Managing Sensitive Information: DOD Can More Effectively Reduce
the Risk of Classification Errors (30-JUN-06, GAO-06-706).
Misclassification of national security information impedes
effective information sharing, can provide adversaries with
information to harm the United States and its allies, and incurs
millions of dollars in avoidable administrative costs. As
requested, GAO examined (1) whether the implementation of the
Department of Defense's (DOD) information security management
program effectively minimizes the risk of misclassification; (2)
the extent to which DOD personnel follow established procedures
for classifying information, to include correctly marking
classified information; (3) the reliability of DOD's annual
estimate of its number of classification decisions; and (4) the
likelihood of DOD's meeting automatic declassification deadlines.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-06-706
ACCNO: A56200
TITLE: Managing Sensitive Information: DOD Can More Effectively
Reduce the Risk of Classification Errors
DATE: 06/30/2006
SUBJECT: Classified defense information
Classified information
Document reclassification
Information classification
Information resources management
Information security
Information security management
Information security regulations
Internal controls
Performance measures
Policies and procedures
Report to the Chairman, Subcommittee on National Security, Emerging
Threats, and International Relations, Committee on Government Reform,
House of Representatives
United States Government Accountability Office
GAO
June 2006
MANAGING SENSITIVE INFORMATION
DOD Can More Effectively Reduce the Risk of Classification Errors
GAO-06-706
Contents
Letter
Results in Brief
Background
DOD's Information Security Program Lacks Oversight and Consistent
Implementation
Results of OSD Document Review Show Some Questionable Classification
Decisions and Numerous Marking Errors
The Accuracy of DOD's Classification Decisions Estimate Is Questionable
DOD's Ability to Meet All of the Executive Order's Automatic
Declassification Deadlines Depends on the Actions of Other Federal
Agencies
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation
Appendix I Scope and Methodology
Appendix II Comments from the Department of Defense
Appendix III GAO Contact and Staff Acknowledgments
Tables
Table 1: Classification Level and the Expected Impact of Unauthorized
Disclosure
Table 2: DOD Component Training Programs for Derivative Classifiers
Table 3: Tracking of Security Classification Guides Varies among DOD
Components
Table 4: Required Markings on Classified Records
Table 5: Examples of Common Marking Errors in OSD Document Sample
Figures
Figure 1: DOD's Number of Classification Decisions Compared to Those of
Other Federal Agencies
Figure 2: Distribution of Marking Errors Detected in OSD Document Sample
(n = 213 errors)
Figure 3: DOD Automatic Declassification Activity in Fiscal Year 2004, as
Measured by the Number of Pages Declassified
Figure 4: Locations of Army, Navy, Air Force, and Marine Corps Automatic
Declassification Sites
Abbreviations
DOD Department of Defense
GAO Government Accountability Office
ISOO Information Security Oversight Office
OSD Office of the Secretary of Defense
OUSD(I) Office of the Under Secretary of Defense for Intelligence
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
June 30, 2006
The Honorable Christopher Shays
Chairman, Subcommittee on National Security, Emerging Threats, and
International Relations
Committee on Government Reform
House of Representatives
Dear Mr. Chairman:
The U.S. Government classifies information as Confidential, Secret, or
Top Secret if its unauthorized disclosure could damage the national
security of the United States.1 Since 1940, the classification,
safeguarding, and declassification of national security information have
been prescribed in a series of presidential executive orders. The current
order in effect, Executive Order 12958, Classified National Security
Information, as amended, defines the different security classification
levels, lists the types of information that can be protected, and
describes how to identify and mark classified information.2
According to data compiled by the Information Security Oversight Office
(ISOO), the office responsible for overseeing the government's information
security program, the number of classified records in existence is unknown
because there is no requirement to account for the majority of these
records. However, during the last 5 fiscal years for which data are available
(2000 through 2004), federal agencies reported that they created about 110
million new classified records, of which the Department of Defense (DOD)
was responsible for more than half (66.8 million).3 The former DOD Deputy
Under Secretary of Defense for Counterintelligence and Security testified
in 2004 in a congressional hearing that she believed the department
overclassified information, and she estimated that 50 percent of
information may be overclassified, to include overclassification between
the classification levels. An example would be the classifying of
information as Top Secret instead of Secret. The Director of ISOO in the
same hearing testified that information that should not be classified is
increasing, in violation of the Executive Order. According to the
Director, too much classification impedes effective information sharing;
too little classification can provide adversaries with information to harm
the United States and its allies; and misclassification in general causes
the department to incur millions of dollars in avoidable administrative
costs.
1 National security signifies the national defense or foreign relations of
the United States.
2 Executive Order 12958, Classified National Security Information (1995)
with its last amendment, Executive Order 13292, Further Amendment to
Executive Order 12958, as Amended, Classified National Security
Information (2003).
3 See title 44 United States Code, which generally defines a record as a
book, paper, map, photograph, sound or video recording, machine readable
material, computerized, digitized, or electronic information, regardless
of the medium on which it is stored, or other documentary material,
regardless of its physical form or characteristics.
The Under Secretary of Defense for Intelligence is the senior DOD official
responsible for the direction, administration, and oversight of DOD's
information security program.4 DOD's current implementing regulation,
Information Security Program, was issued in January 1997 and augmented
with interim guidance in April 2004 to reflect changes required by
Executive Order 12958, as amended. The regulation has decentralized the
management of the program to the heads of the various DOD components.5
Officials from the Office of the Under Secretary of Defense for
Intelligence (OUSD(I)) told us that they expect to publish an updated
version of the Information Security Program in 2007 to replace the 1997
edition and the interim guidance.
As requested, we examined (1) whether the implementation of DOD's
information security management program effectively minimizes the risk of
misclassification; (2) the extent to which DOD personnel follow
established procedures for classifying information, to include correctly
marking classified information; (3) the reliability of DOD's annual
estimate of its number of classification decisions; and (4) the likelihood
of DOD's meeting automatic declassification deadlines. As part of your
request that we report on DOD's information security program, we also
reported in March 2006 on the Department of Defense and Department of
Energy programs to safeguard unclassified yet sensitive information and we
will report on the status of the Department of Energy's information
security program later this year.6 In similar work, we recently issued a
report on the designation of sensitive security information at the
Transportation Security Administration7 and a report on the executive
branch agencies' current efforts to share sensitive homeland security
information among federal and nonfederal entities, and the challenges
posed by such information sharing.8 Finally, we are currently reviewing
the management of both unclassified yet sensitive information and national
security information within the Department of Justice.
4 The Under Secretary of Defense for Intelligence position was established
by the Bob Stump National Defense Authorization Act for Fiscal Year 2003
(Pub. L. No. 107-314 § 901 (Dec. 2, 2002)).
5 DOD components include the Office of the Secretary of Defense, the
military departments, the Chairman of the Joint Chiefs of Staff, the
Combatant Commands, the Office of the Inspector General, the Defense
Agencies, the DOD Field Activities, and all other organizational entities
within DOD.
To evaluate whether DOD's information security program effectively
minimizes the risk of misclassification, the reliability of DOD's annual
classification decision estimate, and the likelihood of DOD's meeting
automatic declassification deadlines, we reviewed documentation and met
with officials responsible for setting information security policy and
implementation (such as training and oversight) from the OUSD(I) and nine
DOD components and 10 of their subordinate commands. Collectively, these
nine components are responsible for about 83 percent of the department's
classification decisions. We compared the DOD components' and subordinate
commands' information security policies and practices with the Executive
Order 12958, as amended; the ISOO directive, Classified National Security
Information Directive No. 1; the DOD regulation 5200.1-R, Information
Security Program; and other DOD implementing guidance.
To assess adherence to procedures in the Executive Order for classifying
information, we reviewed a nonprobability sample of 111 recently
classified documents prepared by five offices within the Office of the
Secretary of Defense (OSD). Because the total number of classified
documents held by DOD is unknown, we did not pursue a probability sampling
methodology to produce results that could be generalized to OSD or DOD.9
6 Managing Sensitive Information: Departments of Energy and Defense
Policies and Oversight Could Be Improved, GAO-06-369 (Washington, D.C.:
Mar. 7, 2006); Managing Sensitive Information: DOE and DOD Could Improve
Their Policies and Oversight, GAO-06-531T (Washington, D.C.: Mar. 14,
2006).
7 Transportation Security Administration: Clear Policies and Oversight
Needed for Designation of Sensitive Security Information, GAO-05-677
(Washington, D.C.: June 29, 2005).
