PDF Version



  H.R. 6193, THE ``IMPROVING PUBLIC ACCESS TO DOCUMENTS ACT OF 2008''

=======================================================================

                                HEARING

                               before the

               SUBCOMMITTEE ON INTELLIGENCE, INFORMATION
                 SHARING, AND TERRORISM RISK ASSESSMENT

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 11, 2008

                               __________

                           Serial No. 110-121

                               __________

       Printed for the use of the Committee on Homeland Security


[GRAPHIC] [TIFF OMITTED] TONGRESS.#13




  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________

                     U.S. GOVERNMENT PRINTING OFFICE
44-047 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ÿ091800
Fax: (202) 512ÿ092104 Mail: Stop IDCC, Washington, DC 20402ÿ0900012008


                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman

Loretta Sanchez, California          Peter T. King, New York
Edward J. Markey, Massachusetts      Lamar Smith, Texas
Norman D. Dicks, Washington          Christopher Shays, Connecticut
Jane Harman, California              Mark E. Souder, Indiana
Peter A. DeFazio, Oregon             Tom Davis, Virginia
Nita M. Lowey, New York              Daniel E. Lungren, California
Eleanor Holmes Norton, District of   Mike Rogers, Alabama
Columbia                             David G. Reichert, Washington
Zoe Lofgren, California              Michael T. McCaul, Texas
Sheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania
Donna M. Christensen, U.S. Virgin    Ginny Brown-Waite, Florida
Islands                              Gus M. Bilirakis, Florida
Bob Etheridge, North Carolina        David Davis, Tennessee
James R. Langevin, Rhode Island      Paul C. Broun, Georgia
Henry Cuellar, Texas                 Candice S. Miller, Michigan
Christopher P. Carney, Pennsylvania
Yvette D. Clarke, New York
Al Green, Texas
Ed Perlmutter, Colorado
Bill Pascrell, Jr., New Jersey

       Jessica Herrera-Flanigan, Staff Director & General Counsel

                     Rosaline Cohen, Chief Counsel

                     Michael Twinchek, Chief Clerk

                Robert O'Connor, Minority Staff Director

                                 ______

 SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND TERRORISM RISK
                               ASSESSMENT

                     Jane Harman, California, Chair

Norman D. Dicks, Washington          David G. Reichert, Washington
James R. Langevin, Rhode Island      Christopher Shays, Connecticut
Christopher P. Carney, Pennsylvania  Charles W. Dent, Pennsylvania
Ed Perlmutter, Colorado              Peter T. King, New York (Ex
Bennie G. Thompson, Mississippi (Ex  Officio)
Officio)

                 Thomas M. Finan, Director and Counsel

                        Brandon Declet, Counsel

                   Natalie Nixon, Deputy Chief Clerk

        Deron McElroy, Minority Senior Professional Staff Member

                                  (II)


                            C O N T E N T S

                              ----------
                                                                   Page

                               Statements

The Honorable Jane Harman, a Representative in Congress From the
  State of California, and Chair, Subcommittee on Intelligence,
  Information Sharing, and Terrorism Risk Assessment.............     1
The Honorable David G. Reichert, a Representative in Congress
  From the State of Washington, and Ranking Member, Subcommittee
  on Intelligence, Information Sharing, and Terrorism Risk
  Assessment.....................................................     2

                               Witnesses

Ms. Meredith Fuchs, General Counsel, National Security Archive:
  Oral Statement.................................................     9
  Prepared Statement.............................................    11
Ms. Patrice McDermott, Director, OpenTheGovernment.org:
  Oral Statement.................................................    15
  Prepared Statement.............................................    17
Ms. Caroline Fredrickson, Director, Washington Legislative
  Office, American Civil Liberties Union:
  Oral Statement.................................................    20
  Prepared Statement.............................................    21

                             For the Record

American Civil Liberties Union:
  Letter.........................................................     6
  Letter.........................................................     8


  H.R. 6193, THE ``IMPROVING PUBLIC ACCESS TO DOCUMENTS ACT OF 2008''

                              ----------


                        Wednesday, June 11, 2008

             U.S. House of Representatives,
                    Committee on Homeland Security,
    Subcommittee on Intelligence, Information Sharing, and
                                 Terrorism Risk Assessment,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:06 a.m., in
Room 311, Cannon House Office Building, Hon. Jane Harman [chair
of the subcommittee] presiding.
    Present: Representatives Harman, Langevin, Carney,
Reichert, and Dent.
    Ms. Harman. The subcommittee will come to order.
    We expect other members to arrive shortly. But the Ranking
Member and I are here, and we are ready to begin with our all-
women panel.
    I have to tell you before I do anything else that the
Ranking Member just told me that when he was sheriff in
Washington State, his entire command staff was female, and many
of his other key jobs were held by females, and that, of
course, is why he was successful.
    Ms. McDermott. There you go.
    Ms. Harman. The subcommittee is meeting today to receive
testimony on H.R. 6193, the ``Improving Public Access to
Documents Act of 2008.''
    From the start of the 110th Congress, this subcommittee has
focused on two huge obstacles to accurate, actionable and
timely information-sharing: first, our Nation's broken
classification system; and, second, the explosion in the number
and use of ``sensitive but unclassified'' control markings.
Later today, the subcommittee will take legislative action to
address these twin problems with a markup of H.R. 4806, the
``Reducing Overclassification Act of 2007,'' and a new bill
that is the subject of today's hearing.
    Last Thursday, Dave Reichert and I were joined by six other
members of the Homeland Security Committee in introducing H.R.
6193, the ``Improving Public Access to Documents Act of 2008,''
the so-called IPAD Act. The IPAD Act will give life to the
newly released Controlled Unclassified Information Framework--
that is a mouthful--prepared by the program manager of the
information-sharing environment, Ambassador Ted McNamara, who
is well-known to this subcommittee and who testified before us
on this subject last spring.
    Wherever you are, Ambassador McNamara, we commend you for
crafting a framework that appears to be a workable replacement
for the out-of-control SBU practices, policies and procedures
that have plagued the Federal Government. Indeed, some 28
distinct policies for the protection of ``sensitive but
unclassified'' information presently exist. Security experts
believe that there are more than 100 individual agency control
markings that have stymied both the sharing of unclassified
information within the Intelligence Community and disclosures
of that information to the public.
    Unlike classified records, moreover, there has been no
monitoring of the use or impact of SBU control markings.
Ambassador McNamara's CUI framework promises to bring order to
the chaos. Ranking Member Reichert and I and our Members want
to help. The legislation we have put together requires the
Department of Homeland Security to adopt the new CUI framework
implementation plan with rigorous policy development, training
and auditing requirements. Accountability is what will make
this new approach succeed, and the IPAD Act is aimed at getting
it right.
    After working together on the bill for months and now with
significant input from the privacy, civil liberties and
government oversight communities, we believe the legislation
will make DHS the gold standard when it comes to getting the
CUI framework up and running and working.
    The potential dividends for more and better homeland
security are enormous. Implementing the new framework at DHS
will not only improve information-sharing with the Department's
State, local and tribal partners but also will help decrease
the exorbitant information security costs that the current SBU
regime imposes and undo misguided SBU control marking practices
that needlessly limit public access to information.
    Bottom line, doing this will improve public access to
information. The public has a right to know about material in
many of these documents. These markings cannot be an excuse to
cover material up, to protect somebody's either political
interests or mistakes.
    That is why I am glad to be joined by our three female
witnesses today. Each will be sharing her views on how the IPAD
Act will promote not only more robust information sharing
within Government and with the public, but also more
transparency regarding how our Nation is working to secure
itself from terrorist attacks.
    That transparency will foster greater public confidence by
requiring DHS to keep faith with the Constitution and the rule
of law as it does its work. That may sound a little trite, but
keeping faith with the Constitution and the rule of law may
have been lost in some of these overclassification and pseudo-
classification exercises in recent years.
    I want to thank our Ranking Member and our other Members
for supporting the critical legislation, and look forward to
the witnesses' testimony this morning.
    I now yield to Sheriff Reichert, employee of many senior
females in his past occupation, for his opening remarks.
    Mr. Reichert. Thank you, Madam Chair. I do have to say, we,
in the last year-and-a-half, have developed a great friendship
and a great working relationship, and it is built on trust. I
think, as you hear my opening statement, I will mention that,
because I think the information-sharing system is a system that
must be built on trust also. I think everyone would agree to
that. You know, there are a lot of directions that we come at
this, but it has been a joy and pleasure to work with you,
Madam Chair, on this issue.
    Both of our hearts are at a place where we really believe
that this legislation and some of the others that we will
consider today is very, very important to the protection of our
country and our community and also the protection of our civil
liberties and the rights that we enjoy under the protection of
the Constitution, guaranteed to us by the Constitution.
    My job as the sheriff was to, of course, make sure that
those laws were enforced and that we did protect people and
ensure that their rights were protected too. So here I am in a
little different role but certainly understanding where we are
going with this. I have worked with this at a local level with
a lot of Federal agencies.
    So I want to thank you all for being here today to talk
about H.R. 6193, the ``Improving Public Access to Documents
Act.'' I applaud the intent of this legislation to make sure
that information that needs to be protected remains protected
and information that should be disclosed is available to the
public.
    It is essential that the brand-new controlled unclassified
information, CUI, framework is successful. Designating a
document CUI to protect sensitive information will directly
help fix the overclassification issues and problems that are
rampant in our Federal Government.
    Currently, agencies often overclassify information as
``secret'' because they do not trust the protections for
``official use only'' and ``sensitive but unclassified.''
Because misunderstanding of these markings often leads to
public disclosure of sensitive information, agencies would
rather stamp ``secret'' on the document because they know it
will be protected.
    Consolidating all of these legacy markings under the new
CUI framework will help our Federal Government protect
information in a way that allows for quick sharing with State
and local law enforcement and other public and private
stakeholders that may not have clearances.
    But as I have heard and experienced over and over again,
information sharing, as I said earlier, is really about trust.
We need to ensure that when we implement any final CUI
framework it will not only apply to the Department of Homeland
Security but all Government agencies. We cannot have the FBI or
the CIA and other Federal law enforcement and intelligence
agencies distrusting the process and keeping their information
from DHS. That is a concern that I think both the Chair and I
share.
    As I said, I have witnessed some of this in my days as the
sheriff. Information-sharing breaks down in the same--you know,
as you work with other agencies, if you have a different set of
standards, I have discovered that the FBI, DEA, ATF--of course,
when they supplied information to the sheriff's office back in
my days, they were then subject to the public disclosure laws
of the State of Washington, and therefore the information they
shared with us was open to request. So there was a reluctance
then to share that information. However, we were successful in
some instances in prying that information loose. It was not
easy, however.
    So I look forward to working with all of you. I sure
appreciate you being here this morning, and I look forward to
your testimony.
    Again, it has just been a pleasure to work with the Chair
on these important bills. I yield back the balance of my time.
    Ms. Harman. I thank the Ranking Member for his comments.
Moments of bipartisanship are all too rare around here. As I
was telling our witnesses just before the hearing, I expect
that we will not only have bipartisan support for this bill and
the others I mentioned but unanimous support, as we mark them
up later today. Everyone should focus on that short moment
because, come tomorrow, other things may overtake this. But
this is what Congress should be about, in my view, and that is
working together to solve hard problems. I believe we have a
very good solution before us.
    Other Members have not arrived, so I don't need to announce
that their statements will be inserted for the record.
    I welcome our witnesses this morning.
    Our first witness, Meredith Fuchs, is the general counsel
of the National Security Archive, an independent
nongovernmental research institute and library at the George
Washington University that collects and publishes declassified
documents obtained through the Freedom of Information Act.
    I was talking to Ms. Fuchs about one of the founders of the
National Archive, Scott Armstrong, who has been a witness
before us and who is a valued friend and has been consulted by
us often, as we develop not just this legislation but other
things. I just want to send my enormous wishes to Mr.
Armstrong.
    Ms. Fuchs previously was a partner with the law firm of
Wiley, Rein and Fielding here in Washington, where she
developed a significant e-commerce and privacy practice. She is
a frequent lecturer and author on both data privacy and e-
commerce liability issues. Formerly a Supreme Court assistance
project fellow with the Public Citizen Litigation Group, and
also a law clerk with the U.S. Court of Appeals for the
District of Columbia and the U.S. District Court for the
District of Columbia.
    She is a graduate of New York University School of Law.
    Our second witness, Patrice McDermott, is the director of
OpenTheGovernment.org, an organization that seeks to advance
the public's right to know and to reduce secrecy in government.
    She previously served as the deputy director of the Office
of Government Relations at the American Library Association's
Washington office, where she had lead responsibility for
government information and privacy policy and e-government
policy issues.
    Ms. McDermott has also served as the assistant director for
the Office of Intellectual Freedom of the American Library
Association, taught information politics at Clark Atlanta
University, and worked at the National Archives and Records
Administration.
    She has her doctorate in political science from the
University of Arizona and is the author of ``Who Needs to Know?
The State of Public Access to Federal Government Information.''
    Our third witness, Caroline Fredrickson, is the director of
the Washington legislative office of the ACLU. She is the
organization's top lobbyist and supervises a nearly 60-person
team in promoting ACLU priorities in Congress.
    Ms. Fredrickson has years of experience as a senior staffer
on Capitol Hill, having previously served as chief of staff for
Senator Maria Cantwell and as deputy chief of staff to Senate
Minority Leader Tom Daschle.
    In 1998 and 1999, she was special assistant to the
President for legislative affairs, a position that required her
to work closely with both parties in the Senate to forge
bipartisan agreements on the White House's legislative
priorities.
    Ms. Fredrickson is a Colombia University Law School
graduate, where she was a Harlan Fiske scholar.
    Without objection, the witnesses' full statements will be
inserted in the record. I understand we have some letters of
support for the bill from both the organizations you represent
and other organizations. Without objection, they, too, will be
inserted in the record.
    [The information follows:]

