Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities
Highlights
On May 7, 2009, the Government Printing Office (GPO) published a 266-page document on its Web site that provided detailed information on civilian nuclear sites, locations, facilities, and activities in the United States. At the request of the Speaker of the House, this report determines (1) which U.S. agencies were responsible for the public release of this information and why the disclosure occurred, and (2) what impact, if any, the release of the information has had on U.S. national security. In performing this work, the Government Accountability Office (GAO) analyzed policies, procedures, and guidance for safeguarding sensitive information and met with officials from four executive branch agencies involved in preparing the document, the White House, the House of Representatives, and GPO.
While no single U.S. government agency or office was entirely responsible for the public disclosure of the draft declaration, all of the agencies and offices involved in preparing and publishing the draft declaration share some responsibility for its release. GAO identified several points during the life cycle of the draft document where problems in the process occurred. First, none of the agencies that prepared the draft declaration--the Departments of Energy (DOE) and Commerce, and the Nuclear Regulatory Commission (NRC)--took the added precaution of ensuring that the consolidated draft they helped prepare had a U.S. security designation on each page of the document. Rather, the final version of the document, which they all reviewed, was marked only with the International Atomic Energy Agency's (IAEA) designation--"Highly Confidential Safeguards Sensitive." This marking has no legal significance in the United States. Second, the Department of State, which prepared the draft declaration for transmittal to the White House, sent a transmittal letter to the National Security Council indicating that the contents of the draft declaration should be treated as Sensitive but Unclassified (SBU). Not all federal agencies use this particular marking and, therefore, the marking created confusion for other executive and legislative branch offices that subsequently received the draft declaration on whether the information could be published. Third, the National Security Council, which reviewed the draft declaration on behalf of the White House, did not provide explicit and clear instructions on how to handle the draft declaration to the White House Clerk's Office. Fourth, the legislative branch offices which reviewed and then transmitted the document to GPO for publication--the House of Representatives' Parliamentarian and Clerk's Office--determined incorrectly, in GAO's view, that the document could be published. Officials from these congressional offices were not familiar with the phrase "Sensitive but Unclassified" and did not know how to safeguard that information. Finally, GPO, which proofread and processed the document for publication, did not raise any concerns about the document's sensitivity. GAO believes it is important to correct these problems as soon as possible because the United States is required to submit a declaration to IAEA annually. The public release of the draft declaration of civilian nuclear sites and nuclear facilities does not appear to have damaged national security, according to officials from DOE, NRC, and Commerce. Commerce, DOE, and NRC did not assess the national security implications of the draft declaration's public release because these agencies--plus the Department of Defense--had reviewed the list of civilian nuclear facilities and related activities prior to transmitting it to the White House and Congress to ensure that information of direct national security significance was not included. Information in the draft declaration was limited to civilian nuclear activities, and most nuclear-related information was publicly available on agency Web sites or other publicly available documents. However, according to officials from all of the agencies responsible for compiling this information, the information consolidated in one document made it sensitive and, thus, it should never have been posted to GPO's Web site.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Nuclear Regulatory Commission | To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for the International Atomic Energy Agency (IAEA) by multiple U.S. agencies, the Secretaries of Commerce, Energy, and State, and the Chairman of the Nuclear Regulatory Commission (NRC) should enter into an interagency agreement concerning the designation, marking, and handling of such information, and make any policy or regulatory changes necessary to reach such an agreement. This agreement should be revised, as necessary, to take into account future direction from the President or the Controlled Unclassified Information Council regarding standardization of the procedures for designating, marking, and handling documents that are unclassified but are not intended for public release. |
Closed – Not Implemented
Implementation of the recommendation would require all four agencies to which the recommendation was made 'the Department of Commerce, the Department of Energy, the Department of State, and the Nuclear Regulatory Commission' to enter into an interagency agreement on the designation, marking, and handling of sensitive information. According to the State Department, the relevant agencies have coordinated on the these issues. However, the agencies have not completed an interagency agreement to formalize the designation, marking, and handling procedures for sensitive information.
|
| Department of State | To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for the International Atomic Energy Agency (IAEA) by multiple U.S. agencies, the Secretaries of Commerce, Energy, and State, and the Chairman of the Nuclear Regulatory Commission (NRC) should enter into an interagency agreement concerning the designation, marking, and handling of such information, and make any policy or regulatory changes necessary to reach such an agreement. This agreement should be revised, as necessary, to take into account future direction from the President or the Controlled Unclassified Information Council regarding standardization of the procedures for designating, marking, and handling documents that are unclassified but are not intended for public release. |
Closed – Not Implemented
Implementation of the recommendation would require all four agencies to which the recommendation was made 'the Department of Commerce, the Department of Energy, the Department of State, and the Nuclear Regulatory Commission' to enter into an interagency agreement on the designation, marking, and handling of sensitive information. According to the State Department, the relevant agencies have coordinated on the these issues. However, the agencies have not completed an interagency agreement to formalize the designation, marking, and handling procedures for sensitive information.
|
| Department of Commerce | To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for the International Atomic Energy Agency (IAEA) by multiple U.S. agencies, the Secretaries of Commerce, Energy, and State, and the Chairman of the Nuclear Regulatory Commission (NRC) should enter into an interagency agreement concerning the designation, marking, and handling of such information, and make any policy or regulatory changes necessary to reach such an agreement. This agreement should be revised, as necessary, to take into account future direction from the President or the Controlled Unclassified Information Council regarding standardization of the procedures for designating, marking, and handling documents that are unclassified but are not intended for public release. |
Closed – Not Implemented
Implementation of the recommendation would require all four agencies to which the recommendation was made 'the Department of Commerce, the Department of Energy, the Department of State, and the Nuclear Regulatory Commission' to enter into an interagency agreement on the designation, marking, and handling of sensitive information. According to the State Department, the relevant agencies have coordinated on the these issues. However, the agencies have not completed an interagency agreement to formalize the designation, marking, and handling procedures for sensitive information.
|
| Department of Energy | To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for the International Atomic Energy Agency (IAEA) by multiple U.S. agencies, the Secretaries of Commerce, Energy, and State, and the Chairman of the Nuclear Regulatory Commission (NRC) should enter into an interagency agreement concerning the designation, marking, and handling of such information, and make any policy or regulatory changes necessary to reach such an agreement. This agreement should be revised, as necessary, to take into account future direction from the President or the Controlled Unclassified Information Council regarding standardization of the procedures for designating, marking, and handling documents that are unclassified but are not intended for public release. |
Closed – Not Implemented
Implementation of the recommendation would require all four agencies to which the recommendation was made 'the Department of Commerce, the Department of Energy, the Department of State, and the Nuclear Regulatory Commission' to enter into an interagency agreement on the designation, marking, and handling of sensitive information. According to the State Department, the relevant agencies have coordinated on the these issues. However, the agencies have not completed an interagency agreement to formalize the designation, marking, and handling procedures for sensitive information.
|
| Department of State | To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for IAEA by multiple U.S. agencies, the Secretary of State should clearly indicate in the text whether the presidential message and attached documents, if any, should be printed and made publicly available when preparing presidential communications to Congress for documents to be presented to IAEA. |
Closed – Implemented
In response to this recommendation, the Department of State has revised the cover letter that it prepares when submitting to Congress changes to the U.S. Additional Protocol. The cover letter to the congressional reports now confirms that the contents of the document are highly confidential and are not to be released to the public. The paragraph states: "The IAEA classification of the enclosed declaration is 'Highly Confidential Safeguards Sensitive.' The United States regards this information as 'Official Use Only.' Under Section 231 of the United States Additional Protocol Implementation Act, information reported to, or otherwise acquired by, the United States government under that Act or under the Additional Protocol shall be exempt from disclosure under Section 552 of Title 5, United States Code. Therefore, none of the enclosed documents should be printed, posted on any website, or otherwise made publicly available." Department of State officials also said that both 'Official Use Only' and 'Highly Confidential Safeguards Sensitive' remain written at the top of each page of the actual Declaration to prevent unintended public disclosure. In addition, officials added, the 'Official Use Only' designation is written at the bottom of each page. Further, Department of State officials said that the department will continue to ensure that any sensitive material transmitted to Congress related to implementation of safeguards in the United States will be clearly labeled as such in order to prevent future unintended public disclosures.
|
| Executive Office of the President | To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for IAEA by multiple U.S. agencies, the Executive Office of the President should consider revising any written guidance and/or practices it has and conduct staff training for handling and safeguarding sensitive information in future declarations or other documents between the United States and IAEA before it needs to issue its next declaration in May 2010. |
Closed – Not Implemented
GAO made this recommendation to the Executive Office of the President during a previous administration. Efforts to obtain additional information to close the recommendation since the report's release have been unsuccessful. Because GAO made this recommendation to a previous administration and has been unsuccessful in obtaining updated information, GAO is closing this recommendation as not implemented.
|
| Government Publishing Office | To ensure that corrective actions are taken to prevent the inadvertent public disclosure of sensitive information in future draft declarations or other documents prepared for IAEA by multiple U.S. agencies, GPO's public printer should implement, as expeditiously as possible, the recommendations from the agency's August 2009 Inspector General report in order to improve the security culture and reduce the possibility of future postings of sensitive information to the GPO Web site. |
Closed – Implemented
In response to our recommendation, GPO took the following steps: (1) Updated order forms to include classification fields to indicate whether the work requested is classified or sensitive, as well as procedures to follow for handling sensitive information. GPO also updated its Printing Procurement Regulation to ensure that GPO's federal agency customer meets all personally identifiable information (PII) or sensitive information handling requirements for all awards over $100,000 that involve PII or other sensitive information. Agencies must provide a copy of the security plan and the pre-award survey. If unavailable, the agency's confirmation must include a specific waiver of a contractor security plan and pre-award survey. (2) Prepared a Standard Operating Procedure for GPO customer service employees describing receipt of material from a federal customer agency, procuring the contract requirements, and reporting of any suspected or known breach of PII or sensitive information procedures. (3) Updated GPO Directive 825.7D through the issuance of Directive 825.7E to address "sensitive information." GPO Directive 825.7E specifically addresses the handling of sensitive information, detailing that "controlled but unclassified" information must be protected and controlled, and that GPO business unit managers must ensure employees are aware of classification levels of information being printed and/or handled. (4) Briefed and trained on sensitive information GPO managers and supervisors who receive information/jobs from customers. Customers submit in writing the appropriate sensitivity level and any special handling instruction on information being submitted. (5) Briefed GPO staff on Operations Security, which informs them about their responsibility to protect and report unclassified indicators, which may seem minor or irrelevant, but could be critical intelligence data. GPO's Security Services also perform weekly security walks visiting employees and managers throughout GPO distributing security awareness information on the Operations Security (unclassified indicators), the Eagle Eyes Program ("see something - say something"), and the Controlled Unclassified Information (CUI) program, which details how to handle sensitive unclassified information. Additionally, all GPO employees with security clearances are provided security briefings on their responsibility for handling and controlling "national security information."
|