Managing Sensitive Information: DOJ Needs a More Complete Staffing Strategy for Managing Classified Information and a Set of Internal Controls for Other Sensitive Information

GAO-07-83 Published: Oct 20, 2006. Publicly Released: Nov 20, 2006.
Highlights

The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives' Information Security Oversight Office (ISOO) assesses agencies' classification management programs, and in July 2004 and April 2005 recommended changes to correct problems at the Justice Department (DOJ) and Federal Bureau of Investigation (FBI). GAO was asked to examine (1) DOJ's and FBI's progress in implementing the recommendations and (2) the management controls DOJ components have to ensure the proper use of sensitive but unclassified designations. GAO reviewed ISOO's reports and agency documentation on changes implemented and controls in place, and interviewed security program managers at DOJ, its components, and ISOO to examine these issues.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Justice: To strengthen DOJ's management of classified information, the Attorney General should direct the security and emergency planning staff (SEPS) director to determine the resource level needed to ensure that it can effectively carry out the office's responsibilities, including full implementation of the ISOO recommendations.
Closed – Implemented
Security and Emergency Planning Staff issued a memorandum on July 28, 2009, outlining a reorganization plan to address deficiencies pointed out by the National Archives' Information Security Oversight Office, as well as recommendations made in GAO's report. The plan details the resources necessary to enhance the management of sensitive information, including roles and responsibilities for relevant staff members in areas such as training and inspections. This action is responsive to our recommendation and as a result the recommendation is closed as implemented.
Department of Justice: To strengthen DOJ's management of classified information, the Attorney General should direct the SEPS director to devise a strategy for making resources available and for using them most effectively to address remaining deficiencies in ways that reduce the most risk to proper management of classified information, such as determining whether to address training, oversight, or other program deficiencies first.
Closed – Implemented
Security and Emergency Planning Staff (SEPS) issued a memorandum on July 28, 2009 outlining a reorganization plan to address deficiencies pointed out by the National Archives' Information Security Oversight Office, as well as recommendations made in GAO's report. The plan delineates a structured approach for SEPS staff to use in managing classified information and meeting requirements for inspections, training, and other related functions. This plan meets the intent of our recommendation and as a result the recommendation is closed as implemented.
Department of Justice: In addition, to help ensure that sensitive but unclassified designations are correctly and consistently applied, and once the interagency working group has determined the standard set of sensitive but unclassified designations for the federal government, the Attorney General should ensure that the department and its various components establish specific guidance for applying the designations they will use.
Closed – Implemented
The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives and Records Administration (NARA) assesses agencies' classification management programs. In our October 2006 report, we noted that the Department of Justice (DOJ) had made progress in implementing NARA's recommendations aimed at correcting deficiencies in its programs to properly classify information. However, DOJ had not provided its components (e.g., Bureau of Alcohol, Tobacco, Firearms and Explosives; Criminal Division; Drug Enforcement Administration; Federal Bureau of Investigation; and U.S. Marshals Service) with guidance for applying the designations they will use. At that time, DOJ officials noted that the department was waiting for additional guidance and governmentwide standards for sensitive but unclassified information before considering additional changes in its practices or those of its components. In November 2010, the President signed Executive Order 13556 "Controlled Unclassified Information" (CUI), which established the CUI program to standardize how the executive branch handles unclassified information and designated NARA as the CUI Executive Agent. In this role, NARA has the authority and responsibility to oversee and manage implementation of the CUI program. In April 2011, DOJ provided NARA with recommendations for proposed CUI categories and subcategories, marking, safeguarding, and dissemination requirements. In June 2011, NARA issued implementation guidance for the executive order, which allowed DOJ to move forward. DOJ has 180 days from the issuance date (until December 2011) to fully implement the CUI guidance and related policies.
In July 2011, DOJ's Assistant Director for Security and Emergency Planning Staff stated that the department has drafted a framework to provide specific guidance to components on the department's CUI program, including application of designations. He noted that this framework will serve as DOJ's "one-stop-shop" for internal guidance related to the application of CUI designations and that the department has reserved Chapter 16 of its Security Program Operating Manual for this guidance. He added that the framework document is currently undergoing internal DOJ review and will then be sent to department components. Finally, he noted that DOJ's guidance cannot be finalized until NARA provides additional implementation guidance over the next several months, but that he does not foresee any obstacles to DOJ finalizing its guidance before NARA's December 2011 deadline. These actions meet the intent of our recommendation and it is closed as implemented.
Department of Justice: In addition, to help ensure that sensitive but unclassified designations are correctly and consistently applied, and once the interagency working group has determined the standard set of sensitive but unclassified designations for the federal government, the Attorney General should ensure that the department and its various components ensure that all employees authorized to make the designations have the necessary training before they can designate documents.
Closed – Implemented
The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives and Records Administration (NARA) assesses agencies' classification management programs. In our October 2006 report, we noted that the Department of Justice (DOJ) had made progress in implementing NARA's recommendations aimed at correcting deficiencies in its programs to properly classify information. However, DOJ had not provided its components (e.g., Bureau of Alcohol, Tobacco, Firearms and Explosives; Criminal Division; Drug Enforcement Administration; Federal Bureau of Investigation; and U.S. Marshals Service) with training to ensure that all employees authorized to make sensitive but unclassified designations have the necessary training before they can designate documents. At that time, DOJ officials noted that the department was waiting for additional guidance and governmentwide standards for sensitive but unclassified information before considering additional changes in its practices or those of its components. In November 2010, the President signed Executive Order 13556 "Controlled Unclassified Information" (CUI), which established the CUI program to standardize how the executive branch handles unclassified information and designated NARA as the CUI Executive Agent. In this role, NARA has the authority and responsibility to oversee and manage implementation of the CUI program. In June 2011, NARA issued initial implementation guidance for the executive order, which provides minimum standards for education and training. DOJ has 180 days from the issuance date (until December 2011) to fully implement the CUI guidance and related policies. 
In July 2011, DOJ's Assistant Director for Security and Emergency Planning Staff stated that NARA has provided a baseline training module on CUI (which is also available on NARA's website) that will be rolled out to DOJ officials before the end of August 2011. This training module will be an introduction to CUI guidance and implementation. He noted that DOJ has an existing training module (Control and Protection of Limited Official Use Information under DOJ order 2620.7) that the department is modifying to provide more detailed training to department employees on CUI designations. DOJ officials added that other training could include PowerPoint briefings, computer-based training, and live presentations provided to Security Programs Managers and posted to a security office webpage. These actions substantially meet the intent of our recommendation and it is closed as implemented.
Department of Justice: In addition, to help ensure that sensitive but unclassified designations are correctly and consistently applied, and once the interagency working group has determined the standard set of sensitive but unclassified designations for the federal government, the Attorney General should ensure that the department and its various components set internal controls for overseeing sensitive but unclassified designations to help ensure that they are properly applied.
Closed – Implemented
The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives and Records Administration (NARA) assesses agencies' classification management programs. In our October 2006 report, we noted that the Department of Justice (DOJ) had made progress in implementing NARA's recommendations aimed at correcting deficiencies in its programs to properly classify information. However, DOJ had not set internal controls for overseeing sensitive but unclassified designations to help ensure that they are properly applied. At that time, DOJ officials noted that the department was waiting for additional guidance and governmentwide standards for sensitive but unclassified information before considering additional changes in its practices or those of its components. In November 2010, the President signed Executive Order 13556 "Controlled Unclassified Information" (CUI), which established the CUI program to standardize how the executive branch handles unclassified information and designated NARA as the CUI Executive Agent. In this role, NARA has the authority and responsibility to oversee and manage implementation of the CUI program. In June 2011, NARA issued initial implementation guidance for the executive order, which requires agencies to create a self-inspection program that adheres to the principles and requirements of the executive order and implementation guidance. DOJ has 180 days from the issuance date (until December 2011) to fully implement the CUI guidance and related policies. In July 2011, DOJ's Assistant Director for Security and Emergency Planning Staff stated that compliance with the new standards and policies will be achieved through the DOJ Security Program Operating Manual self-inspection program and the DOJ Compliance Review Team. 
He noted that the Compliance Review Team currently provides oversight of all DOJ security-related activities and will be responsible for ensuring that DOJ components comply with the principles and requirements of CUI guidance during the initial rollout. He added that DOJ's existing self-inspection checklist, currently in place for Limited Official Use designations, will be revised to reflect the new CUI guidance. The checklist will include information on whether DOJ components have conducted CUI training and if officials are familiar with the CUI designation registry, among other things. The checklist will be administered by each component's security office and be an integral part of the Compliance Review Team's annual inspection process. The CUI self-inspection program will be similar to the existing self-inspection program that is used to monitor and oversee the designation of classified information. These actions meet the intent of the recommendation and it is closed as implemented.

Topics

Classified information
Employee training
Government information dissemination
Homeland security
Information classification
Information disclosure
Information management
Information security
Inspection
Internal controls
Policy evaluation
Program management
Reporting requirements
Risk assessment