to implement their programs. However, our analysis of these policies
showed a lack of clarity in key areas that could allow inconsistencies and
errors to occur. Specifically:
o It is unclear which DOD office is responsible for the FOUO
program, and whether personnel designating a document as FOUO
should note the FOIA exemption used as the basis for the
designation on the document.
o Both DOE's and DOD's policies are unclear regarding at what
point a document should be marked as OUO or FOUO and what would be
an inappropriate use of the OUO or FOUO designation. For example,
OUO or FOUO designations should not be used to conceal agency
mismanagement.
In addition, while both DOE and DOD offer training on their OUO
and FOUO policies, neither DOE nor DOD has an agencywide
requirement that employees be trained before they designate
documents as OUO or FOUO. Moreover, neither agency conducts
oversight to assure that information is appropriately identified
and marked as OUO or FOUO. This lack of training requirements and
oversight leaves DOE and DOD officials unable to assure that OUO
and FOUO documents are marked and handled in a manner consistent
with agency policies and may result in inconsistencies and errors
in the application of the programs.
We recommended that both agencies clarify their policies and
guidance to identify at what point a document should be marked as
OUO or FOUO and to define inappropriate uses of these
designations. We also recommended that DOD clarify its policies as
to which office is responsible for the FOUO program and that it
require personnel designating a document as FOUO also to note the
FOIA exemption they used to determine that the information should
be restricted. With regard to training and management oversight,
we recommended that both DOE and DOD require personnel to be
trained before they can designate information as OUO or FOUO, and
that they develop a system to conduct periodic oversight of OUO or
FOUO designations to assure that their policies are being
followed.
In commenting on our draft report, DOE and DOD agreed with most of
our recommendations, but DOD disagreed that personnel designating
a document as FOUO should also mark the document with the FOIA
exemption used to determine that the information should be
restricted. DOD expressed concern that an individual may apply an
incorrect or inappropriate FOIA exemption and thus cause other
documents that are created from the original to also carry the
incorrect FOIA exemption or that the incorrect designation could
cause problems if a denial is litigated. However, we believe that
citing the applicable FOIA exemptions when marking a document will
cause the employee to consider the exemptions and make a
thoughtful determination that the information fits within the
framework of the FOUO designation. Also, when the public requests
documents, before DOD releases or denies release of the documents,
FOIA experts review them, at which time an incorrect initial
designation should be corrected. Our recommendation was intended
to better assure appropriate consideration of the FOIA exemptions
at the beginning of the process and we continue to believe that
this recommendation has merit.
Both DOE and DOD have established offices, designated staff, and
promulgated policies to provide a framework for the OUO and FOUO
programs. However, their policies lack sufficient clarity in
important areas, which could result in inconsistencies and errors.
DOE policy clearly identifies the office responsible for the OUO
program and establishes a mechanism to mark the FOIA exemption
used as the basis for the OUO designation on a document. However,
our analysis of DOD's FOUO policies shows that it is unclear which
DOD office is responsible for the FOUO program, and whether
personnel designating a document as FOUO should note the FOIA
exemption used as the basis for the designation on the document.
Also, both DOE's and DOD's policies are unclear regarding at what
point a document should be marked as OUO or FOUO, and what would
be an inappropriate use of the OUO or FOUO designation. In our
view, this lack of clarity exists in both DOE and DOD because the
agencies have put greater emphasis on managing classified
information, which is more sensitive than OUO or FOUO information.
DOE's Office of Security issued an order, a manual, and a guide in
April 2003 to detail the requirements and responsibilities for
DOE's OUO program and to provide instructions for identifying,
marking, and protecting OUO information.2 DOE's order established
the OUO program and laid out, in general terms, how sensitive
information should be identified and marked, and who is
responsible for doing so. The guide and the manual supplement the
order. The guide provides more detailed information on the
applicable FOIA exemptions to help staff decide whether
exemption(s) may apply, which exemption(s) may apply, or both. The
manual provides specific instructions for managing OUO
information, such as mandatory procedures and processes for
properly identifying and marking this information. For example,
the employee marking a document is required to place on the front
page of the document an OUO stamp that has a space for the
employee to identify which FOIA exemption is believed to apply;
the employee's name and organization; the date; and, if
applicable, any guidance the employee may have used in making this
determination.3 According to one senior DOE official, requiring
the employee to cite a reason why a document is designated as OUO
is one of the purposes of the stamp, and one means by which DOE's
Office of Classification encourages practices consistent with the
order, guide, and manual throughout DOE. Figure 1 shows the DOE
OUO stamp.
