REPORT OF EVALUATION

Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED//F0110 CENTRAL INTELLIGENCE AGENCY Office of Inspector General (U) REPORT OF EVALUATION (U) Evaluation Required by the Reducing Over-Classification Act Report No. 2013-0016-AS 26 September 2013 UNCLASSIFIEDilFetke- Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/fFelfe (U) Report of Evaluation (U) Evaluation Required by the Reducing Over-Classification Act Report No. 2013-0016-AS (U) EXECUTIVE SUMMARY (U) This evaluation was conducted in response to a requirement contained in the Reducing Over-Classification Act, Public Law 111-258 (7 October 2010). The Act requires the Inspector General of each US department or agency with an officer who is authorized to make original classifications, in consultation with the National Archives and Records Administration, Information Security Oversight Office (IS00), to conduct no less than two evaluations of that department or agency. In accordance with the Act, the objectives of this evaluation were to: � (U) Assess whether applicable classification policies, procedures, rules, and regulations have been adopted, followed, and effectively administered within the CIA. � (U) Identify policies, procedures, rules, regulations, or management practices that may be contributing to persistent misclassification of material. (UHFOU0) CIA classification policies, procedures, and regulations are consistent with federal requirements and have supported implementation of an effective classification management program. CIA's classification management program is administered by the CIA Office of the Chief Information Officer, Information Management Services (IMS). IMS provides an array of classification services and tools ranging from classification ,:*y guidance to classification management software. According to IMS officials, deployed CIA Information Management Technical Officers (IMT0s) assist CIA personnel in accessing, protecting, organizing, and preserving information in accordance with federal and CIA regulations. IMS has established procedures for individuals to challenge CIA classification decisions and a process for adjudicating classification challenges. Although CIA policies adhere to federal standards for managing classification, there are some areas of classification management that should be improved. (UHFOU0) The CIA's fiscal year (FY) 2012 annual self-inspection of its classification management program and report of the self-inspection did not fully comply with the standards prescribed in Executive Order (E.0.) 13526, Classified National Security Information, and the requirements of 32 Code of Federal Regulations (C.F.R.) Part 2001 - Classified National Security Information. CIA's self-inspection report did not address all of the required areas and lacked sufficient details in certain areas. Our 1 UNCLASSIFIED/W-040- (b)(3) Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/tr.-MO- evaluation report recommends that a process be implemented to ensure that the CIA addresses all self-inspection program reporting requirements prescribed by E.O. 13526 and 32 C.F.R Part 2001. (U) CIA has not established a derivative classification training program that satisfies the E.O. 13526 requirement that persons who apply derivative classification markings receive training in the proper application of derivative classification principles at least once every two years. Agency Regulation establishes a requirement for biannual training for derivative classifiers and provides for suspending derivative classification authority for those who fail to meet the training requirement. A computer-based derivative classification training course was deployed in 2012. However, according to an IMS official, insufficient band- width restricted the number of CIA personnel who were able to access the derivative classification training course, and only 43 percent of CIA personnel completed the course in 2012. This report recommends that effective, mandatory derivative classification refresher training for CIA personnel be implemented as required by E.O. 13526 and (U) We found no instances of over-classification in the sample of finished (b)(3) intelligence reports that we reviewed. However, we found numerous errors with how required information was presented in the reports' classification blocks and with the portion marking of the reports. Some of the errors resulted from updates to the CIA's automated classification management tool (CMT) not being fully deployed to all CIA users. Other errors were the result of internal processes associated with posting the reports to the World Intelligence Review (WIRe). This report recommends that IMS fully deploy the updated version of the CIA's classification management tool to comply with the derivative classification marking standards and guidance prescribed in the ISOO booklet, Marking Classified National Security Information. The report also recommends that procedures be implemented for posting material to the WIRe that comply with the derivative classification marking standards and guidance prescribed by the 'S00. (b)(3) (b)(6) Assistant Inspector General for Audit 2 