Managing Sensitive Information:

DOD Can More Effectively Reduce the Risk of Classification Errors

GAO-06-706: Published: Jun 30, 2006. Publicly Released: Jun 30, 2006.

Contact:

Davi M. Dagostino
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Misclassification of national security information impedes effective information sharing, can provide adversaries with information to harm the United States and its allies, and incurs millions of dollars in avoidable administrative costs. As requested, GAO examined (1) whether the implementation of the Department of Defense's (DOD) information security management program effectively minimizes the risk of misclassification; (2) the extent to which DOD personnel follow established procedures for classifying information, to include correctly marking classified information; (3) the reliability of DOD's annual estimate of its number of classification decisions; and (4) the likelihood of DOD's meeting automatic declassification deadlines.

A lack of oversight and inconsistent implementation of DOD's information security program are increasing the risk of misclassification. DOD's information security program is decentralized to the DOD component level, and the Office of the Under Secretary of Defense for Intelligence (OUSD(I)), the DOD office responsible for DOD's information security program, has limited involvement with, or oversight of, components' information security programs. While some DOD components and their subordinate commands appear to manage effective programs, GAO identified weaknesses in others in the areas of classification management training, self-inspections, and classification guides. For example, training at 9 of the 19 components and subordinate commands reviewed did not cover fundamental classification management principles, such as how to properly mark classified information or the process for determining the duration of classification. Also, OUSD(I) does not have a process to confirm whether self-inspections have been performed or to evaluate their quality. Only 8 of the 19 components performed self-inspections. GAO also found that some of the DOD components and subordinate commands that were examined routinely do not submit copies of their security classification guides, documentation that identifies which information needs protection and the reason for classification, to a central library as required. Some did not track their classification guides to ensure they were reviewed at least every 5 years for currency as required. Because of the lack of oversight and weaknesses in training, self-inspection, and security classification guide management, the Secretary of Defense cannot be assured that the information security program is effectively limiting the risk of misclassification across the department.

GAO's review of a nonprobability sample of 111 classified documents from five offices within the Office of the Secretary of Defense shows that, within these offices, DOD personnel are not uniformly following established procedures for classifying information, including the procedures for marking it. In a document review, GAO questioned DOD officials' classification decisions for 29 documents--that is, 26 percent of the sample. GAO also found that 92 of the 111 documents examined (83 percent) had at least one marking error, and more than half had multiple marking errors. While the results from this review cannot be generalized across DOD, they are consistent with the weaknesses GAO found in the way DOD implements its information security program.

The accuracy of DOD's classification decision estimates is questionable because of the considerable variance in how these estimates are derived across the department, and from year to year. However, beginning with the fiscal year 2005 estimates, OUSD(I) will review estimates of DOD components. This additional review could improve the accuracy of DOD's classification decision estimates if methodological inconsistencies also are reduced.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In response to our recommendation, the Under Secretary of Defense for Intelligence (USD(I)) annually issues guidance to Department of Defense (DOD) components on how they are to estimate the number of classification decisions made. This guidance describes what the components should count (e.g., photographs) and not count (e.g., e-mail replies) in their estimates, how to sample their population of classification decisions to derive an estimate, and how to report their estimates on the standard federal form. The guidance also identifies a USD(I) official whom components can contact for additional information. The requirement for components to calculate their classification decision estimates in accordance with instructions provided by USD(I) is contained in volume 1, enclosure 2 of DOD's Information Security Program manual, Number 5200.01. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 1 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.

    Recommendation: To support informed decision making with regard to information security, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to institute quality assurance measures to ensure that components implement consistently the DOD guidance on estimating the number of classification decisions, thereby increasing the accuracy and reliability of these estimates.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 1, enclosure 6 of the manual, entitled "Security Classification Guides," requires responsible original classification authorities to issue security classification guides for each system, plan, program, or project involving classified information as early as practical, and revise whenever necessary to promote effective derivative classification. Further, original classification authorities are required to distribute security classification guides to those DOD organizations and activities that may classify information the guide covers, as well as to the Defense Technical Information Center, which serves as a repository of DOD scientific and technical documents. The Center is required to maintain an on-line index of security classification guides that will facilitate their accessibility. Under Secretary of Defense for Intelligence (USD(I)) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 1 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.

