The classification system is designed primarily to protect the confidentiality of certain military, foreign policy, and intelligence information. It deals with only a small slice of the government information that requires protection, although it drives the government's security apparatus and most of its costs.
Despite the best of intentions, the classification system, largely unchanged since the Eisenhower administration, has grown out of control. More information is being classified and for extended periods of time. Security rules proliferate, becoming more complex yet remaining unrelated to the threat. Security costs increase as inconsistent requirements are imposed by different agencies or by different program managers within the same agency.
This accretion of security rules and requirements to protect classified information does not make the system work better. Indeed, the classification system is not trusted on the inside any more than it is trusted on the outside. Insiders do not trust it to protect information that needs protection. Outsiders do not trust it to release information that does not need protection.
This Cold War classification system can be simplified. In place of more than 12 levels of protection and widely differing and inconsistent security policies and practices, the Commission recommends a single, rational, governmentwide standard for the protection of classified information.
The Current Classification System-Cumbersome and Confusing
The classification system is more complex than necessary. Classification is inherently subjective and the current system inappropriately links levels of classification with levels of protection.
The current classification system starts with three levels of classification (Confidential, Secret, and Top Secret), often referred to collectively as collateral. Layered on top of these three levels are at least nine additional protection categories. These include Department of Defense Special Access Programs (DoD SAPs), Department of Energy Special Access Programs, Director of Central Intelligence Sensitive Compartmented Information Programs (DCI SCI), and other material controlled by special access or "bigot" lists (Footnote 1) such as the war plans of the Joint Chiefs of Staff and the operational files and source information of the CIA Operations Directorate. Further complicating the system are restrictive markings and dissemination controls such as ORCON (dissemination and extraction of information controlled by originator), NOFORN (not releasable to foreign nationals), and "Eyes Only."
Levels of Protection
TS - BIGOT LIST
TS - SCI
TS - DoD SAP
S - BIGOT LIST
S - SCI
S - DoD SAP
C - BIGOT LIST
C - SCI
C - DoD SAP
Figure 2. The Current Classification System
Currently, proper classification depends on assessing the expected damage to national security caused by unauthorized disclosure of the information. Information is classified as Confidential if damage is expected to occur. Secret is used if serious damage will result. Information is Top Secret only if exceptionally grave damage will occur. However, because it is difficult to precisely define levels of damage, reasonable persons can and do differ in their evaluation. Yet, it is not even clear why the effort to assess damage should be made since the protection required is not dependent on the level of damage. For example, greater protection is provided for Secret information in SCI channels, disclosure of which would cause "serious damage" to national security, than for Top Secret information that is not within a special access program, disclosure of which would cause "exceptionally grave damage." Moreover, from a Freedom of Information Act or an Espionage Act standpoint, the significant issue is whether the information is classified, not the level at which it is classified.
We conclude that there is no need for levels of classification. Information is not more classified or less classified. It either is classified or it is not. Indeed, thinking about information as more or less classified has led to statements that information is "only Confidential" or "only Secret." This thinking also has led to efforts to link classification levels with the length of time protection is required. Yet we know that some Top Secret information, such as an invasion date, may need to be protected for days, while some Secret information, like the identity of a confidential source, may need to be protected for decades.
Special Access Programs-Lacking Faith in the System
Special access programs (Footnote 2) are used to compensate for the fact that the classification system is not trusted to protect information effectively and does not adequately enforce the "need to know" principle. For example, the Top Secret classification is supposed to protect information that, if improperly disclosed, would result in exceptionally grave damage to the national security. Yet, the perception is that the "regular" classification system cannot protect such information because it has no provision for limiting which cleared persons have access to the information.
In the 1980s, as confidence in the traditional classification system declined, more and more information was put into SAP and SCI compartments based on assertions that the regular classification system provided inadequate need-to-know restrictions. The special access system gave the program manager the ability to decide who had a need-to-know and thus to strictly control access to the information. But elaborate, costly, and largely separate structures emerged. According to some, the system has grown out of control with each SAP program manager able to set independent security rules.
The Department of Defense divides these programs into three categories: acquisition, intelligence, and operations and support. (Footnote 3) Programs in these categories are further defined as either acknowledged or unacknowledged. (Footnote 4) Some of the most sensitive DoD programs are "waived" or "carved out" from certain oversight and administrative requirements. There are over one hundred DoD SAPs, with many having numerous compartments and subcompartments, designed to further segregate and limit access to information. Each special access program manager is free to establish the security rules that will apply to his or her particular program.
Within the Intelligence Community, the term Sensitive Compartmented Information (SCI) refers to data about sophisticated technical collection systems, information collected by those systems, and information concerning or derived from particularly sensitive methods or analytical processes. Specific SCI control systems serve as umbrellas for protecting a type of collection effort or a type of information. Within each SCI system are compartments and within them, subcompartments, all designed to formally segregate data and restrict access to it to those with a need-to-know, as determined by a central authority for each system. There are over 300 SCI compartments (recently reduced from over 800) grouped into a dozen or so control channels. Special activities have their own non-SCI control channels. Rules relating to SCI programs are found in DCI Directives (DCIDs), but implementation is uneven and minimum standards are often exceeded.
In addition to the formal SAP, SCI, and covert action control channels, strict need-to-know access restrictions also are imposed for other types of information within the DoD and the Intelligence Community. These include information identifying intelligence sources and liaison relationships, as well as information about military plans, such as the Single Integrated Operations Plan (SIOP) for strategic nuclear war or the battle plan for the invasion of Iraq during the Gulf War. Access to such information is generally controlled by access or bigot lists.
The Commission agrees that some types of classified information, such as identities of intelligence sources, information about sensitive intelligence methods, plans for operations, and technological advances that provide our military forces unique advantages on the battlefield, may require more protection than others. However, we do not agree that each SAP manager needs to establish a unique set of security rules, or that SAP security rules and SCI security rules need to be different. Current practice has begun to recognize this fact and to coalesce around two standards: one for Confidential and Secret, the other for Top Secret and SAPs/SCI. In personnel security, for example, agencies do not have separate clearance standards for Confidential and Secret. And a single clearance standard for Top Secret and SCI is evolving with DoD SAPs beginning to follow this standard, even though program managers today have the authority to impose their own standards and many do so.
