This is the accessible text file for GAO report number GAO-06-385 
entitled 'Information Sharing: The Federal Government Needs to 
Establish Policies and Processes for Sharing Terrorism-Related and 
Sensitive but Unclassified Information' which was released on April 17, 
2006. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 

March 2006: 

Information Sharing: 

The Federal Government Needs to Establish Policies and Processes for 
Sharing Terrorism-Related and Sensitive but Unclassified Information: 

GAO-06-385:

GAO Highlights: 

Highlights of GAO-06-385, a report to congressional requesters 

Why GAO Did This Study: 

A number of initiatives to improve information sharing have been called 
for, including in the Homeland Security Act of 2002 and in the 
Intelligence Reform and Terrorism Prevention Act of 2004. The 2002 act 
required the development of policies for sharing classified and 
sensitive but unclassified homeland security information. The 2004 act 
called for the development of an Information Sharing Environment for 
terrorism information. 

This report examines (1) the status of efforts to establish 
government-wide information sharing policies and processes and (2) the universe of 
sensitive but unclassified designations used by the 26 agencies that 
GAO surveyed and their related policies and procedures. 

What GAO Found: 

More than 4 years after September 11, the nation still lacks 
governmentwide policies and processes to help agencies integrate the 
myriad of ongoing efforts, including the agency initiatives we 
identified, to improve the sharing of terrorism-related information 
that is critical to protecting our homeland. Responsibility for 
creating these policies and processes shifted initially from the White 
House to the Office of Management and Budget (OMB), and then to the 
Department of Homeland Security, but none has yet completed the task. 
Subsequently, the Intelligence Reform Act called for creation of an 
Information Sharing Environment, including governing policies and 
processes for sharing, and a program manager to oversee its 
development. In December 2005, the President clarified the roles and 
responsibilities of the program manager, now under the Director of 
National Intelligence, as well as the new Information Sharing Council 
and the other agencies in support of creating an Information Sharing 
Environment by December 2006. At the time of our review, the program 
manager was in the early stages of addressing this mandate. He issued 
an interim implementation report with specified tasks and milestones to 
Congress in January 2006, but soon after announced his resignation. 
This latest attempt to establish an overall information-sharing road 
map under the Director of National Intelligence, if it is to succeed 
once a new manager is appointed, will require the Director’s continued 
vigilance in monitoring progress toward meeting key milestones, 
identifying any barriers to achieving them, and recommending any 
necessary changes to the oversight committees. 

The agencies that GAO reviewed are using 56 different sensitive but 
unclassified designations (16 of which belong to one agency) to protect 
information that they deem critical to their missions—for example, 
sensitive law or drug enforcement information or controlled nuclear 
information. For most designations there are no governmentwide policies 
or procedures that describe the basis on which an agency should assign 
a given designation and ensure that it will be used consistently from 
one agency to another. Without such policies, each agency determines 
what designations and associated policies to apply to the sensitive 
information it develops or shares. More than half the agencies reported 
challenges in sharing such information. Finally, most of the agencies 
GAO reviewed have no policies for determining who and how many 
employees should have authority to make sensitive but unclassified 
designations, providing them training on how to make these 
designations, or performing periodic reviews to determine how well 
their practices are working. The lack of such recommended internal 
controls increases the risk that the designations will be misapplied. 
This could result in either unnecessarily restricting materials that 
could be shared or inadvertently releasing materials that should be 
restricted. 

What GAO Recommends: 

To provide for information-sharing policies and procedures, GAO 
recommends that the Director of National Intelligence (DNI) assess 
progress, address barriers, and propose changes, and that OMB work with 
agencies on policies, procedures, and controls to help achieve more 
accountability. OMB said that once ODNI completed its work, OMB would 
work with ODNI and all agencies on additional steps, if needed. ODNI 
declined to comment on our report, indicating that the subject matter 
is outside GAO’s purview. We disagree with this assessment because it 
does not accurately reflect the scope of GAO’s statutory authorities. 

www.gao.gov/cgi-bin/getrpt?GAO-06-385. 

The full product, including the scope and methodology, is available at 
the link above. For more information, contact David Powner, 
202-512-9286, pownerd@gao.gov, or Eileen Larence, 202-512-6510, 
larencee@gao.gov. 

[End of section]

Contents: 

Letter: 

Results in Brief: 

Background: 

The Nation Still Lacks the Governmentwide Policies and Processes Needed 
to Build an Integrated Terrorism-Related Information-Sharing Road Map, 
but Smaller-Scale Sharing Initiatives Are Under Way: 

The Large Number of Sensitive but Unclassified Designations and the 
Lack of Consistent Policies and Procedures for Their Use Make Sharing 
Information More Difficult: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Summary Information on Sensitive But Unclassified 
Designations by Agency: 

Appendix III: Comments from the Office of the Director of National 
Intelligence: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Summary of Key Federal Terrorism-Related Information-Sharing 
Authorities and Initiatives since September 11: 

Table 2: Sensitive but Unclassified Designations in Use at Selected 
Federal Agencies: 

Abbreviations: 

DHS: Department of Homeland Security: 
DNI: Director of National Intelligence: 
DOJ: Department of Justice: 
FBI: Federal Bureau of Investigation: 
FOIA: Freedom of Information Act: 
FOUO: For Official Use Only: 
ISE: Information Sharing Environment: 
IT: information technology: 
LES: Law Enforcement Sensitive: 
ODNI: Office of the Director of National Intelligence: 
OMB: Office of Management and Budget: 
PCII: Protected Critical Infrastructure Information: 
SBU: Sensitive But Unclassified: 
SSI: Sensitive Security Information: 

[End of section] 

United States Government Accountability Office: 

Washington, DC 20548: 

March 17, 2006: 

The Honorable Susan Collins: 
Chairman: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Tom Davis: 
Chairman, Committee on Government Reform: 
House of Representatives: 

The Honorable Todd Platts: 
Chairman: 
Subcommittee on Government Management, Finance, and Accountability: 
Committee on Government Reform: 
House of Representatives: 

The Honorable Christopher Shays: 
Chairman: 
Subcommittee on National Security, Emerging Threats, and International 
Relations: 
Committee on Government Reform: 
House of Representatives: 

The government's single greatest failure in the lead-up to the 
September 11, 2001, attacks was the inability of federal agencies to 
effectively share information about suspected terrorists and their 
activities, according to the former Vice Chair of the National 
Commission on Terrorist Attacks Upon the United States (9/11 
Commission). In addressing this problem, the commission recommended 
that the sharing and uses of information be guided by a set of 
practical policy guidelines for sharing that would simultaneously 
empower and constrain officials, clearly circumscribing what types of 
information they would be permitted to share as well as the types they 
would need to protect. Exchanging terrorism-related information 
continues to be a significant challenge for federal, state, and local 
governments--one that we recognize is not easily addressed. For these 
reasons, we recently added information sharing for homeland security to 
our list of federal programs and initiatives that pose a relatively 
high risk to the federal government and that GAO will continue to 
monitor.[Footnote 1] 

Recognizing that information-sharing weaknesses were a major 
contributing factor to the nation's lack of preparedness for the 
September 11 attacks, the President has called for a number of 
information-sharing initiatives driven by two statutory mandates--the 
Homeland Security Act of 2002[Footnote 2] and the Intelligence Reform 
and Terrorism Prevention Act of 2004 (Intelligence Reform 
Act).[Footnote 3] Section 892 of the Homeland Security Act, enacted in 
November 2002, requires that the President, among other things, 
prescribe and implement procedures under which federal agencies can 
share relevant and appropriate homeland security information with other 
federal agencies, including the Department of Homeland Security (DHS), 
and with appropriate state and local personnel, such as law enforcement 
agencies and first responders. In general, the act defines homeland 
security information as any information possessed by a federal, state, 
or local agency that relates to terrorist activities, suspected 
terrorists, or terrorist organizations, or information that will 
improve the response to terrorist acts. 

In December 2004, Congress mandated a more extensive 
information-sharing regime through section 1016 of the Intelligence Reform Act, 
which requires the President to take action to facilitate the sharing 
of terrorism information by establishing an Information Sharing 
Environment (ISE) that is to combine policies, procedures, and 
technologies that link people, systems, and information among all 
appropriate federal, state, local, and tribal entities and the private 
sector. The act also requires the President to, among other things, 
appoint a program manager to oversee development of the ISE and 
establishes an Information Sharing Council to support the President and 
the program manager--who is now part of the Office of the Director of 
National Intelligence (ODNI)--with advice on developing the policies, 
procedures, guidelines, roles, and standards necessary to implement and 
maintain the information-sharing environment. In general, the 
Intelligence Reform Act defines terrorism information as all 
information relating to foreign or international terrorist groups or 
individuals, or to domestic groups or individuals involved in 
transnational terrorism, including threats posed by such groups or 
individuals and communications of or by them, and includes groups or 
individuals reasonably believed to be associated with such groups or 
individuals. Subsequent to both of these laws, the President issued a 
series of executive orders and memorandums that delegated roles and 
responsibilities for achieving these mandates and set goals and 
objectives for improving the nation's ability to share homeland 
security information. 

Agencies must often balance the need to share sensitive information, 
including terrorism-related information, with the need to protect it 
from widespread access.[Footnote 4] Sensitive but unclassified 
information encompasses a large but unquantifiable amount of 
information--for example, security plans for federal agency 
buildings--and other information that does not meet the standards established by 
executive order for classified national security information but that 
an agency nonetheless considers sufficiently sensitive to warrant 
restricted dissemination. In determining what information to designate 
as sensitive but unclassified, agencies identify any information they 
believe must be safeguarded from public release. Such information could 
include, for example, information in the Department of Justice (DOJ) 
that is critical to a criminal prosecution. DOJ would protect this 
information from inappropriate dissemination by designating it Law 
Enforcement Sensitive and applying prescribed dissemination and 
handling procedures that correspond with the designation. The Office of 
Management and Budget (OMB) has primary governmentwide oversight 
responsibility for such information management and information security 
policies and programs. 

In response to your request to determine the status of 
information-sharing policy initiatives, we (1) determined the status of efforts to 
establish governmentwide policies and processes for sharing 
terrorism-related information between the federal government and its state, 
local, and private sector partners and (2) identified a universe of 
different sensitive but unclassified designations that agencies apply 
to terrorism-related and other sensitive information and determined the 
extent to which these agencies have policies and procedures in place to 
ensure their consistent use. To accomplish these objectives, we 
reviewed relevant laws, directives, and documents and interviewed 
appropriate officials, including those from ODNI, DHS, and OMB who are 
involved in federal information-sharing efforts. We also surveyed 26 
federal agencies on the types of sensitive but unclassified 
designations they use and whether they have policies, procedures, and 
protocols in place for using each designation.[Footnote 5] We 
aggregated the data by agency and sent it back to the agencies for a 
completeness and accuracy review. Appendix I provides further details 
on our objectives, scope, and methodology. We performed our work from 
May 2005 to February 2006 in accordance with generally accepted 
government auditing standards. 

Results in Brief: 

More than 4 years after September 11, the nation still lacks the 
governmentwide policies and processes that Congress called for to 
provide a framework for guiding and integrating the myriad of ongoing 
efforts to improve the sharing of terrorism-related information 
critical to protecting our homeland. In part, this is due to the 
difficulty of the challenge, as well as the fact that responsibility 
for creating these policies has shifted among various executive 
agencies. In response to the Homeland Security Act, the White House and 
OMB were involved in trying to develop guidance on information sharing. 
Then, in July 2003, the President delegated most of his 
responsibilities under section 892 of the act to the Secretary of the 
newly created DHS. Later, DHS decided to reassess its efforts because 
the more recent Intelligence Reform Act had required creation of an 
Information Sharing Environment, as part of a more extensive mandate 
for sharing terrorism information. Most recently, on December 16, 2005, 
the President issued a new memorandum that, among other things, 
established guidelines and requirements in support of the Information 
Sharing Environment. ODNI is in the early stages of addressing its 
information-sharing mandates and has issued an interim implementation 
plan to Congress in January 2006 that lays out a number of steps and 
deadlines for deliverables. According to the interim plan, a large 
amount of terrorism information is already stored electronically in 
systems, but there remains an unknown quantity of relevant information 
not captured and stored electronically. However, many users are not 
connected to these systems; the information about terrorists, their 
plans, and their activities is fragmentary. The interim plan states 
that the information-sharing environment will connect the smaller-scale 
information-sharing initiatives already under way, such as those we 
identified and discuss later in this report, to take advantage of and 
build upon what already exists. Accordingly, the President's December 
16, 2005, memorandum, after a number of unfulfilled initiatives, 
establishes an approach and time frames for responding to the mandates 
to develop governmentwide policies and procedures for information 
sharing. However, it is unclear what progress will be made because the 
ODNI program manager announced his resignation on January 26, 2006, and 
at the time of our review a new program manager had not been named. 
Once a new program manager is named, ensuring the success of this 
project will require support and vigilance from ODNI as well as the 
other agencies mentioned in the memorandum. Consequently, we are 
recommending that the Director of National Intelligence (DNI) assess 
progress toward meeting the milestones in the interim plan, identify 
and address any barriers to progress, and recommend to the 
congressional oversight committees with jurisdiction any necessary 
changes so that the goals of the mandates are achieved and the nation 
has the critical information it needs to protect the homeland. 

Federal agencies report using 56 different sensitive but unclassified 
designations (16 of which belong to one agency) to protect sensitive 
information--from law or drug enforcement information to controlled 
nuclear information--and agencies that account for a large percentage 
of the homeland security budget reported using most of these 
designations. There are no governmentwide policies or procedures that 
describe the basis on which agencies should use most of these sensitive 
but unclassified designations, explain what the different designations 
mean across agencies, or ensure that they will be used consistently 
from one agency to another. In this absence, each agency determines 
what designations to apply to the sensitive but unclassified 
information it develops or shares. For example, one agency uses the 
Protected Critical Infrastructure Information designation, which has 
statutorily prescribed criteria for applying, sharing and protecting 
the information, whereas 13 agencies designate information For Official 
Use Only, which does not have similarly prescribed criteria. Sometimes 
agencies used different labels and handling requirements for similar 
information and, conversely, similar labels and requirements for very 
different kinds of information. More than half of the agencies reported 
encountering challenges in sharing such information. For example, DHS 
said that sensitive but unclassified information disseminated to its 
state and local partners had, on occasion, been posted to public 
Internet sites or otherwise compromised, potentially revealing possible 
vulnerabilities to business competitors. 

