Guidance for Handling and Reporting Incidents and Spillages of Classified National Security Information
The Director of the Information Security Oversight Office has provided guidance that was promulgated by the Committee on National Security Systems for determining, investigating and reporting data incidents and spills involving classified information onto information systems not accredited and certified to the appropriate level of the information’s classification.
Guidance on what to do if a member of the public or a non-governmental archives finds what looks like classified national security information in their collections
Please contact ISOO: the Director of ISOO is charged under 32 C.F.R. Part 2001.36(b) to provide guidance and assistance to anybody who possesses potentially classified national security information outside of government control. ISOO has developed an information paper that provides more detail on this issue.
Guidance for transmission methods of Secret and Confidential information within and between the U.S., Puerto Rico, or a U.S. possession or territory
The Director of the Information Security Oversight Office has provided guidance that agency heads may authorize the use of current holders of the GSA contract, when a requirement exists, for the overnight delivery of Secret and Confidential information within and between the U.S., Puerto Rico, or a U.S. possession or territory.
Guidance on the National Declassification Center
The National Declassification Center (NDC) was created when President Obama signed the new Executive order released by the White House on December 29, 2009.
Frequently Asked Questions About E.O. 13526
These reference questions pertain to E.O. 13526.
Please Contact ISOO if you have more questions concerning.
- In section 4.1(f)(3)(B) who determines "standardized electronic formats?"
- Self-inspections program data is already included on the annual Agency Security Classification Management Program Data (SF-311) submissions. How will "reporting annually to the Director of the Information Security Oversight Office on the agency's self-inspection program" differ?
- What is the difference between a "confidential human source" and a "human intelligence source?"
- "Is the statement, "original classification authority may extend the duration of classification up to 25 years from the date of the origin of the document" intended to allow an OCA to extend declassification for another 25 years (total 50 years)?
- Is there a standard procedure for notifying the Archivist in case of reclassification?
- In section 1.9(a) is the statement, "within 2 years of the effective date of this Order" defined as June 27, 2012 or December 29, 2011?
- According to section 3.3(j)(1)(C), who is responsible for verifying "a specific and independently verifiable event?"
- In section 3.7(b)(1), how is "timely" defined?
- Must anyone who creates derivative work be pre-designated as "authorized" to do so and if so, at what level should the training be?
- If an agency is delegated original classification authority (OCA) from another agency (e.g. the ODNI delegating OCA authority to NRO), which agency reports to the Director of ISOO in accordance
with the Memorandum for the Heads of Executive Departments and Agencies? Is the ODNI to report, or NRO, or both?
- What are the requirements for the use of the 50X and 75X exemptions?
- What happens to the documents marked 50X-HUM and WMD after 50 years?
- What marking goes on the "declassify on" line for derivative documents, if the source document is marked 25X1-Human?
- Who can derivatively mark documents?
- How is a derivative document marked if the source document has no date?
- What happens if a document does not have any declassification instructions?
- How are dynamic documents portioned mark?
- How are documents being declassified remarked?
- Can a classification be extended?
- If an agency has a current exemption, does it need to be re-approved?
- What happens if a document is marked 25X6 and at the 25 year mark the treaty is still in place?
- When will the 50X or 75X exemptions become effective?
- If a security declassification guide has an instruction to mark certain information for declassification for 25 years, is it from the date of the guide or the date of the document?
An agency head or senior agency official, or with respect to the Intelligence Community, the Director of National Intelligence, makes this determination.
2. Self-inspections program data is already included on the annual Agency Security Classification Management Program Data (SF-311) submissions. How will "reporting annually to the Director of the Information Security Oversight Office on the agency's self-inspection program" differ?
The SF 311 only requires data on the total number of self inspections conducted by the agency. The requirements, frequency, and coverage of a self-inspection program, as discussed in 32 CFR Part 2001 section 2001.60, are to be reported to ISOO annually.
The two terms are used interchangeably, but "confidential human source" is a term used by the FBI; "human intelligence source" is a term used by the intelligence community.
4. Is the statement, "original classification authority may extend the duration of classification up to 25 years from the date of the origin of the document" intended to allow an OCA to extend declassification for another 25 years (total 50 years)?
There is no intent to allow an OCA to extend classification for another 25 years. This clause relates to information that was initially classified for less than 25 years. An OCA may extend the classification up to 25 years from the date of origin of the document. For example, on a document created on April 13, 2005, with a declassification date of April 13, 2015, an OCA may extend the duration of classification up to April 13, 2030.
