Managing Sensitive Information
Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities Gao ID: GAO-10-251 December 15, 2009On May 7, 2009, the Government Printing Office (GPO) published a 266-page document on its Web site that provided detailed information on civilian nuclear sites, locations, facilities, and activities in the United States. At the request of the Speaker of the House, this report determines (1) which U.S. agencies were responsible for the public release of this information and why the disclosure occurred, and (2) what impact, if any, the release of the information has had on U.S. national security. In performing this work, the Government Accountability Office (GAO) analyzed policies, procedures, and guidance for safeguarding sensitive information and met with officials from four executive branch agencies involved in preparing the document, the White House, the House of Representatives, and GPO.
While no single U.S. government agency or office was entirely responsible for the public disclosure of the draft declaration, all of the agencies and offices involved in preparing and publishing the draft declaration share some responsibility for its release. GAO identified several points during the life cycle of the draft document where problems in the process occurred. First, none of the agencies that prepared the draft declaration--the Departments of Energy (DOE) and Commerce, and the Nuclear Regulatory Commission (NRC)--took the added precaution of ensuring that the consolidated draft they helped prepare had a U.S. security designation on each page of the document. Rather, the final version of the document, which they all reviewed, was marked only with the International Atomic Energy Agency's (IAEA) designation--"Highly Confidential Safeguards Sensitive." This marking has no legal significance in the United States. Second, the Department of State, which prepared the draft declaration for transmittal to the White House, sent a transmittal letter to the National Security Council indicating that the contents of the draft declaration should be treated as Sensitive but Unclassified (SBU). Not all federal agencies use this particular marking and, therefore, the marking created confusion for other executive and legislative branch offices that subsequently received the draft declaration on whether the information could be published. Third, the National Security Council, which reviewed the draft declaration on behalf of the White House, did not provide explicit and clear instructions on how to handle the draft declaration to the White House Clerk's Office. Fourth, the legislative branch offices which reviewed and then transmitted the document to GPO for publication--the House of Representatives' Parliamentarian and Clerk's Office--determined incorrectly, in GAO's view, that the document could be published. Officials from these congressional offices were not familiar with the phrase "Sensitive but Unclassified" and did not know how to safeguard that information. Finally, GPO, which proofread and processed the document for publication, did not raise any concerns about the document's sensitivity. GAO believes it is important to correct these problems as soon as possible because the United States is required to submit a declaration to IAEA annually. The public release of the draft declaration of civilian nuclear sites and nuclear facilities does not appear to have damaged national security, according to officials from DOE, NRC, and Commerce. Commerce, DOE, and NRC did not assess the national security implications of the draft declaration's public release because these agencies--plus the Department of Defense--had reviewed the list of civilian nuclear facilities and related activities prior to transmitting it to the White House and Congress to ensure that information of direct national security significance was not included. Information in the draft declaration was limited to civilian nuclear activities, and most nuclear-related information was publicly available on agency Web sites or other publicly available documents. However, according to officials from all of the agencies responsible for compiling this information, the information consolidated in one document made it sensitive and, thus, it should never have been posted to GPO's Web site.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-10-251, Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities
This is the accessible text file for GAO report number GAO-10-251
entitled 'Managing Sensitive Information: Actions Needed to Prevent
Unintended Public Disclosures of U.S. Nuclear Sites and Activities'
which was released on December 23, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Speaker of the House of Representatives:
United States Government Accountability Office:
GAO:
December 2009:
Managing Sensitive Information:
Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear
Sites and Activities:
GAO-10-251:
GAO Highlights:
Highlights of GAO-10-251, a report to the Speaker of the House of
Representatives.
Why GAO Did This Study:
On May 7, 2009, the Government Printing Office (GPO) published a 266-
page document on its Web site that provided detailed information on
civilian nuclear sites, locations, facilities, and activities in the
United States. At the request of the Speaker of the House, this report
determines (1) which U.S. agencies were responsible for the public
release of this information and why the disclosure occurred, and (2)
what impact, if any, the release of the information has had on U.S.
national security. In performing this work, GAO analyzed policies,
procedures, and guidance for safeguarding sensitive information and met
with officials from four executive branch agencies involved in
preparing the document, the White House, the House of Representatives,
and GPO.
What GAO Found:
While no single U.S. government agency or office was entirely
responsible for the public disclosure of the draft declaration, all of
the agencies and offices involved in preparing and publishing the draft
declaration share some responsibility for its release. GAO identified
several points during the life cycle of the draft document where
problems in the process occurred. First, none of the agencies that
prepared the draft declaration”the Departments of Energy (DOE) and
Commerce, and the Nuclear Regulatory Commission (NRC)”took the added
precaution of ensuring that the consolidated draft they helped prepare
had a U.S. security designation on each page of the document. Rather,
the final version of the document, which they all reviewed, was marked
only with the International Atomic Energy Agency‘s (IAEA) designation”’
Highly Confidential Safeguards Sensitive.“ This marking has no legal
significance in the United States. Second, the Department of State,
which prepared the draft declaration for transmittal to the White
House, sent a transmittal letter to the National Security Council
indicating that the contents of the draft declaration should be treated
as Sensitive but Unclassified (SBU). Not all federal agencies use this
particular marking and, therefore, the marking created confusion for
other executive and legislative branch offices that subsequently
received the draft declaration on whether the information could be
published. Third, the National Security Council, which reviewed the
draft declaration on behalf of the White House, did not provide
explicit and clear instructions on how to handle the draft declaration
to the White House Clerk‘s Office. Fourth, the legislative branch
offices which reviewed and then transmitted the document to GPO for
publication”the House of Representatives‘ Parliamentarian and Clerk‘s
Office”determined incorrectly, in GAO‘s view, that the document could
be published. Officials from these congressional offices were not
familiar with the phrase ’Sensitive but Unclassified“ and did not know
how to safeguard that information. Finally, GPO, which proofread and
processed the document for publication, did not raise any concerns
about the document‘s sensitivity. GAO believes it is important to
correct these problems as soon as possible because the United States is
required to submit a declaration to IAEA annually.
The public release of the draft declaration of civilian nuclear sites
and nuclear facilities does not appear to have damaged national
security, according to officials from DOE, NRC, and Commerce.
Commerce, DOE, and NRC did not assess the national security
implications of the draft declaration‘s public release because these
agencies”plus the Department of Defense”had reviewed the list of
civilian nuclear facilities and related activities prior to
transmitting it to the White House and Congress to ensure that
information of direct national security significance was not included.
Information in the draft declaration was limited to civilian nuclear
activities, and most nuclear-related information was publicly available
on agency Web sites or other publicly available documents. However,
according to officials from all of the agencies responsible for
compiling this information, the information consolidated in one
document made it sensitive and, thus, it should never have been posted
to GPO‘s Web site.
What GAO Recommends:
GAO recommends, among other things, that Commerce, DOE, State, and NRC
enter into an interagency agreement concerning the designation,
marking, and handling of sensitive information in future draft
declarations and make any policy or regulatory changes necessary to
reach such an agreement. DOE, State, and GPO agreed, while NRC neither
agreed nor disagreed, with the recommendations. Commerce, White House
Counsel, and the House Offices of the Clerk, Security, and
Parliamentarian did not comment on GAO‘s recommendations.
View [hyperlink, http://www.gao.gov/products/GAO-10-251] or key
components. For more information, contact Gene Aloise at (202) 512-3841
or aloisee@gao.gov.
[End of section]
Contents:
Letter:
Background:
Each of the Federal Agencies and Offices Involved in Preparing and
Publishing the Draft Declaration Shares Some Responsibility for Its
Release to the Public:
Public Release of Draft Declaration Does Not Appear to Have Harmed
National Security, According to DOE, NRC, and Commerce Officials:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Comments from the Department of Energy:
Appendix II: Comments from the Department of State:
Appendix III: Comments from the Government Printing Office:
Appendix IV: Comments from the Nuclear Regulatory Commission:
Appendix V: Comments from the House of Representatives' Sergeant at
Arms:
Appendix VI: GAO Contact and Staff Acknowledgments:
Figures:
Figure 1: Key Dates in the U.S. Implementation of the Additional
Protocol:
Figure 2: Chronology of Key Events and Involvement of U.S. Government
Agencies and Offices That Contributed to the Inadvertent Public Release
of the Draft Declaration:
Abbreviations:
APRS: U.S. Additional Protocol Reporting System:
CUI: Controlled Unclassified Information:
DOE: Department of Energy:
FOIA: Freedom of Information Act:
GPO: Government Printing Office:
IAEA: International Atomic Energy Agency:
NPT: Treaty on the Non-Proliferation of Nuclear Weapons:
NRC: Nuclear Regulatory Commission:
OUO: Official Use Only:
SBU: Sensitive but Unclassified:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
December 15, 2009:
The Honorable Nancy Pelosi:
Speaker of the House:
House of Representatives:
Dear Madam Speaker:
On May 7, 2009, the Government Printing Office (GPO) published a 266-
page document on its Web site that provided detailed information on
civilian nuclear sites, locations, facilities, and activities in the
United States.[Footnote 1] The document described, among other things,
nuclear activities at Department of Energy (DOE) facilities such as Los
Alamos, Lawrence Livermore, and Oak Ridge National Laboratories.
[Footnote 2] The document also included 14 diagrams of buildings or
facilities, 2 of which were marked Official Use Only (OUO). For
example, the document provided the building and vault numbers where
highly enriched uranium is stored at the Y-12 nuclear production
facility near Oak Ridge National Laboratory, as well as a diagram
showing the layout of the part of the building where the material is
stored.[Footnote 3] According to DOE officials, this information was
sensitive because it identified the specific building and vault number,
but no classified information was revealed because the diagram does not
show a map of the entire Y-12 facility and information about the
storage area at Y-12 was already publicly available.