UNCLASSIFIED/X-014G Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/tFOLH3- (U) BACKGROUND (U) The Reducing Over-Classification Act, Public Law 111-258 (7 October 2010), was enacted in response to issues highlighted by the National Commission on Terrorist Attacks Upon the United States (the "9/11 Commission"). The 9/11 Commission concluded that security requirements lead to over-classification and excessive compartmentation of information among agencies.' The 9/11 Commission observed that over-classification of information interferes with accurate, actionable, and timely information sharing; increases the cost of information security; and needlessly limits stakeholder and public access to information. The Reducing Over-Classification Act requires the Inspector General of each US department or agency with an officer who is authorized to make original classifications, in consultation with the Information Security Oversight Office (IS00),2 to conduct no less than two evaluations of that department or agency to: � (U) Assess whether applicable classification policies, procedures, rules, and regulations have been adopted, followed, and effectively administered. � (U) Identify policies, procedures, rules, regulations, or management practices that may be contributing to persistent misclassification of material. The first evaluation is to be completed no later than 30 September 2013. The second evaluation will review progress in addressing the results of the first evaluation and is to be completed no later than 30 September 2016. The Act requires that the Inspectors General coordinate their work with one another and with the ISOO to ensure that evaluations are conducted following a consistent methodology that allows for comparisons across departments and agencies. (U) On 29 December 2009, President Obama signed Executive Order (E.0.) 13526, Classified National Security Information, which established the current principles, policies, and procedures for classification. E.O. 13526 prescribes a uniform system for classifying, safeguarding, and declassifying national security information. E.O. 13526 expresses the President's belief that the nation's progress depends on the free flow of information, both within the government and to the American people. Accordingly, protecting information critical to national security and demonstrating a commitment to open government through accurate and accountable application of classification standards and effective declassification are equally important priorities. (U) Over-classification is the designation of information as classified, when the information does not meet one or more of the standards for classification under E.O. 13526, Classified National Security Information. 2(U) The ISOO is a component of the National Archives and Records Administration and receives policy and program guidance from the National Security Staff. ISO� is responsible for policy and oversight of the Government-wide security classification system and the National Industrial Security Program. 3 UNCLASSIFIED/If-GU-a Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/IfelJet (U) As prescribed by E.O. 13526, information that requires protection against unauthorized disclosure to prevent damage to national security must be marked appropriately to indicate its classified status. Information may be classified at one of the following three levels: 1. (U) "Confidential"�applied to information when its unauthorized disclosure could reasonably be expected to cause damage to the national security that the original classification authority is able to identify or describe. 2. (U) "Secret"�applied to information when its unauthorized disclosure could reasonably be expected to cause serious damage to the national security that the original classification authority is able to identify or describe. 3. (U) "Top Secret"�applied to information when its unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe. If significant doubt exists about the appropriate level of classification, E.O. 13526 prescribes that the information be classified at the lower level. (U) Executive Order 13526 prescribes that the authority to classify information originally may be exercised only by individuals authorized by the President, the Vice President, agency heads, or other officials designated by the President. E. 0. 13526 defines "original classification" as the initial determination that information requires, in the interest of the national security, protection against unauthorized disclosure. The President has delegated original classification authority to the Director, CIA who has, in turn, delegated original classification authority to CIA officials. To make an original classification decision, an authorized individual must determine if the information meets the following standards: � (U) The information is owned, controlled, or produced by or for the US Government. � (U) The information falls within one or more of the eight categories of information described in Section 1.4 of E.O. 13526, such as intelligence activities, intelligence sources or methods, or cryptology. � (U) The unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, which the original classification authority is able to identify or describe. By definition, original classification precedes all other aspects of the security classification system, including derivative classification, safeguarding, and declassification. 