Figure 1: DOE's OUO Stamp
Source: DOE.
With regard to DOD, its regulations are unclear regarding which
DOD office controls the FOUO program. Although responsibility for
the FOUO program shifted from the Director for Administration and
Management to the Office of the Assistant Secretary of Defense,
Command, Control, Communications, and Intelligence (now the Under
Secretary of Defense, Intelligence) in October 1998, this shift is
not reflected in current regulations. Guidance for DOD's FOUO
program continues to be included in regulations issued by both
offices. As a result, which DOD office has primary responsibility
for the FOUO program is unclear. According to a DOD official, on
occasion this lack of clarity causes personnel who have FOUO
questions to contact the wrong office. A DOD official said that
the department began coordination of a revised Information
Security regulation covering the FOUO program at the end of
January 2006. The new regulation will reflect the change in
responsibilities and place greater emphasis on the management of
the FOUO program.
DOD currently has two regulations, issued by each of the offices
described above, containing similar guidance that addresses how
unclassified but sensitive information should be identified,
marked, handled, and stored.4 Once information in a document has
been identified as for official use only, it is to be marked FOUO.
However, unlike DOE, DOD has no departmentwide requirement to
indicate which FOIA exemption may apply to the information, except
when it has been determined to be releasable to a federal
governmental entity outside of DOD. We found, however, that one of
the Army's subordinate commands does train its personnel to put an
exemption on any documents that are marked as FOUO, but does not
have this step as a requirement in any policy. In our view, if DOD
were to require employees to take the extra step of marking the
exemption that may be the reason for the FOUO designation at the
time of document creation, it would help assure that the employee
marking the document had at least considered the exemptions and
made a thoughtful determination that the information fit within
the framework of the FOUO designation. Including the FOIA
exemption on the document at the time it is marked would also
facilitate better agency oversight of the FOUO program, since it
would provide any reviewer/inspector with an indication of the
basis for the marking.
In addition, both DOE's and DOD's policies are unclear as to the
point at which the OUO or FOUO designation should actually be
affixed to a document. If a document might contain information
that is OUO or FOUO but it is not so marked when it is first
created, the risk that the document could be mishandled increases.
DOE policy is vague about the appropriate time to apply a marking.
DOE officials in the Office of Classification stated that their
policy does not provide specific guidance about at what point to
mark a document because such decisions are highly situational.
Instead, according to these officials, the DOE policy relies on
the "good judgment" of DOE personnel in deciding the appropriate
time to mark a document. Similarly, DOD's current Information
Security regulation addressing the FOUO program does not identify
at what point a document should be marked. In contrast, DOD's
September 1998 FOIA regulation, in a chapter on FOUO, states that
"the marking of records at the time of their creation provides
notice of FOUO content and facilitates review when a record is
requested under the FOIA."5 In our view, a policy can provide
flexibility to address highly situational circumstances and also
provide specific guidance and examples of how to properly exercise
this flexibility.
In addition, we found that both DOE's and DOD's OUO and FOUO
programs lack clear language identifying examples of inappropriate
usage of OUO or FOUO markings. Without such language, DOE and DOD
cannot be confident that their personnel will not use these
markings to conceal mismanagement, inefficiencies, or
administrative errors, or to prevent embarrassment to themselves
or their agency.6
While both DOE and DOD offer training to staff on managing OUO and
FOUO information, neither agency requires any training of its
employees before they are allowed to identify and mark information
as OUO or FOUO, although some staff will eventually take OUO or
FOUO training as part of other mandatory training. In addition,
neither agency has implemented an oversight program to determine
the extent to which employees are complying with established
policies and procedures.