The document was a draft of a declaration being prepared pursuant to an
agreement known as the Additional Protocol with IAEA.[Footnote 4] The
declaration supplements information provided pursuant to the U.S.
Safeguards Agreement with IAEA by providing IAEA with a broader range
of information on U.S. nuclear and nuclear-related activities.
Safeguards allow IAEA to independently verify that quantities of
nuclear material declared to the agency have not been diverted for
nuclear weapons uses. The Additional Protocol allows IAEA to, among
other things, access locations containing nuclear material declared by
a country. Within the United States, the Additional Protocol allows
IAEA to access a selected number of facilities and locations containing
nuclear material.
This was the first time the United States had prepared and submitted a
declaration to IAEA, and the United States will now be required to
submit a declaration to IAEA every year.[Footnote 5] Sixty days before
sending the declaration to IAEA, the President is required to send the
draft declaration to Congress. Congress had received the first draft
declaration on May 5, 2009. On June 1, 2009, the Federation of American
Scientists, a nonprofit group that reports on scientific and
technological security issues, discovered the draft declaration on
GPO's Web site and posted it on the Federation's Web site. On June 2,
2009, multiple media outlets began reporting that the U.S. government
had "accidentally" and "mistakenly" posted a list of nuclear sites and
a description of their nuclear activities on GPO's Web site. For
example, The New York Times reported that a security official found the
disclosure of the draft declaration "a one-stop shop for information on
U.S. nuclear programs." In response to media inquiries, GPO temporarily
removed the document from its Web site, and after consulting with the
Clerk of the House of Representatives, permanently did so.
In addition to posting the draft report on its Web site, GPO printed
over 900 copies of the document and shipped about 240 copies to
Congress and some federal agencies. GPO recalled these copies and, as
of December 2, 2009, around 670 copies were secured in a safe in its
security office. However, it is possible that copies were downloaded
from various Web sites. The location of any such downloaded copies is
unknown and cannot be accounted for. As of October 2009, copies of the
document could still be found on a number of Web sites. We brought this
matter to the attention of State officials and provided them with
internet addresses for two such sites in late October 2009. A State
official subsequently informed us that the department was able to get
at least one Web site to remove the information.
The disclosure of sensitive information on U.S. nuclear facilities and
activities raises concerns about procedures to properly handle and
safeguard such sensitive information. In this context, you asked us to
determine (1) which U.S. agencies were responsible for the public
release of this information and why the disclosure occurred, and (2)
what impact, if any, the release of the information has had on U.S.
national security.
To determine which U.S. agencies were responsible for the disclosure
and why the disclosure occurred, we analyzed the policies, procedures,
and guidance for safeguarding sensitive information from the
departments of Energy and State; the Nuclear Regulatory Commission
(NRC); the House of Representatives Clerk's Office; and GPO. We also
reviewed transmittal sheets prepared by DOE, State, the House of
Representatives' Clerk's Office, and GPO to determine how the document
was marked for security purposes as it was distributed and prepared for
publication. In addition, to determine how each of these agencies and
offices safeguarded and transmitted the document, we interviewed
officials from DOE; Commerce; State; NRC; GPO (including the Inspector
General's office); and the Clerk's Office, Security Office, and the
Office of the Parliamentarian in the House of Representatives. In
addition, we asked to meet with the officials from the White House
National Security Council and Executive Clerk's Office who had handled
and transmitted the draft declaration to Congress so that we could
obtain information directly from the individuals responsible for
reviewing and handling the document. The White House declined to make
these individuals available to us; instead, attorneys from the White
House Counsel's office met with those individuals and then conveyed
information to us. To determine what impact the release of the
information has had on U.S. national security interests, we reviewed
the draft declaration to identify potentially sensitive nuclear sites
and activities and then interviewed officials from DOE, Commerce,
State, and NRC to determine whether any information of direct national
security significance was compromised and whether these departments
took any actions to enhance security at the declared sites, locations,
and facilities.
We conducted our work between June 2009 and November 2009 in accordance
with generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
Background:
Under its Safeguards Agreement with IAEA, the United States submitted a
list of civilian nuclear facilities--primarily civilian nuclear power
reactors. The Additional Protocol,[Footnote 6] a separate agreement
between the United States and IAEA, supplements the United States'
Safeguards Agreement with IAEA.[Footnote 7] Under the Additional
Protocol, the United States must provide IAEA with a broader range of
civilian nuclear and nuclear-related information than that required
under the Safeguards Agreement, such as the manufacturing of key
nuclear-related equipment; research and development activities related
to the nuclear fuel cycle; the use and contents of buildings on a
nuclear site; and exports of IAEA-specified, sensitive nuclear-related
equipment. The United States must also provide IAEA with access,
through on-site inspections, to resolve questions relating to the
accuracy and completeness of the information. As a nuclear weapon state
party to the Treaty on the Non-Proliferation of Nuclear Weapons, the
United States is not obligated by the Treaty to accept IAEA safeguards
or to implement an Additional Protocol. However, according to U.S.
officials, voluntarily adopting the Additional Protocol underscores U.S
support for IAEA's strengthened safeguards system and makes efforts to
encourage more countries to adopt the Additional Protocol more
effective and credible.
In its act implementing the Additional Protocol, Congress prohibited
the inclusion of certain information: any classified information; any
information that would be deemed restricted data under the Atomic
Energy Act; and any information of direct national security
significance regarding any location, site, or facility associated with
activities of the Department of Defense or DOE. The act also provided
that information collected for the purposes of the Additional Protocol
would be exempt from disclosure under 5 U.S.C. § 552, which is the
Freedom of Information Act. Figure 1 shows a timeline of the U.S.
implementation of the Additional Protocol.
Figure 1: Key Dates in the U.S. Implementation of the Additional
Protocol:
[Refer to PDF for image: timeline]
June 12, 1998:
The United States signed the Additional Protocol.
May 9, 2002:
The President sent the Additional Protocol to the Senate for its advice
and consent for ratification.
March 31, 2004:
The Senate provided its advice and consent for ratification.
December 16, 2006:
Congress passed the U.S. Additional Protocol Implementation Act, which
required the President to submit the draft declaration to Congress 60
days prior to submitting the declaration to IAEA.
February 4, 2008:
President Bush signed an Executive Order to implement the Additional
Protocol and authorized Commerce, DOE, State, and NRC to collect
information about nuclear sites and facilities that would be provided
to IAEA.
May 3, 2009:
The draft declaration was submitted to Congress for a 60-day review.
July 3, 2009:
The United States sent IAEA the final declaration.
Source: GAO.
[End of figure]
The U.S. government classifies information that it determines could
damage the national security of the United States if disclosed
publicly.[Footnote 8] Beginning in 1940, classified national defense
and foreign relations information has been created, handled, and
safeguarded in accordance with a series of executive orders. Executive
Order 12958, Classified National Security Information, as amended, is
the most recent. It demarcates different security classification
levels, the unauthorized disclosure of which could reasonably be
expected to cause exceptionally grave damage (Top Secret), serious
damage (Secret), or damage (Confidential).
Federal agencies also place dissemination restrictions on certain
unclassified information. Federal agencies use many different
designations to identify this type of information. For example, DOE
uses the designation OUO, while State uses SBU. According to a May 2009
presidential memorandum, there are more than 107 unique markings and
over 130 different labeling or handling processes and procedures for
documents that are unclassified, but are considered sensitive. For
example, according to DOE officials, although OUO information is less
sensitive than classified information, OUO information may be shared
with people lacking security clearances provided that officials
determine they have a "need to know." These restrictions are used to
indicate that the information, if disseminated to the public or persons
who do not need such information to perform their jobs, may cause
foreseeable harm to protected governmental, commercial, or privacy
interests. Such information includes, for example, sensitive personnel
information, such as Social Security numbers and the floor plans for
some federal buildings. It may also include information exempted from
disclosure under the Freedom of Information Act.
Each of the Federal Agencies and Offices Involved in Preparing and
Publishing the Draft Declaration Shares Some Responsibility for Its
Release to the Public:
While no single U.S. government agency or office was entirely
responsible for the public disclosure of the draft declaration, all of
the agencies and offices involved in preparing and publishing the draft
declaration share some responsibility for its public release. We
identified several points during the life cycle of the draft document
where problems occurred. Specifically, we found that opportunities to
improve the secure handling of the document were missed because of the
absence of clear interagency guidance, different procedures across the
agencies governing the handling and marking of sensitive documents,
poor decision making, and a lack of training and adequate security
awareness. These missed opportunities occurred between February 2008
and May 2009. Several U.S. government agencies played key roles in
preparing and making important decisions regarding the publication of
the draft declaration: DOE, Commerce, State, NRC, the White House (the
National Security Council and Executive Clerk's Office), the U.S. House
of Representatives (Office of the Parliamentarian, Office of Security,
and the Clerk's Office), and GPO. Figure 2 is a two-page summary of key
dates and events that occurred during the life cycle of the draft
declaration, leading up to its inadvertent public release on May 7,
2009.
Figure 2: Chronology of Key Events and Involvement of U.S. Government
Agencies and Offices That Contributed to the Inadvertent Public Release
of the Draft Declaration:
[Refer to PDF for image: illustration]
Agencies responsible for preparing the draft declaration:
Department of Energy: Nuclear Regulatory Commission;
Security markings of draft declaration and accompanying documents:
OUO: List of nuclear sites and activities;
DOE and NRC provided nuclear-related information to Commerce on January
15, 2009, and March 18, 2009, respectively. DOE and NRC marked their
contributions as OUO.
Department of Commerce:
Security markings of draft declaration and accompanying documents:
OUO:
Commerce consolidated all nuclear-related information into a draft
declaration. Transmittal letter and compact disc from Commerce to State
identified information in draft declaration as OUO (Highly Confidential
Safeguards Sensitive: Draft declaration[A]).
April 17, 2009: OUO: Transmittal letter to State.
