U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

EPA Does Not Adequately Follow National Security Information Classification Standards

Report No. 14-P-0017
November 15, 2013

Report Contributors: Chris Baughman, Hilda Canes Garduno, Eric Lewis, Ryan Patterson, Byron Shumate

Abbreviations

CFR: Code of Federal Regulations
EO: Executive Order
EPA: U.S. Environmental Protection Agency
ISOO: Information Security Oversight Office
NHSRC: National Homeland Security Research Center
NSI: National security information
OARM: Office of Administration and Resources Management
OCA: Original classification authority
OHS: Office of Homeland Security
OIG: Office of Inspector General
SMD: Security Management Division

Hotline

To report fraud, waste or abuse, contact us through one of the following methods:

email: OIG_Hotline@epa.gov
phone: 1-888-546-8740
fax: 1-202-566-2599
online: http://www.epa.gov/oig/hotline.htm
write: EPA Inspector General Hotline, 1200 Pennsylvania Avenue, NW, Mailcode 2431T, Washington, DC 20460

Suggestions for Audits or Evaluations

To make suggestions for audits or evaluations, contact us through one of the following methods:

email: OIG_WEBCOMMENTS@epa.gov
phone: 1-202-566-2391
fax: 1-202-566-2599
online: http://www.epa.gov/oig/contact.html#Full_Info
write: EPA Inspector General, 1200 Pennsylvania Avenue, NW, Mailcode 2410T, Washington, DC 20460

At a Glance

Why We Did This Review

We evaluated the U.S. Environmental Protection Agency's (EPA's) classified national security information practices as required by Section 6(b)(1) of the Reducing Over-Classification Act. In this report, we reviewed a sample of documents classified by the EPA to determine the appropriateness of the classification decisions and markings.

Information may be classified so that it is protected against unauthorized disclosure in the interest of national security.
Such information must be appropriately marked to indicate its classified status. Original classification means the initial determination to classify is made by an original classification authority, and for the EPA the Administrator serves as the sole original classification authority. Others can classify information derivatively on the basis of classified source documents or classification guides.

This report addresses the following EPA theme:

• Embracing EPA as a high performing organization.

For further information, contact our public affairs office at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2014/20131115-14-P-0017.pdf

EPA Does Not Adequately Follow National Security Information Classification Standards

What We Found

Our review of both originally and derivatively classified documents generated by three offices found that the EPA does not sufficiently follow national security information classification standards.

EPA's national security information could be improperly classified without improved procedures.

Of the two originally classified documents we reviewed, portions of one needed different classification levels and the other contained numerical data that was incorrectly transferred from another document. The National Homeland Security Research Center in the Office of Research and Development agreed to correct the documents. We also noted that the approved classification guide and the three guides under review had narrow scopes, which limits their usefulness. The three proposed guides have been in the approval process for 12 months when approval must take no more than 30 days. Additionally, the declassification process needs clarity since the one pending declassification request has also been in the approval process for almost a year when it should take no more than 60 days.

None of the 19 derivatively classified documents we reviewed completely met the requirements of Executive Order 13526 and the implementing regulations.
The derivative classifiers did not include some required information and did not correctly transfer information from the source documents. As a result, those who later access the information may not know how to protect it or be able to properly identify or use it as a source for their own derivative decision.

A lack of training for derivative classifiers and incorrect information in the annual refresher training given to all clearance holders contributed to the classification problems noted. The EPA had not promptly updated guidance. Not all cleared employees who needed an element relating to designation and management of classified information as part of their performance evaluation had such an element.

Recommendations and Planned Corrective Actions

We recommend that the Assistant Administrator for the Office of Administration and Resources Management assist EPA organizations to correct originally and derivatively classified documents as needed, improve training, and develop a process to address declassification requests. We recommend that the Assistant Administrator for the Office of Research and Development submit a single, unclassified classification guide for approval. The action officials identified corrective actions for all the recommendations, and with one exception, identified milestones to complete the actions.

We recommend that the Associate Administrator for the Office of Homeland Security, working with others, develop a process for approving classification guides since its reviews were delaying the process. This recommendation is unresolved because the action official did not concur; resolution will begin immediately upon issuance of the report.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

November 15, 2013

MEMORANDUM

SUBJECT: EPA Does Not Adequately Follow National Security Information Classification Standards
Report No. 14-P-0017

FROM: Arthur A. Elkins Jr.
TO: Craig E. Hooks, Assistant Administrator
Office of Administration and Resources Management

Juan Reyes, Acting Associate Administrator
Office of Homeland Security

Lek Kadeli, Principal Deputy Assistant Administrator
Office of Research and Development

This is our report on the subject review conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

Action Required

In accordance with EPA Manual 2750, resolution on recommendation 4 should begin immediately upon issuance of the report. We are requesting a meeting of the action officials from the Office of Homeland Security and the Office of Administration and Resources Management with the Assistant Inspector General for the Office of Program Evaluation, to start the resolution process and attempt to obtain resolution. If resolution is still not reached within 30 days, these action officials are required to complete and submit a dispute-resolution request to the Chief Financial Officer.

Regarding recommendation 1, you are required to provide a written response to this report within 60 calendar days with a completion date for the planned corrective actions. Your response will be posted on the OIG's public website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended.
The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification. We will post this report to our website at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact Carolyn Copper, Assistant Inspector General for Program Evaluation, at (202) 566-0829 or copper.carolyn@epa.gov; or Eric Lewis, Product Line Director, Special Program Reviews, at (202) 566-2664 or lewis.eric@epa.gov.

Table of Contents

Chapters

1 Introduction
    Purpose
    Background
    Scope and Methodology

2 Original Classification Processes Need Improvement
    Portions of the Scientific Report Need Different Classification Levels
    Originally Classified Security Classification Guide Had Errors
    Other Security Classification Guides Not Yet Approved
    EPA Needs Timelier Declassification
    Requirements for Original Classifier Training Were Mostly Met
    Conclusion
    Recommendations
    Agency Comments and OIG Evaluation

3 Derivative Classification Decisions Did Not Comply With Requirements
    Required Information Was Missing or Incorrect
    Information Was Incorrectly Transferred
    NSI Program Team Found and Reported Problems With Derivative Decisions
    Derivative Classifier Training Not Implemented
    Annual Refresher Training Lacked Required Elements
    Not All Classifiers Were Evaluated on NSI Requirements
    Conclusion
    Recommendations
    Agency Comments and OIG Evaluation

Status of Recommendations and Potential Monetary Benefits

Appendices

A EPA OIG Reports Address Section 6(b) of Public Law 111-258
B Errors in the Derivative Documents
C Agency Response to Draft Report
D Email From the Information Security Oversight Office
E Distribution

Chapter 1
Introduction

Purpose

This report complies with the Reducing Over-Classification Act (Public Law 111-258 of October 7, 2010). Section 6(b)(1) of the act requires the Inspector General of each agency with an officer or employee who is authorized to make original classifications, in consultation with the Information Security Oversight Office (ISOO):1

(A) to assess whether applicable classification policies, procedures, rules, and regulations have been adopted, followed, and effectively administered within such department, agency, or component; and

(B) to identify policies, procedures, rules, regulations, or management practices that may be contributing to persistent misclassification of material within such department, agency or component.