Notification of the Archivist would be accomplished in the same manner that official notifications are made to other heads of Executive branch agencies.
For sections 1.7, 3.3, and 3.7, two years from the effective date of the Order is defined as December 29, 2011. For the remaining sections, two years from the effective date of the Order is defined as June 27, 2012.
The OCA decides and sends the information to the Interagency Security Classification Appeals Panel (ISCAP) for approval.
The Director of the National Declassification Center (NDC) will determine when the referral is made; after which the agency will have one year to adjudicate.
There is no requirement in E.O. 13526 (the Order) to "pre-designate" an individual to derivatively classify information. The agency will determine the degree of training required in accordance with any additional guidance that is provided in 32 CFR Part 2001.70.
10. If an agency is delegated original classification authority (OCA) from another agency (e.g. the ODNI delegating OCA authority to NRO), which agency reports to the Director of ISOO in accordance with the Memorandum for the Heads of Executive Departments and Agencies? Is the ODNI to report, or NRO, or both?
The agency that delegates the authority reports the delegation.
Section 3.3(h)(2) allows for agencies to seek the exemption of specific information from automatic declassification at 50 years in extraordinary cases. Records containing information exempted from declassification under this provision will be automatically declassified on December 31 of the year 75 years from the date of origin of those records, unless an agency seeks the exemption of specific information from automatic declassification at 75 years.
Section 3.3(h)(3) allows for agencies to seek the exemption of specific information from automatic declassification at 75 years. Proposals to seek an exemption at 50 or 75 years, shall be submitted to the Director of ISOO, serving as Executive Secretary of the ISCAP, 1 year before the information is subject to automatic declassification.
- Exemptions require ISCAP approval prior to use.
- Require a date or event.
(50X1-HUM and 50X2-WMD are the only exemptions that can be used without a date)
- Must be included in agency declassification guide.
Example of requesting a 75X1 or 75X6 exemption:
- i. Description of Information:
The identity of senior officials of foreign governments who provided intelligence information to the U.S. about those governments, with the expectation of confidentiality, between 1935 and 1942.
- ii. Explanation of Exemption:
The declassification the identity of this confidential human source would prevent the U.S. Intelligence Community from collecting intelligence from confidential human sources, and would cause serious harm to the diplomatic relations of the U.S. Government if relationship of those officials to the U.S. Government at that time is not known by the current governments of those nations.
- iii. Date or Event for Declassification:
Declassify no later than 90 years after the date of the record containing the exempted information.
50X HUM and WMD are already exempted at 50 years and subject to automatic declassification at 75 years. They may be exempted beyond 75 years if the exemption is approved by the ISCAP.
Carry over the declassification instruction 25X1-human from the source document to the derivative document. Do not change to 50X1-HUMwithout authorization from the originating agency.
Anyone who has a security clearance and access to classified information as part of their job or who is working in a classified environment has derivative authority. They must also have the required derivative training
Mark the document 25 years from the date of the creation of the derivative document.
Try to go back to the originator of the document and obtain the information for declassification. If the information can not be traced, then declassify at 25 years from creation of the document.
Portion mark the sections or portions that you can, and the overall marking of the document. If a section or portion can not be marked, it can not be used a derivative source document.
The only documents that are "allowed" to be remarked are those being requested for FOIA, MDR or other public access, and that are still in control of the agency. Do not remark any documents that are subject to automatic declassification or that have been accessioned to the National Archives.
Only an OCA with jurisdiction over the information may extend the duration of classification for up to 25 years from the date of the origin of the document. In cases where an extension is made, the Declassify On line shall be revised to include the new declassification instructions and shall include the identity of the person authorizing the extension and the date of the action.
Yes, but it's a separate process from the 50X or 75X exemptions. All current 10 year exemptions should be updated with the ISCAP.
If within 5 years from the onset of automatic declassification there is still a treaty in place, then the exemption and declassification guide must be revised and approved by the ISCAP.
Agencies must have their 50X or 75X exemptions approved by the ISCAP by December 2011. The exemptions become effective January 2013. Current documents exempted at 25X could possibly be exempted at 50 years if approved by the ISCAP before the December 2012 deadline.
The "25 years" denotes 25 years from the date of document creation, not the date of the security classification guide.
Updated November 5, 2014