This is the accessible text file for GAO report number GAO-10-251 entitled 'Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities' which was released on December 23, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Speaker of the House of Representatives: United States Government Accountability Office: GAO: December 2009: Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities: GAO-10-251: GAO Highlights: Highlights of GAO-10-251, a report to the Speaker of the House of Representatives. Why GAO Did This Study: On May 7, 2009, the Government Printing Office (GPO) published a 266- page document on its Web site that provided detailed information on civilian nuclear sites, locations, facilities, and activities in the United States. At the request of the Speaker of the House, this report determines (1) which U.S. agencies were responsible for the public release of this information and why the disclosure occurred, and (2) what impact, if any, the release of the information has had on U.S. national security. In performing this work, GAO analyzed policies, procedures, and guidance for safeguarding sensitive information and met with officials from four executive branch agencies involved in preparing the document, the White House, the House of Representatives, and GPO. What GAO Found: While no single U.S. government agency or office was entirely responsible for the public disclosure of the draft declaration, all of the agencies and offices involved in preparing and publishing the draft declaration share some responsibility for its release. GAO identified several points during the life cycle of the draft document where problems in the process occurred. First, none of the agencies that prepared the draft declaration—the Departments of Energy (DOE) and Commerce, and the Nuclear Regulatory Commission (NRC)—took the added precaution of ensuring that the consolidated draft they helped prepare had a U.S. security designation on each page of the document. Rather, the final version of the document, which they all reviewed, was marked only with the International Atomic Energy Agency’s (IAEA) designation—“ Highly Confidential Safeguards Sensitive.” This marking has no legal significance in the United States. Second, the Department of State, which prepared the draft declaration for transmittal to the White House, sent a transmittal letter to the National Security Council indicating that the contents of the draft declaration should be treated as Sensitive but Unclassified (SBU). Not all federal agencies use this particular marking and, therefore, the marking created confusion for other executive and legislative branch offices that subsequently received the draft declaration on whether the information could be published. Third, the National Security Council, which reviewed the draft declaration on behalf of the White House, did not provide explicit and clear instructions on how to handle the draft declaration to the White House Clerk’s Office. Fourth, the legislative branch offices which reviewed and then transmitted the document to GPO for publication—the House of Representatives’ Parliamentarian and Clerk’s Office—determined incorrectly, in GAO’s view, that the document could be published. Officials from these congressional offices were not familiar with the phrase “Sensitive but Unclassified” and did not know how to safeguard that information. Finally, GPO, which proofread and processed the document for publication, did not raise any concerns about the document’s sensitivity. GAO believes it is important to correct these problems as soon as possible because the United States is required to submit a declaration to IAEA annually. The public release of the draft declaration of civilian nuclear sites and nuclear facilities does not appear to have damaged national security, according to officials from DOE, NRC, and Commerce. Commerce, DOE, and NRC did not assess the national security implications of the draft declaration’s public release because these agencies—plus the Department of Defense—had reviewed the list of civilian nuclear facilities and related activities prior to transmitting it to the White House and Congress to ensure that information of direct national security significance was not included. Information in the draft declaration was limited to civilian nuclear activities, and most nuclear-related information was publicly available on agency Web sites or other publicly available documents. However, according to officials from all of the agencies responsible for compiling this information, the information consolidated in one document made it sensitive and, thus, it should never have been posted to GPO’s Web site. What GAO Recommends: GAO recommends, among other things, that Commerce, DOE, State, and NRC enter into an interagency agreement concerning the designation, marking, and handling of sensitive information in future draft declarations and make any policy or regulatory changes necessary to reach such an agreement. DOE, State, and GPO agreed, while NRC neither agreed nor disagreed, with the recommendations. Commerce, White House Counsel, and the House Offices of the Clerk, Security, and Parliamentarian did not comment on GAO’s recommendations. View [hyperlink, http://www.gao.gov/products/GAO-10-251] or key components. For more information, contact Gene Aloise at (202) 512-3841 or aloisee@gao.gov. [End of section] Contents: Letter: Background: Each of the Federal Agencies and Offices Involved in Preparing and Publishing the Draft Declaration Shares Some Responsibility for Its Release to the Public: Public Release of Draft Declaration Does Not Appear to Have Harmed National Security, According to DOE, NRC, and Commerce Officials: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Comments from the Department of Energy: Appendix II: Comments from the Department of State: Appendix III: Comments from the Government Printing Office: Appendix IV: Comments from the Nuclear Regulatory Commission: Appendix V: Comments from the House of Representatives' Sergeant at Arms: Appendix VI: GAO Contact and Staff Acknowledgments: Figures: Figure 1: Key Dates in the U.S. Implementation of the Additional Protocol: Figure 2: Chronology of Key Events and Involvement of U.S. Government Agencies and Offices That Contributed to the Inadvertent Public Release of the Draft Declaration: Abbreviations: APRS: U.S. Additional Protocol Reporting System: CUI: Controlled Unclassified Information: DOE: Department of Energy: FOIA: Freedom of Information Act: GPO: Government Printing Office: IAEA: International Atomic Energy Agency: NPT: Treaty on the Non-Proliferation of Nuclear Weapons: NRC: Nuclear Regulatory Commission: OUO: Official Use Only: SBU: Sensitive but Unclassified: [End of section] United States Government Accountability Office: Washington, DC 20548: December 15, 2009: The Honorable Nancy Pelosi: Speaker of the House: House of Representatives: Dear Madam Speaker: On May 7, 2009, the Government Printing Office (GPO) published a 266- page document on its Web site that provided detailed information on civilian nuclear sites, locations, facilities, and activities in the United States.[Footnote 1] The document described, among other things, nuclear activities at Department of Energy (DOE) facilities such as Los Alamos, Lawrence Livermore, and Oak Ridge National Laboratories. [Footnote 2] The document also included 14 diagrams of buildings or facilities, 2 of which were marked Official Use Only (OUO). For example, the document provided the building and vault numbers where highly enriched uranium is stored at the Y-12 nuclear production facility near Oak Ridge National Laboratory, as well as a diagram showing the layout of the part of the building where the material is stored.[Footnote 3] According to DOE officials, this information was sensitive because it identified the specific building and vault number, but no classified information was revealed because the diagram does not show a map of the entire Y-12 facility and information about the storage area at Y-12 was already publicly available. The document was a draft of a declaration being prepared pursuant to an agreement known as the Additional Protocol with IAEA.[Footnote 4] The declaration supplements information provided pursuant to the U.S. Safeguards Agreement with IAEA by providing IAEA with a broader range of information on U.S. nuclear and nuclear-related activities. Safeguards allow IAEA to independently verify that quantities of nuclear material declared to the agency have not been diverted for nuclear weapons uses. The Additional Protocol allows IAEA to, among other things, access locations containing nuclear material declared by a country. Within the United States, the Additional Protocol allows IAEA to access a selected number of facilities and locations containing nuclear material. This was the first time the United States had prepared and submitted a declaration to IAEA, and the United States will now be required to submit a declaration to IAEA every year.[Footnote 5] Sixty days before sending the declaration to IAEA, the President is required to send the draft declaration to Congress. Congress had received the first draft declaration on May 5, 2009. On June 1, 2009, the Federation of American Scientists, a nonprofit group that reports on scientific and technological security issues, discovered the draft declaration on GPO's Web site and posted it on the Federation's Web site. On June 2, 2009, multiple media outlets began reporting that the U.S. government had "accidentally" and "mistakenly" posted a list of nuclear sites and a description of their nuclear activities on GPO's Web site. For example, The New York Times reported that a security official found the disclosure of the draft declaration "a one-stop shop for information on U.S. nuclear programs." In response to media inquiries, GPO temporarily removed the document from its Web site, and after consulting with the Clerk of the House of Representatives, permanently did so. In addition to posting the draft report on its Web site, GPO printed over 900 copies of the document and shipped about 240 copies to Congress and some federal agencies. GPO recalled these copies and, as of December 2, 2009, around 670 copies were secured in a safe in its security office. However, it is possible that copies were downloaded from various Web sites. The location of any such downloaded copies is unknown and cannot be accounted for. As of October 2009, copies of the document could still be found on a number of Web sites. We brought this matter to the attention of State officials and provided them with internet addresses for two such sites in late October 2009. A State official subsequently informed us that the department was able to get at least one Web site to remove the information. The disclosure of sensitive information on U.S. nuclear facilities and activities raises concerns about procedures to properly handle and safeguard such sensitive information. In this context, you asked us to determine (1) which U.S. agencies were responsible for the public release of this information and why the disclosure occurred, and (2) what impact, if any, the release of the information has had on U.S. national security. To determine which U.S. agencies were responsible for the disclosure and why the disclosure occurred, we analyzed the policies, procedures, and guidance for safeguarding sensitive information from the departments of Energy and State; the Nuclear Regulatory Commission (NRC); the House of Representatives Clerk's Office; and GPO. We also reviewed transmittal sheets prepared by DOE, State, the House of Representatives' Clerk's Office, and GPO to determine how the document was marked for security purposes as it was distributed and prepared for publication. In addition, to determine how each of these agencies and offices safeguarded and transmitted the document, we interviewed officials from DOE; Commerce; State; NRC; GPO (including the Inspector General's office); and the Clerk's Office, Security Office, and the Office of the Parliamentarian in the House of Representatives. In addition, we asked to meet with the officials from the White House National Security Council and Executive Clerk's Office who had handled and transmitted the draft declaration to Congress so that we could obtain information directly from the individuals responsible for reviewing and handling the document. The White House declined to make these individuals available to us; instead, attorneys from the White House Counsel's office met with those individuals and then conveyed information to us. To determine what impact the release of the information has had on U.S. national security interests, we reviewed the draft declaration to identify potentially sensitive nuclear sites and activities and then interviewed officials from DOE, Commerce, State, and NRC to determine whether any information of direct national security significance was compromised and whether these departments took any actions to enhance security at the declared sites, locations, and facilities. We conducted our work between June 2009 and November 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Under its Safeguards Agreement with IAEA, the United States submitted a list of civilian nuclear facilities--primarily civilian nuclear power reactors. The Additional Protocol,[Footnote 6] a separate agreement between the United States and IAEA, supplements the United States' Safeguards Agreement with IAEA.