FOIPA adventures

coderman coderman at gmail.com
Mon Oct 5 09:29:36 PDT 2015


On 10/5/15, coderman <coderman at gmail.com> wrote:
> honestly didn't think i'd get a useful reply to this one:
> " [regarding SCIFs]

...

https://muckrock.s3.amazonaws.com/foia_files/2015/09/29/F15-0117_Peck.PDF

NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715

28 September 2015
Mr. Martin Peck
MuckRock
DEPT MR 21368
PO Box 55819
Boston, MA 02205-5819
Re: NRO Case #F15-0117
Dear Mr. Peck:
This is in response to your request dated 19 September 2015, received
in the National Reconnaissance Office (NRO) on 21 September 2015. Pursuant
to the Freedom of Information Act, you are requesting "Records associated
with self inspection of classified materials handling pursuant to Executive
Order (E.O.) 13526 and E.O. 13587 for the last ten (10) years."
We have accepted your request, and it is being processed in accordance
with the FOIA, 5 U.S.C. § 552, as amended. As an interim release in
response to your request, we are providing to you thirty-nine pages of
responsive information that has previously been released in part to another
requester. These pages are being released in part to you, as well.
Information that is denied is withheld pursuant to FOIA exemption (b)(3),
which is the basis for withholding information exempt from disclosure by
statute. The relevant withholding statute is 10 U.S.C. § 424, which
provides (except as required by the President or for information provided to
Congress), that no provision of law shall be construed to require the
disclosure of the organization or any function of the NRO; the number of
persons employed by or assigned or detailed to the NRO; or the name or
official title, occupational series, grade, or salary of any such person.
Since it is unlikely we will be able to provide a complete response
within the 20 working days stipulated by the Act, you have the right to
consider this a denial and may appeal on this basis to the NRO Appeal Review
Panel, 14675 Lee Road, Chantilly, VA 20151-1715 after the initial 20 working
day period has elapsed. It would seem more reasonable, however, to allow us
sufficient time to continue processing your request and respond as soon as
we can. Unless we hear from you otherwise, we will assume that you agree
and will continue processing your FOIA request on this basis. You will have
the right to appeal any denial of records after you receive a final response
to your request.
The FOIA authorizes federal agencies to assess fees for record
services. Based upon the information provided, you have been placed in the
"other" category of requesters, which means you are responsible for the cost
of search time exceeding two hours ($44.00/hour) and reproduction fees ($.15
per page) exceeding 100 pages. We will notify you if it appears that we will
meet or exceed our $25.00 minimum billing threshold in processing your
request. Additional information about fees can be found on our website at
www.nro.gov .
If you have any questions, please call the Requester Services Center
at 703-227-9326, and reference the case number F15-0117.

Patricia B. Cameresi
Chief, Information Review
and Release Group
Enclosure: Responsive information for 2012 & 2013

UNCLASSIFIED NRO APPROVED FOR RELEASE

28 August 2014
NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715

MEMORANDUM FOR OFFICE OF THE UNDER SECRETARY OF DEFENSE FOR
INTELLIGENCE SECURITY POLICY AND OVERSIGHT DIRECTORATE
SUBJECT: Annual Self-Inspection Report
REFERENCES: OUSD(I) Memorandum, Annual Senior Agency Official
Self-Inspection Program Report for Classified
National Security Information, 8 July 2013
The National Reconnaissance Office (NRO) is providing the
attached Self-Inspection Report as requested in reference.
Point of contact for questions concerning this submission is

A. Jamieson Burnett
Director, Office of Security
and Counterintelligence
Attachment:
NRO Annual Self-Inspection Report for 2013

Enclosure 2
AGENCY ANNUAL SELF-INSPECTION PROGRAM DATA: FY 2013
(Submissions must be unclassified.)

PART A: Identifying Information
1. Enter the agency name.

National Reconnaissance Office (NRO)

2. Enter the date of this report.

30 September 2013

3. Enter the name, title, address, phone, fax, and e-mail address of the
Senior Agency Official (SAO) (as defined in E.O. 13526, section 5.4(d)) responsible
for this report.

