Managing Sensitive Information: DOJ Needs a More Complete	 
Staffing Strategy for Managing Classified Information and a Set  
of Internal Controls for Other Sensitive Information (20-OCT-06, 
GAO-07-83).							 
                                                                 
The September 11 attacks showed that agencies must balance the	 
need to protect and share sensitive information to prevent future
attacks. Agencies classify this information or designate it	 
sensitive but unclassified to protect and limit access to it. The
National Archives' Information Security Oversight Office (ISOO)  
assesses agencies' classification management programs, and in	 
July 2004 and April 2005 recommended changes to correct problems 
at the Justice Department (DOJ) and Federal Bureau of		 
Investigation (FBI). GAO was asked to examine (1) DOJ's and FBI's
progress in implementing the recommendations and (2) the	 
management controls DOJ components have to ensure the proper use 
of sensitive but unclassified designations. GAO reviewed ISOO's  
reports and agency documentation on changes implemented and	 
controls in place, and interviewed security program managers at  
DOJ, its components, and ISOO to examine these issues.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-83						        
    ACCNO:   A62447						        
  TITLE:     Managing Sensitive Information: DOJ Needs a More Complete
Staffing Strategy for Managing Classified Information and a Set  
of Internal Controls for Other Sensitive Information		 
     DATE:   10/20/2006 
  SUBJECT:   Classified information				 
	     Employee training					 
	     Government information dissemination		 
	     Homeland security					 
	     Information classification 			 
	     Information disclosure				 
	     Information management				 
	     Information security				 
	     Inspection 					 
	     Internal controls					 
	     Policy evaluation					 
	     Program management 				 
	     Reporting requirements				 
	     Risk assessment					 


Report to the Chairman, Committee on the Judiciary, House of
Representatives

United States Government Accountability Office

GAO

October 2006

MANAGING SENSITIVE INFORMATION

DOJ Needs a More Complete Staffing Strategy for Managing Classified
Information and a Set of Internal Controls for Other Sensitive Information

GAO-07-83

Contents

Letter

    Results in Brief
    Background
    DOJ Has Made Progress Implementing ISOO Recommendations but Has Not Yet
    Addressed Critical Staff Resource Issues That Limit Its Ability to Address
    All Needed Changes
    The FBI Has Begun to Implement All but One of ISOO's Recommendations
    DOJ Components Lack Specific Guidance, Training, and Oversight to Ensure
    Proper Designation of Sensitive but Unclassified Information
    DOJ Components Report Having Processes in Place for Responding to
    Intragovernmental Information Requests
    Conclusions
    Recommendations for Executive Action
    Agency Comments and Our Evaluation

Appendix I Summaries of Related GAO Reports
Appendix II Objectives, Scope, and Methodology
Appendix III GAO Contact and Staff Acknowledgments

Tables

Table 1: Status of DOJ's Implementation of ISOO's Recommendations as of
August 2006
Table 2: Status of the FBI's Implementation of ISOO's Recommendations as
of August 2006
Table 3: Sensitive but Unclassified Categories Used by Five DOJ Components

Figure

Figure 1: DOJ Organizational Chart

Abbreviations

ATF      Bureau of Alcohol, Tobacco, Firearms and Explosives
DEA      Drug Enforcement Administration
DEA-S    DEA-Sensitive
DOJ      Department of Justice
EPA      Environmental Protection Agency
FBI      Federal Bureau of Investigation
FOIA     Freedom of Information Act
FOUO     For Official Use Only
GSA      General Services Administration
ISCAP    Interagency Security Classification Appeals Panel
ISOO     Information Security Oversight Office
LES      Law Enforcement Sensitive
LOU      Limited Official Use
PROPIN   Proprietary Information
SEPS     Security and Emergency Planning Staff
USMS     U.S. Marshals Service

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office

Washington, DC 20548

October 20, 2006

The Honorable F. James Sensenbrenner, Jr.
Chairman
Committee on the Judiciary
House of Representatives

Dear Mr. Chairman:

According to the former Vice Chair of the National Commission on Terrorist
Attacks Upon the United States (9/11 Commission), the government's single
greatest failure in the lead-up to the September 11, 2001, attacks was the
inability of federal agencies to share information about suspected
terrorists and their activities. Likewise, as we have previously reported,
critical to homeland protection efforts is the ability to share
information among key homeland security stakeholders so they can
coordinate their antiterrorism activities yet also protect sensitive
information from unauthorized access that could compromise our nation's
security.^1 As part of these protection efforts, pursuant to Executive
Order 12958, as amended, the federal government routinely classifies
certain documents and other information critical to our national security
as Top Secret, Secret, or Confidential.^2 These classification levels
indicate the degree of damage that could be reasonably expected from
unauthorized disclosure. Classified information can only be used by
individuals who have an appropriate security clearance and a need to know
and must be safeguarded from unauthorized access and disclosure. A
critical component of balancing the competing interests of the need to
share and the need to protect information is the establishment of clear
policies and procedures to guide decisions on whether information should
be classified.

Reviewing classified information to determine if it must continue to be
restricted or if it can be declassified and be made publicly available and
shared is also a vital part of the classification system. For example,
under a provision in the executive order, all records of a permanent
historical value over 25 years old that contain classified national
security information will be automatically declassified on December 31,
2006, and each year thereafter, and may be available for public
disclosure.^3 Before this date, agencies may review applicable records to
determine if they qualify for certain exemptions--for example, information
about the confidential human sources of intelligence information cannot be
disclosed--if they should be reclassified, or if they should be withheld
for reasons such as concerns about an individual's privacy rights.

^1 GAO, Information Sharing: The Federal Government Needs to Establish
Policies and Processes for Sharing Terrorism-Related and Sensitive but
Unclassified Information, GAO-06-385 (Washington, D.C.: Mar. 17, 2006).

^2 See Exec. Order No. 13292, 68 Fed. Reg. 15,315 (Mar. 28, 2003). See
also 32 C.F.R. pt. 2001.

Government agencies may also designate other types of information
important to their missions, such as law enforcement information critical
to a prosecution, as sensitive but unclassified. Agencies have employed a
number of different sensitive but unclassified designations, such as Law
Enforcement Sensitive, For Official Use Only, and Limited Official Use,
which have associated restrictions on handling and sharing such
information with other government entities and with the public. Sensitive
but unclassified information generally must be safeguarded from public
release and can only be used by those with a need to know. Unlike
classified information, generally, a security clearance is not required
for access to sensitive but unclassified information, and there is no time
limit on the designation indicating when it can be removed.

As part of the post-September 11 efforts to better share information
critical to homeland protection, agencies' classification and sensitive
but unclassified information security programs have come under scrutiny.
In response to congressional requests, we have recently published several
reports assessing various executive branch agencies' programs for
designating and sharing classified and sensitive but unclassified
information. (See app. I for summaries of each of our related reports.)
This work noted that agencies needed to enhance their policies and
procedures governing classified and other sensitive information to help
ensure they were appropriately protecting it. For example, we found that
the Department of Defense's information security program had weaknesses,
such as in the training provided employees on the classification program,
and in the use of self-inspections to monitor program implementation.^4 In
addition, congressional committees have conducted a number of hearings on
agencies' information security efforts that raised issues such as whether
some agencies have been overclassifying documents, thereby restricting
public access to important historical information.

^3 Declassified information may continue to be withheld from public
disclosure for reasons under the Freedom of Information Act (FOIA), 5
U.S.C. § 552, or other legal authority, or may be reclassified in
accordance with the executive order.

^4 GAO, Managing Sensitive Information: DOD Can More Effectively Reduce
the Risk of Classification Errors, GAO-06-706 (Washington, D.C.: June
30, 2006).

The Information Security Oversight Office (ISOO), an office within the
National Archives and Records Administration, is responsible for issuing
directives to implement the executive order that governs classified
information. The office is also responsible for overseeing executive
branch agencies' national security information classification programs for
compliance with the order and implementing directives.^5 The office is not
responsible for overseeing agencies' sensitive but unclassified
information security programs, which is the responsibility of each agency.
ISOO's oversight consists of performing on-site inspections of
classification programs, conducting classified document reviews,
evaluating agency security education and training programs, and
recommending corrective actions to agencies when it finds violations under
the order or directives. According to ISOO, while the order provides it
with the authority to make such recommendations, it cannot require
agencies to implement them.^6 ISOO is also required to report at least
annually to the President on the status of federal agencies' national
security information classification programs.

The Department of Justice (DOJ), the nation's top law enforcement agency,
is the third largest classifier of information in the executive branch,
following the Department of Defense and the Central Intelligence Agency,
based on information that these agencies reported to ISOO. Furthermore,
one component within DOJ, the Federal Bureau of Investigation (FBI), makes
up 98 percent of the department's total classification decisions. Thus, it
is important that both organizations have effective information
classification programs. In July 2004, ISOO made 10 recommendations to DOJ
to correct deficiencies in its policies and procedures for classifying and
declassifying national security information. For example, ISOO found gaps
in the level of resources DOJ had available to oversee its classification
management program, in its employee training programs, and in the use of
inspections to ensure employees were making proper classification
decisions. In response, ISOO recommended that DOJ provide more resources,
update and more consistently provide employee training, and conduct more
regular inspections of how well its classification management program is
working to correct these deficiencies. Likewise, ISOO made 12
recommendations to the FBI in April 2005 to address deficiencies in that
component's program, including gaps in the guidance employees can use to
make classification decisions, outdated training, and little program
oversight. ISOO recommended that the FBI issue regulations governing the
program, update or create classification and declassification guides to
help employees properly classify information, update employee training,
and use more regular inspections to test program effectiveness.

^5 See 32 C.F.R. pt. 2001.

^6 The executive order does, however, authorize the imposition of
sanctions in the event of a knowing, willful, or negligent violation of
the order or its implementing directives.

