METHODOLOGY
This Study seeks to evaluate the impact of
the Card Memorandum directing the safeguarding of unclassified
information and the breadth of policies related to the protection
or control of unclassified information across the federal
agencies. A number of recent reports have compiled lists
of the array of different categories for non-classification
protection, but none have requested and compared information
from a broad swath of federal agencies on the protection
of information that cannot properly be classified under
existing procedures guided by the President's EO 12958.
The Archive used Freedom of Information Act requests to
compile data from federal agencies.
IMPACT
OF CARD MEMORANDUM
On March 19, 2002, President Bush's Chief of Staff Andrew
H. Card sent a memorandum ("Card Memorandum")
to the heads of all executive departments and agencies of
the Federal Government. The Card Memorandum called on departments
and agencies to immediately reexamine current measures for
identifying and safeguarding records regarding weapons of
mass destruction (WMD), including chemical, biological,
radiological, and nuclear weapons.
The Acting Director of the Information Security Oversight
Office (ISOO) and the Co-Directors of the Justice Department's
Office of Information and Privacy (OIP) prepared guidance
("ISOO-DOJ Guidance") that was attached to the
Card Memorandum to assist the information reviewing process.
The ISOO-DOJ Guidance examines three levels of sensitivity
for government information and the corresponding steps necessary
to safeguard that information. These are: 1) Classified
Information; 2) Previously Unclassified or Declassified
Information; and 3) Sensitive but Unclassified Information.
The guidance also reminds departments and agencies to process
FOIA requests for records containing WMD or national security
information in accordance with Attorney General John Ashcroft's
FOIA Memorandum ("Ashcroft Memorandum") of October
12, 2001, by giving full and careful consideration to all
applicable FOIA exemptions.
The Card Memorandum directed each department and agency
to report its findings directly to the Office of the White
House Chief of Staff or the Office of Homeland Security
no later than 90 days from the date of the Memorandum. Agencies
and departments were also instructed to contact the Department
of Energy's Office of Security for assistance in determining
the classification of nuclear and radiological weapons information
under the Atomic Energy Act, and to contact the Justice
Department's Office of Information and Privacy for assistance
in applying exemptions of the Freedom of Information Act
(FOIA) to sensitive but unclassified (SBU) information.
The National Security Archive ("Archive") made
FOIA requests to each of thirty-five (35) federal agencies,
departments and offices. The 35 agencies included the 25
agencies surveyed by the Government Accountability Office
(GAO) in its 2001, 2002, and 2003 reports regarding administration
of FOIA. These agencies account for an estimated 97% of
all FOIA requests government-wide. The Archive also submitted
FOIA requests to ten (10) additional agencies and components
to which the Archive frequently submits FOIA requests. Each
FOIA request asked for:
All records, including but not limited to guidance
or directives, memoranda, training materials, or legal
analyses, concerning the March 19, 2002 memorandum issued
by White House Chief of Staff Andrew Card to the heads
of all federal departments and agencies regarding records
containing information about Weapons of Mass Destruction
(WMD). Attached with this memo was a supporting memorandum
by the U.S. Department of Justice and Information Security
Oversight Office.
With one exception, all requests were faxed to the central
FOIA processing office of each department or agency on January
8, 2003. (Note 1) The 20-business day statutory
time limit for a substantive FOIA response expired on February
5 or 6, 2003. On February 7, 2003, after 21 or 22 business
days had expired, appeals were filed with 30 agencies that
had not substantively responded to the requests. The Chart
presented in Appendix I summarizes agency processing times
and information releases.
POLICIES
ON PROTECTION OF SENSITIVE
UNCLASSIFIED INFORMATION
The Archive submitted FOIA requests to each of 43 different
federal agencies, departments, and offices. This survey
included the 25 agencies examined by the Government Accountability
Office (GAO) in its annual reports; the agencies considered
by the GAO represent an estimated 97% of all FOIA requests.
We selected ten additional agencies and components to which
the National Security Archive submits a substantial number
of FOIA requests each year, as well as eight agencies that
we believed, because of the nature of their functions, might
play an important role in the protection of sensitive unclassified
information. Each request sought:
All documents including, but not limited to,
directives, training materials, guides, memoranda, rules
and regulations promulgated on and after January 1, 2000,
that address the handling of,
"sensitive but unclassified," (SBU)
"controlled unclassified information," (CUI)
"sensitive unclassified information," (SUI)
"sensitive security information," (SSI)
"sensitive homeland security information,"
(SHSI)
"sensitive information," (SI)
"for official use only," (FOUO)
and other types and forms of information that,
by law, regulation or practice, require some form of protection
but are outside the formal system for classifying national
security information or do not meet one or more of the
standards for classification set forth in Executive Order
12958 as amended by Executive Order 13292.
The requests were faxed to the central FOIA processing
office of each agency or department on February 25, 2005.
In some cases separate requests were submitted to component
agencies that may have occasion to independently safeguard
unclassified information. The 20-business day statutory
time limit for a substantive FOIA response expired on March
25, 2005. The chart presented in Appendix III summarizes
agency processing times and information releases.
Agency responses were examined for:
- Authority (statutory or internal) for the policy;
- Definition and guidance;
- Power to designate protected information;
- Power to remove designation;
- Government employees' access to information;
- Physical protections for information;
- Limitations on use of designation;
- Relation to or effect on Freedom of Information Act
(FOIA) policies.
Each of the above categories corresponds with the explanatory
sections below (see Findings). The constraints
of this Report format do not allow the details of each agency
policy to be communicated; instead, we have drawn generalized
findings based on an overall review and used specific aspects
of agency responses as examples or case studies within our
broader discussion. The complete documentation of each agency's
response is available on file with the National Security
Archive, http://www.nsarchive.org.
What
Is Sensitive Unclassified Information?
This study is focused solely on security sensitive information
that does not meet the standard for classification or, for
some other reason, is not classified in accordance with
Executive Order 12958 (as amended by E.O. 13292). When referring
generally to the category of policies examined in this Study,
rather than a specific agency policy (the names of which
are denoted in bold text), we use the term
"sensitive unclassified information" policies.
Because of the number of policies and the extent to which
they overlap-some use the same terminology but differ in
substance-this is used as a generic phrase, as it incorporates
the two common elements (the claimed sensitivity of the
information and its unclassified nature). We include as
"security"-related concerns those potential harms
related to national security or law enforcement, as well
as protection of other information the release of which
may impair the functioning of the government.
What
Is Not Sensitive Unclassified Information?
The web of government information control policies and
practices is vast and complex. As this Study makes clear,
many documents may potentially fall into multiple categories
or be marked with more than one type of restriction. For
purposes of clarity and focus, this Study examines specifically
those policies aimed at controlling unclassified information
for purposes of security. This category of information overlaps
substantially with what are often referred to as "dissemination
control markings" (Note 2) or routing
guidelines. Such markings may be applied to either classified
or unclassified information, and serve the purpose of directing
where a given document may go and who may receive
it, rather than characterizing the substantive content of
the document.
Examples of these "caveats" or "special
handling designations" used by the Department of Defense
and exclusively applicable to classified information include:
ATOMAL (containing atomic materials); NATO (NATO classified
information); and SIOP-ESI (Single Integrated Operations
Plan-Extremely Sensitive Information) and other SPECAT (Special
Category) designators. (Note 3) The Department
of State and several other agencies recognize markings specifically
prescribing distribution restrictions for the document,
including: EXDIS ("exclusive distribution to officers
with essential need to know"); LIMDIS ("distribution
limited to officers, offices, and agencies with the need
to know, as determined by the chief of mission or designee");
NODIS ("no distribution to other than addressee without
approval of addresser or addressee. NODIS is used only on
messages of the highest sensitivity between the President,
the Secretary of State, and Chiefs of Mission."); (Note
4) and NOFORN ("intelligence which . . . may not
be provided in any form to foreign governments, international
organizations, coalition partners, foreign nations, or immigrant
aliens without originator approval.") (Note
5)
NOTES
ON FINDINGS
The Study's findings are qualified on a number of grounds.
First, there are limitations to the method of requesting
documents under the FOIA. The Archive cannot be certain
that every relevant office was searched, that every responsive
document was found, or that all the data on these issues
was released. The wide range of responses received suggests
that there almost certainly are additional responsive documents
that were not provided to the Archive.
Second, as to the sensitive unclassified information policies
presented in this Study, in the majority of cases, we were
unable to determine to what extent these policies have affected
agency practice. Due to the amorphous, decentralized, and
generally unmonitored nature of policies controlling unclassified
information, it is impossible to discern how many employees
in a given agency are using the policy and how much information
has been designated for protection or withholding under
the policy. Some inferences can be drawn in cases where
the means of dissemination of a given policy can be discerned,
but this was not possible with the material provided by
most agencies.
Third, as of today, 258 business days since submission
of the FOIA request for documents on sensitive unclassified
information policies, only 32 agencies out of 42 surveyed
(or approximately 76%) have responded, but only 20 or 48%
have provided responsive documents. In some cases, such
policies are created by statute or have been pronounced
publicly as agency policy. Therefore, the agency FOIA responses
were supplemented with research based on publicly-available
materials. Thirty-three out of 35 agencies surveyed (approximately
91%) have responded to our Card Memorandum request, but
over 750 business days have passed since those requests
were submitted.
Finally, there are many different tallies of the total
number of sensitive unclassified information policies. Several
attempts have been made to measure the volume of distinct
designations used to protect unclassified information, but
each organization has employed its own approach and, in
particular, its own interpretation of how the boundaries
of the category should be defined. In 1972, a study commissioned
by the House Government Operations Committee revealed 63
separate "control labels" used by various federal
agencies; however, a number of the labels included in that
count are applied only as an additional safeguard to classified
information-for example, Restricted Data, Siop-Esi ("Single
integrated operational plan-extremely sensitive information"),
and Noforn ("No foreign distribution"). Further,
at least eight of the agencies included in that survey are
no longer in existence, and others are small agencies that
were not included in this Study.
A more recent quantification of sensitive unclassified
information policies was completed by OpenTheGovernment.org
as part of their Secrecy Report Card 2005. (Note
6) OpenTheGovernment.org referred to 50 "restrictions
on unclassified information"; included in this count,
however, are the nine defined exemptions under the Freedom
of Information Act, as well as several other restrictions
that were not reported by the agencies surveyed for this
Study or that do not clearly qualify as either distribution
or control markings-for example, protective measures in
place under the Export Administration Regulations and restrictions
applied to Grand Jury Information under the Federal Rules
of Criminal Procedure. Once again, for this Study we considered
principally the information and policies provided by the
agencies in response to FOIA requests. The deviations as
to the total number of policies exhibits two conclusions
about the state of sensitive unclassified information regulation-namely,
that these diverse policies are not clearly set out by the
agencies or publicly available, and that there is even misunderstanding
and disagreement within agencies about the nature and application
of the policies.
Notes
1. The Archive faxed a FOIA request to
the Office of Management and Budget (OMB) on January 9,
2003.
2. Defense Information Systems Agency,
"DMS GENSER Message Security Classifications, Categories,
and Marking Phrase Requirements," Version 1.2, Attachment
5 (Mar. 19, 1999).
3. Id. at 6-7.
4. Id. at 9.
5. Id. at 12.
6. http://www.openthegovernment.org/otg/SRC2005.pdf