    

    

    

    

    Ms. Harman. I would now ask Ms. Fuchs to summarize her
statement for 5 minutes. I would point out that there is a
little clock that will start ticking off the time. When it
starts blinking red, please conclude.

STATEMENT OF MEREDITH FUCHS, GENERAL COUNSEL, NATIONAL SECURITY
                            ARCHIVE

    Ms. Fuchs. Thank you. Good morning, Chairwoman Harman and
Mr. Reichert. Thank you for this opportunity to testify about
the ``Improving Public Access to Documents Act of 2008.''
    I represent the National Security Archive, a
nongovernmental research institute at George Washington
University. The archive conducted a governmentwide comparison
of ``sensitive but unclassified'' control-labeled policies in
2006, and we concluded that the SBU practices of agencies could
interfere with information-sharing and be abused for
administrative convenience or to cover up information.
    As the leading nonprofit user of the Freedom of Information
Act and other programs designed to release information, the
Archive is concerned about the impending implementation of the
Controlled Unclassified Information Framework that is described
in the President's May 9 memorandum. I will call it the CUI
framework for short.
    I submitted written comments for the record, and this
subcommittee is already well aware of the dangerous impact of
the proliferation of ``sensitive but unclassified'' record
control labels both on information-sharing and public
disclosure. So in my summary statement today, I would like to
focus only on a couple of key points.
    First, the CUI framework perpetuates and extends a system
of information control that has been abused in the past and
left us vulnerable to harm in the past. While the establishment
of trusted pathways for information is obviously essential to
coordination amongst Federal, State, local and tribal
governments and private parties, those pathways are susceptible
to manipulation and failure, just as individual agencies that
jealously guard their secrets and turf.
    True information-sharing is best accomplished by the
elimination of unnecessary secrecy and the minimization of
information controls. The perspective adopted in the CUI
framework, that the public should be left out of homeland
security and terrorism matters, ignores the reality that the
public will be affected by any attacks, has an interest in
preventing attacks, and needs information to protect their
families when first preventers and first responders are
unavailable.
    Think about the crime reports that most of us receive in
our communities. When we learn that our community is being
targeted, we can take measures to protect ourselves. In other
words, sometimes information should be made available to the
public not because of a Freedom of Information Act requests but
simply because the public needs it. I hope this CUI framework
does not lead to situations where such information is withheld
or delayed because of a fear that it should stay secret. Thus,
the provision in this bill requiring DHS to consult with public
interest organizations helps bring the public back into the
recognized stakeholder community.
    Although this CUI framework itself has laudable and
important goals, it does not include measures to reduce
information control labelling and secrecy. Several of the
provisions of H.R. 6193 that are designed to discourage
unnecessary labelling are much-needed. We hope they are
included in the National Archives implementing regulations for
the CUI framework.
    In particular, the establishment of a system for employee
challenges to improper labelling, including incentives and
rewards for challenges, is an internal check on abuse. The
requirement that a list be maintained and available of records
with CUI labels and the provision for Inspector General audits
will remind information controllers that their decisions are
subject to review. In addition, limiting the number of
controllers will ensure that those who are granted the
authority to put a CUI label on a record can be better trained
and supervised.
    I suggest one other measure be considered. The CUI
framework does not provide any substantive definition of CUI.
It merely is information pertinent to U.S. national interests
or other important interests that requires protection. That is
a broad description, and it is eventually going to be defined
within each agency based on the type of information that agency
handles.
    Agencies will be far more likely to define categories of
CUI in a narrow fashion if their designations are subject to
public review and comment. Accordingly, I recommend that DHS be
required to provide transparency as it developed its
substantive criteria for a CUI label.
    My second concern--and I am going to close with this one--
is that the CUI framework will have an impact on FOIA
decisionmaking. The CUI label, in fact, should not really
inform or otherwise influence FOIA release decisions. This bill
is helpful for making that clear.
    The CUI label has no duration. It does not recognize
changes in factual circumstances. It doesn't consider a FOIA
requester's identity or their reason for requesting the record
or changes in FOIA policy concerning discretionary release of
information. There is no basis in FOIA for any other statute to
add as a new criterion a CUI label.
    Each of those items I talked about are things that are
considered in FOIA release decisions, and with the CUI label
being considered, it could wait against release.
    I spelled out more details in my written statement about
this, and I will not repeat them now, other than to urge you to
make the legislative history on this point clear: CUI should
not have an impact on FOIA.
    This bill provides protection against abuse of the new CUI
framework and would make the framework work better. I do hope
that it will be adopted Government-wide. I thank you for
permitting me to testify, and I am happy to respond to your
questions.
    [The statement of Ms. Fuchs follows:]
                  Prepared Statement of Meredith Fuchs
                             June 11, 2008

    Thank you Chairwoman Harman, Mr. Reichert, and Members of the
subcommittee for this opportunity to comment on the ``Improving Public
Access to Documents Act of 2008.''
    I represent the National Security Archive, a non-governmental
research institute at George Washington University. The Archive is one
of the leading non-profit users of the Freedom of Information Act
(FOIA) and the mandatory declassification review process, and relies on
releases of government records to document important U.S. foreign
relations, national security, and intelligence policy matters in our
many publications.
    In 2006 the Archive issued a report entitled: ``Pseudo-Secrets: A
Freedom of Information Audit of the U.S. Government's Policies on
Sensitive but Unclassified Information,'' which was the first
Government-wide comparison of the ways that Federal agencies mark and
protect unclassified, but sensitive, materials.\1\ That report
identified 28 different and uncoordinated control marking policies with
no system to monitor or report on the use of control markings, no
challenge or appeal mechanism to remove such markings, no ``sunset''
for the duration of most markings, few limits on who is authorized to
put a control marking on material, and few limits on improper labeling
of materials. The Archive's Director Tom Blanton testified before the
Subcommittee on Emerging Threats of the House of Representatives
Committee on Government Reform that the report concluded that neither
the Congress nor the public could conclude whether the sensitive but
unclassified policies were working to safeguard security or being
abused for administrative convenience or cover-up. Indeed one of the
government witnesses at that hearing acknowledged that there was no way
to count or estimate the frequency of use of control markings.
---------------------------------------------------------------------------
    \1\ National Security Archive, ``Pseudo-Secrets: A Freedom of
Information Audit of the U.S. Government's Policies on Sensitive but
Unclassified Information,'' (March 14, 2006), available at http://
www.gwu.edu/ nsarchiv/NSAEBB/NSAEBB183/press.htm.
---------------------------------------------------------------------------
    I thank the subcommittee for its efforts to improve interagency
information sharing and to simultaneously protect the public's access
to government information. History teaches us that government secrecy
is a natural bureaucratic tendency, although it is often intensified
during times of perceived danger. As the National Commission on
Terrorist Attacks Upon the United States (``9/11 Commission'') found,
prior to the September 11, 2001, attacks on our Nation, the
Government's intelligence and law enforcement communities too often
controlled information to the detriment of effective security. In
reaction to those attacks, agencies developed new forms of secrecy out
of concern that sensitive information could reach the wrong hands, thus
perpetuating the same problem that left the United States vulnerable to
attack. It is against that background that Congress directed the
President in the Intelligence Reform and Terrorism Prevention Act of
2004 to create an Information Sharing Environment that facilitates the
sharing of terrorism information. While there are reflexive actions
such as a short-term reduction in information disclosure that can be
expected in the wake of a tragedy like the 9/11 attacks, the multi-year
and multi-stakeholder process of developing the ISE had the benefit of
resources and broad stakeholder input to reach a better balancing of
all the relevant public interests.
    The President's long-awaited Memorandum for the Heads of Executive
Departments and Agencies on the Sharing of Controlled Unclassified
Information (May 9, 2008) (the ``Presidential Memorandum'') and the CUI
Framework, which is the name being given to the policies and procedures
that govern handling of what will now be called Controlled Unclassified
Information (CUI), are responsive to some of the concerns that open
government advocates have expressed about the proliferation of varied
categories of sensitive but unclassified information.
    Thus, over time, the Framework should reduce the over 100 different
record control labels used throughout the Federal Government down to
three primary labels with limits on the unnecessary expansion of that
number of labels. The procedures for handling materials marked with the
new labels set forth under the CUI Framework will be uniform across
agencies. If properly implemented, the CUI Framework should undoubtedly
improve the ability of agencies to share information with other
agencies, as well as State, local, and tribal officials, and other
parties. Further, the Framework should make it easier for members of
the public to understand the significance of CUI labels so that the
labeling of records may not appear as arbitrary and inappropriate as it
has in the past.
    On the other hand, many of the most critical concerns of the open
government community are not specifically addressed in the CUI
Framework. I would like to address two broad concerns and discuss how
the ``Improving Public Access to Documents Act of 2008'' (H.R. 6193)
would have an impact on these concerns. I also hope that many of these
issues will be addressed in the implementing regulations of the
Executive Agent of the CUI Framework, the National Archives and Records
Administration (NARA), as this bill would apply only to the Department
of Homeland Security.