A New System-Streamlined and Straightforward
The opportunity to change the classification system comes at an important point in our history. In this post-Cold War period, we can move away from a strategy that has been characterized as something close to total risk avoidance and develop instead an approach more clearly based on risk management. We continue to recognize that there is information that needs the protection of the classification system and that there are costs associated with the unauthorized disclosure of information vital to the national security. But we also recognize that in a democracy the public needs access to information about what its government is doing and that there are significant costs associated with keeping information classified and tightly controlled. In sum, it is important to consider the political, economic, and opportunity costs of classifying information, as well as the costs of failing to classify information.
The Commission finds that the costly and complicated bureaucracy that provides security is a reflection of the underlying complexity of the classification management system. The Commission believes that a less complicated system can help correct the current approach that has led to classifying too much at too high a level and for too long. We propose a new one-level classification system. Under this system, information either is classified or it is not. There would be a single legal definition of classified information and no need to pretend that we can precisely measure the amount of damage to national security that would be caused by an unauthorized disclosure.
Two degrees of protection will be available, instead of the dozen or so now used. Information either will be generally protected (labeled SECRET) or specially protected (labeled SECRET COMPARTMENTED ACCESS). Each protection level would be defined both in terms of the type of information to be included and the type of protection. The protections available for each level will be standardized. Most special handling and dissemination markings will be unnecessary and special access controls will be integral to, rather than added onto, the classification system. In addition, only certain clearly defined categories of information will qualify for special protection and only in certain clearly defined circumstances.
Levels of Protection
SECRET CONTROLLED ACCESS
Figure 3. The Proposed Classification System
The vast majority of classified information would be generally protected to promote the availability and accessibility of the information. Baseline security protection standards will be established and discretionary need-to-know would apply; a cleared individual could determine whether to pass the information to another cleared individual. Generally protected information would incorporate current Confidential and Secret documents, which will not have to be remarked.
The Commission recognizes that most departments and agencies have, and will want to continue, procedures that govern the manner in which Secret information is disseminated within their organizations. Some may also wish to maintain limited control on their information that is passed to other agencies, such as a requirement that the recipient agency not pass the information on to a third agency without obtaining permission from the originating agency. Finally, there may be unique problems that arise in implementing this new approach that require an exemption from general rules, such as the manner in which CINCs communicate with Navy vessels. The Commission recognizes the need for flexibility, but does not want to lose the advantages of the new system through creating loopholes by, for example, permitting heads of departments and agencies to create "mini SAPs" by imposing dissemination controls. Therefore, the Commission recommends that heads of departments or agencies be permitted to establish dissemination controls on Secret information only upon approval of the security executive committee proposed in chapter 11.
As a result of risk analysis, a limited amount of information would be specially protected as Secret Compartmented Access information. Enhanced security protection standards would apply, requiring a higher clearance standard for access and a centralized need-to-know control structure provided by an access or bigot list. Compartmented access information would incorporate most current Top Secret, Special Access, and Sensitive Compartmented Information.
The Commission finds that classification management is the "operating system" of the security world. Classification drives the way many security policies are implemented and security practices are carried out. Standards, organizations, procedures, and policies governing everything from the levels of security clearance, to procedures for processing information, to sentencing guidelines for individuals convicted of espionage are based on our existing classification structure. The complexity of the existing classification system is the root cause of much of the confusion of the existing security system. (Footnote 5) Simplify the classification system and simplification of the security system will follow.
The Commission notes that the existing classification management system is evolving naturally into a two-level system. Confidential and Secret information is handled using similar or identical standards. Top Secret, SCI, and SAP information is protected using more stringent and substantially common standards. The Commission believes that this naturally occurring division forms an excellent basis for an improved classification system.
The proposed system will better relate needed asset protection to security countermeasures. In place of the myriad investigative and adjudicative requirements and the differing physical security standards, two security standards, based on analysis of risk, would be developed to guide application of the two degrees of protection for these security disciplines. Procedures for securing classified information would likewise have only two standards. Similar simplifications would follow throughout the rest of the security system.
The Commission recommends the establishment of a one-level classification system with two degrees of protection.
A Simplified Controlled Access System
The Commission concludes that the current special access system needs to be simplified. Enhanced security protection can be achieved with less compartmentation and fewer barriers to the flow of information. Instead of the current complicated system with the multiple control officers and multiple control channels, information requiring special protection would be marked SECRET COMPARTMENTED ACCESS and would carry a designator, such as a codeword or number, identifying the relevant access list. A single specially protected information control officer and channel would replace the panoply of structures and systems for protecting SCI, SAPs, or bigot list controlled access information.
The Commission recommends that:
a) All special access, SCI, covert action control systems, war plans, and bigot list activities be integrated into the new classification system.
b) A single control channel for SECRET COMPARTMENTED ACCESS information, with a codeword for each need-to-know list, replace all existing special control channels.
Limiting Use of Special Access Controls
The Commission concludes that simplifying the system will aid in identifying and better protecting information that really needs enhanced security protection. Viewing information as part of a special access program often meant that everything in the program had to be compartmented. Analyzing the impact of the loss of specific information focuses attention on what needs special protection and what does not, and would result in less information being placed at the compartmented access level.
Steps will be taken to limit the amount of information that is specially protected and to prevent the migration of information from the generally protected level to the specially protected level. A first step is to identify clearly in an executive order those limited categories of information qualifying for special protection.
The Commission suggests the following categories of information be considered for special protection:
o A technology application that provides a significant battlefield edge and that could be copied or countered if key information were disclosed to a potential adversary.
o A sensitive military operation or plans for the operation in circumstances in which disclosure might impair its current or future success.
o A fragile intelligence method when the opposition is not aware of either the fact, or special capabilities of the method and, were they to become aware of it, could employ countermeasures to deny us information or use deception to feed the US incorrect information.
o A human source in circumstances in which the US would lose its ability to use the source and/or the source or the source's family is likely to be harmed.
o A sensitive intelligence, counterintelligence, or special activity in circumstances in which disclosure would impair its success.
o Information that would impair US cryptologic systems or activities.
o Sensitive policy issues or relationships with a foreign government which, if revealed, would significantly harm foreign government cooperation with the US.
o A US negotiating position in circumstances in which such disclosure would cause us to lose a negotiating advantage.
o Scientific and technical information that describes the design of weapons of mass destruction that could significantly assist others to develop or to improve such weapons, or to significantly enhance their ability to circumvent the control features of such weapons.
