Managing Sensitive Information
Departments of Energy and Defense Policies and Oversight Could Be Improved Gao ID: GAO-06-369 March 7, 2006In the interest of national security and personal privacy and for other reasons, federal agencies place dissemination restrictions on information that is unclassified yet still sensitive. The Department of Energy (DOE) and the Department of Defense (DOD) have both issued policy guidance on how and when to protect sensitive information. DOE marks documents with this information as Official Use Only (OUO) while DOD uses the designation For Official Use Only (FOUO). GAO was asked to (1) identify and assess the policies, procedures, and criteria DOE and DOD employ to manage OUO and FOUO information and (2) determine the extent to which DOE's and DOD's training and oversight programs assure that information is identified, marked, and protected according to established criteria.
Both DOE and DOD base their programs on the premise that information designated as OUO or FOUO must (1) have the potential to cause foreseeable harm to governmental, commercial, or private interests if disseminated to the public or persons who do not need the information to perform their jobs and (2) fall under at least one of eight Freedom of Information Act (FOIA) exemptions. According to GAO's Standards for Internal Control in the Federal Government, policies, procedures, techniques, and mechanisms should be in place to manage agency activities. However, while DOE and DOD have policies in place, our analysis of these policies showed a lack of clarity in key areas that could allow for inconsistencies and errors. For example, it is unclear which DOD office is responsible for the FOUO program, and whether personnel designating a document as FOUO should note the FOIA exemption used as the basis for the designation on the document. Also, both DOE's and DOD's policies are unclear regarding at what point a document should be marked as OUO or FOUO and what would be an inappropriate use of the OUO or FOUO designation. For example, OUO or FOUO designations should not be used to cover up agency mismanagement. In our view, this lack of clarity exists in both DOE and DOD because the agencies have put greater emphasis on managing classified information, which is more sensitive than OUO or FOUO. While both DOE and DOD offer training on their OUO and FOUO policies, neither DOE nor DOD has an agencywide requirement that employees be trained before they designate documents as OUO or FOUO. Moreover, neither agency conducts oversight to assure that information is appropriately identified and marked as OUO or FOUO. According to Standards for Internal Control in the Federal Government, training and oversight are important elements in creating a good internal control program. DOE and DOD officials told us that limited resources, and in the case of DOE, the newness of the program, have contributed to the lack of training requirements and oversight. Nonetheless, the lack of training requirements and oversight of the OUO and FOUO programs leave DOE and DOD officials unable to assure that OUO and FOUO documents are marked and handled in a manner consistent with agency policies and may result in inconsistencies and errors in the application of the programs.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-06-369, Managing Sensitive Information: Departments of Energy and Defense Policies and Oversight Could Be Improved
This is the accessible text file for GAO report number GAO-06-369
entitled 'Managing Sensitive Information: Departments of Energy and
Defense Policies and Oversight Could Be Improved' which was released on
March 14, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Chairman, Subcommittee on National Security, Emerging
Threats, and International Relations, Committee on Government Reform,
House of Representatives:
United States Government Accountability Office:
GAO:
March 2006:
Managing Sensitive Information:
Departments of Energy and Defense Policies and Oversight Could Be
Improved:
GAO-06-369:
GAO Highlights:
Highlights of GAO-06-369, a report to the Chairman, Subcommittee on
National Security, Emerging Threats, and Government Reform, House of
Representatives:
Why GAO Did This Study:
In the interest of national security and personal privacy and for other
reasons, federal agencies place dissemination restrictions on
information that is unclassified yet still sensitive. The Department of
Energy (DOE) and the Department of Defense (DOD) have both issued
policy guidance on how and when to protect sensitive information. DOE
marks documents with this information as Official Use Only (OUO) while
DOD uses the designation For Official Use Only (FOUO). GAO was asked to
(1) identify and assess the policies, procedures, and criteria DOE and
DOD employ to manage OUO and FOUO information and (2) determine the
extent to which DOE‘s and DOD‘s training and oversight programs assure
that information is identified, marked, and protected according to
established criteria.
What GAO Found:
Both DOE and DOD base their programs on the premise that information
designated as OUO or FOUO must (1) have the potential to cause
foreseeable harm to governmental, commercial, or private interests if
disseminated to the public or persons who do not need the information
to perform their jobs and (2) fall under at least one of eight Freedom
of Information Act (FOIA) exemptions. According to GAO‘s Standards for
Internal Control in the Federal Government, policies, procedures,
techniques, and mechanisms should be in place to manage agency
activities. However, while DOE and DOD have policies in place, our
analysis of these policies showed a lack of clarity in key areas that
could allow for inconsistencies and errors. For example, it is unclear
which DOD office is responsible for the FOUO program, and whether
personnel designating a document as FOUO should note the FOIA exemption
used as the basis for the designation on the document. Also, both DOE‘s
and DOD‘s policies are unclear regarding at what point a document
should be marked as OUO or FOUO and what would be an inappropriate use
of the OUO or FOUO designation. For example, OUO or FOUO designations
should not be used to cover up agency mismanagement. In our view, this
lack of clarity exists in both DOE and DOD because the agencies have
put greater emphasis on managing classified information, which is more
sensitive than OUO or FOUO.
While both DOE and DOD offer training on their OUO and FOUO policies,
neither DOE nor DOD has an agencywide requirement that employees be
trained before they designate documents as OUO or FOUO. Moreover,
neither agency conducts oversight to assure that information is
appropriately identified and marked as OUO or FOUO. According to
Standards for Internal Control in the Federal Government, training and
oversight are important elements in creating a good internal control
program. DOE and DOD officials told us that limited resources, and in
the case of DOE, the newness of the program, have contributed to the
lack of training requirements and oversight. Nonetheless, the lack of
training requirements and oversight of the OUO and FOUO programs leave
DOE and DOD officials unable to assure that OUO and FOUO documents are
marked and handled in a manner consistent with agency policies and may
result in inconsistencies and errors in the application of the
programs.