        THE PROBLEM OF UNNECESSARY CONTROL LABELING OF MATERIALS

    The CUI Framework focuses on standardization of CUI practices
without sufficient attention to the need to reduce unnecessary
protection of information. For example, in its statement of purpose,
the Presidential Memorandum makes no mention of reducing the use of
CUI-type labeling.
    True information sharing is best accomplished by the elimination of
unnecessary secrecy and information controls. We know well from the
security classification realm that too much information is made secret
when there are no incentives to reduce secrecy. In the classified area,
authorities typically protect classifiable information (and sometimes
information that does not even merit classification) without any
consideration of the costs to national security or to the public
interest incurred by the classification. Indeed, numerous high level
Government officials from then-Secretary of Defense Donald Rumsfeld,\2\
to then-Chair of the House Permanent Select Committee on Intelligence
Porter Goss,\3\ to the Deputy Secretary of Defense for
Counterintelligence and Security,\4\ have recognized that a tremendous
amount of information is improperly and unnecessarily classified. The
cost of such over-classification also has been acknowledged within
Government. Overclassification interferes with information sharing,
breeds contempt for the security classification system, is
undemocratic, and unnecessarily expends taxpayer funds.
---------------------------------------------------------------------------
    \2\ Donald Rumsfeld, War of the Worlds, Wall St. J., July 18, 2005,
at A12 (``I have long believed that too much material is classified
across the Federal Government as a general rule . . .'').
    \3\ 9/11 Commission Hearing, (Testimony of then Chair of the House
Permanent Select Committee on Intelligence Porter Goss) (2003), http://
www.9-11commission.gov/archive/hearing2/9-11Commission_Hearing_2003-05-
22.htm#panel_two (``[W]e overclassify very badly. There's a lot of
gratuitous classification going on, and there are a variety of reasons
for them.'').
    \4\ Subcommittee on National Security, Emerging Threats and
International Relations of the House Committee on Gov't Reform Hearing,
108th Cong. (2004) (testimony of Carol A. Haave), http://www.fas.org/
sgp/congress/2004/082404transcript.pdf (stating under repeated
questioning from Members of Congress that approximately 50 percent of
classification decisions are over-classifications).
---------------------------------------------------------------------------
    CUI certainly is vulnerable to the same unnecessary secrecy.
Currently, all records within an agency may receive an FOUO (for
official use only) or OUO (official use only) label simply because the
record is an official government record. The CUI Framework sketched out
in the Presidential Memorandum does not confront this problem directly.
It provides only the barest explanation of what can substantively be
called CUI: information that is ``pertinent'' to U.S. national
interests or ``important interests'' of other entities and ``requires
protection.'' President's Memorandum   3(a). Thus, CUI is an easily
expandable concept.
    There are, however, some touchstones in the President's Memorandum
to support additional measures to reduce unnecessary control labeling.
The Memorandum provides for portion marking where feasible, rather than
the marking of complete documents when the material contains both CUI
and non-CUI. Id.   15. It also provides that information should not be
labeled as CUI for an improper purpose. Id.   26. The Presidential
Memorandum further provides that if information is required to be made
public or has already been released then it may not be labeled CUI and
that non-CUI should not be subject to handling and dissemination
controls. Id.    18 and 26. The Background on the Controlled
Unclassified Information Framework (May 20, 2008) provides further
support, as it recognizes the goal of ``control[ling] only information
that should be controlled.''\5\
---------------------------------------------------------------------------
    \5\ Indeed, we are pleased that the Archivist of the United States,
as the head of the Executive Agent NARA, has directed the office that
will implement the framework ``to ensure that only information which
genuinely requires the protections afforded by the President's
memorandum will be introduced into the CUI Framework.'' NARA Press
Release (May 22, 2008); see also Memorandum of Allen Weinstein,
Archivist of the United States to the Executive Department and Agencies
on the Establishment of the Controlled Unclassified Information Office
(May 21, 2008). We hope that NARA's implementing regulations will
include this goal and will include many of the good ideas included in
H.R. 6193 to help accomplish this goal across the entire Federal
Government.
---------------------------------------------------------------------------
    None of those provisions, however, directly counteract the many
incentives to insert a control marking on a government record. For
example, there are enforcement mechanisms and penalties built in to the
CUI framework, id.   22(i) and 24(g), that fail to mention the
possibility that they would apply to improper or unnecessary labeling.
H.R. 6193 adds several additional requirements with respect to the
Department of Homeland Security's CUI program that may, if enacted into
law and implemented, be far more likely than the Presidential
Memorandum to reduce the labeling of records as CUI.
    First, H.R. 6193 recognizes that the harmful impacts of excessive
secrecy include interference with inter-agency information sharing, as
well as increased costs of information security and obstacles to the
release of information to the public. H.R. 6193, Findings   2(1). Those
findings provide a critical context for the CUI Framework because they
encourage the Department to move away from the flawed and dangerous
``secrecy equals security'' paradigm. When considered in conjunction
with the instruction to the Secretary of Homeland Security to implement
the CUI Framework in a manner that would ``maximize the disclosure to
the public'' of information and to consult with ``organizations with
expertise in civil liberties, civil rights, and government oversight,''
id.   3 (210F(a)), the bill should encourage consideration of the costs
of secrecy and of the benefits of disclosure, which are too often
absent from government disclosure decisionmaking. Moreover, the
requirement that DHS consult with public interest, non-governmental
organizations recognizes the reality that members of the public are
stakeholders who care about the effectiveness of the CUI Framework and
about protecting important rights.
    Second, the establishment of a system that permits employee
challenges to the use of CUI markings and rewards appropriate use of
the challenge procedure will put in an internal check on abuses of the
CUI labeling framework at the Department. This is a necessary
counterbalance to the incentives included in the Presidential
Memorandum to err on the side of marking information as CUI, such as
the enforcement and penalty provisions and the requirement that
disclosure of CUI be reported to the originating agency. The internal
check on over-controlling information could be substantially
strengthened by a specific requirement that the Inspector General
audits of the CUI program assess the extent that the control labels are
used unnecessarily or excessively.
    Third, the legislation provides for a publicly available list of
materials marked as CUI that notes whether they have been withheld
under the FOIA and a process for the public to challenge such CUI
markings. Importantly, this requirement will discourage thoughtless use
of the CUI stamp. Personnel with authority to label records as
controlled will take a moment to consider whether the label is
necessary if they know that their decision will be tracked and
reviewable.
    Fourth, the bill's requirement that the Department limit the number
of people who can put a control stamp on materials will decrease the
unnecessary labeling of materials. The Archive's 2006 study determined
that the Department of Homeland Security permits any employee to
designate sensitive unclassified information for protection. Under the
bill, the Department would have to limit the individuals with authority
to use control markings and ensure they are properly trained in the
appropriate use of such markings.
    In addition to these many useful limits on the expansion of CUI, we
recommend that the bill require the Department to provide transparency
regarding any new directives, regulations, or guidance promulgated
pursuant to the Presidential Memorandum and provided to the Executive
Agent that relate to the substantive description of what will be
labeled as CUI within the Department. Public notice and comment
regarding the definition of CUI at DHS will increase the likelihood
that such measures would be narrowly tailored.

                IMPACT ON THE FREEDOM OF INFORMATION ACT

    My second major area of comment is the need to build in mechanisms
to discourage agencies from treating CUI labels as de facto
determinations of FOIA exemption. Prior to the issuance of the
Presidential Memorandum, agencies were split as to whether SBU labels
were relevant to FOIA determinations. Some agencies only labeled
records as SBU if a FOIA exemption applied. Others claimed SBU had
nothing to do with FOIA. The Memorandum says that a control label ``may
inform but do[es] not control'' the decision whether to disclose
information under the FOIA. There are several problems with this
formulation.
    First, the applicability of FOIA exemptions changes over time. For
example, a record classified under Executive Order 12958 one day may be
declassified a year later.\6\ Similarly, a law enforcement
investigation may end, rendering records about the investigation newly
releasable. Yet, CUI control labels do not have expiration dates or
take account of changing circumstances.
---------------------------------------------------------------------------
    \6\ See Exec. Order No. 12,958 (as amended by Exec. Order No.
13,292), 68 Fed. Reg. 15315 (Mar. 25, 2003).
---------------------------------------------------------------------------
    Second, FOIA policy changes over time, as illustrated by the
different policy memoranda issued by Attorney General Reno and Attorney
General Ashcroft.\7\ Thus, Government agencies may change their policy
with respect to making discretionary releases under the FOIA and the
CUI label will not incorporate any consideration of these policy
changes.
---------------------------------------------------------------------------
    \7\ See New Attorney General FOIA Memorandum Issued, FOIA Post
(Department of Justice, Washington, DC), Oct. 15, 2001, http://
www.usdoj.gov/oip/foiapost/2001foiapost19.htm.
---------------------------------------------------------------------------
    Third, the identity of the requester and the reason for the request
may affect the releasability of the record under FOIA. For example, in
cases raising privacy issues, the identity of the requester may affect
whether an agency would conclude that there is a ``clearly unwarranted
invasion of privacy'' under Exemption 6 or an ``unwarranted invasion of
privacy'' under Exemption 7(C) of the FOIA. 5 U.S.C.    552(b)(6) and
(b)(7)(C). The purpose for which the record is sought also is relevant
under the privacy exemptions because it informs the evaluation of the
public interest served by the requested release.
    For all of these reasons, any consideration of a CUI label in the
FOIA process presents a true risk that the label may weight disclosure
decisions against disclosure even when the FOIA exemptions would no
longer apply.
    H.R. 6193 would encourage the Department to base its disclosure
decisions on the presumption that its records are public absent a
legitimate reason not to disclose the record. This perspective properly
places the burden on the Department to justify non-disclosure, rather
than on the public to justify why a record should not be withheld. The
most critical parts of the bill are the provision that ``controlled
unclassified information markings are not a determinant of public
disclosure pursuant to [the FOIA],'' H.R. 6193   3 (210F(c)(3)(D)) and
the provision which provides that the Secretary make available to the
public under FOIA ``all controlled unclassified information and other
unclassified information in its possession.'' Id.   3 (Section
210F(d)).
    The existing standards in the classification system and the FOIA
system for disclosure are sufficiently broad to address the need to
protect sensitive information. They apply Government-wide and are not
subject to the whims of a particular agency. That will not be the case
with CUI, which will be substantively defined by each agency within its
discretion. There is no congressional or Presidential mandate to label
any particular records as CUI. It is, at best, an administrative
management measure by agencies to help them communicated better with
each other. Further, as mentioned above, the FOIA standards recognize
the expiration of sensitivities, while the CUI Framework does not.
Without the two provisions barring the CUI Framework from having an
impact on FOIA disclosure the bill will have only a negligible impact
on preservation of the public right to know.
    Indeed, I recommend the subcommittee consider going even further to
ensure that FOIA disclosure is not impacted by the CUI Framework.
Although the Presidential Memorandum makes clear that CUI is not
intended to act as a security classification standard,\8\ the
systematization of the CUI Framework may elevate the status of the
previously disorganized SBU system for agencies, Congress, and the
courts. I recommend adding a clear statement that the CUI label does
not warrant judicial deference relating to public disclosure of
materials. As noted above, the substantive requirements for a CUI label
will be decided by each agency pursuant to its own perspective. There
is no basis for a court to defer on the question of whether a CUI
record is properly withheld from the public. Courts should continue to
look to the well-established standards of the Executive Order on
Classification, EO 12958, as amended, and the FOIA.
---------------------------------------------------------------------------
    \8\ Presidential Memorandum   1 (``The memorandum's purpose . . .
[is] not to classify or declassify new or additional information'');
id.   3(a) (CUI is unclassified information that ``does not meet the
standards for National Security Classification under Executive Order
12958, as amended'').
---------------------------------------------------------------------------
    Thank you for the opportunity to testify. I would be happy to
respond to your questions.