    Recommendation: To reduce the risk of misclassification and create greater accountability across the department, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to issue a revised Information Security Program regulation to ensure that authorized individuals can access up-to-date security classification guides necessary to derivatively classify information accurately.

    Agency Affected: Department of Defense

  3. Status: Closed - Implemented

    Comments: The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 1, enclosure 2 of the manual, entitled "Responsibilities," requires DOD organizations to establish and maintain a self-inspection and oversight program to evaluate their information security programs. According to the manual, the frequency of self-inspections shall be based on program needs and classification activity; will cover, at a minimum, original and derivative classification, declassification, safeguarding, education and training, and management and oversight; and the results of these self-inspections shall be submitted to either the Information Security Oversight Office--which is part of the National Archives and Records Administration--and/or the Under Secretary of Defense for Intelligence (USD(I)) at least annually. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 1 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.

    Recommendation: To reduce the risk of misclassification and create greater accountability across the department, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to issue a revised Information Security Program regulation to ensure that the frequency, applicability, and coverage of self-inspections, and the reporting of inspection results are based on explicit criteria.

    Agency Affected: Department of Defense

  4. Status: Closed - Implemented

    Comments: The Department of Defense (DOD) is in the process of issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 3, enclosure 5 of the manual, entitled "Security Education and Training," includes training on fundamental classification principles that meet the intent of our recommendation. Specifically, enclosure 5 requires the heads of DOD organizations to ensure that all personnel granted access to classified information receive, prior to gaining initial access to classified information, training in the proper and complete classification markings, and how those markings are to be applied. Under Secretary of Defense for Intelligence (USD(I)) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 3 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.

    Recommendation: To reduce the risk of misclassification and create greater accountability across the department, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to issue a revised Information Security Program regulation to ensure that those personnel who are authorized to and who actually perform classification actions receive training that covers the fundamental classification principles as defined in the Under Secretary's memorandum of November 30, 2004, and that completion of such training is a prerequisite for these personnel to exercise this authority.

    Agency Affected: Department of Defense

  5. Status: Closed - Implemented

    Comments: In response to our recommendation, Office of the Under Secretary of Defense for Intelligence (USD(I)) officials--including the Deputy Director for Information Security and Security Oversight--stated that they recently established the Department of Defense (DOD) Security Oversight and Assessment Program. Under this program, USD(I) is selecting DOD components for oversight and assessment visits to identify best practices and lessons learned for trend analysis and program improvement, and to evaluate the relevance, effectiveness, and efficiency of DOD information security policies. For example, subsequent to our report, USD(I) began issuing guidance to DOD components for estimating the number of annual classification decisions they made, thereby increasing the accuracy and reliability of these estimates. Additionally, DOD is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 1, enclosure 3 of the manual, entitled "DOD Information Security Program Overview," assigns the USD(I) responsibility for directing, administering, and overseeing the DOD Information Security Program.

    Recommendation: To reduce the risk of misclassification and create greater accountability across the department, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to establish a centralized oversight process for monitoring components' information security programs to ensure that they satisfy federal and DOD requirements. This oversight could include requiring components to report on the results of self-inspections or other actions, targeted document reviews, and/or reviews by the DOD Inspector General and component audit agencies.

    Agency Affected: Department of Defense

  6. Status: Closed - Implemented

    Comments: Under Secretary of Defense for Intelligence (USD(I)) officials--including the Deputy Director for Information Security and Security Oversight--stated that since our report was issued in 2006 the Department of Defense (DOD) has eliminated 1 of its 14 automatic declassification sites that contain information classified by multiple DOD components. Further, in January 2010 DOD began pilot-phase operations of the DOD Joint Referral Center, co-located with the Army Declassification Activity near Fort Belvoir, Virginia, to evaluate processes for the expedited clearing of declassification referrals in a joint, collaborative manner. If the pilot yields positive results, USD(I) officials indicated that it could lead to further consolidation of automatic declassification sites.

    Recommendation: To assist DOD in its efforts to meet automatic declassification deadlines, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to evaluate the merits of consolidating records eligible for automatic declassification that contain information classified by multiple DOD components at fewer than the current 14 geographically dispersed sites.

    Agency Affected: Department of Defense

 