Department of State:
Security markings of draft declaration and accompanying documents:
SBU:
State prepared a transmittal letter for the White House‘s National
Security Council identifying the information in the draft declaration
as ’Sensitive but Unclassified.“
SBU:
State drafted a one-page presidential message with language in the body
that explained the contents of the draft declaration were considered
’Highly Confidential Safeguards Sensitive,“ but the U.S. would regard
the information as ’Sensitive but Unclassified.“
Highly Confidential Safeguards Sensitive: Draft declaration[A].
April 30, 2009: SBU: Transmittal letter to National Security Council.
White House: National Security Council;
Security markings of draft declaration and accompanying documents:
The National Security Council did not provide explicit and clear
instructions to the White House Clerk‘s Office on how to handle
information in the draft declaration.
SBU: One-page presidential message;
Highly Confidential Safeguards Sensitive: Draft declaration[A].
White House: Clerk's Office;
Security markings of draft declaration and accompanying documents:
The Clerk‘s Office did not provide explicit and clear instructions to
the House of Representatives on how to handle information in the draft
declaration. On May 5, 2009, the Clerk‘s Office sent the one-page
presidential message and draft declaration to Congress.
SBU: One-page presidential message;
Highly Confidential Safeguards Sensitive: Draft declaration[A].
House of Representatives: Parliamentarian;
Security markings of draft declaration and accompanying documents:
The Parliamentarian read the one-page presidential message and believed
the draft declaration could be published because it was unclassified.
He sent the documents to the Clerk‘s Office to process them for
publication by GPO.
SBU: One-page presidential message;
Highly Confidential Safeguards Sensitive: Draft declaration[A].
House of Representatives: Clerk‘s Office;
Executive Communications Clerk asks the Director of the Office of
Security, the Journal Clerk in Legislative Operations Office, the White
House Clerk‘s Office and the IAEA whether the draft declaration can be
printed. Based on their advice, she decides the document can be printed.
Security markings of draft declaration and accompanying documents:
The Clerk‘s Office read the documents and ordered GPO to print them.
May 6, 2009: Transmittal letter to GPO.
SBU: One-page presidential message;
Highly Confidential Safeguards Sensitive: Draft declaration[A].
Government Printing Office:
Security markings of draft declaration and accompanying documents:
May 7, 2009: Draft declaration posted on GPO‘s Web site.
SBU: One-page presidential message;
Highly Confidential Safeguards Sensitive: Draft declaration[A].
Source: GAO.
[A] The only marking on the draft declaration was IAEA's designation on
the top of the document--"Highly Confidential Safeguards Sensitive"--
which has no legal significance in the United States.
[End of figure]
DOE, NRC, and Commerce Began Collecting Information on Civilian Nuclear
Sites to Be Included in the Draft Declaration in Early 2008:
After the President signed an executive order in February 2008 to
implement the Additional Protocol, DOE, Commerce, and NRC began
collecting information on nuclear sites, facilities, and activities to
be included in the draft declaration. DOE collected information from
national laboratories and nuclear weapons production facilities. NRC,
which regulates the civilian use of nuclear materials, collected
information from NRC-licensed nuclear facilities, including four
civilian nuclear power plants previously selected by IAEA for the
application of safeguards.[Footnote 9] DOE and NRC provided nuclear-
related information to Commerce on January 15, 2009, and March 18,
2009, respectively. Commerce collected information from private nuclear-
related industries not regulated by DOE or NRC, such as the location,
operational status, and production capacity of conventional uranium
mines. Commerce then consolidated all nuclear-related information from
its offices, as well as from DOE and NRC, into a draft U.S. declaration
for final interagency approval and transmittal to State. The process
for collecting and consolidating this information from the three
agencies took several months.
Commerce, in consolidating and formatting the information in the draft
declaration, did not mark the document with an official U.S. government
security marking. The only marking on the draft declaration was IAEA's
designation on the top of the document--"Highly Confidential Safeguards
Sensitive"--which has no legal significance in the United States. To
consolidate and properly format the information, Commerce established
and managed a central database, known as the U.S. Additional Protocol
Reporting System (APRS). IAEA provided a software program for this
database that standardizes the information sent to IAEA by each member
state and helps IAEA assess the completeness of the information. Before
transmitting data to Commerce or adding data to the APRS, each agency
reviewed the information it collected for accuracy, data consistency,
and national security concerns. Each agency also reviewed the
information to ensure that no classified information was being
disclosed. The agencies had agreed that the information in the U.S.
declaration would not be classified, as required by the U.S. Additional
Protocol Implementation Act; that an unclassified database could be
used to process the information; and that the data were sensitive and
would be restricted to authorized personnel only.
When Commerce and NRC added information to APRS, IAEA-supplied software
automatically marked the top of each page of the draft declaration as
"Highly Confidential Safeguards Sensitive." IAEA uses this designation
to ensure the document's appropriate handling and control. According to
IAEA officials, Highly Confidential Safeguards Sensitive information is
the agency's highest classification level. This type of information, if
released, could cause grave damage to IAEA interests. When IAEA
receives a document from a country with this classification, it cannot
publicly disclose the information in the document because, in some
instances, its release could disclose confidential business
information, create potential security issues, or identify reporting
discrepancies between countries. Distribution of this information is
limited and released on a need-to-know basis. Since this IAEA marking
has no legal significance in the United States, DOE, Commerce, and NRC
treated the information as OUO. These agencies use OUO markings to
provide a warning that information in a document is sensitive and is
generally only to be released to those with a need to know, regardless
of their security clearance.
DOE, NRC, and Commerce took steps to safeguard the information that
each contributed to the draft declaration. Specifically, before DOE and
NRC submitted data to Commerce in January and March 2009, respectively:
* DOE marked the top and bottom of each page it submitted to Commerce
with nuclear information from the national laboratories and production
facilities as OUO and added a statement that the information may be
exempt from public release under the Freedom of Information Act.
* NRC officials hand carried a compact disc containing its nuclear-
related information to Commerce, rather than electronically sending the
information.
Commerce officials also safeguarded the information by password
protecting APRS and sending State the draft declaration through secure
e-mail that included a transmittal letter explaining that the contents
were considered OUO. In addition, they hand carried a compact disc to
State that was marked with "For Official Use Only/Not For Public
Release/IAEA Highly Confidential Safeguards Protected" hand written on
the disc.
Although each agency designated the information it contributed as OUO,
the document--which was produced from each agency's contributions--did
not have any U.S. government security markings. The agencies reviewed
the draft declaration multiple times, but no agency marked the pages
containing information it had contributed to the full draft declaration
as OUO. Once all the information was consolidated, the 266-page
document was not marked OUO or any other security designation
recognized in the United States that would have clearly indicated that
the data were sensitive, restricted to authorized personnel only, and
not releasable to the public. The only OUO markings were next to site
diagrams of two DOE facilities found on two different pages of the
draft declaration.
According to Commerce officials, while the IAEA software template
automatically adds the IAEA designation, it does not add a U.S.
security designation to the top and bottom of each page and does not
allow Commerce to modify the IAEA designation or add U.S. security
markings. They stated that the only way to mark the draft document as
OUO would have been to print out each page, stamp the U.S. designation
by hand, and then scan the document back in as a new electronic file.
Furthermore, according to DOE officials, the agencies wanted to submit
a draft declaration to Congress that was identical to the final
declaration submitted to IAEA. Providing Congress with a draft
declaration that had both the IAEA and U.S. security markings would not
have been an exact representation of the declaration sent to IAEA.
However, there were no requirements in the U.S. Additional Protocol
Implementation Act binding U.S. agencies to submit a declaration free
of any additional U.S. security markings.
Even after Commerce circulated the draft declaration to DOE, NRC, and
the Department of Defense for a final interagency review in late March
2009 to ensure no information of national security significance was
included in the draft before submission to State, agency officials did
not raise any concerns about the draft declaration's lack of a U.S.
security designation. According to DOE, Commerce, and NRC officials,
they assumed that the draft declaration would never be publicly
released and that, once delivered to IAEA, it would be properly
safeguarded. As a result, they saw no need to add an additional U.S.
government security marking.
In Mid-April 2009, Commerce Sent the Draft Declaration to State for
Transmittal to the White House:
Commerce sent the consolidated draft declaration to State on April 17,
2009. State prepared the draft declaration for transmittal to the White
House. In completing the draft declaration for transmittal, State
prepared a letter to the National Security Council asking it to treat
the contents of the draft declaration as SBU. Unlike DOE, Commerce, and
NRC, State does not use the OUO designation, but rather the SBU
designation. State's guidance governing the use and handling of SBU
documents is similar to that of the other agencies for handling OUO.
[Footnote 10] State also prepared a draft message from the President to
Congress that would accompany the draft declaration. In describing the
purpose and contents of the document and the classification level of
the information, State wrote in the draft presidential message, "the
IAEA classification of the enclosed declaration is 'Highly Confidential
Safeguards Sensitive'; however, the United States regards this
information as 'Sensitive but Unclassified'." The two-page transmittal
letter described the contents of the draft declaration and the top and
bottom was clearly marked SBU, accompanied by a footnote explaining
that the draft declaration was exempt from disclosure under the Freedom
of Information Act.
State completed its review of the draft declaration and accompanying
transmittal documentation in mid-April 2009 and sent the "package" to
the Executive Secretary of the National Security Council on April 30,
2009.
