This is the accessible text file for GAO report number GAO-06-369 
entitled 'Managing Sensitive Information: Departments of Energy and 
Defense Policies and Oversight Could Be Improved' which was released on 
March 14, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairman, Subcommittee on National Security, Emerging 
Threats, and International Relations, Committee on Government Reform, 
House of Representatives: 

United States Government Accountability Office: 

March 2006: 

Managing Sensitive Information: 

Departments of Energy and Defense Policies and Oversight Could Be 
Improved: 

GAO-06-369: 

GAO Highlights: 

Highlights of GAO-06-369, a report to the Chairman, Subcommittee on 
National Security, Emerging Threats, and International Relations, 
Committee on Government Reform, House of Representatives: 

Why GAO Did This Study: 

In the interest of national security and personal privacy and for other 
reasons, federal agencies place dissemination restrictions on 
information that is unclassified yet still sensitive. The Department of 
Energy (DOE) and the Department of Defense (DOD) have both issued 
policy guidance on how and when to protect sensitive information. DOE 
marks documents with this information as Official Use Only (OUO) while 
DOD uses the designation For Official Use Only (FOUO). GAO was asked to
(1) identify and assess the policies, procedures, and criteria DOE and 
DOD employ to manage OUO and FOUO information and (2) determine the 
extent to which DOE’s and DOD’s training and oversight programs assure 
that information is identified, marked, and protected according to 
established criteria. 

What GAO Found: 

Both DOE and DOD base their programs on the premise that information 
designated as OUO or FOUO must (1) have the potential to cause 
foreseeable harm to governmental, commercial, or private interests if 
disseminated to the public or persons who do not need the information 
to perform their jobs and (2) fall under at least one of eight Freedom 
of Information Act (FOIA) exemptions. According to GAO’s Standards for 
Internal Control in the Federal Government, policies, procedures, 
techniques, and mechanisms should be in place to manage agency 
activities. However, while DOE and DOD have policies in place, our 
analysis of these policies showed a lack of clarity in key areas that 
could allow for inconsistencies and errors. For example, it is unclear 
which DOD office is responsible for the FOUO program, and whether 
personnel designating a document as FOUO should note the FOIA exemption 
used as the basis for the designation on the document. Also, both DOE’s 
and DOD’s policies are unclear regarding at what point a document 
should be marked as OUO or FOUO and what would be an inappropriate use 
of the OUO or FOUO designation. For example, OUO or FOUO designations 
should not be used to cover up agency mismanagement. In our view, this 
lack of clarity exists in both DOE and DOD because the agencies have 
put greater emphasis on managing classified information, which is more 
sensitive than OUO or FOUO. 

While both DOE and DOD offer training on their OUO and FOUO policies, 
neither DOE nor DOD has an agencywide requirement that employees be 
trained before they designate documents as OUO or FOUO. Moreover, 
neither agency conducts oversight to assure that information is 
appropriately identified and marked as OUO or FOUO. According to 
Standards for Internal Control in the Federal Government, training and 
oversight are important elements in creating a good internal control 
program. DOE and DOD officials told us that limited resources, and in 
the case of DOE, the newness of the program, have contributed to the 
lack of training requirements and oversight. Nonetheless, the lack of 
training requirements and oversight of the OUO and FOUO programs leaves 
DOE and DOD officials unable to assure that OUO and FOUO documents are 
marked and handled in a manner consistent with agency policies and may 
result in inconsistencies and errors in the application of the 
programs. 

What GAO Recommends: 

GAO made several recommendations for DOE and DOD to clarify their 
policies to assure the consistent application of OUO and FOUO 
designations and increase the level of management oversight in their 
use. 

DOE and DOD agreed with most of GAO’s recommendations, but partially 
disagreed with its recommendation to periodically review OUO or FOUO 
information. DOD also disagreed that personnel designating a document 
as FOUO should also mark it with the applicable FOIA exemption. 

www.gao.gov/cgi-bin/getrpt?GAO-06-369. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Davi D'Agostino at (202) 
512-5431 or Gene Aloise at (202) 512-3841. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

DOE and DOD Lack Clear OUO and FOUO Guidance in Key Aspects: 

Neither DOE nor DOD Requires Training or Conducts Oversight: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Comments from the Department of Energy: 

Appendix II: Comments from the Department of Defense: 

Appendix III: GAO Contacts and Staff Acknowledgments: 

Table: 

Table 1: FOIA Exemptions: 

Figure: 

Figure 1: DOE's OUO Stamp: 

Abbreviations: 

DOD: Department of Defense: 
DOE: Department of Energy: 
FOIA: Freedom of Information Act: 
FOUO: For Official Use Only: 
OUO: Official Use Only: 

United States Government Accountability Office: 

Washington, DC 20548: 

March 7, 2006: 

The Honorable Christopher Shays: 
Chairman: 
Subcommittee on National Security, Emerging Threats, and International 
Relations: 
Committee on Government Reform: 
House of Representatives: 

Dear Mr. Chairman: 

In the interest of protecting national security, the federal government 
routinely classifies certain documents and other information as Top 
Secret, Secret, or Confidential. In addition to classified information, 
federal agencies also place dissemination restrictions on unclassified 
but sensitive information. These restrictions are used to indicate that 
the information, if disseminated to the public or persons who do not 
need such information to perform their jobs, may cause foreseeable harm 
to protected governmental, commercial, or privacy interests. Such 
information includes, for example, sensitive personnel information, 
such as Social Security numbers, and the floor plans for some federal 
buildings. The Department of Energy (DOE) and the Department of Defense 
(DOD) use the designations Official Use Only (OUO) and For Official Use 
Only (FOUO), respectively, to identify information that is unclassified 
but sensitive. According to both DOE and DOD officials, it is unknown 
how many documents containing OUO and FOUO information exist, but a DOE 
official stated that there were many millions of pages of OUO material. 
Congressional concern has recently arisen that some government 
officials may be improperly designating certain documents as 
unclassified but sensitive, which unnecessarily limits their 
dissemination to the public. 