What GAO Recommends:
GAO made several recommendations for DOE and DOD to clarify their
policies to assure the consistent application of OUO and FOUO
designations and increase the level of management oversight in their
use.
DOE and DOD agreed with most of GAO‘s recommendations, but partially
disagreed with its recommendation to periodically review OUO or FOUO
information. DOD also disagreed that personnel designating a document
as FOUO should also mark it with the applicable FOIA exemption.
www.gao.gov/cgi-bin/getrpt?GAO-06-369.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Davi D'Agostino at (202)
512-5431 or Gene Aloise at (202) 512-3841.
[End of section]
Contents:
Letter:
Results in Brief:
DOE and DOD Lack Clear OUO and FOUO Guidance in Key Aspects:
Neither DOE nor DOD Requires Training or Conducts Oversight:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Comments from the Department of Energy:
Appendix II: Comments from the Department of Defense:
Appendix III: GAO Contacts and Staff Acknowledgments:
Table:
Table 1: FOIA Exemptions:
Figure:
Figure 1: DOE's OUO Stamp:
Abbreviations:
DOD: Department of Defense:
DOE: Department of Energy:
FOIA: Freedom of Information Act:
FOUO: For Official Use Only:
OUO: Official Use Only:
United States Government Accountability Office:
Washington, DC 20548:
March 7, 2006:
The Honorable Christopher Shays:
Chairman:
Subcommittee on National Security, Emerging Threats, and International
Relations:
Committee on Government Reform:
House of Representatives:
Dear Mr. Chairman:
In the interest of protecting national security, the federal government
routinely classifies certain documents and other information as Top
Secret, Secret, or Confidential. In addition to classified information,
federal agencies also place dissemination restrictions on unclassified
but sensitive information. These restrictions are used to indicate that
the information, if disseminated to the public or persons who do not
need such information to perform their jobs, may cause foreseeable harm
to protected governmental, commercial, or privacy interests. Such
information includes, for example, sensitive personnel information,
such as Social Security numbers, and the floor plans for some federal
buildings. The Department of Energy (DOE) and the Department of Defense
(DOD) use the designations Official Use Only (OUO) and For Official Use
Only (FOUO), respectively, to identify information that is unclassified
but sensitive. According to both DOE and DOD officials, it is unknown
how many documents containing OUO and FOUO information exist, but a DOE
official stated that there were many millions of pages of OUO material.
Congressional concern has recently arisen that some government
officials may be improperly designating certain documents as
unclassified but sensitive, which unnecessarily limits their
dissemination to the public.
DOE's and DOD's OUO and FOUO programs are largely based on the
exemption provisions of the Freedom of Information Act (FOIA), which
establishes the public's legal right of access to government
information, as well as the government's right to restrict public
access to certain types of unclassified information.[Footnote 1] FOIA
identifies nine categories of information that are generally exempt
from public release, including law enforcement records and proprietary
information, although only eight of these categories are applicable to
OUO and FOUO programs.[Footnote 2]
This report responds in part to your request that we review the broad
issues regarding information classification management at DOE and DOD.
As agreed with your office, to respond to your request, we will issue
three reports on this subject. This report discusses OUO and FOUO
programs at DOE and DOD. In addition, in June 2006, we will issue two
separate reports on DOE's and DOD's management of information
classified as Top Secret, Secret, or Confidential, which is separate
from the agencies' OUO and FOUO programs. In this report, we will (1)
identify and assess the policies, procedures, and criteria DOE and DOD
employ to manage OUO and FOUO information and (2) determine the extent
to which DOE's and DOD's training and oversight programs assure that
information is identified, marked, and protected according to
established criteria.
We also recently issued a report on the designation of sensitive
security information at the Transportation Security
Administration.[Footnote 3] Finally, we are currently reviewing the
management of Sensitive but Unclassified information within the
Department of Justice, the agency's current efforts to share sensitive
homeland security information among federal and nonfederal entities,
and the challenges posed by such information sharing.
To identify and assess the policies and procedures DOE and DOD use to
manage OUO and FOUO information, we reviewed and analyzed FOIA and
DOE's and DOD's current applicable policies, regulations, orders,
manuals, and guides. We compared these to the objectives and
fundamental concepts of internal controls defined in Standards for
Internal Control in the Federal Government.[Footnote 4] To determine
the extent to which these agencies' internal controls assure that
information is identified and marked according to established criteria,
we reviewed the training provided to staff at both agencies and the
oversight conducted on the OUO and FOUO programs. We compared these
efforts with the standards for training and oversight envisioned in
Standards for Internal Control in the Federal Government. We also
interviewed officials from DOE and DOD in Washington, D.C; at DOE field
locations in Los Alamos and Albuquerque, New Mexico, Oak Ridge,
Tennessee, and the Savannah River Site in South Carolina; and at
several DOD field locations. These locations were selected based on the
large amounts of activity in classifying and controlling information.
According to agency officials, there is no listing or identifiable
universe of OUO or FOUO documents maintained by the agencies. Because
of this limitation, we did not sample documents marked OUO or FOUO.
We performed our work from April 2005 through January 2006 in
accordance with generally accepted government auditing standards.
Results in Brief:
Both DOE and DOD base their programs on the premise that information
designated as OUO or FOUO must (1) have the potential to cause
foreseeable harm to governmental, commercial, or private interests if
disseminated to the public or persons who do not need the information
to perform their jobs and (2) fall under at least one of eight FOIA
exemptions. According to Standards for Internal Control in the Federal
Government, policies, procedures, techniques, and mechanisms should be
in place to manage agency activities. However, while DOE and DOD have
policies in place, our analysis of these policies showed a lack of
clarity in key areas that could allow for inconsistencies and errors.
