LETTER TO JOHN P. FITZPATRICK FROM JOSEPH W. LAMBERT

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
06896969
Release Decision: 
RIPPUB
Original Classification: 
U
Document Page Count: 
7
Document Creation Date: 
July 11, 2023
Document Release Date: 
February 22, 2022
Sequence Number: 
Case Number: 
F-2015-02655
Publication Date: 
December 17, 2012
Body: 
Approved for Release: 2022/01/27 C06896969

UNCLASSIFIED//FOUO

Central Intelligence Agency
Washington, D.C. 20505

17 December 2012

Mr. John P. Fitzpatrick
Information Security Oversight Office
700 Pennsylvania Avenue, N.W.
Washington, D.C. 0408-0001

Dear Mr. Fitzpatrick:

(U) In response to the Information Security Oversight Office's (ISOO) 23 August 2012 request, the Central Intelligence Agency (CIA) has completed an inspection of its classification practices and our report is attached.

(U//FOUO) Since the publication of EO 13526, CIA has endeavored to design an audit methodology and survey instrument that would best capture employees' classification and marking decisions and provide data that CIA could use to better tailor policies and training. We plan to audit several components across our agency each year so that we are able to obtain classification data from employees working in each of our mission and support areas.

(U//FOUO) This year's reporting cycle was focused on the audit of our headquarters based staff. We selected an administrative component that is engaged in the formulation and implementation of policy and on the development and delivery of training to our agency's employees. This unit is comprised of employees with a range of experience including some who have recently entered on duty and others with twenty or more years of experience.

(U//FOUO) At the start of the audit these employees were given a survey which asked a range of questions about their classification practices including what types of training they had received, their awareness of classification policies and tools, their safeguarding practices, and types of documents they typically classify. The audit staff then reviewed documents created and classified by each person against a checklist that contained elements focused on the use of guidance, the classification level, the block, banner, and portion marking. The audit revealed that a percentage of documents lacked consistent portion marking but the level of classification was correct on the vast majority of documents evaluated.

(U) In order to provide a report that is unclassified, we focused on the outcome and did not discuss any classified details regarding the work, the organizational specifics, or examples of issues found.

(U) Please contact Mr. Harry Cooper, Chief, Classification Management and Collaboration Group, at 703- if you have any questions regarding the FY 2011 mission.

Joseph W. Lambert
Director, Information Management Services

Enclosure

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Executive Order 13526
2012 CIA Self Inspection Report

I. Introduction:

a. (U) In accordance with E.O. 13526 § 5.4 (d)(4) as implemented by 32 C.F.R. 2001.60, the Central Intelligence Agency (CIA) has established an ongoing self-inspection program which includes a regular review of a sample of CIA classification decisions. The 2012 CIA self-inspection report is provided to CIA's Senior Agency Official who is appointed in accordance with § 5.4 (d) of the Order and is authorized to correct misclassification actions identified during the self-inspection process. While CIA has had an ongoing self-inspection program under predecessor Orders, it is noted that the revised language in EO 13526 brings a greater level of formality to the self-inspection process and has changed the CIA's overall methodology from a distributed process where Classification Management Specialists deployed to CIA elements each conducted several annual informal inspections, to a more formal annual process where one or more components within the CIA are chosen and teams deployed to review classification of that component. The results of these formal "Classification Assistance Visits" will be synthesized into a single report to the Information Security Oversight Office (ISOO).

II. (U) Program Description:

a. In the intelligence business, classification of information is a more integral part of each employee's daily work than in perhaps any other governmental function in the United States. The CIA makes extensive use of email on classified networks, collects intelligence information that is classified upon collection, and has innumerable issues related to association of CIA with many people, places and things that often make the mere fact of association classified.

b. (U) We have relied more on the expertise of our officers in the intelligence business than we have on extensive classification guides due to the nuanced nature of our business. As part of the required fundamental classification guidance review we completed under EO 13526 § 1.9 the CIA has embarked on a significant program to re-write classification guidance on all aspects of the CIA mission. Some new guidance is now available, but work is in progress on the largest portion of the changes in guidance.

c. (U) In the 2012 self-inspection cycle we looked at a HQ based component with a largely administrative role. This element provides policy support, customer service, and training. We chose an element with a wide variety of classified documents ranging from email to formal reports to electronic messages. This unit supports sensitive compartmented programs and has a reach across the entire agency, so we believe its work is uniquely representative of a broad swath of administrative support for the agency mission. Unlike the review we made in 2011 of an operational component, officers in this element are more steeped in corporate policy and typically are not on short duration assignments or experience a significant operational tempo in their daily work.

d. (U) In 2012 we worked to improve and standardize our self-inspection program. We utilized a standard format for data collection (see attachment "A") to ensure that each officer we reviewed and each document we inspected would be viewed under the same standards. While the data collected suggests some minor changes to the form may be needed, we believe that overall this strategy for collecting information on our classification practices will work well.

e. (U) In 2013 we anticipate a blended approach including both operational components and HQ elements. We recognize that our visits to our mission elements must be equally evaluative and helpful. We will utilize these visits as an opportunity for mission-specific classification training. Our goal is for employees to welcome our visits as a means to improve performance rather than as some kind of "inspection" oriented at finding problems.

