REPORT OF EVALUATION
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
06199633
Release Decision:
RIPPUB
Original Classification:
U
Document Page Count:
18
Document Creation Date:
December 28, 2022
Document Release Date:
October 20, 2017
Sequence Number:
Case Number:
F-2016-02237
Publication Date:
September 26, 2013
File:
Attachment | Size |
---|---|
![]() | 717.45 KB |
Body:
Approved for Release: 2017/10/18 C06199633
UNCLASSIFIED//FOUO
CENTRAL INTELLIGENCE AGENCY
Office of Inspector General
(U) REPORT OF EVALUATION
(U) Evaluation Required by the Reducing
Over-Classification Act
Report No. 2013-0016-AS
26 September 2013
(U) EXECUTIVE SUMMARY
(U) This evaluation was conducted in response to a requirement contained in the
Reducing Over-Classification Act, Public Law 111-258 (7 October 2010). The Act
requires the Inspector General of each US department or agency with an officer who is
authorized to make original classifications, in consultation with the National Archives
and Records Administration, Information Security Oversight Office (ISOO), to conduct
no less than two evaluations of that department or agency. In accordance with the Act,
the objectives of this evaluation were to:
• (U) Assess whether applicable classification policies, procedures,
rules, and regulations have been adopted, followed, and effectively
administered within the CIA.
• (U) Identify policies, procedures, rules, regulations, or
management practices that may be contributing to persistent
misclassification of material.
(U//FOUO) CIA classification policies, procedures, and regulations are consistent
with federal requirements and have supported implementation of an effective
classification management program. CIA's classification management program is
administered by the CIA Office of the Chief Information Officer, Information
Management Services (IMS). IMS provides an array of classification services and tools
ranging from classification policy guidance to classification management software.
According to IMS officials, deployed CIA Information Management Technical
Officers (IMTOs) assist CIA personnel in accessing, protecting, organizing, and
preserving information in accordance with federal and CIA regulations. IMS has
established procedures for individuals to challenge CIA classification decisions and a
process for adjudicating classification challenges. Although CIA policies adhere to
federal standards for managing classification, there are some areas of classification
management that should be improved.
(U//FOUO) The CIA's fiscal year (FY) 2012 annual self-inspection of its
classification management program and report of the self-inspection did not fully comply
with the standards prescribed in Executive Order (E.O.) 13526, Classified National
Security Information, and the requirements of 32 Code of Federal Regulations (C.F.R.)
Part 2001 - Classified National Security Information. CIA's self-inspection report did
not address all of the required areas and lacked sufficient details in certain areas. Our
(b)(3)
evaluation report recommends that a process be implemented to ensure that the CIA
addresses all self-inspection program reporting requirements prescribed by E.O. 13526 and 32 C.F.R.
Part 2001.
(U) CIA has not established a derivative classification training program that satisfies
the E.O. 13526 requirement that persons who apply derivative classification markings
receive training in the proper application of derivative classification principles at least
once every two years. Agency Regulation
establishes a requirement for biannual training for derivative
classifiers and provides for suspending derivative classification authority for those who
fail to meet the training requirement. A computer-based derivative classification training
course was deployed in 2012. However, according to an IMS official, insufficient
band-width restricted the number of CIA personnel who were able to access the derivative
classification training course, and only 43 percent of CIA personnel completed the course
in 2012. This report recommends that effective, mandatory derivative classification
refresher training for CIA personnel be implemented as required by E.O. 13526 and
(U) We found no instances of over-classification in the sample of finished (b)(3)
intelligence reports that we reviewed. However, we found numerous errors with how
required information was presented in the reports' classification blocks and with the
portion marking of the reports. Some of the errors resulted from updates to the CIA's
automated classification management tool (CMT) not being fully deployed to all CIA
users. Other errors were the result of internal processes associated with posting the
reports to the World Intelligence Review (WIRe). This report recommends that IMS
fully deploy the updated version of the CIA's classification management tool to comply
with the derivative classification marking standards and guidance prescribed in the ISOO
booklet, Marking Classified National Security Information. The report also recommends
that procedures be implemented for posting material to the WIRe that comply with the
derivative classification marking standards and guidance prescribed by the ISOO.