For example, it is unclear which DOD office is responsible for the FOUO
program, and whether personnel designating a document as FOUO should
note the FOIA exemption used as the basis for the designation on the
document. Also, both DOE's and DOD's policies are unclear regarding at
what point a document should be marked as OUO or FOUO and what would be
an inappropriate use of the OUO or FOUO designation. For example, OUO
or FOUO designations should not be used to cover up agency
mismanagement. In our view, this lack of clarity exists in both DOE and
DOD because the agencies have put greater emphasis on managing
classified information, which is more sensitive than OUO or FOUO
information.
While both DOE and DOD offer training on their OUO and FOUO policies,
neither DOE nor DOD has an agencywide requirement that employees be
trained before they designate documents as OUO or FOUO. Moreover,
neither agency conducts oversight to assure that information is
appropriately identified and marked as OUO or FOUO. According to
Standards for Internal Control in the Federal Government, training and
oversight are important elements in creating a good internal control
program. DOE and DOD officials told us that limited resources, and in
the case of DOE, the newness of the program, have contributed to the
lack of training requirements and oversight. Nonetheless, the lack of
training requirements and oversight of the OUO and FOUO programs leaves
DOE and DOD officials unable to assure that OUO and FOUO documents are
marked and handled in a manner consistent with agency policies and may
result in inconsistencies and errors in the application of the
programs.
We are recommending that DOE and DOD clarify their policies to assure
the consistent application of OUO and FOUO designations and increase
the level of management oversight in their use. In commenting on a
draft of this report, DOE and DOD agreed with most of our
recommendations. Both DOE and DOD disagreed with our recommendation to
periodically review information to determine if it continues to require
an OUO or FOUO designation. Based on their comments, we modified the
report and our recommendation to focus on the need for periodic
oversight of the OUO and FOUO programs.
Also, DOD disagreed with our draft report recommendation that personnel
designating a document as FOUO also mark the document with the FOIA
exemption used to determine the information should be restricted. We
believe that the practice of citing the applicable FOIA exemption(s)
will not only increase the likelihood that the information is
appropriately marked as FOUO, but will also foster consistent
application of the marking throughout DOD. Therefore, we continue to
believe our recommendation has merit.
DOE and DOD Lack Clear OUO and FOUO Guidance in Key Aspects:
Both DOE and DOD have established offices; designated staff; and
promulgated policies, manuals, and guides to provide a framework for
the OUO and FOUO programs. However, based on our assessment of the
policies governing both DOE's and DOD's programs, their policies to
assure that unclassified but sensitive information is appropriately
identified and marked lack sufficient clarity in important areas that
could allow for inconsistencies and errors. DOE policy clearly
identifies the office responsible for the OUO program and establishes a
mechanism to mark the FOIA exemption used as the basis for the OUO
designation on a document. However, our analysis of DOD's FOUO policies
shows that it is unclear which DOD office is responsible for the FOUO
program, and whether personnel designating a document as FOUO should
note the FOIA exemption used as the basis for the designation on the
document. Also, both DOE's and DOD's policies are unclear regarding at
what point a document should be marked as OUO or FOUO, and what would
be an inappropriate use of the OUO or FOUO designation. In our view,
this lack of clarity exists in both DOE and DOD because the agencies
have put greater emphasis on managing classified information, which is
more sensitive than OUO or FOUO information.
DOE's OUO program was created in 2003 and DOD's FOUO program has been
in existence since 1968. Both programs use the exemptions in FOIA for
designating information in a document as OUO or FOUO. Table 1 outlines
these exemptions.
Table 1: FOIA Exemptions:
Exemption: 1. Classified in accordance with an executive order[A];
Examples: Classified national defense or foreign policy information.
Exemption: 2. Related solely to internal personnel rules and practices
of an agency;
Examples: Routine internal personnel matters, such as performance
standards and leave practices; internal matters the disclosure of which
would risk the circumvention of a statute or agency regulation, such as
law enforcement manuals.
Exemption: 3. Specifically exempted from disclosure by federal statute;
Examples: Nuclear weapons design (Atomic Energy Act); tax return
information (Internal Revenue Code).
Exemption: 4. Privileged or confidential trade secrets, commercial, or
financial information;
Examples: Scientific and manufacturing processes (trade secrets); sales
statistics, customer and supplier lists, profit and loss data, and
overhead and operating costs (commercial/financial information).
Exemption: 5. Interagency or intra-agency memoranda or letters that are
normally privileged in civil litigation;
Examples: Memoranda and other documents that contain advice, opinions,
or recommendations on decisions and policies (deliberative process);
documents prepared by an attorney in contemplation of litigation
(attorney work-product); confidential communications between an
attorney and a client (attorney- client).
Exemption: 6. Personnel, medical, and similar files the disclosure of
which would constitute a clearly unwarranted invasion of personal
privacy;
Examples: Personal details about a federal employee, such as date of
birth, marital status, and medical condition.
Exemption: 7. Records compiled for law enforcement purposes where
release either would or could harm those law enforcement efforts in one
or more ways listed in the statute;
Examples: Witness statements; information obtained in confidence in the
course of an investigation; identity of a confidential source.
Exemption: 8. Certain records and reports related to the regulation or
supervision of financial institutions;
Examples: Bank examination reports and related documents.
Exemption: 9. Geographical and geophysical information and data,
including maps, concerning wells;
Examples: Well information of a technical or scientific nature, such as
number, locations, and depths of proposed uranium exploration drill-
holes.
Sources: FOIA and GAO analysis.
[A] As noted earlier in this report, classified information is not
included in DOE's and DOD's OUO and FOUO programs.
[End of table]
The Federal Managers Financial Improvement Act of 1982 states that
agencies must establish internal administrative controls in accordance
with the standards prescribed by the Comptroller General.[Footnote 5]
The Comptroller General published such standards in Standards for
Internal Control in the Federal Government, which sets out management
control standards for all aspects of an agency's operation. These
standards are intended to provide reasonable assurance of meeting
agency objectives, and should be recognized as an integral part of each
system that management uses to regulate and guide its operations. One
of the standards of internal control--internal control activities--
states that appropriate policies, procedures, techniques, and
mechanisms should exist with respect to each of the agency's activities
and are an integral part of an agency's planning, implementing, and
reviewing.