DOE's and DOD's OUO and FOUO programs are largely based on the 
exemption provisions of the Freedom of Information Act (FOIA), which 
establishes the public's legal right of access to government 
information, as well as the government's right to restrict public 
access to certain types of unclassified information.[Footnote 1] FOIA 
identifies nine categories of information that are generally exempt 
from public release, including law enforcement records and proprietary 
information, although only eight of these categories are applicable to 
OUO and FOUO programs.[Footnote 2] 

This report responds in part to your request that we review the broad 
issues regarding information classification management at DOE and DOD. 
As agreed with your office, to respond to your request, we will issue 
three reports on this subject. This report discusses OUO and FOUO 
programs at DOE and DOD. In addition, in June 2006, we will issue two 
separate reports on DOE's and DOD's management of information 
classified as Top Secret, Secret, or Confidential, which is separate 
from the agencies' OUO and FOUO programs. In this report, we will (1) 
identify and assess the policies, procedures, and criteria DOE and DOD 
employ to manage OUO and FOUO information and (2) determine the extent 
to which DOE's and DOD's training and oversight programs assure that 
information is identified, marked, and protected according to 
established criteria. 

We also recently issued a report on the designation of sensitive 
security information at the Transportation Security 
Administration.[Footnote 3] Finally, we are currently reviewing the 
management of Sensitive but Unclassified information within the 
Department of Justice, the agency's current efforts to share sensitive 
homeland security information among federal and nonfederal entities, 
and the challenges posed by such information sharing. 

To identify and assess the policies and procedures DOE and DOD use to 
manage OUO and FOUO information, we reviewed and analyzed FOIA and 
DOE's and DOD's current applicable policies, regulations, orders, 
manuals, and guides. We compared these to the objectives and 
fundamental concepts of internal controls defined in Standards for 
Internal Control in the Federal Government.[Footnote 4] To determine 
the extent to which these agencies' internal controls assure that 
information is identified and marked according to established criteria, 
we reviewed the training provided to staff at both agencies and the 
oversight conducted on the OUO and FOUO programs. We compared these 
efforts with the standards for training and oversight envisioned in 
Standards for Internal Control in the Federal Government. We also 
interviewed officials from DOE and DOD in Washington, D.C.; at DOE field 
locations in Los Alamos and Albuquerque, New Mexico, Oak Ridge, 
Tennessee, and the Savannah River Site in South Carolina; and at 
several DOD field locations. These locations were selected based on the 
large amounts of activity in classifying and controlling information. 
According to agency officials, there is no listing or identifiable 
universe of OUO or FOUO documents maintained by the agencies. Because 
of this limitation, we did not sample documents marked OUO or FOUO. 

We performed our work from April 2005 through January 2006 in 
accordance with generally accepted government auditing standards. 

Results in Brief: 

Both DOE and DOD base their programs on the premise that information 
designated as OUO or FOUO must (1) have the potential to cause 
foreseeable harm to governmental, commercial, or private interests if 
disseminated to the public or persons who do not need the information 
to perform their jobs and (2) fall under at least one of eight FOIA 
exemptions. According to Standards for Internal Control in the Federal 
Government, policies, procedures, techniques, and mechanisms should be 
in place to manage agency activities. However, while DOE and DOD have 
policies in place, our analysis of these policies showed a lack of 
clarity in key areas that could allow for inconsistencies and errors. 
For example, it is unclear which DOD office is responsible for the FOUO 
program, and whether personnel designating a document as FOUO should 
note the FOIA exemption used as the basis for the designation on the 
document. Also, both DOE's and DOD's policies are unclear regarding at 
what point a document should be marked as OUO or FOUO and what would be 
an inappropriate use of the OUO or FOUO designation. For example, OUO 
or FOUO designations should not be used to cover up agency 
mismanagement. In our view, this lack of clarity exists in both DOE and 
DOD because the agencies have put greater emphasis on managing 
classified information, which is more sensitive than OUO or FOUO 
information. 

While both DOE and DOD offer training on their OUO and FOUO policies, 
neither DOE nor DOD has an agencywide requirement that employees be 
trained before they designate documents as OUO or FOUO. Moreover, 
neither agency conducts oversight to assure that information is 
appropriately identified and marked as OUO or FOUO. According to 
Standards for Internal Control in the Federal Government, training and 
oversight are important elements in creating a good internal control 
program. DOE and DOD officials told us that limited resources, and in 
the case of DOE, the newness of the program, have contributed to the 
lack of training requirements and oversight. Nonetheless, the lack of 
training requirements and oversight of the OUO and FOUO programs leaves 
DOE and DOD officials unable to assure that OUO and FOUO documents are 
marked and handled in a manner consistent with agency policies and may 
result in inconsistencies and errors in the application of the 
programs. 

We are recommending that DOE and DOD clarify their policies to assure 
the consistent application of OUO and FOUO designations and increase 
the level of management oversight in their use. In commenting on a 
draft of this report, DOE and DOD agreed with most of our 
recommendations. Both DOE and DOD disagreed with our recommendation to 
periodically review information to determine if it continues to require 
an OUO or FOUO designation. Based on their comments, we modified the 
report and our recommendation to focus on the need for periodic 
oversight of the OUO and FOUO programs. 

Also, DOD disagreed with our draft report recommendation that personnel 
designating a document as FOUO also mark the document with the FOIA 
exemption used to determine the information should be restricted. We 
believe that the practice of citing the applicable FOIA exemption(s) 
will not only increase the likelihood that the information is 
appropriately marked as FOUO, but will also foster consistent 
application of the marking throughout DOD. Therefore, we continue to 
believe our recommendation has merit. 