Finally, most agencies do not have limits on who and how many employees 
have authority to make designations, nor do they have policies for 
providing training to employees on making designations or performing 
periodic reviews. Nor are there governmentwide policies that require 
such internal control practices. Not having these recommended internal 
controls for effective programs in place increases the probability that 
the designations could be misapplied, potentially restricting the 
sharing of material unnecessarily or resulting in dissemination of 
information that should be restricted. To address this situation, the 
President in his December 16, 2005, memo gave agencies 90 days to 
inventory their sensitive but unclassified procedures and report them 
to the DNI. In carrying out the President's December 16, 2005, mandate, 
we are recommending that the DNI and the Director of OMB use the 
results of our work to validate the inventory of designations agencies 
are required to provide under the memorandum and develop a policy that 
consolidates designations where possible and addresses the consistent 
application across agencies. For any designations agencies use, we are 
also recommending that the Director of OMB, in his oversight role with 
respect to federal information management, work with other agencies to 
develop and issue a directive requiring that agencies have internal 
controls in place that meet GAO's Standards for Internal Control in the 
Federal Government--including implementing guidance, training, and 
review processes--for effective sensitive but unclassified 
programs.[Footnote 6] 

We requested comments on a draft of this report from the Director of 
OMB and the DNI or their designees. OMB neither agreed nor disagreed 
with our findings and recommendations. OMB commented that once the 
program manager and others completed their work to establish 
governmentwide policies, procedures, or protocols to guide the sharing 
of information as it relates to terrorism and homeland security, they 
would work with the program manager and all agencies to determine what 
additional steps are necessary, if any. ODNI, however, declined to 
comment on our draft report, stating that review of intelligence 
activities is beyond GAO's purview (see app. III). We do not agree with 
this assessment. In any event, GAO has broad statutory authority to 
review federal programs and activities--including matters related to 
intelligence activities. 

Background: 

Information sharing is essential to enhance the security of our nation 
and is a key element in developing comprehensive and practical 
approaches to defending against potential terrorist attacks. Having 
information on threats, vulnerabilities, and incidents can help an 
agency better understand the risks and determine what preventative 
measures should be implemented. The ability to share such 
terrorism-related information can also unify the efforts of federal, state, and 
local government agencies, as well as the private sector in preventing 
or minimizing terrorist attacks. 

The national commission appointed by members of Congress and the 
President after the September 11 terrorist attacks (the 9/11 
Commission) recognized the critical role of information sharing to the 
reinvigorated mission to protect the homeland from future attacks. In 
its final report, the commission acknowledged the government has vast 
amounts of information but a weak system for processing and using it. 
The commission called on the President to provide incentives for 
sharing, restore a better balance between security and shared 
knowledge, and lead a governmentwide effort to address shortcomings in 
this area. 

Since 2001, the President has called for a number of terrorism-related 
information-sharing initiatives in response to legislative mandates 
passed by Congress. Relatedly, over the past several years, we have 
identified potential information-sharing barriers, critical success 
factors, and other key management issues, including the processes, 
procedures, and systems to facilitate information sharing between and 
among government entities and the private sector. Efforts to promote 
more effective sharing of terrorism-related information must also 
balance the need to protect and secure it. The executive branch has 
established requirements for protecting information that is deemed to 
be critical to our national security. 

Laws and Executive Orders Have Established Requirements to Improve 
Information Sharing since 2001: 

Since the information-sharing weaknesses of September 11, the President 
and the Administration have called for a number of terrorism-related 
information-sharing initiatives driven predominately by two statutory 
mandates--the Homeland Security Act of 2002[Footnote 7] and the 
Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence 
Reform Act).[Footnote 8] Section 892 of the Homeland Security Act 
requires that the President, among other things, prescribe and 
implement procedures under which federal agencies can share relevant 
homeland security information, as defined in the Homeland Security Act, 
with other federal agencies, including DHS, and with appropriate state 
and local personnel, such as law enforcement. Congress subsequently 
mandated a more extensive information-sharing regimen through section 
1016 of the Intelligence Reform Act, requiring that the President take 
action to facilitate the sharing of terrorism information, as defined 
in the act, by establishing an Information Sharing Environment (ISE) 
that will combine policies, procedures, and technologies that link 
people, systems, and information among all appropriate federal, state, 
local, and tribal entities, and the private sector. The act also 
requires the President to, among other things, appoint a program 
manager to oversee development of the ISE and establishes an 
Information Sharing Council to support the President and the program 
manager with advice on developing the policies, procedures, guidelines, 
roles, and environment. Together, the mandates call for initiatives 
designed to facilitate the sharing of terrorism-related 
information--which encompasses both homeland security and terrorism 
information--within and among all appropriate federal, state, local, and tribal 
entities, and the private sector. These and other actions are explained 
in more detail in table 1. 

Table 1: Summary of Key Federal Terrorism-Related Information-Sharing 
Authorities and Initiatives since September 11: 

Date: Oct. 8, 2001; 
Policy action: Executive Order 13228; 
Description: Established the Office of Homeland Security to, among 
other things, identify priorities and coordinate efforts for collection 
and analysis of information, and facilitate the dissemination and 
exchange of information. 

Date: Oct. 26, 2001; 
Policy action: USA PATRIOT Act[A]; 
Description: Mandated broader use of information sharing, access, and 
dissemination. 

Date: July 16, 2002; 
Policy action: National Strategy for Homeland Security; 
Description: Identified information sharing as a foundational element 
in protecting from, preventing, and responding to potential acts of 
terrorism. 

Date: Nov. 25, 2002; 
Policy action: Homeland Security Act of 2002; 
Description: Created the Department of Homeland Security; Among other 
things, section 892 defines homeland security information as any 
information possessed by a federal, state, or local agency that (a) 
relates to the threat of terrorist activity; (b) relates to the ability 
to prevent, interdict, or disrupt terrorist activity; (c) would improve 
the identification or investigation of a suspected terrorist or 
terrorist organization; or (d) would improve the response to a 
terrorist threat. It also requires the President to prescribe and 
implement procedures under which relevant federal agencies (a) share 
relevant and appropriate homeland security information with other 
federal agencies and appropriate state and local personnel; (b) 
identify and safeguard homeland security information that is sensitive 
but unclassified; and (c) to the extent such information is in 
classified form, determine whether, how, and to what extent to remove 
classified information, as appropriate, and with which such personnel 
it may be shared after such information is removed; Section 893 
required that the President report, no later than 12 months after 
enactment, on the implementation of section 892. The report was to 
include any recommendations for additional measures or appropriation 
requests to increase the effectiveness of sharing information between 
and among federal, state, and local entities. 

Date: July 29, 2003; 
Policy action: Executive Order 13311; 
Description: Assigned most of the President's information-sharing 
responsibilities under section 892 of the Homeland Security Act to the 
Secretary of DHS. 

Date: Aug. 27, 2004; 
Policy action: Executive Order 13355; 
Description: Directed the Director of Central Intelligence to establish 
common security and access standards for managing and handling 
intelligence systems, information, and products with special emphasis 
on facilitating the fullest and most prompt sharing of information 
practicable and the establishment of interface standards for an 
interoperable information-sharing enterprise. 

Date: Aug. 27, 2004; 
Policy action: Executive Order 13356; (later revoked by Executive Order 
13388); 
Description: Required the Director of Central Intelligence, in 
consultation with the Attorney General and other heads of agencies 
within the intelligence community, to develop within 90 days common 
standards for sharing terrorism information, as defined in the order; 
Established an Information Systems Council, to be chaired by a designee 
of the OMB Director, to plan for and oversee the establishment of an 
interoperable terrorism information-sharing environment. 

Date: Aug. 27, 2004; 
Policy action: Homeland Security Presidential Directive-11; 
Description: Called for a coordinated and comprehensive approach to 
terrorist-related screening that supports homeland security; Required 
that DHS, in coordination with other federal departments and agencies, 
report within 75 days on plans and progress for enhancing 
terrorist-related screening, including mechanisms for sharing information among 
screeners and all relevant government agencies. 

Date: Dec. 17, 2004; 
Policy action: Intelligence Reform and Terrorism Prevention Act of 2004 
(Intelligence Reform Act); 
Description: Established the Office of the Director of National 
Intelligence; Section 1016 defines terrorism information as all 
information--whether collected, produced, or distributed--by 
intelligence, law enforcement, military, homeland security, or other 
activities relating to (a) the existence, organization, capabilities, 
plans, intentions, vulnerabilities, means of finance or material 
support, or activities of foreign or international terrorist groups or 
individuals, or of domestic groups or individuals involved in 
transnational terrorism; (b) threats posed by such groups or 
individuals to the United States, United States persons, or United 
States interests, or those of other nations; (c) communications of or 
by such groups or individuals; or (d) groups or individuals reasonably 
believed to be assisting or associated with such groups or individuals; 
Section 1016 also requires the President to establish an ISE for 
terrorism information and to designate a program manager who will, 
among other things, plan for and oversee implementation of the ISE. It 
further establishes an Information Sharing Council to assist the 
President and program manager in their duties under the section. 

Date: October 25, 2005; 
Policy action: Executive Order 13388; 
Description: Directs agencies to give the highest priority in their 
design and use of information systems and in the dissemination of 
information among agencies to, among other things, facilitate the 
interchange of terrorism information among agencies and between 
agencies and appropriate authorities of state, local and tribal 
governments, and between agencies and appropriate private sector 
entities; Established an Information Sharing Council, chaired by the 
program manager, pursuant to section 1016 of the Intelligence Reform 
Act; Formally revoked Executive Order 13356 but called for the use of 
standards and plans developed pursuant to that order to facilitate the 
expeditious and effective implementation of policies set forth in the 
present order. 

Date: December 16, 2005; 
Policy action: Memorandum from the President for the Heads of Executive 
Departments and Agencies, Subject: Guidelines and Requirements in 
Support of the Information Sharing Environment (ISE); 
Description: The memorandum directs the DNI to leverage ongoing 
information-sharing efforts in developing the ISE and provides 
information-sharing guidelines for: (a) defining common standards for 
how information is acquired, accessed, shared, and used within the ISE; 
(b) developing a common framework for sharing information between and 
among federal agencies; state, local, and tribal governments; law 
enforcement agencies; and the private sector; (c) standardizing the 
procedures for sensitive but unclassified information; (d) facilitating 
the sharing of information between federal agencies and foreign 
governments; and (e) protecting the information privacy rights and 
other legal rights of Americans. It also requires that heads of federal 
agencies actively work to promote a culture of information sharing 
within their respective agencies; To standardize the procedures for 
sensitive but unclassified information, the memorandum requires that 
all agencies inventory their sensitive but unclassified procedures, 
determine the underlying authority for each procedure, and assess the 
effectiveness of their existing procedures. Recommendations for 
standardizing the procedures, based on this information, will 
subsequently be submitted to the President. 

Source: GAO analysis. 

[A] Public Law 107-56. 

[End of table]

Our Prior Work Identified Challenges in Information Sharing: 

In January 2005, GAO designated information sharing for homeland 
security as a governmentwide high-risk area because, although it was 
receiving increased attention, this area still faced significant 
challenges. Since 1998, we have recommended the development of a 
comprehensive plan for information sharing to support critical 
infrastructure protection efforts.[Footnote 9] Key elements of our 
recommendation can be applied to broader terrorism-related information 
sharing, including clearly delineating the roles and responsibilities 
of federal and nonfederal entities, defining interim objectives and 
milestones, and establishing performance metrics. Over the past several 
years, we have also issued several reports on challenges related to 
information sharing. 

* In June 2005, we reported that as federal agencies worked with state 
and local public health agencies to improve the public health 
infrastructure's ability to respond to terrorist threats, including 
acts of bioterrorism, they faced several challenges.[Footnote 10] 
First, the national health information technology (IT) strategy and 
federal health architecture were still being developed. Second, 
although federal efforts continue to promote the adoption of data 
standards, developing such standards and then implementing them were 
challenges for the health care community. Third, these initiatives 
involved the need to coordinate among federal, state, and local public 
health agencies, but establishing effective coordination among the 
large number of disparate agencies would be a major undertaking. 

* In May 2005, we reported that DHS had undertaken numerous initiatives 
to foster partnerships and enhance information sharing with other 
federal agencies, state and local governments, and the private sector 
concerning cyber attacks, threats, and vulnerabilities, but it still 
needed to address underlying barriers to information sharing.[Footnote 
11] At that time, critical infrastructure sector representatives 
identified as barriers to sharing information with the government fear 
of release of sensitive information, uncertainty about how the 
information would be used or protected, lack of trust in DHS, and 
inconsistency in the usefulness of the information shared by DHS. We 
made recommendations to the Secretary of Homeland Security to 
strengthen the department's ability to implement key cybersecurity 
responsibilities by completing critical activities and resolving 
underlying challenges. 

* In September 2004, we reported that nine federal agencies had 
identified 34 major networks--32 operational and 2 in development-- 
supporting homeland security functions, including information 
sharing.[Footnote 12] The total cost of the networks for which cost 
estimates were available was approximately $1 billion per year for 
fiscal years 2003 and 2004. Among the networks identified, DHS's 
Homeland Secure Data Network appeared to be a significant initiative 
for future sharing of classified homeland security information among 
civilian agencies and DOD. 

* In July 2004, we reported on the status of the information sharing 
and analysis centers that were voluntarily created by the private 
sector owners of critical infrastructure assets to provide an 
information-sharing and analysis capability.[Footnote 13] The 
information-sharing center community had identified a number of 
challenges, including increasing participation, building a trusted 
relationship, and sharing information between the federal government 
and the private sector. We recommended that DHS proceed with the 
development of an information-sharing plan that, among other things, 
defines the roles and responsibilities of the various stakeholders and 
establishes criteria for providing the appropriate incentives to 
address the challenges. 

* In October 2001, we identified critical success factors and 
challenges in building successful information-sharing 
relationships.[Footnote 14] In addition, we identified practices that 
could be applied to other entities trying to develop the means of 
appropriately sharing information. One of the most difficult challenges 
to effective information sharing we identified was overcoming new 
entities' initial reluctance to share. Among the best practices we 
identified were (1) establishing trusted relationships with a wide 
variety of federal and nonfederal entities that may be in a position to 
provide potentially useful information and advice, (2) developing 
standards and agreements on how shared information will be used and 
protected, and (3) taking steps to ensure that sensitive information is 
not inappropriately disseminated. 

The Federal Government Has Established Mechanisms to Protect Sensitive 
Information: 

The federal government utilizes a variety of policies and procedures, 
whether prescribed by statute, executive order, or other authority, to 
limit dissemination and protect against the inadvertent disclosure of 
sensitive information. For information the government considers 
critical to our national security, the government may take steps to 
protect such information by classifying it--for example, Top Secret, 
Secret, or Confidential--pursuant to criteria established by executive 
order.[Footnote 15] The executive order prescribes uniform standards 
for making all classification decisions across the federal government. 
Specifically, it prescribes the categories of information that warrant 
classification, establishes criteria for persons with classification 
authority, limits the duration of classification decisions, establishes 
procedures for declassifying or downgrading classified information, 
prescribes standards for identifying and safeguarding classified 
materials, requires that agencies prepare classification guides to 
facilitate proper and uniform classification decisions, and provides 
for oversight of agency classification decisions. 