The law requires that Inspectors General complete two evaluations by September 30, 2016. The initial evaluation must be completed no later than September 30, 2013. This report, along with two prior U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) reports, constitutes the initial evaluation. Appendix A addresses how our three reports satisfy the requirements of the Reducing Over-Classification Act.
The specific objective for this report was to review a representative sample of EPA's originally and derivatively classified documents to determine:

1. Whether appropriate classification markings were applied in a manner consistent with applicable classification policies, procedures, rules and regulations.
2. The appropriateness of the original and derivative classification decisions to identify policies, procedures or management practices that may be contributing to misclassification of material.

Background

Executive orders (EOs) since 1940 have directed governmentwide information classification standards and procedures. Such programs must comply with the December 2009 EO 13526, "Classified National Security Information," which establishes the current principles, policies and procedures for classification. The EO prescribes a uniform system for classifying, safeguarding and declassifying national security information (NSI).

1 ISOO is responsible to the President for policy and oversight of the governmentwide security classification system and the National Industrial Security Program. ISOO is a component of the National Archives and Records Administration and receives policy and program guidance from the National Security Council.

EO 13526 expresses the President's belief that this nation's progress depends on the free flow of information, both within the government and to the American people. Accordingly, protecting information critical to national security and demonstrating a commitment to open government through accurate and accountable application of classification standards and routine, secure and effective declassification are equally important priorities.
Certain Information Must Be Protected

Pursuant to EO 13526 and its implementing regulations in the Code of Federal Regulations (CFR), i.e., 32 CFR Part 2001, classified information that is determined to require protection against unauthorized disclosure to prevent damage to national security must be marked appropriately to indicate its classified status. Such information must meet the following standards for classification:

• The information is owned, controlled or produced by or for the U.S. government.
• The information falls within one or more of the eight categories of information (reasons for classification) described in EO 13526 Section 1.4.
• The unauthorized disclosure of the information reasonably could be expected to result in damage to the national security.

The three U.S. classification levels, and correlating expected damage to U.S. security if the information is disclosed inappropriately, are identified below. Except as otherwise provided by statute, no other terms shall be used to identify U.S. classified information.

• Top Secret: Shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.
• Secret: Shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.
• Confidential: Shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.

Following September 11, 2001, Congress was concerned that information was being classified at levels such that it could not be disseminated within the federal government or properly shared with state, local, tribal and private sector entities when necessary.
Accordingly, the Reducing Over-Classification Act places an emphasis on avoiding "over-classification," which is the designation of information as classified when the information does not meet one or more of the standards for classification in EO 13526.

Pursuant to EO 13526, classified information shall be made accessible to the maximum extent possible to authorized holders. EO 13526 further states that if significant doubt exists about the need to classify information it should not be classified; if significant doubt exists about the appropriate level of classification, information shall be classified at the lower level. Authorized holders of information (including those outside the classifying organization) who, in good faith, believe that its classification status is improper are encouraged and expected to challenge the classification status of information. According to 32 CFR 2001.14(b)(3), an agency shall provide an initial written response to a challenge within 60 days.

Information May Be Classified by an Original Classification Authority

Original classification means an initial determination that information requires protection against unauthorized disclosure in the interest of national security. Information may be originally classified only by original classification authorities (OCAs). OCAs are individuals authorized in writing (either by the President, Vice President, agency heads or other officials designated by the President) to initially classify information. The EPA Administrator serves as the EPA's sole OCA; since 2004 the Administrators have originally classified eight documents. When originally classifying information, the OCA must be able to identify and describe the damage to national security that would be caused by its unauthorized disclosure.
According to 32 CFR 2001.71(c), OCAs must receive detailed training on proper classification and declassification (with an emphasis on avoiding over-classification) before originally classifying information, and at least once per calendar year after that.

Information May Be Classified Derivatively

All personnel with an appropriate security clearance can perform derivative classification unless an agency limits this activity to specific personnel. Information may be derivatively classified from a source document or classification guide. According to 32 CFR 2001.71(d), all personnel who apply derivative classification markings must receive training on the proper application principles of EO 13526 prior to derivatively classifying information and at least once every 2 years thereafter. The regulations describe the elements that must be present in the training for persons who apply derivative classification markings.

According to the regulations, security classification guides help ensure classification decisions are consistent and uniform. An OCA must approve each guide. The guide must state precisely the elements of information to be protected, as well as which classification level applies to each element of information, and, when useful, specify the elements of information that are unclassified. In addition, agencies must incorporate original classification decisions into security classification guides as soon as practicable. Further, the regulations encourage those preparing guides to consult users of guides for input.

Section 1.3(e) of EO 13526 provides for exceptional cases, which are when someone who does not have original classification authority originates information that they believe requires classification. Such information shall be promptly provided to an agency with appropriate subject matter interest and classification authority, which must decide within 30 days on whether to classify the information.
EPA Has a Program to Classify and Protect NSI

EPA has had a program to safeguard classified NSI since 1972, although ISOO considers the amount of classification activity to be minute. EPA creates, receives, handles and stores classified material because of its homeland security, emergency response and continuity missions.

The Assistant Administrator for the Office of Administration and Resources Management (OARM) has been delegated overall authority for the NSI program. The Assistant Administrator may, and has, delegated much of this authority to the OARM Security Management Division (SMD) within the OARM Office of Administration. The SMD created an NSI program team to manage the program. In addition, all major EPA offices assigned at least one employee as an NSI representative to coordinate the program at their organization. The EPA's National Security Information Handbook identifies the official policies, standards and procedures for EPA employees and nonfederal personnel who have access to classified NSI.

Although the EPA has a process for making original classification decisions, including approving security classification guides, there are no timelines associated with the process. The key steps in the current approval process are:

• The EPA program office creates and marks the document.
• The SMD performs an administrative review.
• The Office of Homeland Security (OHS) within the Office of the Administrator evaluates the classification levels assigned.
• The EPA Administrator makes an original classification decision.

Scope and Methodology

We performed our review from February through September 2013. We conducted our work in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Those standards require that we plan and perform the evaluation to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our objectives.
We also reviewed internal controls over program operations and compliance with applicable laws and regulations. The evidence obtained provides a reasonable basis for our findings and conclusions based on our evaluation objectives.

For this phase of our initial evaluation under the Reducing Over-Classification Act, we reviewed the two most recent original classification decisions, both dated May 2012, as well as 19 of the derivatively classified documents (excluding emails) authored by the EPA between January 2010 and December 2012. At ISOO's direction, we narrowed our review to classified documents created after the December 2009 issuance of EO 13526. The derivative decisions were made by three EPA organizations: OHS, the National Homeland Security Research Center (NHSRC) in the Office of Research and Development, and the OIG (made by the OIG's Office of Investigations). In addition, we:

• Examined the results of the fundamental classification guidance review.
• Examined the results of self-inspection reporting.
• Examined applicable Standard Form 311, "Agency Security Classification Management Program Data."
• Reviewed relevant policies, regulations and related reports.
• Reviewed the NSI annual refresher training to determine whether it was consistent with NSI guidance.
• Compared the derivatively classified documents with the corresponding source material when available.
• Interviewed EPA's sole original classification authority and four derivative classifiers.
• Interviewed staff responsible for security training and related policy development and implementation, including staff from SMD, NHSRC and OHS.

