U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
EPA Does Not Adequately Follow National
Security Information Classification Standards
Report No. 14-P-0017
November 15, 2013

-------
Report Contributors:
Chris Baughman
Hilda Canes Garduno
Eric Lewis
Ryan Patterson
Byron Shumate

Abbreviations
CFR: Code of Federal Regulations
EO: Executive Order
EPA: U.S. Environmental Protection Agency
ISOO: Information Security Oversight Office
NHSRC: National Homeland Security Research Center
NSI: National security information
OARM: Office of Administration and Resources Management
OCA: Original classification authority
OHS: Office of Homeland Security
OIG: Office of Inspector General
SMD: Security Management Division

Hotline
To report fraud, waste or abuse, contact us through one of the following methods:
email: OIG_Hotline@epa.gov
phone: 1-888-546-8740
fax: 1-202-566-2599
online: http://www.epa.gov/oig/hotline.htm
write: EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW
Mailcode 2431T
Washington, DC 20460

Suggestions for Audits or Evaluations
To make suggestions for audits or evaluations, contact us through one of the following methods:
email: OIG_WEBCOMMENTS@epa.gov
phone: 1-202-566-2391
fax: 1-202-566-2599
online: http://www.epa.gov/oig/contact.html#Full_Info
write: EPA Inspector General
1200 Pennsylvania Avenue, NW
Mailcode 2410T
Washington, DC 20460

-------
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
14-P-0017
November 15, 2013
Why We Did This Review
We evaluated the
U.S. Environmental Protection
Agency's (EPA's) classified
national security information
practices as required by
Section 6(b)(1) of the
Reducing Over-Classification
Act. In this report, we reviewed
a sample of documents
classified by the EPA to
determine the appropriateness
of the classification decisions
and markings.
Information may be classified
so that it is protected against
unauthorized disclosure in the
interest of national security.
Such information must be
appropriately marked to
indicate its classified status.
Original classification means
the initial determination to
classify is made by an original
classification authority, and for
the EPA the Administrator
serves as the sole original
classification authority.
Others can classify information
derivatively on the basis of
classified source documents or
classification guides.
This report addresses the
following EPA theme:
• Embracing EPA as a
high performing organization.
For further information,
contact our public affairs office
at (202) 566-2391.
The full report is at:
www.epa.gov/oig/reports/2014/20131115-14-P-0017.pdf
EPA Does Not Adequately Follow National
Security Information Classification Standards
What We Found
Our review of both originally and derivatively
classified documents generated by three offices
found that the EPA does not sufficiently follow
national security information classification standards.
EPA's national security
information could be
improperly classified
without improved
procedures.
Of the two originally classified documents we reviewed, portions of one needed
different classification levels and the other contained numerical data that was
incorrectly transferred from another document. The National Homeland Security
Research Center in the Office of Research and Development agreed to correct
the documents. We also noted that the approved classification guide and the
three guides under review had narrow scopes, which limits their usefulness. The
three proposed guides have been in the approval process for 12 months when it
must take no more than 30 days. Additionally, the declassification process
needs clarity since the one pending declassification request has also been in the
approval process for almost a year when it should take no more than 60 days.
None of the 19 derivatively classified documents we reviewed completely met
the requirements of Executive Order 13526 and the implementing regulations.
The derivative classifiers did not include some required information and did not
correctly transfer information from the source documents. As a result, those who
later access the information may not know how to protect it or be able to
properly identify or use it as a source for their own derivative decision. A lack of
training for derivative classifiers and incorrect information in the annual refresher
training given to all clearance holders contributed to the classification problems
noted. The EPA had not promptly updated guidance. Not all cleared employees
who needed an element relating to designation and management of classified
information as part of their performance evaluation had such an element.
Recommendations and Planned Corrective Actions
We recommend that the Assistant Administrator for the Office of Administration
and Resources Management assist EPA organizations to correct originally and
derivatively classified documents as needed, improve training, and develop a
process to address declassification requests. We recommend that the Assistant
Administrator for the Office of Research and Development submit a single,
unclassified classification guide for approval. The action officials identified
corrective actions for all the recommendations, and with one exception,
identified milestones to complete the actions. We recommend that the Associate
Administrator for the Office of Homeland Security, working with others, develop
a process for approving classification guides since its reviews were delaying the
process. This recommendation is unresolved because the action official did not
concur; resolution will begin immediately upon issuance of the report.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
November 15, 2013
MEMORANDUM
SUBJECT: EPA Does Not Adequately Follow National Security Information
Classification Standards
Report No. 14-P-0017
FROM: Arthur A. Elkins Jr.
TO:	Craig E. Hooks, Assistant Administrator
Office of Administration and Resources Management
Juan Reyes, Acting Associate Administrator
Office of Homeland Security
Lek Kadeli, Principal Deputy Assistant Administrator
Office of Research and Development
This is our report on the subject review conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems
the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of
the OIG and does not necessarily represent the final EPA position. Final determinations on matters in
this report will be made by EPA managers in accordance with established audit resolution procedures.
Action Required
In accordance with EPA Manual 2750, resolution on recommendation 4 should begin immediately upon
issuance of the report. We are requesting a meeting of the action officials from the Office of Homeland
Security and the Office of Administration and Resources Management with the Assistant Inspector
General for the Office of Program Evaluation, to start the resolution process and attempt to obtain
resolution. If resolution is still not reached within 30 days, these action officials are required to complete
and submit a dispute-resolution request to the Chief Financial Officer.
Regarding recommendation 1, you are required to provide a written response to this report within
60 calendar days with a completion date for the planned corrective actions. Your response will be posted
on the OIG's public website, along with our memorandum commenting on your response. Your
response should be provided as an Adobe PDF file that complies with the accessibility requirements of
Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data
that you do not want to be released to the public; if your response contains such data, you should
identify the data for redaction or removal along with corresponding justification. We will post this report
to our website at http://www.epa.gov/oig.

-------
If you or your staff have any questions regarding this report, please contact Carolyn Copper,
Assistant Inspector General for Program Evaluation, at (202) 566-0829 or copper.carolyn@epa.gov; or
Eric Lewis, Product Line Director, Special Program Reviews, at (202) 566-2664 or lewis.eric@epa.gov.

-------
Table of Contents
Chapters
1 Introduction
    Purpose
    Background
    Scope and Methodology
2 Original Classification Processes Need Improvement
    Portions of the Scientific Report Need Different Classification Levels
    Originally Classified Security Classification Guide Had Errors
    Other Security Classification Guides Not Yet Approved
    EPA Needs Timelier Declassification
    Requirements for Original Classifier Training Were Mostly Met
    Conclusion
    Recommendations
    Agency Comments and OIG Evaluation
3 Derivative Classification Decisions Did Not Comply With Requirements
    Required Information Was Missing or Incorrect
    Information Was Incorrectly Transferred
    NSI Program Team Found and Reported Problems With Derivative Decisions
    Derivative Classifier Training Not Implemented
    Annual Refresher Training Lacked Required Elements
    Not All Classifiers Were Evaluated on NSI Requirements
    Conclusion
    Recommendations
    Agency Comments and OIG Evaluation
Status of Recommendations and Potential Monetary Benefits
Appendices
A EPA OIG Reports Address Section 6(b) of Public Law 111-258
B Errors in the Derivative Documents
C Agency Response to Draft Report
D Email From the Information Security Oversight Office
E Distribution