DOE's Office of Security issued an order, a manual, and a guide in
April 2003 to detail the requirements and responsibilities for DOE's
OUO program and to provide instructions for identifying, marking, and
protecting OUO information.[Footnote 6] According to DOE officials, the
agency issued the order, manual, and guide to provide guidance on how
and when to identify information as OUO and eliminate various
additional markings, such as Patent Caution or Business Sensitive, for
which there was no law, regulation, or DOE directive to inform staff
how such documents should be protected. The overall goal of the order
was to establish a policy consistent with criteria established in FOIA.
DOE's order established the OUO program and laid out, in general terms,
how sensitive information should be identified and marked, and who is
responsible for doing so. The guide and the manual supplement the
order. The guide provides more detailed information on the eight
applicable FOIA exemptions to help staff decide whether exemption(s)
may apply, which exemption(s) may apply, or both. The manual provides
specific instructions for managing OUO information, such as mandatory
procedures and processes for properly identifying and marking this
information. For example, the employee marking a document is required
to place on the front page of the document an OUO stamp that has a
space for the employee to identify which FOIA exemption is believed to
apply; the employee's name and organization; the date; and, if
applicable, any guidance the employee may have used in making this
determination.[Footnote 7] According to one senior DOE official,
requiring the employee to cite a reason why a document is designated as
OUO is one of the purposes of the stamp, and one means by which DOE's
Office of Classification encourages practices consistent with the
order, guide, and manual throughout DOE. Figure 1 shows the DOE OUO
stamp.
Figure 1: DOE's OUO Stamp:
[See PDF for image]
Source: DOE.
[End of figure]
The current DOD regulations are unclear regarding which DOD office
controls the FOUO program. Although responsibility for the FOUO program
was shifted from the Director for Administration and Management to the
Office of the Assistant Secretary of Defense, Command, Control,
Communications, and Intelligence (now the Under Secretary of Defense,
Intelligence) in October 1998, this shift is not reflected in current
regulations. Guidance for DOD's FOUO program continues to be included
in regulations issued by both offices. As a result, there is currently
a lack of clarity regarding which DOD office has primary responsibility
for the FOUO program. According to a DOD official, this lack of clarity
causes personnel who have FOUO questions to contact the wrong office.
The direction provided in Standards for Internal Control in the Federal
Government states that an agency's organizational structure should
clearly define key areas of authority and responsibility. A DOD
official said that they began coordination of a revised Information
Security regulation covering the FOUO program at the end of January
2006. The new regulation will reflect the change in responsibilities
and place greater emphasis on the management of the FOUO program.
DOD currently has two regulations, issued by each of the offices
described above, containing similar guidance that addresses how
unclassified but sensitive information should be identified, marked,
handled, and stored.[Footnote 8] Once information in a document has
been identified as FOUO, it is to be marked For Official Use Only.
However, unlike DOE, DOD has no departmentwide requirement to indicate
which FOIA exemption may apply to the information, except when it has
been determined to be releasable to a federal governmental entity
outside of DOD. We found, however, that one of the Army's subordinate
commands does train its personnel to put an exemption on any documents
that are marked as FOUO, but does not have this step as a requirement
in any policy. In our view, if DOD were to require employees to take
the extra step of marking the exemption that may be the reason for the
FOUO designation at the time of document creation, it would help assure
that the employee marking the document has at least considered the
exemptions and made a thoughtful determination that the information
fits within the framework of the FOUO designation. Including the FOIA
exemption on the document at the time it is marked would also
facilitate better agency oversight of the FOUO program since it would
provide any reviewer/inspector with an indication of the basis for the
marking.
Both DOE's and DOD's policies are unclear at what point to actually
affix the OUO or FOUO designation to a document. If a document is not
marked at creation, but might contain information that is OUO or FOUO
and should be handled as such, it creates a risk that the document
could be mishandled. DOE policy is vague about the appropriate time to
apply a marking. DOE officials in the Office of Classification stated
that their policy does not provide specific guidance about at what
point to mark a document because such decisions are highly situational.
Instead, according to these officials, the DOE policy relies on the
"good judgment" of DOE personnel in deciding the appropriate time to
mark a document. Similarly, DOD's current Information Security
regulation addressing the FOUO program does not identify when a
document should be marked. In contrast, DOD's September 1998 FOIA
regulation, in a chapter on FOUO, states that "the marking of records
at the time of their creation provides notice of FOUO content and
facilitates review when a record is requested under the FOIA." In our
view, a policy can provide flexibility to address highly situational
circumstances and also provide specific guidance and examples of how to
properly exercise this flexibility.
In addition, we found both DOE's and DOD's OUO and FOUO programs lack
clear language identifying examples of inappropriate use of OUO or FOUO
markings. According to Standards for Internal Control in the Federal
Government, agencies should have sufficient internal controls in place
to mitigate risk and assure that employees are aware of what behavior
is acceptable and what is unacceptable. Without explicit language
identifying inappropriate use of OUO or FOUO markings, DOE and DOD
cannot be confident that their personnel will not use these markings to
conceal mismanagement, inefficiencies, or administrative errors or to
prevent embarrassment to themselves or their agency.[Footnote 9]
Neither DOE nor DOD Requires Training or Conducts Oversight:
Standards for Internal Control in the Federal Government discusses the
need for both training and continuous program monitoring as necessary
components of a good internal control program. However, while both DOE
and DOD offer training to staff on managing OUO and FOUO information,
neither agency requires any training of its employees before they are
allowed to identify and mark information as OUO or FOUO, although some
staff will eventually take OUO or FOUO training as part of other
mandatory training. In addition, neither agency has implemented an
oversight program to determine the extent to which employees are
complying with established policies and procedures. DOE and DOD
officials told us that limited resources, and in the case of DOE, the
newness of the program, have contributed to the lack of training
requirements and oversight.