The White House's National Security Council and Executive Clerk's
Office Did Not Provide Explicit and Clear Instructions on How to
Safeguard the Draft Declaration When It Sent the Document to Congress:
In early May 2009, the National Security Council completed its review
of the draft declaration and presidential message and provided the
documents to the Executive Clerk of the White House for transmission to
Congress. The National Security Council, which reviewed these documents
on behalf of the White House, did not add explicit and clear
instructions in the presidential message on how to handle the draft
declaration, such as whether or not it should be published, when it
sent the documents to the White House Clerk's Office, which transmitted
the documents to Congress. The National Security Council also did not
include a transmittal letter, as other executive branch agencies had,
with instructions on how to handle the draft declaration. Attorneys
from the Office of the White House Counsel provided two reasons why the
National Security Council did not feel it was necessary to take these
additional measures to protect the document from disclosure. First,
counsel stated that they did not think Congress would publish the
report and the National Security Council and the Executive Clerk's
Office followed their standard practice for transmitting unclassified
documents, which does not involve using a transmittal letter or
modifying text in the presidential message.[Footnote 11] However,
attorneys from the Office of the White House Counsel did not provide us
with any written guidance on how these offices usually handle documents
that are unclassified, but are considered sensitive, such as those
marked SBU, and should not be publicly released. In addition, attorneys
from the Office of the White House Counsel told us that the Executive
Clerk's Office does not have written guidance on how it transmits
documents to Congress. Second, counsel pointed out that the draft
declaration was an unusual and unique document because it was the first
time that the United States had prepared a draft declaration and
submitted it to Congress.
After reviewing the draft declaration and presidential message it
received from State, the National Security Council sent the White House
Clerk's Office a final draft of the presidential message and the 266-
page draft declaration. The last two paragraphs of the presidential
message stated:
"The IAEA classification of the enclosed declaration is 'Highly
Confidential Safeguards Sensitive;' however, the United States regards
this information as 'Sensitive but Unclassified.' Nonetheless, under
Public Law 109-401, information reported to, or otherwise acquired by,
the United States Government under this title or under the U.S.-IAEA
Additional Protocol shall be exempt from disclosure under section 552
of title 5, United States Code."
The language in the presidential message prepared by State and used by
the National Security Council did not clearly and explicitly state that
the information was not to be published, and the additional legal
citations did not clarify how to handle the document.[Footnote 12]
According to attorneys from the Office of the White House Counsel, the
White House clerks who transmitted the document to Congress read the
presidential message and noticed its reference to the draft declaration
as SBU. However, while the White House clerks have security clearances
and have received training on how to handle unclassified, sensitive,
and classified documents, they do not normally see SBU documents and
did not have the authority or responsibility to determine whether
Congress could print the document. Attorneys from the Office of the
White House Counsel told us the draft declaration was an unusual and
unique document because of the IAEA classification markings and the
reference to the information as SBU.
The White House clerks transmit only unclassified documents. The
National Security Council does not transmit documents that cannot be
printed, such as classified documents, to the White House clerks.
Instead, the National Security Council transmits those documents
directly to congressional committee staff with the appropriate
clearances. Because the clerks received the draft declaration from the
National Security Council, the clerks transmitted the presidential
message and the draft declaration to Congress just as they had received
it from the National Security Council--without a transmittal sheet or
SBU markings on the top or bottom of any page.
Congressional Offices That Reviewed and Transmitted the Draft
Declaration Determined Incorrectly That the Document Could be Published:
Congressional offices that reviewed and then transmitted the draft
declaration to GPO for publication--the House of Representatives'
Office of the Parliamentarian and Clerk's Office--determined,
incorrectly in our view, that the document could be published. The
draft declaration passed through several congressional offices. First,
on May 5, 2009, the Executive Clerk of the White House formally
delivered the presidential message and draft declaration while the
House was in session. The Parliamentarian read the presidential message
and decided the message should be referred to the House Committee on
Foreign Affairs and ordered it printed as a House of Representatives
document. The Parliamentarian told us that while he received security
training on classification issues, he did not recall ever seeing a
presidential message that just mentioned the SBU designation and did
not know how that type of information should be safeguarded. The
Parliamentarian believed that the draft declaration could be published
because it was unclassified. According to the Parliamentarian,
sensitive and classified messages and documents are usually not
delivered to the floor of the House, but rather are transmitted by
secure courier and referred directly to the appropriate committee for
handling and storage. In addition, while the Parliamentarian read the
presidential message--the one-page message from the President to
Congress that described the purpose and contents of the draft
declaration--he did not read the draft declaration, which listed U.S.
civilian nuclear sites and activities. Staff in the Office of the
Parliamentarian do not routinely read enclosures accompanying a
presidential message, according to the House Parliamentarian.
Second, the Office of the Parliamentarian gave the document to the
House of Representatives' Clerk's Office to process it for referral to
the House Committee on Foreign Affairs and prepare it for transmission
to and publication by GPO. After reading the President's message and
seeing the IAEA markings on the draft declaration, the Executive
Communications Clerk, who works in the Clerk's Office, told us she was
confused about the classification level of the document and whether it
could be published. As a result, the Clerk locked the document in a
safe while she sought clarification and guidance from the following
sources before sending the draft declaration to GPO for publication:
* The Journal Clerk in the House of Representatives' Legislative
Operations Office. On May 5, 2009, this clerk had received the
documents from the Office of the Parliamentarian and stamped the
documents acknowledging receipt from the White House before providing
the documents to the Executive Communications Clerk. According to the
Executive Communications Clerk, the Journal Clerk told her she could
print the document because it was unclassified.
* The House of Representatives' Security Office. The Security Office
Director reviewed the document on May 5, 2009, but did not take custody
of it or make inquiries on its proper handling and safeguarding.
Instead, the Security Office Director told the Executive Communications
Clerk to obtain clarification from IAEA--incorrectly assuming that IAEA
was the classifier of the document--and the White House Clerk's Office.
The Security Office stated that it was not required to take custody of
the document and the Executive Communications Clerk did not request
that the Security Office store the document or help her in contacting
the agencies and offices that transmitted the document. However, the
Security Office did not raise concerns with the House Clerk's Office
about publicly releasing 266 pages of information on U.S. nuclear sites
and activities and, in our view, missed an opportunity to be more
directly involved in ensuring that the document was not publicly
released without explicit authorization from the agencies that
designated the information as SBU.
* An IAEA official located in New York. According to the Executive
Communications Clerk, this official told her on May 5, 2009, that IAEA
member states have discretion on how to treat information provided to
IAEA and publication of the declaration is a decision left to each
member state. In July 2009, we interviewed IAEA officials in the
Department of Safeguards in Vienna, Austria. This department is
responsible for reviewing all Additional Protocol agreements between
the agency and member states. These officials told us that the
Executive Communications Clerk received correct information from IAEA's
New York office, but the appropriate inquiry should have been directed
to their office in Vienna.
* The White House Clerk's Office. The White House Clerk's Office and
the Executive Communications Clerk disagreed in their recollections of
the advice the White House clerk provided to the House of
Representatives. According to attorneys from the Office of the White
House Counsel, the White House Clerk's office told the Executive
Communications Clerk that the document was unclassified but did not
make a legal judgment or provide any advice on whether the document
should be printed. However, according to the Executive Communications
Clerk, the White House Clerk's office referred her to the penultimate
paragraph in the presidential message stating that the United States
regards the information as SBU as justification for printing the
document. According to the Executive Communications Clerk, the White
House Clerk's justification for going forward with the printing was
that the document was unclassified.
On the basis of advice from these various offices, on May 6, 2009, the
Executive Communications Clerk ordered GPO to print the presidential
message and the draft declaration.
GPO Did Not Raise Concerns about Publishing the Draft Declaration:
GPO, which edited and processed the document for publication, did not
raise any concerns about the document's sensitivity. On May 6, 2009,
GPO received a request from the House of Representatives' Executive
Communications Clerk to print the presidential message and draft
declaration by 7:00 a.m. on May 7, 2009. The transmittal page from the
Clerk did not include any special handling instructions and ordered the
documents to be printed. The presidential message, which contained the
language that the contents of the draft declaration should be treated
as SBU, was typeset and proofread twice by GPO production employees.
According to an August 2009 GPO Inspector General's report, GPO
production employees are not required to read and proof for meaning,
but merely to check for proper characters and format.[Footnote 13] The
266-page draft declaration was digitally scanned, rather than typed and
proofread. While "Highly Confidential Safeguards Sensitive" was marked
on nearly every page of the draft declaration, the GPO Inspector
General found that no GPO employees raised any concerns during the
processing of the document. According to the GPO Inspector General's
report, GPO employees who reviewed the scanned copy looked for page
numbers and format, without proofreading or reviewing the document text
or markings.
GPO officials told us that GPO rarely prints sensitive or classified
documents. They told us that GPO relies on its customers to identify
sensitive documents and notify it of special instructions, given the
high volume of print requests. However, the August 2009 GPO Inspector
General's report found that GPO does not have procedures for
identifying potentially sensitive documents and safeguarding them. In
addition, most employees had not received education or training for
recognizing or identifying sensitive documents or information.
Although the GPO Inspector General found no wrongdoing on the part of
GPO or its employees, it made several recommendations to improve GPO's
process for handling sensitive information and preventing the
inadvertent disclosure of such information in the future. These
recommendations included:
* establishing a protocol with customer agencies on clearly identifying
sensitive information that may be published and developing written
procedures for handling such information;
* establishing written procedures for verifying any requests for
publishing documents that are clearly identified or marked as being of
a sensitive or otherwise restricted nature;
* updating GPO guidance to define "sensitive information" and how to
specifically recognize, mark, and safeguard such information; and:
* developing and conducting ongoing training of GPO employees on how to
recognize, handle, and safeguard sensitive information and documents.
During the course of our review, officials from several of the federal
agencies and offices told us that it would be helpful if there was a
standardized marking system for documents that are sensitive but are
unclassified. In fact, the term sensitive but unclassified was very
confusing for several officials who handled the draft declaration. To
help clarify, a May 2008 presidential memorandum had adopted the phrase
"Controlled Unclassified Information" (CUI) as a single designation for
all information previously labeled SBU or with another similar marking.