-------
Chapter 1
Introduction
Purpose
This report complies with the Reducing Over-Classification Act (Public Law
111-258 of October 7, 2010). Section 6(b)(1) of the act requires the Inspector
General of each agency with an officer or employee who is authorized to make
original classifications, in consultation with the Information Security Oversight
Office (ISOO):¹
(A)	to assess whether applicable classification policies, procedures,
rules, and regulations have been adopted, followed, and effectively
administered within such department, agency, or component; and
(B)	to identify policies, procedures, rules, regulations, or
management practices that may be contributing to persistent
misclassification of material within such department, agency or
component.
The law requires that Inspectors General complete two evaluations by
September 30, 2016. The initial evaluation must be completed no later than
September 30, 2013. This report, along with two prior U.S. Environmental
Protection Agency (EPA) Office of Inspector General (OIG) reports, constitutes
the initial evaluation. Appendix A addresses how our three reports satisfy the
requirements of the Reducing Over-Classification Act.
The specific objective for this report was to review a representative sample of
EPA's originally and derivatively classified documents to determine:
1.	Whether appropriate classification markings were applied in a manner
consistent with applicable classification policies, procedures, rules and
regulations.
2.	The appropriateness of the original and derivative classification decisions
to identify policies, procedures or management practices that may be
contributing to misclassification of material.
Background
Executive orders (EOs) since 1940 have directed governmentwide information
classification standards and procedures. Such programs must comply with the
December 2009 EO 13526, "Classified National Security Information," which
establishes the current principles, policies and procedures for classification. The
EO prescribes a uniform system for classifying, safeguarding and declassifying
national security information (NSI). EO 13526 expresses the President's belief
that this nation's progress depends on the free flow of information, both within
the government and to the American people. Accordingly, protecting information
critical to national security and demonstrating a commitment to open government
through accurate and accountable application of classification standards and
routine, secure and effective declassification are equally important priorities.

¹ ISOO is responsible to the President for policy and oversight of the governmentwide security classification system
and the National Industrial Security Program. ISOO is a component of the National Archives and Records
Administration and receives policy and program guidance from the National Security Council.

Certain Information Must Be Protected
Pursuant to EO 13526 and its implementing regulations in the Code of Federal
Regulations (CFR), i.e., 32 CFR Part 2001, classified information that is
determined to require protection against unauthorized disclosure to prevent
damage to national security must be marked appropriately to indicate its classified
status. Such information must meet the following standards for classification:
•	The information is owned, controlled or produced by or for the
U.S. government.
•	The information falls within one or more of the eight categories of
information (reasons for classification) described in EO 13526 Section 1.4.
•	The unauthorized disclosure of the information reasonably could be
expected to result in damage to the national security.
The three U.S. classification levels, and the correlating expected damage to
U.S. security if the information is disclosed inappropriately, are identified below.
Except as otherwise provided by statute, no other terms shall be used to identify
U.S. classified information.
•	Top Secret: Shall be applied to information, the unauthorized disclosure
of which reasonably could be expected to cause exceptionally grave
damage to the national security.
•	Secret: Shall be applied to information, the unauthorized disclosure of
which reasonably could be expected to cause serious damage to the
national security.
•	Confidential: Shall be applied to information, the unauthorized disclosure
of which reasonably could be expected to cause damage to the national
security.
Following September 11, 2001, Congress was concerned that information was
being classified at levels such that it could not be disseminated within the federal
government or properly shared with state, local, tribal and private sector entities
when necessary. Accordingly, the Reducing Over-Classification Act places an
emphasis on avoiding "over-classification," which is the designation of information
as classified when the information does not meet one or more of the standards for
classification in EO 13526. Pursuant to EO 13526, classified information shall be
made accessible to the maximum extent possible to authorized holders. EO 13526
further states that if significant doubt exists about the need to classify information it
should not be classified; if significant doubt exists about the appropriate level of
classification, information shall be classified at the lower level.
Authorized holders of information (including those outside the classifying
organization) who, in good faith, believe that its classification status is improper
are encouraged and expected to challenge the classification status of information.
According to 32 CFR 2001.14(b)(3), an agency shall provide an initial written
response to a challenge within 60 days.
Information May Be Classified by an Original Classification Authority
Original classification means an initial determination that information requires
protection against unauthorized disclosure in the interest of national security.
Information may be originally classified only by original classification authorities
(OCAs). OCAs are individuals authorized in writing—either by the President,
Vice President, agency heads or other officials designated by the President—to
initially classify information. The EPA Administrator serves as the EPA's sole
OCA; since 2004 the Administrators have originally classified eight documents.
When originally classifying information, the OCA must be able to identify and
describe the damage to national security that would be caused by its unauthorized
disclosure. According to 32 CFR 2001.71(c), OCAs must receive detailed training
on proper classification and declassification (with an emphasis on avoiding over-
classification) before originally classifying information, and at least once per
calendar year after that.
Information May Be Classified Derivatively
All personnel with an appropriate security clearance can perform derivative
classification unless an agency limits this activity to specific personnel.
Information may be derivatively classified from a source document or
classification guide. According to 32 CFR 2001.71(d), all personnel who apply
derivative classification markings must receive training on the proper application
principles of EO 13526 prior to derivatively classifying information and at least
once every 2 years thereafter. The regulations describe the elements that must be
present in the training for persons who apply derivative classification markings.
According to the regulations, security classification guides help ensure
classification decisions are consistent and uniform. An OCA must approve each
guide. The guide must state precisely the elements of information to be protected,
as well as which classification level applies to each element of information, and,
when useful, specify the elements of information that are unclassified. In addition,
agencies must incorporate original classification decisions into security
classification guides as soon as practicable. Further, the regulations encourage
those preparing guides to consult users of guides for input. Section 1.3(e) of
EO 13526 provides for exceptional cases, which are when someone who does not
have original classification authority originates information that they believe
requires classification. Such information shall be promptly provided to an agency
with appropriate subject matter interest and classification authority, which must
decide within 30 days on whether to classify the information.
EPA Has a Program to Classify and Protect NSI
EPA has had a program to safeguard classified NSI since 1972, although ISOO
considers the amount of classification activity to be minute. EPA creates,
receives, handles and stores classified material because of its homeland security,
emergency response and continuity missions. The Assistant Administrator for the
Office of Administration and Resources Management (OARM) has been
delegated overall authority for the NSI program. The Assistant Administrator
may, and has, delegated much of this authority to the OARM Security
Management Division (SMD) within the OARM Office of Administration. The
SMD created an NSI program team to manage the program. In addition, all major
EPA offices assigned at least one employee as an NSI representative to coordinate
the program at their organization. The EPA's National Security Information
Handbook identifies the official policies, standards and procedures for EPA
employees and nonfederal personnel who have access to classified NSI.
Although the EPA has a process for making original classification decisions,
including approving security classification guides, there are no timelines
associated with the process. The key steps in the current approval process are:
•	The EPA program office creates and marks the document.
•	The SMD performs an administrative review.
•	The Office of Homeland Security (OHS) within the Office of the
Administrator evaluates the classification levels assigned.
•	The EPA Administrator makes an original classification decision.
Scope and Methodology
We performed our review from February through September 2013. We conducted
our work in accordance with generally accepted government auditing standards
issued by the Comptroller General of the United States. Those standards require
that we plan and perform the evaluation to obtain sufficient, appropriate evidence
to provide a reasonable basis for our findings and conclusions based on our
objectives. We also reviewed internal controls over program operations and
compliance with applicable laws and regulations. The evidence obtained provides
a reasonable basis for our findings and conclusions based on our evaluation
objectives.
For this phase of our initial evaluation under the Reducing Over-Classification
Act, we reviewed the two most recent original classification decisions, both dated
May 2012, as well as 19 of the derivatively classified documents (excluding
emails) authored by the EPA between January 2010 and December 2012. At
ISOO's direction, we narrowed our review to classified documents created after
the December 2009 issuance of EO 13526. The derivative decisions were made
by three EPA organizations: OHS, the National Homeland Security Research
Center (NHSRC) in the Office of Research and Development, and the OIG (made
by the OIG's Office of Investigations). In addition, we:
•	Examined the results of the fundamental classification guidance review.
•	Examined the results of self-inspection reporting.
•	Examined applicable Standard Form 311, "Agency Security Classification
Management Program Data."
•	Reviewed relevant policies, regulations and related reports.
•	Reviewed the NSI annual refresher training to determine whether it was
consistent with NSI guidance.
•	Compared the derivatively classified documents with the corresponding
source material when available.
•	Interviewed EPA's sole original classification authority and four
derivative classifiers.
•	Interviewed staff responsible for security training and related policy
development and implementation, including staff from SMD, NHSRC
and OHS.
As directed by the Reducing Over-Classification Act, we consulted with ISOO
and coordinated throughout the evaluation with other Inspector General offices
with the intent of ensuring that our evaluations followed a consistent methodology
to allow for cross-agency comparisons. We also used an evaluation guide that was
prepared by a working group of participating Inspectors General under the
auspices of the Council of the Inspectors General on Integrity and Efficiency.
To discern whether agency policies and practices were consistent with EO 13526
and the regulations, we used the following from the evaluation guide:
•	Methodology for determining the appropriateness of an original
classification decision.
•	Original classification authority interview coverage.
•	Methodology for determining appropriateness of a derivative classification
decision.
•	Derivative classifier interview coverage.

