Managing Sensitive Information

DOE and DOD Could Improve Their Policies and Oversight. GAO ID: GAO-06-531T, March 14, 2006

In the interest of national security and personal privacy and for other reasons, federal agencies place dissemination restrictions on information that is unclassified yet still sensitive. The Department of Energy (DOE) and the Department of Defense (DOD) have both issued policy guidance on how and when to protect sensitive information. DOE marks documents with this information as Official Use Only (OUO) while DOD uses the designation For Official Use Only (FOUO). GAO was asked to (1) identify and assess the policies, procedures, and criteria DOE and DOD employ to manage OUO and FOUO information; and (2) determine the extent to which DOE's and DOD's training and oversight programs assure that information is identified, marked, and protected according to established criteria.

As GAO reported earlier this month, both DOE and DOD base their programs on the premise that information designated as OUO or FOUO must (1) have the potential to cause foreseeable harm to governmental, commercial, or private interests if disseminated to the public or persons who do not need the information to perform their jobs; and (2) fall under at least one of eight Freedom of Information Act (FOIA) exemptions. While DOE and DOD have policies in place to manage their OUO or FOUO programs, our analysis of these policies showed a lack of clarity in key areas that could allow inconsistencies and errors to occur. For example, it is unclear which DOD office is responsible for the FOUO program, and whether personnel designating a document as FOUO should note the FOIA exemption used as the basis for the designation on the document. Also, both DOE's and DOD's policies are unclear regarding at what point a document should be marked as OUO or FOUO and what would be an inappropriate use of the OUO or FOUO designation. For example, OUO or FOUO designations should not be used to conceal agency mismanagement. In our view, this lack of clarity exists in both DOE and DOD because the agencies have put greater emphasis on managing classified information, which is more sensitive than OUO or FOUO. In addition, while both DOE and DOD offer training on their OUO and FOUO policies, neither DOE nor DOD has an agencywide requirement that employees be trained before they designate documents as OUO or FOUO. Moreover, neither agency conducts oversight to assure that information is appropriately identified and marked as OUO or FOUO. DOE and DOD officials told us that limited resources, and in the case of DOE, the newness of the program, have contributed to the lack of training requirements and oversight. Nonetheless, the lack of training requirements and oversight of the OUO and FOUO programs leaves DOE and DOD officials unable to assure that OUO and FOUO documents are marked and handled in a manner consistent with agency policies and may result in inconsistencies and errors in the application of the programs.



GAO-06-531T, Managing Sensitive Information: DOE and DOD Could Improve Their Policies and Oversight

This is the accessible text file for GAO report number GAO-06-531T entitled 'Managing Sensitive Information: DOE and DOD Could Improve Their Policies and Oversight' which was released on March 14, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments. Accessibility features, such as text descriptions of tables and consecutively numbered footnotes placed at the end of the file, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Testimony: Before the Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform, House of Representatives

United States Government Accountability Office

For Release on Delivery, Expected at 2:00 p.m. EST, Tuesday, March 14, 2006

Managing Sensitive Information: DOE and DOD Could Improve Their Policies and Oversight

Statement of Davi M. D'Agostino, Director, Defense Capabilities and Management, and Gene Aloise, Director, Natural Resources and Environment

GAO-06-531T

GAO Highlights: Highlights of GAO-06-531T, a testimony to the Chairman, Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform, House of Representatives.

What GAO Recommends: In its report issued earlier this month, GAO made several recommendations for DOE and DOD to clarify their policies to assure the consistent application of OUO and FOUO designations and increase the level of management oversight in their use. DOE and DOD agreed with most of GAO's recommendations, but partially disagreed with its recommendation to periodically review OUO or FOUO information. DOD also disagreed that personnel designating a document as FOUO should mark it with the applicable FOIA exemption.

Full product, including the scope and methodology: www.gao.gov/cgi-bin/getrpt?GAO-06-531T. For more information, contact Davi D'Agostino at (202) 512-5431 or Gene Aloise at (202) 512-3841.