The Commission recommends that compartmented access be considered for the categories of information detailed above and any other categories of equally sensitive information, and that all current and future Special Access Programs, war plans requiring limited access controls, Sensitive Compartmented Information, covert action control systems, and bigot lists be reviewed and validated against that list.
Perhaps the greatest weakness in the entire system is that critical specially protected information within the various DoD and SCI compartments is not clearly identified. Individuals within government and industry are forced to protect everything within a particular compartment, rather than just the small amount of information that truly needs compartmented access status and need-to-know controls.
One general officer likened the situation to trying to protect every blade of grass on a baseball field. He had to have a hundred players to guard the entire field, when only four persons to protect home plate would suffice.
The Commission believes a rigorous review is needed to identify and separate the information that will continue to require special protection from that which does not. Such a review will allow many compartmented access compartments to be eliminated and will permit the consolidation of critical data within fewer remaining compartments.
The Commission recommends that the Secretary of Defense and the Director of Central Intelligence direct that managers for each compartmented access system undertake a review to identify information within all compartments and subcompartments that requires continued special protection. This information should be consolidated in the fewest compartments possible.
Uniform Risk Criteria for Secret - Compartmented Access Information
The Commission believes that decisions to require special protection for sensitive information and activities should be consistently made based on common risk management principles.
The Commission found that uniform risk assessment criteria do not exist for establishing, designating, managing, and disestablishing SAP and SCI compartments. Each component develops its own procedures for assessing the risks dictating compartmented access protection, often with little external guidance or oversight. Some elements place unclassified technologies and independent research and development efforts directly under special protection as soon as a promising military application is discovered. Others do not, and thus disparities exist among agencies in the way the same basic technology or application is classified, designated, and protected.
The decision to designate a DoD SAP as unacknowledged radically increases its cost and severely inhibits oversight, coordination, and integration with other similar programs. Critics advised the Commission that state of the art advances and efficiency gains may be sacrificed or significantly hindered once a technology-based program is brought under special controls. If an acquisition SAP is unacknowledged, others working in the same technology area may be unaware that another agency is developing a program. The government may pay several times over for the same technology or application developed under different special programs within different agencies.
Two military services and the DoE have programs involving the same technological application. One military service classified its program as Top Secret Special Access with a deadly force protection requirement. The other military service classified its program as Secret Special Access with little more than tight need-to-know protection applied. The DoE classified its program as collateral Secret, adopting discretionary need-to-know procedures.
Despite the fact that the Commission did find one or two examples of programs coordinating common technology or scientific issues, the potential still exists for disconnects in coordination and integration among various DoD SAPs and non-SAP programs. In the above example, the three government agency program managers are aware of the other programs, but refuse to devise a common protection standard. This problem is not uncommon. The strict SAP control inhibits the flow of information. One result is that comparable advances in state-of-the-art technology by related noncompartmented government research efforts are not readily accepted by some SAP managers as valid reasons to decompartment their programs. The government pays a high cost when this occurs. Continuing special security controls when they may not be necessary is expensive. But the controls are probably much less costly than the lost opportunities caused by inhibiting non-governmental research initiatives with potential payoffs for the SAP itself.
The Commission applauds the DoD's action to establish joint coordination and review of Stealth and related low-observable technologies developed by numerous special programs. However, this effort should be expanded to achieve integration across the DoD components and non-DoD agencies in other areas of technology to reduce apparent gaps in the integration of SAP decisions with national-level science and technology intelligence, counterintelligence, and counterproliferation intelligence analysis. Again, using the example above, a common security standard is needed to reduce conflicting analyses regarding the true state-of-the-art or the actual threat to advanced technologies that in turn leads to the application of varying degrees of security and the resulting costs.
There also is the need for coordination of DoD special program issues and decisions with other governmental interests, such as foreign relations with the Department of State and national intelligence issues with the Director of Central Intelligence. In the past, decisions were made not to brief the Director of Central Intelligence on certain DoD programs that affected national intelligence interests. Such decisions can occur when senior-level personnel are not made aware of, for example, the existence of a subcompartment or the impact of certain activities under special programs.
The Commission's recommendations on threat assessment and risk management should be followed in determining whether and how special protection is to be applied, especially with respect to unacknowledged programs. These criteria should form the basis for decisions made on special protection throughout the government.
The Commission recommends that the Secretary of Defense and the Director of Central Intelligence:
a) Establish uniform risk assessment criteria for the consideration, designation, review, management and decompartmentation of information requiring special protection.
b) Conduct independent risk assessments of the unacknowledged status of compartmented access programs, based upon all-source analysis of relevant intelligence and counterintelligence information.
c) Review similar compartmented access programs to ensure reciprocity and eliminate redundancy.
d) Institute a formal mechanism to review designation, coordination, and integration issues related to compartmented access programs to ensure that the DoD elements, the Intelligence Community, the Departments of State, Energy, Commerce, and others are advised of compartmented access program issues affecting their interests.
Currently, SAP security policies are developed independently by individual program managers. Within the Intelligence Community, actual SCI program practices often exceed the DCID standard. The Commission found that many of the problems with the SAPs and the SCI programs are due to obsolete security standards and inconsistent, program-specific applications. The conflicting policies of the DoD and Intelligence Community elements add significant unnecessary expense to the system, with no appreciable increase in security. Common standards for special protection would bring coherence to the DoD and Intelligence Communities, and bridge the gap between the DoD's SAPs and the DCI's SCI programs.
Under the new classification scheme, the security executive committee, described in chapter 11, will work with security professionals and program managers to develop a single uniform security policy and set of standards adequate to protect all DoD and Intelligence Community special programs. As a consequence, there no longer would be the wide variances in security practices that significantly raise costs, particularly in industry. Managers of special programs would not be granted unbridled discretion in deciding which security measures to employ, but they would be allowed to waive down from the standard in circumstances in which reciprocity is not affected. In sum, reciprocity, integration, and the ability to control overall costs require that a uniform standard be followed in most cases, but exceptions could be made in appropriate circumstances.