-------
Chapter 2
Original Classification Processes Need Improvement
The EPA needs to improve several activities related to the original classification
of information. We reviewed two originally classified documents that were
prepared by NHSRC: a scientific report and a security classification guide for that
scientific report. We found that portions of the scientific report needed different
classification levels, and that the guide contained incorrect instructions and
numerical data that was incorrectly transferred from another document. NHSRC
agreed to correct the documents. We also noted that the approved classification
guide, as well as three guides under review (but not yet originally classified),
covered information previously classified by the Administrator, which limits their
usefulness. Further, the three proposed guides have been in the approval process
for a year when approvals must, by executive order, take no more than 30 days. In
addition, an earlier document originally classified by the EPA will reach its
declassification date in 2014. The declassification process needs clarity since a
pending declassification request has been in the approval process for almost a
year when it should, according to federal regulation, take no more than 60 days.
This has delayed making currently classified information more accessible.
Portions of the Scientific Report Need Different Classification Levels
The originally classified scientific report had classification inconsistencies and
errors. We brought these matters to the attention of the NHSRC staff, who offered
satisfactory responses and agreed to correct the document. As a result, the scientific
report may need to go through the original classification process again.
We found that different classification levels were assigned to the same
information within the scientific report. Four narrative portions marked
"Confidential" contained information that was marked "Secret" in tables and
figures. Another paragraph marked "Secret" contained information marked
"Unclassified" elsewhere. NHSRC staff agreed portions should be consistently
marked and plan to appropriately revise the document by increasing certain
markings to a higher classification level.
We also identified portions of the scientific report that seemed to be over-
classified. The report acknowledged there were doubts as to whether the release
of some of the report data would constitute a threat to national security but the
information was nonetheless classified. As noted in chapter 1, EO 13526 states
that if there is doubt, information should be unclassified or classified at a lower
level. In response to our questions, NHSRC offered satisfactory explanations for
classifying the information and explained the threat that the release of such
information would pose.
One of the most effective ways to protect classified information is through
applying standard classification markings and dissemination control markings.
Dissemination controls are control markings that identify the expansion or
limitation on the distribution of information. These markings are in addition to
and separate from the levels of classification defined by EO 13526. We
determined the scientific report was marked correctly, with one minor formatting
exception. Dissemination controls within portion marks must be preceded by a
double slash; however, some portion marks in this document had dissemination
controls preceded by a single slash. For instance, a classified paragraph was
incorrectly portion marked as U/FOUO rather than as U//FOUO.² Having one
versus two slashes can change the meaning.
Originally Classified Security Classification Guide Had Errors
The security classification guide for the scientific report gave incorrect
instructions to those using it and contained numerical data different than that in
the scientific report. It also had some portion marks with dissemination controls
preceded by a single slash instead of two slashes. This is the May 2012 security
classification guide to which EPA referred in the June 2012 report on its
fundamental classification guidance review.
The security classification guide provided incorrect instructions to would-be
derivative classifiers:
•	Title 32 CFR 2001.22(b) requires derivative classifiers to be identified by
name and position or by personal identifier. However, the guide only
instructs derivative classifiers to supply their names.
•	Title 32 CFR 2001.22(e) instructs derivative classifiers to carry forward
the declassification instructions from the source document. However, the
guide did not specify this and instead instructs the derivative classifier to
declassify "25 years from the date of document creation." The guide did
not clarify if the document creation date was in reference to the guide
itself or the derivative document based on the guide.
The security classification guide included classified numerical data that did not
match the source data from the scientific report. The numerical data were
classified at the same level in both documents. However, we believe the
inconsistency in the data may confuse those using the guide. In response to our
questions, NHSRC staff agreed to correct the numerical data taken from tables in
the scientific report. As a result, the classification guide may need to go through
the original classification process again unless it is superseded, as discussed
below.

² U = Unclassified. FOUO = For official use only.

