Managing Sensitive Information:

Departments of Energy and Defense Policies and Oversight Could Be Improved

GAO-06-369: Published: Mar 7, 2006. Publicly Released: Mar 14, 2006.

Contact:

Davi M. Dagostino
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In the interest of national security and personal privacy and for other reasons, federal agencies place dissemination restrictions on information that is unclassified yet still sensitive. The Department of Energy (DOE) and the Department of Defense (DOD) have both issued policy guidance on how and when to protect sensitive information. DOE marks documents with this information as Official Use Only (OUO) while DOD uses the designation For Official Use Only (FOUO). GAO was asked to (1) identify and assess the policies, procedures, and criteria DOE and DOD employ to manage OUO and FOUO information and (2) determine the extent to which DOE's and DOD's training and oversight programs assure that information is identified, marked, and protected according to established criteria.

Both DOE and DOD base their programs on the premise that information designated as OUO or FOUO must (1) have the potential to cause foreseeable harm to governmental, commercial, or private interests if disseminated to the public or persons who do not need the information to perform their jobs and (2) fall under at least one of eight Freedom of Information Act (FOIA) exemptions. According to GAO's Standards for Internal Control in the Federal Government, policies, procedures, techniques, and mechanisms should be in place to manage agency activities. However, while DOE and DOD have policies in place, our analysis of these policies showed a lack of clarity in key areas that could allow for inconsistencies and errors. For example, it is unclear which DOD office is responsible for the FOUO program, and whether personnel designating a document as FOUO should note the FOIA exemption used as the basis for the designation on the document. Also, both DOE's and DOD's policies are unclear regarding at what point a document should be marked as OUO or FOUO and what would be an inappropriate use of the OUO or FOUO designation. For example, OUO or FOUO designations should not be used to cover up agency mismanagement. In our view, this lack of clarity exists in both DOE and DOD because the agencies have put greater emphasis on managing classified information, which is more sensitive than OUO or FOUO. While both DOE and DOD offer training on their OUO and FOUO policies, neither DOE nor DOD has an agencywide requirement that employees be trained before they designate documents as OUO or FOUO. Moreover, neither agency conducts oversight to assure that information is appropriately identified and marked as OUO or FOUO. According to Standards for Internal Control in the Federal Government, training and oversight are important elements in creating a good internal control program. 
DOE and DOD officials told us that limited resources, and in the case of DOE, the newness of the program, have contributed to the lack of training requirements and oversight. Nonetheless, the lack of training requirements and oversight of the OUO and FOUO programs leaves DOE and DOD officials unable to assure that OUO and FOUO documents are marked and handled in a manner consistent with agency policies and may result in inconsistencies and errors in the application of the programs.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 4 of the manual provides guidance on identifying and protecting controlled unclassified information (CUI), which includes For Official Use Only (FOUO) information. Volume 4, enclosure 2 of the manual, entitled "Responsibilities," designates the Office of the Under Secretary of Defense for Intelligence (USD(I)) responsibility for directing, administering, and overseeing DOD's Information Security Program. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 4 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.

    Recommendation: To assure that the guidance governing the FOUO program reflects the necessary internal controls for good program management, the Secretary of Defense should revise the regulations that currently provide guidance on the FOUO program to conform to the 1998 policy memo designating which office has responsibility for the FOUO program.

    Agency Affected: Department of Defense

  2. Status: Closed - Not Implemented

    Comments: Based on follow-up information from DOD, DOD does not intend to implement this recommendation because DOD did not concur with the recommendation.

    Recommendation: To assure that the guidance governing the FOUO program reflects the necessary internal controls for good program management, the Secretary of Defense should revise any regulation governing the FOUO program to require that personnel designating a document as FOUO also mark the document with the FOIA exemption used to determine the information should be restricted.

    Agency Affected: Department of Defense

  3. Status: Closed - Not Implemented

    Comments: The Department of Defense (DOD) non-concurred with this recommendation in 2006. In recent conversations with Under Secretary of Defense for Intelligence (USD(I)) officials, they stated that DOD has no intention of implementing this recommendation.

    Recommendation: To clarify all guidance regarding the OUO and FOUO designations, the Secretaries of Energy and Defense should identify at what point the document should be marked as OUO or FOUO.

    Agency Affected: Department of Defense

  4. Status: Closed - Implemented

    Comments: DOE stated that it had revised its departmental OUO directives on September 15, 2006 to clarify when documents should be marked OUO and what constituted an inappropriate use of OUO.

    Recommendation: To clarify all guidance regarding the OUO and FOUO designations, the Secretaries of Energy and Defense should identify at what point the document should be marked as OUO or FOUO.

