CIA SELF INSPECTION FY14-FINAL WITH TRANSMITTAL LETTER

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
06896732
Release Decision: 
RIPPUB
Original Classification: 
U
Document Page Count: 
10
Document Creation Date: 
July 11, 2023
Document Release Date: 
February 22, 2022
Sequence Number: 
Case Number: 
F-2015-02655
Publication Date: 
October 21, 2014
File: 
CIA SELF INSPECTION FY14-[16023431].pdf (702.32 KB)
Body: 
Approved for Release: 2022/01/27 C06896732

Central Intelligence Agency
Washington, D.C. 20505

21 October 2014

Mr. John P. Fitzpatrick, Director
Information Security Oversight Office
National Archives and Records Administration
Washington, D.C. 20408-0001

Dear Mr. Fitzpatrick:

In response to the Information Security Oversight Office, the Central Intelligence Agency submits the enclosed FY 2014 Agency Annual Self-Inspection Program Data Report. This report covers the period from 1 October 2013 to 30 September 2014.

Please contact Mr. Harry Cooper, Chief, Classification Management and Collaboration Group, at if you have any questions regarding the report.

Sincerely,

Joseph W. Lambert
Director, Information Management Services

Mr. John Fitzpatrick
CIO/IMS/JWLambert
'SOO Distribution: Orig - Addressee 1 - CIO 2 - D/IMS 1 - C/CMCG
IS00/2014 DIMS Transmittal Letter to
UNCLASSIFIED

Enclosure 2

AGENCY ANNUAL SELF-INSPECTION PROGRAM DATA: FY 2014
(Submissions must be unclassified.)

PART A: Identifying Information

1. Enter the agency name.
1. Central Intelligence Agency

2. Enter the date of this report.
2. 21 October 2014

3. Enter the name, title, address, phone, fax, and e-mail address of the Senior Agency Official (SAO) (as defined in E.O. 13526, section 5.4(d)) responsible for this report.
3. Joseph W. Lambert Director, Information Management Services (IMS) CIA Washington DC 20505

4. Enter the name, title, phone, fax, and e-mail address of the individual or office responsible for conducting self-inspections and reporting findings.
4. Harry P. Cooper, Jr. Chief, Classification Management and Collaboration Group (CMCG) CIA, Washington, DC 20505

5. Enter the name, title, phone, fax, and e-mail address for the point-of-contact responsible for answering questions regarding this report.
5. Harry P. Cooper, Jr.
Chief, Classification Management and Collaboration Group (CMCG) CIA, Washington, DC 20505

PART B: Classified National Security Information (CNSI) Program Profile Information

6. Has your agency been designated/delegated as an original classification authority (OCA)?
6. 0 Yes 0 No

7. Does your agency perform original classification activity?
7. C) Yes 0 No

8. Does your agency perform derivative classification activity?
8. C) Yes 0 No

9. Does your agency have an approved declassification guide and declassify CNSI?
9. C) Yes 0 No

PART C: Description of the Program

A description of the agency's self-inspection program to include activities assessed, program areas covered, and methodology utilized. The description must demonstrate how the self-inspection program provides the SAO with information necessary to assess the effectiveness of the CNSI program within individual agency activities and the agency as a whole.

Responsibility

10. How is the SAO involved in the self-inspection program? (Describe his or her involvement with the self-inspection program.)
The SAO delegates responsibility to CMCG for the self-inspection program, approves the annual self-inspection plan, receives briefings on its results and recommendations, and approves follow-on actions. During FY14, the SAO also observed self-inspection directly through travel with CMCG to a field location.

11. How is the self-inspection program structured to provide the SAO with information necessary to assess the agency's CNSI program in order to fulfill his or her responsibilities under section 5.4(d) of E.O. 13526?
During FY14, while conducting ongoing self-inspection of documents in the Washington Metro Area (WMA), CMCG engaged field location counterparts through travel. Following each travel opportunity, the SAO received a briefing of the results. As mentioned above, the SAO also accompanied CMCG on field location travel.
The self-inspection program is designed to cover compliance with all 5.4(d) areas of responsibility and to identify best practices and areas for improvement.