This memorandum also charged the National Archives and Records
Administration with implementing a framework for CUI terrorism-related
information, which is not expected to be in place until 2013. Despite
these efforts, a May 27, 2009, presidential memorandum found that there
is still no uniformity across federal agencies on rules to implement
safeguards for information that is deemed SBU. The memorandum noted
that agencies use SBU as a designation for federal government documents
and information that are sufficiently sensitive to warrant some level
of protection, but that do not meet the standards for national security
classification. With each agency implementing its own protections for
categorizing and handling SBU material, the memorandum stated that
there are more than 107 unique markings and over 130 different labeling
or handling processes and procedures for SBU information. The 2009
memorandum directed the creation of a Task Force to review agencies'
current procedures for categorizing and sharing SBU information, to
track the progress federal agencies are making to implement the
framework for CUI terrorism-related information, and to recommend
whether the CUI framework should be extended to apply to all SBU
information.
Public Release of Draft Declaration Does Not Appear to Have Harmed
National Security, According to DOE, NRC, and Commerce Officials:
The inadvertent public release of the draft declaration of civilian
nuclear sites and nuclear facilities does not appear to have damaged
national security, according to officials from DOE, NRC, and Commerce.
Information in the draft declaration was limited to civilian nuclear
activities, and most nuclear-related information was publicly available
on agency Web sites or in other published documents, according to
officials from the three agencies. However, officials from all of the
agencies that compiled this information told us the information--all of
which was considered unclassified--was sensitive because it was
consolidated into one document and should never have been posted to
GPO's Web site. Commerce, DOE, and NRC did not formally assess the
impact of the public release of the information on U.S. national
security. According to DOE, NRC, and Commerce officials, it was not
necessary to do so because the agencies reviewed the list of civilian
nuclear facilities and related activities on multiple occasions to
ensure that no information of direct national security significance was
included and that no classified information was contained in the
declaration prior to transmitting it to the White House and Congress.
Consolidated List of Civilian Nuclear Facilities and Activities
Contained in the Draft Declaration Is Considered Sensitive and Was
Never Meant to be Made Public:
According to U.S. government officials, the draft declaration in
totality represents a consolidated list of hundreds of U.S. civilian
nuclear facilities and activities that never should have been publicly
released. These officials asserted that it could be potentially
problematic if such a consolidated list of facilities and activities
found its way into the hands of individuals who had malicious or
malevolent intentions. For example, agency officials told us, in
several instances, the draft declaration contained maps showing
detailed diagrams of civilian reactor facilities or buildings storing
nuclear materials at national laboratories.
The draft declaration included 14 diagrams of buildings or facilities,
2 of which were marked OUO. For example, the declaration provided the
building and vault numbers where highly enriched uranium is stored at
the Y-12 nuclear production facility, as well as a diagram showing the
layout of the part of the building where the material is stored.
According to DOE officials, this information was sensitive because it
identified the specific building and vault number, but no classified
information was revealed because the diagram does not show a map of the
entire Y-12 facility and the specific location of a vault at the Y-12
complex. Of the other 12 diagrams, 1 was of a plutonium oxide storage
area at DOE's Savannah River site and 11 were of civilian nuclear
facilities. The pages containing these diagrams did not have any
markings: Highly Confidential Safeguards Sensitive, OUO, or any other
U.S. designation.
The 11 diagrams of civilian nuclear facilities accompanied information
on 8 NRC licensed commercial sites--4 reactors and 4 fuel fabrication
facilities. For example, the draft declaration included a site map of
the Turkey Point reactor in Florida and a diagram identifying the
building where spent fuel is stored. According to NRC officials, the
information and diagrams related to the facilities in the draft
declaration are not classified because they do not specify the
quantities and types of nuclear materials held at these facilities.
However, the information is sensitive because it includes commercially
sensitive data, such as the actual annual production, rather than the
more general and publicly available information on how much material
the facility is licensed to produce.
According to DOE and State officials, the release of the information
could be problematic for the United States because other countries
could scrutinize the completeness and accuracy of the information and
potentially pressure IAEA to do more rigorous inspections of the
facilities listed. Inspections of nuclear facilities with nuclear
materials and nuclear-related activities are the cornerstone of IAEA's
data collection efforts and provide the ability to independently verify
information in countries' Additional Protocol declarations. Potential
pressure to conduct more comprehensive inspections of U.S. facilities
could divert time and resources from more rigorous inspections in
countries and facilities of proliferation concern, such as Iran or
Syria.
Agencies Did Not Assess National Security Implications of Disclosure of
Draft Declaration:
Commerce, DOE, State, and NRC did not undertake any assessments after
the draft declaration was released to determine its impact on U.S.
national security. According to officials from these agencies, no such
assessment was necessary because all of the agencies involved in the
development of the draft declaration (as well as the Department of
Defense) had fully reviewed the consolidated list of civilian nuclear
facilities and related activities on multiple occasions to ensure that
no information of direct national security significance was included
and that no classified information was contained in the declaration
prior to transmitting it to the White House and Congress.
DOE, which provided most of the information in the draft declaration,
had three separate levels of security review and approvals for the
information it submitted for the document. First, the national
laboratories' counterintelligence, export controls, and security
offices reviewed the information submitted for the declaration. Second,
the national laboratories' site managers reviewed the information, and
each site manager certified to DOE that the national laboratory had
completed vulnerability assessments on the national security impact of
releasing the information to IAEA and that the facilities were ready
for IAEA inspections. Finally, program managers and security officers
at DOE headquarters reviewed the contents. According to DOE officials,
at all levels of review, officials from the national laboratories and
DOE concluded that no information detrimental to national security was
included in the document. NRC and Commerce reported information about
facilities' activities and locations that was mostly, if not all,
publicly available. State obtained additional confirmation from DOE,
Commerce, NRC, and the Department of Defense that the draft declaration
contained no classified or national security information before sending
it to the White House.
According to agency officials, there was no requirement to conduct a
formal assessment of any possible security concerns arising from the
declaration's publication because classified information was not
released. A formal assessment is required only if there is a release of
information that could harm U.S. national security. DOE and NRC did
seek assurances after the release of the draft declaration from
officials at the national laboratories and civilian nuclear facilities
that physical security at those locations was sufficient. DOE asked the
national laboratories to review their security procedures and ensure
that the facilities were secure. Based on these assessments, DOE
officials told us they did not increase security at any site. NRC
contacted every NRC licensee and agreement states with licensees
included in the draft declaration to notify them of the disclosure of
information[Footnote 14]. Agreement states notified their affected
licensees. NRC and agreement states' licensees reviewed their security
procedures to make sure there were no vulnerabilities. According to
NRC, the only NRC facility to express concern was Turkey Point in
Florida because of its spent fuel pool. NRC officials told us that the
location of this facility was already publicly disclosed, and satellite
images show the building that houses the spent fuel pool. Turkey Point
operators reviewed their security procedures and determined the
procedures they had in place were sufficient, even with the release of
the draft declaration.
Conclusions:
The draft declaration listing civilian nuclear sites and activities
under the terms of the Additional Protocol was the first of its kind
prepared by the United States for IAEA and sent to Congress for review.
However, the draft declaration contained sensitive civilian nuclear
information that, when taken in its totality, needed to be properly
handled and safeguarded. Protecting sensitive information from
inadvertent public disclosure is a critical function of all federal
entities that possess, handle, or transmit such information. Since the
United States is required to submit a draft declaration to Congress and
then send the declaration to IAEA every year, there is an opportunity
to address the problems that occurred to ensure that this inadvertent
disclosure does not occur again.
A more systematic, well-coordinated approach by all of the agencies
that handled the draft declaration would have reduced the chances of
publicly releasing sensitive information--particularly if the document
had been clearly identified as not for public release. We found several
critical points where opportunities to improve safeguards over the
document were missed due to: the absence of clear interagency guidance,
different procedures across the agencies governing the handling and
marking of sensitive documents, poor decision making, and the lack of
training and adequate security awareness.
No agency or office that was involved with the production or
transmittal of the draft declaration ensured that the final document
was marked with any U.S. security designation. DOE, NRC, and Commerce
marked the information they submitted for the draft declaration as OUO.
However, none of these agencies took the added precaution of ensuring
that the consolidated draft declaration maintained the OUO designation
on each page of the document once the IAEA marking was placed on the
document. Further contributing to the subsequent confusion over how to
handle the draft declaration was State's use of the SBU marking. Many
officials focused on the unclassified portion of the marking and
determined, incorrectly in our view, that the document could be made
public. We believe that it would have been a simple matter to clearly
state in the presidential message that the draft declaration was not
meant for public dissemination.
Furthermore, the White House failed to take measures to ensure that the
draft declaration was not published. Attorneys from the Office of the
White House Counsel did not provide us with any written guidance on how
the National Security Council and the Executive Clerk's Office usually
handle documents that are unclassified, but are considered sensitive,
such as those marked SBU, that should not be publicly released.
However, counsel did indicate that individuals with the National
Security Council and White House Clerk's office handled the draft
declaration according to White House practices. In our view, these
practices, as best as we understand them, are not sufficient to prevent
similar problems from occurring in the future.
In addition, legislative branch officials did not properly safeguard
the draft declaration and did not properly handle the information. In
particular, we believe that the House of Representatives Security
Office Director should have been more directly involved in resolving
conflicting and confusing information regarding the classification of
the draft declaration. Conversely, the Executive Communications Clerk
is to be commended for taking actions to do everything in her power--at
her level of responsibility--to pursue the right course of action.
Finally, in our view, GPO officials also share responsibility for the
public disclosure of the draft declaration. Although the August 2009
GPO Inspector General's report assigns no wrongdoing to either GPO or
its employees, GPO officials should have had procedures in place to
prevent such a release from occurring. Thus, we agree with the
Inspector General's proposed recommendations and we encourage GPO to
implement them as expeditiously as possible.