(b)(3)
(b)(6)
Assistant Inspector General for Audit
(U) BACKGROUND
(U) The Reducing Over-Classification Act, Public Law 111-258 (7 October 2010),
was enacted in response to issues highlighted by the National Commission on Terrorist
Attacks Upon the United States (the "9/11 Commission"). The 9/11 Commission
concluded that security requirements lead to over-classification and excessive
compartmentation of information among agencies.1 The 9/11 Commission observed that
over-classification of information interferes with accurate, actionable, and timely
information sharing; increases the cost of information security; and needlessly limits
stakeholder and public access to information. The Reducing Over-Classification Act
requires the Inspector General of each US department or agency with an officer who is
authorized to make original classifications, in consultation with the Information Security
Oversight Office (ISOO),2 to conduct no less than two evaluations of that department or
agency to:
• (U) Assess whether applicable classification policies, procedures,
rules, and regulations have been adopted, followed, and effectively
administered.
• (U) Identify policies, procedures, rules, regulations, or
management practices that may be contributing to persistent
misclassification of material.
The first evaluation is to be completed no later than 30 September 2013. The second
evaluation will review progress in addressing the results of the first evaluation and is to
be completed no later than 30 September 2016. The Act requires that the Inspectors
General coordinate their work with one another and with the ISOO to ensure that
evaluations are conducted following a consistent methodology that allows for
comparisons across departments and agencies.
(U) On 29 December 2009, President Obama signed Executive Order (E.O.) 13526,
Classified National Security Information, which established the current principles,
policies, and procedures for classification. E.O. 13526 prescribes a uniform system for
classifying, safeguarding, and declassifying national security information. E.O. 13526
expresses the President's belief that the nation's progress depends on the free flow of
information, both within the government and to the American people. Accordingly,
protecting information critical to national security and demonstrating a commitment to
open government through accurate and accountable application of classification standards
and effective declassification are equally important priorities.
1 (U) Over-classification is the designation of information as classified, when the information does not meet one or
more of the standards for classification under E.O. 13526, Classified National Security Information.
2 (U) The ISOO is a component of the National Archives and Records Administration and receives policy and
program guidance from the National Security Staff. ISOO is responsible for policy and oversight of the
Government-wide security classification system and the National Industrial Security Program.
(U) As prescribed by E.O. 13526, information that requires protection against
unauthorized disclosure to prevent damage to national security must be marked
appropriately to indicate its classified status. Information may be classified at one of the
following three levels:
1. (U) "Confidential"--applied to information when its unauthorized
disclosure could reasonably be expected to cause damage to the
national security that the original classification authority is able to
identify or describe.
2. (U) "Secret"--applied to information when its unauthorized
disclosure could reasonably be expected to cause serious damage to the
national security that the original classification authority is able to
identify or describe.
3. (U) "Top Secret"--applied to information when its unauthorized
disclosure could reasonably be expected to cause exceptionally grave
damage to the national security that the original classification authority
is able to identify or describe.
If significant doubt exists about the appropriate level of classification, E.O. 13526
prescribes that the information be classified at the lower level.
(U) Executive Order 13526 prescribes that the authority to classify information
originally may be exercised only by individuals authorized by the President, the
Vice President, agency heads, or other officials designated by the President. E.O. 13526
defines "original classification" as the initial determination that information requires, in
the interest of the national security, protection against unauthorized disclosure. The
President has delegated original classification authority to the Director, CIA who has, in
turn, delegated original classification authority to CIA officials. To make an original
classification decision, an authorized individual must determine if the information meets
the following standards:
• (U) The information is owned, controlled, or produced by or for the
US Government.