Other Security Classification Guides Not Yet Approved
Three other security classification guides have been in the process for an original
classification decision since August 2012. According to the EO, classification
guides will facilitate the proper and uniform derivative classification of
information. Although NHSRC submitted an initial guide that was broad in scope,
OHS wanted the guide to be narrow in scope, i.e., pertain to a single document
originally classified by the Administrator. EPA clearance holders need broader
guidance to discern what information the EPA should classify. With such a
classification guide approved, NHSRC will not need to process so many
documents as original classification decisions. This would shorten the
classification process by removing two steps. The omitted steps would be
(1) obtaining the Administrator's approval and (2) actions needed because of such
approval.
Classification Guide With a Broader Scope Would Be More Useful
NHSRC staff initially prepared a broad security classification guide that would
encompass both past and possible future work. They designed the guide to help
NHSRC staff understand what must be classified and what can be made publicly
available. NHSRC considers this part of its risk assessment on each new project.
According to a NHSRC staff member, the OHS required NHSRC to replace the
broad guide with a narrowly-scoped guide that addressed only one of the original
classification decisions by the EPA Administrator. NHSRC submitted three
additional guides, narrowly scoped along the lines of original classification
decisions. This resulted in four security classification guides narrowly scoped to
reflect the original classification decisions already made. The narrow scope of these
guides is consistent with information included in the 2012 annual refresher training.
As noted in chapter 3, the training described a security classification guide as an
aggregation of items from original classification decisions made by an agency or
department. However, this description of classification guides does not completely
reflect all of the requirements in the regulations at 32 CFR 2001.15(b).
According to an OHS senior staff member, the EPA needs narrowly scoped
security classification guides because the originally classified documents mixed
classified with unclassified information in the same portions. Instead, the
classified material should have been in separate portions or an appendix.
Thus, a derivative classifier would clearly understand what must be protected.
Based on the requirements in the regulations, a single guide could address both
past original classification decisions and future NHSRC work. NHSRC, not OHS,
would be using the guide since it would describe the type of information NHSRC
might encounter or create during their work. With a broad security classification
guide, NHSRC staff could classify scientific reports without going through the
original classification process. This would shorten the classification process by
reducing the number of steps. As discussed in chapter 3, SMD oversees derivative
classification decisions by EPA staff, so it can monitor the NHSRC decisions for
the concerns identified by OHS staff.
Delays Issuing Other Guides
NHSRC staff provided three security classification guides to SMD and OHS in
July and August 2012. Following SMD approval, the guides were sent to the OHS
no later than September 2012, where they remain. Despite inquiries from NHSRC
officials, NHSRC has not received feedback from OHS on the status of the
security classification guides. As noted in Chapter 1, EO 13526 requires a
classification decision within 30 days for exceptional cases, which need an
original classification decision. According to an OHS senior intelligence advisor,
the guides were classified working papers, which may be retained for 180 days
before finalization. When told by OIG staff that 180 days had been exhausted, the
staff member responded that the review process was still incomplete and the
guides were not ready to be processed. The SMD staff had no explanation for the
OHS delay. They had also asked OHS for status information, but did not receive
an adequate response.
EPA Needs Timelier Declassification
EPA needs to declassify information in a timelier manner. NHSRC staff
challenged the classification of an EPA originally classified document in July
2012 by recommending that it be declassified. When a classification decision is
challenged, the regulations require an initial response within 60 days. SMD staff
completed their review of the challenge and forwarded it to OHS no later than
September 2012; the action has remained in OHS. SMD was unable to get update
information from OHS. When asked about the delay, a senior OHS staff member
said this was the first declassification action processed by the EPA and extra time
was necessary to complete the action properly. Since another originally classified
document will reach its declassification date in 2014, the declassification process
needs to work more quickly. To ensure the free flow of information, according to
EO 13526, routine, secure and effective declassification is an important priority.
Requirements for Original Classifier Training Were Mostly Met
The former Administrator received training for original classifiers in 2011 and
2012. As noted in chapter 1, the regulations require that the annual training for
OCAs must include proper classification and declassification, and emphasize
avoiding over-classification. We found that the 2012 training materials failed to
cover declassification, one of the required training elements. We were unable to
evaluate the adequacy of the 2011 training because that training material was not
available.
We believe the former Administrator demonstrated adequate knowledge of
classification management procedures. During her 4 years in the position, the
former Administrator made only three original classification decisions, all related
to the same scientific report. Given her infrequent use of her original
classification authority, she relied on assistance from EPA experts to help her
make classification decisions. However, the former Administrator was aware of
the importance of avoiding over-classification.
Conclusion
Because of the OIG's questions about the originally classified documents we
reviewed, NHSRC agreed to make corrections and offered reasonable
explanations for its classification decisions. As a result, these documents may
need to undergo another original classification decision. In addition, the EPA
needs to improve several activities related to the original classification of
information, including the process and speed with which (1) security
classification guides are approved so information can be derivatively classified in
a proper and uniform manner and (2) originally classified documents are
declassified so the information may flow freely as stated in EO 13526. Also,
NHSRC needs a classification guide that will cover both past original
classification decisions and future work.
Recommendations
We recommend that the Assistant Administrator for the Office of Administration
and Resources Management:
1.	Work with the Office of Research and Development to:
a.	Correct the marking errors in the two originally classified
documents reviewed by the OIG (the scientific report and security
classification guide).
b.	Change the classification levels for portions of the scientific report.
c.	Correct the security classification guide.
2.	Provide annual OCA training to the Administrator that complies with the
regulatory requirements.
3.	Develop a process for declassifying, within 60 days, information classified
by EPA.
We recommend that the Associate Administrator for the Office of Homeland
Security:
4.	Work with the Assistant Administrator for OARM to develop a process
for approving classification guides within the 30 days specified in
EO 13526.
We recommend that the Assistant Administrator for the Office of Research and
Development:
5. Submit to the NSI program team a single, unclassified classification guide
that covers both past and future EPA scientific research to replace the
multiple guides.
Agency Comments and OIG Evaluation
On behalf of the three action officials, the Assistant Administrator for OARM
provided official comments on our draft report. Agency comments are in
Appendix C. Appendix D is "Attachment 2" cited in the agency comments.
The agency's comments included suggested wording changes, which we
incorporated as appropriate. The agency action officials concurred with
recommendations 1, 2 and 5. For recommendation 3 (which was
recommendation 4 in the draft report), an alternative action was proposed.
We considered the alternative action acceptable and revised the recommendation
accordingly. The response included timeframes for completing the actions on
recommendations 2, 3 and 5, so these recommendations are resolved and open
pending completion of the agreed-to actions. A specific date for completing the
corrective action on recommendation 1 was not given; this recommendation is
unresolved until it is provided.
The Office of Homeland Security did not concur with recommendation 4
(which was recommendation 3 in the draft report) regarding a process to approve
classification guides. To support its position, OHS indicated it is the EPA's
position, supported by ISOO, that classification guides are not required. However,
responding to one of our prior reports,3 the Deputy Administrator stated in a
memorandum to the Inspector General dated December 22, 2011, that the EPA
would prepare classification guides. Below is an excerpt from that memorandum.
    In consultation with the Office of Homeland Security, the Office of
    Administration and Resources Management and the Office of
    General Counsel, we have determined that these recommendations
    [to approve and distribute classification guides] are helpful in light
    of evolving information-sharing initiatives for classified EPA
    products. The agency will implement them beginning with an
    initial classification guide that addresses materials most recently
    originally classified. . . .
Recommendation 4 is unresolved. The audit resolution process starts immediately
upon report issuance.
3 EPA Should Prepare and Distribute Security Classification Guides (Report No. 11-P-0722 issued September 29,
2011).
Chapter 3
Derivative Classification Decisions
Did Not Comply With Requirements
None of the 19 derivatively classified documents the OIG reviewed completely
met the requirements of EO 13526 and 32 CFR Part 2001. The derivative
classifiers did not include some required information and did not correctly
transfer information from the source documents. As a result, those who later
access the information may not know how to protect the information or be able to
properly identify or use it as a source for their own derivative decision. During
fiscal year 2012, the EPA NSI program team started reviewing derivative
classification decisions and reported to ISOO problems with derivative decisions
similar to the problems we found. We identified a lack of training for derivative
classifiers and incorrect information in the annual refresher training given to all
clearance holders as management practices that may be contributing to
misclassification of material or incorrect markings. EPA had not updated the
guidance it provided to cleared staff members. Not all cleared employees who
needed one had an element relating to designation and management of classified
information as part of their performance evaluation.
Required Information Was Missing or Incorrect
All 19 derivatively classified documents reviewed lacked required
information, included incorrect information, or both. The regulations require that
each derivative document identify who classified the document, the source
document(s) from which the classified information was derived, and a
declassification date or instructions. The information appears in what is called a
classification authority block (referred to as the classification block in the NSI
