On to Appendix C.
CLASSIFIABLE AREAS OF NATIONAL SECURITY
For information to be classified as National Security Information (NSI), it must fall into at least one of the ten classifiable national security areas that are specified in Sect. 1.3(a) of Executive Order (EO) 12356.*, 1 Determining whether information falls into one of those NSI areas is the second of the five major steps in determining whether information should be classified as NSI (see Chapter 3).+ Those ten areas are set forth in the subsequent sections of this appendix, along with a brief description of each area.
* EO 12065, promulgated by President Carter in 1978, was the first Executive Order to specifically identify classifiable NSI areas. Seven NSI areas were identified [EO 12065, Fed. Reg., 43, 28949 (July 3, 1978), §1-301]. The three NSI areas not included in EO 12065, but included in EO 12356, were vulnerabilities or capabilities, cryptology, and confidential sources.MILITARY PLANS, WEAPONS, OR OPERATIONS
+ For atomic energy information, the comparable step is to determine whether the information falls within the definition of Restricted Data or Formerly Restricted Data and has not been declassified or transclassified to NSI.
Military operations information is "information pertaining to a strategic or tactical military action, including training, movement of troops and equipment, supplies, and other information vital to the success of any battle or campaign."2 Military weapon information concerns the design, manufacture, and use of military weapons. It also includes information on countermeasures to those weapons. The Department of Defense (DoD) has the primary responsibility for classifying information in this area.++ An exception is for information on nuclear weapons, which is classified by the Atomic Energy Act of 1954, as amended. The classification decisions concerning military plans, weapons, or operations that are made by most other federal agencies generally will be derivative classification decisions based on DoD's original classification determinations. Appendixes C and D discuss specifics of classification of military operations information and military weapons information, respectively.
++ Of the estimated 511,868 original classification decisions in the United States in FY 1991, about 19% were by DoD ["Information Security Oversight Office (ISOO) 1991 Report to the President," March 1992, p. 13]. Of the estimated 6,595,149 total derivative classification decisions in the United States in FY 1991, about 64% were by DoD [Ibid., pp. 15–16].VULNERABILITIES OR CAPABILITIES OF SYSTEMS,
INSTALLATIONS, PROJECTS, OR PLANS RELATING
TO NATIONAL SECURITY
A vulnerability is an exploitable capability or an exploitable security weakness or deficiency. Examples include vulnerabilities in the protection of U.S. facilities against terrorist attacks (e.g., governmental buildings in the United States and embassies in foreign countries) and in the physical protection of the President.3 Also included in this NSI area is information concerning the readiness of U.S. Army units.4 Statements by government officials "in the know" that the United States is significantly behind a major adversary in a certain area and, therefore, possibly vulnerable to attack could be classified.
Information on major weaknesses of operational military weapons systems should be classified, especially before those vulnerabilities have been corrected.5 If a system essential to national security is vulnerable (e.g., a design flaw in a deployed missile) and that vulnerability could be exploited by an adversary, then the information about the vulnerability should be classified.6 See Appendix D for more details about classification of vulnerabilities of military weapons systems.
FOREIGN GOVERNMENT INFORMATION
EO 12356 defines foreign government information (FGI) as:(1) information provided by a foreign government or governments, an international organization of governments, or any element thereof with the expectation, express or implied, that the information, the source of the information, or both, are to be held in confidence; orFGI either retains the classification assigned to it by the foreign government or is assigned a U.S. classification at least equivalent to the foreign government classification level.8 Documents containing FGI "shall include either the marking `FOREIGN GOVERNMENT INFORMATION,' or a marking that otherwise indicates that the information is foreign government information," except when the fact that the document contains FGI must be concealed.9 FGI is not usually declassified by the United States without the express permission of the foreign government that generated the information.
(2) information produced by the United States pursuant to or as a result of a joint arrangement with a foreign government or governments or an international organization of governments, or any element thereof, requiring that the information, the arrangement, or both, are to be held in confidence.7
Because FGI is generally identifiable from its source (e.g., a foreign government) and because it is presumed classified (see Chapter 4), there will be little further discussion in this document about its classification.