DOE and DOD Lack Clear OUO and FOUO Guidance in Key Aspects: 

Both DOE and DOD have established offices; designated staff; and 
promulgated policies, manuals, and guides to provide a framework for 
the OUO and FOUO programs. However, based on our assessment of the 
policies governing both DOE's and DOD's programs, their policies to 
assure that unclassified but sensitive information is appropriately 
identified and marked lack sufficient clarity in important areas that 
could allow for inconsistencies and errors. DOE policy clearly 
identifies the office responsible for the OUO program and establishes a 
mechanism to mark the FOIA exemption used as the basis for the OUO 
designation on a document. However, our analysis of DOD's FOUO policies 
shows that it is unclear which DOD office is responsible for the FOUO 
program, and whether personnel designating a document as FOUO should 
note the FOIA exemption used as the basis for the designation on the 
document. Also, both DOE's and DOD's policies are unclear regarding at 
what point a document should be marked as OUO or FOUO, and what would 
be an inappropriate use of the OUO or FOUO designation. In our view, 
this lack of clarity exists in both DOE and DOD because the agencies 
have put greater emphasis on managing classified information, which is 
more sensitive than OUO or FOUO information. 

DOE's OUO program was created in 2003 and DOD's FOUO program has been 
in existence since 1968. Both programs use the exemptions in FOIA for 
designating information in a document as OUO or FOUO. Table 1 outlines 
these exemptions. 

Table 1: FOIA Exemptions: 

Exemption: 1. Classified in accordance with an executive order[A]; 
Examples: Classified national defense or foreign policy information. 

Exemption: 2. Related solely to internal personnel rules and practices 
of an agency; 
Examples: Routine internal personnel matters, such as performance 
standards and leave practices; internal matters the disclosure of which 
would risk the circumvention of a statute or agency regulation, such as 
law enforcement manuals. 

Exemption: 3. Specifically exempted from disclosure by federal statute; 
Examples: Nuclear weapons design (Atomic Energy Act); tax return 
information (Internal Revenue Code). 

Exemption: 4. Privileged or confidential trade secrets, commercial, or 
financial information; 
Examples: Scientific and manufacturing processes (trade secrets); sales 
statistics, customer and supplier lists, profit and loss data, and 
overhead and operating costs (commercial/financial information). 

Exemption: 5. Interagency or intra-agency memoranda or letters that are 
normally privileged in civil litigation; 
Examples: Memoranda and other documents that contain advice, opinions, 
or recommendations on decisions and policies (deliberative process); 
documents prepared by an attorney in contemplation of litigation 
(attorney work-product); confidential communications between an 
attorney and a client (attorney-client). 

Exemption: 6. Personnel, medical, and similar files the disclosure of 
which would constitute a clearly unwarranted invasion of personal 
privacy; 
Examples: Personal details about a federal employee, such as date of 
birth, marital status, and medical condition. 

Exemption: 7. Records compiled for law enforcement purposes where 
release either would or could harm those law enforcement efforts in one 
or more ways listed in the statute; 
Examples: Witness statements; information obtained in confidence in the 
course of an investigation; identity of a confidential source. 

Exemption: 8. Certain records and reports related to the regulation or 
supervision of financial institutions; 
Examples: Bank examination reports and related documents. 

Exemption: 9. Geographical and geophysical information and data, 
including maps, concerning wells; 
Examples: Well information of a technical or scientific nature, such as 
number, locations, and depths of proposed uranium exploration 
drill-holes. 

Sources: FOIA and GAO analysis. 

[A] As noted earlier in this report, classified information is not 
included in DOE's and DOD's OUO and FOUO programs. 

[End of table] 

The Federal Managers Financial Improvement Act of 1982 states that 
agencies must establish internal administrative controls in accordance 
with the standards prescribed by the Comptroller General.[Footnote 5] 
The Comptroller General published such standards in Standards for 
Internal Control in the Federal Government, which sets out management 
control standards for all aspects of an agency's operation. These 
standards are intended to provide reasonable assurance of meeting 
agency objectives, and should be recognized as an integral part of each 
system that management uses to regulate and guide its operations. One 
of the standards of internal control--internal control activities-- 
states that appropriate policies, procedures, techniques, and 
mechanisms should exist with respect to each of the agency's activities 
and are an integral part of an agency's planning, implementing, and 
reviewing. 

DOE's Office of Security issued an order, a manual, and a guide in 
April 2003 to detail the requirements and responsibilities for DOE's 
OUO program and to provide instructions for identifying, marking, and 
protecting OUO information.[Footnote 6] According to DOE officials, the 
agency issued the order, manual, and guide to provide guidance on how 
and when to identify information as OUO and eliminate various 
additional markings, such as Patent Caution or Business Sensitive, for 
which there was no law, regulation, or DOE directive to inform staff 
how such documents should be protected. The overall goal of the order 
was to establish a policy consistent with criteria established in FOIA. 
DOE's order established the OUO program and laid out, in general terms, 
how sensitive information should be identified and marked, and who is 
responsible for doing so. The guide and the manual supplement the 
order. The guide provides more detailed information on the eight 
applicable FOIA exemptions to help staff decide whether exemption(s) 
may apply, which exemption(s) may apply, or both. The manual provides 
specific instructions for managing OUO information, such as mandatory 
procedures and processes for properly identifying and marking this 
information. For example, the employee marking a document is required 
to place on the front page of the document an OUO stamp that has a 
space for the employee to identify which FOIA exemption is believed to 
apply; the employee's name and organization; the date; and, if 
applicable, any guidance the employee may have used in making this 
determination.[Footnote 7] According to one senior DOE official, 
requiring the employee to cite a reason why a document is designated as 
OUO is one of the purposes of the stamp, and one means by which DOE's 
Office of Classification encourages practices consistent with the 
order, guide, and manual throughout DOE. Figure 1 shows the DOE OUO 
stamp. 

Figure 1: DOE's OUO Stamp: 

[See PDF for image] 

Source: DOE. 