[Footnote 7] Under the Additional Protocol, the United States must provide IAEA with a broader range of civilian nuclear and nuclear-related information than that required under the Safeguards Agreement, such as the manufacturing of key nuclear-related equipment; research and development activities related to the nuclear fuel cycle; the use and contents of buildings on a nuclear site; and exports of IAEA-specified, sensitive nuclear-related equipment. The United States must also provide IAEA with access, through on-site inspections, to resolve questions relating to the accuracy and completeness of the information. As a nuclear weapon state party to the Treaty on the Non-Proliferation of Nuclear Weapons, the United States is not obligated by the Treaty to accept IAEA safeguards or to implement an Additional Protocol. However, according to U.S. officials, voluntarily adopting the Additional Protocol underscores U.S support for IAEA's strengthened safeguards system and makes efforts to encourage more countries to adopt the Additional Protocol more effective and credible. In its act implementing the Additional Protocol, Congress prohibited the inclusion of certain information: any classified information; any information that would be deemed restricted data under the Atomic Energy Act; and any information of direct national security significance regarding any location, site, or facility associated with activities of the Department of Defense or DOE. The act also provided that information collected for the purposes of the Additional Protocol would be exempt from disclosure under 5 U.S.C. § 552, which is the Freedom of Information Act. Figure 1 shows a timeline of the U.S. implementation of the Additional Protocol. Figure 1: Key Dates in the U.S. Implementation of the Additional Protocol: [Refer to PDF for image: timeline] June 12, 1998: The United States signed the Additional Protocol. May 9, 2002: The President sent the Additional Protocol to the Senate for its advice and consent for ratification. March 31, 2004: The Senate provided its advice and consent for ratification. December 16, 2006: Congress passed the U.S. Additional Protocol Implementation Act, which required the President to submit the draft declaration to Congress 60 days prior to submitting the declaration to IAEA. February 4, 2008: President Bush signed an Executive Order to implement the Additional Protocol and authorized Commerce, DOE, State, and NRC to collect information about nuclear sites and facilities that would be provided to IAEA. May 3, 2009: The draft declaration was submitted to Congress for a 60-day review. July 3, 2009: The United States sent IAEA the final declaration. Source: GAO. [End of figure] The U.S. government classifies information that it determines could damage the national security of the United States if disclosed publicly.[Footnote 8] Beginning in 1940, classified national defense and foreign relations information has been created, handled, and safeguarded in accordance with a series of executive orders. Executive Order 12958, Classified National Security Information, as amended, is the most recent. It demarcates different security classification levels, the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage (Top Secret), serious damage (Secret), or damage (Confidential). Federal agencies also place dissemination restrictions on certain unclassified information. Federal agencies use many different designations to identify this type of information. For example, DOE uses the designation OUO, while State uses SBU. According to a May 2009 presidential memorandum, there are more than 107 unique markings and over 130 different labeling or handling processes and procedures for documents that are unclassified, but are considered sensitive. For example, according to DOE officials, although OUO information is less sensitive than classified information, OUO information may be shared with people lacking security clearances provided that officials determine they have a "need to know." These restrictions are used to indicate that the information, if disseminated to the public or persons who do not need such information to perform their jobs, may cause foreseeable harm to protected governmental, commercial, or privacy interests. Such information includes, for example, sensitive personnel information, such as Social Security numbers and the floor plans for some federal buildings. It may also include information exempted from disclosure under the Freedom of Information Act. Each of the Federal Agencies and Offices Involved in Preparing and Publishing the Draft Declaration Shares Some Responsibility for Its Release to the Public: While no single U.S. government agency or office was entirely responsible for the public disclosure of the draft declaration, all of the agencies and offices involved in preparing and publishing the draft declaration share some responsibility for its public release. We identified several points during the life cycle of the draft document where problems occurred. Specifically, we found that opportunities to improve the secure handling of the document were missed because of the absence of clear interagency guidance, different procedures across the agencies governing the handling and marking of sensitive documents, poor decision making, and a lack of training and adequate security awareness. These missed opportunities occurred between February 2008 and May 2009. Several U.S. government agencies played key roles in preparing and making important decisions regarding the publication of the draft declaration: DOE, Commerce, State, NRC, the White House (the National Security Council and Executive Clerk's Office), the U.S. House of Representatives (Office of the Parliamentarian, Office of Security, and the Clerk's Office), and GPO. Figure 2 is a two-page summary of key dates and events that occurred during the life cycle of the draft declaration, leading up to its inadvertent public release on May 7, 2009. Figure 2: Chronology of Key Events and Involvement of U.S. Government Agencies and Offices That Contributed to the Inadvertent Public Release of the Draft Declaration: [Refer to PDF for image: illustration] Agencies responsible for preparing the draft declaration: Department of Energy: Nuclear Regulatory Commission; Security markings of draft declaration and accompanying documents: OUO: List of nuclear sites and activities; DOE and NRC provided nuclear-related information to Commerce on January 15, 2009, and March 18, 2009, respectively. DOE and NRC marked their contributions as OUO. Department of Commerce: Security markings of draft declaration and accompanying documents: OUO: Commerce consolidated all nuclear-related information into a draft declaration. Transmittal letter and compact disc from Commerce to State identified information in draft declaration as OUO (Highly Confidential Safeguards Sensitive: Draft declaration[A]). April 17, 2009: OUO: Transmittal letter to State. Department of State: Security markings of draft declaration and accompanying documents: SBU: State prepared a transmittal letter for the White House’s National Security Council identifying the information in the draft declaration as “Sensitive but Unclassified.” SBU: State drafted a one-page presidential message with language in the body that explained the contents of the draft declaration were considered “Highly Confidential Safeguards Sensitive,” but the U.S. would regard the information as “Sensitive but Unclassified.” Highly Confidential Safeguards Sensitive: Draft declaration[A]. April 30, 2009: SBU: Transmittal letter to National Security Council. White House: National Security Council; Security markings of draft declaration and accompanying documents: The National Security Council did not provide explicit and clear instructions to the White House Clerk’s Office on how to handle information in the draft declaration. SBU: One-page presidential message; Highly Confidential Safeguards Sensitive: Draft declaration[A]. White House: Clerk's Office; Security markings of draft declaration and accompanying documents: The Clerk’s Office did not provide explicit and clear instructions to the House of Representatives on how to handle information in the draft declaration. On May 5, 2009, the Clerk’s Office sent the one-page presidential message and draft declaration to Congress. SBU: One-page presidential message; Highly Confidential Safeguards Sensitive: Draft declaration[A]. House of Representatives: Parliamentarian; Security markings of draft declaration and accompanying documents: The Parliamentarian read the one-page presidential message and believed the draft declaration could be published because it was unclassified. He sent the documents to the Clerk’s Office to process them for publication by GPO. SBU: One-page presidential message; Highly Confidential Safeguards Sensitive: Draft declaration[A]. House of Representatives: Clerk’s Office; Executive Communications Clerk asks the Director of the Office of Security, the Journal Clerk in Legislative Operations Office, the White House Clerk’s Office and the IAEA whether the draft declaration can be printed. Based on their advice, she decides the document can be printed. Security markings of draft declaration and accompanying documents: The Clerk’s Office read the documents and ordered GPO to print them. May 6, 2009: Transmittal letter to GPO. SBU: One-page presidential message; Highly Confidential Safeguards Sensitive: Draft declaration[A]. Government Printing Office: Security markings of draft declaration and accompanying documents: May 7, 2009: Draft declaration posted on GPO’s Web site. SBU: One-page presidential message; Highly Confidential Safeguards Sensitive: Draft declaration[A]. Source: GAO. [A] The only marking on the draft declaration was IAEA's designation on the top of the document--"Highly Confidential Safeguards Sensitive"-- which has no legal significance in the United States. [End of figure] DOE, NRC, and Commerce Began Collecting Information on Civilian Nuclear Sites to Be Included in the Draft Declaration in Early 2008: After the President signed an executive order in February 2008 to implement the Additional Protocol, DOE, Commerce, and NRC began collecting information on nuclear sites, facilities, and activities to be included in the draft declaration. DOE collected information from national laboratories and nuclear weapons production facilities. NRC, which regulates the civilian use of nuclear materials, collected information from NRC-licensed nuclear facilities, including four civilian nuclear power plants previously selected by IAEA for the application of safeguards.