In response to your request, this report examines matters related to DOJ's
management of classified and sensitive but unclassified information. More
specifically, we address the following questions:

  1. To what extent has DOJ implemented ISOO's recommendations?
  2. To what extent has FBI implemented ISOO's recommendations?
  3. What policies, procedures, and internal controls are in place
     in selected DOJ components to properly use sensitive but
     unclassified designations?
  4. What processes are in place at selected DOJ components to
     respond to intragovernmental requests to share national security
     and sensitive but unclassified information?

To determine the extent of changes that DOJ and the FBI have made to
implement ISOO's recommendations and other changes made to improve their
classification management programs, we (1) reviewed the results of ISOO's
audits; (2) obtained supporting documents that addressed these changes,
when available; and (3) discussed challenges that DOJ and FBI managers
responsible for implementing and overseeing these programs faced in making
these changes. While these results cannot be generalized to all classified
documents, we determined the methodology ISOO uses to conduct its reviews
is adequate to support its recommendations.

To determine the extent of policies, procedures, and internal controls
that selected DOJ components have in place for designating information as
sensitive but unclassified, we used our Standards for Internal Control in
the Federal Government to provide criteria to assess the components'
sensitive but unclassified designation practices.^7 We selected five DOJ
components for our review: Bureau of Alcohol, Tobacco, Firearms and
Explosives (ATF); Criminal Division; Drug Enforcement Administration
(DEA); the FBI; and U.S. Marshals Service (USMS). We selected these
components because, on the basis of data we collected as part of our prior
governmentwide assessment of 26 agencies' sensitive but unclassified
information programs, we determined that each of these components had
adopted one or more sensitive but unclassified designations, in addition
to the Limited Official Use designation used across the department.^8 We
reviewed the available data collected on these five components as part of
the governmentwide review. We had determined these data were reliable
enough for our purposes, and we conducted follow-up interviews with each
component's security officials and senior program officials on these
issues.

To determine how selected DOJ components respond to federal
intragovernmental requests for classified and sensitive but unclassified
information, we reviewed supporting documents when available, interviewed
these same security officials, and compared the components' processes for
responding to requests, but we did not independently test the
effectiveness of these processes. We conducted our work from June 2005
through August 2006 in accordance with generally accepted government
auditing standards. More detailed information about our scope and
methodology appears in appendix II.

Results in Brief

At the time of our review, though DOJ had fully or partially implemented 5
of ISOO's 10 recommendations made in 2004 to correct deficiencies in the
department's classification management program, the department's program
remains at risk because DOJ has not addressed the need for more staff, and
this need in turn hinders the department's ability to address remaining
ISOO recommendations and to provide training and oversight of
classification practices across the department and its components.
Specifically, DOJ fully completed action requiring regular program
inspection reports from its components and partially implemented four
other recommendations, including updating classification management
training and taking action to ensure that all security program managers
who handle classified information have security clearances. However, DOJ
disagreed with the recommendation to elevate the position of its security
office within the department, stating that the program managers of that
office already had adequate access to senior leadership. Nevertheless,
ISOO still maintains this change is needed. The department has not
addressed other recommendations that pertained to ensuring that all
employees leaving the agency are briefed on the continued need to protect
classified information, following up on problems identified from
inspections, and monitoring employees' classification practices. Moreover,
the department has not addressed the important issue of insufficient staff
resources to effectively manage and oversee its program. DOJ had one staff
to cover departmentwide training issues and three staff to oversee 3,500
locations under the program. According to the program manager, with these
resources, the security office was reacting to classification issues that
arose rather than being proactive to prevent them. DOJ has not corrected
its resource gap, a problem we also identified in 1993,^9 because the
department's security office did not receive additional resources, as
requested, nor has DOJ reallocated resources from other activities to that
office, according to DOJ security officials, although the department would
not provide additional information on the reasons more funding was not
made available. The security office has asked the governing board of its
Working Capital Fund--an administrative fund that recovers operating costs
by charging components fees for certain services the department provides
them--for fiscal year 2007 funds to provide 9 more staff for the program,
for a total of 22. But the program manager is uncertain whether even these
resources will be sufficient for an effective program, in part because the
security office has not assessed its optimum staffing levels. In addition,
the office does not have a strategy that lays out how it will divide these
resources to address the remaining deficiencies ISOO identified in ways
that reduce the most risks to protecting national security information,
such as whether to focus on addressing training, oversight, or other
program gaps first. In providing technical comments on a draft of the
report, DOJ acknowledged that it has not conducted a formal assessment of
the optimal level of resources its security office needs to administer the
information security program. DOJ also stated that its security office
identified in budget documents how these resources would be allocated to
address the remaining deficiencies identified by ISOO. However, DOJ
provided no evidence of its security office's strategy for allocating the
9 additional staff. Our previous work has identified the importance of
conducting a workforce analysis and developing a strategy to fill
identified staffing gaps, both of which are characteristic of best
practices followed by high-performing organizations.^10

^7 GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

^8 That review covered 26 agencies, 24 of which are subject to the Chief
Financial Officers Act. The other two, the Federal Energy Regulatory
Commission and the U.S. Postal Service, were included because our previous
experience indicated that they used sensitive but unclassified
designations.

^9 GAO, Document Security: Justice Can Improve Its Controls Over
Classified and Sensitive Documents, GAO/GGD-93-134 (Washington, D.C.:
Sept. 7, 1993).

The FBI had begun or completed actions in response to all but one of the
12 recommendations that ISOO made in its April 2005 report for correcting
deficiencies in the FBI's classification management program guidance,
training, and oversight. If FBI completes all recommendations, this will
help to lower program risk since it makes 98 percent of the classification
decisions at DOJ. At the time of our review, the FBI had issued security
regulations on both its classification management program and its method
of processing program violations, as well as instituted certain program
inspection practices. The FBI had also updated most of its guides to
employees on how to classify information and developed a guide on how to
declassify it--actions ISOO cited as key to helping ensure employees have
current, clear, and consistent guidance to make decisions on what
information to protect and restrict and what information to release and
share. Issuance of its revised primary classification guide was pending at
the time of our review because the agency was awaiting resolution of some
outstanding intelligence-related issues that would affect the guide's
content. Likewise, issuance of its declassification guide was pending
because the agency was responding to comments on the draft from the
Interagency Security Classification Appeals Panel with purview over the
guide.^11 Finally, the FBI disagreed with the need to develop a system
that imposes graduated and significant sanctions for serious
classification management violations committed by repeat offenders,
asserting the agency had penalty provisions in place that achieved this
outcome. Upon review of aspects of the sanctions system FBI has in place,
ISOO officials agreed that the system responds to this recommendation.

^10 GAO, Human Capital: Implementing an Effective Workforce Strategy Would
Help EPA to Achieve Its Strategic Goals, GAO-01-812 (Washington, D.C.:
July 31, 2001).

^11 The Interagency Security Classification Appeals Panel approves,
denies, or amends agency exemptions from automatic declassification. It
also decides on appeals by persons who have filed classification
challenges and appeals by persons or entities who have filed requests for
a mandatory declassification review.

For sensitive but unclassified information, the five components we
reviewed had orders and directives in place to identify the various types
of categories they used and to describe how information should be handled
and protected. However, none of these components had specific guidance,
training, and oversight in place to help ensure employees properly
designate information as sensitive--for example, information shared with
law enforcement agencies to support their criminal investigations or
anti-terrorism activities--and to therefore protect it from unauthorized
access. Without these internal controls, information essential to homeland
protection may be unduly restricted or improperly disclosed. The orders
and directives that components issued do not provide employees with
specific guidance on how to decide whether information should be
designated in this way. For example, manuals developed by the FBI and Drug
Enforcement Administration define the terms "Law Enforcement Sensitive"
and "For Official Use Only," but do not provide criteria and examples
employees can use to decide if information merits these designations. We
also recognized the need for such guidance in our governmentwide
assessment of agencies' designation practices and recommended that the
Office of Management and Budget ensure agencies have this key internal
control in place.^12 This is particularly important for DOJ, since its
components use a variety of designations, such as Law Enforcement
Sensitive and DEA-Sensitive, that may be difficult to distinguish.
According to DOJ program officials, the department is not revising its
guidance now because it is waiting for the results of an interagency
working group--due by the end of December 2006--that was created in
response to a December 2005 presidential memorandum to standardize
designations across the government. We also found that none of the
components provide employees with formal training on using designations or
oversee how their designation practices are working. These gaps are
particularly of concern in three of the components that do not restrict
the number of employees who can make designation decisions and yet do not
provide them guidance and training on how to make them. We recently made
recommendations to the Departments of Energy^13 and Homeland Security^14
to correct similar deficiencies in their designation practices, and the
agencies have agreed to improve their program guidance, training, and
oversight.

^12 GAO-06-385.

^13 GAO, Managing Sensitive Information: Departments of Energy and Defense
Policies and Oversight Could Be Improved, GAO-06-369 (Washington,
D.C.: Mar. 7, 2006).

^14 GAO, Transportation Security Administration: Clear Policies and
Oversight Needed for Designation of Sensitive Security Information,
GAO-05-677 (Washington, D.C.: June 29, 2005).

All of the components in our review reported having processes for
responding to intragovernmental requests for national security or
sensitive but unclassified information from Congress, executive agencies,
and other federal sources, and we found that the processes are consistent
with federal internal control standards. For example, the components
reported having specified clear lines of authority and responsibility for
responding to intragovernmental requests. According to agency officials in
the components, these inquiries come through central offices and are to be
forwarded to subject matter experts with the relevant knowledge to
determine whether information can be disseminated. These experts use
consultation with other knowledgeable agency personnel, such as their
general counsels; professional judgment on the nature and sensitivity of
the information; and any available policies and procedures when
considering how to respond to requests. In addition, a unit
supervisor--such as a Section Chief--is to review the response before it
is released to the requester. Finally, all of the components reported
communicating with requesters at various points during the response
process to, for instance, clarify their requests or explain why
information cannot be released.

