Managing Sensitive Information: DOD Can More Effectively Reduce the Risk of Classification Errors

摘要

A lack of oversight and inconsistent implementation of the Department of Defense's (DoD) information security program are increasing the risk of misclassification. DoD's information security program is decentralized to the DoD component level, and the Office of the Under Secretary of Defense for Intelligence (OUSD(I)), the DoD office responsible for DoD's information security program, has limited involvement with, or oversight of, components' information security programs. While some DoD components and their subordinate commands appear to manage effective programs, GAO identified weaknesses in others in the areas of classification management training, self-inspections, and classification guides. For example, training at 9 of the 19 components and subordinate commands reviewed did not cover fundamental classification management principles, such as how to properly mark classified information or the process for determining the duration of classification. Also, OUSD(I) does not have a process to confirm whether self-inspections have been performed or to evaluate their quality. Only 8 of the 19 components performed self- inspections. GAO also found that some of the DoD components and subordinate commands that were examined routinely do not submit copies of their security classification guides to a central library as required. Some did not track their classification guides to ensure they were reviewed at least every 5 years for currency as required. Because of the lack of oversight and weaknesses in training, self-inspection, and security classification guide management, the Secretary of Defense cannot be assured that the information security program is effectively limiting the risk of misclassification across the department. To reduce the risk of misclassification and improve DoD's information security operations, GAO is recommending six actions, including several to increase program oversight and accountability. DoD concurred with GAO's recommendations.