[End of section]

Mr. Chairman and Members of the Subcommittee:

We are pleased to be here today to discuss our work on how the Departments of Energy (DOE) and Defense (DOD) use the designations Official Use Only (OUO) and For Official Use Only (FOUO), respectively, to manage information that is unclassified but sensitive. My testimony today is based on our report issued earlier this month entitled Managing Sensitive Information: Departments of Energy and Defense Policies and Oversight Could Be Improved (GAO-06-369). This report (1) identified and assessed the policies, procedures, and criteria that DOE and DOD employ to manage OUO and FOUO information; and (2) determined the extent to which DOE's and DOD's training and oversight programs assure that information is identified and marked according to established criteria.

In summary, both DOE and DOD base their programs on the premise that information designated as OUO or FOUO must (1) have the potential to cause foreseeable harm to governmental, commercial, or private interests if disseminated to the public or persons who do not need the information to perform their jobs; and (2) fall under at least one of eight Freedom of Information Act (FOIA) exemptions.[Footnote 1] (See the appendix for a list and description of the exemptions of FOIA.) Both agencies have policies in place to implement their programs. However, our analysis of these policies showed a lack of clarity in key areas that could allow inconsistencies and errors to occur.
Specifically:

* It is unclear which DOD office is responsible for the FOUO program, and whether personnel designating a document as FOUO should note the FOIA exemption used as the basis for the designation on the document.

* Both DOE's and DOD's policies are unclear regarding at what point a document should be marked as OUO or FOUO and what would be an inappropriate use of the OUO or FOUO designation. For example, OUO or FOUO designations should not be used to conceal agency mismanagement.

In addition, while both DOE and DOD offer training on their OUO and FOUO policies, neither DOE nor DOD has an agencywide requirement that employees be trained before they designate documents as OUO or FOUO. Moreover, neither agency conducts oversight to assure that information is appropriately identified and marked as OUO or FOUO. This lack of training requirements and oversight leaves DOE and DOD officials unable to assure that OUO and FOUO documents are marked and handled in a manner consistent with agency policies and may result in inconsistencies and errors in the application of the programs.

We recommended that both agencies clarify their policies and guidance to identify at what point a document should be marked as OUO or FOUO and to define inappropriate uses of these designations. We also recommended that DOD clarify its policies as to which office is responsible for the FOUO program and that it require personnel designating a document as FOUO also to note the FOIA exemption they used to determine that the information should be restricted. With regard to training and management oversight, we recommended that both DOE and DOD require personnel to be trained before they can designate information as OUO or FOUO, and that they develop a system to conduct periodic oversight of OUO or FOUO designations to assure that their policies are being followed.

In commenting on our draft report, DOE and DOD agreed with most of our recommendations, but DOD disagreed that personnel designating a document as FOUO should also mark the document with the FOIA exemption used to determine that the information should be restricted. DOD expressed concern that an individual may apply an incorrect or inappropriate FOIA exemption and thus cause other documents that are created from the original to also carry the incorrect FOIA exemption, or that the incorrect designation could cause problems if a denial is litigated. However, we believe that citing the applicable FOIA exemptions when marking a document will cause the employee to consider the exemptions and make a thoughtful determination that the information fits within the framework of the FOUO designation. Also, when the public requests documents, FOIA experts review them before DOD releases or denies release of the documents, at which time an incorrect initial designation should be corrected. Our recommendation was intended to better assure appropriate consideration of the FOIA exemptions at the beginning of the process, and we continue to believe that this recommendation has merit.

DOE and DOD Lack Clear OUO and FOUO Guidance in Key Aspects:

Both DOE and DOD have established offices, designated staff, and promulgated policies to provide a framework for the OUO and FOUO programs. However, their policies lack sufficient clarity in important areas, which could result in inconsistencies and errors. DOE policy clearly identifies the office responsible for the OUO program and establishes a mechanism to mark the FOIA exemption used as the basis for the OUO designation on a document. However, our analysis of DOD's FOUO policies shows that it is unclear which DOD office is responsible for the FOUO program, and whether personnel designating a document as FOUO should note the FOIA exemption used as the basis for the designation on the document. Also, both DOE's and DOD's policies are unclear regarding at what point a document should be marked as OUO or FOUO, and what would be an inappropriate use of the OUO or FOUO designation. In our view, this lack of clarity exists in both DOE and DOD because the agencies have put greater emphasis on managing classified information, which is more sensitive than OUO or FOUO information.

