Managing Sensitive Information: DOD Can More Effectively Reduce the Risk of Classification Errors
Abstract
A lack of oversight and inconsistent implementation of the Department of Defense's (DoD) information security program are increasing the risk of misclassification. DoD's information security program is decentralized to the DoD component level, and the Office of the Under Secretary of Defense for Intelligence (OUSD(I)), the DoD office responsible for DoD's information security program, has limited involvement with, or oversight of, components' information security programs. While some DoD components and their subordinate commands appear to manage effective programs, GAO identified weaknesses in others in the areas of classification management training, self-inspections, and classification guides. For example, training at 9 of the 19 components and subordinate commands reviewed did not cover fundamental classification management principles, such as how to properly mark classified information or the process for determining the duration of classification. Also, OUSD(I) does not have a process to confirm whether self-inspections have been performed or to evaluate their quality. Only 8 of the 19 components performed self-inspections. GAO also found that some of the DoD components and subordinate commands that were examined routinely do not submit copies of their security classification guides to a central library as required. Some did not track their classification guides to ensure they were reviewed at least every 5 years for currency as required. Because of the lack of oversight and weaknesses in training, self-inspection, and security classification guide management, the Secretary of Defense cannot be assured that the information security program is effectively limiting the risk of misclassification across the department. To reduce the risk of misclassification and improve DoD's information security operations, GAO is recommending six actions, including several to increase program oversight and accountability. DoD concurred with GAO's recommendations.
Document Details
- Document Type: Technical Report
- Publication Date: Jun 01, 2006
- Accession Number: ADA450320
Entities
People
- Adam Hatton
- Ann Borseth
- Barbara Hills
- Davi M. D'Agostino
- David Keefer
- David Mayfield
- Jim Reid
- Marc Schwartz
- Mattias Fenton
- Terry Richardson
Organizations
- United States Government Accountability Office