Information Security Oversight Office (ISOO)

2002 Annual Report

Table of Contents:


June 30, 2003
The President
The White House
Washington, DC 20500

Dear Mr. President:

We are pleased to submit to you the Information Security Oversight Office's (ISOO) 2002 Report.

This Report provides information on the status of the security classification program as required by Executive Order 12958, "Classified National Security Information." It includes statistics and analysis concerning components of the system, primarily classification and declassification. In addition, it contains cost estimates for the security classification system in both Government and industry. Finally, it contains information concerning the implementation of the National Industrial Security Program as required by Executive Order 12829, "National Industrial Security Program."

In response to the current environment of rapidly evolving threats, most agencies have enhanced their systems for safeguarding national security information and protecting the American people and their Government. At the same time, to ensure the continued integrity of the classification system, agencies must be more discerning in how much and how long information is classified. Your recent amendment to Executive Order 12958 gives direction and renewed emphasis to how long information is classified by requiring agencies to make the concept of automatic declassification of historical records that are more than 25 year old a reality by December 31, 2006. Most agencies will need to step up their declassification activities in the coming years to fulfill this directive. Finally, continual refinements in the classification system are required to move the executive branch to a nearly seamless framework that addresses the twin imperatives of information sharing and information protection in the information age.

The National Industrial Security Program (NISP) is in need of a renewed commitment to its goals of administering an integrated and cohesive program that safeguards classified information while preserving our Nation's economic and technological interests. Both Government and industry must redouble their efforts to administer and manage the NISP so that it is responsive and supportive of the Government's transformation activities. Without this commitment, the goals of the NISP will not be fully realized.

Many thousands of individuals within Government and industry are responsible for the progress made thus far in implementing E.O. 12958 and E.O. 12829. There is more that needs to be done and these same individuals stand ready to support your programs to promote an informed American public and to protect our national security.


Respectfully,
J. William Leonard
Director



Information Security Oversight Office

AUTHORITY

Executive Order 12958, "Classified National Security Information," and Executive Order 12829, "National Industrial Security Program." The Information Security Oversight Office (ISOO) is a component of the National Archives and Records Administration and receives its policy and program guidance from the National Security Council (NSC).

MISSION

ISOO oversees the security classification programs in both Government and industry and reports to the President annually on their status.

FUNCTIONS

  • Develops implementing directives and instructions.
  • Maintains liaison with agency counterparts and conducts on-site inspections and special document reviews to monitor agency compliance.
  • Develops and disseminates security education materials for Government and industry; monitors security education and training programs.
  • Receives and takes action on complaints, appeals, and suggestions.
  • Collects and analyzes relevant statistical data and, along with other information, reports them annually to the President.
  • Serves as spokesperson to Congress, the media, special interest groups, professional organizations, and the public.
  • Conducts special studies on identified or potential problem areas and develops remedial approaches for program improvement.
  • Recommends policy changes to the President through the NSC.
  • Provides program and administrative support for the Interagency Security Classification Appeals Panel (ISCAP).

GOALS

  • Promote and enhance the system that protects the national security information that safeguards the American government and its people.
  • Provide for an informed American public by ensuring that the minimum information necessary to the interest of national security is classified and that information is declassified as soon as it no longer requires protection.
  • Promote and enhance concepts that facilitate the sharing of information in the fulfillment of mission critical functions related to national security.



Summary of FY 2002 Program Activity*

The following Report to the President is the seventh report under E.O. 12958, which went into effect in October 1995. The following data highlight ISOO's findings.

CLASSIFICATION

  • Executive branch agencies reported 4,006 original classification authorities.
  • Agencies reported 217,288 original classification decisions.
  • Executive branch agencies reported 23,528,041 derivative classification decisions.
  • Agencies reported 23,745,329 combined classification decisions.

DECLASSIFICATION

  • Under Automatic and Systematic Review Declassification programs, agencies declassified 44,365,711 pages of historically valuable records.
  • Agencies received 3,424 new mandatory review requests.
  • Under mandatory review, agencies declassified in full 52,945 pages; declassified in part 97,270 pages; and retained classification in full on 14,435 pages.
  • Agencies received 81 new mandatory review appeals.
  • On appeal, agencies declassified in whole or in part 4,422 additional pages.

*Please see page 17 for an explanation concerning DOD's security classification program data for FY 2001 and a clarification of ISOO's FY 2001 Annual Report data.



A Look to the Future of the Security Classification System in a Post 9/11 Environment

Our Nation and our Government are profoundly different in a post 9/11 world. Americans' sense of vulnerability has increased, as have their expectations of their Government to keep them safe. Information is crucial to responding to these increased concerns and expectations. On the one hand, Americans are concerned that information may be exploited by our country's adversaries to harm us. On the other hand, impediments to information sharing among Federal agencies and with state, local and private entities need to be overcome in the interests of homeland security. Equally so, the free flow of information is essential if citizens are to be informed and if they are to be successful in holding the Government and its leaders accountable. In many ways, the Federal government is confronted with the twin imperatives of information sharing and information protection, two notions that contain inherent tension but are not necessarily contradictory.

Each year this report seeks to highlight possible trends with respect to the amount of information produced by the executive branch that is beyond the American public's immediate purview because it is classified. In FY 2002 much of the executive branch's attention and action focused on the global war on terrorism and on homeland security related issues. These issues have contributed to a reported increase of 14 percent in the number of classification decisions made by classifiers in the executive branch as compared to FY 2001.

An increase in classification activity can be expected in times of crisis, when the potential for the loss of life if national security information is improperly disclosed is more than theoretical. Effective classification can protect the intelligence source or method required to detect and preclude the next terrorist event. It also can save the lives of our Service men and women who place themselves in harm's way to defend our Nation. Furthermore, Government agencies have found it necessary to examine their mission responsibilities in new ways in order to understand their vulnerability to terrorist and other hostile attacks. This has resulted in new authorities and more classification decisions.