12. Whom has the SAO designated to assist in directing and administering the self-inspection program? Who conducts the self-inspections? (If the SAO conducts the self-inspections, which may be the case in smaller agencies, indicate this.)
The Chief of CMCG, an SES-level officer, is designated to assist in directing and administering the self-inspection program. A number of classification specialists in CMCG conduct the self-inspections.

Approach

13. What means and methods are employed in conducting self-inspections? (For example: interviews, surveys, data calls, checklists, analysis, etc.)
Building from success in FY13, CMCG developed a standard operating procedure to govern data collection in the WMA and from field locations. Subsequently, CMCG partnered with IMS records management colleagues to capture a substantial electronic collection of data from across the primary components of CIA, and CMCG collaborated with colleagues in field locations to ensure that documents sampled covered the depth and breadth of mission activities and support. CMCG conducted personnel interviews in field locations, performed extensive document review, and collaborated with declassification and security colleagues to obtain the necessary information. Subsequently, results were analyzed, and findings and recommendations were prepared for the SAO and ISOO.

INFORMATION SECURITY OVERSIGHT OFFICE AUTHORIZED FOR LOCAL REPRODUCTION 32 CFR 2001 E.O. 13526

14. If your agency performs different types of inspections (e.g., component self-inspections, command inspections, compliance reviews, etc.), describe each of them and explain how they are used. If not, indicate NA.
Throughout FY14, CMCG reviewed documents across all components of CIA through document sampling and through classification assistance. In support of the self-inspection effort, CMCG engaged in nine field location visits during FY14. Additionally, CMCG conducts the annual Classification Count and analysis and a compliance review of mandatory Original and Derivative Classification Training, as required by E.O. 13526.

15. Do your agency's self-inspections evaluate adherence to the principles and requirements of E.O. 13526 and its implementing directive and the effectiveness of agency programs covering the following areas? (Select all that apply)
Management and oversight 0 Original classification 0 Security violations D Safeguarding 0 CI Derivative classification El Declassification 0 Security education and training

16. Do your self-inspections include a review of relevant security directives and instructions?
16. 0 Yes 0 No

17. Do your self-inspections include interviews with producers (where applicable) and users of classified information?
17. 0 Yes 0 No

Approach: Representative Sample (If your agency does not classify information, indicate NA.)

18. Do your self-inspections include reviews of representative samples of original and derivative classification actions to evaluate the appropriateness of classification and the proper application of document markings?
18. 0 Yes 0 No 0 NA

19. Do these reviews encompass all agency activities that generate classified information?
19. C) Yes 0 No 0 NA

20. Describe below how the agency identifies activities and offices whose documents are to be included in the sample of classification actions. (Indicate if NA.)
In order to review a sample of documents covering all agency activities and mission support, CMCG engaged in document review and personnel interviews in field locations close to mission and performed extensive document review and data analysis in the WMA.
In the WMA, CMCG deliberately sampled documents that reflect the five major business areas of the agency.

21. Do the reviews include a sampling of various types of classified information in document and electronic formats?
21. 0 Yes 0 No 0 NA

22. How do you ensure that the materials reviewed provide a representative sample of the agency's classified information? (Indicate if NA.)
In the WMA, CMCG worked with IMS records management colleagues to collect a sample of data that covered all agency components. This data collection yielded material across the spectrum of the CIA mission, from administrative matters to intelligence analysis to operational activity. CMCG supplemented its WMA review with visits to field locations, providing a sample of documents directly related to the day-to-day mission critical activities of CIA.

23. How do you determine that the sample is proportionally sufficient to enable a credible assessment of your agency's classified product? (Indicate if NA.)
After receiving an initial sample of over one thousand documents, CMCG reviewed the material to ensure that all five primary business areas and their individual missions/responsibilities were present in the sample. CMCG deemed that this sample was sufficient to enable a credible assessment, based on the requirements of 32 CFR 2001.60. After reviewing the results of inspection work in nine field locations, CMCG determined that the final data sample proportionally represented the spectrum of documents associated with CIA operations.

24. Who conducts the review of the classified product? (Indicate if NA.)
In the WMA, designated CMCG full-time classification specialists conduct document reviews. For field reviews, CMCG designates teams of 2-3 individuals to conduct classification reviews, interview field personnel, and provide training on classification policies, practices, and employee obligations regarding their secrecy agreements.