Recommendations for Executive Action:
To ensure that corrective actions are taken to prevent the inadvertent
public disclosure of sensitive information in future draft declarations
or other documents prepared for IAEA by multiple U.S. agencies, we are
making the following four recommendations:
* The Secretaries of Commerce, Energy, and State, and the Chairman of
the NRC should enter into an interagency agreement concerning the
designation, marking, and handling of such information, and make any
policy or regulatory changes necessary to reach such an agreement. This
agreement should be revised, as necessary, to take into account future
direction from the President or the Controlled Unclassified Information
Council regarding standardization of the procedures for designating,
marking, and handling documents that are unclassified but are not
intended for public release.
* The Secretary of State should clearly indicate in the text whether
the presidential message and attached documents, if any, should be
printed and made publicly available when preparing presidential
communications to Congress for documents to be presented to IAEA.
* The Executive Office of the President should consider revising any
written guidance and/or practices it has and conduct staff training for
handling and safeguarding sensitive information in future declarations
or other documents between the United States and IAEA before it needs
to issue its next declaration in May 2010.
* GPO's public printer should implement, as expeditiously as possible,
the recommendations from the agency's August 2009 Inspector General
report in order to improve the security culture and reduce the
possibility of future postings of sensitive information to the GPO Web
site.
Agency Comments and Our Evaluation:
We provided a draft of this report to DOE, State, GPO, NRC, Commerce,
Office of the White House Counsel, and the House of Representatives'
Sergeant at Arms and Offices of the Clerk and Parliamentarian for
comment. DOE, State, GPO, NRC and the House of Representatives Sergeant
at Arms provided written comments, which are presented in appendixes I,
II, III, IV and V, respectively. State and the Office of the White
House Counsel provided technical comments which we incorporated as
appropriate. Commerce and the House Offices of the Clerk and
Parliamentarian reviewed, but did not provide comments on our draft
report.
DOE, State, and GPO agreed with our recommendations. NRC neither agreed
nor disagreed with our recommendations, but did provide technical
comments which we incorporated as appropriate. In response to our
recommendation involving an interagency agreement to designate, mark,
and handle sensitive information provided to IAEA on U.S. nuclear sites
and activities, DOE noted that the interagency agreement would
specifically address the marking and handling of future draft
declarations and other documents provided to IAEA under U.S. safeguards
agreements. The interagency agreement will not address broader,
governmentwide standards on how to mark and handle all unclassified,
but sensitive information. These standards will be developed by the
Controlled Unclassified Information Council or other entity designated
by the President. This is consistent with our recommendation. As we
state in our report, the interagency agreement should be a corrective
action to prevent the inadvertent public disclosure of sensitive
information in future draft declarations or other documents prepared
for IAEA by multiple U.S. agencies, rather than addressing broader,
governmentwide standards on how to mark and handle all unclassified but
sensitive information.
The House of Representatives' Sergeant at Arms did not comment on our
recommendations but provided three points of clarification regarding
the Office of Security's role in reviewing and transmitting the draft
declaration. First, the House Sergeant at Arms stated that, contrary to
what we stated in our draft report, the House Security Office made no
determination as to whether the draft document could be published and
did not provide the House Clerk's office with any direction or legal
advice regarding this matter. Second, according to the House Sergeant
at Arms, the House Security Office properly advised the House Clerk's
office to contact IAEA regarding the handling of the draft document.
Third, the House Sergeant at Arms stated that the House Security Office
did not need to take control of the draft document, nor was the
Security Office requested to take control of the document. In addition,
the Security Office does not have the authority to order a House of
Representatives office or entity to store a document with the Security
Office.
Regarding the first point, we believe that given the sensitive nature
of the draft document--and commensurate with its role and
responsibilities--the House Security Office should have, at a minimum,
raised concerns with the House Clerk's Office about publicly releasing
266 pages of information on U.S. nuclear sites and activities and
advised the House Clerk not to print the document without explicit
authorization from the agencies that designated the information SBU.
While we do not dispute the statement that the House Security Office
did not provide any advice or direction regarding the printing of the
document, we believe that it would have been appropriate for this
Office to play a more assertive role because the House Clerk sought
advice and guidance in determining whether the document could be
printed. However, based on these comments, we modified the text of the
report to reflect the claims made by the House Security Office.
Specifically, we removed reference to the Security Office on page 16 to
avoid inferences that the Security Office provided direction or legal
advice to the Clerk's Office that it could print the document.
Regarding the second point, the House Office of Security has
misconstrued what we stated in the draft report. While there was
nothing inherently wrong with the Office of Security suggesting that
the Clerk's Office contact IAEA about the document, IAEA did not
prepare, transmit, or mark the document. As we noted in our report, the
U.S. agencies that prepared the draft declaration placed the IAEA
markings on the document. The presidential message explained that the
draft declaration was prepared by the United States and would be
submitted to IAEA. Because the IAEA markings on the document have no
legal significance in the United States, the presidential message
further explained that information in the document should be treated as
SBU and was exempt from disclosure. IAEA was not the originating agency
for the information. As a result, it continues to be our view that the
Director of the House Office of Security did not provide the correct
advice to the House Clerk on who she should contact to obtain
authorization on releasing SBU information.
Finally, regarding the matter of physical custody of the document, we
do not dispute Security Office's claim that it was not required--nor
did it have the authority--to take control of the document. However, we
believe that it would have been prudent for that office to take
physical control of the document as a precautionary measure until a
determination was made concerning whether or not the document could be
published. The Director of the Office of Security missed opportunities
to prevent the document's release and should have been more directly
involved in resolving conflicting and confusing information regarding
the dissemination of the draft declaration. However, we modified the
text on page 17 to include information about the Security Office's
physical custody requirements and the assistance the House Clerk
requested from the Security Office.
As agreed with your office, unless you publicly announce the contents
of this report earlier, we plan no further distribution of it until
eight days from date of this report. At that time, we will send copies
of this report to the Secretaries of Commerce, Energy, and State; the
Chairman of the Nuclear Regulatory Commission; the House of
Representatives' Parliamentarian, Clerk, and Sergeant at Arms; the
Executive Clerk of the White House; the Public Printer of the
Government Printing Office; and interested congressional committees. In
addition, the report will be available at no charge on the GAO Web site
at [hyperlink, http://www.gao.gov].
If you or your staff have any questions about this report, please
contact me at (202) 512-3841 or aloisee@gao.gov. Contact points for our
Office of Congressional Relations and Public Affairs may be found on
the last page of this report. GAO staff who made major contributions to
this report are listed in appendix VI.
Sincerely yours,
Signed by:
Gene Aloise:
Director, Natural Resources and Environment:
[End of section]
Appendix I: Comments from the Department of Energy:
Department of Energy:
National Nuclear Security Administration:
Washington, DC 20585:
December 2, 2009:
Mr. Gene Aloise:
Director, Natural Resources and Environment:
U.S. Government Accountability Office:
Washington, D.C. 20458:
Dear Mr. Aloise:
The National Nuclear Security Administration (NNSA) appreciates the
opportunity to review the Government Accountability Office's GAO)
report, Managing Sensitive Information. Actions Needed to Prevent
Unintended Public Disclosures of U.S. Nuclear Sites and Activities, GA0-
10-251. We understand that the Speaker of the House asked GAO to
perform a review on GPO's release of Sensitive Nuclear Information.
Specifically, GAO was asked to determine which U.S. agencies were
responsible for the public release of this information and why the
disclosure occurred, and (2) what impact, if any, the release of the
information has had on U.S. national security.
NNSA agrees with the report and the recommendations. Regarding the
first recommendation concerning an interagency agreement, we agree that
better coordination needs to occur. The development of any protocols
should be specific to the marking and handling of documents that
contain unclassified information that should not be publicly released
pursuant to the U.S. Safeguards Agreement with the International Atomic
Energy Agency. The development of broader standards for Controlled
Unclassified Information (CUI) should remain the responsibility of the
Executive Agent and CUI Council designated by the President and will
take appropriate action to meet GAO's concerns.
If you have any questions concerning this response, please contact
JoAnne Parker, Acting Director, Policy and Internal Controls Management
at 202-586-1913.
Sincerely,
Signed by:
Michael C. Kane:
Associate Administrator for Management and Administration:
cc:
Deputy Administrator for Defense Nuclear Nonproliferation:
Associate Administrator for Defense Nuclear Security:
[End of section]
Appendix II: Comments from the Department of State:
United States Department of State:
Assistant Secretary and Chief Financial Officer:
Washington, DC 20520:
December 7, 2009:
Ms. Jacquelyn Williams-Bridgers:
Managing Director:
International Affairs and Trade:
Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548-0001:
Dear Ms. Williams-Bridgers:
We appreciate the opportunity to review your draft report, "Managing
Sensitive Information: Actions Needed to Prevent Unintended Public
Disclosures of U.S. Nuclear Sites and Activities," GAO Job Code 361127.
The enclosed Department of State comments are provided for
incorporation with this letter as an appendix to the final report.
If you have any questions concerning this response, please contact Jim
LaFemina, Deputy Director, Strategic Planning and Outreach,
International Security and Nonproliferation at (202) 647-9501.
Sincerely,
Signed by:
James L. Millette:
cc:
GAO - Glen Levis:
ISN - Vann Van Diepen:
OIG - Mark Duda:
[End of letter]
Department of State Comments on GAO Draft Report:
Managing Sensitive Information: Actions Needed to Prevent Unintended
Public Disclosures of U.S. Nuclear Sites and Activities (GAO-10-251,
GAO Code 361127):
Thank you for the opportunity to comment on your draft report entitled
"Managing Sensitive Information: Actions Needed to Prevent Unintended
Public Disclosures of U.S. Nuclear Sites and Activities." The
Department of State has long been a strong supporter of improving the
protection and security of sensitive information, and is eager to
cooperate in efforts to make this process more effective.
The Department of State endorses the main findings and conclusions of
the GAO report. We believe that GAO's assessment of the events leading
up to the unintended public disclosure of U.S. nuclear sites and
activities is both accurate and balanced.