DOE's Office of Security issued an order, a manual, and a guide in April 2003 to detail the requirements and responsibilities for DOE's OUO program and to provide instructions for identifying, marking, and protecting OUO information.[Footnote 2] DOE's order established the OUO program and laid out, in general terms, how sensitive information should be identified and marked, and who is responsible for doing so. The guide and the manual supplement the order. The guide provides more detailed information on the applicable FOIA exemptions to help staff decide whether exemption(s) may apply, which exemption(s) may apply, or both. The manual provides specific instructions for managing OUO information, such as mandatory procedures and processes for properly identifying and marking this information. For example, the employee marking a document is required to place on the front page of the document an OUO stamp that has a space for the employee to identify which FOIA exemption is believed to apply; the employee's name and organization; the date; and, if applicable, any guidance the employee may have used in making this determination.[Footnote 3] According to one senior DOE official, requiring the employee to cite a reason why a document is designated as OUO is one of the purposes of the stamp, and one means by which DOE's Office of Classification encourages practices consistent with the order, guide, and manual throughout DOE. Figure 1 shows the DOE OUO stamp.

Figure 1: DOE's OUO Stamp:
[See PDF for image]
Source: DOE.
[End of figure]

With regard to DOD, its regulations are unclear regarding which DOD office controls the FOUO program. Although responsibility for the FOUO program shifted from the Director for Administration and Management to the Office of the Assistant Secretary of Defense, Command, Control, Communications, and Intelligence (now the Under Secretary of Defense, Intelligence) in October 1998, this shift is not reflected in current regulations. Guidance for DOD's FOUO program continues to be included in regulations issued by both offices. As a result, which DOD office has primary responsibility for the FOUO program is unclear. According to a DOD official, on occasion this lack of clarity causes personnel who have FOUO questions to contact the wrong office. A DOD official said that the department began coordination of a revised Information Security regulation covering the FOUO program at the end of January 2006. The new regulation will reflect the change in responsibilities and place greater emphasis on the management of the FOUO program.

DOD currently has two regulations, issued by each of the offices described above, containing similar guidance that addresses how unclassified but sensitive information should be identified, marked, handled, and stored.[Footnote 4] Once information in a document has been identified as for official use only, it is to be marked FOUO. However, unlike DOE, DOD has no departmentwide requirement to indicate which FOIA exemption may apply to the information, except when it has been determined to be releasable to a federal governmental entity outside of DOD. We found, however, that one of the Army's subordinate commands does train its personnel to put an exemption on any documents that are marked as FOUO, but does not have this step as a requirement in any policy.

In our view, if DOD were to require employees to take the extra step of marking the exemption that may be the reason for the FOUO designation at the time of document creation, it would help assure that the employee marking the document had at least considered the exemptions and made a thoughtful determination that the information fit within the framework of the FOUO designation. Including the FOIA exemption on the document at the time it is marked would also facilitate better agency oversight of the FOUO program, since it would provide any reviewer or inspector with an indication of the basis for the marking.

In addition, both DOE's and DOD's policies are unclear as to the point at which the OUO or FOUO designation should actually be affixed to a document. If a document might contain information that is OUO or FOUO but it is not so marked when it is first created, the risk that the document could be mishandled increases. DOE policy is vague about the appropriate time to apply a marking. DOE officials in the Office of Classification stated that their policy does not provide specific guidance about at what point to mark a document because such decisions are highly situational. Instead, according to these officials, the DOE policy relies on the "good judgment" of DOE personnel in deciding the appropriate time to mark a document. Similarly, DOD's current Information Security regulation addressing the FOUO program does not identify at what point a document should be marked. In contrast, DOD's September 1998 FOIA regulation, in a chapter on FOUO, states that "the marking of records at the time of their creation provides notice of FOUO content and facilitates review when a record is requested under the FOIA."[Footnote 5] In our view, a policy can provide flexibility to address highly situational circumstances and also provide specific guidance and examples of how to properly exercise this flexibility.