Mr. Frank Calvelli
Principal Deputy Director, NRO
Room (b)(3) 10 USC 424
14675 Lee Road, Chantilly, VA 20151

4. Enter the name, title, phone, fax, and e-mail address of the
individual or office responsible for conducting self-inspections and reporting findings.

A. Jamieson Burnett
Director, Office of Security and Counterintelligence
(b)(3) 10 USC 424

5. Enter the name, title, phone, fax, and e-mail address for the
point-of-contact responsible for answering questions regarding this
report.

Chief Security and Counterintelligence Policy Staff
(b)(3) 10 USC 424
Fax (b)(3) 10 USC 424

PART B: Classified National Security Information (CNSI) Program Profile
Information
6. Has your agency been designated/delegated as an original
classification authority (OCA)?
7. Does your agency perform original classification activity?
8. Does your agency perform derivative classification activity?
9. Does your agency have an approved declassification guide and declassify CNSI?

6.

7.
8.
9

■ No
_I Yes ■ No
Yes ■ No
❑ Yes ■ No
❑

Yes

❑

PART C: Description of the Program
A description of the agency's self-inspection program to include
activities assessed, program areas covered, and methodology utilized. The
description must demonstrate how the self-inspection program provides
the SAO with information necessary to assess the effectiveness of the CNSI
program within individual agency activities and the agency as a whole.

Responsibility
10. How is the SAO involved in the self-inspection program? (Describe
his or her involvement with the self-inspection program.)

The Director of Security and Counterintelligence (D/OS&CI) advises the
Senior Agency Official (SAO) when
events warrant. The NRO Integrated Security Assessment Program (ISAP)
results are also reported to the SAO
thru the annual Management Control Plan Statement of Assurance (MCPSOA).
11. How is the self-inspection program structured to provide the SAO
with information necessary to assess the agency's CNSI program in
order to
fulfill his or her responsibilities under section 5.4(d) of E.O. 13526?

The DOS&CI receives periodic reports on the program and advises the
SAO when the DOS&CI believes events
warrant advising the SAO. The NRO ISAP results are also reported to
the SAO thru the annual MCPSOA.
12. Whom has the SAO designated to assist in directing and
administering the self-inspection program? Who conducts the
self-inspections?
(If the SAO conducts the self-inspections, which may be the case in
smaller agencies, indicate this.)

The DOS&CI is provided a Letter of Instruction by the Director, NRO
which assigns his responsibilities.

Approach

(b)(3) 10 USC 424

13. What means and methods are employed in conducting self-inspections?
(For example: interviews, surveys, data calls, checklists, analysis, etc.)

NRO self-inspections are part of the NRO ISAP. Because contractors
make up [illegible] of the total NRO workforce
and have the overwhelming number of Sensitive Compartmented
Information Facilities (SCIFs), ISAP is a
collaborative
between Government and industry to identify and address security
vulnerabilities, provide [illegible] process [illegible]
INFORMATION SECURITY OVERSIGHT OFFICE

AUTHORIZED FOR LOCAL REPRODUCTION
32 CFR 2001 E.O. 13526

14. If your agency performs different types of inspections (e.g.,
component self-inspections, command inspections, compliance reviews,
etc.),
describe each of them and explain how they are used. If not, indicate NA.

NA

15. Do your agency's self-inspections evaluate adherence to the
principles and requirements of E.O. 13526 and its implementing
directive and the
effectiveness of agency programs covering the following areas? (Select
all that apply.)
Original classification
Cl Security violations
[ 1 Safeguarding
__I Management and oversight
Derivative classification
■ Declassification
11 Security education and training
16. Do your self-inspections include a review of relevant security
directives and instructions?
16. ■ Yes 7 No
17. Do your self-inspections include interviews with producers (where
applicable) and users of classified information?
17. H Yes ■ No
Approach: Representative Sample
(If your agency does not classify information, indicate NA.)
18. Do your self-inspections include reviews of representative samples
of original and derivative classification
actions to evaluate the appropriateness of classification and the
proper application of document markings?
18. Yes ■ No ■ NA
19. Do these reviews encompass all agency activities that generate
classified information?
19. ■ Yes No ■ NA
❑

20. Describe below how the agency identifies activities and offices
whose documents are to be included in the sample of classification
actions.
(Indicate if NA.)

