SecurityArchitecture.comGAO weighs in on need for consistent data classification
In the wake of the recent release of the Report and Recommendations of the Presidential Task Force on Controlled Unclassified Information, the Government Accountability Office on December 15 released a report on Managing Sensitive Information that addresses many of the same issues raised by the task force. The GAO report focuses specifically on the fact that a multi-agency report containing sensitive-but-unclassified (“SBU”) information about U.S. nuclear facilities was published on a publicly available Government Printing Office website. While a number of factors contributed to this inadvertent disclosure, the GAO report highlighted the lack of consistent data classification terminology among different federal agencies involved as a significant problem, and recommended that the agencies working with this information create an interagency agreement regarding the designation, marking, and handling of sensitive information. The presidential memorandum that created the task force on controlled unclassified information (ironically issued just three weeks after the nuclear site information was published) noted some 107 different classification schemes in use among various federal agencies for sensitive-but-unclassified information or its equivalent. In the case of the nuclear facility report, problems with document designation included the use of an international sensitivity designation that has no legal standing in the United States, and the subsequent recommendation that the document be labeled sensitive but unclassified despite the apparent lack of understanding of the meaning and implications of a SBU designation among both executive agencies and legislative offices, leading to what GAO called an incorrect determination that the material could be published. Unfortunately, this incident is just one among many cases of inappropriate disclosure where the problem lies not in malicious intent, but in a lack of awareness and understanding of relevant security policies and the actions needed to follow them.