We are recommending that the Attorney General determine the staff resource
level required for carrying out the responsibilities of the department's
classification management program, including full implementation of ISOO's
recommendations, and devise a strategy to make resources available and use
them most effectively. For sensitive but unclassified information, we are
recommending that the Attorney General ensure that DOJ components have
internal controls in place--namely, specific guidance, training, and
oversight--once the interagency working group has completed its efforts.

Background

The U.S. government classifies information that it determines could
reasonably be expected to damage the national security of the United
States if disclosed publicly. Since 1940, the classification of official
secrets has been governed by policies and procedures flowing from
executive orders issued by presidents, largely based on authority granted
under Article II of the Constitution. Current classification and
declassification requirements are mandated by Executive Order 12958,
Classified National Security Information, as amended.^15 The order
establishes the basis for classifying national security information at one
of three levels--Top Secret, Secret, or Confidential--depending on the
degree of damage that unauthorized disclosure of this information could
reasonably be expected to cause to the national security of the United
States.^16 Pursuant to the executive order, designated individuals, called
original classifiers, exercise original classification authority, meaning
they can classify national security information for the first time. Such
individuals, including the President, agency heads, and other government
officials that have been delegated this authority determine the degree of
damage that disclosure could cause, decide on a classification level for
the information, and attempt to establish a date or event for its
declassification.

Declassification is a vital part of the classification system because it
prompts the change in status of the information from classified to
unclassified, which may make it available for others to access and use,
such as members of the general public, researchers, historians, or other
parties. Under the automatic declassification provision of the executive
order, all records of a permanent historical value over 25 years old that
contain classified national security information will be automatically
declassified on December 31, 2006, and each year thereafter, and may be
available for public disclosure, unless an agency head or senior agency
official determines that these records fall within an exemption that
permits continued classification as approved by the President or the
Interagency Security Classification Appeals Panel.^17 Examples of
exemptions include information that, if released, could be expected to
seriously impair relations between the United States and a foreign
government; undermine diplomatic activities of the United States; identify
a human intelligence source; or violate a statute, treaty, or
international agreement. Information that is automatically declassified as
of December 31, 2006, will not necessarily enter the public domain.
According to ISOO officials, declassified information may continue to be
withheld from public disclosure for reasons under the Freedom of
Information Act (FOIA) or other legal authority or may be reclassified in
accordance with the executive order.^18

^15 See Exec. Order No. 13292, 68 Fed. Reg. 15,315 (Mar. 28, 2003). See
also 32 C.F.R. pt. 2001.

^16 The executive order describes the degree of damage to the United
States that unauthorized disclosure of national security information
reasonably could be expected to cause as exceptionally grave damage,
serious damage, or damage and the corresponding levels for classifying
this information as Top Secret, Secret, or Confidential, respectively. The
order also defines national security as national defense or foreign
relations of the United States.

^17 Pursuant to section 3.3 of the executive order, automatic
declassification will occur whether or not the records have been reviewed.

The order also requires ISOO to implement directives and perform oversight
inspections of executive branch agencies' national security information
classification programs to ensure these programs are in compliance with
the order. When the oversight inspections result in findings of
noncompliance with the order, ISOO recommends corrective actions to the
agencies. However, according to ISOO, it cannot require agencies to
implement the recommended corrective actions.

According to ISOO, DOJ is the third largest classifier of information in
the executive branch, although this represents about 2 percent of all
executive branch classification decisions during fiscal years 2000 through
2004, as the vast majority of classified information originates in the
Department of Defense. Nevertheless, DOJ is responsible for a large volume
of classified information, some of which, if improperly disclosed, could
harm the national security of the United States. The majority
(approximately 98 percent) of classification activity within DOJ occurs at
the FBI.

DOJ also designates certain information as sensitive but unclassified and
prescribes specific requirements for handling and sharing this information
to ensure that harm is not caused to governmental, commercial, or privacy
interests as a result of disclosing it to the public or persons who do not
need such information to perform their jobs. DOJ components in our review
use a number of sensitive but unclassified designations, such as Law
Enforcement Sensitive, For Official Use Only, and Limited Official Use, to
identify information as sensitive but unclassified. Such information at
DOJ could include that which is critical to a criminal prosecution. As
such, the department would protect this information from inappropriate
dissemination by designating it Law Enforcement Sensitive and applying
prescribed dissemination and handling procedures that correspond with the
designation. Information designated as sensitive but unclassified remains
so indefinitely, unless it is reviewed, for example, pursuant to a request
under FOIA. That act requires federal agencies to disclose records
requested in writing by any person unless one or more of the nine
exemptions and three exclusions authorize the agency to withhold the
requested information. For example, law enforcement records may be
withheld if their release could reasonably be expected to interfere with
enforcement proceedings.

^18 See, e.g., 5 U.S.C. § 552.

Within DOJ, the Office of Information Safeguards and Security Oversight,
which is part of the Security and Emergency Planning Staff (SEPS), is
responsible for developing security policy and administering and
overseeing the department's programs for managing classified and sensitive
but unclassified information. This office currently has a total of 13
staff, of which 1 is responsible for policy development and training, and
3 are responsible for program oversight. The remaining 9, among other
things, administer the department's sensitive compartmented information
program,^19 review information technology security policies developed by
the department's Chief Information Officer, and ensure the development
and implementation of departmentwide policies and procedures that govern
certain security related activities. Figure 1 shows an excerpt of DOJ's
organizational chart that features the offices responsible for
classification management.

^19 Sensitive compartmented information is classified information
concerning or derived from intelligence sources, methods, or analytical
processes. This information is required to be handled within formal access
control systems established by the Director of the Central Intelligence
Agency.

Figure 1: DOJ Organizational Chart

At the component level, security program managers are responsible for
implementing component-specific security activities, such as conducting
internal inspections and training employees on their responsibilities in
relation to DOJ's security programs. In total, there are approximately 40
security program managers and alternates, 33 of which conduct these duties
on a part-time basis.

DOJ shares classified and sensitive but unclassified information with
those who have a need to know this information, such as with other law
enforcement agencies at all levels of government. One manner in which DOJ
shares this information is in response to requests it receives from other
federal entities, such as Congress, other executive agencies, and
legislative agencies.

DOJ Has Made Progress Implementing ISOO Recommendations but Has Not Yet
Addressed Critical Staff Resource Issues That Limit Its Ability to Address All
Needed Changes

Although DOJ has completed or partially completed half of ISOO's 10
recommendations, it has not implemented the other half, primarily because
of resource constraints, according to DOJ. This has been a long-standing
problem in the program, as our prior work shows, but DOJ reported that it
is seeking additional resources from an administrative fund in fiscal year
2007. The ISOO recommendations were to correct, among other things,
resource constraints, a lack of sufficient training on how to classify
information, and inadequate oversight to ensure its classification
management practices were working well. DOJ is not certain that the
additional resources will be enough for an effective program. However, it
has not assessed the optimum resources it needs or developed a strategy to
use available resources most effectively to resolve remaining
deficiencies.

DOJ Took Action on 5 of the 10 ISOO Recommendations for Its Classification
Management Program

ISOO made 10 recommendations to DOJ in July 2004 aimed at resolving
deficiencies in DOJ's classification management program, and, at the time
of our review, the department had completed or partially addressed half of
the recommendations, as table 1 shows.

Table 1: Status of DOJ's Implementation of ISOO's Recommendations as of
August 2006

ISOO's recommendations to DOJ                                              
                               Fully implemented                              
      1. Consider requiring components to file self-inspection reports of     
      their security classification programs as a matter of course, not just  
      when there are significant findings.                                    
                             Partially implemented                            
      2. Require all security program managers to hold security clearances at 
      the level appropriate for the activity of their offices, including      
      managing classified information.                                        
      3. Take steps to ensure required refresher training is received by      
      everyone in all components and that this training includes how to       
      properly decide to classify and mark information.                       
      4. Ensure all security program managers receive regular and consistent  
      training on classification practices.                                   
      5. Take steps to properly track security violations, including handling 
      classified information, throughout the department, analyze the          
      violations for trends, and incorporate the findings into its security   
      education and training program.                                         
                                Not implemented                               
      6. Commit sufficient resources to effectively implement its             
      departmental classification management and security program as called   
      for in Executive Order 12958, as amended.                               
      7. Enforce the requirement that staff, when they terminate employment,  
      be briefed on their continued information security responsibilities.    
      8. Develop a follow up mechanism to ensure security program managers    
      perform annual internal inspections of classification management and    
      security programs as required by DOJ's Security Program Operating       
      Manual.                                                                 
      9. Review classified documents, after DOJ staff have received training  
      on marking requirements, to determine if staff are properly applying    
      the required markings, and review classified documents on a regular     
      basis, such as during annual and recurring inspections, to ensure       
      proper classification decisions and practices.                          
                       Disagreed with recommended change                      
      10. Examine the placement of DOJ's departmental security                
      office--Security and Emergency Planning Staff--within the department's  
      organizational structure and consider repositioning it to afford it     
      higher visibility and increased stature in the implementation of the    
      classified information security program at DOJ.                         

Source: GAO analysis of DOJ information.

Through SEPS, DOJ had implemented 1 recommendation to require that each of
its components file self-inspection reports on its classification
management program as a matter of course by including this requirement in
its May 2005 revised Security Program Operating Manual. DOJ also built in
the requirement that all components submit inspection reports for each
fiscal year no later than October 15 of the following fiscal year, but at
the time of our review, a SEPS official noted that none of the components
had submitted inspection reports for fiscal year 2005.

Through SEPS, DOJ has partially implemented 2 other recommendations.
First, in response to ISOO's recommendation that security program managers
hold security clearances at levels appropriate for the activity of their
office, SEPS reported that all of its component security program managers
who handle classified information had security clearances, but SEPS was
considering revising the order on security programs and responsibilities
to include a requirement for these managers to hold clearances. Second, as
of April 2006, SEPS reported that it has taken steps to make refresher
training, including how to mark classified documents, available to all
staff in all DOJ components. According to DOJ security officials, SEPS has
developed a computer-based refresher training module, which is estimated
to be available to employees by December 2006.