Nonetheless, when it comes to classification activity, more is not necessarily better. Much the same way the indiscriminate use of antibiotics reduces their effectiveness in combating infections, classifying either too much information or for too long can reduce the effectiveness of the classification system, which, more than anything else, is dependent upon the confidence of the people touched by it. While there is always a temptation to err on the side of caution, especially in times of war, the challenge for agencies is to similarly avoid damaging the nation's security by hoarding information.

Both consumers and producers of classified information, as well as the general public, need to be assured that the classification system is discerning enough to capture only that information that needs protection in the interest of our national security. If the system is not perceived as being discerning, then the very people depended upon to make the system work begin to substitute their own judgment in determining what is sensitive and requires protection and what is not. This can lead to a lack of accountability, and an environment conducive to unauthorized disclosures of classified information, thus placing all classified information at increased risk of unauthorized disclosure.

While great emphasis is often placed on the consequences of the improper disclosure of classified information, restrictions on dissemination of information carry their own risks. Whether within the Federal Government or between the Federal Government and state, local and private sector personnel, or with the public, the ability to share information rapidly and seamlessly can make the difference in precluding or responding to the next terrorist event. Classification can be a significant impediment to information sharing. As such, there will be situations when just because information can be classified, it does not mean that it should be classified. Many agencies have recognized the importance of having aggressive downgrading, declassification, and/or sanitization (i.e., removal of classified references) programs that promote information sharing at all levels.

Today's rapidly changing environment suggests that the current framework for identifying, protecting and declassifying national security information is due for some fundamental reassessment. In addressing the imperatives of information sharing and information protection, special note must be made of the electronic environment in which the Government increasingly operates. As Government agencies reengineer their business processes and then apply information technology solutions, they are often still unable to effectively communicate and share information with another agency. This can be due, in part, to the fact that they superimpose upon their new processes a document-centric process for classifying information that has fundamentally remained unchanged for the past 60 years.

Our current challenge, then, is to be able to recast existing policy governing the classification of information to reflect the Government's electronic operating environment. This will require the transformation of the current document-centric framework for classifying information requiring protection in the interest of national security to one more conducive to information sharing taking into account the life-cycle of information. The Information Security Oversight Office is preparing now to embark on this challenge, seeking innovative solutions through the interagency process for this important policy of the future.



Interagency Security Classification Appeals Panel

AUTHORITY

Section 5.4 of Executive Order 12958, "Classified National Security Information."

FUNCTIONS

(1) To decide on appeals by authorized persons who have filed classification challenges under Section 1.9 of E.O. 12958.

(2) To approve, deny or amend agency exemptions from automatic declassification as provided in Section 3.4(d) of E.O. 12958.

(3) To decide on mandatory declassification review appeals by parties whose requests for declassification under Section 3.6 of E.O. 12958 have been denied at the agency level.

MEMBERS*

William H. Leary, Acting Chair
National Security Council

James A. Baker
Department of Justice

Carl A. Darby
Intelligence Community

Carol A. Haave
Department of Defense

Michael J. Kurtz
National Archives and Records Administration

Frank M. Machak
Department of State

EXECUTIVE SECRETARY*
J. William Leonard, Director, Information Security Oversight Office

SUPPORT STAFF
Information Security Oversight Office

*The individuals named in this section were those in such positions as of the end of FY 2002.

SUMMARY OF ACTIVITY

The Interagency Security Classification Appeals Panel (ISCAP) was created under E.O. 12958 to perform the critical functions noted in this section. The ISCAP, comprised of senior level representatives appointed by the Secretaries of State and Defense, the Attorney General, the Director of Central Intelligence, the Archivist of the United States, and the Assistant to the President for National Security Affairs, began meeting in May 1996. The President designates its Chair; the Director of ISOO serves as its Executive Secretary, and ISOO provides its staff support.

To date, the majority of the ISCAP's efforts have focused on mandatory declassification review appeals. During FY 2002, the ISCAP decided upon 49 documents that remained fully or partially classified upon the completion of agency processing. It declassified the entirety of the remaining classified information in 9 documents (18%), and declassified some portions, while affirming the classification of other portions, in 17 of the documents (35%). The ISCAP fully affirmed the agency decisions in their entirety for 23 documents (47%).

From May of 1996 through September 2002, the ISCAP has decided upon a total of 301 documents. Of these, the ISCAP declassified information in 76% of the documents. Specifically, it has declassified the entirety of the remaining classified information in 102 documents (34%), and has declassified some portions, while affirming the classification of other portions, in 126 documents (42%). The ISCAPhas fully affirmed agency classification actions in 73 documents (24%).

Documents declassified by the ISCAP are made available through the entity that has custody of them, usually a presidential library. For assistance in identifying and requesting copies of such documents, or for any other questions regarding the ISCAP, please contact the ISCAP staff at ISOO.

The ISCAP also approved a declassification guide submitted by the Department of the Treasury in accordance with Section 3.4(d) of E.O. 12958 and the applicable provision of its government-wide implementing directive (32 C.F.R. Part 2001.51(i)). When approved by the ISCAP, such guides authorize the exemption of information determined by an agency to fall within an exemption category listed in Section 3.4(b) of the Order. Essentially, the guides permit certain information to be classified for more than 25 years. In order for the ISCAP to approve a guide it must provide: a comprehensive description of the information proposed for exemption; a distinct relationship to a specific exemption; a rational justification or explanation of the need for exemption; and a fixed date or event for future declassification.