[Footnote 9] DOE and NRC provided nuclear- related information to Commerce on January 15, 2009, and March 18, 2009, respectively. Commerce collected information from private nuclear- related industries not regulated by DOE or NRC, such as the location, operational status, and production capacity of conventional uranium mines. Commerce then consolidated all nuclear-related information from its offices, as well as from DOE and NRC, into a draft U.S. declaration for final interagency approval and transmittal to State. The process for collecting and consolidating this information from the three agencies took several months. Commerce, in consolidating and formatting the information in the draft declaration, did not mark the document with an official U.S. government security marking. The only marking on the draft declaration was IAEA's designation on the top of the document--"Highly Confidential Safeguards Sensitive"--which has no legal significance in the United States. To consolidate and properly format the information, Commerce established and managed a central database, known as the U.S. Additional Protocol Reporting System (APRS). IAEA provided a software program for this database that standardizes the information sent to IAEA by each member state and helps IAEA assess the completeness of the information. Before transmitting data to Commerce or adding data to the APRS, each agency reviewed the information it collected for accuracy, data consistency, and national security concerns. Each agency also reviewed the information to ensure that no classified information was being disclosed. The agencies had agreed that the information in the U.S. declaration would not be classified, as required by the U.S. Additional Protocol Implementation Act; that an unclassified database could be used to process the information; and that the data were sensitive and would be restricted to authorized personnel only. When Commerce and NRC added information to APRS, IAEA-supplied software automatically marked the top of each page of the draft declaration as "Highly Confidential Safeguards Sensitive." IAEA uses this designation to ensure the document's appropriate handling and control. According to IAEA officials, Highly Confidential Safeguards Sensitive information is the agency's highest classification level. This type of information, if released, could cause grave damage to IAEA interests. When IAEA receives a document from a country with this classification, it cannot publicly disclose the information in the document because, in some instances, its release could disclose confidential business information, create potential security issues, or identify reporting discrepancies between countries. Distribution of this information is limited and released on a need-to-know basis. Since this IAEA marking has no legal significance in the United States, DOE, Commerce, and NRC treated the information as OUO. These agencies use OUO markings to provide a warning that information in a document is sensitive and is generally only to be released to those with a need to know, regardless of their security clearance. DOE, NRC, and Commerce took steps to safeguard the information that each contributed to the draft declaration. Specifically, before DOE and NRC submitted data to Commerce in January and March 2009, respectively: * DOE marked the top and bottom of each page it submitted to Commerce with nuclear information from the national laboratories and production facilities as OUO and added a statement that the information may be exempt from public release under the Freedom of Information Act. * NRC officials hand carried a compact disc containing its nuclear- related information to Commerce, rather than electronically sending the information. Commerce officials also safeguarded the information by password protecting APRS and sending State the draft declaration through secure e-mail that included a transmittal letter explaining that the contents were considered OUO. In addition, they hand carried a compact disc to State that was marked with "For Official Use Only/Not For Public Release/IAEA Highly Confidential Safeguards Protected" hand written on the disc. Although each agency designated the information it contributed as OUO, the document--which was produced from each agency's contributions--did not have any U.S. government security markings. The agencies reviewed the draft declaration multiple times, but no agency marked the pages containing information it had contributed to the full draft declaration as OUO. Once all the information was consolidated, the 266-page document was not marked OUO or any other security designation recognized in the United States that would have clearly indicated that the data were sensitive, restricted to authorized personnel only, and not releasable to the public. The only OUO markings were next to site diagrams of two DOE facilities found on two different pages of the draft declaration. According to Commerce officials, while the IAEA software template automatically adds the IAEA designation, it does not add a U.S. security designation to the top and bottom of each page and does not allow Commerce to modify the IAEA designation or add U.S. security markings. They stated that the only way to mark the draft document as OUO would have been to print out each page, stamp the U.S. designation by hand, and then scan the document back in as a new electronic file. Furthermore, according to DOE officials, the agencies wanted to submit a draft declaration to Congress that was identical to the final declaration submitted to IAEA. Providing Congress with a draft declaration that had both the IAEA and U.S. security markings would not have been an exact representation of the declaration sent to IAEA. However, there were no requirements in the U.S. Additional Protocol Implementation Act binding U.S. agencies to submit a declaration free of any additional U.S. security markings. Even after Commerce circulated the draft declaration to DOE, NRC, and the Department of Defense for a final interagency review in late March 2009 to ensure no information of national security significance was included in the draft before submission to State, agency officials did not raise any concerns about the draft declaration's lack of a U.S. security designation. According to DOE, Commerce, and NRC officials, they assumed that the draft declaration would never be publicly released and that, once delivered to IAEA, it would be properly safeguarded. As a result, they saw no need to add an additional U.S. government security marking. In Mid-April 2009, Commerce Sent the Draft Declaration to State for Transmittal to the White House: Commerce sent the consolidated draft declaration to State on April 17, 2009. State prepared the draft declaration for transmittal to the White House. In completing the draft declaration for transmittal, State prepared a letter to the National Security Council asking it to treat the contents of the draft declaration as SBU. Unlike DOE, Commerce, and NRC, State does not use the OUO designation, but rather the SBU designation. State's guidance governing the use and handling of SBU documents is similar to that of the other agencies for handling OUO. [Footnote 10] State also prepared a draft message from the President to Congress that would accompany the draft declaration. In describing the purpose and contents of the document and the classification level of the information, State wrote in the draft presidential message, "the IAEA classification of the enclosed declaration is 'Highly Confidential Safeguards Sensitive'; however, the United States regards this information as 'Sensitive but Unclassified'." The two-page transmittal letter described the contents of the draft declaration and the top and bottom was clearly marked SBU, accompanied by a footnote explaining that the draft declaration was exempt from disclosure under the Freedom of Information Act. State completed its review of the draft declaration and accompanying transmittal documentation in mid-April 2009 and sent the "package" to the Executive Secretary of the National Security Council on April 30, 2009. The White House's National Security Council and Executive Clerk's Office Did Not Provide Explicit and Clear Instructions on How to Safeguard the Draft Declaration When It Sent the Document to Congress: In early May 2009, the National Security Council completed its review of the draft declaration and presidential message and provided the documents to the Executive Clerk of the White House for transmission to Congress. The National Security Council, which reviewed these documents on behalf of the White House, did not add explicit and clear instructions in the presidential message on how to handle the draft declaration, such as whether or not it should be published, when it sent the documents to the White House Clerk's Office, which transmitted the documents to Congress. The National Security Council also did not include a transmittal letter, as other executive branch agencies had, with instructions on how to handle the draft declaration. Attorneys from the Office of the White House Counsel provided two reasons why the National Security Council did not feel it was necessary to take these additional measures to protect the document from disclosure. First, counsel stated that they did not think Congress would publish the report and the National Security Council and the Executive Clerk's Office followed their standard practice for transmitting unclassified documents, which does not involve using a transmittal letter or modifying text in the presidential message.[Footnote 11] However, attorneys from the Office of the White House Counsel did not provide us with any written guidance on how these offices usually handle documents that are unclassified, but are considered sensitive, such as those marked SBU, and should not be publicly released. In addition, attorneys from the Office of the White House Counsel told us that the Executive Clerk's Office does not have written guidance on how it transmits documents to Congress. Second, counsel pointed out that the draft declaration was an unusual and unique document because it was the first time that the United States had prepared a draft declaration and submitted it to Congress. After reviewing the draft declaration and presidential message it received from State, the National Security Council sent the White House Clerk's Office a final draft of the presidential message and the 266- page draft declaration. The last two paragraphs of the presidential message stated: "The IAEA classification of the enclosed declaration is 'Highly Confidential Safeguards Sensitive;' however, the United States regards this information as 'Sensitive but Unclassified.' Nonetheless, under Public Law 109-401, information reported to, or otherwise acquired by, the United States Government under this title or under the U.S.-IAEA Additional Protocol shall be exempt from disclosure under section 552 of title 5, United States Code." The language in the presidential message prepared by State and used by the National Security Council did not clearly and explicitly state that the information was not to be published, and the additional legal citations did not clarify how to handle the document.