INTELLIGENCE ACTIVITIES (INCLUDING SPECIAL
ACTIVITIES) OR INTELLIGENCE SOURCES
Intelligence activities also include counterintelligence and foreign intelligence activities. Intelligence sources are the persons or technical means that provide intelligence. Intelligence methods are the means of gathering and analyzing intelligence information. Nearly all of the original classification decisions in this area will be made by the Central Intelligence Agency, the Department of Justice (mostly with respect to the Federal Bureau of Investigation's counterintelligence activities),10 or other U.S. intelligence organizations.* The classification decisions of all other federal agencies in this area will generally be derivative classification decisions based on the intelligence agencies' original classification determinations. Appendix E discusses classification of intelligence activities, sources, and methods.
* Twenty-eight percent of the original classification decisions in the United States in FY 1991 were by the Department of Justice (DoJ) and 13% were by the Central Intelligence Agency (CIA) [Information Security Oversight Office (ISOO) 1991 Report to the President, March 1992, p. 13]. Twenty-seven percent of all derivative classification decisions in the United States in FY 1991 were by the CIA and 8% were by the DoJ [Information Security Oversight Office (ISOO) 1991 Report to the President, March 1992, pp. 15–16].FOREIGN RELATIONS OR FOREIGN ACTIVITIES
OF THE UNITED STATES
Foreign relations are the connections between nations, and foreign activities are actions related to those connections. The Department of State determines and implements U.S. foreign policy and has the primary responsibility for classifying information on foreign relations and foreign activities.+ In this NSI area, most classification actions of all other federal organizations will be derivative classification decisions based on Department of State classification guidance. See Appendix F for additional information on the classification of foreign relations or foreign activities information.
+ Thirty-eight percent of the original classification decisions in the United States in FY 1991 were by the Department of State [Information Security Oversight Office (ISOO) 1991 Report to the President, March 1992, p. 13]. The Department of State treats all of its classification decisions as original classification decisions and, therefore, reported no derivative classification decisions for FY 1991 ["Information Security Oversight Office (ISOO) 1991 Report to the President," March 1992, p. 14].SCIENTIFIC, TECHNOLOGICAL, OR ECONOMIC MATTERS
RELATING TO NATIONAL SECURITY
This category includes basic and applied research, technological developments, and economic information concerning the United States. EO 12356 prohibits the classification of "basic scientific research information not clearly related to the national security."11 Classification of scientific and technical information is discussed frequently in the chapters of this document concerning principles of original classification of information. It appears that only rarely do economic matters warrant classification for national security reasons (see the discussion on the meanings of the terms national security and national defense in Chapter 5). Therefore, this document gives little attention to the classification of economic matters.
U.S. GOVERNMENT PROGRAMS FOR SAFEGUARDING
NUCLEAR MATERIALS OR FACILITIES
This is a rather specialized area and will not be discussed further in this document. Department of Energy classification guidance covers this topic rather thoroughly.
Cryptology includes methods to keep messages secret (to construct codes) and methods to intercept and decipher messages from adversaries. The government needs codes to be able to efficiently and in a timely manner communicate sensitive information to units of the military services, to its representatives located in foreign nations, and for other purposes and yet keep the communicated sensitive information from adversaries. Conversely, it is very desirable to be able to understand adversaries' codes so that their plans and capabilities are known to our government. Successes in breaking codes are usually kept secret for a long time so that other nations are not alerted to possible deficiencies in their codes.
The field of cryptology has long been considered to be a very sensitive area of intelligence. It was given special attention by the Espionage Act of 1917.12 A later statute specifically criminalized certain disclosures of classified information related to cryptography.13 Another statute criminalized the disclosure of any matter that was obtained from intercepts of coded transmissions between a foreign country and its diplomatic mission in the United States.14
Until relatively recently, cryptologic information was mostly of interest only to governments. However, when businesses began to use the telegraph or radio to transmit commercial information, the private sector became more interested in cryptology. This private-sector interest has been particularly keen in recent years as computers have been widely used to store and transmit vital business data. This has led to much private research in cryptology, which in turn has led to National Security Administration concerns about the results of this research helping other nations to our detriment.*, 15 These government concerns have not yet been resolved. The government has no specific authority to classify results of private cryptographic research other than by the Invention Secrecy Act.16
* For example, the National Security Administration is concerned that the results of the private research will become available to some of the less technologically advanced nations and could enable those nations to improve their diplomatic codes and make it harder for the United States to break those codes.Cryptology was specifically identified in EO 12356 as a classifiable NSI area (it was not mentioned in the immediately prior Executive Order on classification, EO 12065) to make clear that communications security information was classifiable.17 It is somewhat surprising that unauthorized disclosure of classified cryptologic information is not presumed to cause damage to the national security, because having difficult-to-decipher codes for certain government communications is essential to the national security.