Handbook). The NSI Handbook instructs that every classified document must
contain a classification block in the lower-left corner on the front cover, title page,
or first page. Besides the classification block, classified documents must have
proper overall markings (e.g., the classification level at the top and bottom of each
page), portion markings, and dissemination control and handling markings.
We considered these and other requirements when reviewing the derivative
documents. Appendix B is a summary of the number of derivative documents
reviewed, along with the key information missing.
Classification Authority Block
Required information related to derivative classifier identification, source
documents and declassification date was not always present in EPA derivative
documents. Six of the 19 derivative documents had no classification authority
block. For these six instances, we had to ask the EPA staff responsible for the
document to identify the derivative classifier and the source documents. Seven of
the 13 documents with a classification block did not identify the derivative
classifier. Prior to the June 2010 effective date for EO 13526, regulations did not
require derivative classifier identification in the classification block. Five of these
seven instances occurred during a 19-month period between the EO effective date
and the January 2012 revision of the EPA NSI Handbook, which was updated to
include the derivative classifier identification requirement. Agency guidance
lagging behind the policy changes may have resulted in derivative classifiers not
identifying themselves in the classification block. Thus, derivative classifiers
relying on EPA guidance may have been unaware of the new requirement.
List of Sources
Of the 13 derivative documents with a classification block, eight indicated they
were derived from multiple sources. When there are multiple sources, the
derivative classifier must include a listing of all the source materials on, or attached
to, each derivatively classified document. None of the eight documents had a
source list on or attached to it. For seven of the eight documents, someone other
than the derivative classifier prepared the list after the fact because the derivative
classifier had left the EPA. The classifier for the eighth document had the list but it
was not with the document. Also, one of the derivative documents that identified
only one source document was actually derived from multiple sources.
Overall Page Markings
Eleven documents had page marking errors. Most were relatively minor, like a
misplaced page banner. Four were more serious—one because the classification
level was incorrect and three because a dissemination control marking was missing.
Portion Markings
Eighteen of the 19 documents had errors in their portion markings. In total,
one-third of the pages had one or more portion marking errors. Some were minor
errors, like having only one slash instead of the required two slashes between
marking categories. Others were more serious, such as not marking some portions
of the document. Without proper portion marks, those with access to the
document will not know what level of classification and safeguarding applies to
the document. Also, if they want to use the information in a derivatively classified
document they will not know how to correctly mark it.
Date
Ten of the 19 derivative documents had no date. Of the nine with a date, three
showed only the month and year, not a specific date. A date is needed so that it
can be cited when describing the source of a derivative document, as required by
the regulations.
Information Was Incorrectly Transferred
Derivative classifiers did not always correctly transfer information from the
source documents to the derivative document. We compared 18 of the 19
derivative classified documents to their identified source documents and found
that all 18 documents had mistakes in transferring information. These mistakes
ranged from portion-marking errors to document-level issues. The EPA
organization responsible for the derivative documents was unable to provide the
source document for one of the sample items. Appendix B identifies the number
of documents with transfer problems.
Cited Source Was an Inappropriate Basis for a Derivative Decision
We found EPA derivatively classifying EPA-originated research on a basis not
allowed by the regulations. Three of the derivative documents were reports on
scientific studies that EPA performed for another federal agency. As their source,
these three derivative documents cited an instructional email from an outside
agency. This instructional email contained vague classification instructions (which
themselves were classified) and did not meet the requirements in the regulations to
be a security classification guide. The EPA derivative classifier told us he could not
verify the email author's identity. Since the EPA performed the research but did not
have an appropriate basis to derivatively classify the results, we concluded that the
EPA should have originally classified these research reports.
Proposal Reviews Were Over-Classified
Three derivative documents marked "Secret" were reviews of proposed scientific
studies prepared for an outside agency. One of the reviews contained only an
unclassified proposal title, a document control number and the name of the
reviewer but was still marked "Secret." Another of these reviews was of a
proposal that had no portion markings. However, none of the review comments
contained excerpts from this proposal. Similarly, for the third review, none of the
reviewer's comments included classified portions in the proposal. The form used
for these reviews came from the outside organization and had a dropdown field to
select the overall classification level. The EPA reviewer could not recall if he had
selected the classification level or if the form came with the level already selected.
Transfer Errors or Omissions
Of the 18 derivative documents we compared to source document(s), the
derivative classifiers did not properly transfer the declassification date for
13 documents. The derivative classifier must carry forward the instructions on the
"Declassify On" line from the source document to the derivative document. If
there was more than one source document, the "Declassify On" line must reflect
the longest duration of any of its sources. However, the derivative classifier
incorrectly transferred the declassification date for seven documents. For six other
documents, the declassification date from the appropriate source was not
transferred because the derivative document did not have a classification block.
Three of the derivative documents contained classified portions that did not come
from the identified sources. For these, we concluded there were one or more
unidentified source documents. For example, one portion mentioned activity in
2011 even though none of the sources were dated later than 2010. Another portion
without a source in this same document was marked "Secret"; the NSI
representative told us this was a mistake and the derivative classifier (who is no
longer with EPA) was being over-zealous.
There were multiple errors with another document derived from three sources.
One portion from the first source was over-classified in the derivative document.
Parts of the derivative document came from a second source, which had no portion
marks, so we could not determine whether it was under- or over-classified. Portions
that came from the third source were under-classified; the information classified in
the third source as "Secret" was marked "Confidential" in the derivative document.
The third source was an EPA-generated research report that, according to the
derivative classifier, should have been classified as "Confidential" even though it
was marked "Secret."
NSI Program Team Found and Reported Problems With
Derivative Decisions
As part of its 2012 self-inspection, the EPA reported to ISOO problems with
derivative decisions similar to the problems we found. During fiscal year 2012, the
EPA NSI program team started reviewing derivative classification decisions. Their
reviews were to ensure that: (1) classification markings are carried over and applied
appropriately, (2) the overall classification is applied throughout each document,
and (3) the derivative classification block contains the applicable information to
include identifying sources. They reviewed 56 derivative classification decisions—
approximately 25 percent of EPA's derivative decisions at the time. In the
November 2012 report to ISOO, the EPA reported that none of the sampled
decisions included a list of sources used when derived from multiple sources.
During fiscal year 2013, the NSI program team reviewed 26 recent derivative
decisions. They found the multiple-source issue persisted as the multiple-source
list was not present in 14 documents. In addition, they found:
•	An incorrect declassification date in 16 documents.
•	Portion marking errors in 13 documents.
•	Overall classification marking errors in six documents.
•	The classification block missing in six documents.
•	The "classified by" line missing in four documents.
•	Working paper marking errors in four documents.
Derivative Classifier Training Not Implemented
The EPA has not met the requirements in the regulations for training the
derivative classifiers. The NSI program team proposed additional training for
derivative classifiers but has not yet implemented the training.
EPA does not offer derivative classifier training. As noted in chapter 1, the
training must emphasize avoiding over-classification and cover certain
information. Without this required training at least every 2 years, the regulations
require the EPA to suspend the authority of the individual to apply derivative
classification markings.
We found EPA derivative classifiers had gaps in their knowledge of derivative
classification procedures. None of the four derivative classifiers we interviewed
succeeded in answering all of our knowledge test questions. In addition, some of
the subjects' knowledge gaps appeared to lead to marking errors in their
documents. For example, when asked if a list of source documents was kept with
documents derived from multiple sources, one respondent told us the list was kept
separate. This respondent created one of the documents derived from multiple
sources that did not have a source list with the document.
Although the EPA does not offer training for derivative classifiers, it is available
elsewhere. An example is the Web-based Classification Management and the
IC [Intelligence Community] Markings System course offered by the Office of the
Director of National Intelligence. This course meets the minimum national
training requirements for derivative classifiers established in EO 13526 and the
regulations.
In its 2012 annual self-inspection report, the EPA informed ISOO it had
identified a need for additional training related to marking derivative documents,
identifying multiple sources where applicable, and marking requirements in the
electronic environment (specifically as it relates to email on the Homeland Secure
Data Network). It told ISOO that clearance holders would be provided with
derivative classifier training as part of its mandatory 2012 NSI annual refresher
training. However, as discussed below, we found this was not done. The EPA also
told ISOO it would make stand-alone derivative classifier training available to
clearance holders during fiscal year 2013 and ensure that all clearance holders are
trained. However, this has not yet been done.
Annual Refresher Training Lacked Required Elements
The regulations require that annual refresher training be given to all cleared
employees who create, process or handle classified information. However, the
training EPA provided in 2011 and 2012 was inconsistent with some aspects of
the regulations. It also did not cover all the information needed by derivative
classifiers, so it did not fulfill the requirements for derivative classifier training.
The 2011 annual refresher training did not cover seven of the nine required