8 Information Sharing: The Federal Government Needs to Establish Policies
and Processes for Sharing Terrorism-Related and Sensitive but Unclassified
Information, GAO-06-385 (Washington, D.C.: Mar. 17, 2006).
We conducted our work between March 2005 and February 2006 in accordance
with generally accepted government auditing standards. A more thorough
description of our scope and methodology is provided in appendix I.
Results in Brief
A lack of oversight and inconsistent implementation of DOD's information
security program increase the risk of misclassification. DOD's information
security program is decentralized to the DOD component level, and the
OUSD(I) has limited involvement in, and oversight of, components'
information security programs. This office does little monitoring or
evaluating of the DOD components' information security actions. Also,
while some DOD components and subordinate commands appear to manage their
programs effectively, we identified weaknesses in other components' and
subordinate commands' training, self-inspection, and security
classification guide management. For example, all of the DOD components
and subordinate commands that we reviewed offered the compulsory initial
and annual refresher training for personnel eligible to classify
documents. However, classification management training at 8 of the 19
components and subordinate commands we reviewed did not cover fundamental
classification management principles, such as the markings that must
appear on classified information and the process for determining the
duration of classification. Also, the OUSD(I) did not have a process to
confirm whether required self-inspections had been performed or to
evaluate their quality, and did not prescribe in detail what
self-inspections should cover. We found that only 8 of the 19 DOD
components and subordinate commands performed these required
self-inspections. Instead, more than half of the 19 performed less
rigorous staff assistance visits. We also found that some of the DOD
components and subordinate commands that we examined did not routinely
submit copies of their security classification guides, documentation which
identifies what information needs protection and the reason for
classification, to a central library as required. Some did not track their
security classification guides to ensure they were current and reviewed
every 5 years as required. As a result, DOD personnel cannot be assured
that they are using the most current information to derivatively classify
documents. DOD is studying ways to improve its current approach to making
security classification guides readily available, departmentwide. Because
of the lack of oversight and weaknesses in training, self-inspections, and
classification guide management, the Secretary of Defense cannot be
assured that the information security program is effectively limiting the
risk of misclassification across the department.
9 Results from nonprobability samples cannot be used to make inferences
about a population, because the chance of being selected as part of a
nonprobability sample cannot be predicted.
Our review of a nonprobability sample of 111 classified DOD documents from
five OSD offices shows that, within these offices, DOD personnel are not
uniformly following established procedures for classifying information, to
include correctly marking classified information. Executive Order 12958,
as amended, lists criteria for what information can be classified, and
which markings are required on classified records. In our review of the
OSD documents, we questioned DOD officials' classification decisions for
29 documents, that is, 26 percent of the sample. The majority of our
questions centered around two problems: the inconsistent treatment of
similar information within the same document, and whether all of the
information marked as classified met established criteria for
classification. We also found that 93 of the 111 documents we examined (84
percent) had at least one marking error, and about half had multiple
marking errors. For example, we found that 25 percent of the 111 documents
had improper declassification instructions, and 42 percent of the
documents failed to provide information about their data sources, such as
the names and dates, as required. While the results from this review cannot
be generalized across DOD, they are indications of the lack of oversight
and inconsistency that we found in DOD's implementation of its information
security program.
The accuracy of DOD's annual estimate of its number of classification
decisions is questionable. Although ISOO issues guidance on how components
should calculate their classification decisions estimate, we found
considerable variance across the department and from year to year in how
this guidance was implemented. For example, DOD components differed in the
types of information they included in the count, the number and types of
lower echelon units included in the count, and decisions as to when to
count and for how long. In fiscal year 2005, OUSD(I) began scrutinizing
the estimates of its components before consolidating and submitting them
to ISOO for inclusion in its annual report to the President.
DOD's ability to meet all of the automatic declassification deadlines in
Executive Order 12958, as amended, depends on the actions of other federal
agencies. DOD components reported being on pace to review their documents
of permanent historical value by December 31, 2006; however, they told us
that they are unlikely to review all of the documents referred to them by
other DOD components and non-DOD agencies before 2010, and special media
(such as audio and video recordings) before 2012, the dates on which these
records are scheduled to be automatically declassified. DOD's progress in
reviewing records that contain classified information belonging to other
federal agencies is hampered by the absence of a federal government
standard for annotating these records, a centralized location within DOD
or the federal government to store these records, and a common database
that federal agencies can use to track the status of these records. DOD's
ability to remove these impediments without the involvement of other
federal agencies is limited. If DOD fails to complete its review by the
declassification deadlines, it risks inappropriately declassifying
information that should remain classified.
To reduce the risk of misclassification and improve DOD's information
security operations, we are recommending six actions, including several to
increase program oversight and accountability. In commenting on our draft,
DOD agreed with all of our recommendations. DOD also provided technical
comments, which we have included as appropriate. The department's response
is reprinted in appendix II.
Background
Executive Order 12958, Classified National Security Information, as
amended, specifies three incremental levels of
classification (Confidential, Secret, and Top Secret) to safeguard
information pertaining to the following:
o military plans, weapons systems, or operations;
o foreign government information;
o intelligence activities (including special activities),
intelligence sources/methods, cryptology;
o foreign relations/activities of the United States, including
confidential sources;
o scientific, technological, or economic matters relating to
national security, which includes defense against transnational
terrorism;
o United States government programs for safeguarding nuclear
materials or facilities;
o vulnerabilities or capabilities of systems, installations,
infrastructures, projects, plans, or protection services relating
to the national security, which includes defense against
transnational terrorism; or
o weapons of mass destruction.
The requisite level of protection is determined by assessing the damage to
national security that could be expected if the information were
compromised (see table 1).
Table 1: Classification Level and the Expected Impact of Unauthorized
Disclosure
Classification levels    Expected impact of unauthorized disclosure
Confidential             Damage
Secret                   Serious damage
Top Secret               Exceptionally grave damage
Source: Executive Order 12958, § 1.2, as amended.
Executive Order 12958, as amended, prohibits classifying information so as
to conceal violations of law, inefficiency, or administrative error;
prevent embarrassment to a person, organization, or agency; restrain
competition; or prevent or delay the release of information that does
not require protection in the interest of national security.
Classification decisions can be either original or derivative. Original
classification is the initial determination that information requires
protection against unauthorized disclosure in the interest of national
security. An original classification decision typically results in the
creation of a security classification guide, which is used by derivative
classifiers and identifies what information should be protected, at what
level, and for how long. Derivative classification is the incorporating,
paraphrasing, or generating in new form of information that is already
classified, and marking it accordingly.10 In 2004, 1,059 senior-level
officials in DOD were designated original classification authorities, and
as such, they were the only individuals permitted to classify information
in the first instance.11 But any of the more than 1.8 million DOD
personnel who possess security clearances potentially have the authority
to classify derivatively. According to DOD, less than 1 percent of the
estimated 63.8 million classification decisions the department made during
fiscal years 2000 through 2004 were original; however, ultimately,
original classification decisions are the basis for 100 percent of
derivative classification decisions.
10 The duplication or reproduction of existing classified information is
not derivative classification.
11 Information may be originally classified only by the Secretary of
Defense, the secretaries of the military departments, and other officials
who have been specifically designated this authority in writing. By DOD
regulation, delegation of original classification authority shall be
limited to the minimum required for DOD to operate effectively, and to
those officials who have a demonstrable and continuing need to exercise
it.
Executive Order 12958, as amended, assigns ISOO the responsibility for
overseeing agencies' compliance with the provisions of the Executive
Order.12 In this capacity, ISOO (1) performs on-site inspections of agency
information security operations, (2) conducts document reviews, (3)
monitors security education and training programs, and (4) reports at
least annually to the President on the degree to which federal agencies
are complying with the Executive Order. ISOO also issued Classified
National Security Information Directive No. 1 to implement the Executive
Order.13 The Executive Order and the ISOO directive stipulate a number of
specific responsibilities expected of federal agencies, including DOD.
Examples of responsibilities are promulgating internal regulations;
establishing and maintaining security education and self-inspection
programs; conducting periodic declassification reviews; and committing
sufficient resources to facilitate effective information security
operations. The Executive Order and the ISOO directive also require
classifiers to apply standard markings to classified information. For
example, originally classified records must include the overall
classification as well as portion or paragraph marking, a "Classified by"
line to identify the original classifier, a reason for classification, and
a "Declassify on" date line.
