What We Did:
The objective of this audit was to determine whether DoD Components developed and maintained security classification guides (SCGs) in accordance with Federal and DoD guidance.
What We Found:
DoD Component OCAs did not develop or maintain SCGs in accordance with Federal and DoD guidance. Of the 50 SCGs that we selected for review, the OCAs could not locate 3 of the SCGs and did not properly cancel another 4 SCGs that were no longer needed. For the remaining 43 SCGs, the OCAs did not:
• identify and review existing classification guidance to avoid classification conflicts between similar information for 38 SCGs;
• identify the items of information requiring protection for one SCG;
• identify how long the classification should remain in effect for 16 SCGs;
• identify the reasons for classifying information for 23 SCGs;
• identify the classification level of information for 34 SCGs;
• identify the SCG approval authority with program and supervisory responsibility over the information addressed for seven SCGs;
• provide a copy of the SCG to the DTIC for 15 SCGs;
• conduct a 5-year review and update 20 SCGs; or
• complete mandatory classification training before exercising their authority for 34 SCGs.
The DoD Components did not develop and maintain SCGs in accordance with Federal and DoD guidance because:
• the Under Secretary of Defense for Intelligence and Security did not direct, administer, and oversee the DoD process for developing and maintaining SCGs, as required by DoD Manual 5200.01, Volume 1, and DoD Manual 5200.45; and
• the DTIC did not establish business rules for the SCG index to ensure that OCAs could identify existing classification guidance relevant to the development of new SCGs. The DTIC also did not issue reminders to the OCAs concerning the required SCG 5-year review.
Based on the universe of 1,501 SCGs, we project that OCAs did not develop or maintain 1,257 SCGs (83.7 percent) in accordance with DoD guidance. Furthermore, we project that the OCAs would not be able to locate or had improperly canceled 244 SCGs (16.3 percent). Notably, we project at least one type of error in each of the 1,501 SCGs in the universe.
Inaccurate and incomplete SCGs increase the risk that derivative classifiers will incorrectly interpret or apply the guidance and, therefore, over- or under-classify information, classify similar information inconsistently across programs, or not declassify information in a timely manner. Over-classification can result in a lack of insight and transparency concerning DoD programs. Under-classification can result in unauthorized disclosure of classified information that can inform threat actors about critical DoD programs and systems. If immediate actions are not taken to address issues identified in this report, the DoD increases the risk of unauthorized disclosure of classified information and the potential for threat actors to gain unauthorized access to information about critical programs and systems.
What We Recommend:
We recommend that the Under Secretary of Defense for Intelligence and Security:
• Direct all DoD Component Heads to account for all SCGs under their purview.
• Direct all DoD Component Heads to immediately review all SCGs under their purview, and at least once every 5 years thereafter, and take action to update the SCGs as needed.
• Establish a process to ensure that the DoD Components, the OCAs, and the DTIC comply with the requirements in DoD Manual 5200.01, Volume 1, and DoD Manual 5200.45.
• In coordination with the Under Secretary of Defense for Research and Engineering, direct the DTIC to re-establish the 5-year reminder process to ensure that OCAs review and update SCGs as required.
In addition, we recommend that the DTIC Administrator, in coordination with the Under Secretary of Defense for Intelligence and Security, establish business rules for the SCG index, including an SCG naming, numbering, and formatting convention that will facilitate OCA searches of existing classification guidance to enable consistent classification of similar information throughout the DoD.