25.
Are the personnel who conduct the reviews knowledgeable of the classification and marking requirements of E.O. 13526 and its implementing directive?
25. C) Yes 0 No 0 NA

26. Do they have access to pertinent security classification guides? (Indicate if NA.)
26. � Yes 0 No 0 NA

27. Have appropriate personnel been designated to correct misclassification actions? (Indicate if NA.)
27a. If so, identify below.
27. 0 Yes 0 No ONA
The Chief of CMCG and all of the group's classification specialists.

Frequency

28. How frequently are self-inspections conducted?
CMCG conducts the self-inspection year-round. Nine field location visits took place over approximately five months of FY14.

29. Describe the factors that were considered in establishing this time period?
Field location visits required extensive coordination with the respective offices to facilitate information access that would not disrupt mission-critical activities. Document inspection continued year-round in the WMA in order to allow CMCG sufficient time to identify possible data gaps within the sample and to provide the opportunity to return to IMS records management partners for additional documents.

Coverage

30. How do you determine what offices, activities, divisions, etc., are covered by your self-inspection program? What agency activities are assessed?
As noted in the response to Question 20 above, in order to review a sample of documents covering all agency activities and mission support, CMCG engaged in document review and personnel interviews in field locations and performed extensive document review and data analysis in the WMA. CIA has five major business areas, and CMCG deliberately sampled documents that reflect these components and their respective areas of responsibility within the broader CIA mission.

31.
How is the self-inspection program structured to assess individual agency activities and the agency as a whole?
CMCG carefully considers the type of function performed in each component and the types of documents that each of these components produces. Classification assistance questions from the current and prior fiscal year help to shape this consideration. CMCG also considers the demanding circumstances surrounding work in the field and in high-tempo areas of CIA as it pertains to understanding how officers in field offices classify information.

Special Access Programs (SAP) (If your agency does not have the authority to create SAPs, indicate NA.)

32. If your agency has any special access programs, are self-inspections of the SAP programs conducted annually?
32. C) Yes 0 No 0 NA

33. Do the self-inspections confirm that the agency head or principal deputy has reviewed each special access program annually to determine if it continues to meet the requirements of E.O. 13526?
33. 0 Yes 0 No 0 NA

34. Do the self-inspections determine if officers and employees are aware of the prohibitions and sanctions for creating or continuing a special access program contrary to the requirements of E.O. 13526?
34. 0 Yes 0 No 0 NA

Reporting

35. What is the format for documenting self-inspections in your agency?
CMCG documents its self-inspection through standardized document checklists, followed by data aggregation spreadsheets. CMCG also uses standardized forms for field personnel interviews. Following each field visit, CMCG prepares a classified trip report that analyzes findings and after-action opportunities related to classification training and practice improvements. As requested, CMCG briefs the SAO on these visits and overall progress. At the end of the self-inspection, CMCG prepares the annual report and briefing materials for the SAO and other agency senior officials, as necessary.

36. Who receives the reports?
The SAO; Chief of CMCG; the Chief Information Officer; other agency senior officials, as necessary; ISOO.

37. Who compiles/analyzes the reports?
The CMCG self-inspection staff.

38. How are the findings analyzed to determine if there are problems of a systemic nature?
CMCG aggregates data from the document checklists and personnel interviews in spreadsheets, then develops formulas that identify opportunities for improvement in the reporting areas required by ISOO, including: over/underclassification, overall marking requirements, and portion marking. CMCG also tracks and analyzes trends in classification derivative choices, application of dissemination controls, classification differences between WMA and field locations, and classification differences between the five major agency components. The final analysis helps CMCG identify potential areas for improvement in both customized and agency-wide original and derivative classifier training.

39. How and when are the results of the self-inspections reported to the SAO?
CMCG briefs the SAO after completion of data analysis and production of draft findings and recommendations. The annual self-inspection program data form is submitted to the SAO before it is released to ISOO. Once the SAO approves the findings and recommendations, CMCG submits the form to ISOO and begins implementation of recommendations, as necessary.

40. How is it determined if corrective actions are required?
CMCG carefully analyzes its document review and interview data for opportunities for improvement in agency-wide classification practices. If/when patterns are evident either in a particular business area or agency-wide, CMCG develops possible corrective action for consideration by the SAO.

41. Who takes the corrective actions?
Action depends on the finding: CMCG, IMS records management partners, field offices when necessary.