The Department of State agrees fully with the recommendations contained
in the report and has been working with the interagency Controlled
Unclassified Information (CUI) Council to develop standards for the
designation, marking, and handling of terrorism information, which
includes "weapons of mass destruction" information based on the
Implementing the Recommendations of the 9/11 Act of 2007. The
Department of State will continue to work with the interagency to
develop appropriate policies for designating, marking, and handling
this kind of information.
The Department of State also agrees with GAO's recommendation to
clearly indicate whether or not any presidential message or attached
documents that will be presented to the IAEA should be printed and made
publicly available when preparing presidential communications to the
Congress. The Office of Multinational Security Agreements within the
Bureau of International Security and Nonproliferation will work closely
with the necessary bureaus and offices within the Department to see
that this becomes standard procedure for transmitting such documents.
[End of section]
Appendix III Comments from the Government Printing Office:
Note: GAO comments supplementing those in the report text appear at the
end of this appendix.
Memorandum:
U.S. Government Printing Office:
Quality Assurance:
Keeping America Informed: [hyperlink, http://www.gpo.gov]
Date: December 2, 2009:
Subject: Review of Draft report "Managing Sensitive Information”Actions
Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites
and Activities."
Reply to the Attention of:
Reynold Schweickhardt, Chief Technology Officer, U.S. Government
Printing Office (GPO).
To: Gene Aloise, Director, Natural Resources and Environment, General
Accountability Office (GAO):
Comments:
GPO would like to thank you for the opportunity to review GAO's draft
copy of this report and appreciates the opportunity to provide feedback.
GAO has recommended GPO implement four recommendations put forth by
GPO's Office of Inspector General (OM) in their report of August 2009.
The Public Printer has concurred with these recommendations and GPO
will be taking the appropriate actions to implement the recommendations
as outlined by the Public Printer. The 010 recommendations and the
Public Printer's response can be found in Appendix A.
We would also like to submit the following notes for your
consideration:
In the Highlights section of the draft, the final sentence of the first
paragraph mentions that GAO "...met with officials from DOE, NRC,
Commerce, State, the White House, and the House of Representatives." We
would like mention that GAO also met with GPO. [See comment 1]
The first paragraph on page 3 states that GPO shipped copies "to
Congress and some federal agencies" and "recalled these copies and
secured them..." A table with the current status of the printed copies
can be found in Appendix B. [See comment 2]
If desired, GPO would welcome the opportunity to review these comments
with you or your staff.
[End of memo]
The following are GAO's comments to the Government Printing Office
letter dated December 2, 2009.
GAO Comments:
1. We added GPO to the Highlights page as one of the agencies and
offices we met with to discuss why the disclosure of the draft
declaration occurred.
2. We modified the text on page 3 to include the most recent data on
the status of the printed copies of the draft declaration, based on
information contained in the technical appendix provided by GPO.
[End of section]
Appendix IV: Comments from the Nuclear Regulatory Commission:
Note: GAO comments supplementing those in the report text appear at the
end of this appendix.
United States:
Nuclear Regulatory Commission:
Washington, D.C. 20555-0001:
December 2, 2009:
Gene Aloise:
Director, Natural Resources and Environment:
Government Accountability Office:
441 G St., NW:
Washington, D.C. 20548:
Dear Mr. Aloise:
This letter is in response to your November 16, 2009 request to Mr.
Bill Borchardt, the U.S. Nuclear Regulatory Commission's (NRC's)
Executive Director for Operations, for agency comments on the draft
Government Accountability Office (GAO) report "Managing Sensitive
Information: Actions Needed to Prevent Unintended Public Disclosures of
U.S. Nuclear Sites and Activities" (GAO-10-251). The NRC has no
objections to the report; however, the agency suggests the following
editorial change for GAO's consideration for incorporation in the final
report.
At the bottom of page 4 and top of page 5, under the Background
section, we recommend that the current language "... and exports of
sensitive and other key nuclear-related equipment" be modified to read
"... and exports of specific nuclear-related equipment," We believe
that this change would indicate to the reader that the nuclear-related
equipment being reported is equipment specified by the International
Atomic Energy Agency to be reported and not just equipment that the
U.S. might consider as sensitive or key. [See comment 1]
The NRC appreciates the opportunity to comment on GAO-10-251.
Sincerely,
Signed by:
Martin J. Virgilio:
Deputy Executive Director for Materials, Waste, Research, State, Tribal
and Compliance Programs:
Office of the Executive Director for Operations:
[End of letter]
See comment 1.
The following is GAO's comment to the Nuclear Regulatory Commission
letter dated December 2, 2009.
GAO Comment:
1. We modified the text on the bottom of page 4 in the Background
section to clarify that under the Additional Protocol, the U.S. must
declare exports of sensitive nuclear-related equipment specified by
IAEA.
[End of section]
Appendix V: Comments from the House of Representatives' Sergeant at
Arms:
Note: GAO comments supplementing those in the report text appear at the
end of this appendix.
Office Of The Sergeant At Arms:
Wilson Livengood:
Sergeant At Arms:
U.S. House of Representatives:
H-124 Capitol:
Washington, DC 20515-6634:
202-225-2456:
December 2, 2009:
Gene L. Dodaro:
Acting Comptroller General of the United States:
General Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Dodaro:
Thank you very much for providing GAO's draft report "Managing
Sensitive Information: Actions Needed to Prevent Unintended Public
Disclosures of U.S. Nuclear Sites and Activities" for comment. After
reviewing the draft report, there are some items in the draft that I
believe require clarification.
1. The House Security Office did not make an incorrect determination
that the document could be published.
On page 17 of the draft report, a determination is made that the I
louse Security Office, along with the Parliamentarian and the Clerk's
office, made an incorrect determination that the document could be
published. However, the Security Office made no determination as to
whether the document could be published or not. [See comment 1]
As the draft report states at page 18, the Director of the Security
Office reviewed the document on May 5, 2009. The document contained a
security marking that was placed on the document by the IAEA that
stated: "Highly Confidential Safeguards Sensitive." This has no legal
significance in the United States, as the report acknowledges. [See
comment 2]
Also, none of the U.S. agencies that reviewed the document prior to it
being forwarded to the Parliamentarian's office properly marked the
document with a classification designation. See Draft Report at 13. The
National Security Council did not include a transmittal letter, which
would have included handling instructions, to the White House Clerk's
office which subsequently forwarded the document to the House of
Representatives. See Draft Report at 15. The only indication as to the
nature of the document was in the presidential message that indicated
"sensitive but unclassified," See Draft Report at 15. [See comment 3]
Upon being presented with the document, the Security Office did not
recognize the designation placed upon it by the IAEA. Therefore, the
Director of the Security Office advised the Clerk's office to contact
the IAEA for guidance as to what the IAEA's classification meant. [See
comment 4]
In addition, the Clerk's office was advised to contact the White House
for printing guidance as it was the U.S. entity that forwarded document
to the House with the designation in the presidential message of
"sensitive but unclassified." The Security Office would have made the
same inquiries if it had been the entity that was in control of the
document or had been requested to make the inquiries on behalf of the
Clerk's office.
At no time did the Security Office provide direction or legal advice
that the document could be printed and the report should be corrected
to accurately reflect this. [See comment 5]
2. The Security Office properly advised the Clerk's office to contact
IAEA.
The draft report indicates that the IAEA was the only entity that
marked the document with any type of language pertaining to how to
properly handle the document. The only other indication that the House
had as to the nature of the document was in the presidential message
that accompanied the document. [See comment 6]
The draft report concludes: "No agency or office that was involved with
the production or transmittal of the draft declaration ensured that the
final document was marked with any U.S. security designation." See
Draft Report at 26. While agencies did internally mark the document,
none of the agencies took the added precaution of ensuring that the
consolidated draft have a recognized U.S. Government classification.
Since the only marking on the document was the IAEA designation, it is
logical to determine what meaning, and handling procedures, its
markings were designed to convey. Therefore, I would request that the
reference to the Security Office improperly determining that IAEA
classified the document be removed. [See comment 7]
3. The House Security Office did not need to take control of the
document nor was the Security Office requested to take control over the
document.
The draft report states that: "The Security Office Director reviewed
the document on May 5, 2009 but did not take custody of it or make
inquiries on its proper handling and safeguarding." See Draft Report at
18. [See comment 8]
House offices are not required to relinquish custody and control of
sensitive or classified documents to the House Security Office for
storage. If requested, the Security Office does provide that service.
The Office does not have the authority to order an entity to store the
document with the Security Office. [See comment 9]
Every week, the Security Office provides security, education and
awareness training for House staff including the proper methods for
handling sensitive or classified information. This information was
shown to the GAO investigators during their investigation. During the
presentation to GAO, the House Security Office showed GAO that any
"other common document designation" is treated as confidential or
classified information and it should not be released without
authorization from the originating agency.
The Clerk's office did not request that the Security Office store the
document. As the report states, the Clerk's office was seeking advice
on handling a document whose classification level, if any, unclear.
However, upon being presented with the document, the Director of the
Security Office did inquire as to how the Clerk's office stored and
handled the document within the confines of its office. Upon being
informed of the Clerk's internal storage procedures, and those
procedures being in accordance with the training that the Security
Office had provided to the Clerk's staff, there was no need for the
Security Office to suggest that it take custody of the document. [See
comment 10]
If the procedures that the Clerk's office employed to store the
document were deficient, the Security Office would have advised the
Clerk's office to allow the Security Office to store the document on
the Clerk's behalf.