• (U) The information falls within one or more of the eight categories of
information described in Section 1.4 of E.O. 13526, such as intelligence
activities, intelligence sources or methods, or cryptology.
• (U) The unauthorized disclosure of the information reasonably could be
expected to result in damage to the national security, which the original
classification authority is able to identify or describe.
By definition, original classification precedes all other aspects of the security classification
system, including derivative classification, safeguarding, and declassification.
(U) According to Agency Regulation
all cleared Agency personnel--staff, detailees, and contractors--
are authorized to apply derivative classification in accordance with E.O. 13526.
Information may be derivatively classified from a source document, or through the use of
a classification guide.
(U) Federal departments and agencies may implement a system of restrictive caveats
that can be applied to classified information in the form of dissemination controls and
handling instructions. These caveats are not classifications; rather, they prescribe how
classified information can be distributed or shared. Only those dissemination controls
and handling instructions approved by the ISOO or, with respect to Intelligence
Community organizations, by the Director of National Intelligence (DNI), may be used.
(U) RESULTS AND RECOMMENDATIONS
(U) CIA Classification Program
Management Is Generally Effective
(U//FOUO) CIA classification policies, procedures, and regulations are consistent
with federal requirements and have supported implementation of an effective
classification management program. CIA's classification management program is
administered by the CIA Office of the Chief Information Officer, Information
Management Services (IMS). IMS provides an array of classification services and tools
ranging from classification policy guidance to classification management software.
According to IMS officials, there are CIA Information Management Technical
Officers (IMTOs) who are deployed within various CIA components and assist personnel
in accessing, protecting, organizing, and preserving their information in accordance with
federal and CIA regulations. IMTOs are trained in classification standards and provide
guidance in making classification decisions and applying classification markings. IMS
has also established a procedure for individuals to challenge CIA classification decisions
and a process for adjudicating classification challenges.
(U) CIA Exercise of Original Classification Authority
(U) Agency Guidance
lists CIA positions that have original classification authority: the Director, CIA and
positions delegated authority by the Director, CIA. Of the CIA officers that have
been delegated original classification authority, only one officer has exercised this
authority in the last five years. The only CIA officer to exercise original classification
authority in the last five years is the Chief, Classification Management and Collaboration
Group (CMCG), IMS. The incumbent in this position is an expert in information and
classification management with over 30 years of experience. The Chief, CMCG
adjudicates classification challenges, and his staff is responsible for developing and
administering the Agency's classification training program.
(b)(3)
(b)(3)
(b)(3)
(U) We reviewed the four original classification decisions made by the Chief, CMCG
in FY 2012. In each instance the Chief, CMCG documented the rationale behind his
classification decisions and why the information was not covered by an existing citation
in the CIA National Security Classification Guide . According to the Chief,
CMCG, the CIA National Security Classification Guide is updated every five years, and
these original classification decisions will be addressed, as appropriate, in the next
revision of the Guide, which is planned for 2015.
(U) As prescribed by 32 Code of Federal Regulations (C.F.R.) Part 2001, persons
having original classification authority are required to receive training in proper
classification prior to originally classifying information and at least once per calendar
year thereafter, incorporates these requirements and provides for suspending
original classification authority for persons who fail to meet training requirements.
Although only current CIA officers having original classification authority
have completed training, the training requirement must be satisfied before the authority is
exercised. The Chief, CMCG has completed required training.
(U) CIA Exercise of Derivative Classification Authority
(b)(3)
(b)(3)
(b)(3)
(U) states that all cleared Agency personnel--staff, detailees, and
contractors--are authorized in accordance with E.O. 13526 to apply derivative
classification. According to the Chief, CMCG and CIA reporting to ISOO, CIA
personnel made more than 27 million derivative classification decisions in FY 2012.
Unlike many other federal agencies, the CIA has maintained a single, comprehensive
classification guide rather than individual guides for projects, programs, or categories of
information.