As directed by the Reducing Over-Classification Act, we consulted with ISOO and coordinated throughout the evaluation with other Inspector General offices with the intent of ensuring that our evaluations followed a consistent methodology to allow for cross-agency comparisons.
We also used an evaluation guide that was prepared by a working group of participating Inspectors General under the auspices of the Council of the Inspectors General on Integrity and Efficiency. To discern whether agency policies and practices were consistent with EO 13526 and the regulations, we used the following from the evaluation guide:

• Methodology for determining the appropriateness of an original classification decision.
• Original classification authority interview coverage.
• Methodology for determining appropriateness of a derivative classification decision.
• Derivative classifier interview coverage.

Chapter 2
Original Classification Processes Need Improvement

The EPA needs to improve several activities related to the original classification of information. We reviewed two originally classified documents that were prepared by NHSRC: a scientific report and a security classification guide for that scientific report. We found that portions of the scientific report needed different classification levels, and that the guide contained incorrect instructions and numerical data that was incorrectly transferred from another document. NHSRC agreed to correct the documents. We also noted that the approved classification guide, as well as three guides under review (but not yet originally classified), covered information previously classified by the Administrator, which limits their usefulness. Further, the three proposed guides have been in the approval process for a year when approvals must, by executive order, take no more than 30 days. In addition, an earlier document originally classified by the EPA will reach its declassification date in 2014. The declassification process needs clarity since a pending declassification request has been in the approval process for almost a year when it should, according to federal regulation, take no more than 60 days. This has delayed making currently classified information more accessible.
Portions of the Scientific Report Need Different Classification Levels

The originally classified scientific report had classification inconsistencies and errors. We brought these matters to the attention of the NHSRC staff, who offered satisfactory responses and agreed to correct the document. As a result, the scientific report may need to go through the original classification process again.

We found that different classification levels were assigned to the same information within the scientific report. Four narrative portions marked "Confidential" contained information that was marked "Secret" in tables and figures. Another paragraph marked "Secret" contained information marked "Unclassified" elsewhere. NHSRC staff agreed portions should be consistently marked and plan to appropriately revise the document by increasing certain markings to a higher classification level.

We also identified portions of the scientific report that seemed to be over-classified. The report acknowledged there were doubts as to whether the release of some of the report data would constitute a threat to national security but the information was nonetheless classified. As noted in chapter 1, EO 13526 states that if there is doubt, information should be unclassified or classified at a lower level. In response to our questions, NHSRC offered satisfactory explanations for classifying the information and explained the threat that the release of such information would pose.

One of the most effective ways to protect classified information is through applying standard classification markings and dissemination control markings. Dissemination controls are control markings that identify the expansion or limitation on the distribution of information. These markings are in addition to and separate from the levels of classification defined by EO 13526. We determined the scientific report was marked correctly, with one minor formatting exception.
Dissemination controls within portion marks must be preceded by a double slash; however, some portion marks in this document had dissemination controls preceded by a single slash. For instance, a classified paragraph was incorrectly portion marked as U/FOUO rather than as U//FOUO.2 Having one versus two slashes can change the meaning.

Originally Classified Security Classification Guide Had Errors

The security classification guide for the scientific report gave incorrect instructions to those using it and contained numerical data different than that in the scientific report. It also had some portion marks with dissemination controls preceded by a single slash instead of two slashes. This is the May 2012 security classification guide to which EPA referred in the June 2012 report on its fundamental classification guidance review.

The security classification guide provided incorrect instructions to would-be derivative classifiers:

• Title 32 CFR 2001.22(b) requires derivative classifiers to be identified by name and position or by personal identifier. However, the guide only instructs derivative classifiers to supply their names.
• Title 32 CFR 2001.22(e) instructs derivative classifiers to carry forward the declassification instructions from the source document. However, the guide did not specify this and instead instructs the derivative classifier to declassify "25 years from the date of document creation." The guide did not clarify if the document creation date was in reference to the guide itself or the derivative document based on the guide.

The security classification guide included classified numerical data that did not match the source data from the scientific report. The numerical data were classified at the same level in both documents. However, we believe the inconsistency in the data may confuse those using the guide. In response to our questions, NHSRC staff agreed to correct the numerical data taken from tables in the scientific report.
As a result, the classification guide may need to go through the original classification process again unless it is superseded, as discussed below.

2 U = Unclassified. FOUO = For official use only.

Other Security Classification Guides Not Yet Approved

Three other security classification guides have been in the process for an original classification decision since August 2012. According to the EO, classification guides will facilitate the proper and uniform derivative classification of information. Although NHSRC submitted an initial guide that was broad in scope, OHS wanted the guide to be narrow in scope, i.e., pertain to a single document originally classified by the Administrator. EPA clearance holders need broader guidance to discern what information the EPA should classify. With such a classification guide approved, NHSRC will not need to process so many documents as original classification decisions. This would shorten the classification process by removing two steps. The omitted steps would be (1) obtaining the Administrator's approval and (2) actions needed because of such approval.

Classification Guide With a Broader Scope Would Be More Useful

NHSRC staff initially prepared a broad security classification guide that would encompass both past and possible future work. They designed the guide to help NHSRC staff understand what must be classified and what can be made publicly available. NHSRC considers this part of its risk assessment on each new project.

According to a NHSRC staff member, the OHS required NHSRC to replace the broad guide with a narrowly scoped guide that addressed only one of the original classification decisions by the EPA Administrator. NHSRC submitted three additional guides, narrowly scoped along the lines of original classification decisions. This resulted in four security classification guides narrowly scoped to reflect the original classification decisions already made.
The narrow scope of these guides is consistent with information included in the 2012 annual refresher training. As noted in chapter 3, the training described a security classification guide as an aggregation of items from original classification decisions made by an agency or department. However, this description of classification guides does not completely reflect all of the requirements in the regulations at 32 CFR 2001.15(b).

According to an OHS senior staff member, the EPA needs narrowly scoped security classification guides because the originally classified documents mixed classified with unclassified information in the same portions. Instead, the classified material should have been in separate portions or an appendix. Thus, a derivative classifier would clearly understand what must be protected.

Based on the requirements in the regulations, a single guide could address both past original classification decisions and future NHSRC work. NHSRC, not OHS, would be using the guide since it would describe the type of information NHSRC might encounter or create during their work. With a broad security classification guide, NHSRC staff could classify scientific reports without going through the original classification process. This would shorten the classification process by reducing the number of steps. As discussed in chapter 3, SMD oversees derivative classification decisions by EPA staff, so it can monitor the NHSRC decisions for the concerns identified by OHS staff.

Delays Issuing Other Guides

NHSRC staff provided three security classification guides to SMD and OHS in July and August 2012. Following SMD approval, the guides were sent to the OHS no later than September 2012, where they remain. Despite inquiries from NHSRC officials, NHSRC has not received feedback from OHS on the status of the security classification guides.
As noted in Chapter 1, EO 13526 requires a classification decision within 30 days for exceptional cases, which need an original classification decision. According to an OHS senior intelligence advisor, the guides were classified working papers, which may be retained for 180 days before finalization. When told by OIG staff that 180 days had been exhausted, the staff member responded that the review process was still incomplete and the guides were not ready to be processed. The SMD staff had no explanation for the OHS delay. They had also asked OHS for status information, but did not receive an adequate response.