Information that does not meet the standards established by executive 
order for classified national security information but that an agency 
nonetheless considers sufficiently sensitive to warrant restricted 
dissemination is generally referred to as sensitive but unclassified. 
In designating information this way, agencies determine that the 
information they use must therefore be safeguarded from public release. 
Such information could include, for example, information at DOJ that is 
critical to a criminal prosecution. DOJ would protect this information 
from inappropriate dissemination by identifying it with a designation, 
such as Law Enforcement Sensitive, and prescribing restricted handling 
procedures for information with this designation. Some specific 
designations--such as Sensitive Security Information (SSI), used for 
certain transportation-related information, and Protected Critical 
Infrastructure Information (PCII), used for information that has been 
voluntarily submitted to DHS by the private sector and is related to 
the security of the nation's critical infrastructure--have a specific 
basis in statute, but many other designations that agencies use do not. 
For example, some agencies use the provisions of the Freedom of 
Information Act (FOIA),[Footnote 16] which establishes the public's 
legal right of access to government information but also enables the 
government to withhold certain information from public release, as 
their basis for designating information sensitive but unclassified. OMB 
has primary governmentwide oversight responsibility for information 
management and information security.[Footnote 17] 

The Nation Still Lacks the Governmentwide Policies and Processes Needed 
to Build an Integrated Terrorism-Related Information-Sharing Road Map, 
but Smaller-Scale Sharing Initiatives Are Under Way: 

No governmentwide policies or processes have been established by the 
executive branch to date to define how to integrate and manage the 
sharing of terrorism-related information across all levels of 
government and the private sector despite legislation and executive 
orders dating back to September 11. This is due, in part, to the 
difficulty of the challenge, as well as the fact that responsibility 
for creating these policies has shifted among various executive 
agencies. Most recently, in December 2005, the President once again 
tried to better clarify the roles and responsibilities of the ODNI 
program manager, Information Sharing Council, DHS, and other agencies 
in support of the Information Sharing Environment (ISE). The program 
manager is in the early stages of addressing the mandate and issued an 
interim implementation plan to Congress in January 2006 that lays out a 
number of steps and deadlines for deliverables. However, until 
governmentwide policies and processes on sharing are in place, the 
federal government will lack a comprehensive road map to improve the 
exchange of critical information needed to protect the homeland. 

Chronology of Efforts to Develop Governmentwide Policies and Processes 
to Facilitate Terrorism-Related Information Sharing Demonstrates a 
Series of Unfulfilled Initiatives and the Complexity of the Challenge: 

Following September 11, the White House and OMB first began to work on 
information-sharing policies. Following passage of the Homeland 
Security Act in November 2002, the presidential responsibility for 
developing policies and processes for information sharing under section 
892 of the act was not immediately assigned. 

* On July 29, 2003, the President issued Executive Order 13311 
delegating to the Secretary of DHS the responsibility to create and 
implement policies for sharing sensitive homeland security information, 
and to report to Congress by November 2003 on implementation of section 
892 of the Homeland Security Act. 

* DHS began its efforts, but did not provide the implementation report 
to Congress until February 2004. The report primarily discussed several 
small-scale efforts within DHS associated with sensitive but 
unclassified information. It did not provide recommendations for 
additional legislative measures to increase the effectiveness of the 
sharing of information between and among federal, state, and local 
entities. The report concluded that to avoid uncertainty and confusion, 
federal agencies must have a consistent set of policies and procedures 
for identifying the information to be shared as well as to be 
safeguarded, but it did not define those policies and procedures or 
DHS's actions to develop them. 

* Subsequently, DHS developed a notice of proposed rule making laying 
out a proposed policy framework to govern sharing sensitive homeland 
security information in response to the mandate, but after internal 
Executive Branch review it was not formally transmitted to OMB and, 
according to DHS officials, it was never issued. 

* When the new Secretary assumed leadership of DHS in February 2005, a 
reassessment of the proposed rule making was requested in part to 
assure harmonization with the related requirements of the more recent 
Intelligence Reform Act, according to DHS's Deputy Director for 
Information Sharing and Collaboration. 

Then, in response to the December 2004 Intelligence Reform Act, the 
President issued a series of directives to better clarify 
responsibilities and time frames for achieving a governmentwide road 
map for information sharing. 

* On April 15, 2005, the President designated a program manager 
responsible for information sharing across the federal government, as 
required by the Intelligence Reform Act. 

* On June 2, 2005, the President issued a memorandum directing that 
during the initial 2-year term of the program manager, the DNI would 
exercise authority, direction, and control over the program manager. 
The memorandum also directed the DNI to provide the program manager all 
personnel, funds, and other resources as assigned. The Intelligence 
Reform Act had authorized an appropriation of $20 million for each of 
fiscal years 2005 and 2006. 

* On October 25, 2005, the President issued Executive Order 13388, 
which established, among other things, priorities for facilitating the 
sharing of terrorism information and an Information Sharing Council, 
chaired by the program manager. The order also revoked the President's 
earlier direction, Executive Order 13356, which had addressed similar 
issues and imposed similar requirements with respect to the Director 
of Central Intelligence, OMB, and other agencies. The present order, 
however, calls for the use of standards and plans developed pursuant to 
the revoked order. 

* In November 2005, the new Information Sharing Council, tasked with 
planning for and overseeing the establishment of an ISE for sharing 
terrorism information, had its first meeting and took over for the 
former Information Systems Council that OMB had chaired. 

* On December 16, 2005, the President issued a memorandum providing 
guidance and imposing requirements on the heads of all executive 
departments and agencies in support of the development of the ISE. The 
memo delineates roles and responsibilities and sets deadlines 
for an effort to leverage ongoing efforts consistent with establishing 
the ISE as required by the Intelligence Reform Act and in accordance 
with requirements of the Homeland Security Act and related executive 
orders. For example, the memorandum requires the program manager, in 
consultation with the council, to conduct and complete, within 90 days 
of the memorandum's issuance, a comprehensive evaluation of existing 
resources pertaining to terrorism information sharing employed by 
individual or multiple executive departments and agencies. It also 
tasked the ODNI with developing the policies, procedures, and 
architectures needed to create the ISE by December 16, 2006. 

The ODNI Is in the Early Stages of Addressing the Intelligence Reform 
Act Mandate, but Establishing the Required Information-Sharing 
Requirements Will Be a Challenge: 

ODNI is in the early stages of addressing the mandate under the 
Intelligence Reform Act to create an ISE. Soon after the appointment of 
the program manager in April 2005, he issued a preliminary report on 
its plans to establish the ISE as required by the act. The program 
manager later outlined the priorities for his office's work in 
establishing the ISE: 

* clarifying the differing standards among agencies for the designation 
and dissemination of terrorism information, 

* ensuring two-way flow of information from the federal level to the 
state and local level as well as from state and local agencies to the 
federal level, 

* providing fast-paced, value-added dissemination of information and 
informational expertise from the intelligence community, 

* overcoming the hesitancy of the intelligence community to share 
information, 

* ensuring the protection of information privacy and other legal rights 
of Americans, and 

* identifying and removing impediments to information sharing. 

On January 9, 2006, ODNI issued an Information Sharing Environment 
Interim Implementation Plan to Congress that lays out a number of steps 
and deadlines for deliverables. ODNI noted in the interim plan the need 
for more time to develop the final implementation plan because the 
Intelligence Reform Act requirements call for detailed answers that can 
be provided only after significant coordination between the program 
manager and all departments and agencies that are ultimately 
responsible for implementing the ISE. In the plan, ODNI acknowledged 
that it recognizes the value and challenge in building ownership for 
the ISE among all of the federal agencies that have a role in homeland 
security. The plan also stated that adding to the complexity of the 
task is the fact that the needs of state, local, and tribal governments 
and private sector entities must also be taken into account. 
ODNI plans to issue a more comprehensive implementation plan to 
Congress in July 2006. 

The interim plan noted that while a large amount of terrorism 
information is already stored electronically in systems, many users are 
not connected to those systems. In addition, there remains an unknown 
quantity of relevant information not captured and stored 
electronically. Thus, the information about terrorists, their plans, 
and their activities is fragmentary. The interim plan states that the 
ISE will connect disparate electronic storehouses to take advantage of 
what already exists. Additionally, it will provide mechanisms for 
capturing and providing access to terrorism information not currently 
available electronically. According to the interim plan, ISE 
implementation will be based on a three-pronged strategy: 

* Implementation of the presidential guidelines and requirements. 

* Support and augmentation for existing information-sharing 
environments, such as the National Counterterrorism Center (NCTC). NCTC 
was selected to serve as one of the initial information-sharing 
environments because it is the primary organization in the U.S. 
government for analyzing and integrating all information pertaining to 
terrorism and counterterrorism.[Footnote 18] Moreover, DHS and DOJ will 
identify one or more environments run by states and major urban areas 
for evaluation of the effectiveness of the flow of terrorism 
information between federal, state and local governments and the 
private sector. 

* A process for integrating the President's guidelines and requirements 
with the needs of the broader ISE, which includes addressing the 
overall ISE's functions, capabilities, resources, conceptual design, 
architecture, budget, and performance management process. 

While recognizing that creating a fully functioning ISE will take time, 
the interim plan includes a schedule for completing a number of key 
milestones. For example, by June 14, 2006, the program manager and the 
Director of NCTC are to have conducted a comprehensive review of all 
agency missions, roles, and responsibilities related to any aspects of 
information sharing, especially sharing with state, local, and private 
entities; developed and disseminated information-sharing standards 
across the federal, state, local, and private sectors; developed 
recommendations for sharing with foreign partners and allies; developed 
privacy guidelines to govern sharing; developed guidelines, training, 
and incentives to hold personnel accountable for improved information 
sharing; and developed the ISE investment strategy, among other things. 

As part of its efforts to provide end-user input to the technical 
development of the ISE, ODNI plans to continue to expand the use of 
information access pilot programs at the state and local levels. 
Currently, ODNI has two ongoing information-sharing technology pilot 
programs involving the Federal Bureau of Investigation (FBI) and the 
Department of Energy (DOE). The FBI's New York Field Office's Special 
Operations Division is using handheld wireless devices for field 
operations to facilitate enhanced communications among counterterrorism 
personnel by providing rapid wireless access to sensitive but 
unclassified data sources. DOE is sponsoring a pilot project that will 
apply technical analytic expertise to intelligence pertaining to 
nuclear terrorism. The project has established a core group of nuclear 
expert analysts, across five national laboratories, whose focus is on 
providing both long-term, strategic analysis of potential sources of 
nuclear terrorism and better short-term tactical intelligence on this 
issue. Central to the success of this effort is the sharing of all 
relevant sensitive information with these laboratories. 

Despite this progress, when the program manager testified before the 
Subcommittee on Intelligence, Information Sharing, and Terrorism Risk 
Assessment, Committee on Homeland Security, in November 2005, he 
expressed concern about whether he had enough resources to meet the 
mandates in the Intelligence Reform Act. For example, he said that for 
2006, he did not have a budget line item and was continuing to work 
with the DNI on his budget. The Intelligence Reform Act authorized $20 
million for fiscal year 2006, but the program manager said he needed 
$30 million a year at a minimum. At the time, the program manager also 
said that although he planned to have a staff of 25, he had only 11 
federal employees and 6 contractors on board. On January 26, 2006, the 
program manager announced his resignation from his position. At the 
time of our review, a new program manager had not yet been appointed. 
Once a new program manager is named, it will be important for the DNI 
to monitor milestones set in the interim implementation plan; identify 
any barriers to achieving the milestones, such as insufficient 
resources; and recommend to the oversight committees with jurisdiction 
any necessary changes to the organizational structure or approach to 
the ISE. 

Many Agencies Are Taking Small-Scale Actions to Improve the Sharing of 
Terrorism-Related Information: 

Despite the lack of governmentwide policies and procedures for 
information sharing, many agencies have their own information-sharing 
initiatives under way. The following are examples of agency-based 
terrorism-related information-sharing efforts. 

* The FBI leads Joint Terrorism Task Forces, which are one of the means 
by which the FBI shares information with federal, state, and local law 
enforcement agencies and officers. At the time of our review, the FBI 
had 103 Joint Terrorism Task Forces around the country, staffed by 
bureau officers as well as state and local law enforcement officers. 
The mission of the task forces is to respond to terrorism by combining 
the national and international investigative resources of federal 
agencies with the street-level expertise of state and local law 
enforcement agencies. 

* The FBI and DHS also collaborate to circulate sensitive intelligence 
information, through bulletins, to state and local officials. These 
bulletins are intended to alert state and local governments to 
information that is being noted at the federal level. As part of this 
effort, they have provided state and local officials guidance about 
appropriate control and sharing of this information. 

Multiple other mechanisms exist to share terrorism-related information. 
For example, through our prior work in 2004 we have identified at least 
34 major networks that support homeland security functions.[Footnote 
19] Some of the major technology systems we identified in this review 
and in our other work are described below: 

* DHS's Homeland Secure Data Network grew out of a former U.S. Customs 
Service system that was consolidated with the DHS IT network when the 
department was created. The system is composed of secure network 
connections on a data communications framework that connects users to 
data centers to allow them to share intelligence and other information 
securely. The network is eventually intended to connect 600 
geographically dispersed DHS intelligence-gathering units; operational 
components; and other federal, state, and local agencies involved in 
homeland security activities. 

* The DOJ Regional Information Sharing System (RISS) links thousands of 
local, state, and federal law enforcement agencies throughout the 
nation, providing secure communications, information-sharing resources, 
and investigative support to combat multijurisdictional crime and 
terrorist threats. RISS was integrated with the DOJ Law Enforcement 
Online system in 2002 and with the Automated Trusted Information 
Exchange in 2003, to provide users with access to homeland security, 
disaster, and terrorist threat information. 

One of the first steps ODNI plans to undertake in developing the ISE is 
to perform a review of the existing systems such as these so that it 
can leverage what has already been done and find ways to connect 
existing systems. 

The Large Number of Sensitive but Unclassified Designations and the 
Lack of Consistent Policies and Procedures for Their Use Make Sharing 
Information More Difficult: 

Federal agencies[Footnote 20] report that they are using a total of 56 
different designations[Footnote 21] for information they determined is 
sensitive but unclassified, and agencies that account for a large 
percentage of the homeland security budget reported using most of these 
designations.[Footnote 22] There are no governmentwide policies or 
procedures that describe the basis on which agencies should designate, 
mark, and handle this information. In this absence, the agency 
determines what designations to apply to its sensitive but unclassified 
information. Such inconsistency can lead to challenges in information 
sharing. In fact, more than half of the agencies reported encountering 
challenges in sharing sensitive but unclassified information. 
Furthermore, most agencies do not determine who and how many employees 
can make such designations, provide them training on how to do so, or 
perform periodic reviews of how well their practices are working, nor 
are there governmentwide policies that require such internal control 
practices. Without guidance and monitoring, there is a 
probability that the designation will be misapplied, potentially 
restricting material unnecessarily or resulting in dissemination of 
information that should be restricted. 

Agencies Report Using 56 Different Designations for Sensitive but 
Unclassified Information: 

As table 2 shows, agencies reported using 56 different designations to 
identify categories of sensitive but unclassified information-- 
including, for example, For Official Use Only (FOUO) and Protected 
Critical Infrastructure Information (PCII). Most of these designations 
are in use by agencies that account for a large percentage of the 
homeland security budget (those shown in bold in the table). However, 
other agencies in the list, such as the Environmental Protection Agency 
(EPA) and the U.S. Department of Agriculture (USDA), also have homeland 
security-related sensitive but unclassified information. The numerous 
designations can be confusing for recipients of this information, such 
as state and local law enforcement agencies, which must understand and 
protect the information according to each agency's own rules. 

Table 2: Sensitive but Unclassified Designations in Use at Selected 
Federal Agencies. 

Designation: 1. Applied Technology; 
Agencies using designation: *Department of Energy (DOE). 

Designation: 2. Attorney-Client Privilege; 
Agencies using designation: Department of Commerce (Commerce), *DOE. 

Designation: 3. Business Confidential; 
Agencies using designation: *DOE. 

Designation: 4. Budgetary Information; 
Agencies using designation: Environmental Protection Agency (EPA). 

Designation: 5. Census Confidential; 
Agencies using designation: Commerce. 

Designation: 6. Confidential Information Protection and Statistical 
Efficiency Act Information (CIPSEA); 
Agencies using designation: Social Security Administration (SSA). 

Designation: 7. Computer Security Act Sensitive Information (CSASI); 
Agencies using designation: Department of Health and Human Services 
(HHS). 

Designation: 8. Confidential[A]; 
Agencies using designation: Department of Labor. 

Designation: 9. Confidential Business Information (CBI); 
Agencies using designation: Commerce, EPA. 

Designation: 10. Contractor Access Restricted Information (CARI); 
Agencies using designation: HHS. 

Designation: 11. Copyrighted Information; 
Agencies using designation: *DOE. 

Designation: 12. Critical Energy Infrastructure Information (CEII); 
Agencies using designation: Federal Energy Regulatory Commission 
(FERC). 

Designation: 13. Critical Infrastructure Information; 
Agencies using designation: Office of Personnel Management (OPM). 

Designation: 14. DEA Sensitive; 
Agencies using designation: Department of Justice (DOJ). 

Designation: 15. DOD Unclassified Controlled Nuclear Information; 
Agencies using designation: Department of Defense (DOD). 

Designation: 16. Draft; 
Agencies using designation: EPA. 

Designation: 17. Export Controlled Information; 
Agencies using designation: *DOE. 

Designation: 18. For Official Use Only (FOUO); 
Agencies using designation: Commerce, DOD, Department of Education, 
EPA, General Services Administration, HHS, DHS, Department of Housing 
and Urban Development (HUD), DOJ, Labor, OPM, SSA, and the Department 
of Transportation (DOT). 

Designation: 19. For Official Use Only--Law Enforcement Sensitive; 
Agencies using designation: DOD. 

Designation: 20. Freedom of Information Act (FOIA); 
Agencies using designation: EPA. 

Designation: 21. Government Confidential Commercial Information; 
Agencies using designation: *DOE. 

Designation: 22. High-Temperature Superconductivity Pilot Center 
Information; 
Agencies using designation: *DOE. 

Designation: 23. In Confidence; 
Agencies using designation: *DOE. 

Designation: 24. Intellectual Property; 
Agencies using designation: *DOE. 

Designation: 25. Law Enforcement Sensitive; 
Agencies using designation: Commerce, EPA, DHS, DOJ, HHS, Labor, OPM. 

Designation: 26. Law Enforcement Sensitive/Sensitive; 
Agencies using designation: DOJ. 

Designation: 27. Limited Distribution Information; 
Agencies using designation: DOD. 

Designation: 28. Limited Official Use (LOU); 
Agencies using designation: DHS, DOJ, Department of Treasury. 

Designation: 29. Medical records; 
Agencies using designation: EPA. 

Designation: 30. Non-Public Information; 
Agencies using designation: FERC. 

Designation: 31. Not Available National Technical Information Service; 
Agencies using designation: Commerce. 

Designation: 32. Official Use Only (OUO); 
Agencies using designation: DOE, SSA, Treasury. 

Designation: 33. Operations Security Protected Information (OSPI); 
Agencies using designation: HHS. 

Designation: 34. Patent Sensitive Information; 
Agencies using designation: *DOE. 

Designation: 35. Predecisional Draft; 
Agencies using designation: *DOE. 

Designation: 36. Privacy Act Information; 
Agencies using designation: *DOE, EPA. 

Designation: 37. Privacy Act Protected Information (PAPI); 
Agencies using designation: HHS. 

Designation: 38. Proprietary Information; 
Agencies using designation: *DOE, DOJ. 

Designation: 39. Protected Battery Information; 
Agencies using designation: *DOE. 

Designation: 40. Protected Critical Infrastructure Information (PCII); 
Agencies using designation: DHS. 

Designation: 41. Safeguards Information; 
Agencies using designation: Nuclear Regulatory Commission (NRC). 

Designation: 42. Select Agent Sensitive Information (SASI); 
Agencies using designation: HHS. 

Designation: 43. Sensitive But Unclassified (SBU); 
Agencies using designation: Commerce, HHS, NASA, National Science 
Foundation (NSF), Department of State, U.S. Agency for International 
Development (USAID). 

Designation: 44. Sensitive Drinking Water Related Information (SDWRI); 
Agencies using designation: EPA. 

Designation: 45. Sensitive Information; 
Agencies using designation: DOD, U.S. Postal Service (USPS). 

Designation: 46. Sensitive Instruction; 
Agencies using designation: SSA. 

Designation: 47. Sensitive Internal Use; 
Agencies using designation: *DOE. 

Designation: 48. Sensitive Unclassified Non-Safeguards Information; 
Agencies using designation: NRC. 

Designation: 49. Sensitive Nuclear Technology; 
Agencies using designation: *DOE. 

Designation: 50. Sensitive Security Information (SSI); 
Agencies using designation: DHS, DOT, U.S. Department of Agriculture 
(USDA). 

Designation: 51. Sensitive Water Vulnerability Assessment Information; 
Agencies using designation: EPA. 

Designation: 52. Small Business Innovative Research Information; 
Agencies using designation: *DOE. 

Designation: 53. Technical Information; 
Agencies using designation: DOD. 

Designation: 54. Trade Sensitive Information; 
Agencies using designation: Commerce. 

Designation: 55. Unclassified Controlled Nuclear Information (UCNI); 
Agencies using designation: DOE. 

Designation: 56. Unclassified National Security-Related 
[Telecommunications] Information; 
Agencies using designation: *DOE. 

Source: GAO analysis of agency responses. 

Note: The designations shown in the table were reported to us by the 26 
agencies in our survey as their sensitive but unclassified 
designations. Three of the agencies reported that they do not have 
sensitive but unclassified designations. The list may not be 
all-inclusive because of individual agency interpretations of what 
constitutes a designation. For example, agencies may use the 
designation "draft," but only one reported it as a designation. In 
addition, DOE has attempted to limit the number of designations it 
uses, but reported to us that some staff continue to use unofficial 
designations that they refer to as ad hoc designations. DOE's ad hoc 
designations have an asterisk symbol in front of them in the table. 

[A] This "confidential" designation does not fall into the 
classification scheme for national security information established by 
executive order. 

[End of table]

For most of these designations, there are no governmentwide policies or 
procedures to guide agency decision making on using the designations, 
explaining what they mean across agencies, and assuring that the 
information is protected and shared consistently from one agency to 
another. Different agencies and departments currently define sensitive 
but unclassified information in many different ways in accordance with 
their unique missions and authorities. 

As a result of the lack of standard criteria for sensitive but 
unclassified information, multiple agencies often use the same or 
similar terms to designate information, but they define these terms 
differently. For example, there are at least 13 agencies that use the 
designation For Official Use Only, but there are at least five 
different definitions of FOUO. At least seven agencies or agency 
components use the term Law Enforcement Sensitive (LES), including the 
U.S. Marshals Service, the Department of Homeland Security (DHS), the 
Department of Commerce, and the Office of Personnel Management (OPM). 
These agencies gave differing definitions for the term. While DHS does 
not formally define the designation, the Department of Commerce defines 
it to include information pertaining to the protection of senior 
government officials, and OPM defines it as unclassified information 
used by law enforcement personnel that requires protection against 
unauthorized disclosure to protect the sources and methods of 
investigative activity, evidence, and the integrity of pretrial 
investigative reports. 

Agencies also use different terminology or restrictive phrases for what 
is essentially the same type of information. According to a senior 
official in the Delaware Department of Homeland Security, the multiple 
designations are a problem. He said that often multiple terms or 
phrases are used by different agencies for the same material. For 
example, information about a narcotics-smuggling ring that was 
financing terrorism might be considered sensitive by the DHS Customs 
and Border Protection component, which would mark it as FOUO or LES and 
require it to be kept in a locked file, cabinet, or desk when not in 
use. The same information might be marked DEA-Sensitive by DOJ's Drug 
Enforcement Administration (DEA), which, under its policy, requires a 
higher level of protection than normally afforded sensitive but 
unclassified information. Additionally, the Department of Defense, the 
Department of State, the Environmental Protection Agency, and the U.S. 
Agency for International Development all use the categories under FOIA 
that exempt information from public disclosure as basic criteria for 
designating some of their sensitive information. However, for FOIA-exempt 
material, DOD uses the term For Official Use Only, State uses Sensitive 
But Unclassified, EPA uses FOIA, and the U.S. Agency for International 
Development (USAID) uses Sensitive But Unclassified. Use of multiple 
designations such as this can hamper sharing efforts and confuse end 
users about the information. 

Some Agencies and End Users Reported Challenges in Sharing Sensitive 
but Unclassified Information: 

More than half of the agencies reported challenges in sharing sensitive 
but unclassified information. For example, 11 of the 26 agencies that 
we surveyed said that they had concerns about the ability of other 
parties to protect sensitive but unclassified information. These 
concerns could lead them to share less information than they could. DHS 
said that sensitive but unclassified information disseminated to its 
state and local partners had, on occasion, been posted to public 
Internet sites or otherwise compromised, potentially revealing possible 
vulnerabilities to business competitors. The Department of 
Transportation (DOT) said that the time it takes to determine whether 
other departments' handling and protection requirements meet or exceed 
DOT's requirements for Sensitive Security Information represents a 
challenge. Six agencies said that the lack of standardized criteria for 
defining what constitutes sensitive but unclassified information was a 
challenge in their efforts to share information, and DOD said that 
standardizing the designations and definitions used by federal agencies 
for sensitive but unclassified information might facilitate the 
handling and safeguarding of the information, thereby strengthening 
information-sharing efforts. Four agencies reported that they struggle 
with balancing the trade-off between limited dissemination of sensitive 
but unclassified information in order to protect it and broader 
dissemination to more stakeholders, who could use it for their efforts. 
Finally, 3 agencies reported challenges in using their designations 
that were not related to identifying, sharing, and safeguarding 
sensitive information, and 9 agencies reported no challenges. 

First responders reported that the multiplicity of designations and 
definitions not only causes confusion but leads to an alternating feast 
or famine of information. Lack of clarity on the dissemination rules 
and lack of common standards for controlling sensitive but unclassified 
information have led to periods of oversharing of information, often 
overwhelming end users with the same or similar information from 
multiple sources, according to an Illinois State Police Officer. 

Most of the Agencies We Surveyed Do Not Determine Which Employees Can 
Make Sensitive but Unclassified Designations, nor Do They Provide These 
Employees with Training: 

Of the 20 agencies that reported on who is authorized to make sensitive 
but unclassified designations at their agency, 13 did not limit which 
employees could apply at least one of their sensitive but unclassified 
designations. For example, DHS does not limit which employees may 
decide whether to designate a document For Official Use Only. At the 
Department of State, there are no limits on which personnel can 
designate information as sensitive but unclassified. At the National 
Aeronautics and Space Administration (NASA), approximately 20,000 civil 
servants and 80,000 contract employees are authorized to designate 
information as sensitive but unclassified using the Administratively 
Controlled Information designation of the agency. In addition, 12 of 23 
agencies (or 52 percent) reported that they did not have policies or 
procedures for specialized training for personnel making sensitive but 
unclassified designations. 

Several agencies, however, have taken steps to limit the number of 
designators or have provided at least some limited training to their 
employees. The U.S. Secret Service limits its designation authority 
solely to those individuals in the organization with the authority to 
classify information at the Confidential level under the National 
Security Information program. DOE restricts the application and removal 
authority for the Unclassified Controlled Nuclear Information (UCNI) 
designation to specially trained UCNI reviewing officials. Also, the 
Department of State provides training for its designators, and the 
Department of the Treasury provides training for designators and users 
of one of its designations. 

Very Few Agencies Perform Periodic Reviews of How Well Their Sensitive 
but Unclassified Practices Are Working or Set Time Limits on the 
Designations: 

Eighteen of the 23 agencies that provided us with information do not 
have policies or procedures for periodically reviewing how well the 
agency's designation practices are working and how accurately employees 
are making these decisions. Without oversight, agencies have no way to 
know the level of compliance or the effectiveness of the policies and 
procedures they have set. 

In addition, only 2 of the agencies that provided information on the 
issue of time limits for sensitive but unclassified information set 
such limits. In contrast, classified national security information is 
declassified as specified by the governing executive order. The U.S. 
Postal Service (USPS) set a limit of 5 years, and USDA set a limit of 
10 years, after which the designation would no longer be valid, and the 
information could become publicly available. Two agencies, the General 
Services Administration and the Department of Commerce, indicated that 
if it was possible to foresee a specific event that could remove the 
need for continued protection of the information--for example, a 
document concerning trade negotiations would be considered sensitive 
until the negotiations were ended--the agency marked the document in 
such a way that the designation was removed upon the completion of 
the event. Documents designated sensitive but unclassified at the other 
agencies that did not set time limits will remain so designated until a 
review of the document's status is triggered by an action such as a 
FOIA request by a private citizen. Continued restriction limits access 
to this information over the long term. 

To address the obstacles to information sharing, the Homeland Security 
Act required the President to, among other things, develop policies for 
sharing homeland security information, including sensitive but 
unclassified information, with appropriate state and local personnel. 
He delegated this responsibility to the Secretary of the newly created 
DHS in July 2003. Later, in his December 2005 memo, the President gave 
agencies 90 days to inventory their sensitive but unclassified 
procedures and report them to ODNI, which in turn is to provide them to 
the Secretary of DHS and the Attorney General. Working in coordination 
with the Secretaries of State, Defense, and Energy and with the DNI, 
they have 90 days from when they receive the inventories to develop 
recommended procedures that will provide a more standardized approach 
for designating homeland security information, law enforcement 
information, and terrorism information as sensitive but unclassified. 
The memorandum also requires that ODNI, in coordination and 
consultation with other agencies, develop recommendations for 
standardizing sensitive but unclassified procedures for all information 
not addressed by the first set of recommendations. 

Conclusions: 

In part because of the complexity of the task, shifting 
responsibilities, and missed deadlines, more than 4 years after 
September 11 the federal government still lacks comprehensive policies 
and processes to improve the sharing of information that is critical to 
protecting our homeland. After the 9/11 Commission's recommendation 
that the sharing and uses of information be guided by a set of 
practical policy guidelines, Congress passed the Intelligence Reform 
Act and mandated the creation of an Information Sharing Environment 
(ISE), to be planned for and overseen by a program manager. While 
recognizing that creating a fully functioning ISE will take time, the 
program manager's interim implementation plan includes a schedule for 
meeting a number of key deadlines. For example, by June 14, 2006, the 
program manager and the Director of NCTC are to have conducted a 
comprehensive review of all agency missions, roles, and 
responsibilities both as producers and users of terrorism information. 
Given that the program manager resigned and, at the time of our review, 
a new one had not been appointed, meeting this deadline will be 
difficult. When a new program manager is appointed, ensuring the 
success of this project will require support and vigilance from ODNI as 
well as the other agencies mentioned in the President's memorandum. It 
will be essential that the DNI assess progress toward meeting the 
milestones in the interim plan, identify and address any barriers to 
progress, and recommend to the congressional oversight committees with 
jurisdiction any changes necessary to achieve the goals of the 
mandates. 

The President's December 2005 memorandum recognizes the need to 
standardize procedures for sensitive but unclassified information. 
Currently, no governmentwide policies or procedures exist for most 
sensitive but unclassified designations. Our work on the policies and 
procedures agencies currently use can help validate ODNI's efforts in 
this area. It will be important that the new policies and procedures 
provide for consistent application of the designations and consistent 
handling requirements. Establishing governmentwide policies and 
procedures is a critical first step, but unless agencies, when 
implementing designations, ensure employees have the tools they need to 
use the designations accurately, and establish a monitoring system for 
their use, designations could be misapplied and information might be 
unnecessarily restricted or released when it should be protected. In 
the end, agencies need the flexibility to use designations that meet 
their mission needs, but, where feasible, using the same designation and 
handling procedures across agencies for similar information will 
provide for more consistent sharing and protection of sensitive 
information. Without continued vigilance, there is danger that there 
will be further delays in developing a governmentwide 
information-sharing policy and in establishing sensitive but unclassified policies 
that better enable the sharing of the information critical to the 
protection of the homeland. 

Recommendations for Executive Action: 

To ensure effective implementation of the Intelligence Reform Act, we 
recommend that the following six actions be taken: 

We recommend that the Director of National Intelligence (1) assess 
progress toward the milestones set in its Interim Implementation Plan; 
(2) identify any barriers to achieving these milestones, such as 
insufficient resources, and determine ways to resolve them; and (3) 
recommend to the oversight committees with jurisdiction any necessary 
changes to the organizational structure or approach to creating the 
ISE. 

In carrying out the President's December 2005 mandates for 
standardizing sensitive but unclassified information, we recommend that 
the Director of National Intelligence and the Director of OMB (1) use 
the results of our work to validate the inventory of designations that 
agencies are required to conduct in accordance with the memo and (2) 
issue a policy that consolidates sensitive but unclassified 
designations where possible and addresses their consistent application 
across agencies. 

We recommend that the Director of OMB, in his oversight role with 
respect to federal information management, work with other agencies to 
develop and issue a directive requiring that agencies have in place 
internal controls that meet the standards set forth in GAO's Standards 
for Internal Control in the Federal Government. This directive should 
include guidance for employees to use in deciding what information to 
protect with sensitive but unclassified designations; provisions for 
training on making designations, controlling, and sharing such 
information with other entities; and a review process to determine how 
well the program is working. 

Agency Comments: 

We requested comments on a draft of this report from the Director of 
OMB and the Director of National Intelligence or their designees. We 
received comments from OMB that neither agreed nor disagreed with our 
findings and recommendations. OMB commented that once the program 
manager and others completed their work to establish governmentwide 
policies, procedures, or protocols to guide the sharing of information 
as it relates to terrorism and homeland security, they would work with 
the program manager and all agencies to determine what additional steps 
are necessary, if any. ODNI, however, declined to comment on our draft 
report, stating that the review of intelligence activities is beyond 
GAO's purview. We are disappointed by the lack of an ODNI response to 
our report on the critical issue of information-sharing efforts in the 
federal government. We have placed information sharing for homeland 
security on GAO's high-risk list, in part because federal agencies have 
not done an adequate job of sharing critical information in the past 
and because success in this area will involve the combined efforts of 
multiple agencies and key stakeholders. The President has tasked ODNI 
with key coordinating roles in furtherance of this effort. 

In declining to comment, ODNI stated that our draft report was "very 
broad" and that it "addresses a number of intelligence-related issues, 
including a discussion of the management of [ODNI] and specific 
recommendations to the Director of National Intelligence (DNI)." ODNI 
then made a general reference to the DOJ having "previously advised" 
GAO that "the review of intelligence activities is beyond the GAO's 
purview." In DOJ's comments on a 2003 GAO report on information 
sharing, DOJ similarly said "the review of intelligence activities is 
an arena beyond GAO's purview." However, there was no legal analysis 
attached to either of these statements. 

There is a 1988 DOJ Office of Legal Counsel (OLC) opinion that offers 
DOJ's views on our authority to review intelligence activities in the 
context of foreign policy. In the 1988 opinion, OLC asserted that by 
enacting the current intelligence oversight framework, codified at 50 
U.S.C. § 413, Congress intended the intelligence committees to maintain 
exclusive oversight with respect to intelligence activities, 
foreclosing reviews by GAO. Although we recognize that section 413 
codified practices to simplify the congressional intelligence oversight 
process, we do not agree with DOJ's view that the intelligence 
oversight framework precludes GAO reviews in the intelligence arena. 
Neither section 413 nor its legislative history states that the 
procedures established therein constitute the exclusive mechanism for 
congressional oversight of intelligence activities, to the exclusion of 
other relevant committees or GAO. GAO has broad statutory authority to 
evaluate agency programs and investigate matters related to the 
receipt, disbursement, and use of public money.[Footnote 23] GAO also 
has broad authority to inspect and obtain agency information and 
records, subject to a few limited exceptions.[Footnote 24] 

In any event, we do not agree with ODNI's characterization that our 
review involved "intelligence activities." Our review did not involve 
evaluation of the conduct of actual intelligence activities. Rather, 
our review addresses the procedures in place to facilitate the sharing 
of a broad range of information across all levels of government. In our 
view ODNI's concept of "intelligence activities" is overly broad and 
would extend to governmentwide information-sharing efforts clearly 
outside the traditional intelligence arena--including, for example, 
procedures for sharing sensitive but unclassified information unrelated 
to homeland security. The use of such a sweeping definition to limit 
GAO's work would seriously impair Congress's oversight of executive 
branch information-sharing activities. 

Given the above, we strongly disagree with ODNI's reasons for declining 
to comment on our report. ODNI's letter is reprinted in appendix III. 

As agreed with your offices, unless you publicly release the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. We will then send copies of this report to the 
Director, Office of Management and Budget; the Director of National 
Intelligence; the Secretaries and heads of the 26 departments and 
agencies in our review; and interested congressional committees. In 
addition, this report will be available at no charge on the GAO Web 
site at http://www.gao.gov. 

If you or your staff have any questions concerning this report, please 
contact either David Powner at 202-512-9286 or pownerd@gao.gov, or 
Eileen Larence at 202-512-6510 or larencee@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this report. GAO staff who made major contributions 
to this report are listed in appendix IV. 

Signed By: 
 
David Powner: 
Director, Information Technology Management Issues: 

Signed By: 

Eileen Larence: 
Director, Homeland Security and Justice: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were to (1) determine the status of 
efforts to establish governmentwide policies and processes for sharing 
terrorism-related information between the federal government and its 
state, local, and private sector partners and (2) identify the universe 
of different sensitive but unclassified designations agencies apply to 
homeland security and to other sensitive information and determine the 
extent to which these agencies have policies and procedures in place to 
ensure their consistent use. 

To determine the status of efforts to establish governmentwide policies 
and processes for sharing terrorism information, we reviewed applicable 
federal laws, executive orders, presidential directives, memorandums, 
reports, and testimony. Because they have roles in cross-government 
information sharing, we also interviewed the Deputy Director and Chief 
of Staff of the Information Sharing and Collaboration Office at the 
Department of Homeland Security and the Chief of the Information Policy 
and Technology Branch, Office of Management and Budget, to determine 
efforts to date and the current status of required actions. We also 
interviewed Congressional Research Service staff who work on 
information-sharing issues and a member of the 9/11 Public Discourse 
Project, a privately funded continuation of the 9/11 Commission. We 
gathered publicly available documents on the establishment of the 
Office of the Director of National Intelligence (ODNI) and on the 
establishment of the Information Sharing Council and the Information 
Sharing Environment, and met informally with a senior ODNI official who 
provided us with the interim implementation plan. During the course of 
our review, we were negotiating protocols for working with ODNI. 

We also surveyed 26 major federal agencies: those that are subject to 
the requirements in the Chief Financial Officers Act, as well as the 
Federal Energy Regulatory Commission and the U.S. Postal Service, 
because our experience with these two agencies indicated that they used 
sensitive but unclassified designations. We obtained information on 
their sharing processes for terrorism-related information and 
descriptions of any actions they had taken to encourage or improve the 
sharing of this information. We also asked the agencies about 
challenges pertaining to identifying, safeguarding, and sharing 
sensitive but unclassified information. We queried the agencies on the 
types of sensitive but unclassified designations they use; the 
policies, procedures, and protocols they have in place for each 
designation; and the extent to which they provide controls for 
protecting and policies for sharing these types of information. We 
aggregated the data by agency and sent them back to the agencies' 
responding officials who reviewed the information for completeness and 
accuracy. 

We collected and reviewed applicable federal laws and regulations, 
policies, procedures, and documents related to the sensitive but 
unclassified and national security classification processes for federal 
agencies. We met with officials at the National Archives and Records 
Administration's Information Security Oversight Office, and discussed 
policies and processes for handling, overseeing, and sharing national 
security related information as compared with policies and processes 
for handling, sharing, and overseeing sensitive but unclassified 
information. We also contacted the International Association of Police 
Chiefs, the International Association of Fire Chiefs, and the National 
Governors Association to obtain information from end users such as 
state and local law enforcement, first responders, and state-level 
homeland security and disaster response agencies, since such 
organizations are likely to require access to sensitive but 
unclassified information. 

To determine whether appropriate policies and procedures were in place, 
we relied on GAO's Standards for Internal Control in the Federal 
Government for benchmarks and standards against which to assess each 
agency's sensitive but unclassified designation policies and 
procedures.[Footnote 25] We conducted our work from May 2005 through 
February 2006 in accordance with generally accepted government auditing 
standards. 

[End of section] 

Appendix II: Summary Information on Sensitive But Unclassified 
Designations by Agency: 

The following information was provided by the 26 federal agencies that 
we surveyed. The agencies were queried on the types of sensitive but 
unclassified designations they use; the basis of the designations; and 
policies, procedures, and protocols for designating, handling, and 
sharing these types of information. We provided the agencies with the 
opportunity to review their summarized information for accuracy and 
completeness. 

Department of Agriculture. 

Agencywide. 

Designation: Sensitive Security Information. 

Basis for designation: Departmental Regulation 3440-2, Control and 
Protection of Sensitive Security Information (January 2003). 

Definition: The designation is used for unclassified information of a 
sensitive nature that, if publicly disclosed, could be expected to have 
a harmful impact on the security of Federal operations or assets, the 
public health or safety of the citizens of the United States or its 
residents, or the nation's long-term economic prosperity and which 
describes, discusses, or reflects: the ability of any element of the 
critical infrastructure of the United States to resist intrusion, 
interference, compromises, theft, or incapacitation by either physical 
or computer-based attack or other similar conduct that violates 
federal, state, or local law; harms interstate or international 
commerce of the United States; or threatens public health or safety; 
any currently viable assessment, projection, or estimate of the 
security vulnerability of any element of the critical infrastructure of 
the United States, specifically including--but not limited 
to--vulnerability assessment, security testing, risk evaluation, risk 
management planning, or risk audit; or any currently applicable 
operational problem or solution regarding the security of any element 
of the critical infrastructure of the United States, specifically 
including--but not limited to--the repair, recovery, redesign, 
reconstruction, relocation, insurance, and continuity of operations of 
any element. 

Designating authority: Officials from departmental organizations have 
the authority to determine which information originating under their 
supervision requires protection against unauthorized disclosure. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: Yes. 

Department of Commerce. 

Agencywide. 

Designation: For Official Use Only. 

Basis for designation: Freedom of Information Act (FOIA), as amended (5 
U.S.C. § 552); Disclosure of Government Information (15 C.F.R. pt. 4); 
Export Administration Act (EAA) of 1979, as amended (50 U.S.C. app § 
2401 et seq.); (new policy on sensitive but unclassified information 
in draft Security Manual). 

Definition: The designation is used for information that has not been 
given a security classification, but may be withheld from the public 
because there is a sound legal basis for withholding the information 
under specific statutes or regulations. 

Designating authority: Secretarial officials, operating unit heads, 
senior departmental officials, and program managers. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Designation: Sensitive But Unclassified. 

Basis for designation: FOIA, as amended; Privacy Act of 1974, as 
amended (5 U.S.C. § 552a); EAA of 1979, as amended; Tariff Act of 1930, 
as amended (19 U.S.C. § 1202 et seq.); (new policy on sensitive but 
unclassified information in draft Security Manual). 

Definition: The designation is used for information the unauthorized 
disclosure of which could result in harm or unfair treatment to any 
individual or group, or have a negative impact on the department's 
mission (e.g., personal, medical and financial information, business 
proprietary information). 

Designating authority: Secretarial officials, operating unit heads, 
senior departmental officials and program managers. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Designation: Trade Sensitive Information. 

Basis for designation: Trade Act of 1974, as amended; FOIA, as amended; 
(new policy on sensitive but unclassified information in draft Security 
Manual). 

Definition: The designation is used for information pertaining to U.S. 
Trade Policy, strategies and negotiating objectives. 

Designating authority: Secretarial officials, operating unit heads, 
senior departmental officials and program managers. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Designation: Attorney/Client Privilege. 

Basis for designation: FOIA, as amended; (new policy on sensitive but 
unclassified information in draft Security Manual). 

Definition: The designation is used for information between an attorney 
and client; information prepared by an attorney in contemplation of 
litigation. 

Designating authority: Secretarial officials, operating unit heads, 
senior departmental officials and program managers. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Designation: Law Enforcement Sensitive. 

Basis for designation: FOIA, as amended; (new policy on sensitive but 
unclassified information in draft Security Manual). 

Definition: The designation is used for information pertaining to the 
protection of senior government officials; investigative data. 

Designating authority: Secretarial officials, operating unit heads, 
senior departmental officials and program managers. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Bureau of Industry and Security. 

Designation: Confidential Business Information. 

Basis for designation: FOIA, as amended; Chemical Weapons Convention 
Implementation Act of 1998 (18 U.S.C. §§ 229-229D; 22 U.S.C. § 6701 et 
seq.); Defense Production Act of 1950, as amended (50 U.S.C. app. § 2061 
et seq.). 

Definition: The designation is used for information designated under 
the Chemical Weapons Implementation Act of 1998 as a trade secret or 
commercial financial information, or other information as described in 
§ 304(e)(2) of the Act or 5 U.S.C. § 552(b)(4). 

Designating authority: Secretarial officials, operating unit heads, 
senior departmental officials and program managers. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

National Technical Information Service. 

Designation: Not Available National Technical Information Service. 

Basis for designation: FOIA, as amended. 

Definition: The designation is used to identify specific technical 
product information in the NTIS sales collection that has been 
withdrawn from public disclosure. 

Designating authority: Appropriate official of the executive branch 
agency that authored or funded the report and requests non-disclosure 
of information to the public. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Bureau of the Census. 

Designation: Census Confidential. 

Basis for designation: Titles 13, 15, and 26, U.S.C. 

Definition: The designation is used for information pertaining to 
statistical collections and survey algorithms used in conduct of 
mandates of Title 13 U.S.C. 

Designating authority: Automatic designation, no designation decision 
required. 

Policies or procedures for specialized training for designators: N/A. 
Systematic review process: No. 

Department of Defense: 

Agencywide. 

Designation: For Official Use Only Information. 

Basis for designation: FOIA, as amended; DOD 5200.1-R, Information 
Security Program (January 1997); and Under Secretary of Defense for 
Intelligence Memorandum, Interim Information Security Guidance (April 
2004). 

Definition: The designation is used as the overall designation for 
unclassified information that may be withheld from public release under 
Freedom of Information Act (FOIA) exemptions. 

Designating authority: Any DOD employee. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Designation: DOD Unclassified Controlled Nuclear Information. 

Basis for designation: 10 U.S.C. § 128, DOD Directive (DODD) 5210.83, 
Department of Defense Unclassified Controlled Nuclear Information. 

Definition: The designation is used for unclassified information on 
security measures (including security plans, procedures, and equipment) 
for the physical protection of DOD Special Nuclear Material, equipment, 
or facilities. 

Designating authority: Heads of components and individuals they 
designate. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Designation: Technical Information. 

Basis for designation: 10 U.S.C. 140c, DODD 5230.25, Withholding of 
Unclassified Technical Data From Public Disclosure (November 1984); and 
DODD 5230.24, Distribution Statements on Technical Documents (March 
1987). 

Definition: DODD 5230.24 requires distribution statements to be placed 
on technical documents. Distribution statements are used to denote the 
extent of a document's availability for distribution, release, and disclosure 
without additional approvals or authorizations. DODD 5230.24 covers 
newly created technical documents generated by all DOD-funded research, 
development, test and evaluation programs and also applies to newly 
created engineering drawings, standards, specifications, technical 
manuals, blueprints, drawings, plans, instructions, computer software 
and documentation, and other technical information that can be used or 
be adapted for use to design, engineer, produce, manufacture, operate, 
repair, overhaul, or reproduce any military or space equipment or 
technology concerning such equipment. 

Designating authority: Managers of technical programs. 

Policies and procedures for specialized training for designators: No. 
Systematic review process: Yes. 

Designation: Limited Distribution Information. 

Basis for designation: 10 U.S.C. 455; DODD 5105.60, National Imagery 
and Mapping Agency (NIMA) (October 1996); and DODD 5030.59, National 
Imagery and Mapping Agency (NIMA) Limited Distribution Imagery or 
Geospatial Information and Data (May 2003) and guidance in DOD 
5200.1-R. 

Definition: Designation used by the National Geospatial-Intelligence 
Agency (NGA) to identify a select group of sensitive but unclassified 
imagery or geospatial information and data created or distributed by 
NGA or information, data, and products derived from such information. 

Designating authority: National Geospatial-Intelligence Agency 
personnel. 

Policies or procedures for specialized training for designators: Yes. 
Systematic review process: Yes. 

Designation: For Official Use Only--Law Enforcement Sensitive. 

Basis for designation: DOD 5200.1-R, Information Security Program 
(January 1997), and Under Secretary of Defense for Intelligence 
Memorandum, Interim Information Security Guidance (April 2004). 

Definition: The designation is used for certain information compiled 
for law enforcement purposes that should be afforded appropriate 
security in order to protect certain legitimate government interests. 

Designating authority: Personnel engaged in law enforcement activities. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Designation: Sensitive Information. 

Basis for designation: Computer Security Act of 1987, Pub. L. No. 100-235 
(as enacted at 15 U.S.C. § 271 et seq.); DOD 5200.1-R, 
Information Security Program (January 1997), and Under Secretary of 
Defense for Intelligence Memorandum, Interim Information Security 
Guidance (April 2004). 

Definition: Any information, the loss, misuse, or unauthorized access 
to or modification of which could adversely affect the national 
interest or the conduct of federal programs, or the privacy to which 
individuals are entitled under section 552a of title 5, United States 
Code (the Privacy Act), but which has not been specifically authorized 
under criteria established by an executive order or an act of Congress 
to be kept secret in the interest of national defense or foreign 
policy. 

Designating authority: Personnel involved with information systems. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Department of Education: 

Agencywide. 

Designation: For Official Use Only. 

Basis for designation: FOIA, as amended; Privacy Act of 1974, as 
amended; Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501, 
note); Handbook for Information Technology Security Risk Assessment 
Procedures OCIO-07 (January 2004); and Handbook for Information 
Assurance Security OCIO-01 (December 2005). 

Definition: The designation is used for information that (1) falls 
within one or more of the nine exemptions or three exclusions of the 
Freedom of Information Act (FOIA), (2) is protected by the Privacy Act 
of 1974, or (3) is marked by the Office of the Inspector General to 
prohibit distribution to unauthorized persons. 

Designating authority: The owner of the information. 

Policies and procedures for specialized training for designators: No. 
Systematic review process: No. 

Department of Energy: 

Agencywide. 

Designation: Official Use Only. 

Basis for designation: DOE Order 471.3 (April 2003). 

Definition: Certain unclassified information that may be exempt from 
public release under the Freedom of Information Act and has the 
potential to do damage to governmental, commercial or private interests 
if disseminated to people who do not need the information to perform 
their jobs or other DOE authorized functions. 

Designating authority: Any DOE or DOE contractor employee. 

Policies or procedures for specialized training for designators: No. 
Systematic review process: No. 

Designation: Unclassified Controlled Nuclear Information. 

Basis for designation: Section 148 of the Atomic Energy Act of 1954, as 
amended (42 U.S.C. § 2168), 10 C.F.R. pt. 1017, DOE Order 471.1A (June 
2000). 

Definition: The designation is used for certain unclassified government 
information prohibited from unauthorized dissemination under section 
148 of the Atomic Energy Act; which concerns atomic energy defense 
programs; which pertains to (i) the design of production or utilization 
facilities (ii) security measures for the physical protection of 
production or utilization facilities or nuclear material contained in 
these facilities or in transit (iii) the design, manufacture or 
utilization of nuclear weapons or components that were once classified 
as Restricted Data; whose unauthorized dissemination could reasonably 
be expected to have a significant adverse effect on the health and 
safety of the public or the common defense and security by 
significantly increasing the likelihood of (i) illegal production of 
nuclear weapons or (ii) theft, diversion, or sabotage of nuclear 
materials, equipment or facilities. 

Designating authority: UCNI reviewing officials (trained and 
designated individuals in DOE and DOE contractor organizations) only. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

Department of Health and Human Services. 

Agencywide. 

Designation: Sensitive But Unclassified. 

Basis for designation: FOIA, as amended; Public Health Security and 
Bioterrorism Preparedness and Response Act of 2002 (Titles 7, 21, 29, 
and 42, U.S.C.; see 21 U.S.C. § 350c); (Draft HHS Information Security 
Policy and Procedures for Sensitive But Unclassified Information). 

Definition: The Sensitive But Unclassified designation is used for 
information that does not meet the standards for classification under 
national security information but it is protected from public 
disclosure under exemptions 2-8 of FOIA. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Centers for Disease Control and Prevention. 

Designation: Sensitive But Unclassified. 

Basis for designation: Section 201(a) of the Public Health Security and 
Bioterrorism Preparedness and Response Act of 2002, (42 U.S.C. § 262a 
(h)), and 42 C.F.R. pt. 73 (Select Agents and Toxins); (new policy in 
draft). 

Definition: The designation is used for information which identifies 
possession, use, or transfer of a select agent or toxin; or information 
derived therefrom to the extent that it identifies the listed agent or 
toxin possessed, used, or transferred by a specified registered person 
or discloses the identity or location of a specific registered person. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: N/A; 
Systematic review process: N/A. 

Designation: Computer Security Act Sensitive Information. 

Basis for designation: Computer Security Act of 1987; (new policy in 
draft). 

Definition: The designation is used for any information, the loss, 
misuse, or unauthorized access to or modification of which could 
adversely affect the national interest or the conduct of federal 
programs, or the privacy to which individuals are entitled under 
section 552a of Title 5, U.S.C. (the Privacy Act). 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Contractor Access Restricted Information. 

Basis for designation: 41 U.S.C. § 401; Federal Acquisition Regulations 
1.102; Executive Order 11222 (May 8, 1965); (new policy in draft). 

Definition: Unclassified information that involves functions reserved 
to the federal government as vested by the Constitution as inherent 
power or as implied power as necessary for the proper performance of 
its duties. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: For Official Use Only. 

Basis for designation: FOIA, as amended; (new policy in draft). 

Definition: This designation is applied to unclassified information 
that is exempt from mandatory release to the public under FOIA. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Law Enforcement Sensitive. 

Basis for designation: Not specified; (new policy in draft). 

Definition: The designation is used for law enforcement purposes. 
Information that could reasonably be expected to interfere with law 
enforcement proceedings, would deprive a person of a right to a fair 
trial or impartial adjudication, could reasonably be expected to 
constitute an unwarranted invasion of personal privacy of others, 
disclose the identity of a confidential source, disclose investigative 
techniques and procedures or could reasonably be expected to endanger 
the life or physical safety of any individual is to be marked law 
enforcement sensitive. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Operations Security Protected Information. 

Basis for designation: National Security Decision Directive 298, 
(January 1988); (new policy in draft). 

Definition: The designation is applied to unclassified information 
concerning CDC mission, functions, operations, or programs that require 
protection in the national interest, or security of homeland defense. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Privacy Act Protected Information. 

Basis for designation: Privacy Act of 1974, as amended; 45 C.F.R. pt. 
5b; (new policy in draft). 

Definition: The designation covers information that, if released, could 
reasonably be expected to constitute a clearly unwarranted invasion of 
the personal privacy of individuals. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Select Agent Sensitive Information. 

Basis for designation: Public Health Security and Bioterrorism 
Preparedness and Response Act of 2002; (new policy in draft). 

Definition: The designation is used on any document that has been 
prepared using information from the Select Agent Program database and 
identifies more than one entity as having an unspecified select agent 
or agents. A portion of the Select Agent Program database, or any 
document that has been prepared using information from the Select Agent 
Program database and is limited to information received from one entity 
will be unclassified but will be protected to safeguard the public 
interest and marked as For Official Use Only. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Department of Homeland Security. 

Agencywide. 

Designation: For Official Use Only. 

Basis for designation: Management Directive 11042.1 (January 2005). 

Definition: The term used within DHS to identify unclassified 
information of a sensitive nature, not otherwise categorized by statute 
or regulation, the unauthorized disclosure of which could adversely 
affect a person's privacy or welfare, the conduct of federal programs, 
or other programs or operations essential to the national interest. 

Designating authority: Any DHS employee, detailee, or contractor. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

Designation: Law Enforcement Sensitive. 

Basis for designation: Not specified. 

Definition: The designation is not formally defined by a DHS policy, 
directive, or regulation. In practice, according to DHS, its law 
enforcement components apply the designation to information that may be 
exempt from disclosure under exemptions 2 or 7 of the Freedom of 
Information Act. 

Designating authority: Any DHS employee, detailee, or contractor 
attached to a component with a law enforcement mission. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Directorate for Preparedness. 

Designation: Protected Critical Infrastructure Information. 

Basis for designation: 6 C.F.R. § 29.2 (February 2004). 

Definition: The designation is defined as information (including the 
identity of the submitting person or entity) that is voluntarily 
submitted to DHS for its use regarding the security of critical 
infrastructure and protected systems, analysis, warning, 
interdependency study, recovery, reconstitution, or other informational 
purpose, when accompanied by an express statement as described in 6 
C.F.R. § 29.5. 

Designating authority: PCII Program Manager or authorized designees. 

Policies or procedures for specialized training for designators: N/A; 
Systematic review process: No. 

Transportation Security Administration & U.S. Coast Guard. 

Designation: Sensitive Security Information. 

Basis for designation: Homeland Security Act of 2002 (Pub. L. No. 107-296); 
Maritime Transportation Security Act of 2002 (Pub. L. No. 107-295), 
49 U.S.C. § 114(s); 49 C.F.R. pt. 1520 (May 2004); Management 
Directive (MD) 11056 (December 2005). 

Definition: In accordance with 49 U.S.C. § 114(s), SSI is information 
obtained or developed in the conduct of security activities, including 
research and development, the disclosure of which the Transportation 
Security Administration has determined would (1) constitute an 
unwarranted invasion of privacy (including, but not limited to, 
information contained in any personnel, medical, or similar file); (2) 
reveal trade secrets or privileged or confidential information obtained 
from any person; or (3) be detrimental to the security of 
transportation. 

Designating authority: All TSA personnel and contractors are obligated 
to mark information SSI if it fits within the rules established by 49 
C.F.R. § 1520.5. The TSA Administrator and four other TSA personnel 
have the discretion to designate information outside the rules. See § 
1520.5(b)(16). 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

US Secret Service. 

Designation: Limited Official Use. 

Basis for designation: USSS Recruitment and Personnel Security Manual. 

Definition: The designation, Limited Official Use, administratively 
controls officially limited information within the agency as it relates 
to internal investigations, and the development of Secret Service or 
DHS policy. This includes information pertaining to (1) the enforcement 
of criminal/civil law relating to departmental or bureau matters, (2) 
departmental or bureau personnel rules and regulations, and (3) 
sensitive or proprietary information relative to departmental or bureau 
policy. 

Designating authority: Only persons authorized to classify documents as 
Confidential are authorized to designate documents as LOU. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

Department of Housing and Urban Development. 

Agencywide. 

Designation: For Official Use Only. 

