SENATE DOCUMENT 105-2
PURSUANT TO PUBLIC LAW 236
103RD CONGRESS
Chairman
Daniel Patrick Moynihan, New York
Vice Chairman
Larry Combest, Texas
Commission Members
Jesse Helms, North Carolina
Lee H. Hamilton, Indiana
John M. Deutch, Massachusetts
Martin C. Faga, Virginia
Alison B. Fortier, Maryland
Richard K. Fox, District of Columbia
Ellen Hume, District of Columbia
Samuel P. Huntington, Massachusetts
John D. Podesta, District of Columbia
Maurice Sonnenberg, New York
... Living With Ambiguity: The Levels of Classification
Individuals who have already decided to classify a piece of information then must decide on the level at which to do so. Executive Order 12958 preserves the three classification levels of Confidential, Secret, and Top Secret that have long served as the foundation for protecting classified information. While elements of the definitions of these three levels have varied over time—Executive Order 12958, for instance, is the first to require classifiers to be able to “identify and describe” the damage to the national security if the information were disclosed—they have remained based on the concept of “damage” since the 1950s. If the unauthorized disclosure of the information could potentially cause damage, it may be classified Confidential; Secret if “serious damage;” or Top Secret if “exceptionally grave damage.” Most classifiers employ the middle option: 71 percent of all classified information is Secret; only 20 percent and 9 percent of all classified information is Confidential and Top Secret, respectively.10
The three classification levels are commonly referred to as the “collateral” system—a term meaning “ancillary”—a revealing point, since these three levels are intended to be the core of the classification system.
The difficult task of differentiating between such vague standards has long been criticized by many classifiers, recognizing that reasonable people may well disagree over the degree of damage certain information might cause if disclosed and, thus, over the level at which it should be classified (as well as whether it should be classified at all). This subjectivity has been one of the major factors leading to calls for reducing or consolidating these levels. 11 Most recently, the Joint Security Commission recommended the creation of a “one-level classification system” in which, according to the JSC, the only difference between information with the potential to cause different degrees of damage would have been the type of physical protection it received. Yet even under the JSC’s “one-level” proposal, classifiers still would have been required to select and apply one of two “degrees of [physical] protection.” In addition, although changing the number of levels may simplify the classification system, the Commission has found no evidence that such a change would reduce the amount of classification.
Controlling Access to Secrets: The “Need-to-Know” Principle
The granting of a security clearance for a certain level of classified information is not supposed to mean that an individual gains access to all information classified at that level. The dissemination of classified information is intended to be limited to those who both (1) hold the appropriate clearance, and (2) need the information in order to properly perform their duties. The extent to which the “need-to-know” principle is adhered to in practice, however, has been the subject of debate and disagreement for decades.12 The placing of classified information on automated information systems presents additional challenges in this regard, as a growing number of cleared personnel are able to access classified information for which they may not have a genuine need. Intelink—the Intelligence Community’s version of the Internet, which allows cleared personnel access to a range of classified information—provides one notable example of how need-to-know is becoming harder to enforce in the Information Age.
The difficulty of discerning who truly needs access to classified information has contributed to the rise of a host of methods for limiting such access. A variety of control markings and handling caveats restricts the dissemination of information and has added extra layers to the classification system. For example, thirteen access categories (known as Sigmas) limit access to Restricted Data, and within the Intelligence Community the control marking “ORCON” (Dissemination and Extraction of Information Controlled by Originator) prohibits further dissemination without the specific approval of the originator of the information.
Clarifying Security in Special Access Programs
A Special Access Program
Access to information considered to be particularly sensitive is controlled through a range of special access programs, which involve access controls and security measures typically in excess of those normally required for access to classified information. (Unless specified as Department of Defense (DoD) Special Access Programs (SAPs), the term “special access program” is used throughout this report to denote any program that limits access beyond that of the three-tiered collateral classification system.) These include programs within the Departments of Defense, Energy, and State, as well as the plethora of compartments within the Intelligence Community designed to protect intelligence information and material referred to as Sensitive Compartmented Information (SCI). The legal basis for creating such programs flows from successive executive orders and, in the case of SCI, from the National Security Act of 1947 and Executive Order 12333 (which lays out the responsibilities of various intelligence agencies). Other special access programs, such as those relating to the protection of the President, the continuity of government operations, and covert action (all known as “national programs”), are operated from within the Executive Office of the President.