During this period, the ISCAP heard its first appeal of a classification challenge filed pursuant to Section 1.9 of E.O. 12958. This appeal sought to reverse the decision of the Defense Department that four portions of an abstract regarding Global Positioning System Monitor Station data were classified. As the information was less than 10 years old and concerned "vulnerabilities or capabilities of systems, installations, projects, or plans relating to the national security," the ISCAP affirmed the prior classification of each of the portions under Section 1.5(g) of the Order.

If you have any questions concerning the ISCAP, please contact the ISCAP staff at:
Telephone: (202) 219 - 5250
Fax: (202) 219 - 5385
E-mail: iscap@nara.gov
Internet: http://www.archives.gov/isoo/oversight_groups/iscap.html



The National Industrial Security Program

Executive Order 12829 of January 6, 1993, established the National Industrial Security Program (NISP). Its goal, then and now, is to make the executive branch's industrial security program more efficient and cost effective while fully protecting classified information in the possession of Government contractors, licensees or grantees. The NISP is intended to serve as a single, integrated, cohesive industrial security program and to ensure that short and long-term costs of requirements, restrictions and other safeguards are taken into account in the program's implementation.

In the ten years that the NISP has been in existence, it has yet to achieve its full potential. Three areas of concern continue to prevent the NISP from reaching its full potential:

  • Clearance delays. Investigative and adjudicative delays totaling a year or more are still common. The clearance processing delays experienced by industry have serious consequences for both industry and its Government customers. While both Government and industry have had to deal with these long standing challenges, industry is more limited in its ability to respond.
  • Reciprocity. While reciprocity is a major tenet of the NISP, from industry's perspective, it is not being practiced consistently. Reciprocity means the acceptance of clearance certifications between and among agencies without levying additional requirements. The lack of reciprocity creates duplicative efforts, lengthy time delays, and inefficient use of valuable resources.
  • Automated Information Systems (AIS) Accreditation. Accreditation of AIS has been a problem area for both Government and industry alike. Industry continues to report difficulty in this area, in particular, the considerable delays in the system accreditation process. These delays stem from the availability of resources to perform the accreditations. Other concerns in this area relate to the consistency in the interpretation and application of the AIS requirements set forth in Chapter 8 of the NISP Operating Manual.

The impact of these issues are obvious: considerable additional costs to both contractors and their Government customers, as well as limiting industry's ability to recruit and retain the best and the brightest. Collectively, these issues limit industry's ability to respond to Government's needs in a timely manner. Ultimately, they negatively effect Government's and industry's ability to optimize both budget and technology to maintain this country's position as a leader on the global stage.

Several initiatives are being developed or implemented to address these longstanding issues, to include consolidating the function for most security investigations into one entity. The signatories of the NISP, the Departments of Defense and Energy, the Central Intelligence Agency and the Nuclear Regulatory Commission will be critical players in the success or failure of these initiatives.

The National Industrial Security Program Policy Advisory Committee (NISPPAC), also established by Executive Order 12829,1 serves an important role by bringing forward issues and possible solutions concerning the NISP. By bringing together Government and industry, the NISPPAC can facilitate equitable resolutions to common problems.

In keeping with the oversight responsibilities for the NISP, ISOO will develop a Government-wide implementing directive for the NISP through an interagency effort. ISOO anticipates playing a greater role in facilitating information sharing between Government and industry through increased liaison activity.

For more information on NISP initiatives go to ISOO's home page.



Security Classification: What Does It Cost?

The security classification program is now in its eighth year of reporting costs for both Government and industry. Congress first requested security classification cost estimates from the executive branch in 1994. In addition, ISOO is tasked through Executive Order 12958 to report these costs to the President. Executive Order 12829, also requires that industry or contractor costs be collected and reported by ISOO to the President.

Until the last few years, the costs for the security classification program were deemed non-quantifiable, intertwined with other somewhat amorphous overhead expenses. While many of the program's costs remain ambiguous, ISOO continues to monitor the methodology used to collect the cost estimate data. Requiring agencies to provide exact responses to the cost collection efforts would be cost prohibitive. Consequently, ISOO relies on sampling to estimate the costs of the security classification system. The collection methodology has remained stable over the past eight years providing a good indication of the trends in total cost. In the future, ISOO expects to review the cost collection methodology, particularly the definitions being used. This review will help to ensure that the methodology is current and relevant.

GOVERNMENT

The data presented below were collected by categories based on common definitions developed by an executive branch-working group. The categories are defined below.

Personnel Security: A series of interlocking and mutually supporting program elements that initially establish a Government or contractor employee's eligibility, and ensure suitability for the continued access to classified information.

Physical Security: That portion of security concerned with physical measures designed to safeguard and protect classified facilities and information, domestic or foreign.

INFORMATION SECURITY:
INCLUDES THREE SUB-CATEGORIES:


Classification Management: The system of administrative policies and procedures for identifying, controlling and protecting classified information from unauthorized disclosure, the protection of which is authorized by executive order or statute. Classification management encompasses those resources used to identify, control, transfer, transmit, retrieve, inventory, archive, or destroy classified information.

Declassification: The authorized change in the status of information from classified information to unclassified information. It encompasses those resources used to identify and process information subject to the automatic, systematic or mandatory review programs authorized by executive order or statute.

Information Technology Systems Security (Automated Information Systems or Information Technology Systems Security): Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer or information technology system. It can include, but is not limited to, the provision of all security features needed to provide an accredited system of protection for computer hardware and software, and classified information, material, or processes in automated systems.

Professional Education, Training and Awareness: The establishment, maintenance, direction, support and assessment of a security training and awareness program; the certification and approval of the training program; the development, management, and maintenance of training records; the training of personnel to perform tasks associated with their duties; and qualification and/or certification of personnel before assignment of security responsibilities related to classified information.