42.
How are the findings from your agency's self-inspection program distilled for the annual report to the Director of ISOO?
CMCG relies upon spreadsheet analysis of documents and raw-answer aggregation of interview data to distill findings for the Director of ISOO. Self-inspection findings are also supported by day-to-day classification support and training provided by CMCG to CIA.

43. Has the SAO formally endorsed this self-inspection report? If yes, please provide documentation.
43. 0 Yes 0 No

PART D: A summary of the findings of your agency's self-inspection program

The summary should present specific, concise findings from your self-inspection program for each of the required program areas below. It is not a description of the requirements of the agency's CNSI program. Rather, the summary outlines the essential self-inspection findings based on the compilation and/or distillation of the information contained in the agency's internal self-inspection reports, checklists, etc. In large agencies where findings are drawn from multiple agency offices and activities, the findings that are reported here may be the most significant or most frequently occurring.

44. Original Classification: The self-inspection determined that the number of original classifiers (OCAs) was kept at the lowest possible level, based on a demonstrable and continuing need to exercise this authority, per E.O. 13526, Sec. 1.3. This information was provided to ISOO separately via a letter signed by Director, IMS, including the positions of all current OCAs. During FY14, CIA had an estimated 18 OCA actions, which will be reported separately on the SF-311.
Self-inspection found that original classifier training was provided and, in keeping with this training, OCAs understood that their authority is only to be exercised in the rare case that an Agency classification guide does not provide sufficient guidance, and there appears to be a need for classification, based on the E.O. 13526 criteria.

45. Derivative Classification: From a sample of over 1,600 documents, the self-inspection found that 9.0% of the sample was overclassified. More specifically:

12.3% of documents classified as Top Secret (TS) were overclassified, including 11.4% that should have been Secret (S); less than 1% that should have been Confidential (C); and less than 1% that should have been For Official Use Only (FOUO).

6.3% of documents classified as S were overclassified, including 3.2% that should have been C; 1.9%, FOUO; and less than 1%, fully Unclassified (U).

16.0% of the documents classified as C were overclassified, although -- with only one exception -- the U documents would have included dissemination controls (e.g., FOUO).

The self-inspection found that 14.5% of the sample was underclassified. The predominant finding was that 48.8% of documents classified as C should have been S instead.

Additionally, the self-inspection noted that a majority of the sample (85.4%) lacked correct portion marking; 4.1% had an inappropriate ORCON/NOFORN caveat; 1.3% were missing all or part of the classification block; and 1.3% failed to identify the derivative classifier.

46. Declassification: The review of the automatic declassification program looked at both process and substantive issues and encountered no examples of missed equities, improper exemptions, or inappropriate referrals.

47. Safeguarding: The review determined that the Agency's policies and accompanying procedures related to safeguarding as outlined in E.O. 13526 are in alignment with the E.O., existing Federal statutes, and other pertinent Executive Branch issuances.
Specifically, while adhering to E.O. 13526, the Agency follows the governing requirements outlined in ICD 503 for information technology; ICD 704 for personnel security; ICD 705 for physical and technical security; and E.O. 12829 and the NISPOM for industrial security. All of these build upon the requirements listed in E.O. 13526. Additionally, the Agency is developing a more robust administration model for all information technology systems to provide enhanced enforcement of appropriate access and controls for users.

48. Security Violations: The review determined that the Agency's policies and accompanying procedures related to the reporting and investigation of security violations are in alignment with E.O. 13526 and with procedures established by the Department of Justice and the Federal Bureau of Investigation. The review confirmed that the Agency dedicates resources to ensure its ability to investigate leaks to the media and promotes enhanced internal awareness programs for employees and contractors to ensure adherence to all required security regulations involving unauthorized disclosures of classified information to the media. The Agency also has embarked on a campaign to ensure the Agency population, including cleared contractors, is made aware of their enduring obligation to protect classified information under the terms of the nondisclosure agreement. Additionally, the Agency maintains a program that incorporates the reporting, investigation, and adjudication of all security violations.

49. Security Education and Training: The review determined that the Agency's policies and accompanying procedures provide the appropriate level of security training and education commensurate with the requirements of E.O. 13526 and other applicable Executive Branch issuances.
Specifically, the review found that the Agency's security training and education program extends for the lifecycle of a cleared individual's association with the Agency and covers initial education and training indoctrination, annual refresher and mandatory training, exit debriefing, classification training, and pre-publication reviews. Training received is recorded in personnel records.