elements for derivative classifiers, and the 2012 training did not cover four of
these elements. The four elements required for derivative classifiers not covered
by either the 2011 or 2012 refresher training concerned classification prohibitions
and limitations, sanctions, classification challenges and information sharing.
In addition, neither the 2011 nor 2012 training emphasized avoiding
over-classification.
The annual refresher training in 2011 included information inconsistent with the
regulations. For example, the training omitted that a derivative classifier may make
a derivative classification decision based on a security classification guide. Instead,
the training only mentioned derivatively classifying an item based on a classified
original document. This lack of a reference to security classification guides limited
what source a derivative classifier might use to classify information.
The annual refresher training in 2012 also included information that was
inconsistent with the regulations. The training mistakenly instructed that:
•	The classification block of a derivatively classified document should
include a "Reason" line; the regulations do not require a "Reason" line.
•	When the "Derived from" line indicates multiple sources, the list of these
sources must be attached; the regulations allow the derivative classifier the
option of incorporating the list in the document.
•	A security classification guide is an aggregation of items from an originally
classified document; the regulations require a security classification guide to
identify elements of information that must be protected without stipulating
that the information must already be in an originally classified document.
Also, the training slides had no examples of overall markings or portion marking
with more than one category, such as "SECRET//NOFORN" or "(S//NF)."
Not All Classifiers Were Evaluated on NSI Requirements
Not all cleared employees who needed it had an element or item relating to
designation and management of classified information in their performance
evaluation. EO 13526 requires such an element or item to be evaluated in the
rating for personnel whose duties significantly involve handling classified
information, including those who regularly apply derivative classification
markings. We reviewed the performance evaluations—specifically, the critical
element related to national security—for SMD staff and the derivative classifiers
we interviewed. The performance evaluations for three of the four derivative
classifiers interviewed included a critical element related to NSI activities. The
fourth derivative classifier, who was also an NSI representative, did not have a
critical element for NSI-related responsibilities.
EO 13526, 32 CFR 2001 and the NSI Handbook all provide that sanctions can be
imposed for violating NSI requirements. Further, the Reducing Over-
Classification Act authorizes agencies under Chapter 45 of Title 5, U.S. Code, to
consider an employee's consistent and proper classification of information when
making cash awards; however, this assumes that the Office of Management and
Budget is again allowing discretionary monetary awards.
Conclusion
EO 13526 requires the EPA to protect information critical to our nation's security.
The errors we found in the 19 derivatively classified documents make it harder for
those with access to each document to know what level of classification and
safeguarding applies to it. During fiscal year 2012, the EPA NSI program team
started reviewing derivative classification decisions to ensure they complied with
EO 13526 and the regulations. They found deficiencies in ancillary issues not
directly affecting the appropriateness of the derivative classification decision, and
the deficiencies persisted into fiscal year 2013. Although the NSI program team
identified lack of derivative classifier training as a weakness, the team has not
provided the required training to date. Moreover, as long as incorrect information
is presented in the annual refresher training given to all clearance holders, EPA
lacks assurance that its cleared staff are aware of their responsibilities. This is
occurring even though employees may be subject to appropriate sanctions if they
violate any provisions of the EO or the regulations.
Recommendations
We recommend that the Assistant Administrator for the Office of Administration
and Resources Management:
6.	Assist the appropriate EPA organizations in bringing the derivative
documents reviewed by the OIG into compliance with EO 13526 and
32 CFR Part 2001. For example:
a.	Attach or incorporate a source document list if derived from
multiple sources.
b.	Correct the classification blocks to include the name and position
or personal identifier of the derivative classifier.
c.	Declassify proposal reviews and other documents deemed
over-classified.
d.	Convert derivatively classified documents to original
classifications.
e.	Ensure consistency in portion marks from sources applied to
original documents.
7.	Provide NSI annual refresher training that is consistent with regulatory
requirements.
8.	Enforce the requirements in 32 CFR 2001.71(d) regarding derivative
classifier training.
9.	Remind the heads of EPA organizations that their staff who hold a security
clearance should have included in their performance evaluation a critical
element or item on the designation and management of classified
information if the individual is a security manager or specialist or has
duties that significantly involve creating or handling classified information
(e.g., NSI representatives).
Agency Comments and OIG Evaluation
The action official concurred with recommendations 6, 7 and 8. For
recommendation 9, an alternative action was proposed. We considered the
alternative acceptable, but did not revise the recommendation since OARM is still
the action official. The response included timeframes for completing these
actions. Thus, these recommendations are resolved and open pending completion
of the agreed-to actions.
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS: Rec. No. | Page No. | Subject | Status1 | Action Official | Planned Completion Date
POTENTIAL MONETARY BENEFITS (In $000s): Claimed Amount | Agreed-To Amount
10 Work with the Office of Research and Development U
to:
a.	Correct the marking errors in the two
originally classified documents reviewed by
the OIG (the scientific report and security
classification guide).
b.	Change the classification levels for portions
of the scientific report.
c.	Correct the security classification guide.
10 Provide annual OCA training to the Administrator O
that complies with the regulatory requirements.
10 Develop a process for declassifying, within
60 days, information classified by EPA.
10	Work with the Assistant Administrator for OARM to
develop a process for approving classification
guides within the 30 days specified in EO 13526.
11	Submit to the NSI program team a single,
unclassified classification guide that covers both
past and future EPA scientific research to replace
the multiple guides
18 Assist the appropriate EPA organizations in
bringing the derivative documents reviewed by the
OIG into compliance with EO 13526 and 32 CFR
Part 2001. For example:
a.	Attach or incorporate a source document list
if derived from multiple sources.
b.	Correct the classification blocks to include
the name and position or personal identifier
of the derivative classifier.
c.	Declassify proposal reviews and other
documents deemed over-classified.
d.	Convert derivatively classified documents to
original classifications.
e.	Ensure consistency in portion marks from
sources applied to original documents.
18 Provide NSI annual refresher training that is
consistent with regulatory requirements.
19 Enforce the requirements in 32 CFR 2001.71(d)
regarding derivative classifier training.
Assistant Administrator for
Administration and
Resources Management
Assistant Administrator for
Administration and
Resources Management
Assistant Administrator for
Administration and
Resources Management
Assistant Administrator for
Administration and
Resources Management
12/30/13
3/30/14
Assistant Administrator for
Administration and
Resources Management
Assistant Administrator for
Administration and
Resources Management
Associate Administrator for
Homeland Security
Assistant Administrator for 12/30/13
Research and Development
9/30/14
12/30/13
3/30/14
19 Remind the heads of EPA organizations that their
staff who hold a security clearance should have
included in their performance evaluation a critical
element or item on the designation and
management of classified information if the
individual is a security manager or specialist or has
duties that significantly involve creating or handling
classified information (e.g., NSI representatives).
Assistant Administrator for
Administration and
Resources Management
12/30/13
1 O = Recommendation is open with agreed-to corrective actions pending.
C = Recommendation is closed with all agreed-to actions completed.
U = Recommendation is unresolved with resolution efforts in progress.
Appendix A
EPA OIG Reports Address Section 6(b)
of Public Law 111-258
Section 6(b) of the Reducing Over-Classification Act (PL 111-258) requires the Inspector
General of each agency with an officer or employee who is authorized to make original
classifications, in consultation with the ISOO, to carry out no less than two evaluations of that
agency. The first evaluation shall be completed by September 30, 2013, and the second by
September 30, 2016. The evaluations are to cover the following, with the second evaluation
being a review of the progress made pursuant to the results of the first evaluation:
•	Assess whether applicable classification policies, procedures, rules, and regulations have
been adopted, followed, and effectively administered within such department, agency, or
component.
•	Identify policies, procedures, rules, regulations, or management practices that may be
contributing to persistent misclassification of material within such department, agency or
component.
In consultation with ISOO, the Council of the Inspectors General on Integrity and Efficiency
issued a guide for conducting the initial evaluation under the Reducing Over-Classification Act.
The guide's goal is to ensure that the OIG evaluations meet the above requirements and follow a
consistent methodology to allow for cross-agency comparisons. It identified five researchable
questions. The table below lists each question and the EPA OIG report that addressed it. Thus,
we completed the work required for the first evaluation. We plan to start work on the second
evaluation during fiscal 2015.
Question
EPA OIG Report
1. To what extent has the organization adopted
classification policies, procedures, rules and
regulations?
EPA Should Prepare and Distribute Security
Classification Guides (Report No. 11-P-0722
issued September 29, 2011)
EPA's National Security Information Program Could
Be Improved (Report No. 12-P-0543 issued
June 18, 2012)
2. To what extent do the organization classification
policies, procedures, rules and regulations comply
with existing Federal classification requirements,
guidelines, etc?
3. To what extent have the organization
classification policies, procedures, rules, and
regulations been effectively followed and
administered?
EPA's National Security Information Program Could
Be Improved (Report No. 12-P-0543 issued
June 18, 2012)
EPA Does Not Adequately Follow National Security
Information Classification Standards (Report No.
14-P-0017 issued November 15, 2013)
4. To what extent, if any, and in what manner have
information and materials been over-classified
within the organization?
EPA Does Not Adequately Follow National Security
Information Classification Standards (Report No.
14-P-0017 issued November 15, 2013)
EPA's National Security Information Program Could
Be Improved (Report No. 12-P-0543 issued
June 18, 2012)
5. To what extent, if any, and in what manner have
policies, procedures, rules, regulations, or
management practices contributed to any over-
classifications?
Source: OIG analysis.