Executive Order 12958, as amended, states that information shall be
declassified when it no longer meets the standards for classification.14
The point at which information generally becomes declassified is set when
the decision is made to classify, and it is either linked to the
occurrence of an event, such as the completion of a mission, or to the
passage of time. Classified records that are more than 25 years old and
have permanent historical value are automatically declassified unless an
exemption is granted because their contents could cause adverse national
security repercussions.15
12 ISOO is a component of the National Archives and Records Administration
and receives its policy and program guidance from the National Security
Council.
13 32 C.F.R. Part 2001 (2003).
14 Executive Order 12958, as amended, defines declassification as the
authorized change in the status of information from classified to
unclassified.
The Defense Security Service Academy is responsible for providing security
training, education, and awareness to DOD components, DOD contractors, and
employees of other federal agencies and selected foreign governments. The
academy's 2005 course catalog includes more than 40 courses in general
security and in specific disciplines of information, information systems,
personnel, and industrial security, and special access program security.
These courses are free for DOD employees and are delivered by subject
matter experts at the academy's facilities in Linthicum, Maryland, and at
student sites worldwide via mobile training teams. Some courses are
available through video teleconferencing and the Internet. In fiscal year
2004, more than 16,000 students completed academy courses, continuing an
upward trend over the past 4 years.16
According to ISOO, DOD is one of the most prolific classifiers (original
and derivative combined) among federal government agencies. From fiscal
year 2000 to fiscal year 2004, DOD and the Central Intelligence Agency
each had classification activity that was more than that of all other
federal agencies combined. In 3 of these 5 years, DOD's classification
activity was higher than that of the Central Intelligence Agency (see
figure 1).
15 Records of permanent historical value are Presidential records and
agency records that the U.S. Archivist determines should be maintained
permanently in accordance with title 44 United States Code.
16 The actual number of students completing academy courses in fiscal year
2004 is less than 16,000 because some students completed multiple courses.
Figure 1: DOD's Number of Classification Decisions Compared to Those of
Other Federal Agencies
During these same 5 years, DOD declassified more information than any
other federal agency, and it was responsible for more than three-quarters
of all declassification activity in the federal government.
DOD's Information Security Program Lacks Oversight and Consistent Implementation
A lack of oversight and inconsistent implementation of DOD's information
security program are increasing the risk of misclassification. DOD's
information security program is decentralized to the DOD component level,
and OUSD(I) involvement in, and oversight of, components' information
security programs is limited. Also, while some DOD components and
subordinate commands appear to manage their programs effectively, we
identified weaknesses in others' training, self-inspections, and security
classification guide management. As a result, we found that many of the
organizations we reviewed do not fully satisfy federal and DOD
classification management requirements, which contributes to an increased
risk of misclassification. Specifically, most of the components and
subordinate commands we examined did not establish procedures to ensure
that personnel authorized to perform, and actually performing, classification
actions are adequately trained to do so, did not conduct rigorous
self-inspections, and did not take required actions to ensure that
derivative classification decisions are based on current, readily
available documentation. According to the ISOO Director, adequate
training, self-inspections, and documentation are essential elements of a
robust information security program and their absence can impede effective
information sharing and possibly endanger national security.17
OUSD(I) Oversight of DOD Classification Management Program Is Limited
As required by Executive Order 12958, OUSD(I) issued a regulation in
January 1997, Information Security Program, outlining DOD's information
security program. This regulation does not specifically identify oversight
responsibilities for OUSD(I), but instead decentralizes the management of
the information security program to the heads of DOD components.
Consequently, according to the DOD regulation, each DOD component is
responsible for establishing and maintaining security training, conducting
self-inspections, and issuing documentation to implement OUSD(I) guidance
and security classification guides. OUSD(I) exercises little oversight
over how the components manage their programs. As a result, OUSD(I) does
not directly monitor components' compliance with federal and DOD training,
self-inspection, and documentation requirements stipulated in Executive
Order 12958, as amended; the ISOO directive; and the DOD regulation. For
example, OUSD(I) does not require components to report on any aspects of
the security management program. Also, OUSD(I) does not conduct or oversee
self-inspections, nor does it confirm whether self-inspections have been
performed or review self-inspection findings. At the time of our review,
OUSD(I)'s involvement consisted of accompanying ISOO on periodic
inspections of select DOD components and subordinate commands that are not
under the four military services. Additionally, the DOD implementing
regulation does not describe what self-inspections should cover, such as
the recommended standards in the ISOO directive.
Based on our analysis, we believe that OUSD(I)'s decentralized approach,
coupled with the lack of specificity in the department's implementing
regulation on what components must do to satisfy the Executive Order and
ISOO directive self-inspection requirement, has resulted in wide variance
in the quality of components' information security programs.
17 J. William Leonard, Director, ISOO. "The Importance of Basics," remarks
delivered at the National Classification Management Society's Annual
Training Seminar, Reno, Nevada, June 15, 2004.
Classification Management Training Is Inadequate to Substantially Reduce
Improper Classification Practices
Because all cleared personnel have the authority to derivatively classify
information, they are required to have annual refresher training, whether
or not they engaged in derivative classification actions. All of the 19
DOD components and subordinate commands we reviewed offer initial and
annual refresher training for their personnel who are involved with
derivative classification activities, and most track attendance to ensure
that the training is received, as required by the ISOO directive and the
DOD regulation (see table 2).
However, from our analysis of the components' and subordinate commands'
initial and annual refresher training, we determined that only 11 of the
19 components and subordinate commands cover the fundamental
classification principles cited in the ISOO directive and the DOD regulation,
and specifically defined as the minimum training that classifiers must
have in a November 2004 memorandum signed by the Under Secretary of
Defense for Intelligence.18 That is, the training offered by 8 of the
components and subordinate commands does not describe the basic markings
that must appear on classified information, the difference between
original and derivative classification, the criteria that must be met to
classify information, and the process for determining the duration of
classification. Consequently, this training will not provide DOD with
assurance that it will reduce improper classification practices, as called
for in the ISOO directive. We also noted that 14 of the DOD components and
subordinate commands do not assess whether participants understand the
course material by administering a proficiency test.
18 Memorandum from Stephen A. Cambone, Under Secretary of Defense for
Intelligence, "Minimum Training Requirements for Original Classification
Authorities and Derivative Classifiers," Nov. 30, 2004.
Table 2: DOD Component Training Programs for Derivative Classifiers

Column headings: Initial and annual refresher training; Participant
attendance tracked; Classification principles adequately covered;
Proficiency tested

DOD components and subordinate commands                Columns marked
Department of the Army                                 o o o
Army Intelligence and Security Command                 o o o
Army Materiel Command                                  o o o
Army Research Development and Engineering Command      o o
Chief of Naval Operations                              o
Naval Sea Systems Command                              o
Naval Surface Warfare Center, Dahlgren Division        o o o o
Naval Air Systems Command                              o o
Department of the Air Force                            o o
Air Combat Command                                     o o o
Air Force Materiel Command                             o o
88th Air Base Wing                                     o o o o
Headquarters, Marine Corps                             o
Marine Forces Atlantic                                 o o
Central Command                                        o o
Special Operations Command                             o o o o
National Geospatial-Intelligence Agency                o o o o
Defense Intelligence Agency                            o o o o
National Security Agency                               o o

Source: GAO's analysis of DOD data.
Components and subordinate commands that cover the classification
principles cited in the ISOO directive and the DOD regulation include:
o the Army Intelligence and Security Command, which issues the
Command's A Users Guide to the Classification and Marking of
Documents to personnel;
o the Army Materiel Command, which uses information obtained from
the Defense Security Service Academy to develop its refresher
training on marking classified records;
o the Naval Surface Warfare Center, Dahlgren Division, which
requires personnel to complete an online refresher course and pass
a proficiency test before they can print out a certificate
indicating a passing score;
o the 88th Air Base Wing, which requires personnel to attend four
quarterly briefings each year on relevant classification
management topics;
o the Special Operations Command, which developed an online
refresher course, complete with a proficiency test that must be
passed to receive credit for attending;
o the National Geospatial-Intelligence Agency, which requires
personnel to sign an attendance card indicating that they
completed initial and annual refresher training, and issues them
the agency's Guide to Marking Documents; and
o the Defense Intelligence Agency, which provides personnel a
13-page reference guide that explains how to comply with Executive
Order 12958, as amended.
All of the components and subordinate commands that we examined provide
their original classification authorities with initial training,
frequently in one-on-one sessions with a security manager. However, only
about half of the components and subordinate commands we examined provide
the required annual refresher training to original classification
authorities.
