U.S. security classification taxonomies

Governments love to classify things.  Security classifications establish control over information; that affects national security, or that is pertinent to national interests.  The purpose of these controls is to ensure that only people with a Need-To-Know (NTK) have access to the information.  Projects, objects and locations can also be classified, if they incorporate classified information.

Because of the sheer volume of information relevant to national security and interests; and the number of people who have, want or need, access to that information; governments create taxonomies, referred to as Classification Management Systems (CMS).  A properly implemented CMS allows the government to protect information in a relevant, and cost effective manner.

Relevancy is important to prevent the accumulation of junk secrets, such as the fact that “water does not run uphill,” or “Indian bows and arrows.” Cost effectiveness is important, because information should be classified only to the level that affords it the proper amount of protection; example, information about whether or not White House computers have updated anti-virus software should require less (expensive) protective measures than those used to protect the President’s nuclear launch codes.

Security classification taxonomies can be thought of as one or more “sets of buckets,” into which various substances are poured.  The buckets in each set are labeled according to the amount of bodily harm you would suffer if their contents were dumped on you, à la the 1976 movie “Carrie.”  In the United States, the government has two sets of “buckets,” called national security and national interests.

National Security

The classification scope for national security is anything required for the continued economic, military and political survival of the United States; under its existing constitution.  Classifications levels are based upon the amount of damage that would result from unauthorized disclosure, of classified information.  Classifications for U.S. national security are outlined in the following documents:

  • Executive Order 13526, Classified National Security Information, Obama-2009-12-29.
    • Revokes Executive Order 13292, Bush-2003-03-25.
    • Which amends Executive Order 12958, Clinton-1995-04-17.
    • Which revokes Executive Order 12356, Reagan-1982-04-02.
  • Code of Federal Regulations (CFR), Title 18, Part 3a, National Security Information.

Top Secret: National security information requires the highest amount of protection.  The test for assigning Top Secret classification is whether unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.  Examples of exceptionally grave damage include armed hostilities against the United States or its allies; disruption of foreign relations vitally affecting national security; the compromise of vital national defense plans or complex cryptographic and communications intelligence systems; the revelation of sensitive intelligence operations; and the disclosure of scientific or technological developments vital to national security.  This classification is meant to be used with the utmost restraint.

Secret: National security information requires a substantial amount of protection.  The test for assigning Secret classification is whether unauthorized disclosure could reasonably be expected to cause serious damage to national security.  Examples of serious damage include disruption of foreign relations significantly affecting national security; significant impairment of a program or policy directly related to national security; revelation of significant military plans or intelligence operations; and compromise of significant scientific or technological developments relating to national security.  The Secret classification is meant to be sparingly used.

Confidential: National security information requires protection, but not in the amounts described under Top Secret and Secret.  The test for assigning Confidential classification is whether unauthorized disclosure could reasonably be expected to cause damage to national security.

 

Special handling instructions, called caveats, can be added to classifications.  Example caveats include: Teal Amber, Tacit Blue, Senior Cejay, No Foreign (NOFORN), Restricted Data (RD), Sources And Methods Intelligence (SAMI), and Critical Nuclear Weapons Design Information (CNWDI).  The purpose of caveats is to refine the NTK requirements for specific projects, or types of information.  Not all information related to the same subject is classified at the same level; and not all information at a particular level is related to the same subject.  A person with access to “Secret – Golden Ray” information may not share that information with a person who has access to “Secret – ABL” information.

Any information not classified as Top Secret, Secret, or Confidential, is considered Unclassified.  While Executive Order 13292 specifically prohibits classification of information that is embarrassing to national security, such information can be, and regularly is, rationalized into a classification of Confidential.  That is because all classification definitions contain the vague phrase “…could reasonably be expected to cause… damage to national security.

The classifications Top Secret, Secret, and Confidential, only apply to information that affects national security.  To avoid confusion, anyone doing business with the federal government is discouraged from using similar classification names.

National Interests

The classification scope for national interests is anything not considered classified for national security reasons; but because of its “sensitive nature,” must be afforded some level of protection; because of political, legal, policy, operational or logistical stakes held by government entities outside the federal government.  Collectively called Controlled Unclassified Information (CUI); classifications are based upon a framework of required safeguarding levels and permitted amounts of dissemination; within an Information Sharing Environment (ISE).  The CUI framework attempts to consolidate several hundred pre-existing national interest CMS implementations, independently created by various government agencies.  Classifications for U.S. national interests are outlined in the following document:

  • Presidential Memorandum on Designation and Sharing of Controlled Unclassified Information (CUI), Bush-2008-05-09.