OUO and FOUO Training Is Generally Not Required:
While many DOE units offer training on DOE's OUO policy, DOE does not
have a departmentwide policy that requires OUO training before an
employee is allowed to designate a document as OUO. As a result, some
DOE employees may be identifying and marking documents for restriction
from dissemination to the public or persons who do not need to know the
information to perform their jobs and yet may not be fully informed as
to when it is appropriate to do so. At DOE, the level of training that
employees receive is not systematic and varies considerably by unit,
with some requiring OUO training at some point as a component of other
periodic employee training, and others having no requirements at all.
For example, most of DOE's approximately 10,000 contractor employees at
the Sandia National Laboratories in Albuquerque, New Mexico, are
required to complete OUO training as part of their annual security
refresher training. In contrast, according to the senior classification
official at Oak Ridge, very few staff received OUO training at DOE's
Oak Ridge Office in Oak Ridge, Tennessee, although staff were sent
general information about the OUO program when it was launched in 2003
and again in 2005. Instead, this official provides OUO guidance and
other reference and training materials to senior managers with the
expectation that they will inform their staff on the proper use of OUO.
DOD similarly has no departmentwide training requirements before staff
are authorized to identify, mark, and protect information as FOUO. The
department relies on the individual services and components within DOD
to determine the extent of training employees receive. When training is
provided, it is usually included as part of a unit's overall security
training, which is required for many but not all employees. There is no
requirement to track which employees received FOUO training, nor is
there a requirement for periodic refresher training. Some DOD
components, however, do provide FOUO training for employees as part of
their security awareness training.
Oversight of OUO and FOUO Programs Is Lacking:
Neither DOE nor DOD knows the level of compliance with OUO and FOUO
program policies and procedures because neither agency conducts any
oversight to determine whether the OUO and FOUO programs are being
managed well. According to a senior manager in DOE's Office of
Classification, the agency does not review OUO documents to assess
whether they are properly identified and marked. This condition appears
to contradict the DOE policy requiring the agency's senior officials to
assure that the OUO programs, policies, and procedures are effectively
implemented. Similarly, DOD does not routinely review FOUO information
to assure that it is properly managed.
Without oversight, neither DOE nor DOD can assure that staff are
complying with agency policies. We are aware of at least one recent
case in which DOE's OUO policies were not followed. In 2005, there were
several stories in the news about revised estimates of the cost and
length of the cleanup of high-level radioactive waste at DOE's Hanford
Site in southeastern Washington. This information was controversial
because there is a history of delays and cost overruns associated with
this multibillion dollar project, and DOE was restricting a key
document containing recently revised cost and time estimates from being
released to the public. This document, which was produced by the U.S.
Army Corps of Engineers for DOE, was marked Business Sensitive by DOE.
However, according to a senior official in the DOE Office of
Classification, Business Sensitive is not a recognized marking in DOE.
Therefore, there is no DOE policy or guidance on how to handle or
protect documents marked with this designation. This official said that
if information in this document needed to be restricted from release to
the public, then the document should have been stamped OUO and the
appropriate FOIA exemption should have been marked on the document.
Conclusions:
The lack of clear policies, effective training, and oversight in DOE's
and DOD's OUO and FOUO programs could result in both over-and
underprotection of unclassified yet sensitive government documents that
may need to be limited from disclosure to the public or persons who do
not need to know such information to perform their jobs to prevent
potential harm to governmental, commercial, or private interests.
Having clear policies and procedures in place, as discussed in
Standards for Internal Control in the Federal Government, can mitigate
the risk that programs could be mismanaged and can help DOE and DOD
management assure that OUO or FOUO information is appropriately marked
and handled. DOE and DOD have no systemic procedures in place to assure
that staff are adequately trained before designating documents OUO or
FOUO, nor do they have any means of knowing the extent to which
established policies and procedures for making these designations are
being complied with. These issues are important because they affect
DOE's and DOD's ability to assure that the OUO and FOUO programs are
identifying, marking, and safeguarding documents that truly need to be
protected in order to prevent potential damage to governmental,
commercial, or private interests.
Recommendations for Executive Action:
To assure that the guidance governing the FOUO program reflects the
necessary internal controls for good program management, we recommend
that the Secretary of Defense take the following two actions:
* revise the regulations that currently provide guidance on the FOUO
program to conform to the 1998 policy memo designating which office has
responsibility for the FOUO program and:
* revise any regulation governing the FOUO program to require that
personnel designating a document as FOUO also mark the document with
the FOIA exemption used to determine the information should be
restricted.
We also recommend that the Secretaries of Energy and Defense take the
following two actions to clarify all guidance regarding the OUO and
FOUO designations:
* identify at what point the document should be marked as OUO or FOUO
and:
* define what would be an inappropriate use of the designations OUO or
FOUO.
To assure that OUO and FOUO designations are correctly and consistently
applied, we recommend that the Secretaries of Energy and Defense take
the following two actions:
* assure that all employees authorized to make OUO and FOUO
designations receive an appropriate level of training before they can
mark documents and:
* develop a system to conduct periodic oversight of OUO and FOUO
designations to assure that information is being properly marked and
handled.
Agency Comments and Our Evaluation:
In commenting on a draft of this report, both DOE and DOD agreed with
the findings of the report and with most of the report's
recommendations. DOE agreed with our recommendations to clarify its
guidance to identify at what point a document should be marked OUO and
define what would be an inappropriate use of OUO. They also agreed with
our recommendation that all employees authorized to make OUO
designations receive training before they can mark documents. DOD
concurred with our recommendations to revise the regulations
designating which office has responsibility for the FOUO program, to
clarify guidance regarding at what point to mark a document as FOUO and
to define inappropriate usage of the FOUO designation, and to assure
that all employees authorized to make FOUO designations receive
appropriate training.
Both DOE and DOD partially concurred with our recommendation to develop
a system to conduct periodic oversight of OUO or FOUO designations.