DOJ disagreed with an ISOO recommendation to examine the placement of SEPS
within the department's organizational structure and consider
repositioning it to afford it higher visibility and increased stature.
DOJ's Assistant Attorney General for Administration informed ISOO that
SEPS's reporting to the Deputy Assistant Attorney General for
Administration does not hinder it from fulfilling its responsibilities,
and SEPS's director has access to the department's senior leadership
whenever needed. However, ISOO still maintains this change is needed.

DOJ's Inaction on Staff Resource Issues Impedes Full Implementation of ISOO's
Recommendations

ISOO reported that SEPS lacked sufficient staff resources to effectively
implement DOJ's classification management program and recommended that
measures be taken to correct this deficiency. ISOO's recommendation to DOJ
on resources for classification management is consistent with the
executive order governing classified information that requires agency
heads to commit the resources necessary to effectively implement a
national security information program. The order also requires the senior
agency official--who is designated by the agency head to direct and
administer the agency's classified national security information
program--in part, to establish and maintain programs to (1) train and
educate employees on the need to properly classify and mark national
security information and prevent unnecessary access to and unauthorized
disclosure of classified information; and (2) provide oversight of the
program through mechanisms such as ongoing internal inspections. These
requirements are also consistent with federal standards for internal
control.

ISOO reported that SEPS's lack of resources is particularly significant
because of DOJ's large volume of classification activity--especially when
SEPS is compared to security offices at other federal agencies of similar
size and structure. DOJ, the third largest classifier of information in
the federal government, has 13 full-time positions devoted to information
security. Four of the 13 are dedicated to DOJ's classification management
training and program oversight departmentwide, 1 to provide and oversee
training across the department and components and 3 to conduct security
compliance reviews at DOJ's 3,500 locations. DOJ does have security
program managers at each of its components to provide training and program
oversight for that component that helps to supplement departmental
activity. Nevertheless, in comparison, the Department of Energy, the fifth
largest classifier, has 23 full-time positions, and the Department of
State, the fourth largest classifier of information, has 8 full-time
positions to cover its classification management program at headquarters
alone, according to ISOO.

SEPS did not receive additional resources, as requested, nor did DOJ
reallocate resources to SEPS from other activities, according to DOJ
security officials, although they would not provide additional information
explaining the reasons why funds were not made available. This problem is
longstanding. In 1993, for example, we reported that limited staff
resources in SEPS's Security Compliance Review Group affected its ability
to conduct compliance reviews of all DOJ locations in overseeing the
department's security program.^20 In addition, during 1991 and 1992, the
group had 6 employees to conduct reviews of 1,300 DOJ locations compared
to half as many staff to cover almost three times as many locations today.
Moreover, in 1993, we reported that DOJ requested, but was not authorized,
additional staff, and we recommended that the Attorney General direct
SEPS's Security Compliance Review Group to explore other alternatives for
selecting and conducting these annual reviews to maximize the use of its
limited resources. In response, DOJ devised a strategy to use components'
security specialists to help with compliance reviews and their inspection
reports to target locations to review. As a result, DOJ reported that the
number of compliance, follow-up, and unscheduled reviews increased.
However, at the time of our review, SEPS indicated that security program
officials only perform oversight of their components' security programs.
Despite the progress reported after our 1993 report, ISOO found over 10
years later that DOJ was not able to compensate for its lack of resources
and provide sufficient oversight.

^20 GAO/GGD-93-134.

As a result of these staff resource limitations, DOJ security officials
stated that SEPS had only been able to partially implement 2 ISOO
recommendations and had not taken steps to address 3 others. DOJ had
partially responded to ISOO's recommendation that department security
program managers be given consistent and regular training they need to
understand their responsibilities for managing their respective
component's classification activities. SEPS agreed to provide training to
these managers in two ways: (1) an annual conference, at which attendance
is not required, that the department has hosted since 2003 and (2)
detailed training workshops on handling and safeguarding classified
information, such as marking documents, conducting self-inspections, and
managing classification programs, which are provided only upon request.
However, DOJ does not have a mechanism, as called for in our federal
internal control standards, and sufficient staff, as ISOO noted in its
report, to ensure all security program managers consistently receive the
training they need. In addition, SEPS has implemented a database to track
security incidents departmentwide, such as classification program
violations, as ISOO recommended. However, SEPS officials reported that
they have not been able to monitor security violations and incidents to
identify patterns and trends and incorporate these lessons learned into
the department's security education and training program because they lack
the staff to do so.

The three recommendations SEPS had not taken any action on primarily
related to monitoring aspects of the classification management program.
First, ISOO found that SEPS was not conducting frequent reviews of the
department's compliance with the security program, as a whole, and that
the components were not supplementing these department-level reviews by
conducting self-inspections of compliance with their security programs on
a frequent and consistent basis to ensure that sound security practices
are maintained. SEPS's team of three reviewers was responsible for
conducting security program compliance reviews at an estimated 3,500 DOJ
facilities currently located worldwide. ISOO also found that SEPS had not
established a mechanism to ensure that components were conducting the
self-inspections. ISOO recommended that DOJ correct these deficiencies.

Second, ISOO also found that classified documents were not always marked
as required. Over half of the 81 classified documents that ISOO reviewed
did not meet the marking requirements of the executive order. The most
frequent marking errors consisted of a lack of, or incomplete, portion
markings (27 documents) and missing, incomplete, or improper
declassification instructions (23 documents). Therefore, ISOO recommended
that DOJ review classified documents on a regular basis to determine if
staff are properly applying the marking requirements after employees have
been trained on these requirements. According to SEPS officials, because
of related resource constraints, the office had not taken action to
institute these reviews.

Third, DOJ had not taken action on ISOO's recommendation that employees
receive security debriefings upon leaving the department. ISOO reported
that such termination briefings are essential to informing employees that
were leaving the agency of their continuing responsibility to protect
classified security information. This recommendation is consistent with
the executive order and implementing directives, federal standards for
internal control, and DOJ's own Security Program Operating Manual. DOJ
reported that it enforces this requirement by checking to see if
components are providing the briefings when SEPS conducts components'
security compliance reviews. However, ISOO found that SEPS did not conduct
these reviews frequently enough to ensure that sound security practices
are maintained. Furthermore, DOJ officials concurred with ISOO's position
on this matter and attributed the department's insufficient reviews to its
resource limitations. As an alternative, ISOO suggested to us that DOJ
might coordinate with its human resources department to establish a system
to track whether employees received the termination briefings before
departure.

To address its resource constraints, SEPS expects to add 9 more staff--5
full-time employees and 4 contract employees--to the 13 it currently has
on board, pending the department's Customer Advisory Board approval of
funds from its Working Capital Fund. This fund is an administrative
account generally intended to recover operating costs by having the
department charge components fees for common administrative services--such
as financial, telecommunications, and personnel services--that the
department provides to them.^21 DOJ officials were not certain how all 9
staff would be divided across the training, oversight, technical security
policy reviews, and other functions within SEPS. A SEPS official said that
3 of the 9 staff are to be allocated to oversight but noted that while the
additional staff would help, they most likely would still not be enough to
implement an effective classification management program. However,
although DOJ includes SEPS in its departmentwide workforce analysis, that
office has not separately determined the optimal level of resources needed
to administer an effective security program. This is an important first
step to resolving its resource constraints and complying with ISOO's
recommendations.

In addition, SEPS does not have a strategy that lays out how it can best
use anticipated resources to address the remaining deficiencies ISOO
identified in ways that reduce the most risks to protecting national
security information, such as whether to focus on addressing training,
oversight, or other program gaps first. According to the program manager,
with only 4 staff to cover departmentwide training and oversight issues,
the office had not been able to be more proactive and strategic, achieving
more comprehensive monitoring to prevent problems, and instead had to be
more reactive and address classification concerns as they arose. In
providing technical comments on a draft of the report, DOJ acknowledged
that it has not conducted a formal assessment of the optimal level of
resources SEPS needs to administer the information security program. DOJ
also stated that SEPS identified in budget documents how the 9 additional
staff would be allocated to address the remaining deficiencies identified
by ISOO. However, DOJ provided no evidence of SEPS's strategy for
allocating these additional staff.

Our previous work notes the importance of having a workforce analysis and
developing a strategy to fill staffing gaps, both of which are
characteristic of best practices followed by high-performing
organizations. In A Model of Strategic Human Capital Management, we
highlighted the importance of identifying current and future staffing
needs, including the appropriate number of employees and the correct mix
of skills, for maximizing the value of employees and managing risk.^22
Also, we have emphasized that an essential element of effective workforce
planning is aligning human capital strategies to eliminate gaps.^23 We
have previously recommended that specific agencies adopt these practices.
For instance, in a 2001 review of the Environmental Protection Agency
(EPA), we recommended that EPA direct its major program offices to perform
workforce analyses and then focus hiring and recruitment to fill any
identified gaps.^24 Similarly, we recommended in 2003 that the Government
Printing Office complete a workforce analysis to identify gaps in skills
and competencies and develop strategies to address any gaps.^25 SEPS might
benefit from adopting these human capital practices as part of a broad
strategy to respond to ISOO's recommendations.

^21 Established in 1975, the Working Capital Fund is a revolving fund
authorized by law to finance a cycle of operations where the costs for
goods or services provided are charged back to the recipient. The funds
received are available for expenses and equipment necessary for
maintenance and operation of such administrative services as the Attorney
General, with the approval of OMB, determines may be performed more
advantageously as central services. See 28 U.S.C. § 527. The fund is
governed by an eight-member Customer Advisory Board, which is chaired by
the Assistant Attorney General for Administration, who is also the general
manager of the fund.

