Recommendations 2 and 3: A Two-tiered Classification System and the Use of Identifiable Levels of Protection to Define Classification Level
“It is time to reexamine the long-standing tension between secrecy and openness, and develop a new way of thinking about government secrecy as we move into the next century.” -Report of the Commission on Protecting and Reducing Government Secrecy, 1997, Senate Document 105-2, Public Law 236.
Document Courtesy of the National Security Agency
After extensive research and discussions with stakeholders in and outside Government, the Board has concluded that the current classification system is too antiquated to fully support today’s national security mission. The system keeps too many secrets, and keeps them too long. Its practices are overly complex, and serve to obstruct desirable information sharing inside of government and with the public. There are many explanations for over-classification: much classification occurs essentially automatically; criteria and agency guidance have not kept pace with the information explosion; and despite numerous Presidential orders to refrain from unwarranted classification, a culture persists that defaults to the avoidance of risk rather than its proper management.
To partially address the concerns of excessive classification, we recommend that classification be simplified and rationalized by placing national security information in only two categories. This would allow proper alignment with the actual two-tiered practices existing throughout most of government for information protection security clearances, physical safeguarding, and information system accreditation.
Top Secret would remain the Higher-Level category, retaining its current, high level of protection. All other classified information would be categorized at a Lower-Level, which would follow standards for a lower level of protection. Both categories would include compartmented and special access information, as they do today.
Newly established criteria for classifying information in the two tiers would identify the needed levels of protection against disclosure of the information. Identifiable risk should be the basis for determining if a level of protection is needed and if classification is warranted and, if so, at what level and duration.
The difficulty of applying the current concept of presumed “damage” during derivative classification would be replaced by a more concrete application of the level of protection necessary for sharing and protecting. This change in guidance would reflect how classification is actually practiced by derivative classifiers – deciding how much protection is needed based on the sensitivity of the information to both protect and share appropriately.
We understand that the adoption of a two-tiered model will pose greater challenges for those agencies whose internal practices are more dependent upon current distinctions between Secret and Confidential. We are not advocating for simply eliminating the Confidential category of classification, thereby exacerbating problems of over-classification in the system. Rather, we believe the adoption of a two-tiered model would align the classification system to what is actually occurring in practice throughout Government. Confidential information is safeguarded on Secret-level systems. The Lower-level of classification in the two-tiers will be defined by the appropriate levels of protection needed to ensure the classified information may be secured and shared appropriately. Guidance must be updated and longstanding practices of rote classification in the current system must be redesigned to make classifiers re-think deep-rooted cultural biases that favor classification and instead choose not to classify in the first instance unless a risk assessment proves protection is needed.