The Commission recommends that:
a) A single, consolidated policy and set of security standards be established for Secret Compartmented Access information, including all current SAPs, SCI, covert action, and the various bigot list programs.
b) Standards contain some flexibility, but waivers down from compartmented access security measures be permitted only when there is no impact upon reciprocity.
Increasing the Flow of Data
Many persons who spoke to the Commission were quite critical of the Intelligence Community's tendency to disseminate intelligence data within compartmented channels rather than at the generally protected level. Combatant commanders are adamant that intelligence must be released at the Secret level to be useful to them. Law enforcement agencies increasingly assert that most intelligence information passed to them is overclassified and therefore often unusable. Excessive compartmentation precludes the timely dissemination of intelligence pending completion of reviews to remove (or sanitize) source and method revealing information or until permission is granted for release of originator-controlled data. This has an adverse impact on the timeliness and specificity of intelligence. The impact is very serious to users of intelligence in the DoD, its agencies, and the military services.
During the Gulf War, the limited amount of sanitized operations-related intelligence information forced one military officer to meet his warfighting needs by regularly flying two Captains back and forth to US installations in Europe to get additional information decompartmented and then to return with as much of this hard copy intelligence data and imagery as they could carry.
All users made clear to the Commission that they want intelligence provided in a more timely manner, with as much specificity as possible, and with fewer dissemination restrictions. Currently compartmented data should be reviewed to remove source- or method-revealing information so that significantly more intelligence information can be made available as generally protected information. Those sanitizing intelligence should also ensure as much usable data remains as possible. Concerns have been raised that, at times, so much information is removed in order to protect sources and methods, the ability of users of the information to make critical decisions is undermined.
The Commission is encouraged by efforts under way to limit the amount of controlled access information within the Intelligence Community. Most intelligence reporting based on human sources is not compartmented because source-identifying information is deleted. Further, a significant amount of imagery is being released outside of compartmented channels. While the National Security Agency has made progress in decompartmenting its information, more can be done. Significant benefit would be gained if the National Security Agency were to form a task force, similar to the one formed by the Central Imagery Office, to drastically reduce the amount of compartmented information it produces, and to release more intelligence at the generally protected level.
The Commission believes that, as a general rule, only the limited amount of intelligence that would materially compromise sensitive sources and methods or collection strategies, as well as that which has exceptional political sensitivity due to the nature of the target, should remain within compartmented channels. The remaining vast majority of data should be routinely released as generally protected information. Where source-revealing information must necessarily be included, the Commission strongly recommends the use of a tear line. Those who need to know how the information was derived will have access to the information above the tear line, marked SECRET COMPARTMENTED ACCESS. Those who need to act on the information, but do not need to know the source of the information, will receive the generally protected information below the tear line, marked SECRET.
The Commission recommends that:
a) All intelligence reporting within compartmented channels be severely restricted to the limited amount of information that would compromise sensitive sources and methods or collection strategies, or that has exceptional political sensitivity.
b) All other intelligence products, particularly when related to military operations, be released as generally protected information.
Advanced weapon systems and specialized intelligence capabilities are of little use to the military commander if he is unaware of them and unable to train warfighting elements in the use of the new capability. Briefing commanders when compartmented access programs are ready for use is not enough. Military elements must be kept aware of the program, its goals and objectives, and its potential employment well ahead of production and deployment in order to fully incorporate new capabilities into unit war plans.
Although many technologies, weapon systems, and intelligence capabilities are ultimately developed for use by the warfighter, no effective procedure exists to ensure that combatant commanders are briefed on all such systems, their capabilities, and projected availability for use. Moreover, the Commission found that even when military elements are briefed, they are put under such tight constraints that they are unable to use the compartmented access information in any practical way. This prohibits field elements from being able to incorporate these capabilities into war planning and other crisis activities.
A senior military officer on the Joint Staff expressed concern that current classification and security procedures constrict the flow of operational information to the warfighter at the tactical level. He felt that we still treat certain capabilities as pearls too precious to wear: we acknowledge their value, but because of their value, we lock them up and don't use them for fear of losing them.
The Commission believes that more needs to be done to keep combatant commanders informed of current and upcoming programs, capabilities, weapons, and operations that could potentially be used in a military venue. Accordingly, a separate, small entity should be established and given the responsibility to work with the owners of compartmented access information to disseminate it aggressively to combatant commanders. This entity, with full access to all compartmented access programs, would balance the perceived reluctance of special access program managers to share information against the perceived tendency of military entities to disseminate this information broadly within a command. The intent is to ensure that combatant commanders are more fully informed about compartmented access activities while taking into account the sensitivity and fragility of the information.
The Commission recommends that the Secretary of Defense and the Director of Central Intelligence:
a) Establish a separate entity to work with special access program managers and combatant commanders to ensure that military commands are more fully aware of compartmented access information concerning current and projected technologies, weapons, techniques, operations and programs that are pertinent to their responsibilities.
b) Delegate authority to combatant commanders to brief staff members with a need-to-know on compartmented access information so that these capabilities can be incorporated into conflict planning activities.
Special Cover Measures
There are many valid reasons for the special cover measures used by some military and intelligence organizations, such as potentially life-threatening, high-risk, covert operations and intelligence and counterintelligence investigations or operations. However, these techniques also have increasingly been used for major acquisition and technology-based contracts to conceal the fact of the existence of a facility or activity or to mask government-contractor affiliations.
The Commission found that the use of cover to conceal the existence of a government facility or the fact of government research and development interest in a particular technology is broader than necessary and significantly increases costs. For example, one military service routinely uses cover mechanisms for its acquisition controlled access programs without regard to individual threat or need. Another military organization uses cover to hide the existence of certain activities or facilities. Critics maintain that in many cases, cover is being used to hide what is already known and widely reported in the news media.
Several government agencies paid, under various secure contracts, to have a significant number of "sterile" telephones installed to hide contractors' affiliations with the government. In many cases, the sterile telephones were installed next to secure telephones required by other classified government contracts. In one case, a contractor had 200 sterile telephones next to 173 STU-III telephones and 145 secure "green" phone lines.