Security Management and Planning: Development and implementation of plans, procedures and actions to accomplish policy requirements, develop budget and resource requirements, oversee organizational activities and respond to management requests related to classified information.

Unique Items: Those department or agency specific activities that are not reported in any of the primary categories but are nonetheless significant and need to be included.

The total security classification costs estimate within Government for FY 2002 is $5,688,385,711.

This figure represents estimates provided by 45 executive branch agencies, including the Department of Defense, whose estimate incorporates the National Foreign Intelligence Program. It does not include, however, the cost estimates of the CIA, which that agency has classified. Because of expressed interest in the declassification programs established under Executive Order 12958, ISOO also requested agencies to identify that portion of their cost estimates in the category of information security/classification management that was attributable to their declassification programs. For FY 2002, the agencies reported declassification cost estimates of $112,964,750, or 2 percent of their total cost estimates, which is a significant drop from last year's 4.9 percent.


Government Security Classification Costs Estimate

Total $5.7 billion
Personnel Security $941 million
Physical Security $367 million
Information Security $3.5 billion
Information Technology Security $3.1 billion
Classification Management $237 million
Declassification $113 million
Professional Education Training & Awareness $134 million
Security Management & Planning $742 million
Unique $26 million

INDUSTRY

A joint Department of Defense and industry group developed a cost collection methodology for those costs associated with the use and protection of classified information within industry. Because industry accounts for its costs differently than Government, cost estimate data are not provided by category. Rather, a sampling method was applied that included volunteer companies from four different categories of facilities. The category of facility is based on the complexity of security requirements that a particular company must meet in order to hold a classified contract with a Government agency.

The 2002 cost estimate totals for industry pertain to the twelve-month accounting period for the most recently completed fiscal year of each company that was part of the industry sample. For most of the companies included in the sample, December 31, 2002, was the end of their fiscal year. The estimate of total security costs for 2002 within industry was $839,809,000.

The Government cost estimate shows a 21 percent increase above the cost estimate reported for FY 2001. Industry also reported a 10 percent increase in its cost estimate from calendar year 2001. The total cost estimate for Government and industry for 2002 is $6.5 billion, $1 billion more than the total cost estimate for Government and industry in 2001.

The increase in cost estimates for Government can be attributed, in part, to greater attention to security programs after September 11, 2001; in particular, Physical Security cost estimates went up by 70 percent. All other categories noted increases, Personnel Security (9%); Professional Education, Training and Awareness (21%); Security Management, Oversight and Planning (31%); Unique Items (2%); Information Security/Classification Management (7%); and Information Technology (20%), except Declassification, which saw a 50 percent decrease from last year. Given the events of September 11th, this could be expected. However, the decrease in declassification activity is an area of concern that the Information Security Oversight Office will monitor closely. While it seems reasonable that some funding for the declassification program would be deferred in the short term, it cannot continue to decline, or significant amounts of classified information will remain unreviewed when it becomes subject to automatic declassification on December 31, 2006.

For the first time in 3 years, contractor costs have risen. The 2002 figure is not the highest reported by industry, but represents the high middle ground for industry. This increase in cost estimates for industry is more than likely also a reflection of post 9/11 requirements. The current estimate was again based on sampling from a larger pool of companies. ISOO continues to believe, as does the Executive Agent for the National Industrial Security Program (Department of Defense), that a larger mix of small and large companies reporting data would provide a better sample. ISOO expects that future estimates will continue to include this larger mix of small and large companies, which appears to yield the most realistic and consistent data reported to date.

Comparing Total Costs for Government and Industry
Fiscal Years 1995 - 2002


FY 2002 Total 6.5$ billion
FY 2001 Total 5.5$ billion
FY 2000 Total 5.2$ billion
FY 1999 Total 5$ billion
FY 1998 Total 5$ billion
FY 1997 Total 4.1$ billion
FY 1996 Total 5.2$ billion
FY 1995 Total 5.6$ billion

FY 2002 Government $5.7 billion
FY 2001 Government $4.7 billion
FY 2000 Government $4.3 billion
FY 1999 Government $3.8 billion
FY 1998 Government $3.6 billion
FY 1997 Government $3.4 billion
FY 1996 Government $2.6 billion
FY 1995 Government $2.7 billion

FY 2002 Industry $839,809,000
FY 2001 Industry $766,503,000
FY 2000 Industry $958,543,000
FY 1999 Industry $1.2 billion
FY 1998 Industry $1.4 billion
FY 1997 Industry $692,823,000
FY 1996 Industry $2.6 billion
FY 1995 Industry $2.9 billion



Classification

CLARIFICATION OF FISCAL YEAR 2001 DATA

In ISOO's FY 2001 Annual Report some of the data reported for the Department of Defense's security classification program were incorrect. We fully recognize the significance of this error and have taken steps to ensure that it does not recur. ISOO and all agencies will continue to work together closely to make certain that all data are valid, are reported accurately, and are of value to those interested in such data.

Certain areas of last year's annual report are little affected by the correction in DOD figures, such as the number of original classification authorities, number of original classification decisions, and pages declassified under mandatory review appeals. The sections regarding derivative classification actions and mandatory review requests are significantly impacted, however. In those cases where the figures make a significant difference in how the data should be interpreted, ISOO includes a discussion of the changes within the body of this report. Additionally, we have included charts showing the new figures on pages 24 and 30. ISOO, as noted above, worked closely with OSD to validate the DOD program figures for FY 2002.