They agreed with developing a system for periodic oversight of OUO or
FOUO designations, but disagreed with the recommendation in our draft
report to conduct period reviews of OUO or FOUO information to
determine if the information continues to require that designation. DOE
stated that much of the information designated as OUO is permanent by
nature--such as information related to privacy and proprietary
interests--and a systematic review would "primarily serve to correct a
small error rate that would be better addressed by additional training
and oversight." In its comments, DOD stated that such a review would
not be an efficient use of limited resources because "all DOD
information, whether marked as FOUO or not, is specifically reviewed
for release when disclosure to the public is desired by the Department
or requested by others. Any erroneous or improper designation as FOUO
is identified and corrected in this review process and the information
released as appropriate. Thus, information is not withheld from the
public based solely on the initial markings applied by the originator."
Based on DOE's and DOD's comments, we believe the agencies have agreed
to address the principal concern that led to our original
recommendation. We therefore have modified the report and our
recommendation to focus on the need for periodic oversight of the OUO
and FOUO programs by deleting the portion of the recommendation calling
for a periodic review of the information to determine if it continues
to require an OUO or FOUO designation.
DOD did not concur with our recommendation to require that personnel
designating a document as FOUO also mark the document with the
applicable FOIA exemption(s). DOD stated that "if the individual
erroneously applies an incorrect/inappropriate FOIA exemption to a
document, then it is possible that other documents that are
derivatively created from this document would also carry the incorrect
FOIA exemption or that the incorrect designation could cause problems
if a denial is litigated. Additionally, when the document is reviewed
for release to the public, the annotated FOIA exemption may cause the
reviewer to believe that the document is automatically exempt from
release and not perform a proper review." However, we believe that the
practice of citing the applicable FOIA exemption(s) will not only
increase the likelihood that the information is appropriately marked as
FOUO, but will also foster consistent application of the marking
throughout DOD. Using a stamp similar to the one employed by DOE (see
fig. 1), which clearly states that the marked information may be exempt
from public release under a specific FOIA exemption, should facilitate
the practice. Furthermore, as DOD stated above, "all DOD information,
whether marked as FOUO or not, is specifically reviewed for release
when disclosure to the public is desired by the Department or requested
by others. Any erroneous or improper designation as FOUO is identified
and corrected in this review process and the information released as
appropriate. Thus, information is not withheld from the public based
solely on the initial markings applied by the originator." Therefore,
if DOD, under the FOIA process, properly reviews all documents before
they are released and corrects any erroneous or improper designation,
then prior markings should not affect the decision to release a
document, particularly if such markings are identified as provisional.
Therefore, we continue to believe our recommendation has merit.
Comments from DOE's Director, Office of Security and Safety Performance
Assurance and DOD's Deputy Under Secretary of Defense
(Counterintelligence and Security) are reprinted in appendix I and
appendix II, respectively. DOE and DOD also provided technical
comments, which we included in the report as appropriate.
As agreed with your offices unless you publicly release the contents of
this report earlier, we plan no further distribution until 30 days from
its date. We will then send copies of this report to the Secretary of
Energy; the Secretary of Defense; the Director, Office of Management
and Budget; and interested congressional committees. We will also make
copies available to others upon request. In addition, this report will
be available at no charge on the GAO Web site at http://www.gao.gov.
If you or your staff have any questions concerning this report, please
contact either of us. Davi M. D'Agostino can be reached at (202) 512-
5431 or dagostinod@gao.gov, and Gene Aloise can be reached at (202) 512-
3841 or aloisee@gao.gov. Contact points for our Offices of
Congressional:
Relations and Public Affairs may be found on the last page of this
report. GAO staff who made major contributions to this report are
listed in appendix III.
Sincerely yours,
Signed by:
Davi M. D'Agostino:
Director, Defense Capabilities and Management:
Gene Aloise:
Director, Natural Resources and Environment:
[End of section]
Appendix I: Comments from the Department of Energy:
Department of Energy:
Washington, DC 20585:
February 7, 2006:
Mr. Gene Aloise:
Director:
Natural Resources and Environment Team:
United States Government Accountability Office:
Washington, D.C. 20548:
Dear Mr. Aloise:
The Department of Energy (DOE) has completed its review of the
Government Accountability Office (GAO) draft report GAO-06-369,
MANAGING SENSITIVE INFORMATION: Departments of Energy and Defense
Policies and Oversight Could Be Improved. We understand the report is
one of three that resulted from a request by The Honorable Christopher
Shays to review information classification management at the Department
of Energy and the Department of Defense (DOD). This review was
specifically to (1) identify and assess the policies, procedures, and
criteria the DOE and the DOD employ to manage Official Use Only (OUO)
and For Official Use Only (FOUO) information and (2) determine the
extent to which DOD's and DOD's training and oversight programs assure
that information is identified, marked, and protected according to
established criteria.
The DOE agrees that the findings are accurate and concurs with all but
one recommendation as discussed below. Since the 2003 publication of
DOE Order 471.3, Identifying and Protecting Official Use Only
Information, DOE Manual 471.3-1, Manual for Identifying and Protecting
Official Use Only Information, and DOE Guide 471.3-1, Guide to
Identifying Official Use Only Information, DOE efforts have focused on
education and assistance. The DOE has assisted its organizations by
providing training and reviewing OUO training materials produced by
program offices as requested, and by responding to questions. In
addition, Headquarters personnel met with field personnel regarding OUO
training and program implementation during classification oversight
reviews. Despite these efforts, we agree with the GAO that the DOE OUO
program is implemented unevenly. Therefore, we agree that OUO training
should be required for all employees and that OUO should be included as
an element of oversight reviews. The DOE plans to revise OUO directives
to add training and oversight requirements. These actions should ensure
OUO information is identified accurately and consistently throughout
the DOE. In addition, the directives will be revised, as recommended,
to include information on the inappropriate use of OUO and clarify the
point at which a document containing OUO information should be marked.