Additional security requirements to protect these special access programs can range from mere upgrades of the collateral system’s requirements (such as rosters specifying who is to have access to the information) to entire facilities being equipped with added physical security measures or elaborate and expensive cover, concealment, deception, and operational security plans. Such measures often have been justified as the only way to provide the security necessary to protect information considered especially sensitive. Programs can concern research, development, and acquisition activities; intelligence; or military operations. They can be funded by one agency but managed by another, which often leads to difficulty in simply accounting for how many programs exist and how much money is spent on them.
Publicly acknowledged programs are considered distinct from unacknowledged programs, with the latter colloquially referred to as “black” programs because their very existence and purpose are classified. Among black programs, further distinction is made for “waived” programs, considered to be so sensitive that they are exempt from standard reporting requirements to the Congress. The chairperson, ranking member, and, on occasion, other members and staff of relevant Congressional committees are notified only orally of the existence of these programs.
There are approximately 150 DoD-approved SAPs (the exact number is classified and others have been created but not yet formally approved), down from 200 in the late 1980s, and roughly 300 SCI compartments, compared with an estimated 800 in the late 1980s.13 These numbers, however, do not include the many subcompartments, perhaps best termed “SAPs within SAPs,” that further limit the extent to which personnel have access to various parts of the same program.
A notable example of the declining use of such programs to protect information considered especially sensitive is the reevaluation of how to best protect certain imagery capabilities (which also led to the declassification of large amounts of imagery dating from the 1950s and 1960s). Since 1995, an estimated 95 percent of all imagery derived from electro-optical image systems and once restricted to a highly classified SCI compartment has been produced and disseminated at the Secret level. As a result, this information can now be more widely disseminated to government “consumers,” such as the military, which has relatively few individuals cleared above the Secret level.
In 1994, the DoD created the Special Access Program Oversight Committee (SAPOC) to standardize and formalize the approval, termination, revalidation, and restructuring procedures for DoD special access programs. As required by Executive Order 12958, the SAPOC annually reviews and validates all previously identified DoD special access programs for continued special access program status. The review process is intended to validate the need for continued security compartmentation or to restructure a program into either another special access program or a “collateral” program, and seeks to eliminate redundancy among programs. The SAPOC is intended to provide senior leadership, oversight, and management of all DoD special access programs, to ensure compliance with applicable executive orders and other policies and procedures, and to ensure that required information is provided to the Congress. Within the Intelligence Community, the Controlled Access Program Oversight Committee (CAPOC) performs much the same function as the SAPOC, including annual review of all such programs as required by Executive Order 12958 and a report to the Congress. The CAPOC includes within its review the SCI control system compartments and special access programs funded by the National Foreign Intelligence Program.
However, while carefully assessing program cost, schedule, and performance, these reviews have not always focused on the special security features imposed and their associated costs. Despite the improvements described above, concerns have been raised that the SAPOC is too senior a body to have the necessary working knowledge and expertise to adequately address the security procedures and costs associated with DoD special access programs.
Many of the industrial contractor representatives who attended Commission Roundtables noted that there appear to be unlimited budgets for security in many special access programs and a failure to weigh the value of additional security against its costs.
More generally, the lack of standardized security procedures for special access programs contributes to high costs and other difficulties. The Joint Security Commission (JSC) recommended a “single, consolidated policy and set of security standards” for such programs, but nearly three years later this recommendation has not been implemented.
Industrial contractors performing classified contracts are governed by the National Industrial Security Program (NISP), created in 1993 by Executive Order 12829 to “serve as a single, integrated, cohesive industrial security program to protect classified information.” A Supplement to the NISP operating manual (NISPOM) was issued in February 1995 with a “menu of options” from which government program managers can select when establishing standards for contractors involved with special access programs. However, industrial contractors report that wide variations still exist in the standards applied by government program managers of different SAPs. The “menu of options” continues to allow conflicting and costly security requirements. For example, a senior security officer from a large industrial contractor presented the Commission with a thick set of supplemental forms—all prepared by different program managers and often requesting the same information—that frequently are required before contractor employees can be granted access to certain special access programs.
Within the Intelligence Community, special access programs have been standardized by DCI directives, while those within the DoD continue to operate based on a menu with a wide variety of choices. Some military services continue to increase security regulations for SAPs, while others try to do the opposite. To address this problem, many industry representatives suggest establishing a clearer “baseline” standard and then requiring a specific justification before any additional security can be imposed.