(U) In response to an E.O. 13526 requirement, IMS undertook a review of the CIA
National Security Classification Guide. The review concluded that greater precision in
(b)(3)
the use of the guide might be achieved if the key intelligence disciplines that are
represented in the guide, e.g. were reviewed by subject (b)(3)
matter experts (SMEs) in each discipline. A team of classification guidance professionals
have engaged with the SMEs to examine in detail why specific aspects of CIA business
processes, tradecraft, and operations are classified and to identify those aspects that are
not. IMS plans to expand the guide to include appendices for each of the intelligence (b)(3)
disciplines to provide detailed guidance for CIA officers when making derivative
classification decisions.
(U//FOUO) Although CIA policies adhere to federal standards for managing
classification, there are some areas of classification management that should be
improved.
(U) CIA Self-Inspection of Its Classification
Management Program Needs To Be Strengthened
(U//FOUO) The CIA's fiscal year (FY) 2012 self-inspection of its classification
management program and report of the self-inspection did not fully comply with the
standards prescribed in E.O. 13526 and the requirements of 32 C.F.R. Part 2001 -
Classified National Security Information. CIA's self-inspection report, submitted to the
ISOO on 14 December 2012, did not address all of the required program areas and lacked
sufficient details in certain areas. The report's statement regarding required classification
training implied that the CIA's computer-based, derivative classifier training had been
fully implemented, which was not the case for FY 2012.
(U) E.O. 13526 requires each federal agency to establish and maintain an ongoing
self-inspection program and to report annually to the Director of the ISOO the results of
the agency's self-inspection. 32 C.F.R. Part 2001 prescribes specific standards for
establishing and maintaining a self-inspection program. The self-inspection is to include
reviews of representative samples of original and derivative classification decisions,
declassifications, safeguarding of classified information, procedures for assessing
security violations, security education and training, and management and oversight. In
addition, the self-inspection is to assess actions taken or planned to correct deficiencies in
the classification management program and identify best practices in classification
management. The self-inspection report is required to include a description of the
self-inspection program and a summary of the findings from the self-inspection.
(U) In a 6 March 2013 letter to the Director, IMS, the Director, ISOO outlined
deficiencies in the CIA's FY 2012 self-inspection report that had been noted by the ISOO
staff:
• (U) The report included only a partial description of the CIA's
self-inspection program and did not fully describe its structure,
approach, frequency, coverage, and reporting.
• (U) The report provided an assessment of the findings of the CIA's
self-inspection program for a majority, but not all, of the required
program areas.
• (U) The report answered less than half of the focus questions that
apply to CIA.
• (U) The report provided the types and percentages of discrepancies
found during the annual review of classification actions, but failed
to provide the volume of classified materials reviewed.
According to the Chief, CMCG, an ISOO staff member advised that the number of
documents reviewed in CIA's testing of derivative classifications was not sufficient to
meet the standards of 32 C.F.R. Part 2001.
(U//FOUO) Our review of the CIA's self-inspection report found that although most
of the required program areas were addressed, the report included few details on several
of the areas. For example, the section of the report addressing security violations states
that the number of violations by CIA employees continues to be relatively low, but the
report does not cite the number of security violations that occurred in FY 2012 or
whether the number decreased or increased over previous years. The report states that
CIA chose not to evaluate declassification actions in its FY 2012 self-inspection but
provides no explanation for that decision. In addition, the report references the CIA's
mandatory classification management training program. Although requires
derivative classification training, only 43 percent of CIA personnel have completed the
training.
(U) IMS officials told us that, because IMS resources had been devoted to
implementing other requirements of E.O. 13526, for example the review of the CIA
classification guide, limited IMS resources were available to conduct the self-inspection
of the CIA's classification management program. IMS is working to develop procedures
to more effectively and efficiently conduct the self-inspection and prepare the report of
the self-inspection for submission to the ISOO in FY 2013.