However, we disagree with the GAO recommendation for periodic review of
OUO information. Most OUO documents are in collections that do not have
permanent historical value, for which there is no public interest, and
that are destroyed without ever having been requested. Documents are
currently reviewed as requested and when they are scheduled for
release. The DOE believes this approach represents the most efficient
method of providing information to the public and best matches the
public interest to taxpayer cost.
Periodic review is also unnecessary because it would likely result in
few changes to OUO determinations. Unlike classified information, which
may be declassified or subject to declassification dates or events, the
Freedom of Information Act (FOIA) basis for OUO information is stable,
and much of the information is permanent by nature. OUO is consistent
with FOIA exemptions, which, except for minor additions, have been
stable since the law was enacted in 1966. Certain exemptions, such as
privacy and proprietary exemptions, are permanent in nature. Systematic
review would primarily serve to correct a small error rate that would
be better addressed by additional training and oversight.
Although systematic review is inadvisable, we agree that some quality
control is prudent. We, therefore, plan to include the review of OUO
documents in oversight reviews and to revise DOE directives to require
document reviews for OUO in field-conducted oversight reviews and self-
assessments.
We also plan to take a pro-active approach to lessen the likelihood of
incorrect OUO determinations. Revising DOE directives for clarity and
requiring additional training and oversight should improve the
implementation of the OUO program and decrease the likelihood of
documents being incorrectly marked or not marked as OUO. Our planned
actions, as detailed in the appendix, should provide sufficient
education and quality control to ensure that the DOE's OUO program is
consistent and accurate. We feel these actions represent a cost
effective solution to improving the DOE's OUO program.
Sincerely,
Signed by:
Glenn S. Podonsky:
Director:
Office of Security and Safety Performance Assurance:
Enclosures:
Appendix:
DOE Response to GAO Draft Report MANAGING SENSITIVE INFORMATION:
Departments of Energy and Defense Policies and Oversight Could Be
Improved (GAO-06-369):
In summary, the DOE finds the draft report to be a fair evaluation of
its Official Use Only (OUO) program. The DOE plans the following
specific actions related to recommendations in the draft report:
Recommendation 1. We recommend that the Secretaries of Energy and
Defense clarify all guidance regarding the OUO and FOUO designations:
* To identify when the document should be marked as "OUO" or "FOUO" and
* To define what would be an inappropriate use of the designations
"OUO" or "FOUO."
DOE Response. The DOE plans to revise DOE Order 471.3, Identifying and
Protecting Official Use Only Information, and DOE Manual 471.3-1,
Manual for Identifying and Protecting Official Use Only Information, to
clarify the point at which OUO markings should be applied to a
document.
The DOE also plans to revise the above directives to include a
discussion of the inappropriate use of OUO.
Recommendation 2. Assure that all employees authorized to make OUO and
FOUO designations receive an appropriate level of training before they
can mark documents.
DOE Response. The DOE plans to revise DOE directives to require initial
and refresher OUO training and identify the persons responsible for
ensuring training is implemented and conducted.
Recommendation 3. Develop a system to conduct periodic oversight of OUO
and FOUO designations to assure that information is being properly
marked and handled and that a periodic review of the information is
done to determine if the information continues to be OUO.
DOE Response. The DOE plans to implement an OUO oversight program to
include an evaluation of the identifying, marking, and protection of
OUO information using lines of inquiry based on DOE directives and
guidance. The program will be developed and incorporated into the
Classification and Information Control Oversight Program. Oversight
reviews will include the review of documents marked OUO and unmarked
documents to ensure OUO determinations are appropriate and consistent,
and the correct exemptions are cited. In addition, the DOE plans to
revise the OUO directives to add the evaluation of the identification,
marking, and protection of OUO as a requirement for field oversight
reviews and self-assessments.
The DOE does not plan to develop a program for systematic review of OUO
documents. The current approach of reviewing documents as requested and
when they are scheduled for release represents the most efficient
method of providing information to the public and best matches the
public interest to taxpayer cost. The DOE feels increased training and
oversight will produce a more consistent and accurate OUO program
sufficiently responsive to public interest.
[End of section]
Appendix II: Comments from the Department of Defense:
OFFICE OF THE UNDER SECRETARY OF DEFENSE:
INTELLIGENCE:
5000 DEFENSE PENTAGON:
WASHINGTON, DC 20301-5000:
Ms. Davi M. D'Agostino:
Director, Defense Capabilities and Management:
U.S. Government Accountability Office:
441 G Street, N.W.:
Washington, DC 20548:
Dear Ms. D'Agostino:
This is the Department of Defense (DoD) response to the GAO draft
report, "MANAGING SENSITIVE INFORMATION: Departments of Energy and
Defense Policies and Oversight Could Be Improved," dated January 23,
2006, (GAO Code 350774/GAO-06-369).
The DoD agrees that policy regarding use of the "For Official Use Only"
(FOUO) designation could be clarified and changes to do so are included
in the revision of DoD Regulation 5200.1, "DoD Information Security
Program," which is currently underway. Additional guidance will be
incorporated to include changes suggested by the GAO. However, the DoD
disagrees with the GAO's recommendations that the designator annotate
the applicable FOIA exemption and that documents so marked be
periodically reviewed to determine if the information continues to
require the FOUO designation.
Detailed comments on each of the specific recommendations in the draft
report are attached.
Sincerely,
Signed for:
Robert W. Rogalski:
Deputy Under Secretary of Defense (Counterintelligence and Security):
GAO DRAFT REPORT - DATED JANUARY 23, 2006 GAO CODE 350774/GAO-06-369:
"MANAGING SENSITIVE INFORMATION: Departments of Energy and Defense
Policies and Oversight Could Be Improved"
DEPARTMENT OF DEFENSE COMMENTS TO THE RECOMMENDATIONS:
RECOMMENDATION 1: The GAO recommended that the Secretary of Defense
revise the regulations that currently provide guidance on the FOUO
program to conform to the 1998 policy memo designating which office has
responsibility for the FOUO program. (p. 13/GAO Draft Report):
DOD RESPONSE: Concur. This requirement will be addressed as part of the
on-going revisions of DoD Regulation 5200.1, "DoD Information Security
Program," and DoD Regulation 5400.7, "Freedom of Information Act
Program."
