Issue Brief: Federal Classified Information and Controlled Unclassified Information

SAA Position

SAA supports efforts to improve classification and avoid over-classification according to the following recommendations:

• Classification should be simplified into two classification categories, the current “Top Secret” and a second level that would follow standards for a lower level of protection.
• Classification should take a risk-management approach, i.e., that the level of protection assigned should align with the level of harm due to an unauthorized release by linking clearly identifiable risk to an accurate assessment of harm in classification guidance.
• In both policy and practice, a “safe harbor” protection should be provided to classifiers who rigorously take this approach in order to prevent bias toward classification and protect those who make good-faith decisions not to classify information.
• The protections needed for intelligence sources and methods should be precisely defined and distinguished.
• Information with short-lived sensitivity should be identified and set aside for automatic declassification without further review. This could include creating a category of “self-cancelling” classification in which information based on an operation, date, or event is declassified automatically when that operation, date, or event passes. Any exceptions would require a written notice of a specific need for the information to remain classified.
• The system used to rate civilian and military personnel performance should include the designation and management of classified information as a critical element or item to be evaluated when rating individuals whose duties significantly involve the creation or handling of classified information
• Agencies continue to improve classification training—especially concerning derivative classification—and the processes used to monitor such training and provide oversight.
• Any system designed to handle unclassified information that must be safeguarded (i.e., Controlled Unclassified Information) or have its dissemination controlled due to law, regulations, and policy (e.g., “protected health information” under the Health Insurance Portability and Accountability Act [HIPAA]) must avoid disclosure restrictions that override discovery, whistleblower protections, and other lawful disclosures; must not discourage legitimate information sharing both inside and outside the government; and must not hinder access via the Freedom of Information Act. In short, the system should not become another layer of “classification.”
• Congress should appropriate more funding directed to classification training and the development of technologies to assist and improve the classification process.

In accordance with this position, SAA will:

• Advocate for pertinent legislation and the development of appropriate agency regulations that support these goals.
• Advocate for additional funding from Congress to improve classification, especially for training and technology to assist and improve the classification process.
• Work with other organizations concerned about the over-protection of information.

The Issues

The classification system currently in use was created more than seventy years ago. The methods used to identify, mark, handle, and store have remained fairly constant and the system’s purpose—to categorize and protect sensitive information—has changed little. But basing classification decisions on a loosely defined level of presumed “damage” to national security, with little input from other classifying agencies or knowledge of prior declassification decisions, led to a system that almost always favored protection over declassification and eventual public access. Inadequate guidance and training exacerbated the problem. In addition, the advent of electronic records resulted in a hodgepodge of changes to policies and procedures based on the older, paper-based system, which led to more system complexity that worsened over-classification. Available technology has not been used to meet current needs nor to handle the increasing volume of digital records. 

Classification comes at a cost. In the latest figures available (2015), the cost of classification management—the resources used to identify, control, transfer, transmit, retrieve, inventory, archive, or destroy classified information—was $367.44 million.[1] The total cost for security classification (which in addition to the costs already noted includes the costs for personnel, physical security, protection and maintenance for classified information systems, training, and other related costs) was $16.17 billion.[2] And costs have been rising steadily since 1997, when the total cost for security classification was $3.37 billion.[3] Streamlining the classification process, reducing over-classification, and increasing the use of technology could help bring down these costs.

Related to the question of classification is the administration of controlled unclassified information (CUI). This is “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.” Prior to 2010 more than 100 different markings existed to denote CUI as a result of ad hoc, agency-specific efforts to administer this type of information. This led to a patchwork system that was confusing and inefficient; that inadequately safeguarded information that needed protection; and that unnecessarily impeded information sharing. Executive Order 13556 (November 4, 2010) established a program to standardize the way CUI was handled in the federal government. The Information Security Oversight Office (ISOO) of the National Archives and Records Administration, tasked with developing policy and overseeing the CUI program, published CUI regulations (32 CFR Part 2002) in the Federal Register on September 14, 2016. It is reassuring that the patchwork of agency-developed systems of categorizing sensitive but unclassified materials has been replaced with a standardized system overseen by the federal agency with the necessary expertise in records management. The government—particularly ISOO—is to be commended for this effort to establish an orderly and standardized system to handle CUI.

Core values of archivists as defined by the Society of American Archivists and the profession include accountability and access and use. “In a republic … accountability and transparency constitute an essential hallmark of democracy. Public leaders must be held accountable both to the judgment of history and future generations as well as to citizens in the ongoing governance of society. Access to the records of public officials and agencies provides a means of holding them accountable both to public citizens and to the judgment of future generations.”[4] Use is one of the tenets of archival ethics as well: “Recognizing that use is the fundamental reason for keeping archives, archivists actively promote open and equitable access to the records in their care within the context of their institutions’ missions and their intended user groups.”[5]

Reforming the classification process, reducing over-classification, and ensuring the CUI system does not become yet another system of “classification” will lead to a more open and transparent government as demanded by both our core values and code of ethics.

[1] “2015 Report to the President,” Information Security Oversight Office, July 15, 2016, p.31-32. https://www.archives.gov/files/isoo/reports/2015-annual-report.pdf 

[2] Ibid, p.32.

[3] Ibid, p.34.

[4] http://www2.archivists.org/statements/saa-core-values-statement-and-code-of-ethics. 

[5] Ibid.

Additional Resources

Code of Federal Regulations Title 32, Part 2002, https://www.gpo.gov/fdsys/pkg/CFR-1998-title32-vol6/pdf/CFR-1998-title32-vol6-part2002.pdf. 

Controlled Unclassified Information (CUI), National Archives and Records Administration: https://www.archives.gov/cui.

Open the Government coalition: http://www.openthegovernment.org/.

Public Interest Declassification Board, “Transforming the Security Classification System” report (2012), http://www.archives.gov/declassification/pidb/recommendations/transforming-classification.pdf.  

Revised Guidance regarding Controlled Unclassified Information and the Freedom of Information Act, July 3, 2014, https://www.archives.gov/files/cui/registry/policy-guidance/registry-documents/2014-doj-oip-cui-joint-issuance-on-foia.pdf.

All sites accessed September 22, 2017.

Approved by the SAA Council, November 2017.