4 UNCLASSIFIED/IF-003- Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/WO-L/0- (U) According to Agency Regulation all cleared Agency personnel�staff, detailees, and contractors� are authorized to apply derivative classification in accordance with E.O. 13526. Information may be derivatively classified from a source document, or through the use of a classification guide. (U) Federal departments and agencies may implement a system of restrictive caveats that can be applied to classified information in the form of dissemination controls and handling instructions. These caveats are not classifications, rather, they prescribe how classified information can be distributed or shared. Only those dissemination controls and handling instructions approved by the ISO� or, with respect to Intelligence Community organizations, by the Director of National Intelligence (DNI), may be used. (U) RESULTS AND RECOMMENDATIONS (U) CIA Classification Program Management Is Generally Effective (UHFOU0) CIA classification policies, procedures, and regulations are consistent with federal requirements and have supported implementation of an effective classification management program. CIA's classification management program is administered by the CIA Office of the Chief Information Officer, Information Management Services (IMS). IMS provides an array of classification services and tools ranging from classification policy guidance to classification management software. According to IMS officials, there are IA Information Management Technical Officers (IMT0s) who are deployed within various CIA components and assist personnel in accessing, protecting, organizing, and preserving their information in accordance with federal and CIA regulations. IMTOs are trained in classification standards and provide guidance in making classification decisions and applying classification markings. IMS has also established a procedure for individuals to challenge CIA classification decisions and a process for adjudicating classification challenges. (U) CIA Exercise of Original Classification Authority U Agency Guidance lists IA positions that have original classification authori the Director, CIA and positions delegated authority by the Director, CIA. Of the CIA officers that have been delegated original classification authority, only one officer has exercised this authority in the last five years. The only CIA officer to exercise original classification authority in the last five years is the Chief, Classification Management and Collaboration Group (CMCG), IMS. The incumbent in this position is an expert in information and classification management with over 30 years of experience. The Chief, CMCG adjudicates classification challenges, and his staff is responsible for developing and administering the Agency's classification training program. (b)(3) 5 UNCLASSIFIED/WO-L/0- (b)(3) (b)(3) Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/IF-GU& (U) We reviewed the four original classification decisions made by the Chief, CMCG in FY 2012. In each instance the Chief, CMCG documented the rationale behind his classification decisions and why the information was not covered by an existing citation in the CIA National Security Classification Guide . According to the Chief, CMCG, the CIA National Security Classification Guide is updated every five years, and these original classification decisions will be addressed, as appropriate, in the next revision of the Guide, which is planned for 2015. (U) As prescribed by 32 Code of Federal Regulations (C.F.R.) Part 2001, persons having original classification authority are required to receive training in proper classification prior to originally classifying information and at least once per calendar year thereafter, incorporates these requirements and provides for suspending original classification authority for persons who fail to meet training requirements. Although only current CIA officers having original classification authority have completed training, the training requirement must be satisfied before the authority is exercised. The Chief, CMCG has completed required training. (U) CIA Exercise of Derivative Classification Authority (b)(3) (b)(3) (b)(3) (U) states that all cleared Agency personnel�staff, detailees, and contractors�are authorized in accordance with E.O. 13526 to apply derivative classification. According to the Chief, CMCG and CIA reporting to ISO�, CIA personnel made more than 27 million derivative classification decisions in FY 2012. Unlike many other federal agencies, the CIA has maintained a single, comprehensive classification guide rather than individual guides for projects, programs, or categories of information. (U) In response to an E.O. 13526 requirement, IMS undertook a review of the CIA National Security Classification Guide. The review concluded that greater precision in (b)(3) the use of the guide might be achieved if the key intelligence disciplines that are represented in the guide, e.g. were reviewed by subject (b)(3) matter experts (SMEs) in each discipline. A team of classification guidance professionals have engaged with the SMEs to examine in detail why specific aspects of CIA business processes, tradecraft, and operations are classified and to identify those aspects that are not. IMS plans to expand the guide to include appendices for each of the intelligence (b)(3) disciplines to provide detailed guidance for CIA officers when making derivative classification decisions. (UHFOU0) Although CIA policies adhere to federal standards for managing classification, there are some areas of classification management that should be improved. 