The US government does not officially consider CUI to be “classified information.”  That is because the government reserves the term “classified” for national security information.  But because it assigns safeguarding  and dissemination levels to “sensitive information,” the CUI framework is still a CMS, and anything receiving a CUI designation becomes “classified,” for all intents and purposes.

Enhanced Specific (Controlled Enhanced with Specified Dissemination): Requires safeguarding measures similar to those used to protect Confidential information.  Additional instructions state what kinds of dissemination is permitted.  Unauthorized or inadvertent disclosure would create the risk of substantial harm to national interests.

Controlled Specific (Controlled with Specified Dissemination): Requires ordinary safeguarding measures to reduce the risk of unauthorized or inadvertent disclosure.  Additional instructions state what kind of dissemination is permitted.

Controlled Standard (Controlled with Standard Dissemination): Requires ordinary safeguarding measures to reduce the risk of unauthorized or inadvertent disclosure.  Dissemination is permitted if it is reasonably believed, that doing so would further a lawful or official purpose; provided that persons disseminating the information are doing so within their assigned duties.

 

Safeguarding caveats can be added to CUI classifications.  Safeguarding caveats indicate the specific manner in which information is to be protected.  An official list of safeguarding caveats is contained in the CUI Framework Standards Registry, which is being developed and maintained by the National Archives and Records Administration (NARA).

Dissemination instructions are regulatory in nature, and are not listed in the CUI Registry.  Instructions usually appear in the form of legacy Administrative Control Designation (ACD), or Sensitive But Unclassified (SBU), markings.  Typical examples are: Law Enforcement Only (LEO), For Official Use Only (FOUO), Limited Distribution (LD), and Limited Official Use (LOU).

Any information not classified under either national security or interests is Unclassified.  In language that is similar to Executive Order 13292; the Presidential Memorandum on CUI prohibits classification of information in order “…to conceal violations of law, inefficiency, or administrative error; prevent embarrassment to the Federal Government or any Federal official, any organization, or agency; improperly or unlawfully interfere with competition in the private sector; or prevent or delay the release of information that does not require such protection.”  However as in the case of national security; it is very easy to rationalize CUI classifications for any information, in which a government entity holds a “political, legal, policy, operational or logistical” stake.  Compounding the potential for abuse is the framework’s flexibility which allows agencies to ”…retain control of decisions regarding whether to disseminate CUI materials beyond their Standard or Specified Dissemination instructions, including any dissemination to the media or general public.”  Law enforcement investigations are an excellent example of how information can be “Controlled Specific – LEO,” and still be released to the media; as it suits the needs of the investigation.  Other abusive practices include the “selective leaking” of investigative information to the media, under the guise of voluntary “sunshine law” compliance, in an effort to mold public opinion, through the use of “unfair adverse publicity.”

Homeland Security

If national security and national interests are like “sets of buckets,” then homeland security is like the “puddle of water” that lies between them.  While not yet a taxonomy in its own right, the guidance for classification of homeland security information is outlined in the following document:

  • Memorandum For The Heads Of Executive Departments And Agencies, Action to Safeguard Information Regarding Weapons of Mass Destruction and Other Sensitive Documents Related to Homeland Security, Card, 2002-03-19.

One result of this guidance is that homeland security infrastructure protection agreements, are exempt from the CUI framework; due to their quasi national security nature.  CUI exceptions also apply to the following:

  • CFR, Title 6, Part 27, Chemical Vulnerability Information (CVI).
  • CFR, Title 6, Part 29, Protected Critical Infrastructure Information (PCII).
  • CFR, Title 10, Part 73, Safeguards Information (SGI).
  • CFR, Title 49, Part 15, Department of Transportation (DOT); Sensitive Security Information (SSI).
  • CFR, Title 49, Part 1520, Department of Homeland Security (DHS): Transportation Security; Sensitive Security Information (SSI).

Homeland security classifications are still fluid, and are mostly done on a case-by-case basis.  It is expected that a third taxonomy will eventually be developed, to bridge the gap between national security and national interests.

The Assurer has more than 30 years experience working with both Classified and Unclassified government information.  He also holds a DoD Facility Security Officer (FSO) certificate.  If you or your organization requires assistance in working with Classified information, please contact The Assurer for a consultation.

Spread the word!