    Ms. Harman. Thank you very much.
    Ms. McDermott, please summarize your statement in 5
minutes.

STATEMENT OF PATRICE MCDERMOTT, DIRECTOR, OPENTHEGOVERNMENT.ORG

    Ms. McDermott. Thank you. Good morning. Thank you,
Chairwoman Harman and Mr. Reichert, for the opportunity to
speak today on the proposed legislation.
    In March 1972, speaking about his executive order on
national security classification, President Richard Nixon noted
that, ``When information which properly belongs to the public
is systematically withheld by those in power, the people soon
become ignorant of their own rights, distrustful of those who
manage them, and eventually incapable of determining their own
destinies.'' He had it right then, and it is still true now.
    A month ago, as you know, the White House issued a
memorandum to all heads of executive departments and agencies
that intends to contain and constrain the proliferation of
unclassified control markings within the information-sharing
environment. The goal is to standardize practices to facilitate
and enhance the sharing of what is now called controlled
unclassified information, but only with and among those who are
already sending and receiving it.
    I would like to make three points about the implementation
of that memorandum, with the focus on your legislation to
direct how it is implemented at the Department of Homeland
Security.
    First of all, the default must be openness. We are very
pleased that you have designated your legislation as the
``Improving Public Access to Documents Act,'' although, as you
know, the name alone will not determine the reality.
    As noted in the findings section, the proliferation of SBU
control markings needlessly limits public access to information
and increases the costs of information security, which are
already extraordinarily high. Indeed, assessing the costs
associated with creating and safeguarding CUI are something
that you may want to consider adding to the important auditing
mechanism that this bill creates.
    The White House memorandum makes only a minimal nod toward
public access and no acknowledgement of the benefits of
openness to our society and to our safety. This bill takes
important steps toward ensuring that those benefits are
considered in decisions about whether and how to put controls
on access and disclosure of information that might be
considered CUI.
    The default bureaucratic position is to not take risk.
Unfortunately that message has been given to officials in our
government, that openness is risky. This is not only a
dangerous mindset in an open society, but, as you note, it
stands in the way of a safer and more secure homeland. We are
all agreed that there is information that does need to be
protected for some time. The tension, though, is not between
openness and security. It is between information control for
bureaucratic turf, power and, more than occasionally, political
reasons and the reality that empowering the public makes us
safer.
    To counter the impulse toward nondisclosure, the bill has
three provisions we think are very important. We urge you to
protect these provisions throughout the legislative process to
ensure their inclusion in any final legislation that may be
signed into law.
    The first of these establishes that CUI markings are not a
determinant of public disclosure pursuant to FOIA. As I noted
in my submitted written testimony, a 2006 GAO report clearly
indicated that agencies think of the several FOIA exemptions,
the current FOIA exemptions, as creating control categories.
They consider them CUI. The effect on access to information
through FOIA has been pernicious.
    To ensure that this provision is properly implemented, the
legislation contains two critically important requirements: to
maintain a publicly available list of documents designated and
marked in whole or part as CUI and indicating which have been
withheld in response to a request; and to create a process
through which the public may seek the removal of such a
designation and marking. Both of those are entirely absent in
the White House framework.
    This list of documents is essential not only for ensuring
that CUI markings do not preclude disclosure under FOIA but as
a critical tool for oversight and for maintaining a check on
agencies' demonstrated impulse to overcontrol and overdesignate
information.
    From our perspective, the focus on FOIA, while critical,
should not obscure that this is a fallback channel for public
access to agency information on homeland security and related
topics. If disclosure under FOIA is seen as the primary
alternative to classification or control, an impossible burden
may be placed on the FOIA process.
    The second key set of provisions concerns controlling the
controllers. Ms. Fuchs has addressed some of these. The
tracking of employees' markings and use and the ability and the
requirement that the Department consult with outsiders, with
other stakeholders, and also that this plays a role in
determining how many people have designation authority.
    We also urge you to protect throughout the legislative
process, as Ms. Fuchs noted, the inclusion of outside groups,
public interest groups, because these help to promote trust and
accountability.
    Third, information sharing must include the public. We have
experienced a trend in our country away from trusting the
public to a need-to-know mindset. We need to move away from
that, and this legislation takes an important step toward doing
that.
    We look forward to opportunities to work with you on this
bill and to ensure that this legislation begins the process of
ensuring that public access to documents including CUI is truly
improved.
    Thank you again for this opportunity, and I would be
pleased to answer any questions.
    [The statement of Ms. McDermott follows:]

                Prepared Statement of Patrice McDermott
                             June 11, 2008

    Thank you, Chairwoman Harman, Mr. Reichert, and Members of the
subcommittee, for the opportunity to speak today on the proposed
legislation that would require the implementation of the Controlled
Unclassified Information framework within the Department of Homeland
Security in a manner that will ensure, promote and improve public
access to documents within, and those shared with and by, the
Department.
    My name is Patrice McDermott. I am the Director of
OpenTheGovernment.org, a coalition of consumer and good government
groups, library associations, journalists, environmentalists, labor
organizations and others united to make the Federal Government a more
open place in order to make us safer, strengthen public trust in
Government, and support our democratic principles.

                               BACKGROUND

``Fundamental to our way of life is the belief that when information
which properly belongs to the public is systematically withheld by
those in power, the people soon become ignorant of their own rights,
distrustful of those who manage them, and--eventually--incapable of
determining their own destinies.''

    The author of that statement was Richard M. Nixon in March 1972, in
his ``Statement on Establishing a New System of Classification and
Declassification of Government Documents Relating to National
Security.'' President Nixon had it right.
    Three years ago, in our 2005 Secrecy Report Card,\1\ we identified
50 types of restrictions on unclassified information, implemented
through laws, regulations or mere assertions by government officials
that information should not be released to the public. These
designations fall entirely outside the national security classification
system, which is governed by executive order, and they are subject to
none of its constraints or timelines.
---------------------------------------------------------------------------
    \1\ http://www.openthegovernment.org/otg/SRC2007.pdf.
---------------------------------------------------------------------------
    GAO, in a 2006 report,\2\ identified 56 designations. While
different agencies may use the same marking to denote information that
is to be handled as SBU, a chosen category of information is often
defined differently from agency to agency, and agencies may impose
different handling requirements. Some of these marking and handling
procedures are not only inconsistent, but are contradictory. Some
protections are necessary for unclassified information, such as
personal privacy information or trade secrets--which are protected by
statutes and exemptions to the FOIA that openly cover them.
---------------------------------------------------------------------------
    \2\ GAO: March 2006: Information Sharing: The Federal Government
Needs to Establish Policies and Processes for Sharing Terrorism-Related
and Sensitive but Unclassified Information: GAO-06-385 http://
www.gao.gov/new.items/d06385.pdf.
---------------------------------------------------------------------------
    GAO found that more than half the agencies reported challenges in
sharing such information. Thirteen agencies designate information For
Official Use Only, which does not have prescribed criteria. Sometimes
agencies used different labels and handling requirements for similar
information and, conversely, similar labels and requirements for very
different kinds of information. The numerous designations can be
confusing for recipients of this information, such as State and local
law enforcement agencies, which must understand and protect the
information according to each agency's own rules. It is clear that the
unconstrained proliferation of these tags has not been a boon to
sharing--or to the safety and security of the American public.
    Most of the agencies GAO reviewed have no policies for determining
who and how many employees should have authority to make sensitive but
unclassified designations, providing them training on how to make these
designations, or performing periodic reviews to determine how well
their practices are working. They seem to be applied with little
thought and, according to a 2005 New York Times story,\3\ employees
could visit the agency's Web site and easily print out a bright-yellow
``sensitive security information'' cover sheet.
---------------------------------------------------------------------------
    \3\ http://www.nytimes.com/2005/07/03/politics/03secrecy.html.
---------------------------------------------------------------------------
    Also, clearly not all of the categories listed by the agencies in
GAO's report should be included as ``sensitive but unclassified''
designations. Exemptions created by the Freedom of Information Act
(other than by what are called (b)(3) statutes) and the Privacy Act do
not logically constitute what we understand as SBU-like designations
(i.e., as generally having little grounding in statute and as limiting
access to otherwise public information). Nevertheless, the agencies
apparently think of them in this way. It is important to note that the
new Controlled Unclassified Information (CUI) Framework recently
announced will apply only to agency-generated markings. It will not
apply to statutorily created restrictions, including (b)(3) exemptions
to the Freedom of Information Act--which are also proliferating.
    As you know, the White House issued a Memorandum to all heads of
executive departments and agencies a month ago. The intent of the
Memorandum is to contain and constrain the proliferation of
unclassified control markings--within the Information Sharing
Environment. The goal is to standardize practices to facilitate and
enhance the sharing of what is now called Controlled Unclassified
Information, but only with and among those who are already sending and
receiving it.