While many DOE units offer training on DOE's OUO policy, DOE does
not have a departmentwide policy that requires OUO training before
an employee is allowed to designate a document as OUO. As a
result, some DOE employees may be identifying and marking
documents for restriction from dissemination to the public or
persons who do not need to know the information to perform their
jobs, and yet may not be fully informed as to when it is
appropriate to do so. At DOE, the level of training that employees
receive is not systematic and varies considerably by unit, with
some requiring OUO training at some point as a component of other
periodic employee training, and others having no requirements at
all.
DOD similarly has no departmentwide training requirements before
staff are authorized to identify, mark, and protect information as
FOUO. The department relies on the individual services and field
activities within DOD to determine the extent of training that
employees receive. When training is provided, it is usually
included as part of a unit's overall security training, which is
required for many but not all employees. There is no requirement
to track which employees received FOUO training, nor is there a
requirement for periodic refresher training. Some DOD components,
however, do provide FOUO training for employees as part of their
security awareness training.
Neither DOE nor DOD knows the level of compliance with OUO and
FOUO program policies and procedures because neither agency
conducts any oversight to determine whether the OUO and FOUO
programs are being managed well. According to a senior manager in
DOE's Office of Classification, the agency does not review OUO
documents to assess whether they are properly identified and
marked. This condition appears to contradict the DOE policy
requiring the agency's senior officials to assure that the OUO
programs, policies, and procedures are effectively implemented.
Similarly, DOD does not routinely conduct oversight of its FOUO
program to assure that it is properly managed.
Without oversight, neither DOE nor DOD can assure that staff are
complying with agency policies. We are aware of at least one
recent case in which DOE's OUO policies were not followed. In
2005, several stories appeared in the news about revised estimates
of the cost and length of the cleanup of high-level radioactive
waste at DOE's Hanford Site in southeastern Washington. This
information was controversial because this multibillion-dollar
project has a history of delays and cost overruns, and DOE was
restricting a key document containing recently revised cost and
time estimates from being released to the public. This document,
which was produced by the U.S. Army Corps of Engineers for DOE,
was marked Business Sensitive by DOE. However, according to a
senior official in the DOE Office of Classification, Business
Sensitive is not a recognized marking in DOE. Therefore, there is
no DOE policy or guidance on how to handle or protect documents
marked with this designation. This official said that if
information in this document needed to be restricted from release
to the public, then the document should have been stamped OUO and
the appropriate FOIA exemption should have been marked on the
document.
In closing, the lack of clear policies, effective training, and
oversight in DOE's and DOD's OUO and FOUO programs could result in
both over- and underprotection of unclassified yet sensitive
government documents. Having clear policies and procedures in
place can mitigate the risk of program mismanagement and can help
DOE and DOD management assure that OUO or FOUO information is
appropriately marked and handled. DOE and DOD have no systemic
procedures in place to assure that staff are adequately trained
before designating documents OUO or FOUO, nor do they have any
means of knowing the extent to which established policies and
procedures for making these designations are being complied with.
These issues are important because they affect DOE's and DOD's
ability to assure that the OUO and FOUO programs are identifying,
marking, and safeguarding documents that truly need to be
protected in order to prevent potential damage to governmental,
commercial, or private interests.
Mr. Chairman, this concludes GAO's prepared statement. We would be
happy to respond to any questions that you or Members of the
Subcommittee may have.
For further information on this testimony, please contact either
Davi M. D'Agostino at (202) 512-5431 or [email protected] , or
Gene Aloise at (202) 512-3841 or [email protected] . Contact points
for our Offices of Congressional Relations and Public Affairs may
be found on the last page of this statement. Individuals making
key contributions to this testimony included Ann Borseth, David
Keefer, Kevin Tarmann, and Ned Woodward.
Sources: FOIA and GAO analysis.
aAs noted earlier in this report, classified information is not
included in DOE's and DOD's OUO and FOUO programs.