50. Management and Oversight: CMCG provides a year-round resource for classification assistance to mission partners. This includes courses intended for the professional training of classification specialists, training for new personnel in the fundamentals of classification, as well as more specialized training for the various components. CMCG also provides original and derivative classifier refresher training and a classification assistance service that provides real-time assistance to Agency personnel. Beginning in FY14, CMCG deployed its first classification referent to serve as an in-house expert for specific business areas. These functions provide insight into the types of problems that are encountered on a daily basis and help CMCG strengthen classification training, classification guide development, and regulatory policy adjustments which provide meaningful support to the workforce. CMCG brings issues to the attention of the SAO, who consults with the CIO, Agency Executive Director, and others as appropriate.

PART E: An assessment of the findings of your agency's self-inspection program

The assessment discerns what the findings mean. The assessment is an evaluation of the state of each element of your agency's CNSI program based on an analysis of the specific, concise findings of the self-inspection program.
It reports what you have determined the findings indicate about the state of your agency's CNSI program. The assessment should inform the SAO and other decision makers of significant issues that impact the CNSI program. It should be used to determine how security programs can be improved, whether the agency regulation or other policies and procedures must be updated, and if necessary resources are committed to the effective implementation of the CNSI program. The assessment should report trends that were identified during the reporting period across the agency or in particular activities, as well as trends detected by making comparisons with earlier reporting periods. It can be used to support assertions about the successes and strengths of an agency's program.

51. Original Classification: During FY14, 14 of the 18 OCA actions involved approval of new classification guides developed in collaboration with business areas in order to provide meaningful information protection guidance to officers working with those equities. CMCG continues to work closely with subject matter experts throughout the Agency to identify other business areas, programs, projects, and/or topics that would benefit from more customized guidance associated with classified material.

52. Derivative Classification: CMCG strives to support CIA toward the highest standard for classifying material; therefore, a rate of over 20% under- and overclassification is not acceptable. Lessons learned from the self-inspection will help CMCG to tailor its classification training and guidance to focus on specific improvement standards, including a greater rate of accurate portion marking; better use of certain classification guide derivatives; and applying changes to the electronic classification marking tool to improve banner and portion marking.
Based on the FY14 sample, an information campaign tailored to preventing the use of inappropriate "ORCON/NOFORN" caveats helped CMCG to reduce the use of this caveat from about 8% in FY13 to 4.1% in FY14. CMCG will continue to use similar strategies to inform the workforce on additional changes to classification markings and IC standards and requirements.

53. Declassification: CIA continued declassification program improvements with the establishment of an automated digital dashboard to help the Agency better manage Freedom of Information Act (FOIA), Privacy Act (PA), and Mandatory Declassification Review (MDR) declassification efforts. In FY14, CIA achieved a FOIA/PA backlog reduction of 3% and an MDR backlog reduction of 38%. The Agency reduced the FOIA/PA appeals backlog by 13% and closed the ten oldest FOIA/PA appeals. In FY14, the Agency automatic declassification program again released over one million pages of information and, for the first time, 20,000 pages of Presidents Daily Briefs were reviewed for declassification.

54. Safeguarding: The Agency's safeguarding measures are meeting mission needs. The Agency continually evaluates and tests its existing safeguarding measures. Safeguarding policies and procedures are being reviewed and updated to leverage technological advances for information technology (IT) systems; ensure best practices are used in information sharing; to inform the Agency population of proper classification conventions; and revise facility access protocols. In the IT systems area, the Agency is building tools to maximize accessibility of information for authorized personnel while automating process to detect and flag improper sharing of information.

55. Security Violations: The review determined that Agency personnel appropriately report security violations.
Currently, the Agency is updating its policies and procedures related to protection, accountability, control, and disposition of classified information to ensure personnel are provided with detailed guidance for all aspects of safeguarding classified national security information.

56. Security Education and Training: The Agency security and education training program meets the needs of the Agency's mission through curriculum that offers instruction for all aspects of safeguarding information. For example, advanced training for administrators reinforces the users' responsibility to protect classified data, and specialized training ensures privileged users are informed fully regarding security policies and standards. Additionally, the Agency has published updated national security classification guides to promote the identification, markings, and integrity of classified security information.

