I’m Sorry, But That’s Classified
Category
News, Cybersecurity Fundamentals
Risk Level
The discovery of classified information at high profile politicians’ homes and alternate work locations has seemingly swarmed the news cycle in the past six months. Let’s take a look at what classified information is and how it is managed by the United States government.
“What is Classification in the Government?”
Information classification is the process of categorizing information based on its level of sensitivity, importance, and the need for protection. In the United States, the classification of government information is governed by several laws and regulations, including Executive Order (EO) 13526, the National Security Act of 1947 (and modern amendments), the Espionage Act of 1917 (and modern amendments) and the Information Security Oversight Office (ISOO) directives. The purpose of these regulations is to ensure that information that may harm national security interests at home and abroad are properly safeguarded, and is not disclosed or otherwise shared with adversaries who may use that information against the United States, whether purposefully or by accident.
“What do the different classifications mean?”
Unclassified Information
The government is responsible for the production and consumption of A LOT of information. Not ALL of the information the government handles is deemed a threat to National Security. However, the impact of the loss or breach of some of the information, even if unclassified, could pose a risk to citizens as a whole or individually. These types of information generally fall under categorizations including Controlled Unclassified information (CUI) or Sensitive But Unclassified (phasing out and replaced by CUI markings) information.
Classified National Security Information
There are three main levels of classification for National Security Information (NSI), as established and codified into law by the National Security Act and Information Security Oversight Office directives in the United States: Confidential, Secret, and Top Secret. These classifications may be further marked and divided into subcategories, such as Special Access Program (SAP) information or Sensitive Compartmented Information (SCI) for example:
Confidential information is defined as information that, if disclosed, could reasonably be expected to cause damage to national security. This is the lowest level of classification and requires proper storage and protection, but it may be shared with those who have a need to know.
Secret information is defined as information that, if disclosed, could reasonably be expected to cause serious damage to national security. This level of classification requires stricter protection measures and access is limited to those who have a need to know and a valid security clearance.
Top Secret information is defined as information that, if disclosed, could reasonably be expected to cause exceptionally grave damage to national security. This is the highest level of classification and access is strictly limited to those who have a valid security clearance and a compelling need to know.
Special Access Program (SAP) Information (or Special Access Required / SAR in the DoD) is a special categorization of information that requires higher levels of protection than generalized Top Secret information. Special Access Program information may refer to especially sensitive NSI dealing with active programs, projects, or operations that poses a particularly grave threat to National Security if mishandled or compromised.
Sensitive Compartmented Information (SCI) is a special categorization of information that requires even higher levels of protection and is derived from sensitive intelligence sources, methods, or analytical processes. SCI is information that must be handled within formal access control systems established by the Intelligence Community. Access to SCI is limited to those who have been specifically authorized and have a need to know.
Classification of Atomic Energy Information
Atomic energy information (AEI) refers to information related to the design, manufacture, and use of atomic weapons and nuclear energy. In the United States, the classification of atomic energy information is governed by the Atomic Energy Act of 1954 and the Department of Energy (DOE) Directives.
Atomic energy information is classified outside of the standard NSI classification system. AEI follows a classification system established by the Atomic Energy Act and later DoE and DoD joint directives. AEI may be classified as Restricted Data (RD), Formerly Restricted Data (FRD) and Transclassified Foreign Nuclear Information (TFNI) (also governed by the National Security Act as NSI).
RD is defined as all data concerning the design, manufacture, or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy. RD is the highest level of classification and is strictly controlled and limited to those who have a need to know.
FRD refers to information that was previously classified as RD but no longer requires protection as RD. FRD may still be classified as Confidential, Secret, or Top Secret, but it is no longer considered RD and may be shared with those who have a need to know and the proper clearance.
TFNI refers to information concerning the atomic energy programs of other nations that has been removed from the Restricted Data category for use by the intelligence community and is safeguarded as NSI under EO13526.
“What is a Security Clearance then?”
Clearance is often confused with a blanket authorization to access information classified at the same sensitivity level. In fact, clearance is more of a “fitness” test for individuals to validate that they meet certain requirements to access information up to a level of classification, specifically if they have a valid “need to know” to access that information. The requirements depend on the classification level of the information they will need access to in the course of their job function. So if an individual will need access to Top Secret or SCI information, they will need to pass a clearance investigation at the level commensurate with Top Secret or SCI information access and its requirements. The requirements generally include varying degrees of background information, criminal record checks, financial fitness checks and evaluation, and for the clearances to Top Secret, TS/SCI, or TS/SAP information a lifestyle or full-scope polygraph may be ordered as part of the determination process.
Clearances must be periodically refreshed with a re-investigation and “fitness” evaluation of the individual, so long as they still require the clearance.
Clearance is based on a valid “need to know”
A clearance at the Top Secret level, for example, means you have met the requirements to access information classified at such a level, however you do not have blanket authorization to access ANY and ALL Top Secret information. Access to information is granted on a least privilege basis, and you are only authorized to access information you have a valid need to know or access to complete your job duties. Individuals may be “read in” on information they do not have a clearance specifically to access by individuals with authority to do so. When you no longer need access to information, such as leaving your position, or if access to such information no longer is required as part of your job function, your “need to know” ends and your access is revoked, even if your clearance and investigation remain active.