[Footnote 12] According to attorneys from the Office of the White House Counsel, the White House clerks who transmitted the document to Congress read the presidential message and noticed its reference to the draft declaration as SBU. However, while the White House clerks have security clearances and have received training on how to handle unclassified, sensitive, and classified documents, they do not normally see SBU documents and did not have the authority or responsibility to determine whether Congress could print the document. Attorneys from the Office of the White House Counsel told us the draft declaration was an unusual and unique document because of the IAEA classification markings and the reference to the information as SBU. The White House clerks transmit only unclassified documents. The National Security Council does not transmit documents that cannot be printed, such as classified documents, to the White House clerks. Instead, the National Security Council transmits those documents directly to congressional committee staff with the appropriate clearances. Because the clerks received the draft declaration from the National Security Council, the clerks transmitted the presidential message and the draft declaration to Congress just as they had received it from the National Security Council--without a transmittal sheet or SBU markings on the top or bottom of any page. Congressional Offices That Reviewed and Transmitted the Draft Declaration Determined Incorrectly That the Document Could be Published: Congressional offices that reviewed and then transmitted the draft declaration to GPO for publication--the House of Representatives' Office of the Parliamentarian and Clerk's Office--determined, incorrectly in our view, that the document could be published. The draft declaration passed through several congressional offices. First, on May 5, 2009, the Executive Clerk of the White House formally delivered the presidential message and draft declaration while the House was in session. The Parliamentarian read the presidential message and decided the message should be referred to the House Committee on Foreign Affairs and ordered it printed as a House of Representatives document. The Parliamentarian told us that while he received security training on classification issues, he did not recall ever seeing a presidential message that just mentioned the SBU designation and did not know how that type of information should be safeguarded. The Parliamentarian believed that the draft declaration could be published because it was unclassified. According to the Parliamentarian, sensitive and classified messages and documents are usually not delivered to the floor of the House, but rather are transmitted by secure courier and referred directly to the appropriate committee for handling and storage. In addition, while the Parliamentarian read the presidential message--the one-page message from the President to Congress that described the purpose and contents of the draft declaration--he did not read the draft declaration, which listed U.S. civilian nuclear sites and activities. Staff in the Office of the Parliamentarian do not routinely read enclosures accompanying a presidential message, according to the House Parliamentarian. Second, the Office of the Parliamentarian gave the document to the House of Representatives' Clerk's Office to process it for referral to the House Committee on Foreign Affairs and prepare it for transmission to and publication by GPO. After reading the President's message and seeing the IAEA markings on the draft declaration, the Executive Communications Clerk, who works in the Clerk's Office, told us she was confused about the classification level of the document and whether it could be published. As a result, the Clerk locked the document in a safe while she sought clarification and guidance from the following sources before sending the draft declaration to GPO for publication: * The Journal Clerk in the House of Representatives' Legislative Operations Office. On May 5, 2009, this clerk had received the documents from the Office of the Parliamentarian and stamped the documents acknowledging receipt from the White House before providing the documents to the Executive Communications Clerk. According to the Executive Communications Clerk, the Journal Clerk told her she could print the document because it was unclassified. * The House of Representatives' Security Office. The Security Office Director reviewed the document on May 5, 2009, but did not take custody of it or make inquiries on its proper handling and safeguarding. Instead, the Security Office Director told the Executive Communications Clerk to obtain clarification from IAEA--incorrectly assuming that IAEA was the classifier of the document--and the White House Clerk's Office. The Security Office stated that it was not required to take custody of the document and the Executive Communications Clerk did not request that the Security Office store the document or help her in contacting the agencies and offices that transmitted the document. However, the Security Office did not raise concerns with the House Clerk's Office about publicly releasing 266 pages of information on U.S. nuclear sites and activities and, in our view, missed an opportunity to be more directly involved in ensuring that the document was not publicly released without explicit authorization from the agencies that designated the information as SBU. * An IAEA official located in New York. According to the Executive Communications Clerk, this official told her on May 5, 2009, that IAEA member states have discretion on how to treat information provided to IAEA and publication of the declaration is a decision left to each member state. In July 2009, we interviewed IAEA officials in the Department of Safeguards in Vienna, Austria. This department is responsible for reviewing all Additional Protocol agreements between the agency and member states. These officials told us that the Executive Communications Clerk received correct information from IAEA's New York office, but the appropriate inquiry should have been directed to their office in Vienna. * The White House Clerk's Office. The White House Clerk's Office and the Executive Communications Clerk disagreed in their recollections of the advice the White House clerk provided to the House of Representatives. According to attorneys from the Office of the White House Counsel, the White House Clerk's office told the Executive Communications Clerk that the document was unclassified but did not make a legal judgment or provide any advice on whether the document should be printed. However, according to the Executive Communications Clerk, the White House Clerk's office referred her to the penultimate paragraph in the presidential message stating that the United States regards the information as SBU as justification for printing the document. According to the Executive Communications Clerk, the White House Clerk's justification for going forward with the printing was that the document was unclassified. On the basis of advice from these various offices, on May 6, 2009, the Executive Communications Clerk ordered GPO to print the presidential message and the draft declaration. GPO Did Not Raise Concerns about Publishing the Draft Declaration: GPO, which edited and processed the document for publication, did not raise any concerns about the document's sensitivity. On May 6, 2009, GPO received a request from the House of Representatives' Executive Communications Clerk to print the presidential message and draft declaration by 7:00 a.m. on May 7, 2009. The transmittal page from the Clerk did not include any special handling instructions and ordered the documents to be printed. The presidential message, which contained the language that the contents of the draft declaration should be treated as SBU, was typeset and proofread twice by GPO production employees. According to an August 2009 GPO Inspector General's report, GPO production employees are not required to read and proof for meaning, but merely to check for proper characters and format.[Footnote 13] The 266-page draft declaration was digitally scanned, rather than typed and proofread. While "Highly Confidential Safeguards Sensitive" was marked on nearly every page of the draft declaration, the GPO Inspector General found that no GPO employees raised any concerns during the processing of the document. According to the GPO Inspector General's report, GPO employees who reviewed the scanned copy looked for page numbers and format, without proofreading or reviewing the document text or markings. GPO officials told us that GPO rarely prints sensitive or classified documents. They told us that GPO relies on its customers to identify sensitive documents and notify it of special instructions, given the high volume of print requests. However, the August 2009 GPO Inspector General's report found that GPO does not have procedures for identifying potentially sensitive documents and safeguarding them. In addition, most employees had not received education or training for recognizing or identifying sensitive documents or information. Although the GPO Inspector General found no wrongdoing on the part of GPO or its employees, it made several recommendations to improve GPO's process for handling sensitive information and preventing the inadvertent disclosure of such information in the future. These recommendations included: * establishing a protocol with customer agencies on clearly identifying sensitive information that may be published and developing written procedures for handling such information; * establishing written procedures for verifying any requests for publishing documents that are clearly identified or marked as being of a sensitive or otherwise restricted nature; * updating GPO guidance to define "sensitive information" and how to specifically recognize, mark, and safeguard such information; and: * developing and conducting ongoing training of GPO employees on how to recognize, handle, and safeguard sensitive information and documents. During the course of our review, officials from several of the federal agencies and offices told us that it would be helpful if there was a standardized marking system for documents that are sensitive but are unclassified. In fact, the term sensitive but unclassified was very confusing for several officials who handled the draft declaration. To help clarify, a May 2008 presidential memorandum had adopted the phrase "Controlled Unclassified Information" (CUI) as a single designation for all information previously labeled SBU or with another similar marking. This memorandum also charged the National Archives and Records Administration with implementing a framework for CUI terrorism-related information, which is not expected to be in place until 2013. Despite these efforts, a May 27, 2009, presidential memorandum found that there is still no uniformity across federal agencies on rules to implement safeguards for information that is deemed SBU. The memorandum noted that agencies use SBU as a designation for federal government documents and information that are sufficiently sensitive to warrant some level of protection, but that do not meet the standards for national security classification. With each agency implementing its own protections for categorizing and handling SBU material, the memorandum stated that there are more than 107 unique markings and over 130 different labeling or handling processes and procedures for SBU information. The 2009 memorandum directed the creation of a Task Force to review agencies' current procedures for categorizing and sharing SBU information, to track the progress federal agencies are making to implement the framework for CUI terrorism-related information, and to recommend whether the CUI framework should be extended to apply to all SBU information. Public Release of Draft Declaration Does Not Appear to Have Harmed National Security, According to DOE, NRC, and Commerce Officials: The inadvertent public release of the draft declaration of civilian nuclear sites and nuclear facilities does not appear to have damaged national security, according to officials from DOE, NRC, and Commerce. Information in the draft declaration was limited to civilian nuclear activities, and most nuclear-related information was publicly available on agency Web sites or in other published documents, according to officials from the three agencies. However, officials from all of the agencies that compiled this information told us the information--all of which was considered unclassified--was