    Agency Affected: Department of Defense

  5. Status: Closed - Implemented

    Comments: The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 4 of the manual provides guidance on identifying and protecting controlled unclassified information (CUI), which includes For Official Use Only (FOUO) information. Volume 4, enclosure 3 of the manual, entitled "Identification and Protection of CUI," states that information may not be designated CUI to: (1) conceal violations of law, inefficiency, or administrative error; (2) prevent embarrassment to a person, organization, or agency; (3) restrain competition; or (4) prevent or delay the release of information that does not require protection under statute or regulation. The manual further states that information shall not be designated CUI to prevent or avoid its proper classification, and that information that has been disclosed to the public under proper authority may not be subsequently designated or redesignated CUI. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 4 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.

    Recommendation: To clarify all guidance regarding the OUO and FOUO designations, the Secretaries of Energy and Defense should define what would be an inappropriate use of the designations OUO or FOUO.

    Agency Affected: Department of Energy

  6. Status: Closed - Implemented

    Comments: DOE stated that it had revised its departmental OUO directives on September 15, 2006 to clarify when documents should be marked OUO and what constituted an inappropriate use of OUO.

    Recommendation: To clarify all guidance regarding the OUO and FOUO designations, the Secretaries of Energy and Defense should define what would be an inappropriate use of the designations OUO or FOUO.

    Agency Affected: Department of Defense

  7. Status: Closed - Implemented

    Comments: The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 4 of the manual provides guidance on identifying and protecting controlled unclassified information (CUI), which includes For Official Use Only (FOUO) information. Volume 4, enclosure 4 of the manual, entitled "CUI Education and Training," states that personnel who have access to CUI shall receive, upon initial entry into a position that requires such access, training in CUI policies, principles, and practices that addresses, among other things: (1) the responsibilities of personnel who create or handle CUI; (2) the characteristics that qualify information for designation as CUI and the importance of properly applying CUI markings; (3) the marking and protection requirements for FOUO information and other categories of CUI routinely used; and (4) where to find detailed guidance on marking, handling, storing, transmitting, sharing, and destroying CUI. The manual also requires DOD personnel with access to CUI to complete annual refresher training that reinforces the policies, principles, and procedures covered in the initial CUI training. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 4 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.

    Recommendation: To assure that OUO and FOUO designations are correctly and consistently applied, the Secretaries of Energy and Defense should assure that all employees authorized to make OUO and FOUO designations receive an appropriate level of training before they can mark documents.

    Agency Affected: Department of Energy

  8. Status: Closed - Not Implemented

    Comments: The team contacted Mr. Andrew Weston-Dawkes, the director of the Office of Classification and Information Control. Mr. Weston-Dawkes stated that the situation had not changed since the team last contacted him in the summer of 2008. He explained that the Office of Classification and Information Control drafted a change in the DOE Order governing the marking of documents OUO that would have required employees to have training before marking any documents but that the DOE Office of General Counsel objected. He added that their objections remain. Mr. Weston-Dawkes added that the Obama Administration was in the final stages of drafting its own, government-wide policy on this, and that it too would not require that all employees authorized to make OUO and FOUO designations, as well as any other CUI (controlled unclassified information) designations, receive an appropriate level of training before they can mark documents. Mr. Weston-Dawkes expects this executive order to apply government-wide. Accordingly, we are closing this recommendation as unimplemented.

    Recommendation: To assure that OUO and FOUO designations are correctly and consistently applied, the Secretaries of Energy and Defense should assure that all employees authorized to make OUO and FOUO designations receive an appropriate level of training before they can mark documents.

    Agency Affected: Department of Defense

  9. Status: Closed - Implemented

    Comments: The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 4 of the manual provides guidance on identifying and protecting controlled unclassified information (CUI), which includes For Official Use Only (FOUO) information. Volume 4, enclosure 2 of the manual, entitled "Responsibilities," requires all DOD organizations to establish and maintain an ongoing oversight program to evaluate and assess the effectiveness and efficiency of their information security program pertaining to CUI. According to the manual, evaluation criteria for the oversight program shall include CUI safeguarding, designation, education and training, and management and oversight; and a periodic review and assessment of CUI products to ensure that the information is being properly marked and handled. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 4 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.

    Recommendation: To assure that OUO and FOUO designations are correctly and consistently applied, the Secretaries of Energy and Defense should develop a system to conduct periodic oversight of OUO and FOUO designations to assure that information is being properly marked and handled.

    Agency Affected: Department of Defense

  10. Status: Closed - Implemented

    Comments: The head of classification oversight for DOE's Office of Security Evaluations reports that reviews of the appropriateness of OUO designations were incorporated into OSE reviews of classification programs beginning at OSE's review of the Savannah River Site in the summer of 2006, and have been a part of every OSE inspection since -- which would be 6 in 2006 and 7 so far in 2007. This confirms the statement in DOE's September 19, 2006 letter to GAO from the head of the Office of Health, Safety and Security concerning this report, stating that reviews of OUO documents were being incorporated into OSE oversight reviews and self-assessments, and that DOE directives were being revised to reflect this policy change.

    Recommendation: To assure that OUO and FOUO designations are correctly and consistently applied, the Secretaries of Energy and Defense should develop a system to conduct periodic oversight of OUO and FOUO designations to assure that information is being properly marked and handled.

    Agency Affected: Department of Defense

 