In addition, we found that both DOE's and DOD's OUO and FOUO programs lack clear language identifying examples of inappropriate usage of OUO or FOUO markings. Without such language, DOE and DOD cannot be confident that their personnel will not use these markings to conceal mismanagement, inefficiencies, or administrative errors, or to prevent embarrassment to themselves or their agency.[Footnote 6]

Neither DOE nor DOD Requires Training or Conducts Oversight:

While both DOE and DOD offer training to staff on managing OUO and FOUO information, neither agency requires any training of its employees before they are allowed to identify and mark information as OUO or FOUO, although some staff will eventually take OUO or FOUO training as part of other mandatory training. In addition, neither agency has implemented an oversight program to determine the extent to which employees are complying with established policies and procedures.

OUO and FOUO Training Is Generally Not Required:

While many DOE units offer training on DOE's OUO policy, DOE does not have a departmentwide policy that requires OUO training before an employee is allowed to designate a document as OUO. As a result, some DOE employees may be identifying and marking documents for restriction from dissemination to the public or persons who do not need to know the information to perform their jobs, and yet may not be fully informed as to when it is appropriate to do so. At DOE, the level of training that employees receive is not systematic and varies considerably by unit, with some requiring OUO training at some point as a component of other periodic employee training, and others having no requirements at all.

DOD similarly has no departmentwide training requirements before staff are authorized to identify, mark, and protect information as FOUO. The department relies on the individual services and field activities within DOD to determine the extent of training that employees receive. When training is provided, it is usually included as part of a unit's overall security training, which is required for many but not all employees. There is no requirement to track which employees received FOUO training, nor is there a requirement for periodic refresher training. Some DOD components, however, do provide FOUO training for employees as part of their security awareness training.

Oversight of OUO and FOUO Programs Is Lacking:

Neither DOE nor DOD knows the level of compliance with OUO and FOUO program policies and procedures because neither agency conducts any oversight to determine whether the OUO and FOUO programs are being managed well. According to a senior manager in DOE's Office of Classification, the agency does not review OUO documents to assess whether they are properly identified and marked. This condition appears to contradict the DOE policy requiring the agency's senior officials to assure that the OUO programs, policies, and procedures are effectively implemented. Similarly, DOD does not routinely conduct oversight of its FOUO program to assure that it is properly managed. Without oversight, neither DOE nor DOD can assure that staff are complying with agency policies.

We are aware of at least one recent case in which DOE's OUO policies were not followed. In 2005, several stories appeared in the news about revised estimates of the cost and length of the cleanup of high-level radioactive waste at DOE's Hanford Site in southeastern Washington. This information was controversial because this multibillion-dollar project has a history of delays and cost overruns, and DOE was restricting a key document containing recently revised cost and time estimates from being released to the public. This document, which was produced by the U.S. Army Corps of Engineers for DOE, was marked Business Sensitive by DOE. However, according to a senior official in the DOE Office of Classification, Business Sensitive is not a recognized marking in DOE. Therefore, there is no DOE policy or guidance on how to handle or protect documents marked with this designation. This official said that if information in this document needed to be restricted from release to the public, then the document should have been stamped OUO and the appropriate FOIA exemption should have been marked on the document.

In closing, the lack of clear policies, effective training, and oversight in DOE's and DOD's OUO and FOUO programs could result in both over- and underprotection of unclassified yet sensitive government documents. Having clear policies and procedures in place can mitigate the risk of program mismanagement and can help DOE and DOD management assure that OUO or FOUO information is appropriately marked and handled. DOE and DOD have no systemic procedures in place to assure that staff are adequately trained before designating documents OUO or FOUO, nor do they have any means of knowing the extent to which established policies and procedures for making these designations are being complied with. These issues are important because they affect DOE's and DOD's ability to assure that the OUO and FOUO programs are identifying, marking, and safeguarding documents that truly need to be protected in order to prevent potential damage to governmental, commercial, or private interests.

Mr. Chairman, this concludes GAO's prepared statement. We would be happy to respond to any questions that you or Members of the Subcommittee may have.