[End of figure] 

The current DOD regulations are unclear regarding which DOD office 
controls the FOUO program. Although responsibility for the FOUO program 
was shifted from the Director for Administration and Management to the 
Office of the Assistant Secretary of Defense, Command, Control, 
Communications, and Intelligence (now the Under Secretary of Defense, 
Intelligence) in October 1998, this shift is not reflected in current 
regulations. Guidance for DOD's FOUO program continues to be included 
in regulations issued by both offices. As a result, there is currently 
a lack of clarity regarding which DOD office has primary responsibility 
for the FOUO program. According to a DOD official, this lack of clarity 
causes personnel who have FOUO questions to contact the wrong office. 
The direction provided in Standards for Internal Control in the Federal 
Government states that an agency's organizational structure should 
clearly define key areas of authority and responsibility. A DOD 
official said that they began coordination of a revised Information 
Security regulation covering the FOUO program at the end of January 
2006. The new regulation will reflect the change in responsibilities 
and place greater emphasis on the management of the FOUO program. 

DOD currently has two regulations, issued by each of the offices 
described above, containing similar guidance that addresses how 
unclassified but sensitive information should be identified, marked, 
handled, and stored.[Footnote 8] Once information in a document has 
been identified as FOUO, it is to be marked For Official Use Only. 
However, unlike DOE, DOD has no departmentwide requirement to indicate 
which FOIA exemption may apply to the information, except when it has 
been determined to be releasable to a federal governmental entity 
outside of DOD. We found, however, that one of the Army's subordinate 
commands does train its personnel to put an exemption on any documents 
that are marked as FOUO, but does not have this step as a requirement 
in any policy. In our view, if DOD were to require employees to take 
the extra step of marking the exemption that may be the reason for the 
FOUO designation at the time of document creation, it would help assure 
that the employee marking the document has at least considered the 
exemptions and made a thoughtful determination that the information 
fits within the framework of the FOUO designation. Including the FOIA 
exemption on the document at the time it is marked would also 
facilitate better agency oversight of the FOUO program since it would 
provide any reviewer/inspector with an indication of the basis for the 
marking. 

Both DOE's and DOD's policies are unclear about the point at which the 
OUO or FOUO designation should be affixed to a document. If a document is not 
marked at creation, but might contain information that is OUO or FOUO 
and should be handled as such, it creates a risk that the document 
could be mishandled. DOE policy is vague about the appropriate time to 
apply a marking. DOE officials in the Office of Classification stated 
that their policy does not provide specific guidance about at what 
point to mark a document because such decisions are highly situational. 
Instead, according to these officials, the DOE policy relies on the 
"good judgment" of DOE personnel in deciding the appropriate time to 
mark a document. Similarly, DOD's current Information Security 
regulation addressing the FOUO program does not identify when a 
document should be marked. In contrast, DOD's September 1998 FOIA 
regulation, in a chapter on FOUO, states that "the marking of records 
at the time of their creation provides notice of FOUO content and 
facilitates review when a record is requested under the FOIA." In our 
view, a policy can provide flexibility to address highly situational 
circumstances and also provide specific guidance and examples of how to 
properly exercise this flexibility. 

In addition, we found both DOE's and DOD's OUO and FOUO programs lack 
clear language identifying examples of inappropriate use of OUO or FOUO 
markings. According to Standards for Internal Control in the Federal 
Government, agencies should have sufficient internal controls in place 
to mitigate risk and assure that employees are aware of what behavior 
is acceptable and what is unacceptable. Without explicit language 
identifying inappropriate use of OUO or FOUO markings, DOE and DOD 
cannot be confident that their personnel will not use these markings to 
conceal mismanagement, inefficiencies, or administrative errors or to 
prevent embarrassment to themselves or their agency.[Footnote 9] 

Neither DOE nor DOD Requires Training or Conducts Oversight: 

Standards for Internal Control in the Federal Government discusses the 
need for both training and continuous program monitoring as necessary 
components of a good internal control program. However, while both DOE 
and DOD offer training to staff on managing OUO and FOUO information, 
neither agency requires any training of its employees before they are 
allowed to identify and mark information as OUO or FOUO, although some 
staff will eventually take OUO or FOUO training as part of other 
mandatory training. In addition, neither agency has implemented an 
oversight program to determine the extent to which employees are 
complying with established policies and procedures. DOE and DOD 
officials told us that limited resources, and in the case of DOE, the 
newness of the program, have contributed to the lack of training 
requirements and oversight. 

OUO and FOUO Training Is Generally Not Required: 

While many DOE units offer training on DOE's OUO policy, DOE does not 
have a departmentwide policy that requires OUO training before an 
employee is allowed to designate a document as OUO. As a result, some 
DOE employees may be identifying and marking documents for restriction 
from dissemination to the public or persons who do not need to know the 
information to perform their jobs and yet may not be fully informed as 
to when it is appropriate to do so. At DOE, the level of training that 
employees receive is not systematic and varies considerably by unit, 
with some requiring OUO training at some point as a component of other 
periodic employee training, and others having no requirements at all. 
For example, most of DOE's approximately 10,000 contractor employees at 
the Sandia National Laboratories in Albuquerque, New Mexico, are 
required to complete OUO training as part of their annual security 
refresher training. In contrast, according to the senior classification 
official at Oak Ridge, very few staff received OUO training at DOE's 
Oak Ridge Office in Oak Ridge, Tennessee, although staff were sent 
general information about the OUO program when it was launched in 2003 
and again in 2005. Instead, this official provides OUO guidance and 
other reference and training materials to senior managers with the 
expectation that they will inform their staff on the proper use of OUO. 

DOD similarly has no departmentwide training requirements before staff 
are authorized to identify, mark, and protect information as FOUO. The 
department relies on the individual services and components within DOD 
to determine the extent of training employees receive. When training is 
provided, it is usually included as part of a unit's overall security 
training, which is required for many but not all employees. There is no 
requirement to track which employees received FOUO training, nor is 
there a requirement for periodic refresher training. Some DOD 
components, however, do provide FOUO training for employees as part of 
their security awareness training. 