DOD personnel could take better advantage of the information security
curriculum offered by the Defense Security Service Academy, including
Basic Information Security, Information Security Orientation, Information
Security Management, and Marking Classified Information. For example,
Marking Classified Information is a 2-3 hour no-cost, online course that
explains how to mark classified information in accordance with Executive
Order 12958, as amended, and requires the person taking the course to
complete and pass a proficiency test at the end of the course. The Under
Secretary's memorandum specifically mentioned the academy and its courses
as a way for the components to facilitate their training. Our analysis of
academy attendance data for fiscal years 2003 through 2004 indicates that
of the more than 1.8 million DOD personnel who possessed security
clearances and potentially had the authority to classify documents
derivatively, 4,775 DOD personnel completed an information security
course, and 2,090 DOD personnel completed the Marking Classified
Information course.19, 20
Self-Inspections Lack Rigor
Eleven of the 19 DOD components and subordinate commands we reviewed do
not perform required self-inspections as part of the oversight of their
information security programs. The ISOO directive requires agencies to
perform self-inspections at all organizational levels that originate or
handle classified information. Agencies have flexibility in determining
what to cover in their self-inspections, although ISOO lays out several
standards that it recommends DOD and other agencies consider including,
such as:
o reviewing a sample of records for appropriate classification
and proper markings;
o assessing familiarity with the use of security classification
guides;
o reviewing the declassification program;
o evaluating the effectiveness of security training; and
o assessing senior management's commitment to the success of the
program.
DOD's Information Security Program regulation directs components to
conduct self-inspections based on program needs and the degree
of involvement with classified information; components and subordinate
commands that generate significant amounts of classified information
should be inspected at least annually. "Program needs," "degree of
involvement," and "significant amounts" are not quantified, and components
and subordinate commands have interpreted these phrases differently. For
example, the Marine Corps performs self-inspections annually; the Naval
Sea Systems Command performs self-inspections every 3 years; and
Headquarters, Department of the Army, does not perform them. Navy and Army
officials with whom we spoke cited resource constraints, and, in
particular, staffing shortages, as the reason why inspections were not
performed more often.
19 Based on information provided by OUSD(I) for end of fiscal year 2003.
20 The actual number of DOD personnel who completed an academy information
security course in fiscal years 2003 and 2004 is less than 4,775 because
some personnel completed multiple courses.
The DOD regulation's chapter on training requires DOD components to
evaluate the quality and effectiveness of security training during
self-inspections; however, none of the 19 components and subordinate
commands we examined does so. Evaluating the quality of training during
self-inspections can identify gaps in personnel's skills and competencies,
and focus efforts to improve existing training.21
Ten of the 19 DOD components and subordinate commands we reviewed perform
staff assistance visits of their lower echelon units in lieu of more
rigorous self-inspections. Staff assistance visits, which typically are
not staffed by inspectors, train the visited organization on how to meet
inspection requirements, and any noted deficiencies are informally briefed
to the local command staff. However, no official report is created for
tracking and resolving deficiencies. According to ISOO officials, staff
assistance visits do not fulfill the inspection requirement specified in
Executive Order 12958, as amended. However, in commenting on a draft of
this report, DOD officials stated that they were unaware of ISOO's
position on staff assistance visits.
Of the 19 DOD components and subordinate commands we reviewed, only 7
conduct periodic document reviews as part of their self-inspections,
although they are required to do so. In addition to revealing the types
and extent of classification and marking errors, a document review can
offer insight into the effectiveness of annual refresher training.
DOD Has Not Taken Sufficient Action to Ensure That Derivative Classification
Decisions Are Based on Current Documentation
DOD has no assurance that personnel who derivatively classify information
are using up-to-date security classification guides; however, our review
showed that more than half of the estimated number of guides at the 17
organizations that could identify the number of guides they had were
tracked for currency and updated at least every 5 years. DOD's approach to
providing personnel access to up-to-date classification guides through a
central library at its Defense Technical Information Center has been
ineffective. OUSD(I) is studying ways to improve the centralized
availability of up-to-date classification guides.
Executive Order 12958, as amended, directs agencies with original
classification authority, such as DOD, to prepare security classification
guides to facilitate accurate and consistent derivative classification
decisions. Security classification guides identify what information needs
protection and the level of classification; the reason for classification,
to include citing the applicable categories in the Executive Order; and
the duration of classification. The ISOO directive and DOD regulation also
require agencies to review their classification guides for currency and
accuracy at least once every 5 years, and to update them as necessary. As
table 3 shows, some DOD components and subordinate commands did not manage
their classification guides to facilitate accurate derivative
classification decisions. Since 2 of the 19 organizations were unable to
provide us with the number of classification guides that they are
responsible for, we could not determine the total number of classification
guides belonging to the components and subordinate commands we reviewed.
However, the remaining 17 organizations estimated their combined total to
be 2,243 classification guides.
21 GAO, Human Capital: A Guide for Assessing Strategic Training and
Development Efforts in the Federal Government, GAO-04-546G (Washington,
D.C.: Mar. 1, 2004).
Table 3: Tracking of Security Classification Guides Varies among DOD
Components

DOD component and               Estimated number
subordinate commands            of guides         Process to track guides

Army                            Unknown           Not tracked at this organizational
                                                  level.
Intelligence and Security       3                 Currency of guides is tracked
Command                                           centrally. Centralized library has
                                                  paper and electronic copies.
Army Materiel Command           Unknown           Not tracked at this organizational
                                                  level.
Research, Development, and      65                Currency of guides is tracked
Engineering Command                               centrally in an automated
                                                  database. Some guides are
                                                  available online to authorized
                                                  users.
Navy/Marine Corps(a)            1,100             Centralized library has a paper
                                                  copy of each guide. Currency of
                                                  guides is not tracked centrally.
                                                  Automated database is under
                                                  development.
Naval Sea Systems Command       300               Centralized library has a paper
                                                  copy of each guide. Currency of
                                                  guides is not tracked centrally.
                                                  Automated database is under
                                                  development.
Naval Surface Warfare Center,   0                 Not applicable.
Dahlgren Division
Naval Air Systems Command       200               Currency of guides is tracked
                                                  centrally in an automated
                                                  database. Centralized library has
                                                  a paper copy of each guide.
Marine Forces, Atlantic         0                 Not applicable.
Air Force                       525               Effort to create electronic
                                                  versions of guides that will allow
                                                  authorized users' access is
                                                  ongoing. Currency of guides is
                                                  tracked centrally.
Air Combat Command              0                 Not applicable.
Air Force Materiel Command      416               Centralized library has a paper
                                                  copy of each guide. Guides are
                                                  tracked centrally in an automated
                                                  database. Currency of guides not
                                                  tracked.
88th Air Base Wing              36                Currency of guides is tracked
                                                  centrally in an automated
                                                  database. Centralized library has
                                                  a paper or electronic copy of each
                                                  guide.
Central Command                 1                 Electronic version of guide
                                                  available to authorized users.
                                                  Currency of guide is tracked
                                                  centrally.
Special Operations Command      30                Centralized library has a paper
                                                  copy of each guide. Automated
                                                  database is under development that
                                                  will allow authorized users to
                                                  access electronic version of
                                                  guides. Currency of guides tracked
                                                  centrally.
National                        10                Currency of guides is tracked,
Geospatial-Intelligence                           many of which are program specific
Agency                                            and require less frequent
                                                  updating.
Defense Intelligence Agency     9                 Currency of guides is tracked
                                                  centrally. Plan is to create
                                                  electronic version of each guide
                                                  for authorized users to access.
National Security Agency        500               Currency of guides is tracked
                                                  centrally. Paper index of guides
                                                  maintained.

Source: GAO analysis.
(a) Marine Corps security classification guides are managed by the Navy.
Of the 13 components and subordinate commands we reviewed that possess
multiple classification guides:
o 10 maintain paper or electronic copies of classification guides
in a central location, or are in the process of doing so;
o 8 track the currency of more than half of their combined
classification guides to facilitate their review, to ensure that
they are updated at least every 5 years, in accordance with the
ISOO directive; and
o 8 either have made or are in the process of making their
classification guides available to authorized users
electronically. These 8 components and subordinate commands
represent over 1,700 (more than 75 percent) of the classification
guides belonging to the DOD organizations that we reviewed.
DOD's strategy for providing personnel ready access to up-to-date
security classification guides to use in making derivative
classification decisions has been ineffective for two reasons.