RECOMMENDATION 2: The GAO recommended that the Secretary of Defense
revise any regulation governing the FOUO program to require that
personnel designating a document as "FOUO" also mark the document with
the applicable FOIA exemption used to determine the information should
be restricted. (p. 13/GAO Draft Report):
DOD RESPONSE: Non-concur. The Department does not concur with the GAO
recommendation that the personnel designating an original document as
"FOUO" also annotate the marking with the appropriate FOIA exemption.
If the individual erroneously applies an incorrect/inappropriate FOIA
exemption to a document, then it is possible that other documents that
are derivatively created from this document would also carry the
incorrect FOIA exemption or that the incorrect designation could cause
problems if a denial is litigated. Additionally, when the document is
reviewed for release to the public, the annotated FOIA exemption may
cause the reviewer to believe that the document is automatically exempt
from release and not perform a proper review.
RECOMMENDATION 3: The GAO recommended that the Secretaries of Energy
and Defense clarify all guidance regarding the OUO and FOUO
designations to identify when the document should be marked as "OUO" or
"FOUO"; and, to define what would be an inappropriate use of the
designations "OUO" or "FOUO." (p. 14/GAO Draft Report):
DOD RESPONSE: Concur. These requirements will be added to the guidance
regarding FOUO information in the revision of DoD 5200.1-R that is
underway.
RECOMMENDATION 4: The GAO recommended that the Secretaries of Energy
and Defense assure that all employees authorized to make OUO and FOUO
designations receive an appropriate level of training before they can
mark documents. (p. 14/GAO Draft Report):
DOD RESPONSE: Concur. The revision to DoD 5200.1-R will specify that
all personnel shall receive training that provides a basic
understanding of the nature of controlled unclassified information and
to ensure proper protection of such information in their possession.
RECOMMENDATION 5: The GAO recommended that the Secretaries of Energy
and Defense develop a system to conduct periodic oversight of OUO and
FOUO designations to assure that information is being properly marked
and handled and that a periodic review of the information is done to
determine if the information continues to require an OUO/FOUO
designation. (p. 14/GAO Draft Report):
DOD RESPONSE: Partially Concur. The Department concurs with the
recommendation to develop a system to conduct periodic oversight of
FOUO designations and will include that requirement as part of the
Information Security Program oversight process. The Department non-
concurs with the requirement to conduct periodic reviews of FOUO
information to determine if the information continues to require that
designation. Except to the extent that FOUO information is included in
a classification guide and is reviewed as part of a classified program
requirement, such a review is not an efficient use of limited
Departmental resources. Designation as FOUO does not limit information
dissemination to the public but rather serves to inform DoD personnel
that the information may qualify for withholding and that extra caution
should be taken in handling the information. All DoD information,
whether marked as FOUO or not, is specifically reviewed for release
when disclosure to the public is desired by the Department or requested
by others. Any erroneous or improper designation as FOUO is identified
and corrected in this review process and the information released as
appropriate. Thus, information is not withheld from the public based
solely on the initial markings applied by the originator. Additionally,
it is not clear that a sufficient number of FOUO designations would
change with the passage of time to justify the resource expenditure as
the basis for many of the exemptions is not time-related (e.g.,
proprietary, Privacy, statutory).
[End of section]
Appendix III: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Davi M. D'Agostino (202) 512-5431 or dagostinod@gao.gov:
Gene Aloise (202) 512-3841 or aloisee@gao.gov:
Acknowledgments:
In addition to the contacts named above, Ann Borseth and Ned Woodward,
Assistant Directors; Nancy Crothers; Doreen Feldman; Mattias Fenton;
Adam Hatton; David Keefer; William Lanouette; Gregory Marchand; David
Mayfield; James Reid; Marc Schwartz; Kevin Tarmann; Cheryl Weissman;
and Jena Whitley made key contributions to this report.
FOOTNOTES
[1] Freedom of Information Act (5 U.S.C. § 552).
[2] FOIA exemption 1 solely concerns classified information, which is
governed by Executive Order; DOE and DOD do not include this category
in their OUO and FOUO programs since the information is already
restricted by each agency's classified information procedures. In
addition, exemption 3 addresses information specifically exempted from
disclosure by statute, which may or may not be considered OUO or FOUO.
Information that is classified or controlled under a statute, such as
Restricted Data or Formerly Restricted Data under the Atomic Energy
Act, is not also designated as OUO or FOUO.
[3] GAO, Transportation Security Administration: Clear Policies and
Oversight Needed for Designation of Sensitive Security Information, GAO-
05-677 (Washington, D.C.: June 29, 2005).
[4] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[5] Pub. L. No. 97-255 (Sept. 8, 1982).
[6] DOE Order 471.3, Identifying and Protecting Official Use Only
Information, contains responsibilities and requirements; DOE Manual
471.3-1, Manual for Identifying and Protecting Official Use Only
Information, provides instructions for implementing requirements; and
DOE Guide 471.3-1, Guide to Identifying Official Use Only Information,
provides information to assist staff in deciding whether information
could be OUO.
[7] DOE classification guides used for managing classified information
sometimes include specific guidance on what information should be
protected and managed as OUO. When such specific guidance is available
to the employee, he or she is required to mark the document
accordingly.
[8] DOD 5400.7-R, DOD Freedom of Information Act Program (Sept. 4,
1998); DOD 5200.1-R, Information Security Program (Jan. 14, 1997); and
interim changes to DOD 5200.1-R, Information Security Regulation,
Appendix 3: Controlled Unclassified Information (April 2004).
[9] Similar language is included in DOD's policies regarding protection
of national security information (DOD 5200.1-R, Information Security
Program, (Jan. 14, 1997), sec. C2.4.3.1). DOE's policy for protecting
national security information (DOE M 475.1-1A) makes reference to
Executive Order 12958, as amended, which also has similar language.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