Oversight of OUO and FOUO Programs Is Lacking: 

Neither DOE nor DOD knows the level of compliance with OUO and FOUO 
program policies and procedures because neither agency conducts any 
oversight to determine whether the OUO and FOUO programs are being 
managed well. According to a senior manager in DOE's Office of 
Classification, the agency does not review OUO documents to assess 
whether they are properly identified and marked. This condition appears 
to contradict the DOE policy requiring the agency's senior officials to 
assure that the OUO programs, policies, and procedures are effectively 
implemented. Similarly, DOD does not routinely review FOUO information 
to assure that it is properly managed. 

Without oversight, neither DOE nor DOD can assure that staff are 
complying with agency policies. We are aware of at least one recent 
case in which DOE's OUO policies were not followed. In 2005, there were 
several stories in the news about revised estimates of the cost and 
length of the cleanup of high-level radioactive waste at DOE's Hanford 
Site in southeastern Washington. This information was controversial 
because there is a history of delays and cost overruns associated with 
this multibillion dollar project, and DOE was restricting a key 
document containing recently revised cost and time estimates from being 
released to the public. This document, which was produced by the U.S. 
Army Corps of Engineers for DOE, was marked Business Sensitive by DOE. 
However, according to a senior official in the DOE Office of 
Classification, Business Sensitive is not a recognized marking in DOE. 
Therefore, there is no DOE policy or guidance on how to handle or 
protect documents marked with this designation. This official said that 
if information in this document needed to be restricted from release to 
the public, then the document should have been stamped OUO and the 
appropriate FOIA exemption should have been marked on the document. 

Conclusions: 

The lack of clear policies, effective training, and oversight in DOE's 
and DOD's OUO and FOUO programs could result in both over- and 
underprotection of unclassified yet sensitive government documents that 
may need to be limited from disclosure to the public or persons who do 
not need to know such information to perform their jobs to prevent 
potential harm to governmental, commercial, or private interests. 
Having clear policies and procedures in place, as discussed in 
Standards for Internal Control in the Federal Government, can mitigate 
the risk that programs could be mismanaged and can help DOE and DOD 
management assure that OUO or FOUO information is appropriately marked 
and handled. DOE and DOD have no systemic procedures in place to assure 
that staff are adequately trained before designating documents OUO or 
FOUO, nor do they have any means of knowing the extent to which 
established policies and procedures for making these designations are 
being complied with. These issues are important because they affect 
DOE's and DOD's ability to assure that the OUO and FOUO programs are 
identifying, marking, and safeguarding documents that truly need to be 
protected in order to prevent potential damage to governmental, 
commercial, or private interests. 

Recommendations for Executive Action: 

To assure that the guidance governing the FOUO program reflects the 
necessary internal controls for good program management, we recommend 
that the Secretary of Defense take the following two actions: 

* revise the regulations that currently provide guidance on the FOUO 
program to conform to the 1998 policy memo designating which office has 
responsibility for the FOUO program and 

* revise any regulation governing the FOUO program to require that 
personnel designating a document as FOUO also mark the document with 
the FOIA exemption used to determine the information should be 
restricted. 

We also recommend that the Secretaries of Energy and Defense take the 
following two actions to clarify all guidance regarding the OUO and 
FOUO designations: 

* identify at what point the document should be marked as OUO or FOUO 
and 

* define what would be an inappropriate use of the designations OUO or 
FOUO. 

To assure that OUO and FOUO designations are correctly and consistently 
applied, we recommend that the Secretaries of Energy and Defense take 
the following two actions: 

* assure that all employees authorized to make OUO and FOUO 
designations receive an appropriate level of training before they can 
mark documents and 

* develop a system to conduct periodic oversight of OUO and FOUO 
designations to assure that information is being properly marked and 
handled. 

Agency Comments and Our Evaluation: 

In commenting on a draft of this report, both DOE and DOD agreed with 
the findings of the report and with most of the report's 
recommendations. DOE agreed with our recommendations to clarify its 
guidance to identify at what point a document should be marked OUO and 
define what would be an inappropriate use of OUO. They also agreed with 
our recommendation that all employees authorized to make OUO 
designations receive training before they can mark documents. DOD 
concurred with our recommendations to revise the regulations 
designating which office has responsibility for the FOUO program, to 
clarify guidance regarding at what point to mark a document as FOUO and 
to define inappropriate usage of the FOUO designation, and to assure 
that all employees authorized to make FOUO designations receive 
appropriate training. 

Both DOE and DOD partially concurred with our recommendation to develop 
a system to conduct periodic oversight of OUO or FOUO designations. 
They agreed with developing a system for periodic oversight of OUO or 
FOUO designations, but disagreed with the recommendation in our draft 
report to conduct periodic reviews of OUO or FOUO information to 
determine if the information continues to require that designation. DOE 
stated that much of the information designated as OUO is permanent by 
nature--such as information related to privacy and proprietary 
interests--and a systematic review would "primarily serve to correct a 
small error rate that would be better addressed by additional training 
and oversight." In its comments, DOD stated that such a review would 
not be an efficient use of limited resources because "all DOD 
information, whether marked as FOUO or not, is specifically reviewed 
for release when disclosure to the public is desired by the Department 
or requested by others. Any erroneous or improper designation as FOUO 
is identified and corrected in this review process and the information 
released as appropriate. Thus, information is not withheld from the 
public based solely on the initial markings applied by the originator." 
Based on DOE's and DOD's comments, we believe the agencies have agreed 
to address the principal concern that led to our original 
recommendation. We therefore have modified the report and our 
recommendation to focus on the need for periodic oversight of the OUO 
and FOUO programs by deleting the portion of the recommendation calling 
for a periodic review of the information to determine if it continues 
to require an OUO or FOUO designation. 