Officials at some of the DOD components and subordinate commands
we examined told us that they routinely submit copies of their
classification guides to the Defense Technical Information Center,
as required, while others told us they do not.22 However, because
of the way in which the Defense Technical Information Center
catalogs its classification guide holdings, center officials could
not tell us the names and the number of classification guides it
possesses or is missing. In addition, center officials told us
that they cannot compel original classification authorities to
submit updated versions of their classification guides or report a
change in status, such as a classification guide's cancellation.
When the center receives a new classification guide, it enters up
to three independent search terms in an electronic database to
create a security classification guide index. As of October 2005,
the center had in excess of 4,000 index citations for an estimated
1,400 classification guides, which is considerably fewer than the
estimated 2,234 classification guides that 17 of the 19 components
and subordinate commands reported possessing.
The absence of a comprehensive central library of up-to-date
classification guides increases the potential for
misclassification, because DOD personnel may be relying on
insufficient, outdated reference material to make derivative
classification decisions. Navy and Air Force officials showed us
evidence of classification guides that had not been reviewed in
more than five years, as the ISOO directive and DOD regulation
require. As table 3 shows, several components and subordinate
commands have taken or are taking action to improve derivative
classifiers' access to security classification guides; however,
except for the Air Force, there is no coordination among these
initiatives, and neither the Defense Technical Information Center
nor the OUSD(I) is involved. During our review, OUSD(I) officials
told us that the department is studying how to improve its current
approach to making up-to-date classification guides readily
available, departmentwide.
In our review of a nonprobability sample of 111 classified OSD
documents, we questioned DOD officials' classification decisions
for 29 documents, that is, 26 percent of the sample. We also found
that 93 of the 111 documents we examined (84 percent) had at least
one marking error, and about half had multiple marking errors.
Executive Order 12958, as amended, lists criteria for what
information can be classified, and for markings that are required
to be placed on classified records. While the results from this
review cannot be generalized across DOD, they are indications of
the lack of oversight and inconsistency that we found in DOD's
implementation of its information security program.
To determine the extent to which personnel in five OSD offices
followed established procedures for classifying information, we
reviewed 111 documents recently classified by OSD, which revealed
several questionable classification decisions and a large number
of marking errors. In all, we questioned the classification
decisions in 29, comprising 26 percent of the documents in the OSD
sample. The majority of our questions pertained to whether all of
the information marked as classified met established criteria for
classification (16 occurrences), the seemingly inconsistent
treatment of similar information within the same document (10
occurrences), and the apparent mismatch between the reason for
classification and the document's content (5 occurrences). We gave
the OSD offices that classified the documents an opportunity to
respond to our questions, and we received written responses from
the Offices of the Under Secretaries of Defense for Policy;
Comptroller/Chief Financial Officer; and for Acquisition,
Technology, and Logistics; regarding 17 of the 29 documents. In
general, they agreed that several of the documents in question
contained errors of misclassification. For example, we questioned
the need to classify all of the information marked Confidential or
Secret in 13 of the 17 documents. In their written responses, the
three OSD offices agreed that, in 5 of the 13 documents, the
information was unclassified, and in a sixth document the
information should be downgraded from Secret to Confidential. The
OSD offices did not state an opinion on 3 documents. We did not
receive responses to our questions from the other two OSD offices
on the remaining 12 documents.
The Executive Order, ISOO directive, and DOD's regulation together
establish criteria for the markings that are required on
classified records (see table 4).
Table 4: Required Markings on Classified Records
Source: GAO analysis.
The documents included in our document review were created after
September 22, 2003, which is the effective date of ISOO's
Classified National Security Information Directive No. 1 and
almost 6 months after Executive Order 12958 was last amended. The
ISOO directive prescribes a standardized format for marking
classified information that, according to the directive, is
binding except in extraordinary circumstances or as approved by
the ISOO Director.23 To implement classification marking changes
that resulted from the Executive Order and directive, DOD issued
its own interim guidance on April 16, 2004.
Our review revealed that 93 of the 111 OSD documents (84 percent)
had at least one marking error and about half of the documents had
multiple marking errors, resulting in 1.9 errors per document we
reviewed. As figure 2 shows, the marking errors that occurred most
frequently pertained to declassification, the sources used in
derivative classification decisions, and portion marking.
Figure 2: Distribution of Marking Errors Detected in OSD Document
Sample (n = 213 errors)
The most common marking errors that we found in the OSD document
sample, by type of marking error, are listed in table 5.
Table 5: Examples of Common Marking Errors in OSD Document Sample
Source: GAO analysis.
Since ISOO issued its directive in September 2003, it has
completed 19 classified document reviews of DOD components and
subordinate commands.24 The types of marking errors that ISOO
reported finding were similar to what we found among the OSD
documents. Specifically, marking errors associated with
declassification, source, and portion marking represented more
than 60 percent of the errors in both document samples.
The Accuracy of DOD's Classification Decisions Estimate Is Questionable
DOD's estimate of how many classification decisions it makes each
year is of questionable accuracy. Although ISOO provides DOD
components with guidance as to how they should calculate
classification decisions, we found considerable variance within
the department in how this guidance was implemented. For example,
there was inconsistency regarding which records are included in
the estimate, the number and types of lower echelon units that are
included, when to estimate, and for how long to estimate.
ISOO requires federal agencies to estimate the number of original
and derivative classification decisions they made during the
previous fiscal year, which ISOO includes in its annual report to
the President. Agency estimates are based on counting the number
of Confidential, Secret, and Top Secret original and derivative
classification decisions during a designated time period and
extrapolating an annual rate from them. According to ISOO
guidance, agencies typically count their classification decisions
during a consecutive 2-week period in each of the four quarters of
the fiscal year, for a combined total of 8 weeks.
OUSD(I) officials told us that two highly classified categories of
information, sensitive compartmented information and special
access programs, are included in the count; however, several
components and subordinate commands we examined omit these
categories from their totals. In addition, some components and
subordinate commands (such as the Army's Research, Development, and
Engineering Command and the National Geospatial-Intelligence
Agency) include e-mails in their count, while others (such as the
Defense Intelligence Agency and the Central Command) do not.
Whether or not to include e-mails can dramatically affect counts.
For example, the National Security Agency's classification
estimate declined from 12.5 million in fiscal year 2002 to only 7
in fiscal year 2003. Agency officials attributed this dramatic
drop to e-mails being included in the totals for fiscal year 2002
and not for fiscal year 2003.
Some DOD components and subordinate commands do not query their
entire organization, to encompass all personnel who may be
classifying information. For example, the Defense Intelligence
Agency randomly selects four of its eight directorates to
participate, and the National Security Agency and the Naval Air
Systems Command select only lower echelon organizations that have
an original classification authority. As a result, these locations
omit an unknown number of derivative classification decisions. The
Navy bases its annual estimate on data covering a 2-week period
from each of its major commands once per year rather than from all
of its commands, four times per year as suggested in ISOO
guidance. For example, during the first quarter, the Marine Corps
is queried, and during the second quarter, the fleet commands are
queried. Also, some of the combatant commands' service components
are not queried at all, such as the Army's component to the
European Command, the Navy's component to the Transportation
Command, the Air Force's component to the Southern Command, and
the Marine Corps' component to the Central Command. In commenting
on a draft of this report, the department correctly points out
that guidance issued by ISOO allows each component to decide who
to include in its classification decisions estimate.
The Special Operations Command and the Central Command both
schedule their counts at the end of the fiscal year; 4 consecutive
weeks at the former, and 8 consecutive weeks at the latter.
Special Operations Command officials told us that the end of the
fiscal year tends to be a slower operational period, thereby
allowing more time to conduct the data collection.
DOD components and subordinate commands convert their estimates in
different ways to project an entire year. Those that conform to
the suggested ISOO format of four 2-week counting periods a year
(that is, 8 weeks) multiply their counts by 6.5 (that is, 8 weeks
x 6.5 = 52 weeks). The Navy, however, multiplies each of its four
separate counts by 429 to account for all of the lower echelon
units not represented in the estimate.25
Our review of DOD's submissions to ISOO of its estimated number of
classification decisions for fiscal years 2000 through 2004
revealed several anomalies. For example, the National
Reconnaissance Office reported making more than 6 million
derivative and zero original classification decisions during this
5-year period, and the Marine Forces, Atlantic, reported zero
derivative and zero original classification decisions during
fiscal years 2003 and 2004. Subsequent conversations with Marine
Forces, Atlantic, officials indicated that a misunderstanding as
to what constitutes a derivative classification decision resulted
in an underreporting for those 2 years.