sensitive because it was consolidated into one document and should never have been posted to GPO's Web site. Commerce, DOE, and NRC did not formally assess the impact of the public release of the information on U.S. national security. According to DOE, NRC, and Commerce officials, it was not necessary to do so because the agencies reviewed the list of civilian nuclear facilities and related activities on multiple occasions to ensure that no information of direct national security significance was included and that no classified information was contained in the declaration prior to transmitting it to the White House and Congress. Consolidated List of Civilian Nuclear Facilities and Activities Contained in the Draft Declaration Is Considered Sensitive and Was Never Meant to be Made Public: According to U.S. government officials, the draft declaration in totality represents a consolidated list of hundreds of U.S. civilian nuclear facilities and activities that never should have been publicly released. These officials asserted that it could be potentially problematic if such a consolidated list of facilities and activities found its way into the hands of individuals who had malicious or malevolent intentions. For example, agency officials told us, in several instances, the draft declaration contained maps showing detailed diagrams of civilian reactor facilities or buildings storing nuclear materials at national laboratories. The draft declaration included 14 diagrams of buildings or facilities, 2 of which were marked OUO. For example, the declaration provided the building and vault numbers where highly enriched uranium is stored at the Y-12 nuclear production facility, as well as a diagram showing the layout of the part of the building where the material is stored. According to DOE officials, this information was sensitive because it identified the specific building and vault number, but no classified information was revealed because the diagram does not show a map of the entire Y-12 facility and the specific location of a vault at the Y-12 complex. Of the other 12 diagrams, 1 was of a plutonium oxide storage area at DOE's Savannah River site and 11 were of civilian nuclear facilities. The pages containing these diagrams did not have any markings: Highly Confidential Safeguards Sensitive, OUO, or any other U.S. designation. The 11 diagrams of civilian nuclear facilities accompanied information on 8 NRC licensed commercial sites--4 reactors and 4 fuel fabrication facilities. For example, the draft declaration included a site map of the Turkey Point reactor in Florida and a diagram identifying the building where spent fuel is stored. According to NRC officials, the information and diagrams related to the facilities in the draft declaration are not classified because they do not specify the quantities and types of nuclear materials held at these facilities. However, the information is sensitive because it includes commercially sensitive data, such as the actual annual production, rather than the more general and publicly available information on how much material the facility is licensed to produce. According to DOE and State officials, the release of the information could be problematic for the United States because other countries could scrutinize the completeness and accuracy of the information and potentially pressure IAEA to do more rigorous inspections of the facilities listed. Inspections of nuclear facilities with nuclear materials and nuclear-related activities are the cornerstone of IAEA's data collection efforts and provide the ability to independently verify information in countries' Additional Protocol declarations. Potential pressure to conduct more comprehensive inspections of U.S. facilities could divert time and resources from more rigorous inspections in countries and facilities of proliferation concern, such as Iran or Syria. Agencies Did Not Assess National Security Implications of Disclosure of Draft Declaration: Commerce, DOE, State, and NRC did not undertake any assessments after the draft declaration was released to determine its impact on U.S. national security. According to officials from these agencies, no such assessment was necessary because all of the agencies involved in the development of the draft declaration (as well as the Department of Defense) had fully reviewed the consolidated list of civilian nuclear facilities and related activities on multiple occasions to ensure that no information of direct national security significance was included and that no classified information was contained in the declaration prior to transmitting it to the White House and Congress. DOE, which provided most of the information in the draft declaration, had three separate levels of security review and approvals for the information it submitted for the document. First, the national laboratories' counterintelligence, export controls, and security offices reviewed the information submitted for the declaration. Second, the national laboratories' site managers reviewed the information, and each site manager certified to DOE that the national laboratory had completed vulnerability assessments on the national security impact of releasing the information to IAEA and that the facilities were ready for IAEA inspections. Finally, program managers and security officers at DOE headquarters reviewed the contents. According to DOE officials, at all levels of review, officials from the national laboratories and DOE concluded that no information detrimental to national security was included in the document. NRC and Commerce reported information about facilities' activities and locations that was mostly, if not all, publicly available. State obtained additional confirmation from DOE, Commerce, NRC, and the Department of Defense that the draft declaration contained no classified or national security information before sending it to the White House. According to agency officials, there was no requirement to conduct a formal assessment of any possible security concerns arising from the declaration's publication because classified information was not released. A formal assessment is required only if there is a release of information that could harm U.S. national security. DOE and NRC did seek assurances after the release of the draft declaration from officials at the national laboratories and civilian nuclear facilities that physical security at those locations was sufficient. DOE asked the national laboratories to review their security procedures and ensure that the facilities were secure. Based on these assessments, DOE officials told us they did not increase security at any site. NRC contacted every NRC licensee and agreement states with licensees included in the draft declaration to notify them of the disclosure of information[Footnote 14]. Agreement states notified their affected licensees. NRC and agreement states' licensees reviewed their security procedures to make sure there were no vulnerabilities. According to NRC, the only NRC facility to express concern was Turkey Point in Florida because of its spent fuel pool. NRC officials told us that the location of this facility was already publicly disclosed, and satellite images show the building that houses the spent fuel pool. Turkey Point operators reviewed their security procedures and determined the procedures they had in place were sufficient, even with the release of the draft declaration. Conclusions: The draft declaration listing civilian nuclear sites and activities under the terms of the Additional Protocol was the first of its kind prepared by the United States for IAEA and sent to Congress for review. However, the draft declaration contained sensitive civilian nuclear information that, when taken in its totality, needed to be properly handled and safeguarded. Protecting sensitive information from inadvertent public disclosure is a critical function of all federal entities that possess, handle, or transmit such information. Since the United States is required to submit a draft declaration to Congress and then send the declaration to IAEA every year, there is an opportunity to address the problems that occurred to ensure that this inadvertent disclosure does not occur again. A more systematic, well-coordinated approach by all of the agencies that handled the draft declaration would have reduced the chances of publicly releasing sensitive information--particularly if the document had been clearly identified as not for public release. We found several critical points where opportunities to improve safeguards over the document were missed due to: the absence of clear interagency guidance, different procedures across the agencies governing the handling and marking of sensitive documents, poor decision making, and the lack of training and adequate security awareness. No agency or office that was involved with the production or transmittal of the draft declaration ensured that the final document was marked with any U.S. security designation. DOE, NRC, and Commerce marked the information they submitted for the draft declaration as OUO. However, none of these agencies took the added precaution of ensuring that the consolidated draft declaration maintained the OUO designation on each page of the document once the IAEA marking was placed on the document. Further contributing to the subsequent confusion over how to handle the draft declaration was State's use of the SBU marking. Many officials focused on the unclassified portion of the marking and determined, incorrectly in our view, that the document could be made public. We believe that it would have been a simple matter to clearly state in the presidential message that the draft declaration was not meant for public dissemination. Furthermore, the White House failed to take measures to ensure that the draft declaration was not published. Attorneys from the Office of the White House Counsel did not provide us with any written guidance on how the National Security Council and the Executive Clerk's Office usually handle documents that are unclassified, but are considered sensitive, such as those marked SBU, that should not be publicly released. However, counsel did indicate that individuals with the National Security Council and White House Clerk's office handled the draft declaration according to White House practices. In our view, these practices, as best as we understand them, are not sufficient to prevent similar problems from occurring in the future. In addition, legislative branch officials did not properly safeguard the draft declaration and did not properly handle the information. In particular, we believe that the House of Representatives Security Office Director should have been more directly involved in resolving conflicting and confusing information regarding the classification of the draft declaration. Conversely, the Executive Communications Clerk is to be commended for taking actions to do everything in her power--at her level of responsibility--to pursue the right course of action. Finally, in our view, GPO officials also share responsibility for the public disclosure of the draft declaration. Although the August 2009 GPO Inspector General's report assigns no wrongdoing to either GPO or its employees, GPO officials should have had procedures in place to prevent such a release from occurring. Thus, we agree with the Inspector General's proposed recommendations and we encourage GPO to implement them as expeditiously as possible. Recommendations for Executive Action: To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for IAEA by multiple U.S. agencies, we are making the following four recommendations: * The Secretaries of Commerce, Energy, and State, and the Chairman of the NRC should enter into an interagency agreement concerning the designation, marking, and handling of such information, and make any policy or regulatory changes necessary to reach such an agreement. This agreement should be revised, as necessary, to take into account future