These cover mechanisms are expensive and the marginal security benefits gained by compartmenting knowledge of the existence of a government or contractor facility often are outweighed by the costs of concealment, including the costs to other programs that would benefit from sharing technical knowledge and sharing use of the facility. Special protection generally should focus on the most sensitive uses of a facility, rather than the fact of its existence.
Organizations with high-funding profiles and extensive contracts, such as the National Reconnaissance Office, have incorporated elaborate rules into their daily operations to conceal the fact of their existence and to hide the identity and affiliation of organization employees and contractors. Even though the NRO's existence was finally declassified in 1992, classification for most of its personnel and activities remains in place. We believe many NRO classification requirements currently imposed can be dropped without danger to essential NRO activities.
The Commission believes an overall review of the DoD and Intelligence Community organizations employing cover mechanisms is needed to determine whether such costly measures continue to be necessary.
The Commission recommends that the Secretary of Defense and the Director of Central Intelligence:
a) Rescind blanket classified status for the NRO and its employees.
b) Review the cover status of the DoD and Intelligence Community elements and personnel, rescinding cover for those without a documented covert intelligence or operational mission.
c) Review existing covert contractual requirements to determine those that may be canceled as soon as advantageous to the government.
d) Develop new policies for cover that limit its use to those situations for which it is needed.
Security Oversight of Compartmented Access Programs
The DoD management framework provides for oversight of all DoD compartmented access programs through reviews by the Deputy Secretary of Defense. Oversight is also provided by reports to Congress. The Commission has reviewed the reporting procedures that exist with respect to Congressional oversight of the DoD controlled access programs, including those for programs that are waived from certain requirements due to their extreme sensitivity. We see no need to modify existing reporting procedures and believe that the current system should continue without change.
Until recently there has been no procedure for centralized assessment of special program proposals submitted directly to the Deputy Secretary of Defense by the military departments. The recent formation of the DoD Special Access Program Oversight Committee, which the Commission fully supports, will ensure that every program is reviewed by a panel of senior officials prior to its establishment, and annually thereafter, to determine whether compartmentation for each program is still required. This new management structure is an important initiative to improve centralized review, cross-program integration, security policy guidance, and oversight of special programs.
The Commission suggests that the Oversight Committee expand this review to incorporate a separate evaluation of the proposed or actual security countermeasures for each special program. A separate review could yield alternate security countermeasures to replace the sometimes costly or inefficient countermeasures proposed by the sponsoring special program managers. For existing controlled access programs, the Committee should examine how previously-approved security countermeasures are actually implemented. This may reveal security practices that are no longer necessary and help to lessen the gap between actual practice and policies for controlled access programs. Finally, the Commission believes that security cost-drivers, such as unacknowledged special program status, imposition of cover, mandatory polygraphs for access, and waivers from Defense Investigative Service inspections of contractors, should be considered and approved separately by the DoD Special Access Program Oversight Committee before they are imposed. These steps will aid the Oversight Committee in eliminating unnecessary and costly security practices and in redirecting scarce protection resources to other program priorities.
The Commission believes that the DoD's new approach to overseeing controlled access programs is reasonable. However, the Commission believes the process could be strengthened by establishing a security oversight arm that is wholly independent from the everyday management and security of controlled access programs. An independent viewpoint is necessary to interject an unbiased, broader perspective on controlled access proposals and practices because many believe that SAPs are created not simply for security reasons, but to create a specialized cadre of experts, streamline procurement, limit oversight, and thus speed development. Others are concerned that fundamental questions about the propriety of controlled access activities may not be raised by those within the special program community, or be presented to senior policymakers outside of the sponsoring military service. This new oversight function would have to have up-front, across-the-board access to all special access programs.
The Commission's proposed independent oversight arm also would provide valuable guidance with respect to access control practices applied to programs other than recognized SAPs. In the past, certain DoD components have limited the distribution of particular types of classified information, such as military plans, without formally designating the program as a SAP, because SAPs require high-level approval and oversight. These programs use labels such as LIMDIS (limited distribution), SPECAT (special category), or other less formal designations. The Commission views these programs as "SAP-like" in that aspects of approved specially protected programs, such as multiple compartments and nondisclosure agreements, often are imposed upon those given access to the information. However, DoD officials have taken the position that compartmentation to protect military plans should not be considered a "program" within the meaning of Special Access Program regulations, but simply a "planning document." As a result, military plans currently are not included in senior-level special program reviews.
In the future, none of these "plans versus program" distinctions should matter under the Commission's proposed new classification structure. However, independent oversight will continue to be necessary for controlled access programs to ensure that security issues are fully aired to senior management. Assigning independent responsibility for conducting inquiries regarding activities protected by special programs and similar compartments will give the Secretary of Defense a valuable check and serve as a safety valve in ensuring that security protections are not misused, and that questionable practices are brought to light and resolved within the Department.
The Commission recommends that the Secretary of Defense:
a) Under the auspices of the DoD Special Access Program Oversight Committee:
1) Conduct a separate evaluation of proposed or actual security countermeasures for controlled access programs.
2) Separately review and approve unacknowledged status, imposition of cover, mandatory polygraph for access requirements, and waivers from Defense Investigative Service security inspections of contractors before they may be imposed on controlled access programs.
b) Assign security oversight responsibilities for controlled access activities to an independent DoD office outside the special program community.
CLASSIFICATION MANAGEMENT PRACTICES
There are a number of additional areas dealing with the implementation and management of the classification system, whether the current or the proposed system, that require consideration and improvement.
Dissemination Controls-Impediments to
Getting Intelligence into the Hands of Customers
A senior intelligence official stated that "the day-to-day most serious problem is that we don't get intelligence to the policymakers in a way that they can use it." The issue is not merely that too much information is compartmented, but that intelligence users may be denied timely access to intelligence data and other classified information due to an originator's tendency to include unnecessary control markings.
Four of the standard control markings (Footnote 6) established by the Director of Central Intelligence for the Intelligence Community are security controls; two are not. (Footnote 7) The Commission recommends that three of the four security control markings be eliminated. They are duplicative, unnecessary, and impede the timely transfer of intelligence to those who need it. WNINTEL (Warning Notice - Intelligence Sources and Methods Involved) is implicit in the specially protected category, ORCON (Dissemination and Extraction of Information Controlled by Originator) is viewed as more of an impediment to intelligence users than a protection for intelligence producers, and all US classified information is NOFORN (not releasable to foreign nationals), unless a decision is made to release such information. Accordingly, the REL TO (authorized for release to . . . ) control should suffice.