(U) Recommendation
(U) The Director, IMS concurs with this recommendation. In comments on a draft of
this report, he stated that IMS chose not to include information about CIA's
declassification program as part of the FY 2012 self-inspection because the CIA
declassification program undergoes regular inspections by the ISOO staff. According to
the Director, IMS, CIA's declassification program has been repeatedly identified by
ISOO as a "best practice" throughout government.
(U) Required Derivative Classification
Training Has Not Been Fully Implemented
(U) CIA has not established a derivative classification training program that satisfies
the E.O. 13526 requirement that persons who apply derivative classification markings
receive training in the proper application of derivative classification principles at least
once every two years. E.O. 13526 prescribes that derivative classifiers who do not
complete such training at least once every two years will have their authority to apply
derivative classification markings suspended until they complete such training.
establishes a requirement for biannual training for derivative classifiers and provides for
suspending derivative classification authority for those who fail to meet the training
requirement.
(U) All CIA employees receive classification training when they enter on duty. A
mandatory, computer-based derivative classification refresher training course was
deployed in 2012. However, according to the Chief, CMCG, insufficient band-width
restricted the number of CIA personnel who were able to access the derivative
classification training course, and only 43 percent of CIA personnel completed the course
in 2012. Although requires training only every other year, the computer-based
training course states that the training is an annual requirement for all derivative
classifiers. The Chief, CMCG told us that completion of the computer-based derivative
classification training course will be made an annual requirement by revision of
when the course is effectively implemented. A 2013 version of the course has been
developed and is being tested to ensure that it is deployed with adequate band-width.
(U) Recommendation 2 (Significant)--For the Director, Information
Management Services, Office of the Chief Information Officer, in
coordination with the Chief Information Officer: Implement effective,
mandatory derivative classification refresher training for CIA
personnel as required by Executive Order 13526, Classified National
Security Information, and Agency Regulation
(U) The Director, IMS concurs with this recommendation.
(U) Classification Markings for Finished Intelligence
Are Not Fully Compliant With Current Standards
(U) Derivative classification markings in CIA finished intelligence products are not
always consistent with the guidance and standards prescribed by the ISOO. The ISOO
booklet, Marking Classified National Security Information, revised 1 January 2012,
prescribes classification markings for derivatively classified documents. The booklet
provides guidance on the components of the classification banner3 and classification box,
classification duration, and placement of portion markings. Except in extraordinary
circumstances, or as approved by the Director, ISOO, the marking of classified
information may not deviate from the prescribed formats.
(U//FOUO) We reviewed a statistical sample of finished intelligence reports
from calendar year 2012 posted to the World Intelligence Review (WIRe), an enterprise
website hosted by CIA that provides intelligence analysis, clandestine reporting, and
open source content to policymakers and the Intelligence Community. The finished
3 (U) Classification banners appear at the top and bottom of each page of a classified document and include
information such as classification level, sensitive controlled information markings, and dissemination control
markings.
(b)(3)
intelligence reports were derived from intelligence reports and open source
documents. In conducting our review, we examined a sufficient number of source
documents to assess the classification markings appended to the finished intelligence
reports. We assessed the content of classification blocks and other required classification
markings, such as portion markings. In total, we tested 16 attributes concerning
classification level and markings.
(U) We found no instances of over-classification in the finished intelligence
reports we reviewed. However, we found numerous errors with how required
information was presented in the reports' classification blocks and with the portion
marking of the reports. Some of the errors resulted from the CIA's automated
classification management tool (CMT) not being updated to reflect current classification
marking standards. Other errors were the result of internal processes for posting WIRe
articles. Errors caused by the outdated CMT involved:
• (U//FOUO) Declassification Instructions: Seventy-five percent of the
sampled reports had inaccuracies in the declassification instructions in the
classification block. Discrepancies included: use of a 50-year
declassification date when there was no sensitive human source
information to justify the extended period of classification; and use of
"25X1-Human," which is no longer an authorized designation for
declassification. CIA internal guidance states that the use of
"25X1-Human" was eliminated with E.O. 13526. However, the CMT still
allows derivative classifiers to select this declassification marking.