6 UNCLASSIFIEDWGIJO Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/I-Kee- (U) CIA Self-Inspection of Its Classification Management Program Needs To Be Strengthened (UHFOU0) The CIA's fiscal year (FY) 2012 self-inspection of its classification management program and report of the self-inspection did not fully comply with the standards prescribed in E.O. 13526 and the requirements of 32 C.F.R. Part 2001 - Classified National Security Information. CIA's self-inspection report, submitted to the ISO() on 14 December 2012, did not address all of the required program areas and lacked sufficient details in certain areas. The report's statement regarding required classification training implied that the CIA's computer-based, derivative classifier training had been fully implemented, which was not the case for FY 2012. (U) E.O. 13526 requires each federal agency to establish and maintain an ongoing self-inspection program and to report annually to the Director of the 'SOO the results of the agency's self-inspection. 32 C.F.R. Part 2001 prescribes specific standards for establishing and maintaining a self-inspection program. The self-inspection is to include reviews of representative samples of original and derivative classification decisions, declassifications, safeguarding of classified information, procedures for assessing security violations, security education and training, and management and oversight. In addition, the self-inspection is to assess actions taken or planned to correct deficiencies in the classification management program and identify best practices in classification management. The self-inspection report is required to include a description of the self- inspection program and a summary of the findings from the self-inspection. (U) In a 6 March 2013 letter to the Director, IMS the Director, ISO() outlined deficiencies in the CIA's FY 2012 self-inspection report that had been noted by the ISO() staff: � (U) The report included only a partial description of the CIA's self- inspection program and did not fully describe its structure, approach, frequency, coverage, and reporting. � (U) The report provided an assessment of the findings of the CIA's self-inspection program for a majority, but not all, of the required program areas. � (U) The report answered less than half of the focus questions that apply to CIA. � (U) The report provided the types and percentages of discrepancies found during the annual review of classification actions, but failed to provide the volume of classified materials reviewed. According to the Chief, CMCG, an ISO() staff member advised that the number of documents reviewed in CIA's testing of derivative classifications was not sufficient to meet the standards of 32 C.F.R. Part 2001. UNCLASSIFIED/iFOL}0- Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIEDitFette- (U/ ) Our review of the CIA's self-inspection report found that although most of the required program areas were addressed, the report included few details on several of the areas. For example, the section of the report addressing security violations states that the number of violations by CIA employees continues to be relatively low, but the report does not cite the number of security violations that occurred in FY 2012 or whether the number decreased or increased over previous years. The report states that CIA chose not to evaluate declassification actions in its FY 2012 self-inspection but provides no explanation for that decision. In addition, the report references the CIA's mandatory classification management training program. Although requires derivative classification training, only 43 percent of CIA personnel have completed the training. (U) IMS officials told us that, because IMS resources had been devoted to implementing other requirements of E.O. 13526, for example the review of the CIA classification guide, limited IMS resources were available to conduct the self-inspection of the CIA's classification management program. IMS is working to develop procedures to more effectively and efficiently conduct the self-inspection and prepare the report of the self-inspection for submission to the ISO� in FY 2013. (U) Recommendation (U) The Director, IMS concurs with this recommendation. In comments on a draft of this report, he stated that IMS chose not to include information about CIA's declassification program as part of the FY 2012 self-inspection because the CIA declassification program undergoes regular inspections by the ISO� staff. According to the Director, IMS, CIA's