Facility Security Officers (FSOs) the security managers for cleared defense contractors, implement and direct security programs to protect classified information. As an FSO or a supporting security professional in this role, have you ever wondered how the classified information you protect gets its designation? We can find the answer in Presidential Executive Order 13292.
You may have heard and read reports of how over-classification results in unnecessary costs. You might also understand from similar reports of how under-classification can lead to compromise of sensitive information. To better prevent unauthorized disclosure and ensure that classification is assigned to only that information needing protection, the President has issued special guidelines. In cases where items may be assigned an original classification, four conditions must be met:
An original classification authority (OCA) is classifying the information; Specifically, only the President and in certain circumstances the Vice President, agency heads designated by the President in the Federal Register, and appointed U.S. Government Officials can serve as OCA's. Agency heads are responsible for ensuring that only the minimum amount of subordinate officials are delegated original classification authority. It is these Government checks and balances that ensure responsibility and accountability.
The President, Vice President, agency heads, and officials designated by the President can delegate TOP SECRET original classification authority. SECRET and CONFIDENTIAL original classification authority also may be given to senior agency officials who are designated by agency heads in writing. The authority may not be automatically re-delegated.
The original classification authorities attend training as identified in the executive order and other directives. The education is similar to annual security awareness training the FSOs are required to offer employees with security clearances. For example, they learn how to protect classified information, how to mark it, and how to handle dissemination in addition to learning how to determine the classification level.
An original classification authority may determine a classification on anything that is owned, produced or controlled by the U.S. Government. For example, the Government contracts a company to make a product important to national security. As part of the contract, the government will require that the company construct and assemble items that must be safeguarded at the SECRET level of classification. They will work with the contractor and provide direction and means for production, protection measures in addition to the stipulations of the contract. The company is then contracted to make defense articles or provide services that the Government owns.
The information to be classified should fall into one of the following categories: Military plans, weapons systems or operations; Foreign government information; Intelligence activities, sources or methods or cryptology; Foreign relations or activities of the United States including confidential sources; Scientific, technological, or economic matters relating to national security, including defense against transnational terrorism; U.S. programs for safeguarding nuclear materials or facilities; Vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism; Weapons of mass destruction.
The OCA also should determine that the unauthorized disclosure of the information reasonably could be expected to result in damage national security, which includes defense against transnational terrorism, and they are able to identify or describe the damage. This is the fourth and final requirement that must be met before an original classification authority can assign a classification level. Classification levels are designed to implement the proper level of protection. It is part of the risk management component of security. The consequence of loss of the information is part of the categorization process.
The impact of disclosure is categorized from reasonably causing "damage" for CONFIDENTIAL information through "serious damage" for SECRET information to "seriously grave damage" for TOP SECRET information. The EO 13292 states that the impact of loss or compromise of the information must be at one of the three defined levels in order to be assigned a classification. The other part is that the classifier should be able to describe or identify the damage. This measure again informs the user that the information is to be safeguarded at a necessary level and also to prevent the original classification authority from assigning a classification level needlessly.
Cleared Defense Contractors protect information classified by the OCA's. Understanding the reasoning behind the classification is not critical, but it may give a better comprehension of the National Industrial Security Program. Such information could lead to better security measures or heightened awareness of the sensitive nature of classified information.