ORIGINAL CLASSIFIERS

Original classification authorities (OCAs), also called original classifiers, are those individuals designated in writing, either by the President or by selected agency heads, to classify information in the first instance. Under Executive Order 12958, only original classifiers determine what information, if disclosed without authority, could reasonably be expected to cause damage to the national security. Original classifiers must also be able to identify or describe the damage.

For fiscal year 2002, the number of original classifiers throughout the executive branch decreased to 4006, or approximately 3 percent from the previous year. Executive branch agencies with significant decreases in OCAs include the Department of Energy (DOE), the Department of Defense (DOD) and the Nuclear Regulatory Commission (NRC). Additionally, the Department of State (State) experienced a slight decrease in the number of OCAs. ISOO believes that the agency heads' careful scrutiny and re-issuance of delegations of original classification authority continues to be the largest contributing factor for keeping OCAs to a minimum. Additionally, the use of classification guidance has reduced the need for OCAs for operational needs. Nevertheless, some larger agencies that had comparable classification activity, but many more OCAs, could apparently reduce the number of OCAs without negatively affecting operations through the development and increased use of classification guidance. ISOO is pleased to report that the three agencies which received original classification authority for the first time in this fiscal year, the Environmental Protection Agency (EPA), the Department of Health and Human Services (HHS), and the Department of Agriculture (USDA), have exercised great restraint in use of the original classification authority. EPA and USDA have appointed one OCA each, and HHS has appointed three.

In fiscal year 2002, agencies reported a 5 percent decrease in the number of original classifiers for the Top Secret level, the first decrease in three years. There was a decrease for the Secret level of original classifiers of 2 percent, and a decline of 5 percent at the Confidential level. The number of OCAs in DOD at each of the three levels dropped significantly. This might be in part due to a recent self-review of selected Department of Defense OCA allocations. While most agencies are reducing the number of OCAs, ISOO is concerned that the National Security Council (NSC) increased its overall total by 14 percent and that the National Aeronautics and Space Administration (NASA) increased its overall total by 50 percent. NSC's increase is due in part to the demands of dealing with the issues of global terrorism and homeland security. Because NASA has a small number of OCAs, any increase appears significant. ISOO notes that the Department of Treasury reported a 3 percent increase in its total number of OCAs, and State reported a 2 percent decrease. Although ISOO anticipated a significant increase in the number of OCAs reported by the agencies in FY 2002 as the full effect of our new security environment in a post 9/11 world becomes apparent in the security classification, these figures do not reflect such an increase. ISOO commends the entire Executive Branch for its judicious use of Original Classification Authority.

Original Classifiers Fiscal Year 2002
Total 4,006
Top Secret 929
Secret 2,898
Confidential 179

ORIGINAL CLASSIFICATION

Original classification is an initial determination by an authorized classifier that information requires extraordinary protection, because unauthorized disclosure of the information could reasonably be expected to cause damage to the national security. The process of original classification ordinarily includes both the determination of the need to protect the information and the placement of markings to identify the information as classified. By definition, original classification precedes all other aspects of the security classification system, e.g., derivative classification, safeguarding, and declassification. Therefore, ISOO often refers to the number of original classification decisions as the most important figure that it reports.

For fiscal year 2002, agencies reported a total of 217,288 original classification decisions. This figure represents a decrease of 17 percent over the number of original classification decisions reported in FY 2001, most of which is attributable to decreases reported by the DOD. By classification level, Top Secret decreased by 4 percent, Secret decreased by 26 percent and Confidential decreased by 2 percent. A review of original classification activity under E.O. 12958 does not show a consistent trend. During fiscal year 1997, the second full year of implementation of the Order, original classification activity increased by 51 percent, while fiscal year 1998 saw a decrease of 14 percent, and fiscal year 1999 an increase of 24 percent. Original classification activity increased by 30 percent in FY 2000 and by 18 percent in FY 2001. The decrease for fiscal year 2002 may continue to reflect changes in how certain agencies are collecting the data but can also reflect transformation in the way agencies accomplish their mission.

Three agencies—DOD, Justice, and State—now account for 99 percent of all original classification decisions. DOD reported a total of 37,320 original classification decisions, a 59 percent decrease from the previous year. The reasons for the decrease include better education among DOD components on how to report the actions, better accountability of the actual numbers submitted, and increased use of classification guides. For the sixth year in a row, Justice reported an increase. For fiscal year 2002 the increase is directly related to the FBI's activities with the war on terrorism and the Bureau's increased presence in this executive branch-wide effort. State registered a 10 percent increase, probably because of its enhanced accountability and reporting system for this type of information.

Original Classification Activity Fiscal Year 2002
Total 217,288
Top Secret 11,463
Secret 114,237
Confidential 91,588

Several agencies with smaller security classification programs reported marked decreases in the number of original classification decisions. In particular, ISOO commends AID for a 77 percent decrease. ISOO also notes decreases for Commerce (13%), NASA (37%), ONDCP (27%), OSTP (100%), and Treasury (18%).

Original Classification by Level Fiscal Year 2002
Top Secret 5%
Secret 53%
Confidential 42%

Original Classification by Agency
State 118,739
DOD 37,320
Justice 60,598
All Others 631

As part of the original classification process, the classifiers must determine a timeframe for the protection of the information. This is commonly called the "duration" of classification. Executive Order 12958 creates three possible outcomes at the time of original classification. First, if applicable to the duration of the information's national security sensitivity, information should be marked for declassification upon a specific date or event. For example, a classifier could determine that the information's sensitivity would lapse upon the completion of a particular project. The event would be noted on the face of the document, and when the project had been completed, the information would automatically be declassified. Second, if the original classification authority could not determine an earlier specific date or event for declassification, information should ordinarily be marked for declassification 10 years from the date of the original decision. Third, if the specific information falls within one or more of eight categories, the classifier may exempt it from declassification at 10 years. In almost all instances, this will result in the information being subject to automatic declassification at 25 years. The indefinite duration marking used under E.O. 12958's predecessor, Executive Order 12356, "Originating Agency's Determination Required" or "OADR," was eliminated with the issuance of E.O. 12958.