Under the new classification system, security control markings, apart from REL TO, will not be needed or desirable for generally protected information labeled SECRET, because such information will be under a discretionary need-to-know regime. Similarly, security control markings will not be needed or desirable for specially protected information labeled SECRET COMPARTMENTED ACCESS because such information incorporates centralized access controls that already specify the personnel (government, contractor, foreign government) who are to receive the information.
The Commission recommends that the two remaining control markings, PROPIN (PROPRIETARY INFORMATION) and NOCONTRACT (not releasable to contractors or consultants), be combined into a single marking: government-industry-restricted information (GOVIND). The NOCONTRACT marking, as currently used, often prevents contractors from obtaining the information they need to do their job. This is particularly inappropriate in the case of Federally Funded Research and Development Centers (FFRDCs). These are non-profit institutions with no production facilities, no products or services to sell in commercial markets, and that are not supposed to compete with non-FFRDCs. Accordingly, procedures should be developed to routinely obtain advance agreement that corporate proprietary information is given to the government with the express understanding that such information can be shared with FFRDCs as required by the government.
In the system we propose, government employees and contractors will be cleared to the same standard and appropriately indoctrinated. Consequently, there will be no need to restrict information from contractors with a need to know, other than to protect two types of information. The first is information that is provided to the government by a commercial firm or private source under an express or implied understanding that the information will be protected as a trade secret or proprietary data and will not be disseminated to a potential competitor. The second is government information, for example budgetary information, that could give the contractor an unfair competitive advantage. A new marking, GOVIND, would restrict both types of information.
Agency-specific dissemination controls such as "Exclusive For," "Secret/Sensitive," or "Eyes Only" add to the confusion, and are rarely enforced. We recommend that no agency-specific, dissemination-control markings be used for security purposes. There is no consistency between agencies in the terms used. Whatever unique handling restrictions they imply usually are not understood by the recipient agencies and are improperly applied.
The Commission recommends that, with the exception of "GOVIND" and "REL TO," dissemination markings and controls be eliminated.
Sharing Classified Information
The world is changing and US classified information not only is provided to close allies, but also to coalition partners, some of whom normally have interests quite divergent from ours. The US also finds it necessary to provide classified information to NATO and the United Nations in circumstances where such information, once provided, may be broadly distributed.
It is not possible to anticipate every situation, and flexibility must be preserved so that military commanders and foreign policy officials are able to meet the special needs and requirements of each situation. Nevertheless, it is helpful to have general governmentwide guidance as to the types of information that readily can be shared or that pose particular problems. This reduces the amount of information that must be assimilated and the number of decisions that must be made on an ad hoc basis in the heat of a crisis.
The security executive committee should review information sharing requirements and ensure that guidance and expertise are readily available to inform and assist officials who must make release decisions.
The Commission recommends development of governmentwide guidance for sharing classified information with coalition partners and with the United Nations.
Billet and Access Control Policies
One of the most frustrating features of many current SAP and SCI systems is the resource-intensive, bureaucratic procedure for authorizing access. Military commanders and senior managers confront cumbersome approval requirements, often including arbitrary numerical ceilings and rigid billet structures, if they wish to bring another person with a legitimate reason for access into the compartment.
Program managers try to limit the number of people allowed access to many special programs by imposing an arbitrary ceiling on the number of individual billets (spaces) authorized for a particular organization or facility. Both government and industry organizations are forced to resort to inefficient and costly practices to get around the access restrictions to get the job done. The Commission found that the imposition of these numerical ceilings and rigid billet structures does not reduce the actual number of persons accessed nor enhance the security of a controlled access program. Instead, these practices add unnecessary complexity and confusion.
Because a special access program manager refused to approve a new billet structure with a higher billet ceiling, a government supervisor briefed and debriefed multiple people against a single authorized billet to get the number of people needed for the program. The supervisor would brief an engineer, telling the engineer to think about a particular controlled access issue, then immediately debrief him/her. The same procedure was followed with other needed personnel until all had been briefed on the controlled access program, given a problem to resolve under the program, and then debriefed. Several weeks later, the supervisor used the same brief/debrief method to obtain the solutions from the personnel.
These controls only give the illusion of security while adding excessive cost and inefficiency to the access approval process. The Commission, therefore, recommends an end to the practice of limiting access to specially protected information based on the number of authorized billets or imposed numerical ceilings. The Commission believes that, to permit more effective accomplishment of mission tasks, a zero-based review and update of controlled access rosters in concert with using elements is necessary to determine the personnel who truly have a bona fide contractual or job-related requirement for controlled access information. The results of the review should form the backbone of new access management processes that should eventually feed into a data base system. Quite simply, the number of persons accessed to specially protected information should be based on the number necessary to accomplish the job.
The Commission recommends that the Secretary of Defense and the Director of Central Intelligence direct that controlled access program managers conduct a zero-based review to ensure that all personnel with a mission-essential need to know specially protected information receive access to the information. The number of accessed personnel should meet the need for properly cleared and indoctrinated persons to support acquisition, planning, and operations and not depend on arbitrary ceilings.
At present, most US Government employees and contractors granted access to classified information sign a Classified Information Nondisclosure Agreement (Secrecy Agreement) in which they agree never to divulge classified information to an unauthorized person. While this agreement does not contain a prepublication review provision, the individual agrees that, if there is uncertainty about the classification status of information, he will confirm with an authorized official that the information is unclassified before he discloses it.
Recipients of access to Sensitive Compartmented Information (SCI) and DoD Special Access Programs (SAPs) sign a nondisclosure agreement or indoctrination statement with a prepublication requirement each time that they are admitted to a compartment, program, or category of information within a program.
The SCI agreement obligates the signer not to disclose anything marked as SCI or that they know to be SCI, and to submit for review any material that "contains or purports to contain any SCI or description of activities that produce or relate to SCI, or that they have reason to believe are derived from SCI." Recipients of National Security Agency information agree to submit for review all information that contains or purports to contain, refers to, or is based upon "Protected Information," essentially defined as classified information obtained as a result of their relationship with the NSA.