DOD did not concur with our recommendation to require that personnel 
designating a document as FOUO also mark the document with the 
applicable FOIA exemption(s). DOD stated that "if the individual 
erroneously applies an incorrect/inappropriate FOIA exemption to a 
document, then it is possible that other documents that are 
derivatively created from this document would also carry the incorrect 
FOIA exemption or that the incorrect designation could cause problems 
if a denial is litigated. Additionally, when the document is reviewed 
for release to the public, the annotated FOIA exemption may cause the 
reviewer to believe that the document is automatically exempt from 
release and not perform a proper review." However, we believe that the 
practice of citing the applicable FOIA exemption(s) will not only 
increase the likelihood that the information is appropriately marked as 
FOUO, but will also foster consistent application of the marking 
throughout DOD. Using a stamp similar to the one employed by DOE (see 
fig. 1), which clearly states that the marked information may be exempt 
from public release under a specific FOIA exemption, should facilitate 
the practice. Furthermore, as DOD stated above, "all DOD information, 
whether marked as FOUO or not, is specifically reviewed for release 
when disclosure to the public is desired by the Department or requested 
by others. Any erroneous or improper designation as FOUO is identified 
and corrected in this review process and the information released as 
appropriate. Thus, information is not withheld from the public based 
solely on the initial markings applied by the originator." Therefore, 
if DOD, under the FOIA process, properly reviews all documents before 
they are released and corrects any erroneous or improper designation, 
then prior markings should not affect the decision to release a 
document, particularly if such markings are identified as provisional. 
Therefore, we continue to believe our recommendation has merit. 

Comments from DOE's Director, Office of Security and Safety Performance 
Assurance and DOD's Deputy Under Secretary of Defense 
(Counterintelligence and Security) are reprinted in appendix I and 
appendix II, respectively. DOE and DOD also provided technical 
comments, which we included in the report as appropriate. 

As agreed with your offices, unless you publicly release the contents of 
this report earlier, we plan no further distribution until 30 days from 
its date. We will then send copies of this report to the Secretary of 
Energy; the Secretary of Defense; the Director, Office of Management 
and Budget; and interested congressional committees. We will also make 
copies available to others upon request. In addition, this report will 
be available at no charge on the GAO Web site at http://www.gao.gov. 

If you or your staff have any questions concerning this report, please 
contact either of us. Davi M. D'Agostino can be reached at (202) 
512-5431 or dagostinod@gao.gov, and Gene Aloise can be reached at (202) 
512-3841 or aloisee@gao.gov. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. GAO staff who made major contributions to this 
report are listed in appendix III. 

Sincerely yours, 

Signed by: 

Davi M. D'Agostino: 
Director, Defense Capabilities and Management: 

Gene Aloise: 
Director, Natural Resources and Environment: 

[End of section] 

Appendix I: Comments from the Department of Energy: 

Department of Energy: 
Washington, DC 20585: 

February 7, 2006: 

Mr. Gene Aloise: 
Director: 
Natural Resources and Environment Team: 
United States Government Accountability Office: 
Washington, D.C. 20548: 

Dear Mr. Aloise: 

The Department of Energy (DOE) has completed its review of the 
Government Accountability Office (GAO) draft report GAO-06-369, 
MANAGING SENSITIVE INFORMATION: Departments of Energy and Defense 
Policies and Oversight Could Be Improved. We understand the report is 
one of three that resulted from a request by The Honorable Christopher 
Shays to review information classification management at the Department 
of Energy and the Department of Defense (DOD). This review was 
specifically to (1) identify and assess the policies, procedures, and 
criteria the DOE and the DOD employ to manage Official Use Only (OUO) 
and For Official Use Only (FOUO) information and (2) determine the 
extent to which DOE's and DOD's training and oversight programs assure 
that information is identified, marked, and protected according to 
established criteria. 

The DOE agrees that the findings are accurate and concurs with all but 
one recommendation as discussed below. Since the 2003 publication of 
DOE Order 471.3, Identifying and Protecting Official Use Only 
Information, DOE Manual 471.3-1, Manual for Identifying and Protecting 
Official Use Only Information, and DOE Guide 471.3-1, Guide to 
Identifying Official Use Only Information, DOE efforts have focused on 
education and assistance. The DOE has assisted its organizations by 
providing training and reviewing OUO training materials produced by 
program offices as requested, and by responding to questions. In 
addition, Headquarters personnel met with field personnel regarding OUO 
training and program implementation during classification oversight 
reviews. Despite these efforts, we agree with the GAO that the DOE OUO 
program is implemented unevenly. Therefore, we agree that OUO training 
should be required for all employees and that OUO should be included as 
an element of oversight reviews. The DOE plans to revise OUO directives 
to add training and oversight requirements. These actions should ensure 
OUO information is identified accurately and consistently throughout 
the DOE. In addition, the directives will be revised, as recommended, 
to include information on the inappropriate use of OUO and clarify the 
point at which a document containing OUO information should be marked. 

However, we disagree with the GAO recommendation for periodic review of 
OUO information. Most OUO documents are in collections that do not have 
permanent historical value, for which there is no public interest, and 
that are destroyed without ever having been requested. Documents are 
currently reviewed as requested and when they are scheduled for 
release. The DOE believes this approach represents the most efficient 
method of providing information to the public and best matches the 
public interest to taxpayer cost. 

Periodic review is also unnecessary because it would likely result in 
few changes to OUO determinations. Unlike classified information, which 
may be declassified or subject to declassification dates or events, the 
Freedom of Information Act (FOIA) basis for OUO information is stable, 
and much of the information is permanent by nature. OUO is consistent 
with FOIA exemptions, which, except for minor additions, have been 
stable since the law was enacted in 1966. Certain exemptions, such as 
privacy and proprietary exemptions, are permanent in nature. Systematic 
review would primarily serve to correct a small error rate that would 
be better addressed by additional training and oversight. 