57. Management and Oversight: The self-inspection demonstrated the benefit of providing face-to-face guidance and training to Agency personnel in the WMA and the field. Travel efforts allowed CMCG to conduct hands-on interaction with field materials and officers and increased awareness of classification resources. The development of business-area specific classification guides and the deployment of a classification referent for a unique business area also demonstrated the value added to information protection when customized support is present. Interviews conducted during the self-inspection indicated that CMCG needs to improve efforts to publicize available web-based classification resources, its classification hotline, and its email support option. Accordingly, CMCG has taken steps to collaborate with IMS records management colleagues on unique customer-facing information resources, including internal blogs. CMCG will continue to assess the mission support and enhancement associated with customized classification guides, classification referents, and tailored training.
PART F: Focus Questions

Answer the questions below. If the response identifies a deficiency, it should be explained in Part D, Summary of Findings, under the relevant program area, and should be addressed in Part H, Corrective Actions.

Training for Original Classification Authorities

Original classification authorities are required to receive training in proper classification and declassification each calendar year. (Section 1.3(d) of E.O. 13526 and § 2001.70(e) of 32 C.F.R. Part 2001) (Indicate NA if your agency does not have original classification authority.)

58. Does agency policy require training for original classifiers?
58. *Yes 0 No DNA

59. Has the agency validated that this training has been received?
59. *Yes 0 No 0 NA

60. What percentage of the original classification authorities at your agency has received this training?
60. 83% C) Actual 0 Estimated

61. Have any waivers to this requirement been granted?
61. 0 Yes � No DNA

Persons who Apply Derivative Classification Markings

Persons who apply derivative classification markings are required to receive training in the proper application of the derivative classification principles of E.O. 13526, prior to derivatively classifying information and at least once every two years thereafter. (Section 2.1(d) of E.O. 13526 and § 2001.70(d)(3) of 32 C.F.R. Part 2001) (Indicate NA if your agency does not have any personnel who derivatively classify information.)

62. Does agency policy require training for derivative classifiers?
62. 0 Yes 0 No DNA

63. Has the agency validated that this training has been received?
63. *Yes 0 No DNA

64. What percentage of the derivative classifiers at your agency has received this training?
64. 97% 0 Actual C) Estimated

65. Have any waivers to this requirement been granted?
65.
*Yes 0 No DNA

Initial Training

All cleared agency personnel are required to receive initial training on basic security policies, principles, practices, and criminal, civil, and administrative penalties. (§ 2001.70(b) of 32 C.F.R. Part 2001)

66. Does agency policy require initial training?
66. * Yes 0 No

67. Has the agency validated that this training has been received?
67. ()Yes 0 No

68. What percentage of cleared personnel at your agency has received this training?
68. 100% C) Actual 0 Estimated

Annual Refresher Training

Agencies are required to provide annual refresher training to all employees who create, process, or handle classified information. (§ 2001.70(1) of 32 C.F.R. Part 2001)

69. Does agency policy require annual refresher training?
69. * Yes 0 No

70. Has the agency validated that this training has been received?
70. *Yes 0 No

71. What percentage of the cleared employees at your agency has received this training?
71. 97% 0 Actual C) Estimated

Identification of Derivative Classifiers on Derivatively Classified Documents

Derivative classifiers must be identified by name and position, or by personal identifier on each classified document. (Section 2.1(b)(1) of E.O. 13526 and § 2001.22(b) of 32 C.F.R. Part 2001) (Indicate NA if your agency does not derivatively classify information.)

72. Does your agency's review of classification actions evaluate if this requirement is being met?
72. *Yes 0 No DNA

73. What percentage of the documents sampled meet this requirement?
73. 98.9%

74. What was the number of documents reviewed for this requirement?
74. 1,648

List of Sources on Documents Derivatively Classified from Multiple Sources

A list of sources must be included on or attached to each derivatively classified document that is classified based on more than one source document or classification guide. (§ 2001.22(c)(1)(ii) of 32 C.F.R. Part 2001)

75. Does your agency's review of classification actions evaluate if this requirement is being met?
75. *Yes 0 No DNA

76.
What percentage of the documents sampled meet this requirement?
76. 50%
77. What was the number of documents reviewed for this requirement?
77. 1,648