EPA Needs Timelier Declassification

EPA needs to declassify information in a timelier manner. NHSRC staff challenged the classification of an EPA originally classified document in July 2012 by recommending that it be declassified. When a classification decision is challenged, the regulations require an initial response within 60 days. SMD staff completed their review of the challenge and forwarded it to OHS no later than September 2012; the action has remained in OHS. SMD was unable to get update information from OHS. When asked about the delay, a senior OHS staff member said this was the first declassification action processed by the EPA and extra time was necessary to complete the action properly.

Since another originally classified document will reach its declassification date in 2014, the declassification process needs to work more quickly. To ensure the free flow of information, according to EO 13526, routine, secure and effective declassification is an important priority.

Requirements for Original Classifier Training Were Mostly Met

The former Administrator received training for original classifiers in 2011 and 2012. As noted in chapter 1, the regulations require that the annual training for OCAs must include proper classification and declassification, and emphasize avoiding over-classification.
We found that the 2012 training materials failed to cover declassification, one of the required training elements. We were unable to evaluate the adequacy of the 2011 training because that training material was not available.

We believe the former Administrator demonstrated adequate knowledge of classification management procedures. During her 4 years in the position, the former Administrator made only three original classification decisions, all related to the same scientific report. Given her infrequent use of her original classification authority, she relied on assistance from EPA experts to help her make classification decisions. However, the former Administrator was aware of the importance of avoiding over-classification.

Conclusion

Because of the OIG's questions about the originally classified documents we reviewed, NHSRC agreed to make corrections and offered reasonable explanations for its classification decisions. As a result, these documents may need to undergo another original classification decision. In addition, the EPA needs to improve several activities related to the original classification of information, including the process and speed with which (1) security classification guides are approved so information can be derivatively classified in a proper and uniform manner and (2) originally classified documents are declassified so the information may flow freely as stated in the EO 13526. Also, NHSRC needs a classification guide that will cover both past original classification decisions and future work.

Recommendations

We recommend that the Assistant Administrator for the Office of Administration and Resources Management:

1. Work with the Office of Research and Development to:
   a. Correct the marking errors in the two originally classified documents reviewed by the OIG (the scientific report and security classification guide).
   b. Change the classification levels for portions of the scientific report.
   c. Correct the security classification guide.
2. Provide annual OCA training to the Administrator that complies with the regulatory requirements.
3. Develop a process for declassifying, within 60 days, information classified by EPA.

We recommend that the Associate Administrator for the Office of Homeland Security:

4. Work with the Assistant Administrator for OARM to develop a process for approving classification guides within the 30 days specified in EO 13526.

We recommend that the Assistant Administrator for the Office of Research and Development:

5. Submit to the NSI program team a single, unclassified classification guide that covers both past and future EPA scientific research to replace the multiple guides.

Agency Comments and OIG Evaluation

On behalf of the three action officials, the Assistant Administrator for OARM provided official comments on our draft report. Agency comments are in Appendix C. Appendix D is "Attachment 2" cited in the agency comments. The agency's comments included suggested wording changes, which we incorporated as appropriate.

The agency action officials concurred with recommendations 1, 2 and 5. For recommendation 3 (which was recommendation 4 in the draft report), an alternative action was proposed. We considered the alternative action acceptable and revised the recommendation accordingly. The response included timeframes for completing the actions on recommendations 2, 3 and 5, so these recommendations are resolved and open pending completion of the agreed-to actions. A specific date for completing the corrective action on recommendation 1 was not given; this recommendation is unresolved until it is provided.

The Office of Homeland Security did not concur with recommendation 4 (which was recommendation 3 in the draft report) regarding a process to approve classification guides. To support its position, OHS indicated it is the EPA's position, supported by ISOO, that classification guides are not required.
However, responding to one of our prior reports,³ the Deputy Administrator stated in a memorandum to the Inspector General dated December 22, 2011, that the EPA would prepare classification guides. Below is an excerpt from that memorandum. Recommendation 4 is unresolved. The audit resolution process starts immediately upon report issuance.

In consultation with the Office of Homeland Security, the Office of Administration and Resources Management and the Office of General Counsel, we have determined that these recommendations [to approve and distribute classification guides] are helpful in light of evolving information-sharing initiatives for classified EPA products. The agency will implement them beginning with an initial classification guide that addresses materials most recently originally classified. . . .

³ EPA Should Prepare and Distribute Security Classification Guides (Report No. 11-P-0722 issued September 29, 2011).

Chapter 3
Derivative Classification Decisions Did Not Comply With Requirements

None of the 19 derivatively classified documents the OIG reviewed completely met the requirements of EO 13526 and 32 CFR Part 2001. The derivative classifiers did not include some required information and did not correctly transfer information from the source documents. As a result, those who later access the information may not know how to protect the information or be able to properly identify or use it as a source for their own derivative decision. During fiscal year 2012, the EPA NSI program team started reviewing derivative classification decisions and reported to ISOO problems with derivative decisions similar to the problems we found. We identified a lack of training for derivative classifiers and incorrect information in the annual refresher training given to all clearance holders as management practices that may be contributing to misclassification of material or incorrect markings.
EPA had not updated the guidance it provided to cleared staff members. Not all cleared employees who needed one had an element relating to designation and management of classified information as part of their performance evaluation.

Required Information Was Missing or Incorrect

All 19 derivatively classified documents reviewed either lacked required information and/or included incorrect information. The regulations require that each derivative document identify who classified the document, the source document(s) from which the classified information was derived, and a declassification date or instructions. The information appears in what is called a classification authority block (referred to as the classification block in the NSI Handbook). The NSI Handbook instructs that every classified document must contain a classification block in the lower-left corner on the front cover, title page, or first page. Besides the classification block, classified documents must have proper overall markings (e.g., the classification level at the top and bottom of each page), portion markings, and dissemination control and handling markings. We considered these and other requirements when reviewing the derivative documents. Appendix B is a summary of the number of derivative documents reviewed, along with the key information missing.

Classification Authority Block

Required information related to derivative classifier identification, source documents and declassification date was not always present in EPA derivative documents. Six of the 19 derivative documents had no classification authority block. For these six instances, we had to ask the EPA staff responsible for the document to identify the derivative classifier and the source documents. Seven of the 13 documents with a classification block did not identify the derivative classifier.
Prior to the June 2010 effective date for EO 13526, regulations did not require derivative classifier identification in the classification block. Five of these seven instances occurred during a 19-month period between the EO effective date and the January 2012 revision of the EPA NSI Handbook, which was updated to include the derivative classifier identification requirement. Agency guidance lagging behind the policy changes may have resulted in derivative classifiers not identifying themselves in the classification block. Thus, derivative classifiers relying on EPA guidance may have been unaware of the new requirement.

List of Sources

Of the 13 derivative documents with a classification block, eight indicated they were derived from multiple sources. When there are multiple sources, the derivative classifier must include a listing of all the source materials on, or attached to, each derivatively classified document. None of the eight documents had a source list on or attached to it. For seven of the eight documents, someone other than the derivative classifier prepared the list after the fact because the derivative classifier had left the EPA. The classifier for the eighth document had the list but it was not with the document. Also, one of the derivative documents that identified only one source document was actually derived from multiple sources.

Overall Page Markings

Eleven documents had page marking errors. Most were relatively minor, like a misplaced page banner. Four were more serious—one because the classification level was incorrect and three because a dissemination control marking was missing.

