From the National Archives and Records Administration (NARA):
The Information Security Oversight Office (ISOO) released online its Report to the President for Fiscal Year (FY) 2014. This annual report covers government agencies’ security classification activities, shares cost estimates for these activities, and provides an update on the Controlled Unclassified Information (CUI) program. This annual report was mandated by Executive Order 13526, Classified National Security Information.
FY 2014 report declassification highlights include:
- A 20 percent reduction in original classification activity, for a 2014 total of 46,800 decisions.
- A three percent decrease in derivative classification action, down to 77,515,636 decisions.
- Under automatic, systematic, and discretionary declassification review, agencies reviewed 64,627,008 pages and declassified 27,819,266 pages of historically valuable records.
Agencies reviewed 597.498 pages under mandatory declassification review and declassified 372,134 pages in their entirety, declassified 190,654 pages in part, and retained classification of 34,710 pages in their entirety.
- Progress by Interagency Security Classification Appeals Panel to adjudicate declassification appeals and post decisions online. This year, the Panel declassified 451 documents that had been received under appeal.
ISOO continues to monitor agencies’ self-assessments of their classified information programs. While many agency reports show improvement, others are lacking. ISOO will continue to help agencies with these assessments to ensure compliance.
Controlled Unclassified Information program
ISOO continues to advance its policy development strategy:
- ISOO submitted a proposed federal CUI to the Office of Management and Budget.
- ISOO initiated a CUI Program appraisal process to assist Executive branch agencies in preparing for implementation by providing agency planners with a baseline.
- ISOO developed an updated training module clarifying the distinction between the CUI Program and the Freedom of Information Act.
- ISOO worked with National Institute of Standards and Technology on Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organization.” This publication, expected to be finalized in later this year, provides information system protection standards for CUI in the nonfederal environment.
The National Industrial Security Program Policy Advisory Committee showed progress in the areas of personnel security clearances and certification and accreditation of information systems. ISOO continues its role on the Senior Information Sharing and Safeguarding Steering Committee, leading efforts to incorporate the requirements of the National Insider Threat Policy, and related responses to unauthorized disclosures, into the National Industrial Security Program policy and guidance.
Increase in Costs for Information Systems that process Classified Information
Estimated costs associated with Protection and Maintenance for Classified Information Systems was $7.57 billion, an increase of $3.17 billion, or 72 percent, from the estimate reported for FY 2013. The main driver of this change was the report of the Department of Defense, whose estimate rose from 3.4 billion in FY 2013 to 6.6 billion for FY 2014, a net increase of $3.2 billion.
ISOO and the Department of Defense attribute the increase to many new initiatives following a number of serious security breaches. In response to E.O. 13587, “Structural Reforms to Improve the Security of Classified Networks, and the Responsible Sharing and Safeguarding of Classified Information,” agencies are developing and implementing greater technical safeguards for national security systems, aiming to improve network security by reducing anonymity, enhancing access controls and user monitoring, establishing enterprise auditing, restricting the removal of media, and, developing insider threat programs. Such improvements are costly.
Another reason for the increase is that the DoD has changed its baseline data collection to provide greater precision in reporting additional expenses. Improved insight into cost data led to discovery and attribution of additional information system security expenditures. Previously, DoD reporting of these expenses corresponded to approximately 25 program elements directly identifiable with information system security. This year, funding planning figures include both funding for these program elements plus an additional 40 percent drawn from other program elements not previously assessed as information system security costs, such as those related to command and control and IT). With the new data in hand, which also permitted retrospective analysis, it can now be seen that this increase occurred over prior years between FY 2012 and FY 2013 and between FY 2013 and FY 2014. The combination of the increased scope of reporting and the two annual increases accounts for the near-doubling of DoD reporting in this category.
Direct to Full Text Report