The FBI Has Begun to Implement All but One of ISOO's Recommendations

The FBI has begun or completed actions on all but one of ISOO's
recommendations to correct several deficiencies ISOO identified in the
FBI's classification management program.^26 These deficiencies included
outdated policy guides for classifying information, insufficient training
and program oversight, and improper marking of classified information. In
its April 2005 final report, ISOO recommended that the FBI take 12
associated corrective actions. As of August 2006, the FBI had fully
implemented 4 and had actions under way to implement 7 more, as shown in
table 2.

^22 GAO, A Model of Strategic Human Capital Management, GAO-02-373SP
(Washington, D.C.: Mar. 15, 2002).

^23 GAO, Human Capital: Key Principles for Effective Strategic Workforce
Planning, GAO-04-39 (Washington, D.C.: Dec. 11, 2003).

^24 GAO-01-812.

^25 GAO, Government Printing Office: Advancing GPO's Transformation Effort
through Strategic Human Capital Management, GAO-04-85 (Washington,
D.C.: Oct. 20, 2003).

^26 ISOO made 12 recommendations to FBI in its April 2005 report. FBI
security officials indicated that the agency did not agree with one of the
recommendations--develop a graduated sanctions system with significant
sanctions for repeat offenders--because FBI's Office of Professional
Responsibility had already issued offense and penalty tables that cover
security violations. In addition, FBI's Security Policy Manual describes
the consequences that individuals will be subjected to for disclosing
classified information to unauthorized persons, such as sanctions
identified in the Offense Table and Penalty Guidelines Relating to the
Disciplinary Process, effective November 1, 2004.

Table 2: Status of the FBI's Implementation of ISOO's Recommendations as
of August 2006

ISOO's recommendations to the FBI                                          
                               Fully implemented                              
      1. Promulgate regulations to implement the classification management    
      requirements of the executive order and ISOO's directive.               
      2. Institute both annual self-inspections of the classification         
      management program by the chief security officers and staff assistance  
      visits by the Security Division.                                        
      3. Publish and promulgate regulations for processing security           
      violations, such as the unauthorized disclosure of classified           
      information.                                                            
      4. Require that the Security and Inspection Divisions collaborate at    
      least annually to evaluate the effectiveness of security inspections,   
      which include reviews of classification program compliance, determine   
      locations to be inspected, and make changes to their inspection         
      checklist.                                                              
                             Partially implemented                            
      5. Complete the update of the classification guides to encompass the    
      FBI's expanded mission and to meet the requirements of the executive    
      order.                                                                  
      6. Develop a declassification guide, required by the executive order,   
      to permit exemptions from automatic declassification requirements and   
      submit it for approval.                                                 
      7. Ensure that all employees receive sufficient annual refresher        
      training on classification management practices on a continuing basis.  
      8. Update the FBI's outdated training for those staff with authority to 
      originally classify information so as to reflect the current executive  
      order.                                                                  
      9. Provide refresher training in marking requirements to address        
      discrepancies ISOO noted in its document review, and when the update of 
      its primary classification guide is implemented, train all classifiers  
      on its use and on the standards for classification.                     
      10. Review the number of staff with original classification authority   
      in the Records Management Division, examine their role in classifying   
      and declassifying information, and review the number of staff with this 
      authority in the FBI as a whole to determine if the number can be       
      reduced.                                                                
      11. Review and update the FBI's automated marking mechanisms (macros)   
      in its electronic systems to ensure they are applying up-to-date        
      markings.                                                               
                       Disagreed with recommended change                      
      12. Develop a system that imposes graduated sanctions on those staff    
      who repeatedly violate program requirements.                            

Source: GAO analysis of FBI information.

The FBI implemented 3 of ISOO's recommendations--those addressing security
regulations, self-inspections, and the processing of security
violations--by issuing its Security Policy Manual in December 2005, laying
out responsibilities, policies, and procedures for implementing its
classification management program. For a fourth completed
recommendation--evaluating the effectiveness of security
inspections--FBI's Security Division recently established the requirement
that chief security officers conduct annual self-inspections of their
divisions' classification management programs and that Security Division
staff conduct site visits to provide assistance where the head of the
Security Division or another FBI division deems necessary.

As to the remaining 8 recommendations, the FBI disagreed with 1--to
develop a graduated sanctions system for employees who repeatedly commit
program violations--because it said that its Office of Professional
Responsibility already had a system in place to apply such sanctions. Upon
review of aspects of the sanctions system FBI has in place, ISOO officials
agreed that it responds to this recommendation. The remaining 7
recommendations have been partially implemented, as discussed below.

Updated and Completed Classification Program Guidance

ISOO reported that the guides the FBI had in place to help employees make
classification decisions neither contained current information nor
reflected changes in the FBI's mission, particularly the increase in its
intelligence capacity after the terrorist attacks of September 11, 2001.
ISOO recommended the guides be updated. One had not been revised for 9
years, even though ISOO's directive implementing the executive order
governing classified information calls for updates at least every 5 years.
Classification guides are key to helping ensure employees have current,
clear, and consistent guidance to make decisions about what information
needs to be protected and restricted and what information can be released
and shared, according to ISOO. FBI had complied with this recommendation
for most of its guides. Security officials stated that although it had
drafted an update of its primary classification guide, entitled Foreign
Counterintelligence Investigations Classification Guide, it had not yet
been issued because ongoing discussions between the FBI and DOJ's Office
of Intelligence Policy and Review about various intelligence-related
issues will affect the guide's content. As of August 2006, FBI officials
did not know when these issues would be resolved.

ISOO also found that the FBI lacked a guide for how to declassify
documents, as the executive order requires, and recommended that the FBI
develop such a guide and submit it to the Interagency Security
Classification Appeals Panel (ISCAP) for approval. According to FBI
security officials, the guide has been drafted but not issued because the
bureau was responding to panel comments on the draft. This guide is
important because, among other things, it was to formally establish those
exemptions the FBI could use when reviewing records to comply with the
December 31, 2006, automatic declassification mandate. Delays in issuing
the guide and establishing exemptions make it difficult for FBI to have
time to complete its review because of the volume of records it has to
address, which could be as many as 110 million records, according to
bureau estimates. ISOO noted that the FBI has taken positive steps to try
to meet the date, such as drafting its declassification guide, identifying
information that it could present to ISCAP for exemption from the
automatic declassification requirement, and authorizing bulk
declassification of documents.^27 But even with these initiatives, the
bureau could still have up to 30 million records to review, which is why
delays in issuing the guide and establishing exemptions may hinder
completion of this review. As a result, some information that should
remain protected could be available for public release, although the FBI
could still try to reclassify it, deny release to protect individual
privacy rights, or deny release for other reasons, such as to protect the
identity of individuals who provide intelligence information to the
government.

Updated Training on Classification and Marking Procedures

ISOO reported that although the FBI had some very sound training tools and
to some extent provided excellent training, the training was not thorough
or offered consistently across the bureau. Specifically, ISOO reported that
the amount and level of refresher training varied considerably among the
FBI divisions, noting that the Counterintelligence and Counterterrorism
Divisions' training was substantial and met the requirements of the
executive order, in contrast to the Office of Intelligence, which did not
provide adequate training as its refresher training included only a few
minutes on security awareness. ISOO recommended that the FBI ensure that
all employees with security clearances receive sufficient annual refresher
training on the classification program. In response, FBI security
officials stated that the agency has instituted a security awareness
program that includes the refresher training, which is offered
continuously rather than annually. The training is provided through means
such as posting security tips as well as classification and marking
materials on the FBI's intranet; having chief security officers distribute
security awareness materials to employees; and providing live
presentations and webcasts to all employees on classifying and marking
practices. Although FBI has made this material available, it acknowledged
that it does not have a system in place to track and ensure that all
employees have received the information because, according to FBI,
tracking would be administratively burdensome considering the methods used
to convey the information. The absence of such tracking is not consistent
with ISOO's directive, which requires agencies to maintain records of the
training programs offered and employees' participation in them.

^27 All requests for exemptions from automatic declassification are to be
submitted to the Interagency Security Classification Appeals Panel, which
is composed of senior-level representatives from various agencies that
handle the largest volume of classified information, at least 180 days
before the automatic declassification date. All exemptions are to be
approved, denied, or amended by this panel.

ISOO also noted that the FBI had outdated and insufficient training
materials for those staff who are the primary classifiers of information,
known as original classification authorities. ISOO found that the FBI's
practice of waiting for these classifiers to contact the Security Division
with questions about their responsibilities does not ensure they have a
complete understanding of their role, as well as the executive order and
implementing directives, and that this was critical since these
individuals determine whether information meets the standards of potential
damage to national security and should be classified. ISOO recommended
that the FBI update this training, and the FBI expects to do so but is
waiting until its classification and declassification guides are issued so
that it can cover them in the training. FBI security program managers
point out that more and more, these individuals are making
declassification rather than classification decisions, and have been
getting some training on their responsibilities for these decisions
through one-on-one training, electronic communications, and participation
in related training programs.

In almost half of the 575 classified FBI documents ISOO reviewed, it found
marking errors. For example, ISOO found that portions of 110 documents (19
percent) appeared to be unnecessarily classified, while another 8 (1
percent) were clearly overclassified. To help eliminate these
discrepancies, ISOO recommended that employees be provided refresher
training on marking requirements and classifiers be trained in the updated
classification guide when implemented. Otherwise, an ISOO official said,
without proper guidance, employees tend to take a conservative approach
and err on the side of classifying information. As we noted, the FBI has
incorporated marking requirements in the refresher training and does plan
to provide training on the new guides.

Review the Number of Staff with Classification Decision Authority

ISOO also recommended that the FBI review the number, roles, and
responsibilities of those staff with original classification authority to
determine if the number could be reduced. ISOO made this recommendation,
in part, because it found that the percentage of staff with this authority
within the FBI's Records Management Division, a support office, was higher
than that for other executive branch agencies. According to FBI security
officials, the number of staff with this authority has been reduced in the
Records Management Division and in the FBI as a whole. However, they said
they will still have to re-examine the role of original classification
authorities once the new guides are approved and issued.