direction from the President or the Controlled Unclassified Information Council regarding standardization of the procedures for designating, marking, and handling documents that are unclassified but are not intended for public release. * The Secretary of State should clearly indicate in the text whether the presidential message and attached documents, if any, should be printed and made publicly available when preparing presidential communications to Congress for documents to be presented to IAEA. * The Executive Office of the President should consider revising any written guidance and/or practices it has and conduct staff training for handling and safeguarding sensitive information in future declarations or other documents between the United States and IAEA before it needs to issue its next declaration in May 2010. * GPO's public printer should implement, as expeditiously as possible, the recommendations from the agency's August 2009 Inspector General report in order to improve the security culture and reduce the possibility of future postings of sensitive information to the GPO Web site. Agency Comments and Our Evaluation: We provided a draft of this report to DOE, State, GPO, NRC, Commerce, Office of the White House Counsel, and the House of Representatives' Sergeant at Arms and Offices of the Clerk and Parliamentarian for comment. DOE, State, GPO, NRC and the House of Representatives Sergeant at Arms provided written comments, which are presented in appendixes I, II, III, IV and V, respectively. State and the Office of the White House Counsel provided technical comments which we incorporated as appropriate. Commerce and the House Offices of the Clerk and Parliamentarian reviewed, but did not provide comments on our draft report. DOE, State, and GPO agreed with our recommendations. NRC neither agreed nor disagreed with our recommendations, but did provide technical comments which we incorporated as appropriate. In response to our recommendation involving an interagency agreement to designate, mark, and handle sensitive information provided to IAEA on U.S. nuclear sites and activities, DOE noted that the interagency agreement would specifically address the marking and handling of future draft declarations and other documents provided to IAEA under U.S. safeguards agreements. The interagency agreement will not address broader, governmentwide standards on how to mark and handle all unclassified, but sensitive information. These standards will be developed by the Controlled Unclassified Information Council or other entity designated by the President. This is consistent with our recommendation. As we state in our report, the interagency agreement should be a corrective action to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for IAEA by multiple U.S. agencies, rather than addressing broader, governmentwide standards on how to mark and handle all unclassified but sensitive information. The House of Representatives' Sergeant at Arms did not comment on our recommendations but provided three points of clarification regarding the Office of Security's role in reviewing and transmitting the draft declaration. First, the House Sergeant at Arms stated that, contrary to what we stated in our draft report, the House Security Office made no determination as to whether the draft document could be published and did not provide the House Clerk's office with any direction or legal advice regarding this matter. Second, according to the House Sergeant at Arms, the House Security Office properly advised the House Clerk's office to contact IAEA regarding the handling of the draft document. Third, the House Sergeant at Arms stated that the House Security Office did not need to take control of the draft document, nor was the Security Office requested to take control of the document. In addition, the Security Office does not have the authority to order a House of Representatives office or entity to store a document with the Security Office. Regarding the first point, we believe that given the sensitive nature of the draft document--and commensurate with its role and responsibilities--the House Security Office should have, at a minimum, raised concerns with the House Clerk's Office about publicly releasing 266 pages of information on U.S. nuclear sites and activities and advised the House Clerk not to print the document without explicit authorization from the agencies that designated the information SBU. While we do not dispute the statement that the House Security Office did not provide any advice or direction regarding the printing of the document, we believe that it would have been appropriate for this Office to play a more assertive role because the House Clerk sought advice and guidance in determining whether the document could be printed. However, based on these comments, we modified the text of the report to reflect the claims made by the House Security Office. Specifically, we removed reference to the Security Office on page 16 to avoid inferences that the Security Office provided direction or legal advice to the Clerk's Office that it could print the document. Regarding the second point, the House Office of Security has misconstrued what we stated in the draft report. While there was nothing inherently wrong with the Office of Security suggesting that the Clerk's Office contact IAEA about the document, IAEA did not prepare, transmit, or mark the document. As we noted in our report, the U.S. agencies that prepared the draft declaration placed the IAEA markings on the document. The presidential message explained that the draft declaration was prepared by the United States and would be submitted to IAEA. Because the IAEA markings on the document have no legal significance in the United States, the presidential message further explained that information in the document should be treated as SBU and was exempt from disclosure. IAEA was not the originating agency for the information. As a result, it continues to be our view that the Director of the House Office of Security did not provide the correct advice to the House Clerk on who she should contact to obtain authorization on releasing SBU information. Finally, regarding the matter of physical custody of the document, we do not dispute Security Office's claim that it was not required--nor did it have the authority--to take control of the document. However, we believe that it would have been prudent for that office to take physical control of the document as a precautionary measure until a determination was made concerning whether or not the document could be published. The Director of the Office of Security missed opportunities to prevent the document's release and should have been more directly involved in resolving conflicting and confusing information regarding the dissemination of the draft declaration. However, we modified the text on page 17 to include information about the Security Office's physical custody requirements and the assistance the House Clerk requested from the Security Office. As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution of it until eight days from date of this report. At that time, we will send copies of this report to the Secretaries of Commerce, Energy, and State; the Chairman of the Nuclear Regulatory Commission; the House of Representatives' Parliamentarian, Clerk, and Sergeant at Arms; the Executive Clerk of the White House; the Public Printer of the Government Printing Office; and interested congressional committees. In addition, the report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-3841 or aloisee@gao.gov. Contact points for our Office of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix VI. Sincerely yours, Signed by: Gene Aloise: Director, Natural Resources and Environment: [End of section] Appendix I: Comments from the Department of Energy: Department of Energy: National Nuclear Security Administration: Washington, DC 20585: December 2, 2009: Mr. Gene Aloise: Director, Natural Resources and Environment: U.S. Government Accountability Office: Washington, D.C. 20458: Dear Mr. Aloise: The National Nuclear Security Administration (NNSA) appreciates the opportunity to review the Government Accountability Office's GAO) report, Managing Sensitive Information. Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities, GA0- 10-251. We understand that the Speaker of the House asked GAO to perform a review on GPO's release of Sensitive Nuclear Information. Specifically, GAO was asked to determine which U.S. agencies were responsible for the public release of this information and why the disclosure occurred, and (2) what impact, if any, the release of the information has had on U.S. national security. NNSA agrees with the report and the recommendations. Regarding the first recommendation concerning an interagency agreement, we agree that better coordination needs to occur. The development of any protocols should be specific to the marking and handling of documents that contain unclassified information that should not be publicly released pursuant to the U.S. Safeguards Agreement with the International Atomic Energy Agency. The development of broader standards for Controlled Unclassified Information (CUI) should remain the responsibility of the Executive Agent and CUI Council designated by the President and will take appropriate action to meet GAO's concerns. If you have any questions concerning this response, please contact JoAnne Parker, Acting Director, Policy and Internal Controls Management at 202-586-1913. Sincerely, Signed by: Michael C. Kane: Associate Administrator for Management and Administration: cc: Deputy Administrator for Defense Nuclear Nonproliferation: Associate Administrator for Defense Nuclear Security: [End of section] Appendix II: Comments from the Department of State: United States Department of State: Assistant Secretary and Chief Financial Officer: Washington, DC 20520: December 7, 2009: Ms. Jacquelyn Williams-Bridgers: Managing Director: International Affairs and Trade: Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548-0001: Dear Ms. Williams-Bridgers: We appreciate the opportunity to review your draft report, "Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities," GAO Job Code 361127. The enclosed Department of State comments are provided for incorporation with this letter as an appendix to the final report. If you have any questions concerning this response, please contact Jim LaFemina, Deputy Director, Strategic Planning and Outreach, International Security and Nonproliferation at (202) 647-9501. Sincerely, Signed by: James L. Millette: cc: GAO - Glen Levis: ISN - Vann Van Diepen: OIG - Mark Duda: [End of letter] Department of State Comments on GAO Draft Report: Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities (GAO-10-251, GAO Code 361127): Thank you for the opportunity to comment on your draft report entitled "Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities." The Department of State has long been a strong supporter of improving the protection and security of sensitive information, and is eager to cooperate in efforts to make this process more effective. The Department of State endorses the main findings and conclusions of the GAO report. We believe that GAO's assessment of the events leading up to the unintended public disclosure of U.S. nuclear sites and activities is both accurate and balanced. The Department of State agrees fully with the recommendations contained in the report and has been working with the interagency Controlled Unclassified Information (CUI) Council to develop standards for the designation, marking, and handling of terrorism information, which includes "weapons of mass destruction" information based on the Implementing the Recommendations of the 9/11 Act of 2007. The Department of State will continue to work with the interagency to develop appropriate policies for designating, marking, and handling this kind of information. The Department of State also agrees with GAO's recommendation