-------
Appendix B
Errors in the Derivative Documents
Number of Documents

| Description | OHS (out of 1) [4] | OIG (out of 7) | NHSRC (out of 11) | Total (out of 19) |
|---|---|---|---|---|
| Required Information Was Missing | | | | |
| Document had no date of origin for the document. (32 CFR 2001.22(a) and 2001.22(c)) | 1 | 2 | 7 | 10 |
| There was no classification authority block. (32 CFR 2001.22) | 0 | 0 | 6 | 6 |
| Information in the classification block was incomplete or incorrect. (32 CFR 2001.22) | 1 | 7 | 5 | 13 |
| Multiple sources were cited in the classification block, but the list of sources was missing. (32 CFR 2001.22(c)) | 0 | 7 | 1 | 8 [5] |
| Page marking had errors. (32 CFR 2001.21(b)) | 0 | 6 | 5 | 11 |
| Portion marking had errors. (32 CFR 2001.21(c)) | 0 | 7 | 11 | 18 |
| Transfer Errors [6] | | | | |
| Source was not a proper basis for a derivative decision. (32 CFR 2001.22(a) and 2001.22(c)) | 0 | 0 | 3 | 3 |
| Document contained no classified information so it can be declassified. (EO 13526, Section 3.1) | 0 | 0 | 5 | 5 |
| Declassification date was not correctly transferred from the source document(s) to the derivative document (32 CFR 2001.22(e)) | 0 | 7 | 6 | 13 |
| Other information was incorrectly transferred from the source document(s). (32 CFR 2001.22) | 0 | 3 | 5 | 8 |

[4] We were unable to compare the derivative document to the source document.
[5] Only eight of the 19 documents cited multiple sources in the classification block.
[6] We evaluated 18 of the derivative documents for transfer errors since the source for one of the
derivative documents was not available.

-------
Appendix C
Agency Response to Draft Report
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
SEP 23 2013
OFFICE OF ADMINISTRATION AND RESOURCES MANAGEMENT
MEMORANDUM
SUBJECT: Response to Office of Inspector General Draft Report No. OPE-FY13-0009,
"EPA Does Not Sufficiently Follow National Security Information Classification
Standards," dated September 6, 2013
FROM: Craig E. Hooks, Assistant Administrator /s/
TO:	Jeffrey Harris, Acting Deputy Assistant Inspector General
Office of Program Evaluation
Thank you for the opportunity to respond to the issues and recommendations in the subject draft
audit report. The following is a summary of the agency's overall position, with an attached table
of responses to each of the report recommendations (Attachment 1). For those recommendations
with which the agency agrees, we have provided intended corrective actions and estimated
completion dates. For report recommendations the agency does not agree with, we have
explained our position.
Overall Position
The agency agrees with recommendations 1, 2 and 5-8. The responsible office, OARM, agrees
with the intent of recommendation 9 but proposes another means to address the recommendation.
The responsible office, OHS, disagrees with recommendations 3 and 4; OARM proposes an
alternative for recommendation 4.

-------
Recommendations for Changes to Draft Report Text
The report would present a clearer picture of the agency's classification program if it mentioned
its small size. Since 2004, the agency has originally classified only eight documents. Our
derivative classification program is also small. In a 2011 message to the EPA, the Acting
Director of the Information Security Oversight Office said, "EPA only has one OCA; unlike at
almost all other agencies, it may not be delegated. Additionally, unlike almost all other agencies,
it has a very minute amount of classification activity" (Attachment 2).
The agency believes the phrase "flawed numerical data" ("At a Glance" and p. 7) implies that the
scientific report has flawed data. The scientific report does not have flawed data, and we
recommend that the text be changed to reflect that fact. We agree that the Originally Classified
Security Classification Guide contained two numbers that were incorrectly transferred from the
source document.
The agency recommends revising the OIG finding that the scientific report and classification
guide, once corrected, need to go through the original classification process again. ORD
reported to the OIG one marking error (a "U//FOUO" marked paragraph containing one Secret
fact) which will be corrected. Because the Secret fact was already classified elsewhere in the
scientific report, the documents may not need to go through the original classification process.
We recommend that the documents must be evaluated to determine if they need to go through the
original classification process again.
OARM, ORD and OHS will continue collaborating to strengthen the agency's classification
program.
If you have questions regarding OARM responses, please contact Tami Franklin, Director of the
OARM/OA/Security Management Division at (202) 564-9218. For questions on ORD
responses, please contact Deborah Heckman at 202-564-7274. For questions on OHS responses,
please contact Juan Reyes, Acting Associate Administrator, at (202) 564-4188.
Attachments (2)
cc: Lek Kadeli
Juan Reyes
John Showman
Steve Blankenship
Brandon McDowell
Eric Lewis
Christine Baughman

-------
AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS
Agreements

No. 1 a-c
Responsible Office: OARM
Recommendation: Work with the appropriate EPA organization to:
a. Correct the marking errors in the two originally classified documents reviewed by the OIG
(the scientific report and security classification guide).
b. Change the classification levels for portions of the scientific report.
c. Correct the erroneous data in the security classification guide.
High-Level Intended Corrective Action(s): The National Security Information Program Team will
review all corrections and changes submitted, to ensure the markings are appropriately placed and
at the correct classification level.
Estimated Completion by Quarter and FY: The NSI Program Team review will be completed within
30 calendar days of receipt of a document.

No. 2
Responsible Office: OARM
Recommendation: Provide annual Original Classification Authority training to the Administrator
that complies with the regulatory requirements.
High-Level Intended Corrective Action(s): The NSI Program Team will ensure that CY13 OCA training
complies with all regulatory requirements. (NOTE: EO 13526 training requirements are stated in
terms of calendar year. The OIG response template calls for completion dates by fiscal year. As a
result, some lines in this document refer to CY and FY.)
Estimated Completion by Quarter and FY: Fully compliant OCA training will be provided to the
Administrator by the end of Q1FY14.

-------
No. 5
Responsible Office: ORD
Recommendation: Submit to the NSI program team a single, unclassified classification guide that
covers both past and future EPA scientific research to replace the multiple guides.
High-Level Intended Corrective Action(s): ORD will prepare and submit to the NSI Program Team an
unclassified classification guide to cover past and future scientific research.
Estimated Completion by Quarter and FY: The document will be submitted to the NSI Program Team
by the end of Q1FY14.

