Managing Sensitive Information:

Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities

GAO-10-251: Published: Dec 15, 2009. Publicly Released: Dec 23, 2009.

Contact:

Eugene E. Aloise
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

On May 7, 2009, the Government Printing Office (GPO) published a 266-page document on its Web site that provided detailed information on civilian nuclear sites, locations, facilities, and activities in the United States. At the request of the Speaker of the House, this report determines (1) which U.S. agencies were responsible for the public release of this information and why the disclosure occurred, and (2) what impact, if any, the release of the information has had on U.S. national security. In performing this work, the Government Accountability Office (GAO) analyzed policies, procedures, and guidance for safeguarding sensitive information and met with officials from four executive branch agencies involved in preparing the document, the White House, the House of Representatives, and GPO.

While no single U.S. government agency or office was entirely responsible for the public disclosure of the draft declaration, all of the agencies and offices involved in preparing and publishing the draft declaration share some responsibility for its release. GAO identified several points during the life cycle of the draft document where problems in the process occurred. First, none of the agencies that prepared the draft declaration--the Departments of Energy (DOE) and Commerce, and the Nuclear Regulatory Commission (NRC)--took the added precaution of ensuring that the consolidated draft they helped prepare had a U.S. security designation on each page of the document. Rather, the final version of the document, which they all reviewed, was marked only with the International Atomic Energy Agency's (IAEA) designation--"Highly Confidential Safeguards Sensitive." This marking has no legal significance in the United States. Second, the Department of State, which prepared the draft declaration for transmittal to the White House, sent a transmittal letter to the National Security Council indicating that the contents of the draft declaration should be treated as Sensitive but Unclassified (SBU). Not all federal agencies use this particular marking and, therefore, the marking created confusion for other executive and legislative branch offices that subsequently received the draft declaration on whether the information could be published. Third, the National Security Council, which reviewed the draft declaration on behalf of the White House, did not provide explicit and clear instructions on how to handle the draft declaration to the White House Clerk's Office. Fourth, the legislative branch offices which reviewed and then transmitted the document to GPO for publication--the House of Representatives' Parliamentarian and Clerk's Office--determined incorrectly, in GAO's view, that the document could be published. 
Officials from these congressional offices were not familiar with the phrase "Sensitive but Unclassified" and did not know how to safeguard that information. Finally, GPO, which proofread and processed the document for publication, did not raise any concerns about the document's sensitivity. GAO believes it is important to correct these problems as soon as possible because the United States is required to submit a declaration to IAEA annually.

The public release of the draft declaration of civilian nuclear sites and nuclear facilities does not appear to have damaged national security, according to officials from DOE, NRC, and Commerce. Commerce, DOE, and NRC did not assess the national security implications of the draft declaration's public release because these agencies--plus the Department of Defense--had reviewed the list of civilian nuclear facilities and related activities prior to transmitting it to the White House and Congress to ensure that information of direct national security significance was not included. Information in the draft declaration was limited to civilian nuclear activities, and most nuclear-related information was publicly available on agency Web sites or other publicly available documents. However, according to officials from all of the agencies responsible for compiling this information, the information consolidated in one document made it sensitive and, thus, it should never have been posted to GPO's Web site.

Recommendations for Executive Action

  1. Status: Open

    Comments: The recommendation will remain open pending additional information from the agency.

    Recommendation: To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for the International Atomic Energy Agency (IAEA) by multiple U.S. agencies, the Secretaries of Commerce, Energy, and State, and the Chairman of the Nuclear Regulatory Commission (NRC) should enter into an interagency agreement concerning the designation, marking, and handling of such information, and make any policy or regulatory changes necessary to reach such an agreement. This agreement should be revised, as necessary, to take into account future direction from the President or the Controlled Unclassified Information Council regarding standardization of the procedures for designating, marking, and handling documents that are unclassified but are not intended for public release.

    Agency Affected: Nuclear Regulatory Commission

  2. Status: Open

    Comments: The recommendation will remain open pending additional information from the agency.

    Recommendation: To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for the International Atomic Energy Agency (IAEA) by multiple U.S. agencies, the Secretaries of Commerce, Energy, and State, and the Chairman of the Nuclear Regulatory Commission (NRC) should enter into an interagency agreement concerning the designation, marking, and handling of such information, and make any policy or regulatory changes necessary to reach such an agreement. This agreement should be revised, as necessary, to take into account future direction from the President or the Controlled Unclassified Information Council regarding standardization of the procedures for designating, marking, and handling documents that are unclassified but are not intended for public release.

    Agency Affected: Department of State

  3. Status: Open

    Comments: The recommendation will remain open pending additional information from the agency.

    Recommendation: To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for the International Atomic Energy Agency (IAEA) by multiple U.S. agencies, the Secretaries of Commerce, Energy, and State, and the Chairman of the Nuclear Regulatory Commission (NRC) should enter into an interagency agreement concerning the designation, marking, and handling of such information, and make any policy or regulatory changes necessary to reach such an agreement. This agreement should be revised, as necessary, to take into account future direction from the President or the Controlled Unclassified Information Council regarding standardization of the procedures for designating, marking, and handling documents that are unclassified but are not intended for public release.

    Agency Affected: Department of Commerce

  4. Status: Open

    Comments: The recommendation will remain open pending additional information from the agency.

    Recommendation: To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for the International Atomic Energy Agency (IAEA) by multiple U.S. agencies, the Secretaries of Commerce, Energy, and State, and the Chairman of the Nuclear Regulatory Commission (NRC) should enter into an interagency agreement concerning the designation, marking, and handling of such information, and make any policy or regulatory changes necessary to reach such an agreement. This agreement should be revised, as necessary, to take into account future direction from the President or the Controlled Unclassified Information Council regarding standardization of the procedures for designating, marking, and handling documents that are unclassified but are not intended for public release.

    Agency Affected: Department of Energy

  5. Status: Open

    Comments: The recommendation will remain open pending additional information from the agency.

    Recommendation: To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for IAEA by multiple U.S. agencies, the Secretary of State should clearly indicate in the text whether the presidential message and attached documents, if any, should be printed and made publicly available when preparing presidential communications to Congress for documents to be presented to IAEA.

    Agency Affected: Department of State

  6. Status: Open

    Comments: The recommendation will remain open pending additional information from the agency.

    Recommendation: To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for IAEA by multiple U.S. agencies, the Executive Office of the President should consider revising any written guidance and/or practices it has and conduct staff training for handling and safeguarding sensitive information in future declarations or other documents between the United States and IAEA before it needs to issue its next declaration in May 2010.

    Agency Affected: Executive Office of the President

  7. Status: Closed - Implemented

    Comments: In response to our recommendation, GPO took the following steps: (1) Updated order forms to include classification fields to indicate whether the work requested is classified or sensitive, as well as procedures to follow for handling sensitive information. GPO also updated its Printing Procurement Regulation to ensure that GPO's federal agency customer meets all personally identifiable information (PII) or sensitive information handling requirements for all awards over $100,000 that involve PII or other sensitive information. Agencies must provide a copy of the security plan and the pre-award survey. If unavailable, the agency's confirmation must include a specific waiver of a contractor security plan and pre-award survey. (2) Prepared a Standard Operating Procedure for GPO customer service employees describing receipt of material from a federal customer agency, procuring the contract requirements, and reporting of any suspected or known breach of PII or sensitive information procedures. (3) Updated GPO Directive 825.7D through the issuance of Directive 825.7E to address "sensitive information." GPO Directive 825.7E specifically addresses the handling of sensitive information, detailing that "controlled but unclassified" information must be protected and controlled, and that GPO business unit managers must ensure employees are aware of classification levels of information being printed and/or handled. (4) Briefed and trained GPO managers and supervisors who receive information/jobs from customers on sensitive information. Customers submit in writing the appropriate sensitivity level and any special handling instruction on information being submitted. (5) Briefed GPO staff on Operations Security, which informs them about their responsibility to protect and report unclassified indicators, which may seem minor or irrelevant, but could be critical intelligence data.
GPO's Security Services also perform weekly security walks visiting employees and managers throughout GPO distributing security awareness information on the Operations Security (unclassified indicators), the Eagle Eyes Program ("see something - say something"), and the Controlled Unclassified Information (CUI) program, which details how to handle sensitive unclassified information. Additionally, all GPO employees with security clearances are provided security briefings on their responsibility for handling and controlling "national security information."

    Recommendation: To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for IAEA by multiple U.S. agencies, GPO's public printer should implement, as expeditiously as possible, the recommendations from the agency's August 2009 Inspector General report in order to improve the security culture and reduce the possibility of future postings of sensitive information to the GPO Web site.

    Agency Affected: Government Printing Office

 