to clearly indicate whether or not any presidential message or attached documents that will be presented to the IAEA should be printed and made publicly available when preparing presidential communications to the Congress. The Office of Multinational Security Agreements within the Bureau of International Security and Nonproliferation will work closely with the necessary bureaus and offices within the Department to see that this becomes standard procedure for transmitting such documents. [End of section] Appendix III Comments from the Government Printing Office: Note: GAO comments supplementing those in the report text appear at the end of this appendix. Memorandum: U.S. Government Printing Office: Quality Assurance: Keeping America Informed: [hyperlink, http://www.gpo.gov] Date: December 2, 2009: Subject: Review of Draft report "Managing Sensitive Information—Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities." Reply to the Attention of: Reynold Schweickhardt, Chief Technology Officer, U.S. Government Printing Office (GPO). To: Gene Aloise, Director, Natural Resources and Environment, General Accountability Office (GAO): Comments: GPO would like to thank you for the opportunity to review GAO's draft copy of this report and appreciates the opportunity to provide feedback. GAO has recommended GPO implement four recommendations put forth by GPO's Office of Inspector General (OM) in their report of August 2009. The Public Printer has concurred with these recommendations and GPO will be taking the appropriate actions to implement the recommendations as outlined by the Public Printer. The 010 recommendations and the Public Printer's response can be found in Appendix A. We would also like to submit the following notes for your consideration: In the Highlights section of the draft, the final sentence of the first paragraph mentions that GAO "...met with officials from DOE, NRC, Commerce, State, the White House, and the House of Representatives." We would like mention that GAO also met with GPO. [See comment 1] The first paragraph on page 3 states that GPO shipped copies "to Congress and some federal agencies" and "recalled these copies and secured them..." A table with the current status of the printed copies can be found in Appendix B. [See comment 2] If desired, GPO would welcome the opportunity to review these comments with you or your staff. [End of memo] The following are GAO's comments to the Government Printing Office letter dated December 2, 2009. GAO Comments: 1. We added GPO to the Highlights page as one of the agencies and offices we met with to discuss why the disclosure of the draft declaration occurred. 2. We modified the text on page 3 to include the most recent data on the status of the printed copies of the draft declaration, based on information contained in the technical appendix provided by GPO. [End of section] Appendix IV: Comments from the Nuclear Regulatory Commission: Note: GAO comments supplementing those in the report text appear at the end of this appendix. United States: Nuclear Regulatory Commission: Washington, D.C. 20555-0001: December 2, 2009: Gene Aloise: Director, Natural Resources and Environment: Government Accountability Office: 441 G St., NW: Washington, D.C. 20548: Dear Mr. Aloise: This letter is in response to your November 16, 2009 request to Mr. Bill Borchardt, the U.S. Nuclear Regulatory Commission's (NRC's) Executive Director for Operations, for agency comments on the draft Government Accountability Office (GAO) report "Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities" (GAO-10-251). The NRC has no objections to the report; however, the agency suggests the following editorial change for GAO's consideration for incorporation in the final report. At the bottom of page 4 and top of page 5, under the Background section, we recommend that the current language "... and exports of sensitive and other key nuclear-related equipment" be modified to read "... and exports of specific nuclear-related equipment," We believe that this change would indicate to the reader that the nuclear-related equipment being reported is equipment specified by the International Atomic Energy Agency to be reported and not just equipment that the U.S. might consider as sensitive or key. [See comment 1] The NRC appreciates the opportunity to comment on GAO-10-251. Sincerely, Signed by: Martin J. Virgilio: Deputy Executive Director for Materials, Waste, Research, State, Tribal and Compliance Programs: Office of the Executive Director for Operations: [End of letter] See comment 1. The following is GAO's comment to the Nuclear Regulatory Commission letter dated December 2, 2009. GAO Comment: 1. We modified the text on the bottom of page 4 in the Background section to clarify that under the Additional Protocol, the U.S. must declare exports of sensitive nuclear-related equipment specified by IAEA. [End of section] Appendix V: Comments from the House of Representatives' Sergeant at Arms: Note: GAO comments supplementing those in the report text appear at the end of this appendix. Office Of The Sergeant At Arms: Wilson Livengood: Sergeant At Arms: U.S. House of Representatives: H-124 Capitol: Washington, DC 20515-6634: 202-225-2456: December 2, 2009: Gene L. Dodaro: Acting Comptroller General of the United States: General Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Dodaro: Thank you very much for providing GAO's draft report "Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities" for comment. After reviewing the draft report, there are some items in the draft that I believe require clarification. 1. The House Security Office did not make an incorrect determination that the document could be published. On page 17 of the draft report, a determination is made that the I louse Security Office, along with the Parliamentarian and the Clerk's office, made an incorrect determination that the document could be published. However, the Security Office made no determination as to whether the document could be published or not. [See comment 1] As the draft report states at page 18, the Director of the Security Office reviewed the document on May 5, 2009. The document contained a security marking that was placed on the document by the IAEA that stated: "Highly Confidential Safeguards Sensitive." This has no legal significance in the United States, as the report acknowledges. [See comment 2] Also, none of the U.S. agencies that reviewed the document prior to it being forwarded to the Parliamentarian's office properly marked the document with a classification designation. See Draft Report at 13. The National Security Council did not include a transmittal letter, which would have included handling instructions, to the White House Clerk's office which subsequently forwarded the document to the House of Representatives. See Draft Report at 15. The only indication as to the nature of the document was in the presidential message that indicated "sensitive but unclassified," See Draft Report at 15. [See comment 3] Upon being presented with the document, the Security Office did not recognize the designation placed upon it by the IAEA. Therefore, the Director of the Security Office advised the Clerk's office to contact the IAEA for guidance as to what the IAEA's classification meant. [See comment 4] In addition, the Clerk's office was advised to contact the White House for printing guidance as it was the U.S. entity that forwarded document to the House with the designation in the presidential message of "sensitive but unclassified." The Security Office would have made the same inquiries if it had been the entity that was in control of the document or had been requested to make the inquiries on behalf of the Clerk's office. At no time did the Security Office provide direction or legal advice that the document could be printed and the report should be corrected to accurately reflect this. [See comment 5] 2. The Security Office properly advised the Clerk's office to contact IAEA. The draft report indicates that the IAEA was the only entity that marked the document with any type of language pertaining to how to properly handle the document. The only other indication that the House had as to the nature of the document was in the presidential message that accompanied the document. [See comment 6] The draft report concludes: "No agency or office that was involved with the production or transmittal of the draft declaration ensured that the final document was marked with any U.S. security designation." See Draft Report at 26. While agencies did internally mark the document, none of the agencies took the added precaution of ensuring that the consolidated draft have a recognized U.S. Government classification. Since the only marking on the document was the IAEA designation, it is logical to determine what meaning, and handling procedures, its markings were designed to convey. Therefore, I would request that the reference to the Security Office improperly determining that IAEA classified the document be removed. [See comment 7] 3. The House Security Office did not need to take control of the document nor was the Security Office requested to take control over the document. The draft report states that: "The Security Office Director reviewed the document on May 5, 2009 but did not take custody of it or make inquiries on its proper handling and safeguarding." See Draft Report at 18. [See comment 8] House offices are not required to relinquish custody and control of sensitive or classified documents to the House Security Office for storage. If requested, the Security Office does provide that service. The Office does not have the authority to order an entity to store the document with the Security Office. [See comment 9] Every week, the Security Office provides security, education and awareness training for House staff including the proper methods for handling sensitive or classified information. This information was shown to the GAO investigators during their investigation. During the presentation to GAO, the House Security Office showed GAO that any "other common document designation" is treated as confidential or classified information and it should not be released without authorization from the originating agency. The Clerk's office did not request that the Security Office store the document. As the report states, the Clerk's office was seeking advice on handling a document whose classification level, if any, unclear. However, upon being presented with the document, the Director of the Security Office did inquire as to how the Clerk's office stored and handled the document within the confines of its office. Upon being informed of the Clerk's internal storage procedures, and those procedures being in accordance with the training that the Security Office had provided to the Clerk's staff, there was no need for the Security Office to suggest that it take custody of the document. [See comment 10] If the procedures that the Clerk's office employed to store the document were deficient, the Security Office would have advised the Clerk's office to allow the Security Office to store the document on the Clerk's behalf. Therefore, I would request that the reference on page I 8 of the draft report stating that the Security Office did not take custody of the document or inquire as to its handling and safeguarding be removed from the draft or clarified to acknowledge that the Security Office did inquire as to the Clerk's handling of the document. [See comment 11] 4. The Director of the House Security Office acted properly. While the Security Office was created to serve, in part, the role of a repository for classified material, there is no mandatory requirement that Member, Committee or other House entities store classified material with the Security Office. In fact, it was designed specifically for those offices that did not have the proper means to store classified material. If a Member, Committee or other House entity had the proper storage protocols in place, there would be no need for the Security Office to intervene and suggest that it take custody of the document. The Clerk's office did not request that the Security Office take custody of the document. They merely sought advice as to the classification of the document. The Director provided that advice. In addition, the Clerk's office did not request assistance in contacting the entities that were responsible for the creation and transmittal of the document. [See comment 12] In addition, the Director inquired as to that office's internal handling of the document. Since the document was being properly stored, there was no need for the Security Office to take control. The Director of House Security followed proper procedure. I would request that the reference to the Director of the Security Office be removed or, in the alternative, modified to accurately reflect the role that the Director's position and the Security Office play in the House. [See comment 13] Also, I would suggest a recommendation that would require Member offices and other non-Committee House entities that are not equipped to properly store sensitive or classified material to relinquish custody of such material to the Security Office. [See comment 14] Thank you very much for providing me the opportunity to comment on the draft report. Please feel free to contact William McFarland at (202) 226-2044 if you should have any other questions. Sincerely, Signed by: Wilson Livingood: Sergeant at Arms: [End of letter] The following are GAO's comments to the House of Representatives Sergeant at Arms letter dated December 2, 2009. GAO Comments: 1. We have modified the text on page 16 by removing a reference to the Security Office to clarify that it did not make a determination as to whether the document could be published. 