                        DEFAULT MUST BE OPENNESS

    We are very pleased that you have designated your legislation as
the ``Improving Public Access to Documents Act of 2008''. As you note
in the Findings section, the proliferation of SBU control markings
needlessly limits public access to information, and increases the costs
of information security, which are already extraordinarily high.
Indeed, assessing the costs associated with creating and safeguarding
CUI are something that you may want to consider adding to the important
auditing mechanism this bill creates.
    The White House Memorandum makes only a minimal nod toward public
access and no acknowledgement of the benefits of openness to our
society and to our safety. This bill takes important steps toward
ensuring that those benefits are considered in decisions about whether
and how to put controls on access and disclosure of information that
might be considered as CUI.
    The default bureaucratic position is to not take risks.
Unfortunately, the message that has been given to officials in our
government is that openness is risky. This is not only a dangerous
mindset in an open society, but, as the findings to the legislation
under discussion today note, it stands in the way of a safer and more
secure homeland. We are all agreed that there is information that does
need to be protected for some period of time. The tension, though, is
not between openness and security; it is between information control
for bureaucratic turf, power, and more than occasionally political
reasons and the reality that empowering the public makes us safer.
Secrecy does not make for a more secure society; it makes for a more
vulnerable society and less accountable governments.
    To counter the impulse toward non-disclosure, the bill has three
provisions that we think are very important. We urge you to protect
these provisions throughout the legislative process to ensure their
inclusion in any final legislation that may be signed into law.
    The first set of these establishes that CUI markings are not a
determinant of public disclosure pursuant to the Freedom of Information
Act. As I noted earlier, the 2006 GAO clearly indicated that the
agencies think of several of the FOI exemptions as creating control
categories. The effect on access to information through FOIA has been
pernicious, from what we have heard from the requestor community. To
ensure that this provision is properly implemented, the legislation
contains two critically important requirements. The Department is
required to:
   maintain a publicly available list of documents designated
        and marked, in whole or in part, as controlled unclassified
        information, indicating which have been withheld in response to
        a request made pursuant to section 552 of title 5, United
        States Code (commonly referred to as the ``Freedom of
        Information Act''); and
   create a process through which the public may seek the
        removal of such a designation and marking.
    The list of documents is essential not only for ensuring that CUI
markings do not preclude disclosure under the FOIA, but also as a
critical tool for oversight and for maintaining a check on agencies'
demonstrated impulse to over-control and over-designate information.
    The creation of a process empowering employees to challenge the use
of CUI marking and to be rewarded for successful challenges resulting
in the removal of the markings is an additional safeguard of public
accountability. It is critical, however, that the legislation also
ensure that employees do not face reprisals for protecting openness.
The legislation should clarify that disclosures of any violation of
applicable procedures, including those made in the course of an
employee's routine job duties or in the context of an Inspector General
audit, are protected under the Whistleblower Protection Act (WPA). Over
the years, employees routinely have lost whistleblower retaliation
cases because of activist interpretations of the whistleblower law that
removed protection for employees in similar contexts. Employees need to
know they will be protected from reprisal for helping to enforce the
provisions of this act.
    The second key set of provisions, critical to ensuring maximal
openness, concerns controlling the controllers. The legislation takes
two strong steps in this direction. The first is a requirement that the
Department's CUI framework ensure that the number of Department
employees and contractors with original and derivative CUI designation
authority is appropriately limited--as determined through consultation
with stakeholders designated in the bill.
    The second provision requires the tracking, by particular employee,
of the marking of documents, when and how they are shared, and the
misuse of CUI marking. This capability is key both to the IG auditing
mechanism established by the bill and to evaluation and promotion
decisions about individual employees.
    These are each important improvements on the White House Memorandum
and we will urge NARA to adopt them for governmentwide implementation.

                  PROCESS MUST BE AS OPEN AS POSSIBLE

    The third key provision that we urge you to protect throughout the
legislative process is the inclusion of organizations with expertise in
civil rights, civil liberties, and government oversight in the list of
those with whom the Department must consult in the development of
policies, procedures and programs to implement the CUI framework within
the Department. Meaningful engagement with such organizations is
critical both to ensure the proper implementation of the important
provisions of the legislation noted above, and to foster public trust
in the application of the markings and the information that is shared
within the information-sharing environment.
    The White House Memorandum enshrines the practice to date, which is
to include only State, local, tribal, and private sector entities in
the process. The argument made to those of us on the outside is that
only these entities have responsibility for marking and handling CUI.
This committee understands that the benefits of openness and the risks
to privacy, civil rights, and civil liberties can easily be lost or
forgotten in such inner-circle discussions. Members of the public are
also stakeholders in this process.

              INFORMATION SHARING MUST INCLUDE THE PUBLIC

    We have experienced a trend in our country away from trust in the
public to a ``need-to-know'' mindset. A few, primarily Federal,
departments and entities have either, in a few cases, been designated
or have arrogated to themselves the power to say who has a need-to-know
and only governments and a few private sector entities have been deemed
worthy. The public and the press have been almost entirely excluded. At
one point, the Department of Homeland Security even attempted to make
congressional staff sign non-disclosure agreements in order to prove
they could be trusted into the inner circle of those legitimate few.
    Again, there is absolutely some finite amount of information that,
for a certain amount of time, needs to be shared only in a limited
fashion. The problem for the public is that we have ``translucence, not
transparency, i.e., transparency within the network, but opacity to
those outside.''\4\ The ``need-to-share'' cannot be limited to agencies
within governments and defense and homeland security contractors; it
also must include, to the greatest extent possible, sharing relevant
information with the public. The White House Memorandum and this
legislation both recognize this by requiring ``portion marking,'' so
that information in a document that is eligible for disclosure can be
made public.
---------------------------------------------------------------------------
    \4\ Elizabeth Rindskopf Parker, ``Translucence Not Transparency:
Reviewing Alasdair Roberts, Blacked Out: Government Secrecy In The
Information Age.'' I/S: A Journal Of Law And Policy For The Information
Society, Vol. 2, Issue 1 (2006). http://www.is-journal.org/V02I01/
2ISJLP141.pdf.
---------------------------------------------------------------------------
    We look forward to opportunities to work with you on this bill and
to ensure that this legislation begins the process of ensuring that
public access to documents, including CUI, within the Department of
Homeland Security is truly improved.
    Thank you, again, for this opportunity to discuss this critical
issue and your bill. I will be pleased to answer any questions.

    Ms. Harman. Thank you very much.
    Ms. Fredrickson, please summarize your testimony in 5
minutes.

    STATEMENT OF CAROLINE FREDRICKSON, DIRECTOR, WASHINGTON
       LEGISLATIVE OFFICE, AMERICAN CIVIL LIBERTIES UNION

    Ms. Fredrickson. Good morning, Chair Harman, Ranking Member
Reichert, Members of the subcommittee.
    Thank you so much for this opportunity to testify on behalf
of the American Civil Liberties Union about an issue of
critical importance to all Americans, the right of the people
to know what our Government is doing. I also would say I
appreciate very much the opportunity to testify with such a
distinguished panel.
    We testified today in support of the ``Improving Public
Access to Documents Act of 2008,'' which would create a more
accountable government by compelling the Department of Homeland
Security to develop policies to limit and regulate the Federal
Government's use of control markings on unclassified documents.
This important bill makes clear that controlled unclassified
information, or CUI, can be shared with State, local and tribal
governments, the private sector and the public, as appropriate.
    Our Nation has often faced grave threats to our security
but has recognized that abandoning our fundamental democratic
principles does not make us stronger. During the height of the
Cold War, President John F. Kennedy said, ``The very word
`secrecy' is repugnant in a free and open society.'' We decided
long ago that the dangers of excessive and unwarranted
concealment of pertinent facts far outweighed the dangers which
are cited to justify it.
    Despite the near-universal recognition that the failure to
effectively share information was a contributing factor in the
intelligence breakdowns that led to 9/11, Government agencies
have increasingly been using unregulated control designations
that restrict the free flow of information and increase
confusion regarding what information may be shared, with whom
and how.
    Testimony before this subcommittee last year revealed that
20 Federal agencies use at least 107 different control
markings. All the information subject to these 107 unregulated
control markings is, by law, unclassified. Federal agencies
began using control markings on unclassified documents they
considered sensitive in the 1970's, but the term ``sensitive
but unclassified,'' or SBU, has never been defined in statutory
law.
    Last month the White House issued a memorandum that adopts
CUI as the sole SBU--excuse me for the acronyms--designation
for the Federal Government. The executive order seeks to
standardize practices and thereby improve the sharing of
information, not to classify or declassify new or additional
information.
    The ACLU has grave concerns that once a CUI framework is
developed, officials could ignore this lofty purpose and use
CUI markings to improperly withhold unclassified documents from
public disclosure. That is why legislative guidance is so
necessary to ensure that Government officials use CUI markings
to increase information-sharing rather than restrict it.
    Any legislation that establishes a legal framework for
controlling unclassified information must be drafted carefully
to ensure that it does not inadvertently create a secondary
classification system that further restricts the public's
access to information. The ``Improving Public Access to
Documents Act'' accomplishes this feat by requiring the
Secretary of the Department of Homeland Security to develop CUI
policies, quote, ``in order to maximize the disclosure to the
public.''
    Requiring DHS to coordinate and consult with the archivist
of the National Archives, State, local and tribal governments,
as well as civil liberties organizations and the private
sector, will ensure that all stakeholders have a say in the
development of these DHS policies and procedures.
    Congress recognized the public's right to information held
by our Government when it passed the Freedom of Information Act
in 1966 and voted to strengthen it in 1974, 1976, 1986, 1996,
and again last year.
    Your bill includes two critically important provisions:
Establishing that CUI markings are not allowed to undermine
FOIA; and ensuring public access to unclassified information
even if marked CUI under an appropriate FOIA request. These
must be included in any legislation that may be signed into
law.
    The bill properly limits what types of information may be
designated CUI and prohibits use of CUI markings to conceal
violations of law or prevent embarrassment to an agency.
    The bill includes many other important provisions that my
colleagues have mentioned already, so I will conclude by saying
that we are very happy to support the ``Improving Public Access
to Documents Act of 2008'' and look forward to working with you
to see it moved to statute with all of its provisions intact.
    Thank you.
    [The statement of Ms. Fredrickson follows:]

               Prepared Statement of Caroline Fredrickson
                             June 11, 2008

    Good morning Chair Harman, Ranking Member Reichert, and Members of
the subcommittee. Thank you for the opportunity to testify on behalf of
the American Civil Liberties Union, its hundreds of thousands of
members and 53 affiliates Nation-wide, about an issue of critical
importance to all Americans: the right of the people to know what our
Government is doing and to have access to documents created at taxpayer
expense. As this committee knows, excessive government secrecy harms
our national security and undermines our democratic institutions.
Secrecy interferes with the timely sharing of accurate and actionable
information, unnecessarily increases government costs, and frustrates
democratic accountability by improperly limiting public access to
information.
    We testify today in support of the ``Improving Public Access to
Documents Act of 2008,'' which is an important step toward creating a
more accountable government by compelling the Department of Homeland
Security to develop policies and programs that limit and regulate the
Federal Government's use of control markings on unclassified documents.
This important bill makes clear that controlled unclassified
information (CUI) can be shared with State, local, and tribal
governments, the private sector, and the public, as appropriate.

   THE NEED FOR LEGISLATION TO REDUCE UNNECESSARY GOVERNMENT SECRECY

    Our Nation has often faced grave threats to our security, but
abandoning our fundamental democratic principles to address those
threats does not make us stronger. During the height of the Cold War
President John F. Kennedy said,

``The very word `secrecy' is repugnant in a free and open society; and
we are as a people inherently and historically opposed to secret
societies, to secret oaths and to secret proceedings. We decided long
ago that the dangers of excessive and unwarranted concealment of
pertinent facts far outweighed the dangers which are cited to justify
it. Even today, there is little value in opposing the threat of a
closed society by imitating its arbitrary restrictions. Even today,
there is little value in insuring the survival of our Nation if our
traditions do not survive with it.''\1\
---------------------------------------------------------------------------
    \1\ John F. Kennedy, Address Before the American Newspaper
Publisher's Association, New York, NY, (Apr. 1, 1961), available at
http://www.jfklibrary.org/Historical+Resources/Archives/Reference+Desk/
Speeches/JFK/003POF03NewspaperPublishers04271961.htm.

    Despite the near-universal recognition that the failure to
effectively share information was a contributing factor in the
intelligence breakdowns that led to 9/11, Government agencies have been
increasingly using a multitude of unregulated control designations that
restrict the free flow of information and increase confusion among
agencies regarding what information may be shared, with whom, and how.
The improper use of control markings can forestall the sharing of
critical information with State, local and tribal law enforcement
officials making it all the more difficult for local law enforcement to
know the vulnerabilities in their own communities.
    In testimony before this subcommittee last year, Ambassador Ted
McNamara, Program Manager of the Director of National Intelligence
Information Sharing Environment, revealed that 20 Federal Government
departments and agencies use at least 107 different control markings
with more than 131 different procedures for handling what those
agencies considered ``sensitive'' information.\2\ McNamara concluded,
not surprisingly, that the confusion over how information marked with a
particular control designation should be handled reduced information
sharing. What should be shocking to the American public, however, is
that all the information subject to these 107 unregulated control
markings is, by law, unclassified. According to the Congressional
Research Service, Federal agencies began using control markings on
unclassified documents they considered ``sensitive'' in the 1970's, but
the term ``sensitive but unclassified'' (SBU) has never been defined in
statutory law.\3\
---------------------------------------------------------------------------
    \2\ The Over-Classification and Pseudo-Classification of
Governmental Information: The Response of the Program Manager of the
Information Sharing Environment: Hearing Before the Subcommittee on
Intelligence, Information Sharing, and Terrorism Risk Assessment H.
Committee on Homeland Security, 110th Cong. (Apr. 26, 2007) (Statement
of Ambassador Ted McNamara, Program Manager, Information Sharing
Environment), available at http://homeland.house.gov/SiteDocuments/
20070427081925-82568.pdf.
    \3\ Genevieve J. Knezo, SENSITIVE BUT UNCLASSIFIED INFORMATION AND
OTHER CONTROLS: POLICY OPTIONS FOR SCIENTIFIC AND TECHNICAL
INFORMATION, CRS Report for Congress (Dec. 29, 2006), available at
http://www.fas.org/sgp/crs/secrecy/RL33303.pdf.
---------------------------------------------------------------------------
    The Government regulates the disclosure of ``national security
information'' through a classification system established in Executive
Order 12958, as amended. ``National security information'' subject to
classification under the executive order is defined through
extraordinarily broad categories of information:
   military plans, weapon systems, or operations;
   foreign government information;
   intelligence activities, sources and methods, or cryptology;
   foreign relations or foreign activities of the United
        States, including confidential sources;
   scientific, technological, or economic information related
        to the national security;
   U.S. programs for safeguarding nuclear material and
        facilities;
   vulnerabilities and capabilities of U.S. systems,
        installations, infrastructure, projects, plans or protection
        services related to the national security; and
   weapons of mass destruction.\4\
---------------------------------------------------------------------------
    \4\ Exec. Order No. 13,292, amending Exec. Order No. 12,958, (Mar.
25, 2003), available at http://www.whitehouse.gov/news/releases/2003/
03/20030325-11.html.
---------------------------------------------------------------------------
    By definition, any information designated SBU falls outside these
broad categories, so any national security argument for restricting the
distribution of SBU information is greatly diminished.
    Moreover, the problem with the unrestricted use of SBU markings by
Government agencies is not limited to impeding effective sharing of
intelligence information among Federal agencies and their partners in
State, local and tribal government. The unchecked ability to shield
government documents from disclosure encourages agencies to hide their
mistakes and thwarts effective oversight. The Director of the Defense
Capabilities and Management at the Government Accountability Office
(GAO), Davi M. D'Agostino, studied how the Departments of Energy and
Defense handled CUI and noted:

`` . . . neither Departments' policies identify what would be an
inappropriate use of the FOUO [For Official Use Only] or OUO [Official
Use Only] designation. Without such guidance, the Departments cannot be
confident that their personnel will not use these markings to conceal
mismanagement, inefficiencies, or administrative errors, or to prevent
embarrassment.''\5\
---------------------------------------------------------------------------
    \5\ Drowning in a Sea of Faux Secrets: Policies on Handling of
Classified and Sensitive Information: Hearing Before the Subcomm. on
National Security, Emerging Threats, and International Relations of the
H. Committee on Government Reform, 109th Cong. 243 (2006) (Statement of
Davi M. D'Agostino Director of the Defense Capabilities and Management
at the Government Accountability Office (GAO)).

    SBU designations have even been used to obstruct congressional
oversight. Representative Henry Waxman, Chairman of the House
---------------------------------------------------------------------------
Government Reform and Oversight Committee, noted in 2006:

``Last year, Chairman Shays and I sought documents from three agencies,
the Defense Department, State Department, and the Department of
Homeland Security, that had been restricted as `Sensitive But
Unclassified' or `For Official Use Only.' To date, we have received
none of these documents. It is particularly telling that in their
responses, the agencies claimed they had no way to provide such
information because they don't keep track of it. As another agency
wrote, there is no regulatory or other national policy governing the
use of `For Official Use Only,' this designation, as opposed to the
controls on classified national security information.''\6\
---------------------------------------------------------------------------
    \6\ Drowning in a Sea of Faux Secrets: Policies on Handling of
Classified and Sensitive Information: Hearing Before the Subcomm. on
National Security, Emerging Threats, and International Relations of the
H. Committee on Government Reform, 109th Cong. 8-9 (2006) (Statement of
Rep. Waxman, Ranking Member, H. Comm. on Government Reform).

    Last month the White House issued a memorandum to the heads of all
executive branch agencies that adopts ``Controlled Unclassified
Information'' (CUI) as the sole SBU designation for the Federal
Government and establishes a framework for its use. The stated purpose
of this executive order is ``to standardize practices and thereby
improve the sharing of information, not to classify or declassify new
or additional information.''\7\ The ACLU has grave concerns that once a
CUI framework is developed executive branch officials could ignore this
lofty purpose and use CUI markings to improperly withhold unclassified
documents from public disclosure, much the way the classification
system is currently over-used and abused. Providing legislative
guidance is both necessary and appropriate to ensure that executive
branch officials use CUI markings in the manner intended, to increase
information sharing rather than to restrict it.
---------------------------------------------------------------------------
    \7\ Memorandum from George W. Bush to the Heads of Executive
Departments and Agencies, ``Designation and Sharing of Controlled
Unclassified Information'', May 9, 2008, http://www.whitehouse.gov/
news/releases/2008/05/20080509-6.html.
---------------------------------------------------------------------------
    Congress recognized the public's right to information held by our
Government when it passed the Freedom of Information Act in 1966, and
voted to strengthen it in 1974, 1976, 1986, 1996, and again last year.
FOIA exemptions permit the government to withhold information that is
properly classified for national security or law enforcement purposes;
trade secrets and privileged and confidential commercial or financial
information; interagency deliberations; and personnel files requiring
privacy, among other types of information. By creating these broad
exemptions Congress has already established a process for limiting
disclosure of information that might harm the national security or some
other important Government or private interest. CUI markings should
never be allowed to undermine FOIA and interfere with the public's
right to know.

 FEDERAL AGENCIES NEED CONSISTENT STANDARDS AND STATUTORY GUIDANCE TO
LIMIT THE USE OF CUI DESIGNATIONS AND ENSURE APPROPRIATE PUBLIC ACCESS
                      TO UNCLASSIFIED INFORMATION

    As the findings in the Improving Public Access to Documents Act of
2008 indicate, the proliferation of SBU control markings interferes
with accurate, actionable and timely information sharing, unnecessarily
increases costs, and needlessly limits public access to information.
The finding acknowledging the negative impact the overuse of control
markings has on our national security is crucial to correcting the
trend toward secrecy that, as the bill states, is antithetical to the
concept of an information sharing environment.
    The ACLU has long been concerned about the unregulated use of SBU
markings, and any legislation that establishes a legal framework for
controlling unclassified information must be drafted carefully to
insure that it does not inadvertently create a secondary classification
system that further restricts the public's access to information
inappropriately. The Improving Public Access to Documents Act of 2008
accomplishes this feat by requiring the Secretary of the Department of
Homeland Security to develop CUI policies ``in order to maximize the
disclosure to the public.'' Requiring the DHS Secretary to coordinate
and consult with the Archivist of the National Archives and Records
Administration, representatives of State, local and tribal governments,
as well as civil liberties and Government oversight organizations and
the private sector will ensure that all stakeholders have a say in the
development of these DHS policies and procedures.
    The bill includes two critically important provisions establishing
that CUI markings are not a determinant of public disclosure pursuant
to FOIA and ensuring public access to unclassified information, even if
marked CUI, under an appropriate FOIA request. We urge you to protect
these provisions throughout the legislative process to ensure their
inclusion in any final legislation that may be signed into law.
    The bill properly limits what types of information may be
designated CUI, and prohibits use of CUI markings to conceal violations
of law or prevent embarrassment to an agency. The bill also properly
limits the number of employees who are authorized to make CUI markings,
and establishes mechanisms to track their decisions and hold them
responsible, which hopefully will change the current culture from need-
to-know to need-to-share.
    The bill includes other important elements that will ensure proper
oversight of the implementation of the CUI framework, including an
ongoing auditing mechanism administered by the DHS Inspector General
that will assess whether CUI markings are being used properly, with a
requirement for annual reporting to Congress. Establishing a reward
process where employees can challenge CUI markings will also be helpful
to limiting improper designations. And the requirement that DHS
maintain a publicly available list of documents marked CUI that have
been withheld under FOIA will increase public oversight, and hopefully
will compel more thorough deliberation when marking or withholding
requested documents.

                               CONCLUSION

    Without a legal framework, Federal agencies' use of SBU control
markings can intentionally or inadvertently obscure critical
information from the public as well as from State, local, and tribal
law enforcement. The Improving Public Access to Documents Act of 2008
would enhance information sharing with State, local, and tribal
governments by requiring a more uniform standard for handling CUI and
alleviating confusion about what information can be shared. Definitive
statements that CUI markings are not a determinant of public disclosure
under FOIA will ensure that the purpose of this bill is realized by
improving public access to documents. We are happy to support the
Improving Public Access to Documents Act of 2008 and look forward to
working with you to protect its most essential provisions as it moves
through the legislative process.

    Ms. Harman. Thank you, Ms. Fredrickson.
    I thank all the witnesses for observing the time limits,
and welcome three more members who are here to ask questions.
They will be recognized in the order that they arrived after
the Ranking Member and I ask our own questions.
    I now yield myself 5 minutes for questions.
    Everyone probably already knows the formal name of this
subcommittee is Intelligence, Information Sharing and Terrorism
Risk Assessment. Information sharing, all of us believe, is an
absolute key to getting and sharing intelligence with those who
need to know it. So we have been hammering on Government
agencies and others, for the better part of 2 years, to break
down old cultures.
    One of you mentioned the need-to-know culture, which is
still sadly alive. It must change to a need-to-share culture.
That is certainly a premise that underlies a lot of the work we
have been trying to do here. I am pleased to hear that all of
you support the work that we are doing on this legislation.
    Let me just ask two questions because I want to spend some
time on others.
    No. 1, as I made clear in my opening remarks, we are trying
to make DHS the gold standard with respect to implementing
these new guidelines. We are doing that for two reasons. One,
we think that DHS has critical jurisdiction and is part of the
problem and could change, should change for the better. But the
second is, we have jurisdiction over DHS. That should be
obvious.
    One of you mentioned that this should be a Government-wide
policy. I would just like to hear some more support for that
position or your additional comments on that. That is the first
thing.
    The second thing, one of you said that a reason that many
hide information or stamp information with protective
categories is bureaucratic turf and power. I obviously agree
with that, but I would like you to explain that.
    Let me just add one thing to that. As a member of the House
Intelligence Committee for 8 years, from 1996 with a little
interruption until 2006, I came to respect enormously what I
think is a good reason to protect information, and that is to
protect sources and methods. People die if sources or methods
are disclosed. Especially if, on an ongoing basis, we are
trying to learn the plans and intentions of bad guys, we have
to protect our sources and methods. But I never could find
another good reason for protecting information. So I don't
personally think that bureaucratic turf and power are good
reasons. I would just welcome, again, some comments to fill out
our record.
    So both of those are my questions and my only questions.
One is, should this approach that we are taking apply
Government-wide? The second is, please explain your comments
about bureaucratic turf and power. Let us know if you think
there are any good reasons, other than protecting sources and
methods, to hide information from the public.
    Ms. Fuchs.
    Ms. Fuchs. I would be happy to start off.
    I think that the reason that the standards need to be
applied Government-wide is that, while certainly DHS is
critical in terms of the information-sharing environment, the
reality is there are other agencies, law enforcement agencies,
intelligence agencies that do participate in the information-
sharing environment, and they all have similar problems to DHS.
    The CUI framework that the President has established
certainly provides some very positive aspects in order to
increase information sharing, but it really doesn't provide
protections against it being abused. I think that this bill
includes many of those protections. Indeed, we hope to make
similar comments as we have made today to the National Archives
to let them know that we would like to see this in their
implementing regulations if it does not become Government-wide
statute.
    Then simply to respond on the question about bureaucratic
turf and power, I mean, we see examples again and again in the
classification realm where information is improperly
classified, and when you actually see the information, the only
reason that you can identify the classification was because
they were embarrassed or they didn't want people to know the
position they are taking.
    You know, a good current example is some of the memos that
were written regarding torture and detention that were
classified, and now that those memos, parts of them are being
made public, it is clear that at least what was classified
probably could have been made public.
    My understanding is, for some of these memos that justified
surveillance, you know, not even general counsels within
Government agencies were allowed to look at those memos. That
doesn't make any sense to me. To me, that is clearly about
power and not the proper use of classification stamp.
    Ms. Harman. Thank you.
    Other comments?
    Ms. McDermott. Well, I think I am the one who said that
they tend to stand for bureaucratic turf and power. I know
anecdotally--obviously, I am not inside the Government--but we
heard in relation to the events of 9/11 that information was
not shared. Unclassified information, even, was not shared.
    We have seen in the GAO report that there is great
difficulty across Government and from Government to other
levels of Government in sharing information. It appears to be
that it is about controlling information in order to keep it
within the control of a particular bureaucracy, rather than
letting it get out to other agencies who may do other things
with it or may release it.
    So I think this is a--from what GAO has reported and what
we hear in the newspapers and what you have heard and released
here in the Congress, this is a severe problem with control for
its own sake and, also, control for avoidance of risk, which is
the flip side of that.
    We do agree that this--we would hope to the provisions in
this bill do become Government-wide policy because, as I noted
in my written testimony, there are many important provisions in
here: the auditing, the tracking, the encouragement of people
to challenge markings. We would add, as I do in my written
testimony, that there need to be whistleblower protections for
those people, as well.
    But DHS is a poster child for nondisclosure and
nontransparency, at the moment. If you can make DHS the gold
standard, I would think that will set a very strong example. We
also will be working with National Security Archives and our
other partners in the coalition to encourage the National
Archives, as they implement the White House framework, the CUI
framework, to adopt some of these policies that are contained
in your bill.
    Ms. Harman. Thank you.
    Ms. Fredrickson.
    Ms. Fredrickson. I associate myself with the comments of my
colleagues and only add one thing. I think, as Patrice rightly
said, it is not simply bureaucratic turf battles and control
and urge for power, but there is also a fear of risk. I think
your legislation addresses that very well by limiting the
number of individuals that actually can designate the documents
as CUI and also makes them accountable. Having the list of
documents published I think is a very important mechanism for
ensuring that people don't, out of fear or risk-averse
tendencies, decide to keep everything secret if they can. So
thank you for that.
    Ms. Harman. Thank you very much.
    I am aware that the answers of witnesses went over my time
limit, so I will afford other members the same courtesy.
    Mr. Reichert.
    Mr. Reichert. You have that prerogative, Madam Chair.
    I want to thank you again for being here today. A lot of
things that all three of you said, it just kind of brought back
flashes of my previous career and various things that we
confronted, as far as information-sharing and withholding
information.
    I started in law enforcement back in 1972. Don't worry, I
am not going to go through my whole career. But I did have dark
brown hair, by the way, back then.
    You know, there was a problem that when you worked--there
were street crimes units who worked on street crime, which
included a variety of crime, and then they worked with a drug
unit that worked on drug crimes. There was an inability or an
unwillingness, I should say, for those units to share
information because there was a turf battle, and it persists
today.
    But you rise above the local competition there between two
units within a police department or a sheriff's office, and now
you are talking about sheriff's offices and police departments
that don't share information between the two of them, or
especially in the Green River case back in Seattle where many,
many agencies were involved and there was a fear of sharing
information because they would be tied to the investigation.
The news media would be all over their backs, demanding, ``What
are you going to do to solve this case?'' They wanted to stay
out of it. I mean, they would just go on and on with the
reasons. But I clearly understand this issue.
    But I also want to point out that we have made great
progress since those days. The fusion centers that exist today,
the Joint Terrorism Task Force--there is this effort now for
agencies to share information between themselves. But I agree
with you, after September 11, as the sheriff in King County, we
had struggled greatly with the Federal Government to share
information with law enforcement leaders. I had 1,100 employees
that needed to know certain things were happening, and we were
not told. The police chief of Seattle will tell you that the
same thing happened. The State patrol chief will tell you the
same thing happened there.
    So not only do the law enforcement agencies need to have
that information, but I agree with you, the public does. In the
fusion centers, we have included people from the public, from
various businesses and other public entities in the communities
now are all a part of our fusion centers and sharing
information.
    I would like--you made a comment, Ms. Fredrickson, on the
risk of fear. What do you exactly mean by--the fear of risk, I
should say. What do you mean by that?
    Ms. Fredrickson. Well, you know, I think it is commendable,
and many law enforcement and in our government really want to
keep us safe, and I think we all appreciate that. I think,
though, there may not be an appreciation of the fact that
sometimes, I think as Meredith said specifically, that it is
actually providing of information that keeps us safe.
    So, that is why it is very critical that I think we
overcome some of what may seem to be risk-averse tendencies of
people to keep things classified or keep them secret or keep
them away from the public. That has very pernicious
consequences when that information is not appropriately
withheld.
    Mr. Reichert. Do you think there is a fear of lawsuits?
    Ms. Fredrickson. There may be. That is really not what I
was thinking of specifically.
    Mr. Reichert. One of the risks?
    Ms. Fredrickson. I am thinking of their higher intentions,
that there actually is a real desire to keep us safe but that
sometimes it may be misleading, in the sense that it leads to
actions that actually undermine our safety.
    Mr. Reichert. A question about FOIA requests. About how
many requests do you think are made a week, if anybody on the
panel would know? Do you know how many a week, a month? Or do
you keep track of the number of requests made?
    Ms. Fuchs. Yeah, Government-wide, there is something like
20 million--is that correct?
    Ms. McDermott. Yeah, I think that is right.
    Ms. Fuchs. But that includes privacy act requests, which
are when people, you know, veterans ask for their own records.
In terms of FOIA requests, it is probably a couple million each
year. They are a wide range in terms of how complicated or not
complicated they are.
    Mr. Reichert. Do you feel like you are getting prompt
responses or----
    Ms. Fuchs. No.
    Mr. Reichert. This is the response I expected, by the way.
    Ms. Harman. I planted this question.
    Ms. Fuchs. My organization, in fact, has done several
studies looking at the oldest FOIA requests in Government, and,
in fact, there are some that are 15, 18 years old. Of course,
those are the hardest ones. As you know, there was legislation
passed last year and enacted into law that we hope will help
improve FOIA responsiveness.
    But, of course, anything you can add to the FOIA
consideration process is going to slow it down. That is one of
the reasons why it is so critical that CUI not be yet another
hurdle that FOIA requesters are going to have to get past in
order to get their information.
    Mr. Reichert. Yeah. I had the same experience in the
sheriff's office with public disclosure requests. They can slow
down your entire organization. So I do have concern about that.
Hopefully we can work together in lessening our fear of how
that might affect FOIA requests.
    I yield back. Thank you, Madam Chair.
    Ms. Harman. Thank you, Mr. Reichert.
    Mr. Carney of Pennsylvania is now recognized for 5 minutes.
    Mr. Carney. Thank you, Madam Chair.
    I would suggest also that one of the reasons we see
overclassification sometimes is fear of embarrassment,
political embarrassing things. In my experience at the Pentagon
over a number of years, I did see some of that occur as well,
and I think that is awful. You know, we have to get a handle on
that, and we have to find ways to manage it.
    But we are talking about DHS today. Is there some of that,
actually, in this overclassification, do you think, hiding
politically embarrassing things?
    Ms. Fuchs. Well, I mean, I certainly think that there is
some of that. I mean, a good example of that would be the
Taguba report that first was looking at treatment of people in
Abu Ghraib, which was largely classified. Obviously there may
have been, you know, aspects of what happened that needed to be
classified. There also may have been reasons to manage how the
information was released. But, in fact, most of it did not
require classification and eventually was released.
    So I think there are numerous examples of the attempt to
cover up embarrassing things that happened. But, of course, the
reason we have these open-government laws is to expose those
things so we can do better. That is why it is so important not
to let that happen and why it is so important that this bill
has provisions for looking at the decisions to label and then
taking steps when it is improperly done.
    Ms. McDermott. I agree with that, certainly, with
overclassification. To the extent that we can tell, with the
CUI markings, that is a very high risk, because there has been
no control on them. There has been no control on who can create
them. There has been no mechanism for removing them. At least
with classified information, there are processes. So I think
that is a very high risk, that they are for hiding embarrassing
or inconvenient facts. So I think that is very important.
    I would also like to note that, in terms of the FOIA--I
know this wasn't your question--but if information is made
proactively available by agencies that can be made available,
it releases the need for FOIA.
    Ms. Fredrickson. At the risk of repeating something that
Meredith said earlier, I wouldn't necessarily classify it as
embarrassing information, but the torture memos or the memos
about interrogation methods that were prepared by the Office of
Legal Counsel, you know, obviously, there, again, maybe
sections of those that could have remained classified of what
we haven't seen yet, but really this is information we need to
know. The reason that it was classified was not because it was
essentially a document that needed to be withheld from the
public, but really because I think that the legal analysis that
was provided in those memos was so faulty.
    Mr. Carney. From a DHS perspective, what do you see as the
key DHS barriers to compliance with the Public Access to
Documents Act?
    Ms. Fuchs. I think the people I have dealt with at DHS seem
like they have a genuinely strong intent to try to get better
control over their information and to handle it properly.