Based on the 291 site self-assessments submitted, the ISAP Manager,
Program Security Officers (PSOs) and
stakeholders discuss findings and formulate recommendations for a
formal assessment, if required. OS&CI

[illegible]
21. Do the reviews include a sampling of various types of classified
information in document and electronic formats?
21. — Yes ■ No ■ NA

22. How do you ensure that the materials reviewed provide a
representative sample of the agency's classified information?
(Indicate if NA.)

Documents are selected for review in cooperation with site personnel
who are familiar with the type of materials
produced by the site. However, contractors are not required to count
classified pages produced because of the
additional costs that would be incurred by the NRO, so the documents
reviewed may not be a representative

23. How do you determine that the sample is proportionally sufficient
to enable a credible assessment of your agency's classified product?
(Indicate if NA.)

We do not attempt to do this as it would increase costs to the NRO (as
explained in item 22 above).
24. Who conducts the review of the classified product? (Indicate if NA.)

PSOs and Classification Management Officers (CMOs).
25. Are the personnel who conduct the reviews knowledgeable of the
classification and marking requirements of
E.O. 13526 and its implementing directive?
26. Do they have access to pertinent security classification guides?
(Indicate if NA.)
27. Have appropriate personnel been designated to correct
misclassification actions? (Indicate if NA.)
If so, identify below.

25. D Yes ■ No ■ NA
26. ❑ Yes ■ No ■ NA
27. El Yes ■ No ■ NA

Frequency
28. How frequently are self-inspections conducted?

Annually.
29. Describe the factors that were considered in establishing this time period?

The time period is defined in the NRO Security Manual (NSM).

Coverage
30. How do you determine what offices, activities, divisions, etc.,
are covered by your self-inspection program? What agency activities are
assessed?

Self-assessments are to be completed on each contractor SCIF. All
contractor activities are assessed.
31. How is the self-inspection program structured to assess individual
agency activities and the agency as a whole?

Contractor SCIF locations far outnumber government SCIF locations in
the NRO. Government locations are
relatively few in number and have professional government security
officers assigned who can monitor
safeguarding and classified information production and correct errors
as they occur. We chose to concentrate on

Special Access Programs (SAP)
(If your agency does not have the authority to create SAPs, indicate NA.)
32. If your agency has any special access programs, are
self-inspections of the SAP programs conducted annually?
33. Do the self-inspections confirm that the agency head or principal
deputy has reviewed each special access
program annually to determine if it continues to meet the requirements
of E.O. 13526?
34. Do the self-inspections determine if officers and employees are
aware of the prohibitions and sanctions for
creating or continuing a special access program contrary to the
requirements of E.O. 13526?

32.
33.
34.

■ No ■ NA
—I Yes III No ■ NA
Yes III No ■ NA

❑

Yes

❑

Reporting
35. What is the format for documenting self-inspections in your agency?

Self-assessments are documented using the self-assessment review tool
in the NSM, Appendix B. For formal
assessments, an out-briefing is provided to site security staff and
other site senior management identifying
[illegible]

36. Who receives the reports?

The OS&CI ISAP Manager.
37. Who compiles/analyzes the reports?

The ISAP Manager and the responsible PSO analyze the report.
38. How are the findings analyzed to determine if there are problems
of a systemic nature?

The ISAP Manager provides to the sponsoring Government Program
Security Officer (GPSO) for review and
subsequent action.
39. How and when are the results of the self-inspections reported to the SAO?

The DOS&CI determines when results warrant informing the SAO.

40. How is it determined if corrective actions are required?

The Government PSO and security stakeholder(s) reviews determine if
corrective actions are required.
41. Who takes the corrective actions?

The assessed site.
42. How are the findings from your agency's self-inspection program
distilled for the annual report to the Director of ISOO?

The OS&CI Security Policy Staff (SPS) tasks the ISAP Manager to
distill the findings and provide them to SPS
for inclusion in the annual report.
43. Has the SAO formally endorsed this self-inspection report?
43.