Performance Evaluations
The performance contract or other rating system of original classification authorities, security managers, and other personnel whose duties significantly involve the creation or handling of classified information must include a critical element to be evaluated relating to designation and management of classified information. (Section 5.4(d)(7) of E.O. 13526)

78. Does agency policy require this critical element in the performance evaluations of personnel in the categories required by E.O. 13526?
78. 0 Yes 0 No
79. Has the agency validated that this critical element is included in the performance evaluations of personnel in the categories required by E.O. 13526?
79. 0 Yes 0 No
80. What percentage of such personnel at your agency has this element in their performance evaluations?
80. 100% 0 Actual 0 Estimated

OCA Delegations
OCA delegations shall be reported or made available by name or position to the Director of the Information Security Oversight Office. (Section 1.3(c)(5) of E.O. 13526). This can be accomplished by an initial submission followed by updates on a frequency determined by the SAO, but at least annually. (§2001.11(c) and §2001.90(a) of 32 C.F.R. Part 2001)

81. Have there been any changes in the delegations, by name and position, of original classification authority in your agency since delegations were reported to ISOO in 2010.
81. ()Yes 0 No 0 NA
82. Have all delegations been limited to the minimum required based on a demonstrable and continuing need to exercise this authority?
82. ()Yes 0 No 0 NA
83. If changes have been made, have they been reported, by name or position, to ISOO?
83. *Yes 0 No 0 NA

Classification Challenges
An agency head or SAO shall establish procedures under which authorized holders of information, including authorized holders outside the classifying agency, are encouraged and expected to challenge the classification of information that they believe is improperly classified or unclassified. (Section 1.8(b) of E.O. 13526) Classification challenges must be covered in the training for original classification authorities and persons who apply derivative classification markings. (§2001.71(c) and §2001.71(d) of 32 C.F.R. Part 2001)

84. Has your agency established procedures under which the classification of information can be challenged in accordance with section 1.8(b) of E.O. 13526 and §2001.14 of 32 C.F.R. Part 2001?
84. �Yes 0 No
85. Does your agency's training for OCAs and for personnel who apply derivative classification markings cover classification challenges?
85. ()Yes 0 No
86. Does your agency's training for all other cleared personnel cover classification challenges?
86. *Yes 0 No

PART G: Findings of the Annual Review of Agency's Original and Derivative Classification Actions
In this section provide specific information with regard to the findings of the annual review of the agency's original and derivative classification actions to include the volume of classified materials reviewed and the number and type of discrepancies identified.

87. Indicate the volume of classified materials reviewed during the annual review of agency's original and derivative classification actions. (If your agency does not classify information, indicate NA.)
87. 18 Original
    1,648 Derivative
88. Indicate the number of discrepancies found during the annual review of classification actions for each category below. For additional information on marking, consult the ISOO marking guide.

88 (a) Over-classification: Information does not meet the standards for classification.
88 (a) 70
88 (b) Overgraded/Undergraded: Information classified at a higher/lower level than appropriate.
88 (b) 332
88 (c) Declassification: Improper or incomplete declassification instructions or no declassification instructions.
88 (c) 17
88 (d) Duration: A shorter duration of classification would be appropriate.
88 (d) 87
88 (e) Unauthorized classifier: A classification action was taken by someone not authorized to do so.
88 (e) 0
88 (f) "Classified By" line: A document does not identify the OCA or derivative classifier by name and position or by personal identifier.
88 (f) 18
88 (g) "Reason" line: An originally classified document does not cite a reason from section 1.4 of E.O. 13526.
88 (g) 0
88 (h) "Derived From" line: A document fails to cite, or cites improperly, the classification source. The line should include type of document, date of document, subject, and office/agency of origin.
88 (h) 256
88 (i) Multiple sources: A document cites "Multiple Sources" as the basis for classification, but a list of these sources is not included on or attached to the document.
88 (i) 7
88 (j) Marking: A document lacks overall classification markings or has improper overall classification markings.
88 (j) 378
88 (k) Portion Marking: The document lacks some or all of the required portion markings.
88 (k) 1,214
88 (l) Instructions from a classification guide are not properly applied.
88 (l) 453
88 (m) Other: Inappropriate use of prohibited ORCON/NOFORN caveat.
88 (m) 67