Although systematic review is inadvisable, we agree that some quality 
control is prudent. We, therefore, plan to include the review of OUO 
documents in oversight reviews and to revise DOE directives to require 
document reviews for OUO in field-conducted oversight reviews and 
self-assessments. 

We also plan to take a pro-active approach to lessen the likelihood of 
incorrect OUO determinations. Revising DOE directives for clarity and 
requiring additional training and oversight should improve the 
implementation of the OUO program and decrease the likelihood of 
documents being incorrectly marked or not marked as OUO. Our planned 
actions, as detailed in the appendix, should provide sufficient 
education and quality control to ensure that the DOE's OUO program is 
consistent and accurate. We feel these actions represent a cost 
effective solution to improving the DOE's OUO program. 

Sincerely, 

Signed by: 

Glenn S. Podonsky: 
Director: 
Office of Security and Safety Performance Assurance: 

Enclosures: 

Appendix: 

DOE Response to GAO Draft Report MANAGING SENSITIVE INFORMATION: 
Departments of Energy and Defense Policies and Oversight Could Be 
Improved (GAO-06-369): 

In summary, the DOE finds the draft report to be a fair evaluation of 
its Official Use Only (OUO) program. The DOE plans the following 
specific actions related to recommendations in the draft report: 

Recommendation 1. We recommend that the Secretaries of Energy and 
Defense clarify all guidance regarding the OUO and FOUO designations: 

* To identify when the document should be marked as "OUO" or "FOUO" and 

* To define what would be an inappropriate use of the designations 
"OUO" or "FOUO." 

DOE Response. The DOE plans to revise DOE Order 471.3, Identifying and 
Protecting Official Use Only Information, and DOE Manual 471.3-1, 
Manual for Identifying and Protecting Official Use Only Information, to 
clarify the point at which OUO markings should be applied to a 
document. 

The DOE also plans to revise the above directives to include a 
discussion of the inappropriate use of OUO. 

Recommendation 2. Assure that all employees authorized to make OUO and 
FOUO designations receive an appropriate level of training before they 
can mark documents. 

DOE Response. The DOE plans to revise DOE directives to require initial 
and refresher OUO training and identify the persons responsible for 
ensuring training is implemented and conducted. 

Recommendation 3. Develop a system to conduct periodic oversight of OUO 
and FOUO designations to assure that information is being properly 
marked and handled and that a periodic review of the information is 
done to determine if the information continues to be OUO. 

DOE Response. The DOE plans to implement an OUO oversight program to 
include an evaluation of the identifying, marking, and protection of 
OUO information using lines of inquiry based on DOE directives and 
guidance. The program will be developed and incorporated into the 
Classification and Information Control Oversight Program. Oversight 
reviews will include the review of documents marked OUO and unmarked 
documents to ensure OUO determinations are appropriate and consistent, 
and the correct exemptions are cited. In addition, the DOE plans to 
revise the OUO directives to add the evaluation of the identification, 
marking, and protection of OUO as a requirement for field oversight 
reviews and self-assessments. 

The DOE does not plan to develop a program for systematic review of OUO 
documents. The current approach of reviewing documents as requested and 
when they are scheduled for release represents the most efficient 
method of providing information to the public and best matches the 
public interest to taxpayer cost. The DOE feels increased training and 
oversight will produce a more consistent and accurate OUO program 
sufficiently responsive to public interest. 

[End of section] 

Appendix II: Comments from the Department of Defense: 

OFFICE OF THE UNDER SECRETARY OF DEFENSE: 
INTELLIGENCE: 
5000 DEFENSE PENTAGON: 
WASHINGTON, DC 20301-5000: 

Ms. Davi M. D'Agostino: 
Director, Defense Capabilities and Management: 
U.S. Government Accountability Office: 
441 G Street, N.W.: 
Washington, DC 20548: 

Dear Ms. D'Agostino: 

This is the Department of Defense (DoD) response to the GAO draft 
report, "MANAGING SENSITIVE INFORMATION: Departments of Energy and 
Defense Policies and Oversight Could Be Improved," dated January 23, 
2006, (GAO Code 350774/GAO-06-369). 

The DoD agrees that policy regarding use of the "For Official Use Only" 
(FOUO) designation could be clarified and changes to do so are included 
in the revision of DoD Regulation 5200.1, "DoD Information Security 
Program," which is currently underway. Additional guidance will be 
incorporated to include changes suggested by the GAO. However, the DoD 
disagrees with the GAO's recommendations that the designator annotate 
the applicable FOIA exemption and that documents so marked be 
periodically reviewed to determine if the information continues to 
require the FOUO designation. 

Detailed comments on each of the specific recommendations in the draft 
report are attached. 

Sincerely, 

Signed for: 

Robert W. Rogalski: 
Deputy Under Secretary of Defense (Counterintelligence and Security): 

GAO DRAFT REPORT - DATED JANUARY 23, 2006 GAO CODE 350774/GAO-06-369: 

"MANAGING SENSITIVE INFORMATION: Departments of Energy and Defense 
Policies and Oversight Could Be Improved" 

DEPARTMENT OF DEFENSE COMMENTS TO THE RECOMMENDATIONS: 

RECOMMENDATION 1: The GAO recommended that the Secretary of Defense 
revise the regulations that currently provide guidance on the FOUO 
program to conform to the 1998 policy memo designating which office has 
responsibility for the FOUO program. (p. 13/GAO Draft Report): 

DOD RESPONSE: Concur. This requirement will be addressed as part of the 
on-going revisions of DoD Regulation 5200.1, "DoD Information Security 
Program," and DoD Regulation 5400.7, "Freedom of Information Act 
Program." 