declassification program has been repeatedly identified by ISO() as a "best practice" throughout government. (U) Required Derivative Classification Training Has Not Been Fully Implemented (U) CIA has not established a derivative classification training program that satisfies the E.O. 13526 requirement that persons who apply derivative classification markings receive training in the proper application of derivative classification principles at least once every two years. E.O. 13526 prescribes that derivative classifiers who do not complete such training at least once every two years will have their authority to apply derivative classification markings suspended until they complete such training. establishes a requirement for biannual training for derivative classifiers and provides for 8 UNCLASSIFIED/W-009- Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/I-Fee& suspending derivative classification authority for those who fail to meet the training requirement. (U) All CIA employees receive classification training when they enter on duty. A mandatory, computer-based derivative classification refresher training course was deployed in 2012. However, according to the Chief, CMCG, insufficient band-width restricted the number of CIA personnel who were able to access the derivative classification training course, and only 43 percent of CIA personnel completed the course in 2012. Although equires training only every other year, the computer-based training course states that the training is an annual requirement for all derivative classifiers. The Chief, CMCG told us that completion of the computer-based derivative classification training course will be made an annual requirement by revision of when the course is effectively implemented. A 2013 version of the course has been developed and is being tested to ensure that it is deployed with adequate band-width. (U) Recommendation 2 (Significant)�For the Director, Information Management Services, Office of the Chief Information Officer, in coordination with the Chief Information Officer: Implement effective, mandatory derivative classification refresher training for CIA personnel as required by Executive Order 13526, Classified National Security Information, and Agency Regulation (U) The Director, IMS concurs with this recommendation. (U) Classification Markings for Finished Intelligence Are Not Fully Compliant With Current Standards (U) Derivative classification markings in CIA finished intelligence products are not always consistent with the guidance and standards prescribed by the 'SOO. The ISO� booklet, Marking Classified National Security Information, revised 1 January 2012, prescribes classification markings for derivatively classified documents. The booklet provides guidance on the components of the classification banner' and classification box, classification duration, and placement of portion markings. Except in extraordinary circumstances, or as approved by the Director, 'SOO, the marking of classified information may not deviate from the prescribed formats. (U//f�449)- We reviewed a statistical sample of finished intelligence reports from calendar year 2012 posted to the World Intelligence Review (WIRe), an enterprise website hosted by CIA that provides intelligence analysis, clandestine reporting, and open source content to policymakers and the Intelligence Community. The mished 3 (U) Classification banners appear at the top and bottom of each page of a classified document and include information such as classification level, sensitive controlled information markings, and dissemination control markings. UNCLASSIFIED/W-00e- Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/Ifelzfe- (b)(3) intelligence reports were derived from intelligence reports and open source documents. In conducting our review, we examined a sufficient number of source documents to assess the classification markings appended to the finished intelligence reports. We assessed the content of classification blocks and other required classification markings, such as portion markings. In total, we tested 16 attributes concerning classification level and markings. (U) We found no instances of over-classification in the finished intelligence reports we reviewed. However, we found numerous errors with how required information was presented in the reports' classification blocks and with the portion marking of the reports. Some of the errors resulted from the CIA's automated classification management tool (CMT) not being updated to reflect current classification marking standards. Other errors were the result of internal processes for posting WIRe articles. Errors caused by the outdated CMT involved: � (UNT4444) Declassification Instructions: Seventy-five percent of the sampled reports had inaccuracies in the declassification instructions in the classification block. Discrepancies included: use of a 50-year declassification date when there was no sensitive human source information to justify the extended period of classification; and use of "25X1-Human," which is no longer an authorized designation for declassification. CIA internal guidance states that the use of "25X1-Human" was eliminated with E.O. 