No. 6
Responsible Office: OARM
Recommendation: Assist the appropriate EPA organizations in bringing the derivative documents
reviewed by the OIG into compliance with EO 13526 and 32 CFR 2001. For example:
a. Attach or incorporate a source document list if derived from multiple sources
b. Correct the classification blocks to include the name and position or personal identifier of
the derivative classifier
c. Declassify proposal reviews and other documents deemed over-classified
d. Convert derivatively classified documents to original classifications
e. Ensure consistency in portion markings from sources applied to original documents
High-Level Intended Corrective Action(s): OARM will assist appropriate EPA organizations in
bringing the derivative documents reviewed by the OIG into compliance with EO 13526 and 32 CFR
Part 2001. The cooperation of the appropriate EPA organizations (ORD, OHS, and the OIG) is
essential for the completion of this recommended action.
Estimated Completion by Quarter and FY: The NSI Program Team will complete its review
of/assistance with the documents within 30 days of receipt. The documents cannot be brought into
compliance without the active involvement of the appropriate EPA organizations. OARM anticipates
completion by the end of Q4FY14.

-------
No. 7
Responsible Office: OARM
Recommendation: Provide NSI annual refresher training that is consistent with regulatory
requirements.
High-Level Intended Corrective Action(s): The NSI computer-based refresher training module for
CY13 has been developed, although not yet disseminated. The NSI Program Team, to be fully
consistent with regulatory requirements, will supplement the training with outreach material.
CY14 computer-based refresher training will be fully consistent with regulatory requirements.
Estimated Completion by Quarter and FY: Supplemental outreach for CY13 will be completed and
provided to clearance holders by the end of Q1FY14. Refresher training for CY14 will be provided
to clearance holders by the end of Q1FY15.

No. 8
Responsible Office: OARM
Recommendation: Enforce the requirements in 32 CFR 2001.71(d) regarding derivative classifier
training.
High-Level Intended Corrective Action(s): Computer-based derivative classifier training will meet
the requirements in 32 CFR 2001.71(d).
Estimated Completion by Quarter and FY: Derivative classifier training will be developed by the
end of Q2FY14.
Disagreements

No. 3
Responsible Office: OHS
Recommendation: Work with the assistant administrator for OARM to develop a transparent process
for approving classification guides within the 30 days specified in EO 13526.
Agency Explanation/Response: (Note: OHS provided the following to OARM.) "OHS non-concurs with
recommendation No. 3. It is the current EPA position supported by ISOO that Classification Guides
are not required."
Proposed Alternative: Note: OHS did not provide to OARM a proposed alternative to include in this
response.

No. 4
Responsible Office: OHS
Recommendation: Work with the assistant administrator for OARM to develop a transparent process
for declassifying, within 60 days, information classified by EPA.
Agency Explanation/Response: (Note: OHS provided the following to OARM.) "OHS non-concurs with
recommendation No. 4. Under the current and existing delegation, it is the responsibility of OARM
to develop a transparent declassification review process in accordance with EO 13526." OARM has a
draft process for declassifying, within 60 days, information classified by the EPA. OARM has
traditionally included OHS in this process as a collaborative partner, but given OHS's position
and the OIG's finding that declassification must be timelier, OARM accepts responsibility for
this recommendation and will work with subject matter experts to provide declassification
recommendations for the Administrator's approval.
Proposed Alternative: By the end of Q2FY14, information classified by EPA will be declassified,
if appropriate, within 60 days of the NSI Program Team's receipt of the request.

No. 9
Responsible Office: OARM
Recommendation: Remind the heads of EPA organizations that their staff who hold a security
clearance should have included in their performance evaluation a critical element or item on the
designation and management of classified information if the individual is a security manager or
specialist or has duties that significantly involve creating or handling classified information
(e.g., derivative classifiers and NSI representatives).
Agency Explanation/Response: We fully agree with the intent of this recommendation, but propose
that the reminder be sent from the director of the Security Management Division to the NSI
representatives newly appointed by each organization's head to act as that organization's liaison
to the NSI Program Team. The designations were made in response to an August 16, 2013, formal
request from the AA, OARM to the heads of EPA organizations. The NSI representatives will ensure
that all cleared employees have the appropriate critical element added to their PARS.
Proposed Alternative: The director of the Security Management Division will send the reminder by
the end of Q1 FY14.

-------
Appendix D
Email From the Information Security Oversight Office
The following email was submitted by ISOO to the EPA on June 1, 2011.
Subject: EPA Classification Policy
EPA has asked ISOO if it needs to create a classification guide in accordance with Section 2.2 of
Executive Order 13526 ("the Order").
Finding: ISOO does not believe that EPA needs to create a classification guide. ISOO does not
believe that EPA is in violation of section 2.2 of the Order. ISOO continues to believe that EPA
has strong and sufficient controls in place with regard to its original classification program.
Background and supporting observations:
1.	In the past seven fiscal years, EPA has originally classified a total of six documents. See FY
list at the bottom of this e-mail message.
2.	EPA is one of few agencies granted Original Classification Authority by the President. Under
the Order, only the Administrator serves as the OCA and she may not delegate this authority.
EPA's situation is unique in that the OCA may not be delegated and it rarely needs to exercise
this OCA authority.
3.	EPA has developed a meticulous and rigorous process for deciding to originally classify
records. ISOO conducted a detailed on-site review in September 2005 that among other items,
commended EPA for its decision-making process. At that time, ISOO found that EPA's detailed
process ensured that each possible classification decision was well-thought out, rational, and
informed. Further, ISOO found that this process involved all appropriate staff and offices,
including the Office of the Administrator.
4.	Since this detailed on-site audit, ISOO has met yearly with EPA officials to discuss its
classified national security program. Additionally, ISOO is in regular communication with EPA
security staff to discuss EPA's classified national security program. Finally, ISOO regularly
monitors EPA's classified national security program and evaluates EPA's reports and responses
to ISOO data calls and requests.
5.	EPA has strong processes in place to ensure that classification decisions are appropriate and
in accordance with the Order.
6.	The purpose of Section 2.2 of the Order is to ensure that those agencies that have several
OCAs and make many classification decisions are doing so in an effective and efficient manner
that aids the classification system by ensuring uniformity and consistency. EPA only has one
OCA; unlike at almost all other agencies, it may not be delegated. Additionally, unlike almost all
other agencies, it has a very minute amount of classification activity.
Concluding remarks: While the exact letter of the Order seems to suggest that all agencies
granted OCA authority by the President must have classification guides, there is still room for
judgement (sic) and common sense. In our view, looking at the program and its activity in its
entirety, EPA's program is fully functioning and has the appropriate checks and balances
in place to ensure that its classification program is consistent and effective.
2010- Original-0, Derivative-16
2009- Original-0, Derivative-4
2008- Original-3, Derivative-10
2007- Original-0, Derivative-13
2006- Original-0, Derivative-46
2005- O-2, D-5
2004- O-1, D-0

-------
Appendix E
Distribution
Office of the Administrator
Assistant Administrator for Administration and Resources Management
Principal Deputy Assistant Administrator for Research and Development
Associate Administrator for Homeland Security
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Principal Deputy Assistant Administrator, Office of Administration and Resources Management
Director, Office of Policy and Resource Management, Office of Administration and
Resources Management
Deputy Director, Office of Policy and Resource Management, Office of Administration and
Resources Management
Director, Office of Regional Operations
Director, Office of Administration, Office of Administration and Resources Management
Director, Security Management Division, Office of Administration and Resources Management
Chief, Personnel Security Branch, Office of Administration and Resources Management
Team Leader, National Security Information Program Team, Office of Administration and
Resources Management
Director, National Homeland Security Research Center, Office of Research and Development
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Administration and Resources Management
Audit Follow-Up Coordinator, Office of Research and Development
Audit Follow-Up Coordinator, Office of Policy and Resource Management, Office of
Administration and Resources Management

-------