During fiscal year 2002, classifiers chose declassification upon a specific date or event less than 10 years, or upon the 10-year date for 124,352 (57%) original classification decisions. On the remaining 92,936 (43%) original classification decisions, original classifiers elected to apply an exemption from 10-year declassification. The 57 percent noted for the 10-year or less category is only 2 percent lower than the alltime high percentage reported by the agencies in 2000. Historically, under this Order, agencies selected 10 years or less 59 percent in 2000; 50 percent in 1999; 36 percent in 1998 and 50 percent in 1997 and 1996. The 10 years or less timetable seems well accepted by OCAs and should continue. The long-term effect of assigning a specific date, event or 10-year date suggests that more information will be declassified earlier without the need for more costly reviews in the future.

DERIVATIVE CLASSIFICATION

Derivative classification is the act of incorporating, paraphrasing, restating, or generating in a new form classified source information. Information may be classified in two ways: (a) through the use of a source document, usually correspondence or publications generated by an original classification authority; or (b) through the use of a classification guide. A classification guide is a set of instructions issued by an original classification authority. It pertains to a particular subject and describes the elements of information about that subject that must be classified, and the level and duration of classification. Only executive branch or Government contractor employees with the appropriate security clearance, who are required by their work to restate classified source information, may classify derivatively.

For fiscal year 2002, agencies reported 23,528,041 derivative classification actions. Last year's figure, inaccurately reported in the FY 2001 annual report as 32,760,209, was 20,575,135. The following analysis compares this year's figure with the corrected figure from FY 2001.

This year derivative classification is up 14 percent from last year. The majority of the increase comes from three of the major classifying agencies, DOD, CIA, and Justice. DOD is up 10 percent, CIA 29 percent, and Justice 52 percent. For fiscal year 2002, DOD, CIA, NRO and Justice represented 99 percent of all derivative classification actions reported. DOD derivatively classified the most of any agency, CIA the second most, NRO the third, with Justice a distant fourth. In addition to NRO, State, Interior and Commerce reported significant decreases. Treasury reported a modest decrease. ISOO commends these agencies for their efforts to reduce derivative classification activity.

The increase in derivative classification activity is influenced by a variety of factors. World events continue to influence the amount of derivative activity, in particular, the global war on terrorism, and homeland security. However, ISOO remains convinced that the vastly increased use of automated information management systems, and advancements in technology will continue to affect how information is created, collected, analyzed, and disseminated, thus affecting the tabulation of derivative classification activity. ISOO is continuing to develop guidance for standardization of sampling and the application of what constitutes a classification decision.

COMBINED CLASSIFICATION

Together, original and derivative classification decisions make up what ISOO calls combined classification activity. In fiscal year 2002, combined classification activity totaled 23,745,329. Since derivative actions outnumbered original actions by a ratio of more than 109:1, the fluctuation in derivative activity essentially determines the fluctuation of combined classification activity.

DOD accounted for 63 percent of all combined classification activity reported for fiscal year 2002; CIA, 30 percent; NRO, 5 percent; and Justice, 1 percent. As in the past, the remaining agencies accounted for only one percent of the combined classification activity. DOD and CIA reported increases in combined classification by 10 and 29 percent, respectively. NRO reported a decline of 11 percent while Justice reported an increase of 39 percent.

With the uncertainty of world events at this time, ISOO cannot predict if there will be a continuing rise in classification activity in the coming years. We can only continue to monitor trends and encourage thoughtful and balanced decisions concerning the classification of information through ISOO's oversight activities.



Declassification

BACKGROUND

Declassification is an integral part of the security classification system. It is the authorized change in status of information from classified to unclassified. When Executive Order 12958, was issued on April 17, 1995, the declassification policies of the past changed dramatically. In preceding years, classified information stayed classified and very often did not see the light of general public's, researchers' or historians' eyes without persistent and continuous efforts on the part of these individuals. E.O. 12958 changed this paradigm. With the Order's effective date of October 14, 1995, a new "Automatic Declassification" program was begun in addition to the longstanding "Systematic Review for Declassification."

Under the "Automatic Declassification" provision of E.O. 12958, information appraised as having permanent historical value is automatically declassified once it reaches 25 years of age unless an agency head has determined that it falls within a narrow exemption that permits continued classification. With the issuance of E.O. 12958, these records were subject to automatic declassification on April 17, 2000. Executive Order 13142, issued on November 19, 1999, amended E.O. 12958, to extend the date of the imposition of the automatic declassification provision until October 14, 2001. It also extended the date of the imposition of the automatic declassification provision an additional eighteen months, until April 17, 2003, for two groups of records, those that contain information classified by more than one agency and those that almost invariably contain information pertaining to intelligence sources or methods. While Executive branch agencies had made significant strides in trying to meet the April 17, 2003, deadline, it was clear in late 2001 that this latter deadline would not be met. Recognizing this, work was begun to further amend the Order to extend the deadline. On March 25, 2003, the signing of E.O. 13292 recommitted the executive branch to the automatic declassification process and extended the date of the imposition of the automatic declassification provision until December 31, 2006. By this date, executive branch agencies are expected to have either completed the declassification of their eligible records or properly exempted them.