13526. However the CMT still allows derivative classifiers to select this declassification marking. � (U) Inclusion of a Classification Reason: Twelve percent of the sampled finished intelligence products included in the classification block a "Classification reason" line, which is no longer required for derivatively classified documents. (b)(3) Errors caused by weaknesses in internal processes for posting WIRe articles involved: � (U) Identification of the Classifier: Ninety-two percent of the finished intelligence reports in our sample did not have a "Classified by" line in the classification block. Derivative classifiers should be identified by name and position or by a unique personal identifier, in a manner that is immediately apparent on each derivatively classified document. The CMT automatically populates the "Classified by" line. However, for finished intelligence products published on the WIRe, the CMT stores the classifiers' information but does not display the information. � (U//FOU0) Classification Source: Thirty-nine percent of the finished intelligence reports in our sample did not accurately identify the classification source in the "Derived from" line, as prescribed by the 'SOO classification marking booklet. The "Derived from" line identifies the source document or classification guide used to classify the document. 10 UNCLASSIFIEDH-FOLfe- Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/I-F(30a When using multiple source documents, the "Derived from" line should be marked "Multiple Sources" and a list of those sources should be included with the report. However, based on procedures used for the publication of finished intelligence reports on the WIRe, when a source document includes a sensitive controlled information marking in the classification, only that source document is listed on the "Derived from" line of the report, regardless of the classifications of other source documents. This practice does not comply with ISOO guidance. � (U) Identification of Multiple Sources: Twenty-three percent of the finished intelligence reports in our sample that accurately cited "Multiple Sources" in the "Derived from" line of the classification block did not include sufficient information in the source list to identify all source documents. For example, information on some source documents was limited to identifying the federal agency that produced the documents, but did not include titles, document numbers, or dates. � (U) Portion Marks: Fifty-three percent of the finished intelligence reports had portion marks at the end of the portions to which the marks applied. According to the ISO() classification marking booklet, portion marks should precede the portions to which they apply. This issue appears to be the result of a delay in implementing a change regarding the placement of portion marks, which has since been resolved. Current WIRe articles correctly placed portion marks at the beginning of the portions to which they apply. (U) Although CIA guidance has been updated to reflect current classification requirements, the CMT and procedures for publication of WIRe articles have not been updated and fully deployed. The CMT is an automated tool that is intended to assist derivative classifiers in correctly classifying and marking classified information. The CMT should incorporate current standards for classification markings. In addition, managers of the WIRe need to consult with IMS to develop procedures to ensure that classification markings and the classification block on articles published in the WIRe are fully compliant with current ISO() marking requirements. (U) Recommendation (b)(3) (b)(5) 11 UNCLASSIFIED/If-04G- Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/tFeth3- (U) Director, IMS concurs with this recommendation. In comments to a draft of this report, he stated that due to the complexity of updates to CIA systems worldwide, the updated version of the CMT, made available to intelligence community agencies in September 2012, has not yet been fully deployed at CIA. The completion of the update process to bring all CIA users into compliance will take some time. He also stated that some errors in classification markings are caused by user error and cannot be corrected with the updates made to the CMT. (U) Recommendation (U) In comments on a draft of this report, the Director and Managing Editor of the WIRe stated that he concurs with the recommendation, and that the WIRe development team is working to update the classification block of all WIRe featured content items. 