Therefore, I would request that the reference on page I 8 of the draft
report stating that the Security Office did not take custody of the
document or inquire as to its handling and safeguarding be removed from
the draft or clarified to acknowledge that the Security Office did
inquire as to the Clerk's handling of the document. [See comment 11]
4. The Director of the House Security Office acted properly.
While the Security Office was created to serve, in part, the role of a
repository for classified material, there is no mandatory requirement
that Member, Committee or other House entities store classified
material with the Security Office. In fact, it was designed
specifically for those offices that did not have the proper means to
store classified material. If a Member, Committee or other House entity
had the proper storage protocols in place, there would be no need for
the Security Office to intervene and suggest that it take custody of
the document.
The Clerk's office did not request that the Security Office take
custody of the document. They merely sought advice as to the
classification of the document. The Director provided that advice. In
addition, the Clerk's office did not request assistance in contacting
the entities that were responsible for the creation and transmittal of
the document. [See comment 12]
In addition, the Director inquired as to that office's internal
handling of the document. Since the document was being properly stored,
there was no need for the Security Office to take control. The Director
of House Security followed proper procedure.
I would request that the reference to the Director of the Security
Office be removed or, in the alternative, modified to accurately
reflect the role that the Director's position and the Security Office
play in the House. [See comment 13]
Also, I would suggest a recommendation that would require Member
offices and other non-Committee House entities that are not equipped to
properly store sensitive or classified material to relinquish custody
of such material to the Security Office. [See comment 14]
Thank you very much for providing me the opportunity to comment on the
draft report. Please feel free to contact William McFarland at (202)
226-2044 if you should have any other questions.
Sincerely,
Signed by:
Wilson Livingood:
Sergeant at Arms:
[End of letter]
The following are GAO's comments to the House of Representatives
Sergeant at Arms letter dated December 2, 2009.
GAO Comments:
1. We have modified the text on page 16 by removing a reference to the
Security Office to clarify that it did not make a determination as to
whether the document could be published.
2. The Sergeant at Arms is incorrect when he states that IAEA marked
the document "Highly Confidential Safeguards Sensitive." As we state in
our report, U.S. agencies that prepared the declaration marked the
document, not IAEA. U.S. agencies used an IAEA-supplied software to
mark the document with the highest IAEA security marking to put IAEA on
notice, once it received the document, that it should be properly
safeguarded against disclosure. However, the draft declaration is a
U.S. document and should not have been publicly disclosed.
3. We agree that U.S. agencies and offices that prepared and
transmitted the document prior to sending it to the House of
Representatives missed opportunities to better mark the document and
avoid confusion about whether it should have been published. However,
the presidential message that accompanied the draft declaration
explained that the United States regarded the information as SBU. The
presidential message also explained that the information was exempt
from disclosure under FOIA. In our view, the information in the
presidential message should have been sufficient to put the House
Security Office on notice that the information should be treated as SBU
and should not be published or publicly released without a more
rigorous inquiry.
4. See comment 2.
5. See comment 1.
6. While there was nothing inherently wrong with the Office of Security
suggesting that the Clerk's Office contact IAEA about the document,
IAEA did not prepare, transmit, or mark the document. IAEA was not the
originating agency for the information. As a result, it continues to be
our view that the Director of the House Office of Security did not
provide the correct advice to the House Clerk on who she should have
contacted to obtain authorization on releasing SBU information.
7. As we noted in our report, U.S. agencies that prepared the draft
declaration placed the IAEA marking on the document. The presidential
message explained that the draft declaration was prepared by the United
States and would be submitted to IAEA. IAEA was not the originating
agency for the information.
8. We have modified the text on page 17 to clarify that the Security
Office was not required to take custody and control of the document.
9. See comment 8.
10. We have modified the text on page 17 to clarify that the Security
Office was not required to take custody and control of the document.
However, given the unfamiliar markings and 266 pages of detailed
information on U.S. nuclear sites and activities, we believe that it
would have been prudent to take positive physical control of the
document as a precautionary measure until a determination was made
concerning whether or not the document could be published. The Director
of the Office of Security missed opportunities to prevent the
document's release and he should have been more directly involved in
resolving conflicting and confusing information regarding the
classification of the draft declaration.
11. See comment 8.
12. We have modified the text on page 17 to clarify that the Security
Office was not required to take custody and control of the document and
the Executive Communications Clerk did not request that the Security
Office take custody of the document or assist her in contacting the
agencies and offices that transmitted the document.
13. We have modified the text on page 17 to clarify the Security
Office's document custody requirements and what was asked of the
Security Office by the House Clerk. However, we believe that given the
sensitive nature of the draft document--and commensurate with its role--
the House Security Office should have, at a minimum, raised concerns
with the House Clerk's Office about publicly releasing 266 pages of
information on U.S. nuclear sites and activities and advised the House
Clerk not to print the document without a more rigorous inquiry as to
whether it should have been published.
14. We believe that the recommendation suggested by the Sergeant at
Arms to require Member offices and other non-Committee House entities
that are not equipped to properly store sensitive or classified data to
relinquish custody of such material to the House Security Office would
involve a change in House rules and procedures that is beyond the scope
of our review.
[End of section]
Appendix VI: GAO Contact and Staff Acknowledgments:
GAO Contact
Gene Aloise (202) 512-3841 or aloisee@gao.gov.
Staff Acknowledgments
In addition to the contact named above, Glen Levis, Assistant Director,
Antoinette Capaccio, Leland Cogliani; Ralph Dawn, Karen Keegan; Tim
Persons; and Carol Herrnstadt Shulman made significant contributions to
this report.
[End of section]
Footnotes:
[1] GPO is a legislative branch agency and the federal government's
primary centralized resource for gathering, cataloging, producing,
providing, and preserving published information in all its forms. GPO
was directed to publish a presidential message along with the document.
The message explained that the document would be provided to the
International Atomic Energy Agency (IAEA) and that the IAEA
classification of the document was "Highly Confidential Safeguards
Sensitive," but the United States regarded the information as
"Sensitive but Unclassified" (SBU).
[2] DOE manages the largest laboratory system of its kind in the world.
Originally created to design and build atomic bombs under the Manhattan
Project, these laboratories have since expanded to conduct research in
many disciplines--from high-energy physics to advanced computing
facilities throughout the nation.
[3] The Y-12 complex was constructed as part of the World War II
Manhattan Project. Y-12's mission includes, among other things, the
production/rework of nuclear weapons components and the receipt,
storage, and protection of special nuclear materials.
[4] IAEA, an autonomous international organization affiliated with the
United Nations, was established in Vienna, Austria, in 1957. The agency
has the dual role of promoting the peaceful uses of nuclear energy by
transferring nuclear science and technology through its nuclear science
and applications and technical cooperation programs, and verifying,
through its safeguards program, that nuclear materials subject to
safeguards are not diverted to nuclear weapons or other proscribed
purposes. As of October 2009, 24 non-nuclear weapon states that were
parties to the Treaty on the Non-Proliferation of Nuclear Weapons (NPT)
did not have comprehensive safeguards agreements with IAEA in force. In
addition, India, Israel, and Pakistan are not parties to the NPT. As a
result, they also do not have comprehensive safeguards agreements with
IAEA.
[5] Beginning in 2010, the United States is required to submit a
declaration annually to IAEA by May 15.
[6] The agreement is formally known as The Protocol Additional to the
Agreement between the United States of America and the International
Atomic Energy Agency for the Application of Safeguards in the United
States of America. As of October 2009, 93 countries, including the
United States, have an Additional Protocol which has entered into force
and another 33 have signed the agreement.
[7] GAO, Nuclear Nonproliferation: IAEA Has Strengthened Its Safeguards
and Nuclear Security Programs, but Weaknesses Need to be Addressed,
[hyperlink, http://www.gao.gov/products/GAO-06-93] (Washington, D.C.:
Oct. 7, 2005).
[8] In Executive Order 12958, as amended, "national security" means the
national defense or foreign relations of the United States.
[9] The United States, along with four other nuclear weapons states
that are parties to the NPT (China, France, the Russian Federation, and
the United Kingdom) are not obligated by the NPT to accept IAEA
safeguards. However, each nuclear weapons state, including the United
States, has voluntarily entered into legally binding safeguards
agreements with IAEA, and have submitted designated nuclear materials
and facilities to IAEA safeguards to demonstrate to the non-nuclear
weapons states their willingness to share in the administrative and
commercial costs of safeguards.
[10] State guidance for classified and sensitive information defines
SBU as information that is not classified for national security
reasons, but that warrants/requires administrative control and
protection from public or other unauthorized disclosure for other
reasons.
[11] As evidenced by a May 2009 memorandum on Classified Information
and Controlled Unclassified Information, the President is generally
committed to broad implementation of a framework for the
standardization of treatment and the facilitation of information
sharing that is not classified, but may still merit protection from
public disclosure.
[12] Public Law 109-401 refers to the United States Additional Protocol
Implementation Act, and section 552 of Title 5 refers to the Freedom of
Information Act (FOIA). The United States Additional Protocol
Implementation Act exempted the information collected for the
declaration from disclosure under FOIA. However, FOIA was only
marginally relevant to Congress' handling of the document because FOIA
only applies to agencies responding to requests for specific pieces of
information and Congress is not an agency, nor was there a request for
this information. Exemption under FOIA may be one criterion that an
agency uses in its own determination as to whether to treat a document
as OUO or SBU, but the agencies had already decided to treat the draft
declaration as OUO/SBU and, ultimately, it was the draft declaration's
OUO/SBU status that should have governed whether or not it was to be
published, not its exemption under FOIA.
[13] GPO, Management Implication Report Publication of House Document
111-37 on U.S. Nuclear Sites, August 3, 2009, [hyperlink,
http://www.gpo.gov/pdfs/ig/investigations/MIR_HD_111-37.pdf] (assessed
Nov. 12, 2009).
[14] Under the Atomic Energy Act of 1954, NRC has the authority to give
primary regulatory authority to states (called agreement states) under
certain conditions. As of October 1, 2009, NRC has relinquished its
licensing, inspection, and enforcement authority to 37 agreement states
while NRC continues to issue licenses in the remaining 13 states.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