"Systematic Review for Declassification," which began in 1972, is the program under which classified permanently valuable records are reviewed for the purpose of declassification after the records reach a specific age. Under E.O. 12356, the predecessor Order, the National Archives and Records Administration (NARA) was the only agency required to conduct a systematic review of its classified holdings. Now E.O. 12958 requires all agencies that originate classified information to establish and conduct a systematic declassification review program, which is undertaken in conjunction with the potential onset of automatic declassification. In effect, systematic review has become an appendage of the automatic declassification program. ISOO has collected data on declassification that does not distinguish between the two programs because they are now so interrelated.

In effect, E.O. 12958 reverses the resource burden. Unlike prior systems, in which agencies had to expend resources in order to declassify older information, under E.O. 12958, agencies must expend the resources necessary to demonstrate why older, historical information needs to remain classified. Fiscal year 2002 marked the seventh year in which the policies of the Order have been in effect.

PAGES DECLASSIFIED

During FY 2002, the executive branch declassified 44,365,711 pages of permanently valuable historical records. This figure represents a 56 percent decrease from that reported for FY 2001, and the largest decrease since Executive Order 12958 became effective on October 14, 1995. Even so, the number of pages declassified in FY 2002 continues to exceed the yearly average (12.6 million pages) under prior executive orders by three-fold. Given the many obstacles faced by executive branch agencies in their declassification efforts, this accomplishment is remarkable.

ISOO estimates that agencies have completed work on approximately 77 percent of the pages subject to automatic declassification, either by declassifying or exempting them. Those records remaining to be reviewed (an estimated 382 million pages based on the April 27, 2000, deadline) tend to be more complex and sensitive bodies of records dated 1976 and earlier. Such records require more time for review and processing. The number of pages subject to the automatic declassification provisions has not been updated since the November 1999 amendment to E.O. 12958. With the further amendment to E.O. 12958, in particular the automatic declassification provisions, ISOO will be asking agencies to again assess their records to determine the volume of records subject to this very important provision of the Order. This assessment will provide a better picture of the workload agencies will face to meet the final deadline set by the March 25, 2003 amendment to E.O. 12958.

Other factors outside the process have also affected declassification activity. The most significant factor has been the impact of the events of September 11, 2001. These events have caused agencies to look more closely at certain types of information before making declassification decisions. In particular, agencies are reviewing and re-reviewing their records for information related to weapons of mass destruction and homeland security to ensure that the information contained in the records truly warrants continued protection. Legislation enacted in FY 1999 addressing the protection of Restricted Data and Formerly Restricted Data (Section 3161 of Public Law 105-261, entitled "Protection Against Inadvertent Release of Restricted Data and Formerly Restricted Data") and other special topical searches mandated by other legislative initiatives have required agencies to shift resources away from the automatic and systematic declassification programs to meet the requirements of the legislation. Additionally, as noted in the Security Cost Estimates section of this report, funding for declassification decreased by almost 50 percent, which we believe is also a result, at least in part, of the events of September 11th. It appears that funding has been shifted to other components of security, which is understandable. However, ISOO will closely monitor this aspect of agencies' declassification programs to ensure that this decrease in funding does not become permanent. Decreased funding will very clearly impact the ability of agencies to completely review their 25 year-old or older holdings prior to the deadline set for automatic declassification in the March 25, 2003 amendment to E.O. 12958. The consequence will be a shift back to the ever increasing "mountain" of classified records being stored in secure locations or containers across Government and contractor facilities.

The number of pages NARA declassified in FY 2002 again declined, from 3.2 million pages in FY 2001 to 652,405 pages in FY 2002. This is the lowest number of pages declassified by NARA since the first full year of implementation of the automatic declassification provisions of E.O. 12958 in 1996. Legislative mandates; page-by-page review requirements for NARA staff versus the use of sampling methods; and shifting staff resources to special reviews like "records of special interest—weapons of mass destruction and homeland security related" all continue to contribute to NARA's decreased declassification activity.

Again, DOD led the executive branch in the number of total pages declassified in FY 2002, accounting for 75 percent of the total. While DOD led the executive branch, it, like NARA, reported the lowest number of pages declassified since the Order became effective on October 14, 1995.

Three agencies reported remarkable increases in their declassification activity during FY 2002 as compared to FY 2001: NSC (476%); State (242%); and Justice (41%). Those agencies that experienced significant decreases include: Treasury (82%); NASA (58%); AID (52%); FEMA (36%); CIA (25%); and DOE (16%). ISOO encourages all these agencies to sustain or work to increase their efforts to implement their automatic declassification programs.

Fiscal Years 1980-2002 1.19 Billion Pages Declassified
Fiscal Years 1996-2002 939 million pages (79%)
Fiscal Years 1980-1995 257 million pages (21%)

In the seven years that Executive Order 12958 has been in effect, executive branch agencies have declassified over 939 million pages of permanently valuable historical records. Compared to the 257 million pages declassified under the prior two executive orders (E.O. 12065 and E.O. 12356) and before E.O. 12958 became effective, the executive branch in the past seven years has more than tripled the number of pages declassified. Since ISOO came into existence in late 1978, and began collecting and analyzing data beginning in FY 1980, it has reported the declassification of permanently valuable records totaling approximately 1.2 billion pages. Of that total, 1 billion pages or 84 percent, have been declassified due in large part to the automatic declassification provision of E.O. 12958.

LOOKING AHEAD

The data reported by agencies about their automatic declassification programs clearly show that our changed security environment has had an impact. Agencies have reconsidered the declassification of certain types of information, like weapons of mass destruction. With declassification infrastructures in place as a result of the declassification policies contained in this Order, agencies were better able to address these records of concern than they were before the automatic declassification program was instituted in 1995. While declassification cost estimates went down in fiscal year 2002 (see Security Cost Estimates section of this Report), it is to the benefit of the executive branch and the public to ensure that this does not become a trend. As the executive branch looks forward to a new deadline for automatic declassification, it must prepare for the challenges that this new deadline brings, which includes continued funding and support. ISOO, in concert with the agencies, will need to find new process improvements to meet the December 31, 2006 deadline. This will require cooperation, innovative thinking and hard work, which will in the end, benefit, not only the general public, historians and researchers, but also the agencies. Knowing, understanding and managing the information contained in agencies' records systems is an essential part of the overall solution. Technology is ever moving us forward and will also be an important element in the solution. We must push the envelope and recognize the future of information in the electronic environment. It is the challenge of the information age.