Review and Update Automated Marking Mechanisms

ISOO also found missing, incomplete, or improper declassification markings
in 176 of the documents (31 percent), but for most of these documents,
about 80 percent, the errors were due to the fact that the FBI's automated
marking mechanism (computer macro) was erroneously applying outdated codes
that exempted information from being declassified. ISOO recommended that
the FBI review and update its macro to ensure it is applying current
codes, and FBI security officials reported they are testing updated macros
and expect to implement them by the end of September 2006.

DOJ Components Lack Specific Guidance, Training, and Oversight to Ensure Proper
Designation of Sensitive but Unclassified Information

The five components we reviewed had orders and directives in place to
identify the various types of categories of sensitive but unclassified
information they used and to describe how information should be handled
and protected. However, none of these components had specific guidance in
place to help ensure employees properly designate information as
sensitive. DOJ indicated that it is waiting for the results of a
governmentwide working group that will determine what designations
agencies are to use before considering any modifications to how it manages
this type of information. In addition to a lack of specific guidance, the
components do not have other key internal controls in place to provide
reasonable assurance that designations are being consistently
applied--specifically, they lack formal training on how to decide when to
apply the designations and do not perform oversight, such as assessments
of how well their practices are working. Having these controls--specific
guidance, training, and oversight--in place is important, considering that
these components share information formally and informally with various
federal and nonfederal entities, such as state and local law enforcement
agencies. Without such controls, errors could occur and materials could be
restricted unnecessarily or information that should be withheld could be
disseminated.

DOJ Components Lack Specific Guidance for Sensitive but Unclassified Decision
Making

All five DOJ components in our review developed general policy guidelines,
such as orders and directives, in addition to a 1982 order, Control and
Protection of Limited Official Use Information, which established a
departmentwide policy for protecting sensitive but unclassified
information. However, the five DOJ components we reviewed do not have
specific guidance to help employees determine how to apply their sensitive
but unclassified designations. Additionally, our governmentwide review of
agencies' sensitive but unclassified designation practices also points to
the importance of having formal, written guidance to give agency personnel
a consistent understanding of whether and when to apply such designations,
and we recommended in our March 2006 report that the Office of Management
and Budget ensure agencies have this internal control in place. Written
guidance is important because, according to the Standards for Internal
Control in the Federal Government, information must be communicated in a
suitable form and in a timely manner to those within an organization who
need it to carry out their responsibilities. Furthermore, on the basis of
our previous recommendations, other federal agencies have taken
initiatives to enhance their guidance for their sensitive but unclassified
designation processes. For example, earlier this year, the Department of
Energy agreed with a recommendation we made to clarify its guidance on
this subject and said that it is also planning ways to explicitly define
for its employees what would be an inappropriate application of the
sensitive but unclassified designations so that information is properly
designated and handled.^28 Similarly, in part because of our past
recommendation to the Department of Homeland Security's Transportation
Security Administration, that office has begun to develop internal
guidance that expands its existing regulations for sensitive security
information--a category of sensitive but unclassified information--by
providing personnel with examples of the types of information that should
fall within various categories of sensitive security information.^29 By
taking similar actions, DOJ could reduce the likelihood of errors and
inconsistencies in applying the sensitive but unclassified designations
throughout the department.

The existing policy guidelines for the five components we reviewed do not
provide employees the level of specificity needed to adequately guide
their decision making on applying the designation. For example, in its
policy, the Drug Enforcement Administration's (DEA) definition of
sensitive information includes any information and materials that are
investigative in nature, critical to the operation and mission of the
agency, would violate a privileged relationship, or have its access
restricted by law. However, the policy provides no explanation, guidance,
or examples of the information that would meet any of these criteria, for
instance, information that could be categorized as critical to DEA's
mission. Similarly, the FBI's Intelligence Policy Manual sets forth
definitions of various sensitive but unclassified categories, such as Law
Enforcement Sensitive and For Official Use Only, but does not have
specific guidance for designating documents, such as identifying the
criteria for determining whether text in a document should be Law
Enforcement Sensitive because, for example, it is associated with an
ongoing criminal investigation. Finally, neither DEA nor FBI guidance
contains examples of inappropriate applications of sensitive but
unclassified designations. Without explicit language identifying
appropriate and inappropriate use of the designation, DOJ components
cannot be confident that their personnel are making correct and consistent
decisions.

^28 GAO-06-369.

^29 GAO-05-677.

Moreover, the components in our review use five different sensitive but
unclassified designations, as table 3 shows.

Table 3: Sensitive but Unclassified Categories Used by Five DOJ Components

Component          Sensitive but unclassified categories used
FBI                Limited Official Use (LOU); For Official Use Only (FOUO);
                   Law Enforcement Sensitive (LES); Proprietary Information
                   (PROPIN)
DEA                Limited Official Use (LOU); Law Enforcement Sensitive (LES);
                   DEA-Sensitive (DEA-S)
USMS               Limited Official Use (LOU); Law Enforcement Sensitive (LES)
ATF                Limited Official Use (LOU); For Official Use Only (FOUO);
                   Law Enforcement Sensitive (LES)
Criminal Division  Limited Official Use (LOU); Law Enforcement Sensitive (LES)

Source: GAO analysis of information provided by DOJ components.

Within a single DOJ component, employees could be confronted with making
decisions on the sensitive but unclassified designation that might involve
up to four categories, each with its own unique definition and
safeguarding requirements, yet not have specific guidance on the types of
information that merit each designation. For example, an employee at DEA
can designate information Limited Official Use (LOU), Law Enforcement
Sensitive, or DEA Sensitive (DEA-S), and each has different requirements.
DEA requires administrative controls and additional safeguards for storage
and transmission of DEA-S information that are equivalent to those for
classified information. This means that DEA-S information must be locked,
for example, in a General Services Administration (GSA)-approved security
container when not in the custody of an individual with a need to know
that information. The LOU category, however, carries less stringent
handling requirements that do not, for example, involve storing documents
in a GSA-approved locked cabinet. Consequently, in such an instance,
information that would warrant the DEA-S protection may not be adequately
safeguarded from unintended disclosure. This underscores the need for
employees to have specific guidance and examples to use to be able to
clearly determine which information should be protected under these
categories.

According to DOJ security officials, additional changes affecting the
departmentwide guidance on sensitive but unclassified policies and
procedures have been suspended pending the results of efforts connected to
a December 2005 presidential memorandum.^30 This calls for, among other
things, the development of standardized procedures across the federal
government for designating, marking, and handling sensitive but
unclassified information, in part, to promote effective and efficient use
and sharing of this information. In general, the memorandum requires
executive departments and agencies to inventory and assess their sensitive
but unclassified procedures and determine the underlying authority for
each procedure. For example, it mandated the submission of recommendations
to the President for standardizing sensitive but unclassified procedures
across the federal government for homeland security, law enforcement, and
terrorism information, and the recommendations are expected by the end of
December 2006. Once governmentwide standards have been established and a
final decision is made on what sensitive but unclassified designations DOJ
and its components will use, it will be important for them to develop
specific guidance for employees that provides them with a clear
understanding about when to apply each designation to ensure information
is properly designated.

^30 Memorandum for the Heads of Executive Departments and Agencies:
Guidelines and Requirements in Support of the Information Sharing
Environment, December 16, 2005.

Training and Oversight for Their Designation Programs Are Limited for Selected
DOJ Components

Federal internal control standards discuss the need for both training and
continuous program oversight as necessary elements to ensure effective
program implementation. However, training for the sensitive but
unclassified designation process is lacking for the five DOJ components we
reviewed. Although the Criminal Division and DEA offer training on
handling and protecting sensitive but unclassified documents and material
as part of periodic security awareness briefings, this training does not
cover how to decide what information merits the designation. Specifically,
security officials at the Criminal Division reported that the unit's
classification briefing includes a section on sensitive but unclassified
information. However, this training only provides employees with a
definition of the various categories of information, such as grand jury
information, informant and witness information, and investigative
material, and not specific guidance on how to determine if specific
information qualifies for one of these categories. Similarly, DEA provides
employees computer-based training and briefings, but these convey
information only on handling, not designating, sensitive but unclassified
information. Without such training, employees may be at higher risk of
improperly designating or not designating information as sensitive but
unclassified. We have previously recommended that other agencies develop
training to cover designation of sensitive but unclassified information,
and all have agreed to initiate such training.^31

In addition to having limited training programs, none of the components we
reviewed have formally established policies and procedures regarding how
they will monitor employees' appropriate and consistent application of
sensitive but unclassified designations. Federal internal control
standards call for, among other things, ensuring that ongoing
oversight--such as self-inspections and supervisory reviews--occurs in the
course of normal operations. The lack of such internal controls over
sensitive but unclassified designations increases the potential that
different components could designate the same information differently
without detecting inconsistencies. Some components told us they rely on
their unit's periodic security compliance reviews to assess how sensitive
but unclassified information is handled and protected. However, some of
these reviews have been conducted at up to 3-year intervals and, according
to DEA security officials, are not designed to verify the accuracy of
employees' sensitive but unclassified decisions. On the basis of our
previous work, other agencies have acknowledged the role of effective
oversight procedures for the designation process and have taken actions to
implement our recommendations to strengthen their procedures. For example,
the Department of Defense and the Department of Energy, in response to our
recommendations, have agreed to include oversight reviews of the sensitive
but unclassified process as part of their routine security oversight
assessments. Without similar actions, DOJ does not have reasonable
assurance that the designations are applied accurately and consistently
throughout the department.

^31 See GAO-06-369 and GAO-05-677.