The President Doesn’t Have or Need a Clearance
The President is not required to obtain a security clearance or pass a “fitness” evaluation. This is for a number of reasons, such as:
The President’s powers are directly authorized by Article II of the United States Constitution;
The President is considered the highest Original Classification Authority (OCA). OCA is a designation also held by the Vice President, Secretary of Defense, Secretary of Military Branches, and few other DoD Officials, and the President is the ultimate authority on OCA delegation decisions and may confer or delegate OCA to members of his/her Cabinet, individual agency heads outside of the cabinet, and anyone in his/her immediate sphere (Chief of Staff for example); and,
The Presidency carries an implied assumption that it must be aware of and have knowledge of all National Security matters (a blanket “need to know” so to speak).
“How does classified information need to be handled?”
Classified information must be stored and safeguard in accordance with Federal Guidelines and Regulations depending on the classification level. Different classification levels have different storage and security requirements. The ISOO and National Archives and Records Administration (NARA) have jointly defined the requirements for the U.S. government to access, handle, store, secure, retain, and dispose of classified information. Many of these requirements can be found in the U.S. Code of Federal Regulations (U.S. CFR), and in NARA published directives.
For records originating from (created by) or received by the Executive Office of the President or by the President him/herself in the course of their official duties, the Presidential Records Act of 1978 and associated guidance from EO13256 apply.
For government contractors and third-parties storing or processing classified information, the Department of Defense’s National Industrial Security Program Operation Manual (NISPOM) or DoD 5220.22-M governs the requirements for securely handling and storing classified information. The requirements to meet DoD 5220.22-M are embedded in contracting as part of the Defense Federal Acquisition Regulation Supplement (DFARS) for DoD contracts, and Federal Acquisition Regulation (FAR Clause) for non-DoD contracts. For example, information carrying markings of Top Secret or SCI, or RD, FRD, TFNI as discussed previously, may only be stored in a Secure Compartmented Information Facility (SCIF). SCIFs are accredited facilities that have implemented special security measures and safeguards to protect the information stored within from breach or unauthorized exfiltration. For example, most SCIFs do not allow personal electronic devices like mobile phones, IoT devices, etc. in because they could potentially be used to exfiltrate information or pictures of information or the facility itself.
“How is classified information declassified?”
Most classified information since EO13256 was passed during the Obama administration inherits an automatic declassification timeframe based on its original classification level. Once that timeframe is up, the redacted information may be made available to the public, such as through Freedom of Information Act (FOIA) requests.
Some categories of classified information are exempt from automatic declassification rules, however, such as TS/SCI dealing with human intelligence or human assets (further categorized as HUMINT), and Atomic Energy RD, FRD, and TFNI. The authority to declassify this information rests with the Director of National Intelligence (in coordination with ISOO) for HUMINT, and jointly between the Department of Energy and the DNI or Department of Defense for nuclear secrets information depending on the type and application (military applications would be DoE + DoD, TFNI would be DoE + DNI).
“What can the President declassify and when?”
The President, being the highest Original Classification Authority and whose power is only limited by the Constitution of the United States, can generally declassify any classified information with a few caveats. The President cannot unilaterally declassify Atomic Energy Information (RD, FRD, TFNI), nor extremely sensitive NSI like the HUMINT category of SCI. These may only be declassified by the authorities mentioned above, and the process for declassification is formal and rigorous.
The President can otherwise share and retroactively declassify (initiating a formal process for marking updates, redaction, etc.) any NSI at will, so long as he/she is the President. Presidential authority ends the second the new President is sworn in. After that, like every other public official with a clearance who leaves their job, their “need to know” ends immediately, and their access to classified information with it. In most cases, the newly sworn-in President or other OCAs, may “read in” the former President, especially when it is critical to transition activities or national security interests, and most new Presidents extend the “read-in” as a courtesy.
In short, the President has significant classification / declassification authority over classified information, with the exception of Atomic Energy Information and some extremely sensitive categories of NSI dealing with human intelligence and assets, while in office. However, former Presidents (like anyone else who leaves their official government capacity and loses “need to know”) cannot retain or declassify classified information following the termination of their Presidency with the swearing-in of the new President.
“What about Presidential Records?”
Presidential Records, if you recall, are records originated (or received) by the Executive Office of the President as defined in 44 U.S.C. Chapter 22 of the U.S. Code. Any records created or received within the Executive Office of the President in the course of Presidential business, identified as Presidential and not strictly identified as personal records, become the property of the National Archives and transfer to the custody of the National Archivist upon the termination of the Presidency. Any Presidential Records that the Archivist has not already cataloged and secured in custody during the course of the Presidency must be expeditiously returned to NARA following the end of the President’s term.
“What does it all mean?”
In the United States, information classification is an important tool for protecting sensitive information that could harm national security, individuals, or organizations. It is important for government agencies and individuals who handle classified information to understand the regulations and requirements for protecting this information, just as it’s important for United States citizens to understand how the government, it’s third-parties, and anyone else, should handle and secure classified information that may put them at risk if improperly controlled.