Portion Markings

Eighteen of the 19 documents had errors in their portion markings. In total, one-third of the pages had one or more portion marking errors. Some were minor errors, like having only one slash instead of the required two slashes between marking categories. Others were more serious, such as not marking some portions of the document.
Without proper portion marks, those with access to the document will not know what level of classification and safeguarding applies to the document. Also, if they want to use the information in a derivatively classified document they will not know how to correctly mark it.

Date

Ten of the 19 derivative documents had no date. Of the nine with a date, three showed only the month and year, not a specific date. A date is needed so that it can be cited when describing the source of a derivative document, as required by the regulations.

Information Was Incorrectly Transferred

Derivative classifiers did not always correctly transfer information from the source documents to the derivative document. We compared 18 of the 19 derivative classified documents to their identified source documents and found that all 18 documents had mistakes in transferring information. These mistakes ranged from portion-marking errors to document-level issues. The EPA organization responsible for the derivative documents was unable to provide the source document for one of the sample items. Appendix B identifies the number of documents with transfer problems.

Cited Source Was an Inappropriate Basis for a Derivative Decision

We found EPA derivatively classifying EPA-originated research on a basis not allowed by the regulations. Three of the derivative documents were reports on scientific studies that EPA performed for another federal agency. As their source, these three derivative documents cited an instructional email from an outside agency. This instructional email contained vague classification instructions (which themselves were classified) and did not meet the requirements in the regulations to be a security classification guide. The EPA derivative classifier told us he could not verify the email author's identity.
Since the EPA performed the research but did not have an appropriate basis to derivatively classify the results, we concluded that the EPA should have originally classified these research reports.

Proposal Reviews Were Over-Classified

Three derivative documents marked "Secret" were reviews of proposed scientific studies prepared for an outside agency. One of the reviews contained only an unclassified proposal title, a document control number and the name of the reviewer but was still marked "Secret." Another of these reviews was of a proposal that had no portion markings. However, none of the review comments contained excerpts from this proposal. Similarly, for the third review, none of the reviewer's comments included classified portions in the proposal. The form used for these reviews came from the outside organization and had a dropdown field to select the overall classification level. The EPA reviewer could not recall if he had selected the classification level or if the form came with the level already selected.

Transfer Errors or Omissions

Of the 18 derivative documents we compared to source document(s), the derivative classifiers did not properly transfer the declassification date for 13 documents. The derivative classifier must carry forward the instructions on the "Declassify On" line from the source document to the derivative document. If there was more than one source document, the "Declassify On" line must reflect the longest duration of any of its sources. However, the derivative classifier incorrectly transferred the declassification date for seven documents. For six other documents, the declassification date from the appropriate source was not transferred because the derivative document did not have a classification block.

Three of the derivative documents contained classified portions that did not come from the identified sources. For these, we concluded there were one or more unidentified source documents.
For example, one portion mentioned activity in 2011 even though none of the sources were dated later than 2010. Another portion without a source in this same document was marked "Secret"; the NSI representative told us this was a mistake and the derivative classifier (who is no longer with EPA) was being over-zealous.

There were multiple errors with another document derived from three sources. One portion from the first source was over-classified in the derivative document. Parts of the derivative document came from a second source, which had no portion marks, so we could not determine whether it was under- or over-classified. Portions that came from the third source were under-classified; the information classified in the third source as "Secret" was marked "Confidential" in the derivative document. The third source was an EPA-generated research report that, according to the derivative classifier, should have been classified as "Confidential" even though it was marked "Secret."

NSI Program Team Found and Reported Problems With Derivative Decisions

As part of its 2012 self-inspection, the EPA reported to ISOO problems with derivative decisions similar to the problems we found. During fiscal year 2012, the EPA NSI program team started reviewing derivative classification decisions. Their reviews were to ensure that: (1) classification markings are carried over and applied appropriately, (2) the overall classification is applied throughout each document, and (3) the derivative classification block contains the applicable information to include identifying sources. They reviewed 56 derivative classification decisions—approximately 25 percent of EPA's derivative decisions at the time. In the November 2012 report to ISOO, the EPA reported that none of the sampled decisions included a list of sources used when derived from multiple sources. During fiscal year 2013, the NSI program team reviewed 26 recent derivative decisions.
They found the multiple-source issue persisted as the multiple-source list was not present in 14 documents. In addition, they found:

• An incorrect declassification date in 16 documents.
• Portion marking errors in 13 documents.
• Overall classification marking errors in six documents.
• The Classification block missing in six documents.
• The "classified by" line missing in four documents.
• Working paper marking errors in four documents.

Derivative Classifier Training Not Implemented

The EPA has not met the requirements in the regulations for training the derivative classifiers. The NSI program team proposed additional training for derivative classifiers but has not yet implemented the training. EPA does not offer derivative classifier training. As noted in chapter 1, the training must emphasize avoiding over-classification and cover certain information. Without this required training at least every 2 years, the regulations require the EPA to suspend the authority of the individual to apply derivative classification markings.

We found EPA derivative classifiers had gaps in their knowledge of derivative classification procedures. None of the four derivative classifiers we interviewed succeeded in answering all of our knowledge test questions. In addition, some of the subjects' knowledge gaps appeared to lead to marking errors in their documents. For example, when asked if a list of source documents was kept with documents derived from multiple sources, one respondent told us the list was kept separate. This respondent created one of the documents derived from multiple sources that did not have a source list with the document.

Although the EPA does not offer training for derivative classifiers, it is available elsewhere. An example is the Web-based Classification Management and the IC [Intelligence Community] Markings System course offered by the Office of the Director of National Intelligence.
This course meets the minimum national training requirements for derivative classifiers established in EO 13526 and the regulations.

In its 2012 annual self-inspection report, the EPA informed ISOO it had identified a need for additional training related to marking derivative documents, identifying multiple sources where applicable, and marking requirements in the electronic environment (specifically as it relates to email on the Homeland Secure Data Network). It told ISOO that clearance holders would be provided with derivative classifier training as part of its mandatory 2012 NSI annual refresher training. However, as discussed below, we found this was not done. The EPA also told ISOO it would make stand-alone derivative classifier training available to clearance holders during fiscal year 2013 and ensure that all clearance holders are trained. However, this has not yet been done.

Annual Refresher Training Lacked Required Elements

The regulations require that annual refresher training be given to all cleared employees who create, process or handle classified information. However, the training EPA provided in 2011 and 2012 was inconsistent with some aspects of the regulations. It also did not cover all the information needed by derivative classifiers, so it did not fulfill the requirements for derivative classifier training.

The 2011 annual refresher training did not cover seven of the nine required elements for derivative classifiers, and the 2012 training did not cover four of these elements. The four elements required for derivative classifiers not covered by either the 2011 or 2012 refresher training concerned classification prohibitions and limitations, sanctions, classification challenges and information sharing. In addition, neither the 2011 nor 2012 training emphasized avoiding over-classification.

The annual refresher training in 2011 included information inconsistent with the regulations.
For example, the training omitted that a derivative classifier may make a derivative classification decision based on a security classification guide. Instead, the training only mentioned derivatively classifying an item based on a classified original document. This lack of a reference to security classification guides limited what source a derivative classifier might use to classify information.