GAO Contacts and Staff Acknowledgments:

For further information on this testimony, please contact either Davi M. D'Agostino at (202) 512-5431 or dagostinod@gao.gov, or Gene Aloise at (202) 512-3841 or aloisee@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. Individuals making key contributions to this testimony included Ann Borseth, David Keefer, Kevin Tarmann, and Ned Woodward.
[End of section]

Appendix I: FOIA Exemptions:

Exemption 1: Classified in accordance with an executive order[A].
Examples: Classified national defense or foreign policy information.

Exemption 2: Related solely to internal personnel rules and practices of an agency.
Examples: Routine internal personnel matters such as performance standards and leave practices; internal matters the disclosure of which would risk the circumvention of a statute or agency regulation, such as law enforcement manuals.

Exemption 3: Specifically exempted from disclosure by federal statute.
Examples: Nuclear weapons design (Atomic Energy Act); tax return information (Internal Revenue Code).

Exemption 4: Privileged or confidential trade secrets, commercial, or financial information.
Examples: Scientific and manufacturing processes (trade secrets); sales statistics, customer and supplier lists, profit and loss data, and overhead and operating costs (commercial/financial information).

Exemption 5: Interagency or intra-agency memoranda or letters that are normally privileged in civil litigation.
Examples: Memoranda and other documents that contain advice, opinions, or recommendations on decisions and policies (deliberative process); documents prepared by an attorney in contemplation of litigation (attorney work-product); confidential communications between an attorney and a client (attorney-client).

Exemption 6: Personnel, medical, and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.
Examples: Personal details about a federal employee such as date of birth, marital status, and medical condition.

Exemption 7: Records compiled for law enforcement purposes where release either would or could harm those law enforcement efforts in one or more ways listed in the statute.
Examples: Witness statements; information obtained in confidence in the course of an investigation; identity of a confidential source.

Exemption 8: Certain records and reports related to the regulation or supervision of financial institutions.
Examples: Bank examination reports and related documents.

Exemption 9: Geographical and geophysical information and data, including maps, concerning wells.
Examples: Well information of a technical or scientific nature, such as number, locations, and depths of proposed uranium exploration drill holes.

Sources: FOIA and GAO analysis.

[A] As noted earlier in this report, classified information is not included in DOE's and DOD's OUO and FOUO programs.

[End of table]

FOOTNOTES

[1] Freedom of Information Act (5 U.S.C. sec. 552). FOIA exemption 1 solely concerns classified information, which is governed by Executive Order; DOE and DOD do not include this category in their OUO and FOUO programs since the information is already restricted by each agency's classified information procedures. In addition, exemption 3 addresses information specifically exempted from disclosure by statute, which may or may not be considered OUO or FOUO. Information that is classified or controlled under a statute, such as Restricted Data or Formerly Restricted Data under the Atomic Energy Act, is not also designated as OUO or FOUO.

[2] DOE Order 471.3, Identifying and Protecting Official Use Only Information, contains responsibilities and requirements; DOE Manual 471.3-1, Manual for Identifying and Protecting Official Use Only Information, provides instructions for implementing requirements; and DOE Guide 471.3-1, Guide to Identifying Official Use Only Information, provides information to assist staff in deciding whether information could be OUO.

[3] DOE classification guides used for managing classified information sometimes include specific guidance on what information should be protected and managed as OUO. When such specific guidance is available to the employee, he or she is required to mark the document accordingly.

[4] DOD 5400.7-R, DOD Freedom of Information Act Program (Sept. 4, 1998); DOD 5200.1-R, Information Security Program (Jan. 14, 1997); and interim changes to DOD 5200.1-R, Information Security Regulation, Appendix 3: Controlled Unclassified Information (Apr. 16, 2004).

[5] DOD 5400.7-R, C4.1.4, p. 43.

[6] Similar language is included in DOD's policies regarding protection of national security information (DOD 5200.1-R, Information Security Program (Jan. 14, 1997), sec. C2.4.3.1). DOE's policy for protecting national security information (DOE M 475.1-1A) makes reference to Executive Order 12958, Classified National Security Information, as amended, which also has similar language.

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.