• (U) Inclusion of a Classification Reason: Twelve percent of the sampled
finished intelligence products included in the classification block a
"Classification reason" line, which is no longer required for derivatively
classified documents.
(b)(3)
Errors caused by weaknesses in internal processes for posting WIRe articles involved:
• (U) Identification of the Classifier: Ninety-two percent of the finished
intelligence reports in our sample did not have a "Classified by" line in the
classification block. Derivative classifiers should be identified by name
and position or by a unique personal identifier, in a manner that is
immediately apparent on each derivatively classified document. The CMT
automatically populates the "Classified by" line. However, for finished
intelligence products published on the WIRe, the CMT stores the
classifiers' information but does not display the information.
• (U//FOUO) Classification Source: Thirty-nine percent of the finished
intelligence reports in our sample did not accurately identify the
classification source in the "Derived from" line, as prescribed by the ISOO
classification marking booklet. The "Derived from" line identifies the
source document or classification guide used to classify the document.
When using multiple source documents, the "Derived from" line should be
marked "Multiple Sources" and a list of those sources should be included
with the report. However, based on procedures used for the publication of
finished intelligence reports on the WIRe, when a source document
includes a sensitive controlled information marking in the classification,
only that source document is listed on the "Derived from" line of the
report, regardless of the classifications of other source documents. This
practice does not comply with ISOO guidance.
• (U) Identification of Multiple Sources: Twenty-three percent of the
finished intelligence reports in our sample that accurately cited "Multiple
Sources" in the "Derived from" line of the classification block did not
include sufficient information in the source list to identify all source
documents. For example, information on some source documents was
limited to identifying the federal agency that produced the documents, but
did not include titles, document numbers, or dates.
• (U) Portion Marks: Fifty-three percent of the finished intelligence reports
had portion marks at the end of the portions to which the marks applied.
According to the ISOO classification marking booklet, portion marks
should precede the portions to which they apply. This issue appears to be
the result of a delay in implementing a change regarding the placement of
portion marks, which has since been resolved. Current WIRe articles
correctly placed portion marks at the beginning of the portions to which
they apply.
(U) Although CIA guidance has been updated to reflect current classification
requirements, the CMT and procedures for publication of WIRe articles have not been
updated and fully deployed. The CMT is an automated tool that is intended to assist
derivative classifiers in correctly classifying and marking classified information. The
CMT should incorporate current standards for classification markings. In addition,
managers of the WIRe need to consult with IMS to develop procedures to ensure that
classification markings and the classification block on articles published in the WIRe are
fully compliant with current ISOO marking requirements.
(U) Recommendation
(b)(3)
(b)(5)
(U) Director, IMS concurs with this recommendation. In comments to a draft of this
report, he stated that due to the complexity of updates to CIA systems worldwide, the
updated version of the CMT, made available to intelligence community agencies in
September 2012, has not yet been fully deployed at CIA. The completion of the update
process to bring all CIA users into compliance will take some time. He also stated that
some errors in classification markings are caused by user error and cannot be corrected
with the updates made to the CMT.
(U) Recommendation
(U) In comments on a draft of this report, the Director and Managing Editor of the
WIRe stated that he concurs with the recommendation, and that the WIRe development
team is working to update the classification block of all WIRe featured content items.
Exhibit A
(U) Objectives, Scope, and Methodology
(U) This evaluation was conducted in response to a requirement contained in the
Reducing Over-Classification Act, Public Law 111-258 (7 October 2010). The Act
requires the Inspector General of each US department or agency with an officer who is
authorized to make original classifications, in consultation with the National Archives
and Records Administration, Information Security Oversight Office (ISOO), to conduct
no less than two evaluations of that department or agency. In accordance with the Act,
the objectives of this evaluation were to:
• (U) Assess whether applicable classification policies, procedures,
rules, and regulations have been adopted, followed, and effectively
administered within the CIA.