RECOMMENDATION 2: The GAO recommended that the Secretary of Defense 
revise any regulation governing the FOUO program to require that 
personnel designating a document as "FOUO" also mark the document with 
the applicable FOIA exemption used to determine the information should 
be restricted. (p. 13/GAO Draft Report): 

DOD RESPONSE: Non-concur. The Department does not concur with the GAO 
recommendation that the personnel designating an original document as 
"FOUO" also annotate the marking with the appropriate FOIA exemption. 
If the individual erroneously applies an incorrect/inappropriate FOIA 
exemption to a document, then it is possible that other documents that 
are derivatively created from this document would also carry the 
incorrect FOIA exemption or that the incorrect designation could cause 
problems if a denial is litigated. Additionally, when the document is 
reviewed for release to the public, the annotated FOIA exemption may 
cause the reviewer to believe that the document is automatically exempt 
from release and not perform a proper review. 

RECOMMENDATION 3: The GAO recommended that the Secretaries of Energy 
and Defense clarify all guidance regarding the OUO and FOUO 
designations to identify when the document should be marked as "OUO" or 
"FOUO"; and, to define what would be an inappropriate use of the 
designations "OUO" or "FOUO." (p. 14/GAO Draft Report): 

DOD RESPONSE: Concur. These requirements will be added to the guidance 
regarding FOUO information in the revision of DoD 5200.1-R that is 
underway. 

RECOMMENDATION 4: The GAO recommended that the Secretaries of Energy 
and Defense assure that all employees authorized to make OUO and FOUO 
designations receive an appropriate level of training before they can 
mark documents. (p. 14/GAO Draft Report): 

DOD RESPONSE: Concur. The revision to DoD 5200.1-R will specify that 
all personnel shall receive training that provides a basic 
understanding of the nature of controlled unclassified information and 
to ensure proper protection of such information in their possession. 

RECOMMENDATION 5: The GAO recommended that the Secretaries of Energy 
and Defense develop a system to conduct periodic oversight of OUO and 
FOUO designations to assure that information is being properly marked 
and handled and that a periodic review of the information is done to 
determine if the information continues to require an OUO/FOUO 
designation. (p. 14/GAO Draft Report): 

DOD RESPONSE: Partially Concur. The Department concurs with the 
recommendation to develop a system to conduct periodic oversight of 
FOUO designations and will include that requirement as part of the 
Information Security Program oversight process. The Department 
non-concurs with the requirement to conduct periodic reviews of FOUO 
information to determine if the information continues to require that 
designation. Except to the extent that FOUO information is included in 
a classification guide and is reviewed as part of a classified program 
requirement, such a review is not an efficient use of limited 
Departmental resources. Designation as FOUO does not limit information 
dissemination to the public but rather serves to inform DoD personnel 
that the information may qualify for withholding and that extra caution 
should be taken in handling the information. All DoD information, 
whether marked as FOUO or not, is specifically reviewed for release 
when disclosure to the public is desired by the Department or requested 
by others. Any erroneous or improper designation as FOUO is identified 
and corrected in this review process and the information released as 
appropriate. Thus, information is not withheld from the public based 
solely on the initial markings applied by the originator. Additionally, 
it is not clear that a sufficient number of FOUO designations would 
change with the passage of time to justify the resource expenditure as 
the basis for many of the exemptions is not time-related (e.g., 
proprietary, Privacy, statutory). 

[End of section] 

Appendix III: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Davi M. D'Agostino (202) 512-5431 or dagostinod@gao.gov: 
Gene Aloise (202) 512-3841 or aloisee@gao.gov: 

Acknowledgments: 

In addition to the contacts named above, Ann Borseth and Ned Woodward, 
Assistant Directors; Nancy Crothers; Doreen Feldman; Mattias Fenton; 
Adam Hatton; David Keefer; William Lanouette; Gregory Marchand; David 
Mayfield; James Reid; Marc Schwartz; Kevin Tarmann; Cheryl Weissman; 
and Jena Whitley made key contributions to this report. 

FOOTNOTES 

[1] Freedom of Information Act (5 U.S.C. § 552). 

[2] FOIA exemption 1 solely concerns classified information, which is 
governed by Executive Order; DOE and DOD do not include this category 
in their OUO and FOUO programs since the information is already 
restricted by each agency's classified information procedures. In 
addition, exemption 3 addresses information specifically exempted from 
disclosure by statute, which may or may not be considered OUO or FOUO. 
Information that is classified or controlled under a statute, such as 
Restricted Data or Formerly Restricted Data under the Atomic Energy 
Act, is not also designated as OUO or FOUO. 

[3] GAO, Transportation Security Administration: Clear Policies and 
Oversight Needed for Designation of Sensitive Security Information, 
GAO-05-677 (Washington, D.C.: June 29, 2005). 

[4] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). 

[5] Pub. L. No. 97-255 (Sept. 8, 1982). 

[6] DOE Order 471.3, Identifying and Protecting Official Use Only 
Information, contains responsibilities and requirements; DOE Manual 
471.3-1, Manual for Identifying and Protecting Official Use Only 
Information, provides instructions for implementing requirements; and 
DOE Guide 471.3-1, Guide to Identifying Official Use Only Information, 
provides information to assist staff in deciding whether information 
could be OUO. 

[7] DOE classification guides used for managing classified information 
sometimes include specific guidance on what information should be 
protected and managed as OUO. When such specific guidance is available 
to the employee, he or she is required to mark the document 
accordingly. 

[8] DOD 5400.7-R, DOD Freedom of Information Act Program (Sept. 4, 
1998); DOD 5200.1-R, Information Security Program (Jan. 14, 1997); and 
interim changes to DOD 5200.1-R, Information Security Regulation, 
Appendix 3: Controlled Unclassified Information (April 2004). 

[9] Similar language is included in DOD's policies regarding protection 
of national security information (DOD 5200.1-R, Information Security 
Program, (Jan. 14, 1997), sec. C2.4.3.1). DOE's policy for protecting 
national security information (DOE M 475.1-1A) makes reference to 
Executive Order 12958, as amended, which also has similar language. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: