DoD Issues New Information Security Regulation

The Department of Defense has published its long-awaited new information security regulation that finally brings the Department into conformity with the Obama Administration’s 2009 executive order on national security classification policy.

The new regulation, published in four volumes as DoD Manual 5200.01 and dated 24 February 2012, replaces Information Security Regulation 5200.1-R, which dates from 1997.

DoD is by far the largest and most prolific generator of classified information in the government.  So every shift in DoD information policy (as well as every failure to shift) has significant ramifications for the secrecy system as a whole.

The new regulation generally follows the classification guidelines set by the Obama executive order but it also elaborates on them in interesting ways.  It presents comprehensive guidance on practically every aspect of classification and declassification policy, including an extended discussion of how to respond to unauthorized disclosures of classified information (in volume 3, Enclosure 6).

Other notable provisions in the first volume of the new regulation include the following.

“If holders of information have substantial reason to believe that the information is improperly or unnecessarily classified, they shall communicate that belief to their security manager or the OCA [original classification authority] to bring about any necessary correction….  The Heads of the DoD Components shall ensure that no retribution is taken against any individual for questioning a classification or making a formal challenge to a classification.” (Vol. 1, p. 49)

Each DoD component is required to establish a self-inspection program, which “shall include regular review and assessment of representative samples of the DoD Component’s classified products. Appropriate officials shall be authorized to correct misclassification of information.” (p. 13)

The Assistant Secretary of Defense (NII) shall “Direct the use of technical means to prevent unauthorized copying of classified data and for anomaly detection to recognize unusual patterns of accessing, handling, downloading, and removal of digital classified information.” (p. 12)

“DoD military and civilian personnel may be subject to criminal or administrative sanctions if they knowingly, willfully, or negligently:
(a) Disclose to unauthorized persons information properly classified in accordance with this Volume.
(b) Classify or continue the classification of information in violation of this Volume.
(c) Create or continue a SAP [special access program] contrary to the requirements of… this Volume….”  (p.32)

The Fundamental Classification Guidance Review, which was mandated by the executive order to eliminate obsolete classification instructions, shall encompass “a broad range of perspectives,” the new regulation states. The involvement of outside experts is essential, the regulation seems to recognize, in order to compensate for self-interest, prejudice, and habitual patterns of thought.  “Contributions of subject matter experts with sufficient expertise in narrow specializations must be balanced by the participation of managers and planners who have broader organizational vision and relationships. Additionally, to the extent practicable, input should also be obtained from external subject matter experts and external users of the classification guidance.”  (p. 73)

The new regulation is effective immediately.

A February 16 report from DoD on the Fundamental Classification Guidance Review indicated that of the 1069 security classification guides that had been reviewed by the end of December 2011, no fewer than 318 guides had been scheduled for retirement or cancellation.  (“DoD Reports ‘Impressive Strides’ in Updating Classification,” Secrecy News, February 22.)