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in
meeting its constitutional responsibilities and to help improve
the performance and accountability of the federal government for
the American people. GAO examines the use of public funds;
evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
The fastest and easiest way to obtain copies of GAO documents at
no cost is through GAO's Web site ( www.gao.gov ). Each weekday,
GAO posts newly released reports, testimony, and correspondence on
its Web site. To have GAO e-mail you a list of newly posted
products every afternoon, go to www.gao.gov and select "Subscribe
to Updates."
The first copy of each printed report is free. Additional copies
are $2 each. A check or money order should be made out to the
Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are
discounted 25 percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax:
(202) 512-6061
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
[email protected] Automated answering system: (800) 424-5454 or
(202) 512-7470
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548
Paul Anderson, Managing Director, [email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW,
Room 7149 Washington, D.C. 20548
1Freedom of Information Act (5 U.S.C. sec. 552). FOIA exemption 1 solely
concerns classified information, which is governed by Executive Order; DOE
and DOD do not include this category in their OUO and FOUO programs since
the information is already restricted by each agency's classified
information procedures. In addition, exemption 3 addresses information
specifically exempted from disclosure by statute, which may or may not be
considered OUO or FOUO. Information that is classified or controlled under
a statute, such as Restricted Data or Formerly Restricted Data under the
Atomic Energy Act, is not also designated as OUO or FOUO.
DOE and DOD Lack Clear OUO and FOUO Guidance in Key Aspects
2DOE Order 471.3, Identifying and Protecting Official Use Only
Information, contains responsibilities and requirements; DOE Manual
471.3-1, Manual for Identifying and Protecting Official Use Only
Information, provides instructions for implementing requirements; and DOE
Guide 471.3-1, Guide to Identifying Official Use Only Information,
provides information to assist staff in deciding whether information could
be OUO.
3DOE classification guides used for managing classified information
sometimes include specific guidance on what information should be
protected and managed as OUO. When such specific guidance is available to
the employee, he or she is required to mark the document accordingly.
4DOD 5400.7-R, DOD Freedom of Information Act Program (Sept. 4, 1998); DOD
5200.1-R, Information Security Program (Jan. 14, 1997); and interim
changes to DOD 5200.1-R, Information Security Regulation, Appendix 3:
Controlled Unclassified Information (Apr. 16, 2004).
Neither DOE nor DOD Requires Training or Conducts Oversight
OUO and FOUO Training Is Generally Not Required
5DOD 5400.7-R, C4.1.4, p.43.
6Similar language is included in DOD's policies regarding protection of
national security information (DOD 5200.1-R, Information Security Program
(Jan. 14, 1997), sec. C2.4.3.1). DOE's policy for protecting national
security information (DOE M 475.1-1A) makes reference to Executive Order
12958, Classified National Security Information, as amended, which also
has similar language.
Oversight of OUO and FOUO Programs Is Lacking
GAO Contacts and Staff Acknowledgments
Appendix: FOIA Exemptions
Exemption Examples
1. Classified in accordance Classified national defense or foreign policy
with an executive ordera information
2. Related solely to Routine internal personnel matters such as
internal personnel rules and performance standards and leave practices;
practices of an agency internal matters the disclosure of which
would risk the circumvention of a statute or
agency regulation, such as law enforcement
manuals
3. Specifically exempted Nuclear weapons design (Atomic Energy Act);
from disclosure by federal tax return information (Internal Revenue
statute Code)
4. Privileged or Scientific and manufacturing processes (trade
confidential trade secrets, secrets); sales statistics, customer and
commercial, or financial supplier lists, profit and loss data, and
information overhead and operating costs
(commercial/financial information)
5. Interagency or Memoranda and other documents that contain
intra-agency memoranda or advice, opinions, or recommendations on
letters that are normally decisions and policies (deliberative
privileged in civil process); documents prepared by an attorney
litigation in contemplation of litigation (attorney
work-product); confidential communications
between an attorney and a client
(attorney-client)
6. Personnel, medical, and Personal details about a federal employee
similar files the disclosure such as date of birth, marital status, and
of which would constitute a medical condition
clearly unwarranted invasion
of personal privacy
7. Records compiled for law Witness statements; information obtained in
enforcement purposes where confidence in the course of an investigation;
release either would or identity of a confidential source
could harm those law
enforcement efforts in one
or more ways listed in the
statute
8. Certain records and Bank examination reports and related
reports related to the documents
regulation or supervision of
financial institutions
9. Geographical and Well information of a technical or scientific
geophysical information and nature, such as number, locations, and depths
data, including maps, of proposed uranium exploration drill-holes
concerning wells
(350822)
GAO's Mission
Obtaining Copies of GAO Reports and Testimony
Order by Mail or Phone
To Report Fraud, Waste, and Abuse in Federal Programs
Congressional Relations
Public Affairs
www.gao.gov/cgi-bin/getrpt? GAO-06-531T .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Davi D'Agostino at (202) 512-5431 or Gene
Aloise at (202) 512-3841.
Highlights of GAO-06-531T , a testimony to the Chairman, Subcommittee on
National Security, Emerging Threats, and International Relations,
Committee on Government Reform, House of Representatives
March 14, 2006
MANAGING SENSITIVE INFORMATION
DOE and DOD Could Improve Their Policies and Oversight
In the interest of national security and personal privacy and for other
reasons, federal agencies place dissemination restrictions on information
that is unclassified yet still sensitive. The Department of Energy (DOE)
and the Department of Defense (DOD) have both issued policy guidance on
how and when to protect sensitive information. DOE marks documents with
this information as Official Use Only (OUO) while DOD uses the designation
For Official Use Only (FOUO). GAO was asked to
(1) identify and assess the policies, procedures, and criteria DOE and DOD
employ to manage OUO and FOUO information; and
(2) determine the extent to which DOE's and DOD's training and oversight
programs assure that information is identified, marked, and protected
according to established criteria.
What GAO Recommends
In its report issued earlier this month, GAO made several recommendations
for DOE and DOD to clarify their policies to assure the consistent
application of OUO and FOUO designations and increase the level of
management oversight in their use. DOE and DOD agreed with most of GAO's
recommendations, but partially disagreed with its recommendation to
periodically review OUO or FOUO information. DOD also disagreed that
personnel designating a document as FOUO should mark it with the
applicable FOIA exemption.
As GAO reported earlier this month, both DOE and DOD base their programs
on the premise that information designated as OUO or FOUO must (1) have
the potential to cause foreseeable harm to governmental, commercial, or
private interests if disseminated to the public or persons who do not need
the information to perform their jobs; and (2) fall under at least one of
eight Freedom of Information Act (FOIA) exemptions. While DOE and DOD have
policies in place to manage their OUO or FOUO programs, our analysis of
these policies showed a lack of clarity in key areas that could allow
inconsistencies and errors to occur. For example, it is unclear which DOD
office is responsible for the FOUO program, and whether personnel
designating a document as FOUO should note the FOIA exemption used as the
basis for the designation on the document. Also, both DOE's and DOD's
policies are unclear regarding at what point a document should be marked
as OUO or FOUO and what would be an inappropriate use of the OUO or FOUO
designation. For example, OUO or FOUO designations should not be used to
conceal agency mismanagement. In our view, this lack of clarity exists in
both DOE and DOD because the agencies have put greater emphasis on
managing classified information, which is more sensitive than OUO or FOUO.
In addition, while both DOE and DOD offer training on their OUO and FOUO
policies, neither DOE nor DOD has an agencywide requirement that employees
be trained before they designate documents as OUO or FOUO. Moreover,
neither agency conducts oversight to assure that information is
appropriately identified and marked as OUO or FOUO. DOE and DOD officials
told us that limited resources, and in the case of DOE, the newness of the
program, have contributed to the lack of training requirements and
oversight. Nonetheless, the lack of training requirements and oversight of
the OUO and FOUO programs leaves DOE and DOD officials unable to assure
that OUO and FOUO documents are marked and handled in a manner consistent
with agency policies and may result in inconsistencies and errors in the
application of the programs.
*** End of document. ***