Number of Pages Declassified by Agency
TOTAL 44,365,711

DOD 33,326,261
Navy 15,754,436
OSD 7,757,995
Army 4,901,153
Air Force 1,952,974
NIMA 1,411,076
DTRA 1,080,424
JCS 300,000
DIA 115,000
All Others 53,203

CIA 5,310,000
JUSTICE 2,452,846
STATE 1,510,101
NARA 652,405
DOE 522,155
AID 382,292
NSC 131,750
NASA 61,055
TREASURY 15,514
FEMA 832
NRC 500

MANDATORY REVIEW

Under Executive Order 12958, the mandatory review process permits individuals or agencies to require an agency to review specified national security information for purposes of seeking its declassification. Requests must be in writing and describe the information with sufficient detail to permit the agency to retrieve it with a reasonable amount of effort. Mandatory review remains popular with some researchers as a less contentious alternative to Freedom of Information Act (FOIA) requests. It is also used to seek the declassification of presidential papers or records, which are not subject to the FOIA.

Mandatory Review Pages Processed Fiscal Years 2001-2002

FY 2002 Total 164,650
FY 2001 Total 148,414*

FY 2002 Granted in Full 52,945
FY 2001 Granted in Full 58,463*

FY 2002 Granted in Part 97,270
FY 2001 Granted in Part 73,750*

FY 2002 Denied in Full 14,435
FY 2001 Denied in Full 16,201*

*Data for FY 2001 reflect revised figures for DOD.

During FY 2002, agencies processed 3,284 cases, totaling 164,650 pages. The number of pages processed increased by 11 percent from the previous year. Both the number of pages and the percentage of pages declassified in whole or in part increased, from 132,213 pages and 89 percent to 150,215 pages and 91 percent. The percentage of pages declassified in whole or in part has remained high under Executive Order 12958, with this year's rate being the third highest of the last seven years. While outside factors, such as our new security environment, and special search legislation, have had an impact on how many mandatory declassification review requests can be processed by the agencies, ISOO believes that mandatory review remains a very successful means for declassifying information.

Mandatory Review Appeals Disposition Fiscal Year 2002

Granted in Full 32%
Granted in Part 59%
Denied in Full 9%

During FY 2002, agencies processed 84 appeals that comprised 5,327 pages. Of these, 83 percent of the pages were granted in whole or in part. The rate is 34 percent higher than last year and is the third highest rate since this Order became effective on October 14, 1995. The higher rate of declassification suggests that researchers can continue to anticipate greater return in declassified information if they pursue an appeal.



Agency Acronyms or Abbreviations

AID: Agency for International Development
Air Force: Department of the Air Force
Army: Department of the Army
CEA: Council of Economic Advisers
CIA: Central Intelligence Agency
Commerce: Department of Commerce
DARPA: Defense Advanced Research Projects Agency
DCAA: Defense Contract Audit Agency
DIA: Defense Intelligence Agency
DISA: Defense Information Systems Agency
DLA: Defense Logistics Agency
DOD: Department of Defense
DOE: Department of Energy
DOT: Department of Transportation
DSS: Defense Security Service
DTRA: Defense Threat Reduction Agency
ED: Department of Education
EPA: Environmental Protection Agency
EXIMBANK: Export-Import Bank
FBI: Federal Bureau of Investigation
FCC: Federal Communications Commission
FEMA: Federal Emergency Management Agency
FMC: Federal Maritime Commission
FRS: Federal Reserve System
GSA: General Services Administration
HHS: Department of Health and Human Services
HUD: Department of Housing and Urban Development
Interior: Department of the Interior
ISCAP: Interagency Security Classification Appeals Panel
ISOO: Information Security Oversight Office
ITC: International Trade Commission
JCS: Joint Chiefs of Staff
Justice: Department of Justice
Labor: Department of Labor
MMC: Marine Mammal Commission
MSPB: Merit Systems Protection Board
MDA: Missile Defense Agency
NARA: National Archives and Records Administration
NASA: National Aeronautics and Space Administration
Navy: Department of the Navy
NISPPAC: National Industrial Security Program Policy Advisory Committee
NIMA: National Imagery and Mapping Agency
NRC: Nuclear Regulatory Commission
NRO: National Reconnaissance Office
NSA: National Security Agency
NSC: National Security Council
NSF: National Science Foundation
OA, EOP: Office of Administration, Executive Office of the President
OIG, DOD: Office of the Inspector General, Department of Defense
OMB: Office of Management and Budget
ONDCP: Office of National Drug Control Policy
OPIC: Overseas Private Investment Corporation
OPM: Office of Personnel Management
OSD: Office of the Secretary of Defense
OSTP: Office of Science and Technology Policy
OVP: Office of the Vice President
PC: Peace Corps
PFIAB: President's Foreign Intelligence Advisory Board
SBA: Small Business Administration
SEC: Securities and Exchange Commission
SSS: Selective Service System
State: Department of State
Treasury: Department of the Treasury
TVA: Tennessee Valley Authority
USDA: Department of Agriculture
USMC: United States Marine Corps
USPS: United States Postal Service
USTR: Office of the United States Trade Representative
VA: Department of Veterans Affairs




Executive Order 12958, as amended



Top