Other examples of DOD component data submissions during this
5-year time period that had either a disproportionate reporting of
original versus derivative classification decisions or a
significant change in counts from 1 year to the next include:
o DOD reported in fiscal year 2004 that,
departmentwide, about 4 percent of its classification
decisions were original, yet the Defense Advanced
Research Projects Agency and the Joint Forces Command
both reported that more than 70 percent of their
classification decisions were original.
o DOD reported in fiscal year 2003 that,
departmentwide, less than 2 percent of its
classification decisions were original, yet the Joint
Staff and the European Command both reported more
than 50 percent of their classification decisions
were original.
o DOD reported in fiscal year 2002 that,
departmentwide, less than 1 percent of its
classification decisions were original, yet the
Office of the Secretary of Defense and the Southern
Command both reported more than 20 percent of their
classification decisions were original.
o DOD reported an increase in the number of original
classification decisions during the fiscal year 2002
through 2004 period, from 37,320 to 47,238 (about a
27 percent increase), to 198,354 (about a 300 percent
increase). However, during this same 3-year period,
the Navy's trend for original classification
decisions was from 1,628 to 16,938 (about a 900
percent increase) to 1,898 (about a 90 percent
decrease); and the Army's trend was from 10,417 to
2,056 (about an 80 percent decrease) to 133,791
(about a 6,400 percent increase).
DOD reported a 75 percent decrease in the total number of
classification decisions (that is, original and derivative) from
fiscal year 2002 to fiscal year 2004, yet several DOD components
reported a significant increase in overall classification
decisions during this same time period, including the Defense
Threat Reduction Agency (a 20,107 percent increase), the Southern
Command (1,998 percent increase), Defense Intelligence Agency (a
1,202 percent increase), and the National Geospatial-Intelligence
Agency (a 354 percent increase).
OUSD(I) has decided to discontinue the practice of DOD components
submitting their classification decisions estimates directly to
ISOO. Beginning with the fiscal year 2005 estimates, OUSD(I) will
scrutinize the classification decision estimates of its components
before consolidating and submitting them to ISOO. Properly
conducted, OUSD(I)'s review could improve the accuracy of these
estimates, if methodological inconsistencies are reduced.
DOD's Ability to Meet All of the Executive Order's Automatic
Declassification Deadlines Depends on the Actions of Other
Federal Agencies
Army, Navy, and Air Force classification officials told us that
the military services are on pace to meet the target date of 2006
for reviewing their own classified documents that qualify for
automatic declassification, and for referring records that contain
classified information belonging to other agencies to those
agencies, an assertion endorsed by ISOO in its 2004 report to the
President. However, these officials told us that they are less
likely to meet the target date of 2009 for reviewing records
referred to them, and of 2011 for reviewing special media (such as
audio and video recordings). DOD's ability to satisfy the 2009 and
2011 target dates depends, to a great extent, on the actions of
other federal agencies.
We limited our review of DOD's automatic declassification program
to the four military services because, as figure 3 shows, they
performed 85 percent of all the declassification within DOD in
fiscal year 2004.
Figure 3: DOD Automatic Declassification Activity in Fiscal Year
2004, as Measured by the Number of Pages Declassified
Executive Order 12958, as amended, stipulates that on December 31,
2006, and on December 31 of every year thereafter, classified
records that are (1) at least 25 years old and (2) of permanent
historical value shall in general be automatically declassified,
whether or not they have been reviewed. The Executive Order sets a
record's date of origination as the time of original
classification, and it also exempts certain types of information
from automatic declassification, such as information related to
the application of intelligence sources and methods. The automatic
declassification deadline for records containing information
classified by more than one agency, such as the Army and the Air
Force or the Army and the Central Intelligence Agency, is December
31, 2009, and for special media it is December 31, 2011. For the
most part, only the originating agency can declassify its own
information. Consequently, if the Army discovers classified
information that was originated by the U.S. State Department, the
Army must alert the State Department and refer the information to
the State Department for resolution. The Executive Order describes
special media as microforms, motion pictures, audiotapes,
videotapes, or comparable media that make its review for possible
declassification exemptions "more difficult or costly."26 The ISOO
directive mirrors these requirements and directs ISOO, in
conjunction with its parent organization, the National Archives
and Records Administration, and other concerned agencies to
develop a standardized process for referring records containing
information classified by more than one agency across the federal
government.
Army, Navy/Marine Corps, and Air Force classification officials
told us that they face a variety of challenges impacting their
ability to meet the target dates of 2009 for reviewing records
referred to them, and of 2011 for reviewing special media. Based
on information provided by officials from the military services
and the National Archives and Records Administration who are
responsible for the automatic declassification effort, it appears
that three obstacles hinder their progress toward meeting these
deadlines. DOD's ability to remove these obstacles without the
involvement of other federal agencies is limited. First, there is
no federal government standard for annotating classified records
that contain information classified by more than one agency. For
example, two non-DOD agencies both annotate their records with a
"D" and an "R," but for opposite purposes. That is, one of the
agencies uses a "D" to denote "deny automatic declassification"
and an "R" to denote "release," while the other agency uses a "D"
to denote "declassify" and an "R" to denote "retain." The National
Archives and Records Administration and various interagency
working groups and task forces have sought a federal government
standard, but National Archives officials told us that they were
not optimistic that agencies would reach agreement soon. According
to these officials, the lack of a federal government standard has
contributed to the inadvertent release of classified information.
Second, there is no central location within DOD or the federal
government for storing records eligible for automatic
declassification that contain information classified by multiple
DOD components or non-DOD agencies. To review records originated
by the four military services, agencies must send personnel
trained to evaluate information for declassification suitability
to as many as 14 different sites where the records are stored. For
example, the Air Force has records eligible for automatic
declassification at storage sites located in Ohio, Alabama, and
Texas (see figure 4). National Archives officials pointed out that
consolidating the records at fewer sites may be more efficient,
and likely more cost-effective.
[22] Section C2.5.3.4 of DOD 5200.1-R, Information Security Program, January
1997, requires original classification authorities to submit two copies of
each approved security classification guide to the center, except for
guides containing highly sensitive information. According to DOD
declassification officials, less than 5 percent of the department's
classification guides are classified at the Top Secret level, or contain
Sensitive Compartmented Information or Special Access Program information.
Results of OSD Document Review Show Some Questionable Classification Decisions
and Numerous Marking Errors
Marking requirement                            Originally          Derivatively
                                               classified record   classified record
Overall classification level of record cited   x                   x
Portion markings present                       x                   x
"Declassify on" line completed                 x                   x
"Classified by" line completed                 x
Executive Order authorized "reason for"        x
  classification cited
"Derived from" line completed                                      x
[23] 32 C.F.R. § 2001.20 (2003).
Types of marking errors          Examples of marking errors
Inaccurate or incomplete         o source not provided; therefore, unable
declassification instructions      to determine
                                 o discontinued exemption codes
                                 o formerly restricted data exempt
                                 o originating agency's determination
                                   required
Inaccurate or incomplete         o title of source document omitted
"derived from" line              o date of source document omitted
                                 o "classified by" line incorrectly
                                   inserted
Inaccurate or incomplete         o entire pages not marked
portion marking                  o individual paragraphs not marked
                                 o section titles not marked
                                 o subject line not marked
Inaccurate "reason for"          o section 1.6., not section 1.4. of
classification cited               Executive Order cited
                                 o section 1.6. without a subsection
                                   cited
Inaccurate overall               o not releasable to foreign nationals
classification level               caveat not included in portion markings
                                 o releasable to the United States of
                                   America, Canada, and the United Kingdom
                                   caveat present in portion marking, but
                                   not included in page marking
The Accuracy of DOD's Classification Decisions Estimate Is Questionable
[24] The five OSD offices that participated in our document review did not
participate in any of the ISOO document reviews.
[25] 429 is derived from the formula 26 x 33 ÷ 2 = 429, where 26 represents
the number of 2-week counting periods in a year, 33 is a multiplier to
account for those commands among the Navy's 3,960 commands that are not
counted, and 2 is a divisor to account for those commands that have no
classification activity, such as dental clinics and commissaries.
DOD's Ability to Meet All of the Executive Order's Automatic Declassification
Deadlines Depends on the Actions of Other Federal Agencies
[26] Executive Order 12958, as amended, § 3.3.(e)(2).
