Information Security Oversight Office (ISOO)

2003 Report on Cost Estimates for Security Classification Activities


July 2004
Memorandum for all Annual Report Holders
From: J. William Leonard, Director (signature)
Subject: Annual Cost Report

Enclosed is The Report on Cost Estimates for Security Classification Activities for 2003 from the Information Security Oversight Office (ISOO).


2003 REPORT ON COST ESTIMATES FOR SECURITY CLASSIFICATION ACTIVITIES

The security classification program is now in its ninth year of reporting costs for both Government and industry. Congress first requested security classification cost estimates from the executive branch in 1994. In addition, the Information Security Oversight Office (ISOO) is tasked through Executive Order 12958, as amended, "Classified National Security Information," to report these costs to the President. Executive Order 12829, as amended, "National Industrial Security Program," also requires that industry or contractor costs be collected and reported by ISOO to the President.

In the past, the costs for the security classification program were deemed non-quantifiable, intertwined with other overhead expenses. While many of the program's costs remain ambiguous, ISOO continues to collect cost estimate data and to monitor the methodology used for its collection. Requiring agencies to provide exact responses to the cost collection efforts would be cost prohibitive. Consequently, ISOO relies on the agencies to estimate the costs of the security classification system. The collection methodology has remained stable over the past nine years, providing a good indication of the trends in total cost.

GOVERNMENT

The data presented in this report were collected by categories based on common definitions developed by an executive branch working group. The categories are defined below.

Personnel Security: A series of interlocking and mutually supporting program elements that initially establish a Government or contractor employee's eligibility, and ensure suitability for the continued access to classified information.

Physical Security: That portion of security concerned with physical measures designed to safeguard and protect classified facilities and information, domestic or foreign.

Information Security: Includes three subcategories:

Classification Management: The system of administrative policies and procedures for identifying, controlling and protecting classified information from unauthorized disclosure, the protection of which is authorized by executive order or statute. Classification management encompasses those resources used to identify, control, transfer, transmit, retrieve, inventory, archive, or destroy classified information.

Declassification: The authorized change in the status of information from classified information to unclassified information. It encompasses those resources used to identify and process information subject to the automatic, systematic or mandatory review programs authorized by executive order or statute.

Information Systems Security for Classified Information: An information system is a set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information. Security of these systems involves the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. It can include, but is not limited to, the provision of all security features needed to provide an accredited system of protection for computer hardware and software, and classified information, material, or processes in automated systems.

Professional Education, Training and Awareness: The establishment, maintenance, direction, support and assessment of a security training and awareness program; the certification and approval of the training program; the development, management, and maintenance of training records; the training of personnel to perform tasks associated with their duties; and qualification and/or certification of personnel before assignment of security responsibilities related to classified information.

Security Management and Planning: Development and implementation of plans, procedures and actions to accomplish policy requirements, develop budget and resource requirements, oversee organizational activities and respond to management requests related to classified information.

Unique Items: Those department or agency specific activities that are not reported in any of the primary categories but are nonetheless significant and need to be included.

The total security classification costs estimate within Government for FY 2003 is $6,531,005,615. This figure represents estimates provided by 41 executive branch agencies¹, including the Department of Defense, whose estimate incorporates the National Foreign Intelligence Program. It does not include, however, the cost estimates of the Central Intelligence Agency (CIA), which that agency has classified.

Because of expressed interest in the declassification programs established under Executive Order 12958, as amended, ISOO also requested agencies to identify that portion of their cost estimates in the category of information security/classification management that was attributable to their declassification programs. The cost estimate from one agency was overreported by approximately $76 million in FY 2002, including $65 million for declassification costs. ISOO's correction of this overreporting reduces the total security cost for FY 2002 to $5,612,070,103.

For FY 2003, the agencies reported declassification cost estimates of $53,770,375, or less than 1 percent of their total cost estimates. This figure reflects an 11 percent increase from FY 2002, but is a 77 percent decrease from the cost estimate for declassification in FY 2001. ISOO is very concerned about this number because it reflects the overall trend of agencies reducing budgets allocated to declassification, reflecting a misperception on the part of some managers that automatic declassification is an event rather than a process which will continue, and require funding for the very long term.