Although, I know that other agencies actually have a lot of
problems with how DHS has handled information. So I think that,
you know, DHS continues to struggle with the same problems that
it has had, which are that it is a very large agency with lots
of different missions and components. The CUI framework is
going to require them to get some organization. I think Chair
Harman mentioned, you know, bring order to the chaos, and I
think that that is a big challenge at DHS and will continue to
be so.
    However, by reducing the number of controllers so you can
focus on people who are going to put the labels on the
information and by training them and supervising them properly,
I think it will have a good impact.
    Ms. McDermott. I agree with Ms. Fuchs that there are good
people with good intent in the Department. But I was the one
that said that they are the poster child of nontransparency,
and they are. It is impossible to find information on their
site. I have bookmarked regulatory information, submitted
comments and gone back the next day, and they were gone, they
were unfindable.
    So I think it is going to be a serious challenge for the
Department to implement this in a transparent and open manner.
I think it is going to take continual oversight.
    Again, I agree with Ms. Fuchs that there are good people
with good intent, but the tendency of the Department is not
toward transparency. Maybe with other agencies, but not with
the public.
    Ms. Fredrickson. Just quickly, I would just like to comment
that the legislation that we are discussing today is actually
not just an open-government bill but also a good-government
bill, in the sense that I think there are real efficiencies in
reducing the number of designations that are allowed. I think
the cost savings that could result from Government actually
being able to talk to other elements and getting the influence
or advice of outside stakeholders is very critical to making it
work better. So we support it on that basis, as well.
    Mr. Carney. Thank you.
    No further questions, ma'am.
    Ms. Harman. Thank you.
    I would just note for the record, as we discuss documents
that supposedly explain the legal framework for Government
programs, that, as a member of the Intelligence Committee all
those years, we continually demanded to see those documents.
They were never shown to us, at least during the time that I
served on that committee.
    On this committee, we have had an ongoing request to DHS
about the legal underpinnings of the proposed National
Applications Office, the NAO, which will task military
satellites to do surveillance activities over the United
States. We think that may pose some problems under posse
comitatus and some other issues. But, at any rate, that
conversation is ongoing. We are not satisfied that we have seen
a document explaining the legal underpinnings. That document
should be available to Congress, which has responsibility for
faithfully executing the laws, and the public should understand
what the legal basis for government programs is, in my view.
    I now yield 5 minutes for questions to Mr. Dent of
Pennsylvania.
    Mr. Dent. Thank you, Madam Chair.
    From your viewpoint, is there ``sensitive but
unclassified'' information out there that needs to be
protected? Or do you believe that all unclassified information
should be releasable without restriction by the Government,
even if that information is sensitive? I would just be curious
to get your thoughts on that.
    Ms. McDermott. Oh, absolutely, there is controlled
unclassified information that does need to be protected for at
least a certain amount of time. I think the White House
framework is intended to do that. I think that this bill takes
important steps toward building in provisions to ensure that
that is reviewed on a regular basis. The framework also
includes portion marking, so that where there is a document, a
portion of which needs to be kept safeguarded for a particular
amount of time, that portion can be separated out and shared
with those who need to have only that protected information,
but the rest of the information can be shared more generally
with the public.
    So, absolutely, yes. But, as with classified information,
most classified information also has a shelf life, except for
sources and methods. There needs to be opportunities to review
it and to remove the controls.
    Mr. Dent. Ms. Fuchs.
    Ms. Fuchs. I agree. I think that there is a need for some
controls. I mean, to take it away from the specific information
we are talking about, it is just like in any business, there is
certain information you don't leave on your desk. Certainly CUI
information, whether it is privacy information or it is
information about a law enforcement investigation, it shouldn't
be left around for, you know, the janitor to pick up. That is
absolutely clear.
    What I think we advocate for, though, is understanding what
really needs that protection and not spending time and money on
things that don't need that protection. That is why I think the
CUI framework is necessary. But this bill fortunately would
make sure the CUI framework does not become so broad that it
pulls in too much information.
    Mr. Dent. Thank you.
    Ms. Fredrickson.
    Ms. Fredrickson. I don't have too much to add to that. I
entirely agree with the previous comments.
    Just to say, I think it is important, as the Chair
mentioned, that we need to move from a need-to-know to a need-
to-share system, that the presumption has been too much on the
side of nondisclosure. So where there are categories that are
clearly--there is a heightened sensitivity, there needs to be a
heightened sensitivity that we need to disclose as much as
possible.
    Mr. Dent. My next question, then, really deals with--the
legislation that we are discussing today, H.R. 6193, applies
only to the Homeland Security Department. Do you think that a
CUI framework should be established throughout the entire
Federal Government? If so, what do you think is the best way to
establish such a framework? What sorts of standards should be
set in establishing that kind of a framework? Anyone want to
take a shot at that?
    Ms. Fredrickson. Sure. I think we spoke to that a little
bit earlier. I think there is general agreement that it should
be Government-wide. This bill provides, I think, a very good
framework for expansion to other parts of the government.
    Ms. McDermott. Well, I think we are all agreed that the
current situation with what we previously called ``sensitive
but unclassified'' information is untenable. It is untenable
for the Government, it is untenable for the public, it is
untenable for other governments who need to get information
from the Government.
    So a framework to deal with this is essential. The White
House memorandum has established, sort of, the bare bones of
that. We are pleased that the implementation has been put in
the National Archives, which has a commitment to openness and
would very much like to see most of the provisions of this bill
adopted by NARA as it goes out to the information-sharing
environment and then as other agencies adopt this framework.
    Ms. Fuchs. I would just agree with what my other
copanelists have said.
    Mr. Dent. That is fine.
    I yield back. Thank you.
    Ms. Harman. Thank you, Mr. Dent.
    Mr. Langevin is now recognized for 5 minutes for questions.
    Mr. Langevin. Thank you, Madam Chair.
    I want to thank our witnesses for the testimony today.
    I especially want to thank the Chair for holding this
important meeting, this hearing today.
    The Chair and I both have an appreciation for and love of
intelligence work, and we can deeply appreciate views
associated with a need for classified information. But equally
important, we share an understanding that we need to get the
information into the hands of those who need it and, equally
important, giving the information to the public for their
understanding of information as well.
    Most of the questions that I had have really already been
asked, but I do have a question with respect to how we proceed
from here.
    As we move forward with the implementation of the CUI
designation, what are the most important things that Congress
should be doing to ensure appropriate oversight? What do you
see we need to do, in terms of overcoming the likely challenges
with the implementation of CUI?
    Ms. Fredrickson. That is a very good question, I think.
That has obviously been a challenge for Congress for the past
several years, oversight with this Government, particularly
with its inclination toward secrecy, I think has really impeded
a full and thorough oversight process. But I think the
engagement of this committee and your commitment on the issue I
think is clearly a very, very good step in the right direction.
    Maintaining your attention on these issues, I think, will
be required. I think, as Patrice had suggested, it will be a
real task, I think, to push DHS forward and to ensure that the
language of the legislation is actually implemented in a way
that is full and effective. So we are very eager to work with
you. I also think it is also very important that the
legislation does include the role of civil liberties and open-
government organizations as well as the private sector to help
ensure that the process moves forward effectively. I think,
working together, perhaps we can really make that difference.
    Ms. McDermott. I agree with Ms. Fredrickson.
    I would also note that some of the provisions in this bill
will be really important Government-wide. One of, I think, the
most important ones for congressional oversight is the audits
and the provision in the bill that also tracks the markings and
uses by individual employees.
    I think both of those--that should include a report to
Congress also about specified individuals, but I think a
reporting requirement to Congress and to the appropriate
committees--yours for DHS and others as this goes out further--
are essential to both the public trust in this and to
Congress's ability to engage in oversight.
    Then I also think the two other provisions, the ability for
the public to ask for removal, because that gets us out in a
more transparent realm, and the ability of employees to
challenge the markings, is critical. Again, protection for
employees that do that, because it is very nice to say they
have the ability, but we know from experience that those
challenges often lead to repercussions on the employees.
    Ms. Fuchs. If I could just add a couple of other points. I
think, it is very important for Congress to keep in mind the
impact of this on the Freedom of Information Act and to not
permit a memorandum that sets up the CUI framework to undermine
the FOIA, which is a congressionally enacted statute.
    I also think that Congress should be keeping an eye on the
development of substantive definitions for CUI within each
agency. This committee looks at the Department of Homeland
Security, but every other committee should be looking at their
own agencies that they conduct oversight over and make sure
that the CUI definition does not become too expansive.
    Finally, and this relates to what Ms. McDermott just said,
I think it is important for Congress to keep an eye on how this
is working, because, as I mentioned in my testimony, these
trusted pathways could be corrupted just like an agency could
be corrupted. In order for them to work, we need to make sure
that those who are sharing the information understand that they
are expected to use it properly and use those trusted pathways
to help protect the country.
    Mr. Langevin. I appreciate all those answers. I think this
legislation could be and should be a model Government-wide. I
think Mr. Dent raised the question, should we--this applies to
the Department of Homeland Security, but should it be
Government-wide? I clearly think it should.
    You know, classifying information runs the gamut. I think
we have all been frustrated by this overclassification in a
number of areas. You know, it seems to run the gamut from doing
it out of an abundance of caution, to maybe protecting
politically sensitive or embarrassing information, to just pure
laziness.
    We have all been frustrated, those of us who see classified
information, a lot of times you look at it and say, and we have
asked often, is there really a need to classify this? What is
classified about this information? I think it does come down
sometimes to just pure laziness. So we need someone that is
going to actually ask the question, why do we really need to
classify this information?
    So I think this legislation moves us in the right direction
so that we can ensure that the public has access to information
it needs, that we get information that may be sensitive into
the hands of those who need to see it so we are ensuring proper
information-sharing, and that we are only classifying those
things that really do need to be classified.
    So I commend the Chair for the legislation and for the
hearing. With that, I will yield back. Thank you.
    Ms. Harman. Thank you, Mr. Langevin.
    I have asked the Members to my right whether they have
additional questions. They don't.
    Do you have any additional questions?
    Well, okay. Then let me just make a couple of comments, and
we will adjourn, followed by the markup that has been
announced, in 15 minutes after adjournment, of the four bills.
My comments are as follows.
    First, thank you to our witnesses and to other outside
groups and administration experts for contributing to our work
on this piece of legislation. I think it is a much better piece
of legislation because we consulted widely and because we
worked together. Mr. Reichert and his staff were enormously
helpful in improving the legislation.
    Second, we are building on a Bush administration framework.
I am saying this; it is true. Ambassador McNamara is the fellow
who came out with the CUI guidelines. He was tasked to do this.
We are trying to find a way to make DHS, the Department of
Homeland Security, the gold standard for implementing those
guidelines correctly. So here we have a committee of Congress
building on Bush administration guidelines. It will be a rare,
I think final, example of such a thing. But I think we are
going to build something important because of the way we worked
on this.
    Finally, one of you was talking about the need to involve
the public in advance--I think this is what you said, or this
is certainly what I wanted you to say because I agree with it--
in advance in understanding the terror threats we face. Let's
understand what the motivation of terrorists is. They want to
terrify us. Some of them may also want to kill as many of us as
possible. But that is the point of their activity, is to
terrify us.
    I believe that an informed and prepared public is much less
likely to be terrified. How do we inform the public? Well, part
of it is sharing information with the public, having a
presumption that unless there is a good reason not to share it,
it must be shared. Second, having public officials who, in a
thoughtful and useful way, brief the public on what the threats
are and what to do to protect themselves--not terrify them, not
scare them; brief them, inform them. An informed public, I
think, is our best protection of democracy. It is also our best
protection against terrorism.
    So I want to say that, by doing this legislation and by
enacting the other bills on public access that we will enact, I
believe we will enact today on a unanimous basis, I think we
are taking a giant step toward one of the big missions of this
committee, which is protecting the homeland.
    I want to thank you all for your contribution to this.
    I also want to say that if any Members have additional
questions for the witnesses, we will ask you to respond
expeditiously in writing to those questions.
    Hearing no further business, the subcommittee stands
adjourned.
    [Whereupon, at 11:12 a.m., the subcommittee was adjourned.]