Publicly Released: June 23, 2022
Objective
The objective of this audit was to determine whether DoD Components developed and maintained security classification guides (SCGs) in accordance with Federal and DoD guidance.
Background
The DoD uses SCGs to communicate the requirements for classifying and protecting sensitive DoD information. The SCGs identify the classification of a system, plan, program, project, or mission, including the level and duration of classification for protecting information critical to national security. An original classification authority (OCA) is an individual, authorized in writing, either by the President, Vice President, or an agency head, to classify sensitive information in the first instance and is responsible for developing and maintaining the accuracy of SCGs. Once an OCA issues an SCG, derivative classifiers use the SCGs to facilitate the proper and uniform classification of information. Derivative classification is the process of incorporating, paraphrasing, restating, or generating in a new form information that is already classified and marking the newly developed material consistent with classification guidance, which includes any applicable SCGs.
The DoD requires OCAs to follow seven steps when developing SCGs, provide a copy of each approved SCG to the Defense Technical Information Center (DTIC) index of SCGs, and review and update SCGs at least every 5 years to promote uniformity and consistency and to avoid classification conflicts between SCGs.
We reviewed 50 SCGs during the audit. Of those 50 SCGs, we statistically selected 43 to review from a universe of 1,501 SCGs and nonstatistically selected an additional seven SCGs to review that we had used in previous audits or that had known problems.
Finding
DoD Component OCAs did not develop or maintain SCGs in accordance with Federal and DoD guidance. Of the 50 SCGs that we selected for review, the OCAs could not locate 3 of the SCGs and did not properly cancel another 4 SCGs that were no longer needed. For the remaining 43 SCGs, the OCAs did not:
- identify and review existing classification guidance to avoid classification conflicts between similar information for 38 SCGs;
- identify the items of information requiring protection for one SCG;
- identify how long the classification should remain in effect for 16 SCGs;
- identify the reasons for classifying information for 23 SCGs;
- identify the classification level of information for 34 SCGs;
- identify the SCG approval authority with program and supervisory responsibility over the information addressed for seven SCGs;
- provide a copy of the SCG to the DTIC for 15 SCGs;
- conduct a 5-year review and update 20 SCGs; or
- complete mandatory classification training before exercising their authority for 34 SCGs.
The DoD Components did not develop and maintain SCGs in accordance with Federal and DoD guidance because:
- the Under Secretary of Defense for Intelligence and Security did not direct, administer, and oversee the DoD process for developing and maintaining SCGs, as required by DoD Manual 5200.01, Volume 1, and DoD Manual 5200.45; and
- the DTIC did not establish business rules for the SCG index to ensure that OCAs could identify existing classification guidance relevant to the development of new SCGs. The DTIC also did not issue reminders to the OCAs concerning the required SCG 5-year review.
Based on the universe of 1,501 SCGs, we project that OCAs did not develop or maintain 1,257 SCGs (83.7 percent) in accordance with DoD guidance. Furthermore, we project that the OCAs would not be able to locate or had improperly canceled 244 SCGs (16.3 percent). Notably, we project at least one type of error in each of the 1,501 SCGs in the universe.
Inaccurate and incomplete SCGs increase the risk that derivative classifiers will incorrectly interpret or apply the guidance and, therefore, over- or under-classify information, classify similar information inconsistently across programs, or not declassify information in a timely manner. Over-classification can result in a lack of insight and transparency concerning DoD programs. Under-classification can result in unauthorized disclosure of classified information that can inform threat actors about critical DoD programs and systems. If immediate actions are not taken to address issues identified in this report, the DoD increases the risk of unauthorized disclosure of classified information and the potential for threat actors to gain unauthorized access to information about critical programs and systems.
Recommendations
We recommend that the Under Secretary of Defense for Intelligence and Security:
- Direct all DoD Component Heads to account for all SCGs under their purview.
- Direct all DoD Component Heads to immediately review all SCGs under their purview, and at least once every 5 years thereafter, and take action to update the SCGs as needed.
- Establish a process to ensure that the DoD Components, the OCAs, and the DTIC comply with the requirements in DoD Manual 5200.01, Volume 1, and DoD Manual 5200.45.
- In coordination with the Under Secretary of Defense for Research and Engineering, direct the DTIC to re-establish the 5-year reminder process to ensure that OCAs review and update SCGs as required.
In addition, we recommend that the DTIC Administrator, in coordination with the Under Secretary of Defense for Intelligence and Security, establish business rules for the SCG index, including an SCG naming, numbering, and formatting convention that will facilitate OCA searches of existing classification guidance to enable consistent classification of similar information throughout the DoD.
Management Comments and Our Response
The Deputy Director for Defense Intelligence, Counterintelligence, Law Enforcement, and Security, responding for the Under Secretary of Defense for Intelligence and Security, did not agree or disagree with the recommendations. Therefore, the Deputy Director should provide additional comments to the final report describing the steps that will be taken to direct DoD Component Heads to account for all SCGs under their purview and to establish a process to ensure compliance with DoD Manual 5200.01, Volume 1, and DoD Manual 5200.45.
The Deputy Director stated that an SCG review was underway in accordance with a 5-year review requirement in Executive Order 13526. Therefore, the recommendation to direct DoD Component Heads to conduct an SCG review is closed and no further action is required.
The DTIC Administrator disagreed with the recommendation to establish business rules for the SCG index, stating that “complex” rules would not guarantee a complete, accurate, and easily searchable SCG index, but would instead increase opportunities for error, making SCG retrieval more difficult. We do not consider a naming, numbering, and formatting convention to be a set of “complex business rules,” but instead a necessary action to reduce classification conflicts and eliminate duplicate SCG index entries. Therefore, the DTIC Administrator should provide additional comments to the final report on the establishment of business rules to facilitate OCA searches of existing classification guidance.
This report is a result of Project No. D2020-D000CX-0166.000.