The lack of guidance, training, and oversight is of particular concern in
three of the five components we reviewed because these components do not
limit the number of employees who can designate information as sensitive
but unclassified. ATF and DEA restrict those authorized to make
designations to a limited number of senior level employees. At the other
components, however, any employee at any level is authorized to make these
decisions. For example, at the FBI, any employee or contractor in the
course of performing assigned duties may designate information Law
Enforcement Sensitive. Yet in these components, employees do not have
guides to consult or adequate training to help them make decisions on
which information warrants a sensitive but unclassified designation, and
the agencies do not have processes in place to oversee employee decision
making in these instances. This increases the risk of inadvertent
disclosure of information that should be protected or unintentional
restriction of information needed to assist other governmental entities
involved in criminal investigations or antiterrorism activities, or the
unwarranted withholding of information from the public.

DOJ Components Report Having Processes in Place for Responding to
Intragovernmental Information Requests

Information may be shared among federal entities through both formal and
informal channels. One method for sharing information among Congress,
executive agencies, and other federal entities is in response to formal
requests from one federal entity to another. Each of the components in our
review reported having processes in place for responding to
intragovernmental requests for classified and sensitive but unclassified
information, and the processes are consistent with federal internal
control standards, although we did not independently test the
effectiveness of these controls. For example, all of the components have
central offices for receiving intragovernmental requests, involve subject
matter experts in determining whether information can be disseminated, and
conduct supervisory reviews of responses prior to release.

DOJ Components Report Having Central Offices for Receiving Intragovernmental
Information Requests and Involving Subject Matter Experts in Determining How to
Respond

Information may be shared among federal entities through both formal and
informal channels. For instance, four of the DOJ components in our review
reported that their employees share information informally with their
counterparts at other federal agencies as part of everyday operations.
Intragovernmental information requests are another, more formal method for
sharing information. Four of the five components reported having central
offices for receiving such requests from both Congress and executive
agencies. DEA has a central office for receiving congressional, but not
executive agency, requests. The use of central offices is consistent with
federal standards for internal control, which note the importance of
having clearly defined areas of responsibility in an organization. For
example, USMS's Office of Congressional Affairs receives requests from
Congress, while its Executive Secretariat receives executive agency
requests. After a component's central office receives a request, it
reviews the request to determine which subcomponent office has the
knowledge necessary to respond and forwards it to that office.

From there, all of the components report using internal subject matter
experts who have the relevant expertise to identify and assess material
that would be used to respond to a request. This is also consistent with
federal internal control standards that discuss the importance of ensuring
that tasks are performed by the right employees. The subject matter
experts rely on various resources as they decide how to respond. For
example, these individuals might consult with other knowledgeable agency
personnel. ATF employees may consult subject matter experts, such as the
Office of Chief Counsel, and USMS staff may consult with the Office of
General Counsel and division security officers.

Subject matter experts may consider several factors as they determine how
to respond to a request, according to program officials at the components.
At ATF, for instance, different factors are taken into account for
different types of information, such as investigative records, tax
information, or criminal informant records. DEA experts consider the
content and sensitivity of the information, how the information will be
used by the receiving entity, and the time frame for providing a response
to determine how to respond to a request. In addition, at the Criminal
Division, subject matter experts use their professional judgment to
determine which factors to consider.

ATF, the Criminal Division, and the FBI reported having documented
processes to guide their staff in responding to intragovernmental
information requests, although these documents do not provide detailed
guidance because components decide on how to respond on a case-by-case
basis. For instance, the Criminal Division cited the Departmental
Executive Secretariat Correspondence Policy, Procedures, and Style Manual
as providing written guidelines on responding to intragovernmental
requests, although this manual does not include any guidance on what
factors to consider during the decision-making process or how to determine
whether information may be released to a requester. According to the
components, the response process may differ for various reasons, such as
the nature of the request and the requester's needs. For example, for a
classified information request, a component may communicate with the
requester to determine if an unclassified version of the information would
satisfy the requester's information needs. Therefore, formal written
policies may not always be helpful, given the need for a case-by-case
approach to responses.

All of the Components Report Conducting Supervisory Reviews of Responses

After the subject matter experts have determined how to respond to the
information request, all of the components report conducting a supervisory
review before releasing the response; this corresponds to federal internal
control standards that highlight the importance of management reviews for
achieving effective results. At the FBI, a response may also undergo a
review to determine if the information should continue to carry any
classification or sensitive but unclassified designation after it is
released. DEA and Criminal Division have processes for supervisory review
that may vary depending on the nature of the request, according to
officials at those components. At the Criminal Division, for instance,
designated officials in the division determine who should review the
information based on the nature of the request; reviews may be conducted
by the Section Chief, Office Director, the Chief of Staff, and the Deputy
Chief of Staff, among others. At DEA, the review process varies depending
on which office owns the information that is responsive to the request and
the nature of the request. According to DEA, executive agencies' requests
that may be satisfied by information that is not sensitive may be approved
by a unit chief, but the release of a response that contains sensitive
information may require the approval of a section chief. Similarly,
responses with highly sensitive information, such as information related
to ongoing investigations or undercover operations, may require the
approval of a senior executive at DEA.

All of the Components Report Communicating with Requesters during the Response
Process, but the Level of Communication Varies by Request

All of the components reported that they communicated with requesters
during the response process, which is consistent with federal internal
control standards that note the importance of communicating with external
stakeholders. Depending on the component, different offices communicate
with requesters. At the FBI, the Office of Congressional Affairs may
contact the congressional committee that requested information to obtain
clarification about what is being requested. At the Criminal Division and
DEA, however, experts within the relevant program office will contact the
requester directly if clarification is needed. According to DEA officials,
if the program office finds that the responsive information is classified
or sensitive but unclassified, it may contact the requester to determine
whether an unclassified or nonsensitive version of the information would
be sufficient. For example, DEA might offer to provide an overview of an
investigation, rather than a detailed description of the law enforcement
techniques used during the investigation. All of the components reported
that they inform requesters if information will be withheld or redacted
prior to release. At the FBI, redacted information is usually assigned a
deletion code, which explains the reason for the redaction, and according
to agency officials, the FBI provides congressional requesters with a
deletion code sheet that describes the reasons for any redactions.

Conclusions

DOJ and FBI have made progress in implementing ISOO recommendations that
help to strike a balance between the need to protect and the need to share
critical information. FBI was taking action on almost all of ISOO's
recommendations, and if it completes them, this will help to lower program
risk, since FBI makes 98 percent of the classification decisions at DOJ.
On the other hand, DOJ's program will remain at risk until DOJ addresses
the most critical recommendation--providing sufficient resources. This is
important because DOJ sets policy, provides training, and conducts
oversight of classification management across the department and its
components. SEPS's efforts to resolve staff limitations by acquiring
additional resources through DOJ's Working Capital Fund may still not
guarantee its needs are met because it is not certain it will get these
resources, and even if it does, the security office does not know the
optimum number of staff resources required to carry out its
responsibilities. Furthermore, DOJ has not provided evidence of how SEPS
will use the anticipated resources to perform various functions or of
SEPS's strategy for how best to use these resources to address the
remaining deficiencies ISOO identified in ways that reduce the most risks
to protecting national security information, such as whether to focus on
addressing training, oversight, or other program gaps first. Developing a
strategy, based on thoughtful workforce analysis and identification of
gaps, would give SEPS a solid foundation on which to base its resource
decisions to help perform its responsibilities, including implementing the
remaining ISOO recommendations.

Moreover, without policies and procedures to provide specific guidance,
training, and oversight for managing sensitive but unclassified
information, DOJ cannot have reasonable assurance that this information is
properly restricted or disclosed. Although DOJ is waiting for the results
of the interagency working group before proceeding with additional changes
to its program, it is important that DOJ ensures that its sensitive but
unclassified designation practices provide its employees with the tools
they need to apply designations appropriately. These tools include
specific guidance, systematic training, and effective internal controls
for overseeing compliance with policies and guidance. Identifying and
designating documents properly is vital not only for preventing potential
damage to governmental, commercial, or private interests, but also for
sharing information, particularly with law enforcement entities that need
it to protect the homeland.

Recommendations for Executive Action

To strengthen DOJ's management of classified information, we recommend
that the Attorney General direct the SEPS director to take the following
two actions:

           o determine the resource level needed to ensure that it can
           effectively carry out the office's responsibilities, including
           full implementation of the ISOO recommendations; and

           o devise a strategy for making resources available and for using
           them most effectively to address remaining deficiencies in ways
           that reduce the most risk to proper management of classified
           information, such as determining whether to address training,
           oversight, or other program deficiencies first.

In addition, to help ensure that sensitive but unclassified designations
are correctly and consistently applied, we recommend that once the
interagency working group has determined the standard set of sensitive but
unclassified designations for the federal government, the Attorney General
ensure that the department and its various components take the following
three actions:

           o establish specific guidance for applying the designations they
           will use,

           o ensure that all employees authorized to make the designations
           have the necessary training before they can designate documents,
           and

           o set internal controls for overseeing sensitive but unclassified
           designations to help ensure that they are properly applied.

Agency Comments and Our Evaluation

We provided a draft of this report to DOJ for review and comment. DOJ
provided only written technical comments on the draft, which we
incorporated, as appropriate. In providing these comments, DOJ stated that
it generally agreed with the report and recommendations, and upon receipt
of the final report, it will provide a response to our recommendations
directly to Congress, as required by statute.

As agreed with your office, unless you publicly release its contents
earlier, we plan no further distribution of this report until 30 days from
its issue date. At that time, we will send copies of this report to the
appropriate congressional committees and subcommittees, the Attorney
General, and other interested parties. We will also make copies available
to others upon request. In addition, this report will be available at no
charge on the GAO Web site at http://www.gao.gov.

If you or your staff have any questions concerning this report, please
contact me at (202) 512-6510 or [email protected] . Contact points for
our Offices of Congressional Relations and Public Affairs may be found on
the last page of this report. GAO staff who made major contributions to
this report are listed in appendix III.