A confidential source is defined by Sect. 6.1(f) of EO 12356 as "any individual or organization that has provided, or that may reasonably be expected to provide, information to the United States on matters pertaining to the national security with the expectation, express or implied, that the information or relationship, or both, be held in confidence." Information on foreign confidential sources is presumed classified (see Chapter 5).
The final NSI area specified by EO 12356 is titled "Other categories of information that are related to the national security and that require protection against unauthorized disclosure as determined by the President or by agency heads or other officials who have been delegated original classification authority by the President."18 Any original classification of information that does not fall under the previously specified nine classifiable areas of NSI must be reported promptly to the Director of the Information Security Oversight Office.
Table B.1 lists the ten areas of national security and indicates the agencies principally responsible for original classification determinations in those areas. It also indicates those areas where unauthorized disclosure of information is presumed to cause damage to national security (see Chapter 5).
Table B.1. The ten areas of National Security (NSI) Information
and related information
Responsible federal agencya
Is damage presumed to result from unauthorized disclosure?b
1. Military plans, weapons, or operations
2. Vulnerabilities or capabilities of systems, etc.
3. Foreign government information
DoS, CIA, and DoD
4. Intelligence activities or intelligence sources or methods
CIA and DoJ
Yes, for intelligence sources or methods
5. Foreign relations or foreign activities of the United States
6. Scientific, technological, or economic matters relating to national security
7. U.S. Government programs for safeguarding nuclear materials or facilities
DOE, DoD, DoS
9. Confidential source
Yes, for a foreign confidential source
10. Other areas related to national security
aThe agency or agencies listed are principally responsible for classification determinations in the area shown. CIA = Central Intelligence Agency; DOE = Department of Energy; DoD = Department of Defense; DoJ = Department of Justice; DoS = Department of State; NSA = National Security Agency.
bThe full question is, Can damage be presumed to result from an unauthorized disclosure?
1. Executive Order 12356, Fed. Reg., 47, 14874 (Apr. 6, 1982). Hereafter cited as "EO 12356."
2. U.S. Department of Defense, Department of Defense Handbook for Writing Security Classification Guidance, DoD 5200.1-H, March 1986, §5-2, p. 5-1.
3. A. F. Van Cook, "Information Security and Technology Transfer (An OUSD Overview of Executive Order 12356 and DoD's View Concerning Implementation)," J. Natl. Class. Mgmt. Soc., 18, 1–7 (1982), p. 3.
4. S. Garfinkel, "An Information Security Oversight Office Overview of Executive Order 12356 and Its Implementing Directive," J. Natl. Class. Mgmt. Soc., 18, 17–23 (1982), pp. 20–21. See also Chapt. 10, supra, discussing Taylor v. Department of the Army.
5. F. Seitz, Chairman, Office of the Director of Defense Research and Engineering, Report of the Defense Science Task Board Task Force on Secrecy, U.S. Department of Defense, July 1, 1970, p. 8.
6. F. J. Thomas, "Workshop A—Lifetime Cycles for Security Classification," J. Natl. Class. Mgmt. Soc., 7, 58–62 (1971), p. 61.
7. EO 12356, §6.1(d).
8. EO 12356, §1.5(d).
9. Information Security Oversight Office, "Directive No. 1," Fed. Reg., 47, 27836 (June 25, 1982), §2001.5(e)(4).
10. Information Security Oversight Office, Information Security Oversight Office (ISOO) 1991 Report to the President, Washington, D.C., March, 1992, p. 14.
11. EO 12356, §1.6(b).
12. 40 Stat. 217, 218 (1917).
13. 18 U.S.C. §798(a) (1982).
14. 18 U.S.C. §952 (1982).
15. M. M. Cheh, "Government Control of Private Ideas—Striking a Balance Between Scientific Freedom and National Security," Jurimetrics Journal, 23, 1–32 (1982), p. 11.
16. 35 U.S.C. §181–188 (1982).
18. EO 12356, §1.3(10).