The annual refresher training in 2012 also included information that was inconsistent with the regulations. The training mistakenly instructed that:

• The classification block of a derivatively classified document should include a "Reason" line; the regulations do not require a "Reason" line.
• When the "Derived from" line indicates multiple sources, the list of these sources must be attached; the regulations allow the derivative classifier the option of incorporating the list in the document.
• A security classification guide is an aggregation of items from an originally classified document; the regulations require a security classification guide to identify elements of information that must be protected without stipulating that the information must already be in an originally classified document.

Also, the training slides had no examples of overall markings or portion marking with more than one category, such as "SECRET//NOFORN" or "(S//NF)."

Not All Classifiers Were Evaluated on NSI Requirements

Not all cleared employees who needed it had an element or item relating to designation and management of classified information in their performance evaluation. EO 13526 requires such an element or item to be evaluated in the rating for personnel whose duties significantly involve handling classified information, including those who regularly apply derivative classification markings. We reviewed the performance evaluations—specifically, the critical element related to national security—for SMD staff and the derivative classifiers we interviewed.
The performance evaluations for three of the four derivative classifiers interviewed included a critical element related to NSI activities. The fourth derivative classifier, who was also a NSI representative, did not have a critical element related to NSI-related responsibilities.

EO 13526, 32 CFR 2001 and the NSI Handbook all provide that sanctions can be imposed for violating NSI requirements. Further, the Reducing Over-Classification Act authorizes agencies under Chapter 45 of Title 5, U.S. Code, to consider an employee's consistent and proper classification of information when making cash awards; however, this assumes that the Office of Management and Budget is again allowing discretionary monetary awards.

Conclusion

EO 13526 requires the EPA to protect information critical to our nation's security. The errors we found in the 19 derivatively classified documents make it harder for those with access to each document to know what level of classification and safeguarding applies to it. During fiscal year 2012, the EPA NSI program team started reviewing derivative classification decisions to ensure they complied with EO 13526 and the regulations. They found deficiencies in ancillary issues not directly affecting the appropriateness of the derivative classification decision, and the deficiencies persisted into fiscal year 2013. Although the NSI program team identified lack of derivative classifier training as a weakness, the team has not provided the required training to date. Moreover, as long as incorrect information is presented in the annual refresher training given to all clearance holders, EPA lacks assurance that its cleared staff are aware of their responsibilities. This is occurring even though employees may be subject to appropriate sanctions if they violate any provisions of the EO or the regulations.

Recommendations

We recommend that the Assistant Administrator for the Office of Administration and Resources Management:

6. Assist the appropriate EPA organizations in bringing the derivative documents reviewed by the OIG into compliance with EO 13526 and 32 CFR Part 2001. For example:
   a. Attach or incorporate a source document list if derived from multiple sources.
   b. Correct the classification blocks to include the name and position or personal identifier of the derivative classifier.
   c. Declassify proposal reviews and other documents deemed over-classified.
   d. Convert derivatively classified documents to original classifications.
   e. Ensure consistency in portion marks from sources applied to original documents.
7. Provide NSI annual refresher training that is consistent with regulatory requirements.
8. Enforce the requirements in 32 CFR 2001.71(d) regarding derivative classifier training.
9. Remind the heads of EPA organizations that their staff who hold a security clearance should have included in their performance evaluation a critical element or item on the designation and management of classified information if the individual is a security manager or specialist or has duties that significantly involve creating or handling classified information (e.g., NSI representatives).

Agency Comments and OIG Evaluation

The action official concurred with recommendations 6, 7 and 8. For recommendation 9, an alternative action was proposed. We considered the alternative acceptable, but did not revise the recommendation since OARM is still the action official. The response included timeframes for completing these actions. Thus, these recommendations are resolved and open pending completion of the agreed-to actions.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS | POTENTIAL MONETARY BENEFITS (In $000s)

Rec. No. | Page No. | Subject | Status¹ | Action Official | Planned Completion Date | Claimed Amount | Agreed-To Amount
1 | 10 | Work with the Office of Research and Development to: a. Correct the marking errors in the two originally classified documents reviewed by the OIG (the scientific report and security classification guide). b. Change the classification levels for portions of the scientific report. c. Correct the security classification guide. | U | Assistant Administrator for Administration and Resources Management | | |
2 | 10 | Provide annual OCA training to the Administrator that complies with the regulatory requirements. | O | Assistant Administrator for Administration and Resources Management | 12/30/13 | |
3 | 10 | Develop a process for declassifying, within 60 days, information classified by EPA. | O | Assistant Administrator for Administration and Resources Management | 3/30/14 | |
4 | 10 | Work with the Assistant Administrator for OARM to develop a process for approving classification guides within the 30 days specified in EO 13526. | U | Associate Administrator for Homeland Security | | |
5 | 11 | Submit to the NSI program team a single, unclassified classification guide that covers both past and future EPA scientific research to replace the multiple guides. | O | Assistant Administrator for Research and Development | 12/30/13 | |
6 | 18 | Assist the appropriate EPA organizations in bringing the derivative documents reviewed by the OIG into compliance with EO 13526 and 32 CFR Part 2001. For example: a. Attach or incorporate a source document list if derived from multiple sources. b. Correct the classification blocks to include the name and position or personal identifier of the derivative classifier. c. Declassify proposal reviews and other documents deemed over-classified. d. Convert derivatively classified documents to original classifications. e. Ensure consistency in portion marks from sources applied to original documents. | O | Assistant Administrator for Administration and Resources Management | 9/30/14 | |
7 | 18 | Provide NSI annual refresher training that is consistent with regulatory requirements. | O | Assistant Administrator for Administration and Resources Management | 12/30/13 | |
8 | 19 | Enforce the requirements in 32 CFR 2001.71(d) regarding derivative classifier training. | O | Assistant Administrator for Administration and Resources Management | 3/30/14 | |
9 | 19 | Remind the heads of EPA organizations that their staff who hold a security clearance should have included in their performance evaluation a critical element or item on the designation and management of classified information if the individual is a security manager or specialist or has duties that significantly involve creating or handling classified information (e.g., NSI representatives). | O | Assistant Administrator for Administration and Resources Management | 12/30/13 | |

¹ O = Recommendation is open with agreed-to corrective actions pending.
  C = Recommendation is closed with all agreed-to actions completed.
  U = Recommendation is unresolved with resolution efforts in progress.

Appendix A

EPA OIG Reports Address Section 6(b) of Public Law 111-258

Section 6(b) of the Reducing Over-Classification Act (PL 111-258) requires the Inspector General of each agency with an officer or employee who is authorized to make original classifications, in consultation with the ISOO, to carry out no less than two evaluations of that agency. The first evaluation shall be completed by September 30, 2013, and the second by September 30, 2016.
The evaluations are to cover the following, with the second evaluation being a review of the progress made pursuant to the results of the first evaluation:

• Assess whether applicable classification policies, procedures, rules, and regulations have been adopted, followed, and effectively administered within such department, agency, or component.
• Identify policies, procedures, rules, regulations, or management practices that may be contributing to persistent misclassification of material within such department, agency or component.

In consultation with ISOO, the Council of the Inspectors General on Integrity and Efficiency issued a guide for conducting the initial evaluation under the Reducing Over-Classification Act. The guide's goal is to ensure that the OIG evaluations meet the above requirements and follow a consistent methodology to allow for cross-agency comparisons. It identified five researchable questions. The table below lists each question and the EPA OIG report that addressed it. Thus, we completed the work required for the first evaluation. We plan to start work on the second evaluation during fiscal 2015.

Question | EPA OIG Report

1. To what extent has the organization adopted classification policies, procedures, rules and regulations?
EPA Should Prepare and Distribute Security Classification Guides (Report No. 11-P-0722 issued September 29, 2011)
EPA's National Security Information Program Could Be Improved (Report No. 12-P-0543 issued June 18, 2012)
2. To what extent do the organization classification policies, procedures, rules and regulations comply with existing Federal classification requirements, guidelines, etc?
3. To what extent have the organization classification policies, procedures, rules, and regulations been effectively followed and administered?
EPA's National Security Information Program Could Be Improved (Report No. 12-P-0543 issued June 18, 2012)
EPA Does Not Adequately Follow National Security Information Classification Standards (Report No. 14-P-0017 issued November 15, 2013)
4. To what extent, if any, and in what manner have information and materials been over-classified within the organization?
EPA Does Not Adequately Follow National Security Information Classification Standards (Report No. 14-P-0017 issued November 15, 2013)
EPA's National Security Information Program Could Be Improved (Report No. 12-P-0543 issued June 18, 2012)
5. To what extent, if any, and in what manner have policies, procedures, rules, regulations, or management practices contributed to any over-classifications?

Source: OIG analysis.

Appendix B

Errors in the Derivative Documents

Number of Documents

Description | OHS (out of 1)⁴ | OIG (out of 7) | NHSRC (out of 11) | Total (out of 19)
Required Information Was Missing | | | |
Document had no date of origin for the document. (32 CFR 2001.22(a) and 2001.22(c)) | 1 | 2 | 7 | 10
There was no classification authority block. (32 CFR 2001.22) | 0 | 0 | 6 | 6
Information in the classification block was incomplete or incorrect. (32 CFR 2001.22) | 1 | 7 | 5 | 13
Multiple sources were cited in the classification block, but the list of sources was missing. (32 CFR 2001.22(c)) | 0 | 7 | 1 | 8⁵
Page marking had errors. (32 CFR 2001.21(b)) | 0 | 6 | 5 | 11
Portion marking had errors. (32 CFR 2001.21(c)) | 0 | 7 | 11 | 18
Transfer Errors⁶ | | | |
Source was not a proper basis for a derivative decision. (32 CFR 2001.22(a) and 2001.22(c)) | 0 | 0 | 3 | 3
Document contained no classified information so it can be declassified. (EO 13526, Section 3.1) | 0 | 0 | 5 | 5
Declassification date was not correctly transferred from the source document(s) to the derivative document. (32 CFR 2001.22(e)) | 0 | 7 | 6 | 13
Other information was incorrectly transferred from the source document(s). (32 CFR 2001.22) | 0 | 3 | 5 | 8

⁴ We were unable to compare the derivative document to the source document.
⁵ Only eight of the 19 documents cited multiple sources in the classification block.
⁶ We evaluated 18 of the derivative documents for transfer errors since the source for one of the derivative documents was not available.

Appendix C

Agency Response to Draft Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

SEP 23 2013

OFFICE OF ADMINISTRATION AND RESOURCES MANAGEMENT

MEMORANDUM

SUBJECT: Response to Office of Inspector General Draft Report No. OPE-FY13-0009, "EPA Does Not Sufficiently Follow National Security Information Classification Standards," dated September 6, 2013

FROM: Craig E. Hooks, Assistant Administrator /s/

TO: Jeffrey Harris, Acting Deputy Assistant Inspector General
Office of Program Evaluation

Thank you for the opportunity to respond to the issues and recommendations in the subject draft audit report. The following is a summary of the agency's overall position, with an attached table of responses to each of the report recommendations (Attachment 1). For those recommendations with which the agency agrees, we have provided intended corrective actions and estimated completion dates. For report recommendations the agency does not agree with, we have explained our position.

Overall Position

The agency agrees with recommendations 1, 2 and 5-8. The responsible office, OARM, agrees with the intent of recommendation 9 but proposes another means to address the recommendation. The responsible office, OHS, disagrees with recommendations 3 and 4; OARM proposes an alternative for recommendation 4.

Recommendations for Changes to Draft Report Text

The report would present a clearer picture of the agency's classification program if it mentioned its small size. Since 2004, the agency has originally classified only eight documents. Our derivative classification program is also small.
In a 2011 message to the EPA, the Acting Director of the Information Security Oversight Office said, "EPA only has one OCA; unlike at almost all other agencies, it may not be delegated. Additionally, unlike almost all other agencies, it has a very minute amount of classification activity" (Attachment 2).

The agency believes the phrase "flawed numerical data" ("At a Glance" and p. 7) implies that the scientific report has flawed data. The scientific report does not have flawed data, and we recommend that the text be changed to reflect that fact. We agree that the Originally Classified Security Classification Guide contained two numbers that were incorrectly transferred from the source document.

The agency recommends revising the OIG finding that the scientific report and classification guide, once corrected, need to go through the original classification process again. ORD reported to the OIG one marking error (a "U//FOUO" marked paragraph containing one Secret fact) which will be corrected. Because the Secret fact was already classified elsewhere in the scientific report, the documents may not need to go through the original classification process. We recommend that the documents must be evaluated to determine if they need to go through the original classification process again.

OARM, ORD and OHS will continue collaborating to strengthen the agency's classification program.

If you have questions regarding OARM responses, please contact Tami Franklin, Director of the OARM/OA/ Security Management Division at (202) 564-9218. For questions on ORD responses, please contact Deborah Heckman at 202-564-7274. For questions on OHS responses, please contact Juan Reyes, Acting Associate Administrator, at (202) 564-4188.

Attachments (2)

cc:
Lek Kadeli
Juan Reyes
John Showman
Steve Blankenship
Brandon McDowell
Eric Lewis
Christine Baughman

AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS

Agreements

| No. | Recommendation/Responsible Office | High-Level Intended Corrective Action(s) | Estimated Completion by Quarter and FY |
|---|---|---|---|
| 1 a-c | Responsible Office: OARM. Work with the appropriate EPA organization to: a. Correct the marking errors in the two originally classified documents reviewed by the OIG (the scientific report and security classification guide). b. Change the classification levels for portions of the scientific report. c. Correct the erroneous data in the security classification guide. | The National Security Information Program Team will review all corrections and changes submitted, to ensure the markings are appropriately placed and at the correct classification level. | The NSI Program Team review will be completed within 30 calendar days of receipt of a document. |
| 2 | Responsible Office: OARM. Provide annual Original Classification Authority training to the Administrator that complies with the regulatory requirements. | The NSI Program Team will ensure that CY13 OCA training complies with all regulatory requirements. (NOTE: EO 13526 training requirements are stated in terms of calendar year. The OIG response template calls for completion dates by fiscal year. As a result, some lines in this document refer to CY and FY.) | Fully compliant OCA training will be provided to the Administrator by the end of Q1FY14. |
| 5 | Responsible Office: ORD. Submit to the NSI program team a single, unclassified classification guide that covers both past and future EPA scientific research to replace the multiple guides. | ORD will prepare and submit to the NSI Program Team an unclassified classification guide to cover past and future scientific research. | The document will be submitted to the NSI Program Team by the end of Q1FY14. |
| 6 | Responsible Office: OARM. Assist the appropriate EPA organizations in bringing the derivative documents reviewed by the OIG into compliance with EO 13526 and 32 CFR 2001. For example: a. Attach or incorporate a source document list if derived from multiple sources. b. Correct the classification blocks to include the name and position or personal identifier of the derivative classifier. c. Declassify proposal reviews and other documents deemed over-classified. d. Convert derivatively classified documents to original classifications. e. Ensure consistency in portion markings from sources applied to original documents. | OARM will assist appropriate EPA organizations in bringing the derivative documents reviewed by the OIG into compliance with EO 13526 and 32 CFR Part 2001. The cooperation of the appropriate EPA organizations (ORD, OHS, and the OIG) is essential for the completion of this recommended action. | The NSI Program Team will complete its review of/assistance with the documents within 30 days of receipt. The documents cannot be brought into compliance without the active involvement of the appropriate EPA organizations. OARM anticipates completion by the end of Q4FY14. |
| 7 | Responsible Office: OARM. Provide NSI annual refresher training that is consistent with regulatory requirements. | The NSI computer-based refresher training module for CY13 has been developed, although not yet disseminated. The NSI Program Team, to be fully consistent with regulatory requirements, will supplement the training with outreach material. CY14 computer-based refresher training will be fully consistent with regulatory requirements. | Supplemental outreach for CY13 will be completed and provided to clearance holders by the end of Q1FY14. Refresher training for CY14 will be provided to clearance holders by the end of Q1FY15. |
| 8 | Responsible Office: OARM. Enforce the requirements in 32 CFR 2001.71(d) regarding derivative classifier training. | Computer-based derivative classifier training will meet the requirements in 32 CFR 2001.71(d). | Derivative classifier training will be developed by the end of Q2FY14. |

Disagreements

| No. | Recommendation/Responsible Office | Agency Explanation/Response | Proposed Alternative |
|---|---|---|---|
| 3 | Responsible Office: OHS. Work with the assistant administrator for OARM to develop a transparent process for approving classification guides within the 30 days specified in EO 13526. | (Note: OHS provided the following to OARM.) "OHS non-concurs with recommendation No. 3. It is the current EPA position supported by ISOO that Classification Guides are not required." | Note: OHS did not provide to OARM a proposed alternative to include in this response. |
| 4 | Responsible Office: OHS. Work with the assistant administrator for OARM to develop a transparent process for declassifying, within 60 days, information classified by EPA. | (Note: OHS provided the following to OARM.) "OHS non-concurs with recommendation No. 4. Under the current and existing delegation, it is the responsibility of OARM to develop a transparent declassification review process in accordance with EO 13526." OARM has a draft process for declassifying, within 60 days, information classified by the EPA. OARM has traditionally included OHS in this process as a collaborative partner, but given OHS's position and the OIG's finding that declassification must be timelier, OARM accepts responsibility for this recommendation and will work with subject matter experts to provide declassification recommendations for the Administrator's approval. | By the end of Q2FY14, information classified by EPA will be declassified, if appropriate, within 60 days of the NSI Program Team's receipt of the request. |
| 9 | Responsible Office: OARM. Remind the heads of EPA organizations that their staff who hold a security clearance should have included in their performance evaluation a critical element or item on the designation and management of classified information if the individual is a security manager or specialist or has duties that significantly involve creating or handling classified information (e.g., derivative classifiers and NSI representatives). | We fully agree with the intent of this recommendation, but propose that the reminder be sent from the director of the Security Management Division to the NSI representatives newly appointed by each organization's head to act as that organization's liaison to the NSI Program Team. The designations were made in response to an August 16, 2013, formal request from the AA, OARM to the heads of EPA organizations. The NSI representatives will ensure that all cleared employees have the appropriate critical element added to their PARS. | The director of the Security Management Division will send the reminder by the end of Q1 FY14. |

Appendix D

Email From the Information Security Oversight Office

The following email was submitted by ISOO to the EPA on June 1, 2011.

Subject: EPA Classification Policy

EPA has asked ISOO if it needs to create a classification guide in accordance with Section 2.2 of Executive Order 13526 ("the Order").

Finding: ISOO does not believe that EPA needs to create a classification guide. ISOO does not believe that EPA is in violation of section 2.2 of the Order. ISOO continues to believe that EPA has strong and sufficient controls in place with regard to its original classification program.

Background and supporting observations:

1. In the past seven fiscal years, EPA has originally classified a total of six documents. See FY list at the bottom of this e-mail message.
2. EPA is one of few agencies granted Original Classification Authority by the President.
Under the Order, only the Administrator serves as the OCA and she may not delegate this authority. EPA's situation is unique in that the OCA may not be delegated and it rarely needs to exercise this OCA authority.
3. EPA has developed a meticulous and rigorous process for deciding to originally classify records. ISOO conducted a detailed on-site review in September 2005 that among other items, commended EPA for its decision-making process. At that time, ISOO found that EPA's detailed process ensured that each possible classification decision was well-thought out, rational, and informed. Further, ISOO found that this process involved all appropriate staff and offices, including the Office of the Administrator.
4. Since this detailed on-site audit, ISOO has met yearly with EPA officials to discuss its classified national security program. Additionally, ISOO is in regular communication with EPA security staff to discuss EPA's classified national security program. Finally, ISOO regularly monitors EPA's classified national security program and evaluates EPA's reports and responses to ISOO data calls and requests.
5. EPA has strong processes in place to ensure that classification decisions are appropriate and in accordance with the Order.
6. The purpose of Section 2.2 of the Order is to ensure that those agencies that have several OCAs and make many classification decisions are doing so in an effective and efficient manner that aids the classification system by ensuring uniformity and consistency. EPA only has one OCA; unlike at almost all other agencies, it may not be delegated. Additionally, unlike almost all other agencies, it has a very minute amount of classification activity.

Concluding remarks: While the exact letter of the Order seems to suggest that all agencies granted OCA authority by the President must have classification guides, there is still room for judgement (sic) and common sense.
In our view, looking at the program and its activity in its entirety, EPA's program is fully functioning and has the appropriate checks and balances in place to ensure that its classification program is consistent and effective.

2010 - Original-0 Derivative-16
2009 - Original-0 Derivative-4
2008 - Original-3 Derivative-10
2007 - Original-0 Derivative-13
2006 - Original-0 Derivative-46
2005 - O-2 D-5
2004 - O-1 D-0

Appendix E

Distribution

Office of the Administrator
Assistant Administrator for Administration and Resources Management
Principal Deputy Assistant Administrator for Research and Development
Associate Administrator for Homeland Security
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Principal Deputy Assistant Administrator, Office of Administration and Resources Management
Director, Office of Policy and Resource Management, Office of Administration and Resources Management
Deputy Director, Office of Policy and Resource Management, Office of Administration and Resources Management
Director, Office of Regional Operations
Director, Office of Administration, Office of Administration and Resources Management
Director, Security Management Division, Office of Administration and Resources Management
Chief, Personnel Security Branch, Office of Administration and Resources Management
Team Leader, National Security Information Program Team, Office of Administration and Resources Management
Director, National Homeland Security Research Center, Office of Research and Development
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Administration and Resources Management
Audit Follow-Up Coordinator, Office of Research and Development
Audit Follow-Up Coordinator, Office of Policy and Resource Management, Office of Administration and Resources Management