12 UNCLASSIFIED/IF-GI:Ha- Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/fFetle Exhibit A (U) Objectives, Scope, and Methodology (U) This evaluation was conducted in response to a requirement contained in the Reducing Over-Classification Act, Public Law 111-258 (7 October 2010). The Act requires the Inspector General of each US department or agency with an officer who is authorized to make original classifications, in consultation with the National Archives and Records Administration, Information Security Oversight Office (IS00), to conduct no less than two evaluations of that department or agency. In accordance with the Act, the objectives of this evaluation were to: � (U) Assess whether applicable classification policies, procedures, rules, and regulations have been adopted, followed, and effectively administered within the CIA. � (U) Identify policies, procedures, rules, regulations, or management practices that may be contributing to persistent misclassification of material. The first evaluation is to be completed no later than 30 September 2013. The second evaluation will review progress in addressing the results of the first evaluation and is to be completed no later than 30 September 2016. This review focused on whether CIA is in compliance with the requirements and standards set forth in Executive Order (E.0.) 13526, Classified National Security Information, and 32 Code of Federal Regulations (C.F.R.), Part 2001, Classified National Security Information, for a uniform system for classifying and safeguarding national security information. (U) The scope of the evaluation included an assessment of CIA regulations, classification management process and procedures, fiscal year 2012 reporting to the ISO�, classification training programs, and the accuracy of classification markings appended to finished intelligence reports issued in calendar year 2012. To accomplish evaluation objectives, we: � (U) Reviewed Public Law 111-258; Executive Order (E.0.) 13526; 32 C.F.R. Part 2001; ISO� guidance for self-inspection programs; the ISO() booklet, Marking Classified National Security Information; CIA regulations; and internal CIA guidance issued by the Office of the Chief Information Officer, Information Management Services. � (UHFOU0) Interviewed the CIO, IMS, Classification Management and Collaboration Group staff; Directorate of Intelligence (DI) analysts; World Intelligence Review (WIRe) management; National Geospatial Intelligence Agency analysts detailed to CIA; Information Management Technical Officers; Human Resources Policy officers; Office of Security management; and a DI Kent School Career Analyst Program (CAP) instructor. I UNCLASSIFIED/I-Kit/0- Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/I-F(2OG � (U) Participated in working group meetings and conference calls with OIG officers from other federal agencies who were conducting Public Law 111-258 reviews of their agencies. � (U) Reviewed Original Classification Authority designations, classification decisions, and training records. � (U) Reviewed the FY 2012 derivative classification computer-based refresher training course and completion records. (b)(3) � (UHFOU0) Tested a statistical sample of DI finished intelligence products published on the WIRe to determine if the classified documents were in compliance with classification standards contained in ISOO booklet, Marking Classified National Security Information, dated 1 January 2012. Because classification marking guidance was updated 1 January 2012, we chose a sample of finished intelligence products published between 1 January and 31 December 2012. We chose finished intelligence because the universe of finished intelligence was well-defined, finished intelligence is intended to be shared, and finished intelligence was not examined in the most recent CIA self-inspection. We worked with a statistician to develop our testing methodology and select a sample of finished intelligence (b)(3) products. We obtained a complete list of the DI intelligence reports created from 1 January 2012 through 31 December 2012. With a confidence level of 90 percent and ex ected error rate of five percent, we selected a (b)(3) statistical sample size of using the American Institute of Certified Public Accountants (AICPA) statistical sample tables. We tested 16 attributes with regard to classification markings. (U) We conducted this evaluation from March to June 2013. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our evaluation objectives. We received comments on a draft of this report from the Director, Information Management Services; Office of the Chief Information Officer; and Director and Managing Editor, WIRe. 2 UNCLASSIFIED//F4300 Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/IfetH3 Exhibit B (U) Recommendations (U) Recommendation 1 (b)(3) (b)(5) (U) Recommendation 2 (Significant)�For the Director, Information Management Services, Office of the Chief Information Officer, in coordination with the Chief Information Officer: Implement effective, mandatory derivative classification refresher training for CIA personnel as required by Executive Order 13526, Classified National Security Information, and Agency Regulation (U) Recommendation 3H (b)(3) (b)(5) (U) Recommendation aH (b)(3) (b)(5) (U) The status of the significant recommendation will be included in the Inspector General's semiannual reports to the Director, Central Intelligence Agency. Exhibit B is Unclassified UNCLASSIFIEDItFetH3 Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/I-K*16- Exhibit C (U) Evaluation Team (u/ U This report was prepared by the Office of Inspector General. (b)(3) UNCLASSIFIED/fFelie- Approved for Release: 2017/10/18 C06199633 Approved for Release: 2017/10/18 C06199633 UNCLASSIFIED/I.FOU0- UNCLASSIFIED/IFGUO- Approved for Release: 2017/10/18 C06199633