Figure 4: Locations of Army, Navy, Air Force, and Marine Corps Automatic
Declassification Sites
A third factor that may cause DOD to miss meeting the Executive Order
deadlines is the lack of a common database that federal government
agencies can use to track the status of records containing information
classified by more than one agency. The ISOO directive allows federal
government agencies to utilize electronic databases to notify other
agencies of their referrals; however, agencies have created their own
databases that operate independently of one another. In commenting on a
draft of this report, DOD officials stated that, despite the lack of
federal government standards, the department has been a leading proponent
of working collaboratively with other federal agencies to meet automatic
declassification deadlines. We cannot confirm the accuracy of DOD's
characterization because DOD's relationship with other agencies involved
in automatic declassification was not part of our review.
Conclusions
The Under Secretary of Defense for Intelligence has delegated the
execution and oversight of information security to the DOD component
level. This decentralized approach, coupled with inconsistency in the
implementation of components' information security programs, has resulted
in wide variance in the quality of these programs. For example, the
OUSD(I) does not directly monitor components' compliance with federal and
DOD training, self-inspection, and documentation requirements stipulated
in Executive Order 12958, as amended; the ISOO directive; and the DOD
regulation. Inadequate classification management training,
self-inspections, and security classification guide documentation among
the various DOD components increase the risk of (1) poor classification
decisions and marking errors, similar to what we observed in our OSD
document review; (2) restricting access to information that does not pose
a threat to national security; and (3) releasing information to the
general public that should still be safeguarded.
OUSD(I) oversight could reduce the likelihood of classification errors.
For example, if OUSD(I) ensured that components evaluated the quality and
effectiveness of training and periodically included document reviews in
their self-inspections, prevalent classification errors could be addressed
through annual refresher training that derivative classifiers complete.
Evaluating the quality of training can assist components in targeting
scarce resources on coursework that promotes learning and reduces
misclassification. Although the results of our review of a sample of OSD
documents cannot be generalized departmentwide, we believe these results
coupled with the weaknesses in training, self-inspections, and
documentation that we found at numerous components and subordinate
commands increase the likelihood that documents are not being classified
in accordance with established procedures.
DOD's estimate of how many original and derivative classification
decisions it makes annually is unreliable because it is based on data from
the DOD components that were derived using different assumptions about
what should be included and about data collection and estimating
techniques. Still, this estimate is reported to the President and to the
public, and it is routinely cited in congressional testimony by DOD
officials and freedom of information advocates as authoritative. During
our review, OUSD(I) decided to resume its practice of reviewing
components' classification estimates before they are submitted to ISOO. If
properly implemented, this review could improve data reliability to some
extent, but only if it addresses the underlying lack of uniformity in how
the individual DOD components are collecting and manipulating their data
to arrive at their estimates.
The automatic declassification provision in Executive Order 12958, as
amended, requires agencies generally to declassify records that are 25
years old or more and that no longer require protection. The Army,
Navy/Marine Corps, and Air Force reported they are on track to review all
of the documents they classified before the deadline; however, they are
less likely to complete their review of the untold number of records
containing information classified by other DOD components and non-DOD
agencies by the deadlines set in the Executive Order. As the deadlines
pass and these records are automatically declassified, information that
could still contain national security information becomes more vulnerable
to disclosure. DOD's ability to meet these deadlines is jeopardized both
by conditions beyond and conditions within its direct control. For
example, DOD cannot require non-DOD agencies to adopt a national standard
for annotating classified records, but it can take action to streamline
the process of reviewing records containing information classified by more
than one DOD component.
Recommendations for Executive Action
To reduce the risk of misclassification and create greater accountability
across the department, we recommend that the Secretary of Defense direct
the Under Secretary of Defense for Intelligence to
  o establish a centralized oversight process for monitoring
    components' information security programs to ensure that they
    satisfy federal and DOD requirements. This oversight could include
    requiring components to report on the results of self-inspections
    or other actions, targeted document reviews, and/or reviews by the
    DOD Inspector General and component audit agencies.
  o issue a revised Information Security Program regulation to
    ensure that
      o those personnel who are authorized to and who
        actually perform classification actions receive
        training that covers the fundamental classification
        principles as defined in the Under Secretary's
        memorandum of November 30, 2004, and that completion
        of such training is a prerequisite for these
        personnel to exercise this authority;
      o the frequency, applicability, and coverage of
        self-inspections, and the reporting of inspection
        results, are based on explicit criteria; and
      o authorized individuals can access up-to-date
        security classification guides necessary to
        derivatively classify information accurately.
To support informed decision making with regard to information security,
we recommend that the Secretary of Defense direct the Under Secretary of
Defense for Intelligence to institute quality assurance measures to ensure
that components implement consistently the DOD guidance on estimating the
number of classification decisions, thereby increasing the accuracy and
reliability of these estimates.
To assist DOD in its efforts to meet automatic declassification deadlines,
we recommend that the Secretary of Defense direct the Under Secretary of
Defense for Intelligence to evaluate the merits of consolidating records
eligible for automatic declassification that contain information
classified by multiple DOD components at fewer than the current 14
geographically dispersed sites.
Agency Comments and Our Evaluation
In commenting on a draft of this report, DOD concurred with all six
recommendations; however, the department expressed concern that we did not
accurately portray the Navy's program for managing its security
classification guides. Upon further review, we modified table 3 in the
report and accompanying narrative to indicate that the Navy (1) does have
a centralized library containing paper copies of its security
classification guides, and (2) is developing an automated database to make
its classification guides available to authorized users electronically. We
disagree with the department's assertion that the Navy is tracking its
classification guides to ensure that they are reviewed at least once every
5 years for currency and are updated accordingly. Based on our discussions
with Navy information security officials, including the Retrieval and
Analysis of Navy (K)lassified Information (RANKIN) Program Manager, and
observing a demonstration of the spreadsheet used to catalog security
classification guide holdings, we saw no evidence to suggest that currency
of guides is being systematically tracked. With respect to our fifth
recommendation that focuses on how DOD estimates the number of
classification decisions it makes each year, we endorsed the department's
decision to continue scrutinizing its components' estimates before
consolidating and submitting them to ISOO. However, we continue to believe
that OUSD(I) should augment its after-the-fact review with measures to
ensure that components follow a similar process to derive their
classification decisions estimates, such as standardizing the types of
records to be included. Adopting a consistent methodology across the
department and from year to year should improve the reliability and
accuracy of this estimate that is reported to the President.
DOD also provided technical comments for our consideration in the final
report, which we incorporated as appropriate. DOD's formal comments are
reprinted in appendix II.
We are sending copies of this report to the Secretaries of Defense, the
Army, the Navy, and the Air Force; the Commandant of the Marine Corps; and
the Directors of the Defense Intelligence Agency, the National
Geospatial-Intelligence Agency, and the National Security Agency. We will
also make copies available to others upon request. In addition, this
report will be available at no charge on the GAO Web site at
http://www.gao.gov . If you or your staff have any questions concerning
this report, please contact me at (202) 512-5431 or [email protected] .
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this report. GAO staff who made
major contributions to this report are listed in appendix III.
Sincerely yours,
Davi M. D'Agostino
Director, Defense Capabilities and Management
Appendix I: Scope and Methodology
To conduct our review of the Department of Defense's (DOD's) information
security program, we met with officials and obtained relevant
documentation from the following DOD components and subordinate commands:
  o Department of the Army, Office of the Deputy Chief of Staff for
    Intelligence, Arlington, Virginia;
      o U.S. Army Intelligence and Security Command, Fort
        Belvoir, Virginia;
      o U.S. Army Materiel Command, Fort Belvoir,
        Virginia;
      o U.S. Army Research, Development and Engineering
        Command, Aberdeen Proving Ground, Maryland;
  o Department of the Navy, Office of the Chief of Naval
    Operations, Arlington, Virginia;
      o Naval Sea Systems Command, Washington, D.C.;
      o Naval Surface Warfare Center Dahlgren Division,
        Dahlgren, Virginia;
      o Naval Air Systems Command, Patuxent River,
        Maryland;
  o Department of the Air Force Air and Space Operations,
    Directorate of Security Forces, Information Security Division,
    Rosslyn, Virginia;
      o Air Force Air Combat Command, Langley Air Force
        Base, Virginia;
      o Air Force Materiel Command, Wright-Patterson Air
        Force Base, Ohio;
      o 88th Security Forces Squadron, Wright-Patterson
        Air Force Base, Ohio;
  o Headquarters, U.S. Marine Corps, Arlington, Virginia;
      o U.S. Marine Forces, Atlantic, Norfolk Naval Base,
        Virginia;
  o Headquarters, U.S. Central Command, MacDill Air Force Base,
    Florida;
  o Headquarters, U.S. Special Operations Command, MacDill Air
    Force Base, Florida;
  o National Geospatial-Intelligence Agency, multiple sites in the
    Washington, D.C. metropolitan area;
  o Defense Intelligence Agency, Washington, D.C.;
  o National Security Agency, Fort Meade, Maryland; and
  o Headquarters, Defense Technical Information Center, Fort
    Belvoir, Virginia.