Recipients of DoD SAP information sign a similar agreement that indoctrinates them into the program and obligates them to submit for review all information which contains or purports to contain any "Designated Classified Information," (essentially defined as SAP information) or description of activities that produce or relate to Designated Classified Information.
Central Intelligence Agency employees sign a secrecy agreement that contains a significantly broader prepublication agreement that obligates them to submit for review any material they contemplate disclosing that contains any mention of intelligence data or activities or contains any other information or material that might be based upon classified information. There are strong arguments for this expansive language. It has more teeth and gives broader legal protection. Because the obligation is not limited to classified information, the government can proceed against the individual simply for failing to submit for prior review information that mentioned or was based on intelligence without having to prove classification.
Most of the Commissioners are not persuaded that persons with access to the same classified information should have differing obligations. Most Commissioners also are not persuaded that intelligence professionals at the CIA should be held to a higher standard than that applied to others in government who receive CIA information. These Commissioners do, however, acknowledge that it is not unreasonable for a Director of Central Intelligence to conclude that CIA employees should be held to a higher standard because, for example, CIA employees are more likely to be exposed to sensitive sources and methods information over their career than many employees in other agencies.
Prepublication review is designed to guard against the malicious and the uncertain. Those with malicious intent will not submit material for review no matter how broad the standard. The conscientious employee or retiree, uncertain as to whether information is classified, will submit material even with a narrow standard. The Commission is concerned about the chilling effect of any prepublication review, but particularly the broad standards in the current CIA secrecy agreement. Government employees should not forfeit the ability to participate in public policy debates merely because they have, or had, access to highly classified information. Indeed, their participation in the debate should be encouraged. On balance, the majority of the Commissioners concluded that there should be one standard secrecy agreement for government and contractor employees with access to compartmented information that does not incorporate the higher review standard in the current CIA version. However, the Commission also recognizes that the Director of Central Intelligence may conclude that his statutory responsibility to protect sources and methods requires that he maintain the stricter version.
Regardless of the prepublication review standard, the Commission believes that it is neither legally required nor desirable, with respect to SCI and SAP material, for the individual to sign a separate nondisclosure agreement for each compartment, subcompartment, program and category of information within a program. A single secrecy agreement obligates the individual not to disclose classified information. A single prepublication provision obligates the individual to submit specially protected material for review. Although there is no harm in reminding an individual of his obligation to protect the information, the multiple forms may in fact create the erroneous impression that unless a new form is signed for each type of information or for each compartment, the obligation to protect the information and submit it for prepublication review is somehow not present. Moreover, there are costs involved in producing, using, and storing the plethora of forms, particularly in an environment in which many individuals have multiple accesses. These costs can and should be avoided.
The Commission believes that standardization of secrecy or nondisclosure agreements and of prepublication review requirements is needed. (Footnote 8) Two agreement forms should suffice: one agreement for generally protected information, and one for specially protected information. If an individual signs the agreement for specially protected information, it will be the only agreement required.
The Commission recommends that no individual sign more than two nondisclosure agreements. One standardized agreement, without a prepublication review provision, will be used for generally protected information; the other standardized agreement, with a prepublication review provision, will be used for specially protected information. If an individual signs the agreement for specially protected information, signing an agreement for generally protected information would not be necessary.
Simply put, the current system for declassification does not work. Much of the information that is classified does not have a declassification date. Generally it is marked OADR (Originating Agency's Determination Required) and remains classified indefinitely. Detailed review of these documents is not feasible, and arbitrary bulk or automatic declassification schemes are perceived as risking the loss of information that still requires protection.
The Cold War period produced a huge amount of classified information, and thus, an enormous backlog of potentially declassifiable information. In addition to information held by individual agencies, there are an estimated 300-400 million pages of classified information in the National Archives. Millions of additional documents are classified each year. The Information Security Oversight Office reports between 6 and 7 million original and derivative classification actions per year in Fiscal Years 1990 to 1992.
Agencies generally are not willing to declassify information without review, yet as the mountain of classified information grows, it is clear that a line-by-line and document-by-document review of this information would be extremely expensive and time consuming. (Footnote 9) Moreover, given public and congressional concern today that sufficient resources are not being devoted to current FOIA, Privacy Act, and mandatory review requesters, diverting limited available resources to a time-consuming review process that is not driven by customer demand is unacceptable.
Any declassification regime, therefore, must be examined to ensure that it does not create a significant burden for government agencies without providing any great advantage to the public. Put more positively, a new classification system should maintain classification for the shortest possible time and make the declassification system more efficient rather than more costly.
We believe that a great deal of information can be automatically released in ten years and that most information can be released in 25 years. What is necessary, however, is to distinguish those categories of information that are good candidates for declassification after 10, 15, or 20 years from categories of information, such as human-source information, that may require protection for longer periods of time. By correctly categorizing classified information, we can reduce the number of times that the government needs to review documents and develop a strategy that will allow release of information without the need for line-by-line review.
We recommend that a new Executive order on classification specify certain categories of information that can be exempted from automatic declassification at the end of 10 years, and also permit agency heads to nominate, and the security executive committee to approve, additional limited categories of information that may require protection longer than 10 but fewer than 25 years. Information could then be marked at the time of its creation to reflect a date upon which it would be automatically declassified.
For example, if it were believed, with respect to a particular category of information that, at the end of 10 years, classification would have to be extended for the majority of information in that category, a longer time period would be selected. Otherwise, when the 10-year, automatic-declassification date arrived, the agency would feel compelled to do a line-by-line review of the information, most of the information probably would remain classified, a great deal of cost would be incurred, and little advantage would be derived by the public.
On the other hand, if it were believed that most of the information in that category could be released at the end of 15 years, then it would be expected that when the automatic declassification date arrived, the agency would feel more comfortable adopting a risk management rather than a risk avoidance approach to the material. The agency would be far less likely to see the need for line-by-line review of the information and far more willing to release the information with little or no review. For example, if it were believed that finished intelligence could be released in 15 years, then it could be expected that at the end of that period reviewers might conclude that the release of 15-year-old political intelligence would not result in significant harm, that the release of 15-year-old economic intelligence would not do significant harm, but that there were a couple of weapon systems still in use and still of continued interest. In such a scenario, reviewers might look to see if 15-year-old military intelligence written on these two weapon systems still should remain classified, but would not undertake a line-by-line review of the rest of the 15-year-old finished intelligence.