III. Summary of Findings:

a. (U) Overall classification at CIA is good. In our inspection of a representative sample of documents we generally found that the classification levels assigned by the derivative classifiers were correct. A breakdown of areas we focused on includes the following:

1. (U) Original Classification Decisions: CIA will only report 4 OCA decisions for 2012. We did not review these decisions as they were all made by the manager of the classification management program at CIA and should reasonably be consistent with requirements of the Order.

2. (U) Overall Classification Levels: We have determined that the identification of classification levels using our guide has been very good. We do not believe the majority of classified documents are either under or over classified.

3. (U) Use of Classification Guidance: In our headquarters environment, employees use an automated tool to mark documents and that tool includes a feature allowing the employee to go directly to the guidance and review it as they make the derivative decision. We find this works well when the employee has a good understanding of the information, but the limited detail in our guidance needs improvement. We found a 5.5% error rate in using the appropriate guidance.

4. (U) Security Violations: The number of violations by CIA employees continues to be relatively low. Like any large organization we do have a number of simple mistakes or errors of omission (such as failing to secure a lock or transporting classified information in an unapproved manner). As part of the required annual training for derivative classifiers we have included instruction in safeguarding that should help reduce the number of violations.

5. (U) Portion Marking: This remains the weakest area among CIA employees. The use of email in government is beginning to mimic its use outside of the work environment. As a result these often cryptic communications lack the formality usually associated with portion marking. We found that in 20.8% of the documents we reviewed portion marking errors (or omissions) were identified.

6. (U) Overall Classification Quality: In addition to the 5.5% errors in selecting the correct use of guidance and 20.8% portion marking errors we found that 2.7% also had issues with markings showing the classification of an attachment or transmittal document without the attachment. None of the reviewed documents were classified at the incorrect level. Overall about 29% of documents reviewed had some kind of error, but those errors were generally minor and procedural rather than over or under classification.

7. (U) Declassification: We did not evaluate declassification during this self-inspection cycle. The CIA programs, however, remain a best practice in government.

8. (U//FOUO) Safeguarding: Safeguarding of classified information is greatly enhanced at the CIA where virtually all work areas are Sensitive Compartmented Information Facilities (SCIFs). Regular security inspections of facilities and security equipment are provided by our Office of Security, and all deficiencies are handled as quickly as possible.

9. (U//FOUO) Security Education and Training: Employees are required to complete a classification management Computer Based Training (CBT) program that is revised each year, and as a condition of access to classified computer systems and networks employees must also complete a CBT annually that is focused on information systems security. Additionally, classification management professionals placed directly within agency components also provide many ad hoc training sessions or briefings to ensure employees remain continually focused on issues related to classification management and safeguarding of classified information.

10. (U//FOUO) Management and Oversight: Within the area of responsibility of the Chief Information Officer for CIA, the office of Information Management Services (IMS) maintains responsibility for classification management. The Director of IMS is the Senior Agency Official (SAO) under § 5.4 of the Executive Order. To facilitate his role as SAO, the D/IMS has established a senior level component (Classification Management and Collaboration Group) led by an SIS/SES level officer to ensure that all classification management requirements established by the Executive Order, implementing directive, or implemented by the Director of National Intelligence (DNI) have been fully complied with at the CIA. The Chief of the Classification Management Group is responsible for classification counts, self inspections and many ongoing CIA programs to ensure the protection of classified information.

IV. (U//FOUO) Completed or Planned Corrective Actions:

Classification guidance in the form of accurate detailed guides is essential in getting classification right. The CIA has embarked on a Fundamental Classification Guidance Review as required by the Order that when completed will provide significantly better guidance to employees. Work has also begun to institutionalize the requirement for biennial training of derivative classifiers and annual training of original classifiers. This training will also go a long way toward improving employee understanding of the classification process.

V. (U) Identified Best Practices:

a. As discussed above, declassification at the CIA is clearly a best practice.

b. We also noted no issues with classification blocks or banner markings. This is due to a large degree to our use of an automated marking tool created by CIA that operates with every application our users create documents with. The tool applies the CAPCO register markings exactly as prescribed by ISOO and CAPCO and no mistakes are ever present in the blocks or banners with regard to format or completeness of markings. This is clearly a CIA best practice.

VI. (U) Conclusions:

a. Overall classification is good, but areas for improvement do exist.

1. Additional training in portion marking will be provided. We provide derivative classifier training annually (more frequently than the EO requires) and we will incorporate portion marking training in this annual training program. In addition we plan portion marking workshops to give employees hands-on instruction in portion marking different kinds of documents and messages that they write.

2. The work to improve guidance with more detailed classification guides will continue and as new guides are introduced we believe that the quality of decisions will improve. We have already completed several new guides and many others are in development. We are confident that richer guidance will improve the precision of derivative decisions.

3. We will increase awareness among employees that while email may facilitate information communication, it still requires all classification markings when the email is classified.

b. The increasingly informal ways that government business is conducted today using technology that includes instant messaging, email, blogs and wikis, is changing the way people create and mark classified information. We are learning that we need new tools, training and techniques to bring to our workforce the means to ensure protection of classified information without removing the extemporaneous nature of modern communication.

//end//