
Managing Sensitive Information: Departments of Energy and Defense Policies and Oversight Could Be Improved

GAO-06-369 Published: Mar 07, 2006. Publicly Released: Mar 14, 2006.

Highlights

In the interest of national security and personal privacy and for other reasons, federal agencies place dissemination restrictions on information that is unclassified yet still sensitive. The Department of Energy (DOE) and the Department of Defense (DOD) have both issued policy guidance on how and when to protect sensitive information. DOE marks documents with this information as Official Use Only (OUO) while DOD uses the designation For Official Use Only (FOUO). GAO was asked to (1) identify and assess the policies, procedures, and criteria DOE and DOD employ to manage OUO and FOUO information and (2) determine the extent to which DOE's and DOD's training and oversight programs assure that information is identified, marked, and protected according to established criteria.

Recommendations

Recommendations for Executive Action

Agency Affected / Recommendation / Status
Department of Defense: To assure that the guidance governing the FOUO program reflects the necessary internal controls for good program management, the Secretary of Defense should revise the regulations that currently provide guidance on the FOUO program to conform to the 1998 policy memo designating which office has responsibility for the FOUO program.
Status: Closed – Implemented
The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 4 of the manual provides guidance on identifying and protecting controlled unclassified information (CUI), which includes For Official Use Only (FOUO) information. Volume 4, enclosure 2 of the manual, entitled "Responsibilities," designates the Office of the Under Secretary of Defense for Intelligence (USD(I)) responsibility for directing, administering, and overseeing DOD's Information Security Program. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 4 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.
Department of Defense: To assure that the guidance governing the FOUO program reflects the necessary internal controls for good program management, the Secretary of Defense should revise any regulation governing the FOUO program to require that personnel designating a document as FOUO also mark the document with the FOIA exemption used to determine the information should be restricted.
Status: Closed – Not Implemented
Based on follow-up information from DOD, DOD does not intend to implement this recommendation because DOD did not concur with the recommendation.
Department of Defense: To clarify all guidance regarding the OUO and FOUO designations, the Secretaries of Energy and Defense should identify at what point the document should be marked as OUO or FOUO.
Status: Closed – Not Implemented
The Department of Defense (DOD) non-concurred with this recommendation in 2006. In recent conversations with Under Secretary of Defense for Intelligence (USD(I)) officials, they stated that DOD has no intention of implementing this recommendation.
Department of Energy: To clarify all guidance regarding the OUO and FOUO designations, the Secretaries of Energy and Defense should identify at what point the document should be marked as OUO or FOUO.
Status: Closed – Implemented
DOE stated that it had revised its departmental OUO directives on September 15, 2006 to clarify when documents should be marked OUO and what constituted an inappropriate use of OUO.
Department of Defense: To clarify all guidance regarding the OUO and FOUO designations, the Secretaries of Energy and Defense should define what would be an inappropriate use of the designations OUO or FOUO.
Status: Closed – Implemented
The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 4 of the manual provides guidance on identifying and protecting controlled unclassified information (CUI), which includes For Official Use Only (FOUO) information. Volume 4, enclosure 3 of the manual, entitled "Identification and Protection of CUI," states that information may not be designated CUI to: (1) conceal violations of law, inefficiency, or administrative error; (2) prevent embarrassment to a person, organization, or agency; (3) restrain competition; or (4) prevent or delay the release of information that does not require protection under statute or regulation. The manual further states that information shall not be designated CUI to prevent or avoid its proper classification, and that information that has been disclosed to the public under proper authority may not be subsequently designated or redesignated CUI. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 4 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.
Department of Energy: To clarify all guidance regarding the OUO and FOUO designations, the Secretaries of Energy and Defense should define what would be an inappropriate use of the designations OUO or FOUO.
Status: Closed – Implemented
DOE stated that it had revised its departmental OUO directives on September 15, 2006 to clarify when documents should be marked OUO and what constituted an inappropriate use of OUO.
Department of Defense: To assure that OUO and FOUO designations are correctly and consistently applied, the Secretaries of Energy and Defense should assure that all employees authorized to make OUO and FOUO designations receive an appropriate level of training before they can mark documents.
Status: Closed – Implemented
The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 4 of the manual provides guidance on identifying and protecting controlled unclassified information (CUI), which includes For Official Use Only (FOUO) information. Volume 4, enclosure 4 of the manual, entitled "CUI Education and Training," states that personnel who have access to CUI shall receive, upon initial entry into a position that requires such access, training in CUI policies, principles, and practices that addresses, among other things: (1) the responsibilities of personnel who create or handle CUI; (2) the characteristics that qualify information for designation as CUI and the importance of properly applying CUI markings; (3) the marking and protection requirements for FOUO information and other categories of CUI routinely used; and (4) where to find detailed guidance on marking, handling, storing, transmitting, sharing, and destroying CUI. The manual also requires DOD personnel with access to CUI to complete annual refresher training that reinforces the policies, principles, and procedures covered in the initial CUI training. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 4 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.
Department of Energy: To assure that OUO and FOUO designations are correctly and consistently applied, the Secretaries of Energy and Defense should assure that all employees authorized to make OUO and FOUO designations receive an appropriate level of training before they can mark documents.
Status: Closed – Not Implemented
The team contacted Mr. Andrew Weston-Dawkes, the director of the Office of Classification and Information Control. Mr. Weston-Dawkes stated that the situation had not changed since the team last contacted him in the summer of 2008. He explained that the Office of Classification and Information Control drafted a change in the DOE Order governing the marking of documents OUO that would have required employees to have training before marking any documents but that the DOE Office of General Counsel objected. He added that their objections remain. Mr. Weston-Dawkes added that the Obama Administration was in the final stages of drafting its own, government-wide policy on this, and that it too would not require that all employees authorized to make OUO and FOUO designations, as well as any other CUI (controlled unclassified information) designations, receive an appropriate level of training before they can mark documents. Mr. Weston-Dawkes expects this executive order to apply government-wide. Accordingly, we are closing this recommendation as unimplemented.
Department of Defense: To assure that OUO and FOUO designations are correctly and consistently applied, the Secretaries of Energy and Defense should develop a system to conduct periodic oversight of OUO and FOUO designations to assure that information is being properly marked and handled.
Status: Closed – Implemented
The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 4 of the manual provides guidance on identifying and protecting controlled unclassified information (CUI), which includes For Official Use Only (FOUO) information. Volume 4, enclosure 2 of the manual, entitled "Responsibilities," requires all DOD organizations to establish and maintain an ongoing oversight program to evaluate and assess the effectiveness and efficiency of their information security program pertaining to CUI. According to the manual, evaluation criteria for the oversight program shall include CUI safeguarding, designation, education and training, and management and oversight; and a periodic review and assessment of CUI products to ensure that the information is being properly marked and handled. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 4 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.
Department of Energy: To assure that OUO and FOUO designations are correctly and consistently applied, the Secretaries of Energy and Defense should develop a system to conduct periodic oversight of OUO and FOUO designations to assure that information is being properly marked and handled.
Status: Closed – Implemented
The head of classification oversight for DOE's Office of Security Evaluations reports that reviews of the appropriateness of OUO designations were incorporated into OSE reviews of classification programs beginning at OSE's review of the Savannah River Site in the summer of 2006, and have been a part of every OSE inspection since -- which would be 6 in 2006 and 7 so far in 2007. This confirms the statement in DOE's September 19, 2006 letter to GAO from the head of the Office of Health, Safety and Security concerning this report, stating that reviews of OUO documents were being incorporated into OSE oversight reviews and self-assessments, and that DOE directives were being revised to reflect this policy change.

Topics

Confidential communications, Confidential information, Employee training, Evaluation criteria, Information access, Information management, Internal controls, Policy evaluation, Program evaluation, Policies and procedures, Transparency