Government Security Classification Costs Estimate
Fiscal Year 2003


Total = $6.5 Billion
Personnel Security = $950 Million
Physical Security = $536 Million
Information Security = $4 Billion
Information Technology = $3.7 Billion
Classification Management = $265 Million
Declassification = $54 Million
Professional Education and Training = $158 Million
Security Management and Planning = $858 Million
Unique = $28 Million

INDUSTRY

A joint Department of Defense and industry group developed a cost collection methodology for those costs associated with the use and protection of classified information within industry. Because industry accounts for its costs differently than Government, cost estimate data are not provided by category. Rather, a sampling method was applied that included volunteer companies from four different categories of facilities. The category of facility is based on the complexity of security requirements that a particular company must meet in order to hold a classified contract with a Government agency.

The 2003 cost estimate totals for industry pertain to the twelve-month accounting period for the most recently completed fiscal year of each company that was part of the industry sample. For most of the companies included in the sample, December 31, 2003, was the end of their fiscal year. The estimate of total security costs for 2003 within industry was $1,011,524,000.

The Government cost estimate shows a 14 percent increase above the cost estimate reported for FY 2002. For the second year in a row, industry reported an increase in its cost estimate. The total cost estimate for Government and industry for 2003 is $7.5 billion, $1 billion more than the total cost estimate for Government and industry in 2002.

Comparing Cost for Government and Industry
Fiscal Year 1995-2003


Industry

FY 1995 = $2.9 Billion
FY 1996 = $2.6 Billion
FY 1997 = $693 Million
FY 1998 = $1.4 Billion
FY 1999 = $1.2 Billion
FY 2000 = $959 Million
FY 2001 = $767 Million
FY 2002 = $840 Million
FY 2003 = $1.0 Billion

Government

FY 1995 = $2.7 Billion
FY 1996 = $2.6 Billion
FY 1997 = $3.4 Billion
FY 1998 = $3.6 Billion
FY 1999 = $3.8 Billion
FY 2000 = $4.3 Billion
FY 2001 = $4.7 Billion
FY 2002 = $5.7 Billion
FY 2003 = $6.5 Billion

Total

FY 1995 = $5.6 Billion
FY 1996 = $5.2 Billion
FY 1997 = $4.1 Billion
FY 1998 = $5.0 Billion
FY 1999 = $5.0 Billion
FY 2000 = $5.2 Billion
FY 2001 = $5.5 Billion
FY 2002 = $6.5 Billion
FY 2003 = $7.5 Billion

While the overall trend in increasing security costs goes back six years, there appears to be a continuing expansion of information security programs, facilities and personnel as the Federal executive branch continues to meet the requirements identified in the aftermath of the September 11, 2001, terrorist attacks. Many agencies are reporting increased costs in physical security related to facility improvements, such as operations centers, continuity of operations relocation sites, and sensitive compartmented information facilities, along with larger guard forces to keep them secure. Others are estimating higher costs to bring programs into compliance with E.O. 12958, as amended. Other factors, such as lessons learned from recent espionage cases, have led to security reforms requiring more resources devoted to personnel security investigations, information technology systems security, and security training and awareness.

In particular, Physical Security cost estimates went up by 47 percent. All other categories noted increases: Personnel Security (1%); Professional Education, Training and Awareness (18%); Security Management, Oversight and Planning (16%); Unique Items (8%); Information Security/Classification Management (19%); Information Technology (17%); and Declassification, which saw an 11 percent increase over the previous year, but a 77 percent decrease from FY 2001.

The Executive Agent for the National Industrial Security Program (Department of Defense) samples a larger mix of small and large companies, which appears to yield the most realistic and consistent data reported to date. The costs have increased for the second year in a row, in large part due to contractor support to the war on terrorism and the war in Iraq and Afghanistan.


¹ Two agencies, the Department of the Treasury and the National Aeronautics and Space Administration, submitted cost estimates too late for publication. ISOO substituted last year's data for those two agencies. Additionally, the Department of the Interior submitted a corrected cost report too late for publication. ISOO will update the data submitted by these three agencies for next year's report and analysis.