The information security programs of these nine components, collectively,
were responsible for about 83 percent of the department's classification
decisions each of the last 3 fiscal years that data are available (2002
through 2004). We selected the information security programs of three
Army, three Navy, three Air Force, and one Marine Corps subordinate
command because they had among the largest number of classification
decisions for their component during the fiscal year 2002 through 2004
time period.
To examine whether DOD's implementation of its information security
management program in the areas of training, self-inspections, and
security classification guide management effectively minimizes the risk of
misclassification, we compared the DOD components' and subordinate
commands' policies and practices with federal and DOD requirements,
including Executive Order 12958, Classified National Security Information,
as amended; Information Security Oversight Office (ISOO) Directive 1,
Classified National Security Information; and DOD Information Security
Program regulation 5200.1-R. Additionally, we visited the Defense Security
Service Academy in Linthicum, Maryland, to discuss DOD training issues,
and the Defense Technical Information Center at Fort Belvoir, Virginia, to
discuss the availability of current security classification guides. We
also met with officials from the Congressional Research Service, the
Federation of American Scientists, and the National Classification
Management Society to obtain their perspectives on DOD's information
security program and on misclassification of information in general.
To assess the extent to which DOD personnel in five offices of the Office
of the Secretary of Defense (OSD) followed established procedures for
classifying information, to include correctly marking classified
information, we examined 111 documents classified from September 22, 2003
to June 30, 2005. Because the total number of classified documents held by
DOD is unknown, we could not pursue a probability sampling methodology to
produce results that could be generalized to either OSD or DOD. The
September 22, 2003 start date was selected because it coincides with when
the ISOO directive that implements the Executive Order went into effect.
OSD was selected among the DOD components because it has been the
recipient of fewer ISOO inspections than most of the other DOD components,
and we expected comparatively greater compliance with the Executive Order
since DOD's implementing regulation, DOD 5200.1-R, was published by an OSD
office. We selected the following five OSD offices located in Washington,
D.C. to sample:
o Office of the Director of Program Analysis and Evaluation;
o Office of the Under Secretary of Defense for Policy;
o Office of the Under Secretary of Defense for Acquisition,
Technology and Logistics;
o Office of the Assistant Secretary of Defense for Networks and
Information Integration/Chief Information Officer; and
o Office of the Under Secretary of Defense Comptroller/Chief
Financial Officer.
These five offices were responsible for 84 percent of OSD's reported
classification decisions (original and derivative combined) during fiscal
year 2004. According to the Pentagon Force Protection Agency, the office
responsible for collecting data on classification activity for OSD, we
obtained 100 percent of these five offices' classification decisions
during the 21-month time period. Two GAO analysts independently reviewed
each document using a 16-item checklist that we developed based on
information in the Executive Order, and feedback from ISOO classification
management experts.[1] GAO analysts who participated in the document review
completed the Defense Security Service Academy's online Marking Classified
Information course and passed the embedded proficiency test.
Each document was examined for compliance with classification procedures
and marking requirements in the Executive Order. The two analysts'
responses matched in more than 90 percent of the checklist items. On those
infrequent occasions where the analysts' responses were dissimilar, a
third GAO analyst conducted a final review. We examined the rationale
cited by the classifier for classifying the information, and whether
similar information within the same document and across multiple documents
was marked in the same manner. We also performed Internet searches on
official U.S. Government Web sites to determine if the information had
been treated as unclassified. For those documents that we identified as
containing questionable classification decisions, we met with security
officials from the applicable OSD offices to obtain additional information
and documentation.
To assess the reliability of DOD's annual classification decisions
estimate and the existence of material inconsistencies, we compared the
guidance issued by ISOO and the Office of the Under Secretary of Defense
for Intelligence on methods to derive this estimate with how DOD
components and subordinate commands implemented this guidance. We also
scrutinized the data to look for substantial changes in the data estimates
reported by DOD components during fiscal years 2002 through 2004.
To determine the likelihood of DOD's meeting automatic declassification
deadlines contained in Executive Order 12958, as amended, we met with
officials from the Army, Navy/Marine Corps, and Air Force declassification
offices. We decided to focus exclusively on the four military services,
because, collectively they were responsible for more than 85 percent of
the department's declassification activity during fiscal year 2004. We
also met with ISOO officials to discuss their evaluation of DOD's progress
towards meeting the Executive Order deadlines. To increase our
understanding of the impediments that federal agencies in general, and DOD
in particular, face with regard to satisfying automatic declassification
deadlines, we met with declassification officials from the National
Archives and Records Administration in College Park, Maryland.
[1] 12 of the 16 checklist items applied to originally classified documents,
and 13 of the 16 checklist items applied to derivatively classified
documents.
We met with ISOO officials to discuss the assignment's objectives and
methodology, and received documents on relevant information security
topics, including inspection reports.
We conducted our work from March 2005 through February 2006 in accordance
with generally accepted government auditing standards.
Appendix II: Comments from the Department of Defense
Appendix III: GAO Contact and Staff Acknowledgments
GAO Contact
Davi M. D'Agostino (202) 512-5431 or [email protected] .
Acknowledgments
Ann Borseth, Mattias Fenton, Adam Hatton, Barbara Hills, David Keefer,
David Mayfield, Jim Reid, Terry Richardson, Marc Schwartz, Cheryl
Weissman, and Jena Whitley made key contributions to this report.
(350684)
Highlights of GAO-06-706, a report to the Chairman, Subcommittee on
National Security, Emerging Threats, and International Relations,
Committee on Government Reform, House of Representatives
June 2006
MANAGING SENSITIVE INFORMATION
DOD Can More Effectively Reduce the Risk of Classification Errors
What GAO Recommends
To reduce the risk of misclassification and improve DOD's information
security operations, GAO is recommending six actions, including several to
increase program oversight and accountability. In reviewing a draft of
this report, DOD concurred with GAO's recommendations. DOD also provided
technical comments, which we have included as appropriate.
A lack of oversight and inconsistent implementation of DOD's information
security program are increasing the risk of misclassification. DOD's
information security program is decentralized to the DOD component level,
and the Office of the Under Secretary of Defense for Intelligence
(OUSD(I)), the DOD office responsible for DOD's information security
program, has limited involvement with, or oversight of, components'
information security programs. While some DOD components and their
subordinate commands appear to manage effective programs, GAO identified
weaknesses in others in the areas of classification management training,
self-inspections, and classification guides. For example, training at 9 of
the 19 components and subordinate commands reviewed did not cover
fundamental classification management principles, such as how to properly
mark classified information or the process for determining the duration of
classification. Also, OUSD(I) does not have a process to confirm whether
self-inspections have been performed or to evaluate their quality. Only 8
of the 19 components performed self-inspections. GAO also found that some
of the DOD components and subordinate commands that were examined
routinely do not submit copies of their security classification guides,
documentation that identifies which information needs protection and the
reason for classification, to a central library as required. Some did not
track their classification guides to ensure they were reviewed at least
every 5 years for currency as required. Because of the lack of oversight
and weaknesses in training, self-inspection, and security classification
guide management, the Secretary of Defense cannot be assured that the
information security program is effectively limiting the risk of
misclassification across the department.
GAO's review of a nonprobability sample of 111 classified documents from
five offices within the Office of the Secretary of Defense shows that,
within these offices, DOD personnel are not uniformly following
established procedures for classifying information, to include mismarking.
In a document review, GAO questioned DOD officials' classification
decisions for 29, that is, 26 percent of the sample. GAO also found that 92
of the 111 documents examined (83 percent) had at least one marking error,
and more than half had multiple marking errors. While the results from
this review cannot be generalized across DOD, they are consistent with the
weaknesses GAO found in the way DOD implements its information security
program.
The accuracy of DOD's classification decision estimates is questionable
because of the considerable variance in how these estimates are derived
across the department, and from year to year. However, beginning with the
fiscal year 2005 estimates, OUSD(I) will review estimates of DOD
components. This additional review could improve the accuracy of DOD's
classification decision estimates if methodological inconsistencies also
are reduced.