We are keenly aware that an important underpinning of our system of government is an informed citizenry and that without the prompt release of pertinent information, intelligent public policy debate, academic discussion, and historical research are handicapped. Nevertheless, there are clear examples where the American people are better served by continued protection of certain classified information. For example, the revelation of the identity of a confidential intelligence source, even after the passage of years, can have a serious negative impact on that individual and would not serve US interests. Similarly, release of information about a previous generation of US weapons can still have a significant negative impact on the safety of US forces.
o We believe the proper balance can be struck in the Executive order by allowing agency heads to exempt, at the time of its creation, specific information from the 25 year automatic declassification. This information would be within the following categories:
o Information that would jeopardize a human intelligence source or impair use of an intelligence method.
o Information that would compromise sensitive military operations.
o Information that would impair US cryptologic systems or activities.
o Information about weapons technology that provides the US with a battlefield advantage or would assist in the development or use of weapons of mass destruction.
The Commission recommends that four principles drive the declassification system:
a) A classifier should attempt to identify a specific date or event when information can be declassified.
b) If no date or event is specified, there is a rebuttable presumption that all classified information would be declassified no later than 10 years from the date of creation.
c) The Executive order should specify categories of information, exempt from the 10 year declassification requirement, that can remain classified for 25 years. Agency heads should prepare guidelines to implement exemption of these categories. These guidelines will be approved by the security executive committee.
d) The Executive order should also specify very narrow categories of information that will be exempt from the 25 year automatic declassification requirements. These categories should include information that would jeopardize a human intelligence source or compromise ongoing sensitive military capabilities. Heads of agencies should develop guidelines that will implement the exemption of these categories from automatic declassification. These guidelines would be approved by the security executive committee.
Making the Classification System Really Work-
An Integrated Approach with Appropriate Oversight
The one-level classification system with two degrees of protection is designed to provide a framework that will support a coherent and consistent governmentwide approach to both classification and security. It recognizes that classification drives security costs and that security practices are evolving naturally, albeit slowly, around two levels of protection. It and the other classification management recommendations build upon steps already taken by, and borrow from the ideas of, thoughtful security professionals.
Nevertheless, no system can be expected to work very well if there is no one in charge. Today, there are few governmentwide standards and, even when standards are supposed to have general applicability, they often are translated and interpreted in ways that do violence to the concept of standardization. Often there is no penalty for noncompliance. Moreover, we conclude that the Information Security Oversight Office (ISOO) simply is not positioned to ensure compliance. Without an effective policy and oversight structure, no coherent security policy is likely to evolve. Instead, inconsistent rules will continue to be formulated, and disputes will continue to impede the development of a uniform policy.
The proposed security executive committee, on the other hand, would be positioned to provide effective centralized oversight. Its staff could include a strengthened ISOO, headed by a security ombudsman, with a broader security oversight role. In addition, the outside security advisory board we propose would provide a mechanism for nongovernment and public interest concerns about the system to be raised to the committee.
Although centralized oversight is a necessary and important innovation, effective oversight must begin at the agency level. We recommend, therefore, that each agency appoint a classification ombudsman whose mission is to encourage and act on complaints about over-classification. The ombudsman also will be required to routinely review a representative sample of the agency's classified material. This individual would have the authority to ask why a particular piece of information was classified and to order it declassified if no persuasive reason is forthcoming. Real-time review of employee complaints, cable traffic, and other documents; real-time identification of categories of information subject to misclassification; and real-time identification of the individuals responsible for classification errors would add management oversight of classification decisions and attach penalties to what too often can be characterized as classification by rote. The system outlined above, in its broad contours, has been in place in the Department of State for the past two years, and we are told that over the past six months noticeable progress has been made. Information that previously had been classified is no longer classified and greater discipline has been injected into the entire classification process.
The Commission recommends:
a) Strong centralized oversight by the security executive committee as well as more effective oversight at the agency level.
b) A strengthened Information Security Oversight Office as a part of the security executive committee staff.
c) A requirement that each agency appoint a classification ombudsman, establish a hot line for employee classification questions and complaints, and institute a spot check system.
Dealing with Sensitive but Unclassified Information
The information universe usually is subdivided into classified and unclassified, with best estimates of the ratio having classified as about ten percent of total government information. Unclassified information is further subdivided into sensitive information (unclassified information which has some confidentiality requirement) and non-sensitive information, which may be disseminated freely. It has been estimated that as much as seventy-five percent of all government-held information may be sensitive.
Government-held sensitive but unclassified information is information whose loss, misuse, unauthorized access to, or modification of, could adversely affect the national interest or the conduct of Federal programs, or adversely affect the privacy to which individuals are entitled under the Privacy Act.
As with classified information, this information must be protected to ensure its confidentiality, integrity, and availability. In some cases, we do not wish unauthorized persons to see certain information, such as medical or personnel records. Sometimes, it is more important that information is not changed or destroyed, such as with payroll or other payment records. Finally, it may be important to ensure the availability of these records within the period of time necessary for their particular use or application. For example, if a system were intentionally clogged or disrupted, we might be unable to access treatment data to deal with a medical emergency or logistics data to deal with a military or diplomatic crisis.
The Commission believes that our information infrastructure is at increasing risk, but its vulnerability is not sufficiently understood or appreciated and there is not in place a process to appropriately deal with the problem. Increased attention must be paid to identifying and protecting sensitive but unclassified information within the Defense and Intelligence Communities. In addition, the information system security countermeasures that are developed should be available more broadly to protect such information in the rest of the government, as well as information that, while neither classified nor government-held, is crucial to US security in its broadest sense. We have in mind information about, and contained in, our air traffic control system, the social security system, the banking, credit, and stock market systems, the telephone and communications networks, and the power grids and pipeline networks. All of these are highly automated systems that require appropriate security measures to protect confidentiality, integrity and availability.
The Commission recommends that the Secretary of Defense and the Director of Central Intelligence put in place a process to evaluate the vulnerability of sensitive but unclassified information within the Defense and Intelligence Communities and to explore appropriate countermeasures.