Basis for designation: None (new policy in draft). 

Definition: None at present. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Department of the Interior. 

Agencywide. 

Designation: None. 

Basis for designation: N/A (new policy in draft). 

Definition: N/A. 

Designating authority: N/A. 

Policies or procedures for specialized training for designators: N/A; 
Systematic review process: N/A. 

Department of Justice. 

Agencywide (Justice Management Division). 

Designation: Limited Official Use. 

Basis for designation: DOJ Order 2620.7 (September 1982). 

Definition: Unclassified information of a sensitive, proprietary, or 
personally private nature which must be protected against release to 
unauthorized individuals. 

Designating authority: Heads of Departmental organizations or their 
designees. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

US Marshals Service. 

Designation: Law Enforcement Sensitive. 

Basis for designation: USMS Policy Directive 2.34 (November 2005). 

Definition: The law enforcement sensitive designation is used for 
unclassified information of a sensitive and proprietary nature that if 
disclosed could cause harm to law enforcement activities by 
jeopardizing investigations, compromising operations, or causing 
life-threatening situations for confidential informants, witnesses, or law 
enforcement personnel. The Agencywide Limited Official Use designation 
is used for other sensitive, but unclassified, official information. 

Designating authority: Supervisors and management only. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Bureau of Alcohol, Tobacco, Firearms and Explosives. 

Designation: Law Enforcement Sensitive/Sensitive. 

Basis for designation: DOJ Order 2620.7 (September 1982); ATF Order 
3700.2A; and ATF Order 7500.2. 

Definition: The designation is used for information that, if disclosed, 
could adversely affect the ability of ATF/NDIC to accomplish its 
mission. 

Designating authority: Not specified in response. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Drug Enforcement Administration. 

Designation: DEA Sensitive. 

Basis for designation: Control and Decontrol of DEA Sensitive 
Information (June 1999). 

Definition: The designation is used for information that, if disclosed, 
could adversely affect the ability of DEA to accomplish its mission and 
when disseminated outside the agency, must be afforded a higher level 
of protection than Sensitive But Unclassified information. 

Designating authority: Special Agents in Charge, Assistant Special 
Agents in Charge, Resident Agents in Charge, Group Supervisors, 
Laboratory Chiefs, Section Chiefs and higher, DEA Inspectors, and DEA 
Strike Force Representatives occupying supervisory and liaison 
positions. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

Federal Bureau of Prisons. 

Designation: For Official Use Only. 

Basis for designation: BOP Policy 1237.11 (October 1997). 

Definition: The BOP would designate the following information as FOUO: 
internal personnel rules and practices, information exempt from 
disclosure (i.e. inmate medical data), privileged interagency 
correspondence, medical and personnel files, LES information, certain 
financial data. 

Designating authority: BOP agency head and facility heads or 
equivalent. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

Federal Bureau of Investigation. 

Designation: For Official Use Only. 

Basis for designation: Intelligence Policy Manual (August 2005). 

Definition: The designation is used for information that may be exempt 
from mandatory release to the public under the Freedom of Information 
Act (FOIA), 5 U.S.C. 552. 

Designating authority: Any FBI employee or contractor in the course of 
performing assigned duties may designate information as FOUO. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Law Enforcement Sensitive. 

Basis for designation: Intelligence Policy Manual (August 2005). 

Definition: The designation is used to protect information compiled for 
law enforcement purposes. LES is a subset of FOUO. 

Designating authority: Any FBI employee or contractor in the course of 
performing assigned duties may designate information as LES. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Limited Official Use. 

Basis for designation: DOJ Order 2620.7, Control and Protection of 
Limited Official Use Information (September 1982). 

Definition: The designation is used for unclassified information of a 
sensitive, proprietary, or personally private nature which must be 
protected against release to unauthorized individuals. 

Designating authority: Any FBI employee or contractor in the course of 
performing assigned duties may designate information as LOU under 
guidelines of DOJ Order. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Proprietary Information. 

Basis for designation: Director of Central Intelligence Directive 
(DCID) 6/6, Security Controls on the Dissemination of Intelligence 
Information (July 2001). 

Definition: The designation is used for information provided by a 
commercial firm or private source under an express or implied 
understanding that the information will be protected as a proprietary 
trade secret or proprietary data believed to have actual or potential 
value. This marking may be used on government proprietary information 
only when the government proprietary information can provide a 
contractor(s) an unfair advantage, such as US Government budget or 
financial information. 

Designating authority: Any FBI employee or contractor in the course of 
performing assigned duties may designate information meeting the DCID 
criteria as PROPIN. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Department of Labor: 

Bureau of Labor Statistics. 

Designation: Confidential. 

Basis for designation: Confidential Information Protection and 
Statistical Efficiency Act (Title V of Pub. L. No. 107-347, see 44 
U.S.C. § 3501, note); Trade Secrets Act (see 18 U.S.C. § 1905); Privacy 
Act, as amended; OMB Statistical Confidentiality Order (62 FR 35043, 
June 27, 1997), OMB Statistical Directive No. 3, Secretary's Order 39-72, 
Commissioner's Order No. 3-04, Commissioner's Order 4-00, 
Commissioner's Order 1-05 and Administrative Procedures 2-05. 

Definition: The designation is used for information acquired from 
respondents to BLS statistical surveys under a pledge of 
confidentiality for exclusively statistical purposes. It is also used 
for pre-release economic series data, which are statistics and analyses 
that have not yet officially been released to the public. This 
includes, in particular, pre-release economic data for the Principal 
Federal Economic Indicators produced by the Bureau. 

Designating authority: Commissioner of Labor Statistics. 

Policies and procedures for specialized training for designators: N/A; 
Systematic review process: N/A. 

Office of Inspector General. 

Designation: Law Enforcement Sensitive. 

Basis for designation: The Inspector General's Act of 1978, as amended 
(5 U.S.C. app. 3). 

Definition: Investigative information involving the progression of a 
case from intelligence gathering through the referral for prosecution. 

Designating authority: Automatic designation under the Inspector 
General Act of 1978. 

Policies and procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: For Official Use Only. 

Basis for designation: The Inspector General's Act of 1978. 

Definition: Also used for Law Enforcement Sensitive information when 
memorandums/letters are provided to Federal entities and for when an 
investigative memorandum is forwarded to a Department of Labor agency 
for their review and decision on the outcome of an investigation. 

Designating authority: Not specified. 

Policies and procedures for specialized training for designators: No; 
Systematic review process: No. 

Department of State: 

Agencywide. 

Designation: Sensitive But Unclassified. 

Basis for designation: FOIA, as amended; Privacy Act, as amended; 12 FAM 
540 (November 2005). 

Definition: Information that is not classified for national security 
reasons, but that warrants/requires administrative control and 
protection from public or other unauthorized disclosure for other 
reasons. Sensitive But Unclassified information should meet one or more 
of the criteria for exemption from public disclosure under the Freedom 
of Information Act (FOIA) (which also exempts information protected 
under other statutes), 5 U.S.C. § 552 or should be protected by the 
Privacy Act, 5 U.S.C. § 552a. 

Designating authority: All Department of State personnel. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

Department of the Treasury: 

Agencywide. 

Designation: Limited Official Use. 

Basis for designation: Treasury Security Manual (June 1998). 

Definition: Information that an authorized official within the 
Department determines needs to be protected from unauthorized 
disclosure because such disclosure would injure the Department's 
mission or responsibilities, or cause harm to other persons or parties. 
LOU includes--but is not necessarily limited to--important, delicate, 
sensitive, or proprietary information used in development of Treasury 
policy, such as the enforcement of criminal and civil laws relating to 
Treasury operations and the consideration of financial information 
provided in confidence. 

Designating authority: Any Treasury employee may designate information 
Limited Official Use. 

Policies and procedures for specialized training for designators: Yes; 
Systematic review process: No: 

Internal Revenue Service. 

Designation: Limited Official Use. 

Basis for designation: Internal Revenue Manual 11.3.12 (July 2005). 

Definition: The designation is used only on materials intended for use 
by the highest officials within the Internal Revenue Service or 
addressed to officials of the Department of the Treasury. 

Designating authority: Documents may be classified LOU only by the 
Commissioner. 

Policies and procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Official Use Only. 

Basis for designation: Internal Revenue Manual 11.3.12 (July 2005). 

Definition: The designation is used for certain types of documents that 
should not be subject to public distribution such as printed materials 
intended for internal use and the law enforcement manual. 

Designating authority: Not specified. 

Policies and procedures for specialized training for designators: No; 
Systematic review process: No: 

Department of Transportation: 

Agencywide. 

Designation: For Official Use Only (FOUO). 

Basis for designation: 5 U.S.C. § 301; 49 U.S.C. § 322; DOT M 1640-4D 
(December 1997). 

Definition: DOT uses the general description and terms contained in the 
Freedom of Information Act, including the first seven exemptions from 
public disclosure of information, as its basis for designating 
information as FOUO. 

Designating authority: Any DOT employee. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Sensitive Security Information. 

Basis for designation: 49 U.S.C. § 40119(b), 49 C.F.R. pt.15. 

Definition: SSI is information obtained or developed in the conduct of 
security activities, including research and development, the disclosure 
of which [the Transportation Security Administration] has determined 
would (1) constitute an unwarranted invasion of privacy (including, but 
not limited to, information contained in any personnel, medical, or 
similar file); (2) reveal trade secrets or privileged or confidential 
information obtained from any person; or (3) be detrimental to 
transportation safety. 

Designating authority: All modal administrators and their designees 
(designation must be done in writing). 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: Yes: 

Department of Veterans Affairs: 

Agencywide. 

Designation: None. 

Basis of designation: N/A. 

Definition: N/A. 

Designating authority: N/A. 

Policies or procedures for specialized training for designators: N/A; 
Systematic review process: N/A: 

Environmental Protection Agency: 

Agencywide. 

Designation: Law Enforcement Sensitive. 

Basis for designation: FOIA, as amended. 

Definition: The designation is used for records or information compiled 
for law enforcement purposes, including information that relates to 
investigative procedures and grand jury information. It aligns with the 
definition of Freedom of Information Act exemption 7 (records or 
information compiled for law enforcement purposes). 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Freedom of Information Act. 

Basis for designation: FOIA, as amended; Freedom of Information Act 
Manual (EPA Directive 1550) (1992). 

Definition: The designation is used for information defined exempt 
pursuant to FOIA and related case law. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Privacy Act. 

Basis for designation: Privacy Act, as amended; Privacy Act Manual (EPA 
Directive 2190) (1986). 

Definition: The designation is used for information defined pursuant to 
the Privacy Act and implementing regulations. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Medical Records. 

Basis for designation: Health Insurance Portability and Accountability 
Act of 1996 (Pub. L. No. 104-191). 

Definition: The designation is used for information defined pursuant to 
the Health Insurance Portability and Accountability Act (HIPAA) of 
1996. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Budgetary Information. 

Basis for designation: Information Sensitivity Compendium (Guidance 
Document). 

Definition: The designation is used for information defined pursuant to 
OMB Circular A-11, prohibition of release of agency budget information 
before public release of the President's budget. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No: 

Designation: Confidential Business Information. 

Basis for designation: Resource Conservation and Recovery Act, as 
amended (42 U.S.C. § 6901 et seq.); CBI Manual/Security Plan; Toxic 
Substances Control Act, as amended (see 15 U.S.C. § 2601 et seq.). 

Definition: The designation is used for information defined by the 
Agency under various statutes and covered under FOIA exemption 4. 

Designating authority: EPA's contracting officers may designate 
information as CBI, as well as the owner of the information. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

Designation: Sensitive Water Vulnerability Assessment Information. 

Basis for designation: Information Protection Protocol (November 2002). 

Definition: The designation is used to control access to vulnerability 
assessments and information derived from the vulnerability assessments 
provided to EPA in accordance with the Public Health Safety and 
Bioterrorism Preparedness and Response Act of 2002. 

Designating authority: The EPA Administrator designates those who will 
have access and control. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

Designation: Sensitive Drinking Water-Related Information. 

Basis for designation: FOIA, as amended; 
Policy to Manage SDWRI (April 2005). 

Definition: The designation is used for information pertaining to 
drinking water well and intake location data and the source water area 
GIS polygon coverages as sensitive related to homeland security. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Draft. 

Basis for designation: No specific authority. 

Definition: The designation is used for general information that should 
be handled with care. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No: 

National Homeland Security Research Center. 

Designation: For Official Use Only. 

Basis for designation: NHSRC-70-01, Rev.0 (November 2004). 

Definition: For Official Use Only (FOUO) is applied by the NHSRC as the 
sole designator for sensitive but unclassified (SBU) information. The 
NHSRC uses the following definition of sensitive but unclassified, 
taken from the Computer Security Act of 1987, Public Law 100-235, which 
defines "sensitive information" as "any information, the loss, misuse, 
or unauthorized access to or modification of which could adversely 
affect the national interest or the conduct of federal programs, or the 
privacy to which individuals are entitled under section 552a of Title 5 
[U.S.C.] (Privacy Act) but which has not been specifically authorized 
under criteria established by an Executive order or an Act of Congress 
to be kept secret in the interest of national defense or foreign 
policy". 

Designating authority: Any National Homeland Security Research Center 
employee, contractor, subcontractor, or grantee may designate 
information FOUO. However, such designations must be certified by a 
NHSRC Review Authority (DRA). 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: Yes: 

Federal Energy Regulatory Commission: 

Agencywide. 

Designation: Critical Energy Infrastructure Information. 

Basis for designation: FOIA, as amended; 18 C.F.R. §§ 388.112-.113; and 
Commissioner Order Nos. 630, 630-A, 649, and 662. 

Definition: Information about proposed or existing critical 
infrastructure that relates to the production, generation, 
transportation, transmission, or distribution of energy; could be 
useful to a person in planning an attack on critical infrastructure; is 
exempt from mandatory disclosure under the Freedom of Information Act, 
5 U.S.C. § 552; and does not simply give the location of the critical 
infrastructure. 

Designating authority: Both filers and staff can mark information CEII. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Non-Public Information. 

Basis for designation: FOIA, as amended; 18 C.F.R. §§ 1b.9, 
1b.20-.21(c), 385.410, 606, 388.112; 15 U.S.C. § 717g(b), 16 U.S.C. § 
825(b). 

Definition: Any information that is not routinely provided to the 
public absent a Freedom of Information Act (FOIA) request, including 
information that would not be released under the FOIA. Non-Public 
Information includes, for example, information that is submitted to the 
Commission with a request for non-public treatment under 18 C.F.R. § 
388.112(a), which applies to information the submitter claims is exempt 
from mandatory disclosure under the FOIA; information concerning 
dispute resolution communications (see 18 C.F.R. § 385.606); 
information covered by a protective order (see 18 C.F.R. § 385.410); 
information obtained during the course of an investigation (see 18 
C.F.R. §§ 1b.9, 1b.20); information and documents obtained through the 
Hotline Staff (see 18 C.F.R. § 1b.21(c)); information obtained during 
the course of examination of books or other accounts (see 15 U.S.C. § 
717g(b); 16 U.S.C. § 825(b)); information exempt from disclosure under 
the FOIA, such as drafts; staff deliberative documents; attorney work 
product and attorney-client communications exempt from disclosure under 
5 U.S.C. § 552(b)(5). 

Designating authority: All filers and staff. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No: 

General Services Administration. 

Agencywide. 

Designation: For Official Use Only. 

Basis for designation: GSA Order, PBS 3490.1--applicable only to 
building information (March 2002--new overall policy in draft). 

Definition: This designation is used for building information deemed 
sensitive and includes but is not limited to paper or electronic 
documentation of physical facility information. 

Designating authority: Assistant Regional Administrators and the Chief 
Architect. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

National Aeronautics and Space Administration. 

Agencywide. 

Designation: Sensitive But Unclassified. 

Basis for designation: Computer Security Act of 1987; Privacy Act, as 
amended; and NPR 1600.1 (November 2005). 

Definition: Unclassified information or material determined to have 
special protection requirements to preclude unauthorized disclosure to 
avoid compromises, risks to facilities, projects, or programs, threat 
to the security and/or safety of the source of information, or to meet 
access restrictions established by laws, directives, or regulations: 
ITAR--International Traffic in Arms Regulations; EAR--Export 
Administration Regulations; MCTL--Militarily Critical Technologies 
List; FAR--Federal Acquisition regulations; Privacy Act; Proprietary; 
FOIA--Freedom of Information Act; UCNI--Unclassified Controlled Nuclear 
Information; NASA Developed Software; Scientific and Technical 
Information (STI); Source Selection and Bid and Proposal Information; 
Inventions. 

Designating authority: All NASA employees and contractors. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

National Science Foundation. 

Agencywide. 

Designation: Sensitive But Unclassified. 

Basis for designation: NSF Privacy Regulations (45 C.F.R. § 613), NSF 
Freedom of Information Act Regulations (45 C.F.R. § 612), NSF Bulletin 
05-14 (September 2005). 

Definition: The designation is given to information that is defined as 
sensitive under the Privacy Act. 

Designating authority: Not specified in response. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Nuclear Regulatory Commission. 

Agencywide. 

Designation: Safeguards Information. 

Basis for designation: Section 147 of Atomic Energy Act of 1954, as 
amended (42 U.S.C. § 2167); 10 C.F.R. § 73-21; Directive 12.6 (December 
1999); (policy revision in draft). 

Definition: Safeguards Information means information, not otherwise 
classified as National Security Information or Restricted Data, that 
specifically identifies a licensee's or applicant's detailed (1) 
control and accounting procedures or security measures (including 
security plans, procedures, and equipment) for the physical protection 
of special nuclear material, by whomever possessed, whether in transit 
or at fixed sites, in quantities determined by the Commission to be 
significant to the public health and safety or the common defense and 
security; (2) security measures (including security plans, procedures, 
and equipment) for the physical protection of source material or 
byproduct material, by whomever possessed, whether in transit or at 
fixed sites, in quantities determined by the Commission to be 
significant to the public health and safety or the common defense and 
security; or (3) security measures (including security plans, 
procedures, and equipment) for the physical protection of and the 
location of certain plant equipment vital to the safety of production 
or utilization facilities involving nuclear materials covered by 
paragraphs (1) and (2) if the unauthorized disclosure of such 
information could reasonably be expected to have a significant adverse 
effect on the health and safety of the public or the common defense and 
security by significantly increasing the likelihood of theft, 
diversion, or sabotage of such material or such facility. 

Designating authority: Employees at the section chief and above levels. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: No. 

Designation: Sensitive Unclassified Non-Safeguards Information. 

Basis for designation: NRC Policy for Handling, Marking and Protecting 
SUNSI (October 2005). 

Definition: Sensitive but unclassified information that does not 
pertain to nuclear Safeguards Information, including any information of 
which the loss, misuse, modification, or unauthorized access can 
reasonably be foreseen to harm the public interest, the commercial or 
financial interests of the entity or individual to whom the information 
pertains, the conduct of NRC and federal programs, or the personal 
privacy of individuals. 

Designating authority: Variable. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Office of Personnel Management. 

Agencywide. 

Designation: For Official Use Only. 

Basis for designation: Not specified; (policy is in draft). 

Definition: The term used within OPM to identify unclassified 
information of a sensitive nature, not otherwise categorized by statute 
or regulation, the unauthorized disclosure of which could adversely 
affect a person's privacy or welfare, the conduct of federal programs, 
or other programs or operations essential to the national interest. 

Designating authority: Deputy Associate Director of the Center for 
Security and Emergency Actions (CSEA). 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Law Enforcement Sensitive. 

Basis for designation: Not specified. 

Definition: Law Enforcement Sensitive Information is unclassified 
information used by law enforcement personnel and requires protection 
against unauthorized disclosure to protect the sources and methods of 
investigative activity, evidence, and the integrity of pretrial 
investigative reports. Law Enforcement Sensitive information can be 
originated by CSEA personnel during the course of an inquiry or 
investigation or it can be received and transmitted to and from other 
law enforcement agencies or organizations. Law Enforcement Sensitive 
information, by definition, is exempt from Freedom of Information Act 
disclosure. 

Designating authority: Deputy Associate Director of the Center for 
Security and Emergency Actions (CSEA). 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Designation: Critical Infrastructure Information. 

Basis for designation: Not specified. 

Definition: The term used within OPM to protect voluntarily shared 
information from public disclosure: financial services, 
telecommunications, transportation, energy, emergency services, and 
government essential services, whose disruption or destruction would 
affect our economic or national security. 

Designating authority: Deputy Associate Director of the Center for 
Security and Emergency Actions (CSEA). 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Small Business Administration. 

Agencywide. 

Designation: None. 

Basis for designation: (new policy in draft). 

Definition: N/A. 

Designating authority: N/A. 

Policies or procedures for specialized training for designators: N/A; 
Systematic review process: N/A. 

Social Security Administration. 

Agencywide. 

Designation: Official Use Only. 

Basis for designation: Union/Management Agreement (October 1997) and 
SSA Administrative Instruction Manual (February 2003). 

Definition: The designation was agreed to by SSA management and the 
union on the distribution, review, and maintenance of physical security 
survey reports. The designation is to limit access to the reports to 
authorized personnel who have a need to know the details of 
contractor-produced physical security facility reviews for the purpose 
of reviewing recommendations and taking corrective actions. 

Designating authority: N/A. 

Policies or procedures for specialized training for designators: N/A; 
Systematic review process: N/A. 

Office of Income Security Programs. 

Designation: Sensitive Instructions. 

Basis for designation: Policy Writer's Toolkit (April 2005). 

Definition: Sensitive Instructions are intranet policy or processing 
instructions available to SSA personnel but not available to the public. 

Designating authority: Decided by author of the policy or system 
instruction based on guidance provided in the Toolkit. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

Office of Policy. 

Designation: Confidential Information Protection and Statistical 
Efficiency Act. 

Basis for designation: Confidential Information Protection and 
Statistical Efficiency Act (Title V of Pub. L. No. 107-347, see 44 
U.S.C. § 3501, note). 

Definition: Data or information acquired by an agency under a pledge of 
confidentiality and for exclusively statistical purposes. The 
information is to be used by officers, employees, or agents of the 
agency exclusively for statistical purposes. 

Designating authority: The Associate Commissioner of the Office of 
Research, Evaluation, and Statistics is authorized to make this 
designation for the Office of Policy. 

Policies or procedures for specialized training for designators: N/A; 
Systematic review process: No. 

Office of Realty and Management. 

Designation: For Official Use Only. 

Basis for designation: GSA Order, PBS 3490.1 (March 2002)--GSA policy 
for federal buildings. 

Definition: All building information falls under the designation. The 
designation remains in force for the entire life cycle of a building, 
from design inception through construction, and to the demolition or 
lease termination for the property. 

Designating authority: Not specified. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

United States Agency for International Development. 

Agencywide. 

Designation: Sensitive But Unclassified. 

Basis for designation: State Department's 12 FAM 540 and Automated 
Directive System 568.3.2. 

Definition: The designation is used for official information and 
material that is not national security information, and therefore is 
not classifiable, but nevertheless requires protection due to the risk 
and magnitude of loss or harm that could result from inadvertent or 
deliberate disclosure, alteration or destruction of the data. The term 
includes data whose improper use or disclosure could adversely affect 
the ability of the agency to accomplish its mission, proprietary data, 
records requiring protection under the Privacy Act and data not 
releasable under the Privacy Act and the Freedom of Information Act (5 
U.S.C. § 552). 

Designating authority: Any official having management authority for the 
information. 

Policies or procedures for specialized training for designators: No; 
Systematic review process: No. 

United States Postal Service. 

Agencywide. 

Designation: Sensitive Information. 

Basis for designation: 39 C.F.R. § 262.3(a). 

Definition: Information that has been identified by the USPS as 
restricted or critical. 

Designating authority: Chief Privacy Officer and Corporate Information 
Security Officer. 

Policies or procedures for specialized training for designators: Yes; 
Systematic review process: Yes. 

[End of table] 

[End of section] 

Appendix III: Comments from the Office of the Director of National 
Intelligence: 

OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE: 
WASHINGTON, DC 20511: 

March 2, 2006: 

Henry L. Hinton, Jr. 

Managing Director, Defense Capabilities and Management: 
United States Government Accountability Office: 
Washington, D.C. 20548: 

Dear Mr. Hinton: 

We appreciate the opportunity to review the Government Accountability 
Office's (GAO) March 2006 draft report entitled, The Federal Government 
Needs to Establish Policies and Processes for Sharing Terrorism-Related 
and Sensitive but Unclassified Information, as conveyed in your 
February 9, 2006 letter. 

The draft report is very broad and addresses a number of 
intelligence-related issues, including a discussion of the management 
of the Office of the Director of National Intelligence (ODNI) and 
specific recommendations to the Director of National Intelligence 
(DNI). 

We are aware that you have been previously advised by the Department of 
Justice that the review of intelligence activities is beyond the GAO's 
purview. For similar reasons, we decline to provide the GAO with 
comments on the draft report. 

The Congress and the Executive Branch have established a long-standing, 
effective and efficient process for the oversight of intelligence 
activities. To assist Congress in its oversight responsibilities, the 
Executive Branch regularly provides information and briefings to the 
congressional intelligence committees, and to other committees of 
jurisdiction, on relevant topics including information sharing within 
the Federal government and the activities of the Program Manager for 
the Information Sharing Environment. 

If you have any questions concerning this matter, please contact Mr. 
Peter Petrihos, in the Office of Legislative Affairs, at 703-482-5616. 

Sincerely, 

Signed by: 

Kathleen Turner: 
Deputy Director: 
Office of Legislative Affairs: 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

David Powner at (202) 512-9286 or pownerd@gao.gov or Eileen Larence at 
(202) 512-6510 or larencee@gao.gov: 

Staff Acknowledgments: 

In addition to the individuals named above, Susan Quinlan, Assistant 
Director, Rochelle Burns, Joanne Fiorino, Thomas Lombardi, Lori 
Martinez, Vickie Miller, David Plocher, John Stradling, Morgan Walts, 
and Marcia Washington made key contributions to this report. 

FOOTNOTES 

[1] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C. 
January 2005). 

[2] Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135. 

[3] Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. 
No. 108-458, 118 Stat. 3638. 

[4] For purposes of this report, the term "terrorism-related 
information" encompasses both homeland security information, as defined 
by the Homeland Security Act, and terrorism information, as defined by 
the Intelligence Reform Act. 

[5] We selected major federal agencies defined as those subject to the 
Chief Financial Officers Act, and also included the Federal Energy 
Regulatory Commission and the U.S. Postal Service because our previous 
experience with these agencies indicated that they used sensitive but 
unclassified designations. 

[6] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C. November 1999). 

[7] Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135. 

[8] Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. 
No. 108-458, 118 Stat. 3638. 

[9] GAO-05-207. 

[10] GAO, Information Technology: Federal Agencies Face Challenges in 
Implementing Initiatives to Improve Public Health Infrastructure, 
GAO-05-308 (Washington, D.C. June 10, 2005). 

[11] GAO, Critical Infrastructure Protection: Department of Homeland 
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, 
GAO-05-434 (Washington, D.C. May 26, 2005). 

[12] GAO, Information Technology: Major Federal Networks That Support 
Homeland Security Functions, GAO-04-375 (Washington D.C. Sept. 17, 
2004). 

[13] GAO, Critical Infrastructure Protection: Improving Information 
Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C. July 
9, 2004). 

[14] GAO, Information Sharing: Practices That Can Benefit Critical 
Infrastructure Protection, GAO-02-24 (Washington, D.C. Oct. 15, 2001). 

[15] See Executive Order 13292, Further Amendment to Executive Order 
12958, as Amended, Classified National Security Information (Mar. 25, 
2003). 

[16] 5 U.S.C. § 552. 

[17] OMB is responsible for developing and overseeing federal agency 
implementation of policies, principles, standards, and guidelines for 
the management of information resources, including information 
collection, privacy protection, records management, information 
security, and information technology. OMB's duties are set forth 
primarily in the Paperwork Reduction Act (44 U.S.C. § 3504), the 
Privacy Act (5 U.S.C. § 552a), the Federal Information Security 
Management Act (44 U.S.C. § 3543), the E-Government Act (44 U.S.C. § 
3602), and the Clinger-Cohen Act (40 U.S.C. § 11301). OMB's primary 
guidance in this area is found in OMB Circular No. A-130, Management of 
Federal Information Resources (November 2000). For this and related OMB 
guidance, see http://www.whitehouse.gov/omb/inforeg/infopoltech.html. 

[18] NCTC does not handle intelligence pertaining to domestic terrorism 
and counterterrorism. 

[19] GAO-04-375. 

[20] We selected major federal agencies--defined as those subject to 
the Chief Financial Officers Act--and we also included the Federal 
Energy Regulatory Commission and the U.S. Postal Service because our 
previous experience with these agencies indicated that they used 
sensitive but unclassified designations. 

[21] This total includes 16 designations used solely by the DOE. DOE 
also uses four additional designations. 

[22] The Departments of Defense, Energy, Health and Human Services, 
Homeland Security, and Justice spent 92 percent of the federal homeland 
security budget in fiscal year 2005. 

[23] 31 U.S.C. §§ 712, 717. 

[24] These include narrow legal limitations on our access to certain 
"unvouchered" accounts of the Central Intelligence Agency and on our 
authority to compel our access to foreign intelligence and 
counterintelligence information. For more detail, see our testimony, 
U.S. General Accounting Office, Central Intelligence Agency: 
Observations on GAO Access to Information on CIA Programs and 
Activities, GAO-01-975T (Washington, D.C. July 2001). See also 31 
U.S.C. § 716(d). 

[25] GAO/AIMD-00-21.3.1. 