■ Yes

❑

No

PART D: A summary of the findings of your agency's self-inspection program
The summary should present specific, concise findings from your
self-inspection program for each of the required program areas below.
It is not a
description of the requirements of the agency's CNSI program. Rather,
the summary outlines the essential self-inspection findings based on
the
compilation and/or distillation of the information contained in the
agency's internal self-inspection reports, checklists, etc. In large
agencies where
findings are drawn from multiple agency offices and activities, the
findings that are reported here may be the most significant or most
frequently
occurring.
44. Original Classification:

OCAs are senior officers and mainly exercise their authority through
the signing of classification guides for
information unique to their activity. While OCA decisions get
implemented through the classification guide,
written documentation of individual OCA decisions is difficult or
impossible to locate. OCA's were not using
the appropriate OCA classification block but a derivative block. OS&CI
Policy Branch will issue clear
instructions for all classification guides to contain the appropriate
OCA classification block.
45. Derivative Classification:

NRO activities result in complicated Power Point slide briefings with
complex tables, diagrams, and text boxes
describing engineering and R&D activities. Under reduced manning from
sequestration and budget cuts which
have resulted in a loss of over 1,000 man-years of experience across
the NRO, derivative classifiers struggle to
get all derivative markings accurate after they have compiled
difficult subject matter on compressed time lines
under stressful conditions. It is admirable that individuals perform
as well as they do.
46. Declassification:

Not included in self-inspection.

47. Safeguarding:

Regular conduct of exercises provides vital feedback to the physical
security program. Exercises identify areas
for corrective measures, enhancements, validates current tactics
techniques and procedures (TTP) and the
adoption/employment of new TTP to meet a dynamic threat environment.
Regular inspections/audits are
essential to ensuring status and validity of issued IC badges and
conformity to physical security requirements.
Risk assessments/physical security assessments provide a helpful
"outside" perspective to site security offices.
48. Security Violations:

The ISAP program is the formal mechanism by which we corroborate
self-inspections. Included in these formal
reviews is an assessment of the respective security violation program
and trends. In addition, each component
Security team evaluates Security incidents and violations by tracking
them according to general broad categories.
During this past FY, the majority (63%) of incidents/violations were
related to categories within personnel
electronic devices in SCIFs. Other categories that have multiple
occurrences indicating potential trends are data
49. Security Education and Training:

100% of personnel assigned to the NRO are required to complete an SCI
indoctrination briefing to include
signing a Non-Disclosure Agreement. E.O. 13526 is called out
specifically so that personnel fully understand
their responsibilities and requirements to protect classified
information. This message is repeated by the release
of awareness videos and reminders throughout the year; to include
presentations, written materials, and training.
Specifically, OS&CI incorporates classification management questions
within the Annual Security Refresher
50. Management and Oversight:

Government oversight of NRO-sponsored SCIFs is achieved in a multi-faceted
manner. Program Security
Officers, Physical/Technical, and Computer Security Officers review
self-assessment results and participate in
on-site reviews. Some program findings for FY 13 were identified in
the following areas:
• Standard Operating Procedures (SOPs) require more detail and more
frequent revision to stay up-to-date with
security requirements.

PART E: An assessment of the findings of your agency's self-inspection program
The assessment discerns what the findings mean. The assessment is an evaluation of
the state of each element of your agency's CNSI program
based on an analysis of the specific, concise findings of the
self-inspection program. It reports what you have determined the
findings indicate about
the state of your agency's CNSI program.
The assessment should inform the SAO and other decision makers of
significant issues that impact the CNSI program. It should be used to
determine
how security programs can be improved, whether the agency regulation
or other policies and procedures must be updated, and if necessary
resources
are committed to the effective implementation of the CNSI program. The
assessment should report trends that were identified during the
reporting
period across the agency or in particular activities, as well as
trends detected by making comparisons with earlier reporting periods.
It can be used to
support assertions about the successes and strengths of an agency's program.
51. Original Classification:

While OCA's produce timely and sufficient Classification Guides,
decisions are not normally documented
outside the guide by a separate source document. OCAs are not using an
OCA style classification block but this
will be corrected soon when specific detailed policy is issued by
Security Policy.
52. Derivative Classification:

Derivative classifiers are still wrestling with proper portion marking
and classification of complex power point
slide presentations and other documents concerning difficult subject
matter and formats. To try and stem this
tide, we are adding more classification management questions to our
ASR. Dwindling budgets, reduced
manpower, and "greening" (reducing) of salaries has reduced longevity,
increased turnover, and reduced portion
marking proficiency.
53. Declassification:

Not included in self-inspection.

54. Safeguarding:

Awareness and education programs are vital to ensuring the workforce
maintains awareness of security policy
and procedures. Regular and aperiodic exercises, inspections, and
audits provide crucial inputs that are
indispensable to ensuring that the physical security program is
current and effective. Key challenges are
maintaining adequate funding to replace aging, malfunctioning, and
obsolete security equipment and training and
education for new personnel. The NRO has an organization-level process
for the Assessment and Authorization
55. Security Violations:

The NSM details the NRO process for reporting and investigating
security incidents, infractions and violations.
Appropriate and prompt corrective actions were taken to mitigate the
severity of the infraction/violation, and to
sanction the offender via management, counterintelligence, and
personnel security processes. Infractions and
violations are centrally tracked in the Security Log (the NRO
incident/violation database). This database is
managed by the Program Security Officers in each directorate and
office, and enables the PSO to automatically
56. Security Education and Training:

OS&CI works closely with PSOs, Counterintelligence personnel, and the
Integrated Self Assessment Program
to determine any trends or specific areas that need an additional
educational awareness campaign. Security
communications are then targeted, utilizing large scale efforts, per a
topic area and audience for best impact
results. The NRO is adding additional classification management
questions to the Annual Security Refresher to
better satisfy the derivative classification training requirement.
OCAs complete yearly training provided by
57. Management and Oversight:

The NRO has a very mature Security management and oversight program.
Over the past FY, much greater
emphasis has been placed on ensuring all sites and facilities
accomplished the self-assessments and submitted the
findings to the Government within the mandated time requirements. This
improved management oversight has
made an impact. Our self-inspection program coupled with security
officer visits, and formal team assessments
provide managers a report card on the health of our security programs.
When negative trends are identified,
PART F: Focus Questions
Answer the questions below. If the response identifies a deficiency,
it should be explained in Part D, Summary of Findings, under the
relevant
program area, and should be addressed in Part H, Corrective Actions.
Training for Original Classification Authorities
Original classification authorities are required to receive training
in proper classification and declassification each calendar year.
(Section 1.3(d) of
E.O. 13526 and § 2001.70(c) of 32 C.F.R. Part 2001) (Indicate NA
if your agency does not have original classification authority)
58. Does agency policy require training for original classifiers?
58. Yes ■ No ■ NA
59. Has the agency validated that this training has been received?
59. I Yes ■ No ■ NA
❑

60. What percentage of the original classification authorities at your
agency has received this training?

60. 100 Actual ■ Estimated

61. Have any waivers to this requirement been granted?

61. III Yes No ■ NA

Persons who Apply Derivative Classification Markings
Persons who apply derivative classification markings are required to
receive training in the proper application of the derivative
classification
principles of E.O. 13526, prior to derivatively classifying
information and at least once every two years thereafter. (Section
2.1(d) of E.O. 13526 and
§ 2001.70(d) of 32 C.F.R. Part 2001) (Indicate NA if your agency does
not have any personnel who derivatively classify information)
62. Does agency policy require training for derivative classifiers?
62. • Yes Ill No III NA
63. Has the agency validated that this training has been received?
63. Yes ■ No ■ NA
64. What percentage of the derivative classifiers at your agency has
received this training?

64. ■ 100 Actual Estimated

65. Have any waivers to this requirement been granted?
65. ■ Yes i No
Initial Training
All cleared agency personnel are required to receive initial training
on basic security policies, principles, practices, and criminal,
civil, and
administrative penalties. (§ 2001.70(6) of 32 C.F.R. Part 2001)
66. Does agency policy require initial training?
66. ❑ Yes ■ No

67. Has the agency validated that this training has been received?

67.

❑

68. What percentage of cleared personnel at your agency has received
this training?

68.

100

70. Has the agency validated that this training has been received?

70.

71. What percentage of the cleared employees at your agency has
received this training?

71. 100
Actual

Yes

■ NA

■ No

LI Actual • Estimated
Annual Refresher Training
Agencies are required to provide annual refresher training to all
employees who create, process, or handle classified information. (§
2001.70() of
32 C.F.R. Part 2001)
69. Does agency policy require annual refresher training?
69. Yes ■ No
❑

rl Yes ■ No

■ Estimated
Identification of Derivative Classifiers on Derivatively Classified Documents
Derivative classifiers must be identified by name and position, or by
personal identifier on each classified document. (Section 2.1(b)(1) of
E.O.
13526 and § 2001.22(b) of 32 C.F.R. Part 2001) (Indicate NA if your
agency does not derivatively classify information.)
72. Does your agency's review of classification actions evaluate if
this requirement is being met?
72. Yes ■ No ■ NA
73. What percentage of the documents sampled meet this requirement?

73. 87

74. What was the number of documents reviewed for this requirement?

74. 166,130 pages

List of Sources on Documents Derivatively Classified from Multiple Sources
A list of sources must be included on or attached to each derivatively
classified document that is classified based on more than one source
document
or classification guide. (§ 2001.22(c)(1)(ii) of 32 C.F.R. Part 2001)
75. Does your agency's review of classification actions evaluate if
this requirement is being met?
75. • Yes ■ No ■ NA
76. What percentage of the documents sampled meet this requirement?
76. 88
77. What was the number of documents reviewed for this requirement?

77. 166,130 pages

Performance Evaluations
The performance contract or other rating system of original classification
authorities, security managers, and other personnel whose duties
significantly involve the creation or handling of classified
information must include a critical element to be evaluated relating
to designation and
management of classified information. (Section 5.4(d)(7) of E.O. 13526 )

78. Does agency policy require this critical element in the
performance evaluations of personnel in the
categories required by E.O. 13526?
79. Has the agency validated that this critical element is included in
the performance evaluations of
personnel in the categories required by E.O. 13526?
80. What percentage of such personnel at your agency has this element
in their performance
evaluations?

78. ■ Yes No
79. ■ Yes 0 No
❑
80. 50% Actual • Estimated

OCA Delegations

OCA delegations shall be reported or made available by name or
position to the Director of the Information Security Oversight Office.
(Section
1.3(c)(5) of E.O. 13526). This can be accomplished by an initial
submission followed by updates on a frequency determined by the SAO,
but at least
annually. (§2001.11(c) and §2001.90(a) of 32 C.F.R. Part 2001)

81. Have there been any changes in the delegations, by name and
position, of original classification
authority in your agency since delegations were reported to ISOO in 2010.
82. Have all delegations been limited to the minimum required based on
a demonstrable and
continuing need to exercise this authority?
83. If changes have been made, have they been reported, by name or
position, to ISOO?

81.
82.

83.

■ Yes

No

■

NA

Yes MI No I. NA

■ Yes ■ No

NA

Classification Challenges
An agency head or SAO shall establish procedures under which
authorized holders of information, including authorized holders
outside the
classifying agency, are encouraged and expected to challenge the
classification of information that they believe is improperly
classified or
unclassified. (Section 1.8(b) of E.O. 13526) Classification challenges
must be covered in the training for original classification authorities
and
persons who apply derivative classification markings. 02001.7 1
and (§2001.71(d) of 32 C.F.R. Part 2001)

84. Has your agency established procedures under which the
classification of information can be
challenged in accordance with section 1.8(b) of E.O. 13526 and
§2001.14 of 32 C.F.R. Part 2001?
85. Does your agency's training for OCAs and for personnel who apply
derivative classification
markings cover classification challenges?
86. Does your agency's training for all other cleared personnel cover
classification challenges?

84. Yes
85. ■ Yes
86. III Yes
■ No ■ NA
❑
❑
No ■ NA
No

PART G: Findings of the Annual Review of Agency's Original and
Derivative Classification Actions

In this section provide specific information with regard to the
findings of the annual review of the agency's original and derivative
classification
actions to include the volume of classified materials reviewed and the
number and type of discrepancies identified.