• (U) Identify policies, procedures, rules, regulations, or
management practices that may be contributing to persistent
misclassification of material.
The first evaluation is to be completed no later than 30 September 2013. The second
evaluation will review progress in addressing the results of the first evaluation and is to
be completed no later than 30 September 2016. This review focused on whether CIA is
in compliance with the requirements and standards set forth in Executive Order
(E.O.) 13526, Classified National Security Information, and 32 Code of Federal
Regulations (C.F.R.), Part 2001, Classified National Security Information, for a uniform
system for classifying and safeguarding national security information.
(U) The scope of the evaluation included an assessment of CIA regulations,
classification management process and procedures, fiscal year 2012 reporting to the
ISOO, classification training programs, and the accuracy of classification markings
appended to finished intelligence reports issued in calendar year 2012. To accomplish
evaluation objectives, we:
• (U) Reviewed Public Law 111-258; Executive Order (E.O.) 13526;
32 C.F.R. Part 2001; ISOO guidance for self-inspection programs; the
ISOO booklet, Marking Classified National Security Information; CIA
regulations; and internal CIA guidance issued by the Office of the Chief
Information Officer, Information Management Services.
• (U//FOUO) Interviewed the CIO, IMS, Classification Management and
Collaboration Group staff; Directorate of Intelligence (DI) analysts; World
Intelligence Review (WIRe) management; National Geospatial Intelligence
Agency analysts detailed to CIA; Information Management Technical
Officers; Human Resources Policy officers; Office of Security management;
and a DI Kent School Career Analyst Program (CAP) instructor.
• (U) Participated in working group meetings and conference calls with
OIG officers from other federal agencies who were conducting Public
Law 111-258 reviews of their agencies.
• (U) Reviewed Original Classification Authority designations, classification
decisions, and training records.
• (U) Reviewed the FY 2012 derivative classification computer-based
refresher training course and completion records.
(b)(3)
• (U//FOUO) Tested a statistical sample of DI finished intelligence
products published on the WIRe to determine if the classified documents
were in compliance with classification standards contained in ISOO booklet,
Marking Classified National Security Information, dated 1 January 2012.
Because classification marking guidance was updated 1 January 2012, we
chose a sample of finished intelligence products published between
1 January and 31 December 2012. We chose finished intelligence because
the universe of finished intelligence was well-defined, finished intelligence
is intended to be shared, and finished intelligence was not examined in the
most recent CIA self-inspection. We worked with a statistician to develop
our testing methodology and select a sample of finished intelligence (b)(3)
products. We obtained a complete list of the DI intelligence reports
created from 1 January 2012 through 31 December 2012. With a confidence
level of 90 percent and expected error rate of five percent, we selected a (b)(3)
statistical sample size of using the American Institute of Certified
Public Accountants (AICPA) statistical sample tables. We tested
16 attributes with regard to classification markings.
(U) We conducted this evaluation from March to June 2013. We believe the
evidence obtained provides a reasonable basis for our findings and conclusions based on
our evaluation objectives. We received comments on a draft of this report from the
Director, Information Management Services; Office of the Chief Information Officer; and
Director and Managing Editor, WIRe.
Exhibit B
(U) Recommendations
(U) Recommendation 1
(b)(3)
(b)(5)
(U) Recommendation 2 (Significant): For the Director, Information
Management Services, Office of the Chief Information Officer, in
coordination with the Chief Information Officer: Implement effective,
mandatory derivative classification refresher training for CIA personnel as
required by Executive Order 13526, Classified National Security
Information, and Agency Regulation
(U) Recommendation 3
(b)(3)
(b)(5)
(U) Recommendation 4
(b)(3)
(b)(5)
(U) The status of the significant recommendation will be included in the Inspector
General's semiannual reports to the Director, Central Intelligence Agency.
Exhibit B is Unclassified
Exhibit C
(U) Evaluation Team
(u/ U This report was prepared by the Office of Inspector General.
(b)(3)