6.6 Information Security Oversight Office
The Information Security Oversight Office (ISOO) is a component of NARA and receives its policy and program guidance from the Assistant to the President for National Security Affairs. ISOO supports the President by ensuring that the Government protects and provides proper access to information to advance the national and public interest. ISOO leads efforts to standardize and assess the management of classified and controlled unclassified information through oversight, policy development, guidance, education, and reporting. The ISOO mission extends into numerous areas, and those listed below directly support open government.
In order to keep the public informed on the state of classification and declassification in the government, ISOO collects statistical data from all the relevant agencies about their programs. ISOO reports its findings annually to the President and makes the report available to the public. ISOO will continue to monitor and report on the state of classification and declassification in government through its annual Report to the President. ISOO will provide guidance and report on agency adherence to the Fundamental Classification Guidance Review (FCGR) as required by Executive Order.
The Director of ISOO is the Executive Secretary of the Interagency Security Classification Appeals Panel (ISCAP). ISOO provides all staff support for the ISCAP. The ISCAP plays a unique role in open government by serving as an impartial appeal resource for any member of the public who submits mandatory declassification review requests to a federal agency. Since 1996, the ISCAP has acted on a total of 2,407 documents. Of these, the Panel declassified additional information in 75 percent of the documents. Specifically, the Panel declassified 694 documents (29 percent) in their entirety, declassified 1108 documents (46 percent) in part, and fully affirmed the declassification decisions of agencies in 605 documents (25 percent). ISOO will continue to support the ISCAP by facilitating meetings, preparing documents for review by the panel and posting information about decisions on the ISCAP website, to include the documents declassified and released by the panel. Agencies consider the decisions of the ISCAP when determining their own declassification decisions, helping to provide current and consistent decision-making across agencies. Additionally, ISOO will support the ISCAP during the 2017 declassification exemption review required by Executive Order.
The Director of ISOO is the Executive Secretary of the Public Interest Declassification Board (PIDB). ISOO provides all staff support for the PIDB and the PIDB’s Declassification Technology Working Group, established in 2015. The PIDB is a committee that advises and makes recommendations to the President and other executive branch officials on declassification in order to promote the fullest possible public access to a thorough, accurate, and reliable documentary record of significant U.S. national security decisions and activities. The President included many PIDB recommendations in his Executive Order, including establishing the National Declassification Center in 2009. The Second Open Government National Action Plan includes recommendations from the PIDB’s Report to the President on Transforming the Security Classification System. These include creating the Security Classification Reform Committee to drive reform in the areas of classification and declassification and calling for the systematic review and declassification of historical data on nuclear activities. The President’s Third Open Government National Action Plan continues building upon technological modernization for classification, declassification, and records management recommended by the PIDB. ISOO will continue to provide all staff support for the PIDB and its Declassification Technology Working Group and will assist the Security Classification Reform Committee when requested to fulfill the President’s transformation tasking.
In order to improve the efficiency and accuracy of the declassification process, ISOO operates an on-site review program that examines and grades recent declassification products. This on-site review program covers all agencies ISOO deems possessing significant declassification programs. These reviews focus on three major areas of concern - missed equities, improper exemptions, and improper referrals.
- Missed equities indicate instances of a declassification review not identifying for referral the security classification interest of one agency found in the record of another agency;
- Improper exemptions indicate instances of a declassification review resulting in the attempt to exempt a record from automatic declassification under an exemption category not permitted by that agency’s declassification guide as approved by the Interagency Security Classification Appeals Panel;
- Improper referrals indicate instances of a declassification review resulting in the referral of records to agencies lacking the authority to exempt information from declassification or waiving their interest in declassification.
One of the main benefits of this program comes from its ability to identify weaknesses in agency staff training and experience. ISOO addresses those weaknesses with focused training support. This program is one of ISOO’s most successful on-site review programs. Since 2008 when ISOO launched the program, agencies’ graded scores improved from averages in the high 70s to the high 90s. ISOO concluded its initial five-year assessment period in Fiscal Year 2012, accomplishing its strategic goal of improving the quality of agency declassification review programs. ISOO now uses an updated assessment plan and revised scoring methodology to balance the use of ISOO and agency resources with the need to monitor automatic declassification review proficiency.
ISOO also conducts general on-site reviews of agency security classification programs. The reviews examine numerous topics, but the central feature is the analysis of classification policies and procedures, to include the evaluation of a sampling of classified products. ISOO will continue its on-site security classification assessment program with the strategic goal of helping agencies continue to improve their programs and maintain high scores for their reviews.
Controlled Unclassified Information
ISOO fulfills Executive Agent (EA) responsibilities for the Controlled Unclassified Information (CUI) Program, which were designated by Executive Order 13556 to NARA. The CUI Program mission is to standardize the way the Executive branch handles unclassified information that requires protection consistent with and pursuant to law, federal regulation, and Government-wide policy, while emphasizing and enhancing the openness, transparency, and uniformity of government-wide practices.
The EA advanced its policy development strategy by completing a draft implementing directive and issuing a proposed rule on CUI (32 CFR 2002), which included an opportunity for public comment. With the issuance of 32 CFR 2002, the EA plans to issue phased implementation schedule for the Executive branch. In addition to the CUI Advisory Council, established during FY 2013 to improve consultative functions, the CUI EA obtained direct input on the draft directive from public interest groups through meetings and submission of comments. ISOO continues publishing requirements and providing training resources through the CUI EA website and online CUI Registry. The EA continues to broaden its outreach activities through meetings with Senior Agency Officials and their staffs, particularly those of the President’s Cabinet, as well as State, local, and private sector entities, and public interest groups.
The EA and Office of Information Policy (Department of Justice) jointly published a memorandum to expand upon the Fiscal Year 2012 issuance of Guidance Regarding CUI and the Freedom of Information Act (FOIA). ISOO will continue developing CUI baseline training on final policy and guidance in anticipation of the CUI Program’s target date for Initial Operating Capability. All CUI training modules are publicly available at the CUI website for either direct access or download. Training source code is available to allow mission-specific modification and implementation for agencies.