87. Indicate the volume of classified materials reviewed
during the annual review of agency's original and derivative
classification actions. (If your agency does not classify information,
indicate NA.)
87. 166,130 pages
88. Indicate the number of discrepancies found during the annual
review of classification actions for each category below. For
additional
information on marking, consult the ISOO marking guide.
88 (a) Over-classification: Information does not meet the standards
for classification.
88 (a) 28,798
88 (b) Overgraded/Undergraded: Information classified at a
higher/lower level than appropriate.
88 (b) 42,779
88 (c) Declassification: Improper or incomplete declassification
instructions or no declassification instructions.
88 (c) 24,043
88 (d) Duration: a shorter duration of classification would be appropriate.
88 (d) 13,889
88 (e) Unauthorized classifier: A classification action was taken by
someone not authorized to do so.
88 (e) 0
88 (f) "Classified By" line: A document does not identify the OCA or
derivative classifier by name and position
or by personal identifier.
88 (f) 22,368
88 (g) "Reason" line: an originally classified document does not cite
a reason from section 1.4 of E.O. 13526.
88 (g) 0
88 (h) "Derived From" line: A document fails to cite, or cites
improperly, the classification source. The line
should include type of document, date of document, subject, and
office/agency of origin.
88 (h) 17,096
88 (i) Multiple sources: A document cites "Multiple Sources" as the
basis for classification, but a list of these
sources is not included on or attached to the document.
88 (i) 19,190
88 (j) Marking: A document lacks overall classification markings or has
improper overall classification markings.
88 (j) 34,141
88 (k) Portion Marking: The document lacks some or all of the required
portion markings.
88 (k) 59,937
88 (l) Instructions from a classification guide are not properly applied.
88 (l) 17,070
88 (m) Other:
88 (m) 0

PART H: Corrective Actions
89. Describe actions that have been taken or are
planned to correct identified program deficiencies, marking
discrepancies, or misclassification
actions, and to deter their reoccurrence.

OS&CI Policy Branch will issue written instructions that all
Classification Guides and original classification
decisions will use an OCA style classification block.
We plan to issue NRO-wide, monthly, short written educational
reminders of the most error-prone mistakes
reported in item 88 which will also include the proper way to classify
and mark materials.

PART I: Best Practices
Best practices are those actions or activities that
make your self-inspection program and/or CNSI program more effective
or efficient. They set your
program apart through innovation or by exceeding the minimum program
requirements. These are practices that may be utilized or emulated by
other agencies.

90. Describe best practices that were identified during the self-inspection.

One contractor site developed a database that allows self-assessments
to be completed by each program area at
that site. The database can apply filtering and reporting
capabilities, thereby allowing managers to focus
resources on a wide-range of security-related disciplines. This type
of approach and comprehensive tool
development had not been previously seen by the ISAP Program.

PART J: Explanatory Comments
Use this space to elaborate on any section of this form. If more space
is needed, provide as an attachment to this form. Provide explanations
for any
significant changes in trends/numbers from the previous year's report.

Item 16. All security directives and instructions are issued by the
DOS&CI and are reviewed and updated
annually but not as part of the self-inspection. All directives and
instructions are maintained on-line and are
accessible to all government employees and contractors.
(b)(3) 10 USC 424
Item 27. All government and contractor PSOs and CMOs (about [illegible]
individuals) are authorized to correct
incorrect classification, incorrect use of SCI control channels, and
incorrect dissemination restrictions.
Item 68. CIA personnel (including CIA contractors with Agency Data
Network or staff-like access) at the NRO
are required to take the CIA "2013 Derivative Classifier Training" by
their parent agency. All other government
and contractors at the NRO take their training through the Annual
Security Refresher briefing.
Item 78. The NRO is comprised of government individuals from various
agencies. Parent agencies set the rules
for their performance contract or rating system which cannot be
altered by the NRO. The percentage given
represents the percentage of individuals from agencies that require a
security performance evaluation statement.

For ISOO Use Only
ISOO Analyst:
Date QC:
Analyst Initials:


NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715

12 October 2012
MEMORANDUM FOR OFFICE OF THE UNDER SECRETARY OF DEFENSE FOR
INTELLIGENCE SECURITY DIRECTORATE