Sincerely yours,

Eileen Larence
Director, Homeland Security and Justice Issues

Appendix I: Summaries of Related GAO Reports

This appendix summarizes the results of several related recently issued
reports on agencies' programs for sharing classified and sensitive
information and designating information as sensitive but unclassified. In
June 2006, we issued two reports: one on the Department of Defense's
classification management program and its effectiveness in minimizing
classification errors^1 and the other on the status of the Department of
Energy's classification management program.^2 We also issued two reports
in March 2006: one on programs to safeguard sensitive but unclassified
information at the Departments of Defense and Energy^3 and the other on
the federal government's efforts to share terrorism-related and other
sensitive but unclassified information among federal and nonfederal
entities.^4 In June 2005, we issued a report on the designation of
sensitive security information at the Transportation Security
Administration.^5 These reports noted that policies and procedures
governing classified and sensitive information require a number of
enhancements to help ensure the effectiveness of information security
programs. The highlights page for each of these reports is attached for
more information.

^1 [48]GAO-06-706.

^2 GAO, Managing Sensitive Information: Actions Needed to Ensure Recent
Changes in DOE Oversight Do Not Weaken an Effective Classification System,
[49]GAO-06-785 (Washington, D.C.: June 30, 2006).

^3 [50]GAO-06-369.

^4 [51]GAO-06-385.

^5 [52]GAO-05-677.

Appendix II: Objectives, Scope, and Methodology

This report responds to the following questions:

           1. To what extent has the Department of Justice (DOJ) implemented
           the Information Security Oversight Office's (ISOO)
           recommendations?
           2. To what extent has the Federal Bureau of Investigation (FBI)
           implemented ISOO's recommendations?
           3. What policies, procedures, and internal controls are in place
           in selected DOJ components to properly use sensitive but
           unclassified designations?
           4. What processes are in place at selected DOJ components to
           respond to intragovernmental requests to share national security
           and sensitive but unclassified information?

To determine the extent of changes DOJ and the FBI have made to implement
ISOO's recommendations, published in July 2004 and April 2005, we reviewed
the results of ISOO's audits; obtained supporting documents, when
available, such as DOJ and FBI policy directives, orders, and guidance;
and interviewed DOJ and FBI managers responsible for implementing and
overseeing these programs. Although the results of ISOO's reviews are not
necessarily generalizable to all classified documents at DOJ and the FBI,
we assessed the methodology ISOO used to conduct its reviews and
determined that it is adequate to support its recommendations. We also
compared ISOO's recommendations and DOJ's and FBI's classified information
practices to Executive Order 12958, as amended;^1 ISOO's Directive No. 1,
entitled Classified National Security Information;^2 and our Standards for
Internal Control in the Federal Government, as appropriate. We did not
assess the effectiveness of the security education and training programs
at DOJ and the FBI.

To determine the extent of policies, procedures, and internal controls
that selected DOJ components have in place for designating information as
sensitive but unclassified, we used our Standards for Internal Control in
the Federal Government to provide criteria against which we assessed
components' sensitive but unclassified designation policies and
procedures. Moreover, we reviewed DOJ-specific data collected as part of
GAO's governmentwide review of 26 agencies' programs on sensitive but
unclassified information.^3 These data consisted of written responses to a
set of questions about the agencies' policies, procedures, and internal
controls and any written documentation provided in support of these
responses, such as policy and training manuals. We selected the five DOJ
components included in this review--Bureau of Alcohol, Tobacco, Firearms
and Explosives; Criminal Division; Drug Enforcement Administration; the
FBI; and U.S. Marshals Service--because data collected as part of a GAO
governmentwide review of sensitive but unclassified information indicated
that each of these DOJ components had adopted one or more of this type of
designation in addition to the departmentwide Limited Official Use
designation. We conducted follow-up interviews with security officials and
senior program officials in these five components to supplement
information gathered as part of GAO's governmentwide review. We also
examined individual components' written policies and procedures on
sensitive but unclassified information, when available.

^1 See Exec. Order No. 13292, 68 Fed. Reg. 15,315 (Mar. 28, 2003).

^2 See 32 C.F.R. pt. 2001.

To determine how selected DOJ components respond to federal
intragovernmental requests for classified and sensitive but unclassified
information, we obtained documentation of their response processes from
the five components, when available, and interviewed security officials
and senior program officials. We compared their processes for responding
to these requests to identify similarities and differences within and
across the components and reviewed supporting documents, when available.
We did not independently test the effectiveness of the processes
components described to us.

We conducted our work from June 2005 through August 2006 in accordance
with generally accepted government auditing standards.

^3 Twenty-six agencies were included in that review--24 of which are
subject to the Chief Financial Officers Act and two others, the Federal
Energy Regulatory Commission and the U.S. Postal Service, because our
previous experience with these agencies indicated that they used sensitive
but unclassified designations.

Appendix III: GAO Contact and Staff Acknowledgments

GAO Contact

Eileen Larence (202) 512-6510 or [email protected]

Staff Acknowledgments

In addition to the contact named above, Glenn Davis, Assistant Director;
Cynthia Auburn; Kathryn Godfrey; David Hudson; Thomas Lombardi; Mary
Martin; Terry Richardson; and Susan Tieh made key contributions to this
report.

(440421)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

For more information, contact Eileen Larence, (202) 512-6510,
[email protected].

Highlights of [61]GAO-07-83, a report to the Chairman, Committee on the
Judiciary, House of Representatives

October 2006

MANAGING SENSITIVE INFORMATION

DOJ Needs a More Complete Staffing Strategy for Managing Classified
Information and a Set of Internal Controls for Other Sensitive Information

What GAO Recommends

GAO recommends that DOJ assess its optimum resource needs, develop a
strategy to meet them and use available resources effectively to implement
all recommendations, and implement internal controls to ensure proper use
of sensitive but unclassified designations. DOJ generally agreed with
GAO's recommendations and provided technical comments; we included them as
appropriate.

At the time of GAO's review, DOJ and FBI had made progress implementing
ISOO's recommendations aimed at correcting deficiencies in their programs
to properly classify information. FBI had taken action on 11 of 12
recommendations, including issuing security regulations governing its
program and updating most of the classification guides that employees use
to help them decide what information should be classified. FBI is also
correcting deficiencies in its training and oversight activities. If FBI
completes all recommendations, this will help to lower program risk since
it makes 98 percent of DOJ's classification decisions. DOJ had taken
action on 5 of 10 recommendations, including fixing problems with outdated
and insufficient training and insufficient monitoring of components'
programs. DOJ, however, has taken no action on the most important
recommendation, addressing its staff shortages, which continue to place
its program at risk given that it sets policy, provides training, and
oversees classification practices departmentwide. DOJ said it did not have
staff resources to address other shortcomings in its training and
oversight activities that ISOO recommended it correct. DOJ is trying to
address its resource constraints, a long-standing problem that GAO
identified as early as 1993, by requesting additional funds from an
administrative account in fiscal year 2007. However, DOJ does not know the
optimum number of staff it needs for the program because it has not
assessed its needs. It also does not have a strategy that identifies how
it will use additional resources to address remaining deficiencies so as
to reduce the highest program risks, such as whether to first address
training, oversight, or other program gaps.

For sensitive but unclassified information, the five components in our
review--Bureau of Alcohol, Tobacco, Firearms and Explosives; Criminal
Division; Drug Enforcement Administration; FBI; and U.S. Marshals
Service--had orders and directives that identified and defined the various
designations components were using, such as Law Enforcement Sensitive, to
protect information, such as information critical to a criminal
prosecution. But the components did not have specific guides, with
examples, to help employees decide whether information merits a sensitive
but unclassified designation. Furthermore, none of the components had
training to help employees make these decisions or oversight of their
designation practices. Without these controls, DOJ cannot reasonably
ensure that information is properly restricted or disclosed and that
designations are consistently applied. GAO recently identified similar
problems at several other agencies and recommended that they implement
such controls, and the agencies agreed to do so. According to security
officials, DOJ is waiting for the results of an interagency working group
established to set governmentwide standards for sensitive but unclassified
information before considering additional changes in its sensitive but
unclassified practices or those of its components. The final results from
the working group are due by the end of December 2006. Once
standardization is realized, it is important for DOJ to ensure that
sensitive but unclassified practices across the agency provide employees
with the tools they need to apply designations appropriately.

References

Visible links
  29. http://www.gao.gov/cgi-bin/getrpt?GAO-06-385
  30. http://www.gao.gov/cgi-bin/getrpt?GAO-06-706
  31. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21
  32. http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-93-134
  33. http://www.gao.gov/cgi-bin/getrpt?GAO-01-812
  34. http://www.gao.gov/cgi-bin/getrpt?GAO-06-385
  35. http://www.gao.gov/cgi-bin/getrpt?GAO-06-369
  36. http://www.gao.gov/cgi-bin/getrpt?GAO-05-677
  37. http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-93-134
  38. http://www.gao.gov/cgi-bin/getrpt?GAO-02-373SP
  39. http://www.gao.gov/cgi-bin/getrpt?GAO-04-39
  40. http://www.gao.gov/cgi-bin/getrpt?GAO-01-812
  41. http://www.gao.gov/cgi-bin/getrpt?GAO-04-85
  42. http://www.gao.gov/cgi-bin/getrpt?GAO-06-369
  43. http://www.gao.gov/cgi-bin/getrpt?GAO-05-677
  44. http://www.gao.gov/cgi-bin/getrpt?GAO-06-369
  45. http://www.gao.gov/cgi-bin/getrpt?GAO-05-677
  48. http://www.gao.gov/cgi-bin/getrpt?GAO-06-706
  49. http://www.gao.gov/cgi-bin/getrpt?GAO-06-785
  50. http://www.gao.gov/cgi-bin/getrpt?GAO-06-369
  51. http://www.gao.gov/cgi-bin/getrpt?GAO-06-385
  52. http://www.gao.gov/cgi-bin/getrpt?GAO-05-677
  61. http://www.gao.gov/cgi-bin/getrpt?GAO-07-83