Four years after President Barack Obama signed an executive order telling agencies to settle on a single set of standards for handling unclassified information, agencies are still using their own labels and their own rules to decide when information should be withheld from public disclosure.
The point was illustrated on Thursday with the release of a new Congressional investigation into practices within the Transportation Security Administration. The report, compiled by House Oversight and Government Reform committee staff found that TSA had been routinely misusing one of its own information labels: “Sensitive Security Information,” in some cases manipulating the definition of “SSI” in order to withhold documents that posed no threat to aviation security but were merely embarrassing, and in other cases releasing documents without consulting its own security review experts.
TSA also repeatedly violated its own policies that required the agency’s administrator to make a written determination when the agency decided that information should be tagged with the SSI label, the report concluded. “Failures by TSA officials to submit written determinations supporting the release or withholding of SSI caused a rift between senior TSA leadership and the SSI office,” said Rep. John Mica (R-Fla.), the chairman of the government operations subcommittee. “This rift resulted in an inconsistent application of the SSI designation, and such inconsistency, unfortunately, has also shown to be detrimental to the process of protecting sensitive transportation security information.”
The committee found problems with TSA’s use of the SSI designation dating back to at least 2004. The agency says it has made several changes in recent years, including the issuance of an SSI handbook and updated training for TSA staff, and has refined the program further in response to the congressional inquiry.
“I’m very confident that the new measures we have put in place have significantly improved the way we handle SSI,” said Annmarie Lontz, the director of TSA’s security services and assessments division. “It is much more consistent, there is a memorialization of any and all SSI reviews that are done. It is comprehensive in the training. We can customize it depending on various programs so they get a more in-depth understanding of what SSI is and is not.”
Irrespective of whether TSA has fixed problems with that particular designation, under the 2010 White House directive, the SSI label isn’t even supposed to exist in its current form. Nor are the 116 other stamps that agencies across government routinely apply to unclassified information in order to protect it from public disclosure.
The 2010 executive order was a response to a proliferation of what the National Archives and Records Administration has termed a “confusing and inefficient patchwork of agency-specific practices” for tagging and protecting unclassified information. The mix includes the pervasive “For Official Use Only” stamp, “Limited Official Use,” “Law Enforcement Sensitive” and dozens of others that are more narrowly descriptive of the type of data involved. Many of the labels were mandated by Congress or by formal agency rulemaking, but many others have no legal basis whatsoever.
The Obama order effectively told agencies they were no longer free to make up their own rules for the “pseudo-classification” of information. It created a single label, “Controlled Unclassified Information.” Unclassified data that agencies have legitimate legal authority to withhold would be covered beneath that umbrella, and extralegal labeling schemes were supposed to go by the wayside. The order also made clear that the new “CUI” label doesn’t trump the Freedom of Information Act.
Patrice McDermott, the executive director of OpenTheGovernment.org, said the order itself was a major victory for open government advocates. “The agency policy markings are going to be ended. The question is when, and regrettably, that’s where the rub comes in,” she said.
In order to do away with agencies’ ad-hoc processes for handling unclassified information, the federal government needs to publish a final rule that implements the intent of the 2010 executive order. But federal agencies, advocacy groups and NARA have not been able to reach a consensus on what the CUI program should look like until very recently. NARA — the agency in charge of creating a master registry of what constitutes legitimate CUI and what doesn’t — finally submitted a draft regulation to OMB earlier this month. When the regulation is finalized, it will take several more years before the concept takes hold.
McDermott doesn’t fault NARA, which has been working since 2010 to survey current agency practices in order to build a map for the CUI program. But she said federal agencies appear to have worked to slow the process down and hold onto their current information management practices for as long as possible.
When NARA first invited agencies to make their case for which of their information labeling habits should make their way into the CUI program, it received 2,200 submissions.
“I think that reflects a level of latitude they felt they had to do as they pleased, or wished, or felt was most effective for them,” said John Fitzpatrick, the director of NARA’s information oversight office. “In other cases, they said ‘My agency directive says I can do this,’ and so they submitted it. Well, that’s below the threshold, so it did not make it into the registry.”
The current version of the CUI registry is still fairly expansive, and includes 22 categories and 85 subcategories of unclassified information to which agencies could apply the new CUI label, but its use is not mandatory until a final regulation is adopted.
Fitzpatrick said the government’s slow movement toward CUI is somewhat understandable: Federal agencies hold a vast amount of unclassified information, and some the rules that agencies currently use to block that information from disclosure were, indeed, created out of whole cloth by internal agency policies.
But NARA has found 314 separate laws, regulations and governmentwide policies that have been enacted over the years which explicitly order various agencies to protect unclassified information in several different ways. Unpacking that system and repackaging it into something that operates in a uniform manner is no small task, Fitzpatrick said.
“A lot of agencies are authorized to withhold information, and our program was created to identify which of those are so that you can know which information types aren’t,” he said. “I am sympathetic to the amount of time that this is taking. When you understand the scope of this and how many agencies have this type of information, trying to understand all of their practices in order to create a uniform baseline that all will observe is a very time-consuming effort.”
In Thursday’s hearing, members of Congress were generally unforgiving of the delayed implementation of the CUI program, and some questioned whether it makes any sense in the first place.
Rep. Darrell Issa (R-Calif), the chairman of the Oversight and Government Reform Committee, is highly suspicious of the basic notion of creating categories of information that are not classified but still need to be protected from public release.
“There’s a CUI council, but how do I know it’s not a CYA council?” asked Issa, who has confronted the Obama administration with demands for records on numerous matters, and believes agencies have shielded information from Congress even when his committee issued subpoenas for those records.
“I think the whole idea that there’s anything below secret is hogwash, he said. “This is information that people in the government get to see without a background check, people get to handle without knowing whether they’re pedophiles, whether they’re drunks, whether they’re going through personal traumas in their lives, in other words, we have no security on them other than they’re a federal employee or a federal contractor. They get to see all this information. And then when Congress subpoenas it, we don’t even get it.”
Issa also sees a potential conflict with the DATA act, which Congress passed earlier this year and the President signed earlier this week.
“That act intends on making across the vast majority of information that is exists in our databases searchable, addressable, downloadable, and would include a system in which, because of the strength of the metadata, you’d be able to exclude personally identifiable information. You’d be able to say that a particular data point is not to be released, such as personally identifiable information, locations or times, certain things like that, predictive information about events that have not yet occurred. If we’re going to open that up, we can’t have these levels of classification, because it will essentially close systematically all these databases.”