2. The Sergeant at Arms is incorrect when he states that IAEA marked the document "Highly Confidential Safeguards Sensitive." As we state in our report, U.S. agencies that prepared the declaration marked the document, not IAEA. U.S. agencies used an IAEA-supplied software to mark the document with the highest IAEA security marking to put IAEA on notice, once it received the document, that it should be properly safeguarded against disclosure. However, the draft declaration is a U.S. document and should not have been publicly disclosed. 3. We agree that U.S. agencies and offices that prepared and transmitted the document prior to sending it to the House of Representatives missed opportunities to better mark the document and avoid confusion about whether it should have been published. However, the presidential message that accompanied the draft declaration explained that the United States regarded the information as SBU. The presidential message also explained that the information was exempt from disclosure under FOIA. In our view, the information in the presidential message should have been sufficient to put the House Security Office on notice that the information should be treated as SBU and should not be published or publicly released without a more rigorous inquiry. 4. See comment 2. 5. See comment 1. 6. While there was nothing inherently wrong with the Office of Security suggesting that the Clerk's Office contact IAEA about the document, IAEA did not prepare, transmit, or mark the document. IAEA was not the originating agency for the information. As a result, it continues to be our view that the Director of the House Office of Security did not provide the correct advice to the House Clerk on who she should have contacted to obtain authorization on releasing SBU information. 7. As we noted in our report, U.S. agencies that prepared the draft declaration placed the IAEA marking on the document. The presidential message explained that the draft declaration was prepared by the United States and would be submitted to IAEA. IAEA was not the originating agency for the information. 8. We have modified the text on page 17 to clarify that the Security Office was not required to take custody and control of the document. 9. See comment 8. 10. We have modified the text on page 17 to clarify that the Security Office was not required to take custody and control of the document. However, given the unfamiliar markings and 266 pages of detailed information on U.S. nuclear sites and activities, we believe that it would have been prudent to take positive physical control of the document as a precautionary measure until a determination was made concerning whether or not the document could be published. The Director of the Office of Security missed opportunities to prevent the document's release and he should have been more directly involved in resolving conflicting and confusing information regarding the classification of the draft declaration. 11. See comment 8. 12. We have modified the text on page 17 to clarify that the Security Office was not required to take custody and control of the document and the Executive Communications Clerk did not request that the Security Office take custody of the document or assist her in contacting the agencies and offices that transmitted the document. 13. We have modified the text on page 17 to clarify the Security Office's document custody requirements and what was asked of the Security Office by the House Clerk. However, we believe that given the sensitive nature of the draft document--and commensurate with its role-- the House Security Office should have, at a minimum, raised concerns with the House Clerk's Office about publicly releasing 266 pages of information on U.S. nuclear sites and activities and advised the House Clerk not to print the document without a more rigorous inquiry as to whether it should have been published. 14. We believe that the recommendation suggested by the Sergeant at Arms to require Member offices and other non-Committee House entities that are not equipped to properly store sensitive or classified data to relinquish custody of such material to the House Security Office would involve a change in House rules and procedures that is beyond the scope of our review. [End of section] Appendix VI: GAO Contact and Staff Acknowledgments: GAO Contact Gene Aloise (202) 512-3841 or aloisee@gao.gov. Staff Acknowledgments In addition to the contact named above, Glen Levis, Assistant Director, Antoinette Capaccio, Leland Cogliani; Ralph Dawn, Karen Keegan; Tim Persons; and Carol Herrnstadt Shulman made significant contributions to this report. [End of section] Footnotes: [1] GPO is a legislative branch agency and the federal government's primary centralized resource for gathering, cataloging, producing, providing, and preserving published information in all its forms. GPO was directed to publish a presidential message along with the document. The message explained that the document would be provided to the International Atomic Energy Agency (IAEA) and that the IAEA classification of the document was "Highly Confidential Safeguards Sensitive," but the United States regarded the information as "Sensitive but Unclassified" (SBU). [2] DOE manages the largest laboratory system of its kind in the world. Originally created to design and build atomic bombs under the Manhattan Project, these laboratories have since expanded to conduct research in many disciplines--from high-energy physics to advanced computing facilities throughout the nation. [3] The Y-12 complex was constructed as part of the World War II Manhattan Project. Y-12's mission includes, among other things, the production/rework of nuclear weapons components and the receipt, storage, and protection of special nuclear materials. [4] IAEA, an autonomous international organization affiliated with the United Nations, was established in Vienna, Austria, in 1957. The agency has the dual role of promoting the peaceful uses of nuclear energy by transferring nuclear science and technology through its nuclear science and applications and technical cooperation programs, and verifying, through its safeguards program, that nuclear materials subject to safeguards are not diverted to nuclear weapons or other proscribed purposes. As of October 2009, 24 non-nuclear weapon states that were parties to the Treaty on the Non-Proliferation of Nuclear Weapons (NPT) did not have comprehensive safeguards agreements with IAEA in force. In addition, India, Israel, and Pakistan are not parties to the NPT. As a result, they also do not have comprehensive safeguards agreements with IAEA. [5] Beginning in 2010, the United States is required to submit a declaration annually to IAEA by May 15. [6] The agreement is formally known as The Protocol Additional to the Agreement between the United States of America and the International Atomic Energy Agency for the Application of Safeguards in the United States of America. As of October 2009, 93 countries, including the United States, have an Additional Protocol which has entered into force and another 33 have signed the agreement. [7] GAO, Nuclear Nonproliferation: IAEA Has Strengthened Its Safeguards and Nuclear Security Programs, but Weaknesses Need to be Addressed, [hyperlink, http://www.gao.gov/products/GAO-06-93] (Washington, D.C.: Oct. 7, 2005). [8] In Executive Order 12958, as amended, "national security" means the national defense or foreign relations of the United States. [9] The United States, along with four other nuclear weapons states that are parties to the NPT (China, France, the Russian Federation, and the United Kingdom) are not obligated by the NPT to accept IAEA safeguards. However, each nuclear weapons state, including the United States, has voluntarily entered into legally binding safeguards agreements with IAEA, and have submitted designated nuclear materials and facilities to IAEA safeguards to demonstrate to the non-nuclear weapons states their willingness to share in the administrative and commercial costs of safeguards. [10] State guidance for classified and sensitive information defines SBU as information that is not classified for national security reasons, but that warrants/requires administrative control and protection from public or other unauthorized disclosure for other reasons. [11] As evidenced by a May 2009 memorandum on Classified Information and Controlled Unclassified Information, the President is generally committed to broad implementation of a framework for the standardization of treatment and the facilitation of information sharing that is not classified, but may still merit protection from public disclosure. [12] Public Law 109-401 refers to the United States Additional Protocol Implementation Act, and section 552 of Title 5 refers to the Freedom of Information Act (FOIA). The United States Additional Protocol Implementation Act exempted the information collected for the declaration from disclosure under FOIA. However, FOIA was only marginally relevant to Congress' handling of the document because FOIA only applies to agencies responding to requests for specific pieces of information and Congress is not an agency, nor was there a request for this information. Exemption under FOIA may be one criterion that an agency uses in its own determination as to whether to treat a document as OUO or SBU, but the agencies had already decided to treat the draft declaration as OUO/SBU and, ultimately, it was the draft declaration's OUO/SBU status that should have governed whether or not it was to be published, not its exemption under FOIA. [13] GPO, Management Implication Report Publication of House Document 111-37 on U.S. Nuclear Sites, August 3, 2009, [hyperlink, http://www.gpo.gov/pdfs/ig/investigations/MIR_HD_111-37.pdf] (assessed Nov. 12, 2009). [14] Under the Atomic Energy Act of 1954, NRC has the authority to give primary regulatory authority to states (called agreement states) under certain conditions. As of October 1, 2009, NRC has relinquished its licensing, inspection, and enforcement authority to 37 agreement states while NRC continues to issue licenses in the remaining 13 states. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: