Information Sharing: The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information

In fiscal year 2006, we reviewed and reported on efforts to establish government-wide information sharing policies and processes. We found that one effort to establish these tools included the creation of an Information Sharing Environment (ISE), as mandated by the Intelligence Reform and Terrorism Prevention Act of 2004. Part of this effort included the development of an Interim Implementation Plan that included a schedule for completing a number of key milestones for implementing the ISE. We recommended that the Director of National Intelligence assess progress toward the milestones set in its Interim Implementation Plan. The Program Manager for the ISE, within the Office of the Director of National Intelligence, subsequently issued a formal Implementation Plan in November 2006 and reported on the progress of the ISE in its 2007 Annual Report to Congress.

In fiscal year 2006, we reviewed and reported on efforts to establish government-wide information sharing policies and processes. We found that one effort to establish government-wide information sharing policies and processes included the creation of an Information Sharing Environment (ISE) as mandated by the Intelligence Reform and Terrorism Prevention Act of 2004, and barriers, such as the availability of resources to meet the Act's mandates for the ISE may exist. While progress had been made towards implementing the ISE, the ISE Program Manager at the time expressed concern over resources, such as the budget for the ISE and number of staff available. Therefore, we recommended that the Director of National Intelligence identify any barriers to achieving the milestones in the Interim Implementation Plan and determine ways to resolve them. Since then, the Program Manager for the ISE, housed within the Office of the Director of National Intelligence, has taken several steps to assess resource barriers and to determine ways to resolve them. For instance, in the November 2006 ISE Implementation Plan, the Program Manager stated that the initial period of standing up the ISE will be longer than the two years originally authorized by the Intelligence Reform and Terrorism Prevention Act. Therefore, the Program Manager recommended continuation of the project through June 2009. The implementation plan also describes the use of the Information Sharing Council consisting of member departments to leverage knowledge and resources. Finally, the Program Manager partnered with the Office of Management and Budget to identify resources in the budgets of other agencies that can be leveraged for the ISE.

In fiscal year 2006, we reviewed and reported on efforts to establish government-wide information sharing policies and processes. We found that one effort to establish these tools included the creation of an Information Sharing Environment (ISE) as mandated by the Intelligence Reform and Terrorism Prevention Act of 2004. While progress had been made towards implementing the ISE, the ISE Program Manager at the time expressed concern over resources, such as the budget for the ISE and number of staff available. Therefore, we recommended that the Director of National Intelligence recommend to the oversight committees with jurisdiction any necessary changes to the organizational structure or approach to creating the ISE. Toward implementing this, the November 2006 ISE Implementation Plan recommends an organizational change to grant the Program Manager for the ISE authority to issue the procedures, guidelines, functional standards, and instructions necessary for the management, development, and operations of the ISE as well as the continuation of the Office of the Program Manager for the ISE and the Information Sharing Council for the 3 years covered by the Implementation Plan. The Implementing the 9/11 Commission Act of 2007 codified the first recommendation and provided for the continuation of the Program Manager's appointment until he is removed from office or replaced.

Among other things, our report recommended that in carrying out the President's December 2005 mandates for standardizing sensitive but unclassified information, the Director of National Intelligence and the Director of OMB use the results of our work to validate the inventory of designations that agencies are required to conduct in accordance with the memo. According the DHS co-chair of the interagency task force conducting this inventory and a senior official in the Office of the Director of National Intelligence--the organization that has ultimate responsibility for the results--our work has been very useful to the task force and helped them complete their inventory more expeditiously than they could have without it.

Among other things, our report recommended that in carrying out the President's December 2005 mandates for standardizing sensitive but unclassified information, the Director of National Intelligence and the Director of OMB use the results of our work to validate the inventory of designations that agencies are required to conduct in accordance with the memo. According the DHS co-chair of the interagency task force conducting this inventory and a senior official in the Office of the Director of National Intelligence--the organization that has ultimate responsibility for the results--our work has been very useful to the task force and helped them complete their inventory more expeditiously than they could have without it.

On March 17, 2006, we reported on (1) the status of efforts to establish government-wide homeland security information sharing policies and processes, and (2) the universe of sensitive but unclassified (SBU) designations used by the 26 agencies that we surveyed to protect and restrict the dissemination of certain sensitive information, as well as the agencies' related policies and procedures. We reported, among other things, that the agencies that we reviewed were using 56 different sensitive but unclassified designations to protect information that they deemed critical to their missions. For most designations, there were no governmentwide policies or procedures that describe the basis on which an agency should assign a given designation and ensure that it will be used consistently from one agency to another. We noted that without such policies, each agency determined what designations and associated policies to apply to the sensitive information it develops or shares, posing challenges for sharing, especially with state and local partners. We also observed that most of the agencies we reviewed had no policies for determining who and how many employees should have authority to make sensitive but unclassified designations, providing them training on how to make these designations, or performing periodic reviews to determine how well their practices are working. Finally, we reported that the President had issued a memorandum in 2005 that called for the standardization of SBU data across the government and the Office of the Director of National Intelligence's Program Manager for the Information Sharing Environment had been working to standardize SBU policies. We recommended, among other things, that in carrying out the President's December 2005 mandates for standardizing sensitive but unclassified information, the Director of National Intelligence and the Director of the Office of Management and Budget (OMB) (1) use the results of our work to validate the inventory of designations that agencies are required to conduct in accordance with the memo and (2) issue a policy that consolidates sensitive but unclassified designations where possible and addresses their consistent application across agencies. To address this issue, on May 9, 2008, the President released new standards for how agencies should label sensitive but unclassified information, creating a single set of policies and procedures on the way materials should be marked, stored safely and disseminated. The new "Controlled Unclassified Information" (CUI) framework replaces the sensitive but unclassified categorization and establishes three CUI categories. Under those categories, agencies that are part of the federal information sharing environment or the information sharing council should label unclassified data that is considered sensitive. The President mandated that any additional markings can be prescribed only by the National Archives and Records Administration (NARA) , which will be the "executive agent" in charge of implementing the framework. These changes will standardize practices for the designation of SBU information and make information sharing more effective across the federal government.

On March 17, 2006, we reported on (1) the status of efforts to establish government-wide homeland security information sharing policies and processes, and (2) the universe of sensitive but unclassified (SBU) designations used by the 26 agencies that we surveyed to protect and restrict the dissemination of certain sensitive information, as well as the agencies' related policies and procedures. We reported, among other things, that the agencies that we reviewed were using 56 different sensitive but unclassified designations to protect information that they deemed critical to their missions. For most designations, there were no governmentwide policies or procedures that describe the basis on which an agency should assign a given designation and ensure that it will be used consistently from one agency to another. We noted that without such policies, each agency determined what designations and associated policies to apply to the sensitive information it develops or shares, posing challenges for sharing, especially with state and local partners. We also observed that most of the agencies we reviewed had no policies for determining who and how many employees should have authority to make sensitive but unclassified designations, providing them training on how to make these designations, or performing periodic reviews to determine how well their practices are working. Finally, we reported that the President had issued a memorandum in 2005 that called for the standardization of SBU data across the government and the Office of the Director of National Intelligence's Program Manager for the Information Sharing Environment had been working to standardize SBU policies. We recommended, among other things, that in carrying out the President's December 2005 mandates for standardizing sensitive but unclassified information, the Director of National Intelligence and the Director of the Office of Management and Budget (OMB) (1) use the results of our work to validate the inventory of designations that agencies are required to conduct in accordance with the memo and (2) issue a policy that consolidates sensitive but unclassified designations where possible and addresses their consistent application across agencies. To address this issue, on May 9, 2008, the President released new standards for how agencies should label sensitive but unclassified information, creating a single set of policies and procedures on the way materials should be marked, stored safely and disseminated. The new "Controlled Unclassified Information" (CUI) framework replaces the sensitive but unclassified categorization and establishes three CUI categories. Under those categories, agencies that are part of the federal information sharing environment or the information sharing council should label unclassified data that is considered sensitive. The President mandated that any additional markings can be prescribed only by the National Archives and Records Administration (NARA) , which will be the "executive agent" in charge of implementing the framework. These changes will standardize practices for the designation of SBU information and make information sharing more effective across the federal government.

In fiscal year 2006, we reviewed and reported on efforts to establish governmentwide information sharing policies and processes. We found that federal agencies we surveyed reported using a total of 56 different designations for information they determined to be sensitive but unclassified (SBU) and that no governmentwide policies or procedures were in place to describe the basis on which agencies should designate, mark, and handle this information. Moreover, governmentwide policies that required internal control practices were not in place. We concluded that by not providing guidance and monitoring, there is a probability that a designation might be misapplied, potentially restricting material unnecessarily or resulting in dissemination of information that should be restricted. We recommended that the OMB Director, in his oversight role with respect to federal information management, should work with other agencies to develop and issue a directive requiring that agencies have in place internal controls that meet GAO's Standards for Internal Controls in the Federal Government. This directive should include guidance for employees to use in deciding what information to protect with SBU designations; provisions for training on making designations, controlling, and sharing such information with other entities; and a review process to determine how well the program is working. Consistent with our recommendations, in May 2008, the President issued a memorandum, "Designation and Sharing of Controlled Unclassified Information," that adopted Controlled Unclassified Information (CUI) as the single categorical designation to be used for SBU information throughout the executive branch. The memo made the National Archives and Records Administration (NARA) responsible for overseeing and managing implementation of the CUI framework. In response, NARA established a CUI office to accomplish the new tasks associated with implementing CUI policy. The office is to establish new safeguards and dissemination controls as well as monitor agency compliance with CUI policy and standards. In May 2009, the President issued a memorandum for the heads of executive departments and agencies, "Classified Information and Controlled Unclassified Information," that established an interagency task force to review CUI procedures and provide recommendations regarding how the executive branch should proceed with respect to CUI. In August 2009, the task force issued its report, which provided 40 recommendations, including one for a single, standardized framework for marking, safeguarding and disseminating SBU information across the federal government. In November 2010, the President issued Executive Order 13556, "Controlled Unclassified Information," which establishes an open and uniform program for managing information that requires safeguarding and dissemination controls and rescinds the May 2008 Presidential memorandum. On June 9, 2011, NARA issued, "Controlled Unclassified Information Office Notice 2011-01: Initial Implementation Guidance for Executive Order 13556," to establish an initial implementing directive for agencies regarding, among other things, CUI designation, marking, safeguarding, dissemination, and training. Pursuant to the order, departments and agencies are developing their proposed CUI categories and markings. These actions are consistent with the intent of our recommendation and, as a result, this recommendation is closed as implemented.