Skip to Highlights
Highlights

Misclassification of national security information impedes effective information sharing, can provide adversaries with information to harm the United States and its allies, and incurs millions of dollars in avoidable administrative costs. As requested, GAO examined (1) whether the implementation of the Department of Defense's (DOD) information security management program, effectively minimizes the risk of misclassification; (2) the extent to which DOD personnel follow established procedures for classifying information, to include correctly marking classified information; (3) the reliability of DOD's annual estimate of its number of classification decisions; and (4) the likelihood of DOD's meeting automatic declassification deadlines.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense To reduce the risk of misclassification and create greater accountability across the department, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to establish a centralized oversight process for monitoring components' information security programs to ensure that they satisfy federal and DOD requirements. This oversight could include requiring components to report on the results of self-inspections or other actions, targeted document reviews, and/or reviews by the DOD Inspector General and component audit agencies.
Closed - Implemented
In response to our recommendation, Office of the Under Secretary of Defense for Intelligence (USD(I)) officials--including the Deputy Director for Information Security and Security Oversight--stated that they recently established the Department of Defense (DOD) Security Oversight and Assessment Program. Under this program, USD(I) is selecting DOD components for oversight and assessment visits to identify best practices and lessons learned for trend analysis and program improvement, and to evaluate the relevance, effectiveness, and efficiency of DOD information security policies. For example, subsequent to our report, USD(I) began issuing guidance to DOD components for estimating the number of annual classification decisions they made, thereby increasing the accuracy and reliability of these estimates. Additionally, DOD is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 1, enclosure 3 of the manual, entitled DOD Information Security Program Overview,assigns the USD(I) responsibility for directing, administering, and overseeing the DOD Information Security Program.
Department of Defense To reduce the risk of misclassification and create greater accountability across the department, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to to issue a revised Information Security Program regulation to ensure that those personnel who are authorized to and who actually perform classification actions, receive training that covers the fundamental classification principles as defined in the Under Secretary's memorandum of November 30, 2004 and that completion of such training is a prerequisite for these personnel to exercise this authority.
Closed - Implemented
The Department of Defense (DOD) is in the process of issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 3, enclosure 5 of the manual, entitled 'Security Education and Training,' includes training on fundamental classification principles that meet the intent of our recommendation. Specifically, enclosure 5 requires the heads of DOD organizations to ensure that all personnel granted access to classified information receives, prior to gaining initial access to classified information, training in the proper and complete classification markings, and how those markings are to be applied. Under Secretary of Defense for Intelligence (USD(I)) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 3 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.
Department of Defense To reduce the risk of misclassification and create greater accountability across the department, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to to issue a revised Information Security Program regulation to ensure that the frequency, applicability, and coverage of self-inspections, and the reporting of inspection results are based on explicit criteria.
Closed - Implemented
The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 1, enclosure 2 of the manual, entitled "Responsibilities," requires DOD organizations to establish and maintain a self-inspection and oversight program to evaluate their information security programs. According to the manual, the frequency of self-inspections shall be based on program needs and classification activity; will cover, at a minimum, original and derivative classification, declassification, safeguarding, education and training, and management and oversight; and the results of these self-inspections shall be submitted to either the Information Security Oversight Office--which is part of the National Archives and Records Administration--and/or the Under Secretary of Defense for Intelligence (USD(I)) at least annually. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 1 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.
Department of Defense To reduce the risk of misclassification and create greater accountability across the department, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to to issue a revised Information Security Program regulation to ensure that authorized individuals can access up-to-date security classification guides necessary to derivatively classify information accurately.
Closed - Implemented
The Department of Defense (DOD) is issuing a revised information security program regulation as a four-volume manual, DOD Information Security Program, Number 5200.01. Volume 1, enclosure 6 of the manual, entitled "Security Classification Guides," requires responsible original classification authorities to issue security classification guides for each system, plan, program, or project involving classified information as early as practical, and revise whenever necessary to promote effective derivative classification. Further, original classification authorities are required to distribute security classification guides to those DOD organizations and activities that may classify information the guide covers, as well as to the Defense Technical Information Center, which serves as a repository of DOD scientific and technical documents. The Center is required to maintain an on-line index of security classification guides that will facilitate their accessibility. Under Secretary of Defense for Intelligence (USD(I)) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 1 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.
Department of Defense To support informed decision making with regard to information security, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to institute quality assurance measures to ensure that components implement consistently the DOD guidance on estimating the number of classification decisions, thereby increasing the accuracy and reliability of these estimates.
Closed - Implemented
In response to our recommendation, Under Secretary of Defense for Intelligence (USD(I)) annually issues guidance to Department of Defense (DOD) components on how they are to estimate the number of classification decisions made. This guidance describes what the components should count (e.g., photographs) and not count (e.g., e-mail replies) in their estimates, how to sample their population of classification decisions to derive an estimate, and how to report their estimates on the standard federal form. The guidance also identifies a USD(I) official who components can contact for additional information. The requirement for components to calculate their classification decision estimates in accordance with instructions provided by USD(I) is contained in volume 1, enclosure 2 of DOD's Information Security Program manual, Number 5200.01. USD(I) officials--including the Deputy Director for Information Security and Security Oversight--stated that volume 1 of the manual is being coordinated within the department, and a 2010 issue date is anticipated.
Department of Defense To assist DOD in its efforts to meet automatic declassification deadlines, the Secretary of Defense should direct the Under Secretary of Defense for Intelligence to evaluate the merits of consolidating records eligible for automatic declassification that contain information classified by multiple DOD components at fewer than the current 14 geographically dispersed sites.
Closed - Implemented
Under Secretary of Defense for Intelligence (USD(I)) officials--including the Deputy Director for Information Security and Security Oversight--stated that since our report was issued in 2006 the Department of Defense (DOD) has eliminated 1 of its 14 automatic declassification sites that contain information classified by multiple DOD components. Further, in January 2010 DOD began pilot-phase operations of the DOD Joint Referral Center, co-located with the Army Declassification Activity near Fort Belvoir, Virginia, to evaluate processes for the expedited clearing of declassification referrals in a joint, collaborative manner. If the pilot yields positive results, USD(I) officials indicated that it could lead to further consolidation of automatic declassification sites.

Full Report