PART H: Corrective Actions
89. Describe actions that have been taken or are planned to correct identified program deficiencies, marking discrepancies, or misclassification actions, and to deter their reoccurrence.
CMCG will continue to use its mandatory derivative classifier refresher training, new employee training, and varied classification topic training courses to improve awareness of appropriate classification marking policies and practices. CMCG uses internal information forums, including IMS blogs, group newsletters, the CMCG website, and CIA news resources to publicize and promote requirements. During FY14, CMCG used these means to raise awareness regarding current and forthcoming changes to HCS and ORCON-USGOV. CMCG has started the process of translating lessons learned into process improvements through its classification assistance resources, feedback to field locations visited, and highlighting persistent problems through the internal media resources referenced above. CMCG will continue to work with electronic systems developers to address identified issues with automated classification and will maintain its active role in review of, and counsel toward, changes in IC markings standards and their application within the Classification Marking Tool. CMCG will continue its engagement with the major business areas of CIA to translate the findings of this inspection into action in FY15.

PART I: Best Practices
Best practices are those actions or activities that make your self-inspection program and/or CNSI program more effective or efficient. They set your program apart through innovation or by exceeding the minimum program requirements. These are practices that may be utilized or emulated by other agencies.

90. Describe best practices that were identified during the self-inspection.

Agency use of metrics to track its declassification efforts constitutes a best practice. Metrics allow managers to monitor, on a real-time basis, progress toward declassification review goals and to ensure review accuracy.
In an environment of high researcher demand and resource constraints, such monitoring is critical to identify bottlenecks and inefficiencies, spot trends, and redeploy resources to improve review accuracy. This helps CIA to manage most efficiently its production workload to meet required deadlines.

The inclusion of field locations offered tremendous insights into the application of classification training, awareness, and resources to mission-critical activities. The ability to sample field documents and interview personnel provided CMCG with valuable information on the impact of location and close-to-mission focus on classification practices. Additionally, the opportunity to brief leadership in the field provided a valuable information sharing opportunity and allowed CMCG to promote available classification assistance resources.

During FY14, the addition of a classification referent to a major-action business area provided the ability to better serve mission partners in a timely, efficient manner. CMCG will continue to explore additional deployment of these officers in the future.

CMCG deployed its FY15 mandatory derivative classification training refresher course on 1 October. This will allow CMCG to strengthen metrics reporting to ISOO on this E.O. 13526 obligation.

PART J: Explanatory Comments
Use this space to elaborate on any section of this form. If more space is needed, provide as an attachment to this form. Provide explanations for any significant changes in trends/numbers from the previous year's report.

065. One waiver was granted regarding the derivative classification training requirement. The individual who received the waiver completed the training before the end of FY14.

076. In its survey of 1,648 documents, CMCG found 70 documents that used Multiple Sources, a source document, or another government agency classification guide in either the classification block of the primary document or in attachments to the primary document.
56 of these documents involved Multiple Sources specifically. CMCG discovered that the major issue for derivative classifiers existed in the transfer of "Multiple Sources" as a classification citation from attachments to primary documents. Additional training and education on this point should help remedy the issue in FY15.

088H. CMCG found 256 instances in which documents 1) met the criteria for classification; 2) were marked as classified; and 3) were classified at the correct level; but with the wrong citation from the CIA National Security Classification Guide (NCSG). Adjusting for possible discrepancies in the level of classification, this number rises to 341.

088K. CMCG found the failure to fully and/or appropriately portion mark to be a major issue in the FY14 self-inspection. CMCG applied a very conservative standard to this assessment, marking as wrong those documents that did not fully and correctly use portion marks for all required document portions. CMCG held classified documents and unclassified documents with dissemination controls to the same standard. Subsequently, CMCG found only 72 documents that fully met the standard for correct portion marks. Another 151 documents were found to be partially correct. Through document review and interviews with field personnel, CMCG found that the practice of portion marking often was not observed when officers were faced with time-sensitive, mission-critical matters.

088L. CMCG found 453 instances in which documents 1) met the criteria for classification; 2) were marked as classified; 3) were classified at the correct level; and 4) had at least one correct citation from the CIA NCSG, but were found to be missing other reasonable citations from the NCSG. Adjusting for possible discrepancies in the level of classification, this number rises to 478.

For ISOO Use Only
ISOO Analyst: Date QC: Analyst Initials: