Information Security Oversight Office Releases its Annual Report to the President
Press Release · Wednesday, June 3, 2015

Washington, DC

Today, the Information Security Oversight Office (ISOO) released online its Report to the President for Fiscal Year (FY) 2014. This annual report covers government agencies’ security classification activities, shares cost estimates for these activities, and provides an update on the Controlled Unclassified Information (CUI) program. This annual report was mandated by Executive Order 13526, Classified National Security Information.

FY 2014 report declassification highlights include:

• A 20 percent reduction in original classification activity, for a 2014 total of 46,800 decisions.
• A three percent decrease in derivative classification action, down to 77,515,636 decisions.
• Under automatic, systematic, and discretionary declassification review, agencies reviewed 64,627,008 pages and declassified 27,819,266 pages of historically valuable records.
• Agencies reviewed 597.498 pages under mandatory declassification review and declassified 372,134 pages in their entirety, declassified 190,654 pages in part, and retained classification of 34,710 pages in their entirety.
• Progress by Interagency Security Classification Appeals Panel to adjudicate declassification appeals and post decisions online. This year, the Panel declassified 451 documents that had been received under appeal.

Classification

ISOO continues to monitor agencies’ self-assessments of their classified information programs. While many agency reports show improvement, others are lacking. ISOO will continue to help agencies with these assessments to ensure compliance.

Controlled Unclassified Information program

ISOO continues to advance its policy development strategy:

• ISOO submitted a proposed federal CUI to the Office of Management and Budget.
• ISOO initiated a CUI Program appraisal process to assist Executive branch agencies in preparing for implementation by providing agency planners with a baseline.
• ISOO developed an updated training module clarifying the distinction between the CUI Program and the Freedom of Information Act.
• ISOO worked with National Institute of Standards and Technology on Special Publication 800-171, ”Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organization.“ This publication, expected to be finalized in later this year, provides information system protection standards for CUI in the nonfederal environment.

Industrial Security

The National Industrial Security Program Policy Advisory Committee showed progress in the areas of personnel security clearances and certification and accreditation of information systems. ISOO continues its role on the Senior Information Sharing and Safeguarding Steering Committee, leading efforts to incorporate the requirements of the National Insider Threat Policy, and related responses to unauthorized disclosures, into the National Industrial Security Program policy and guidance.

Increase in Costs for Information Systems that process Classified Information

Estimated costs associated with Protection and Maintenance for Classified Information Systems was $7.57 billion, an increase of $3.17 billion, or 72 percent, from the estimate reported for FY 2013. The main driver of this change was the report of the Department of Defense, whose estimate rose from 3.4 billion in FY 2013 to 6.6 billion for FY 2014, a net increase of $3.2 billion.

ISOO and the Department of Defense attribute the increase to many new initiatives following a number of serious security breaches. In response to E.O. 13587, “Structural Reforms to Improve the Security of Classified Networks, and the Responsible Sharing and Safeguarding of Classified Information,” agencies are developing and implementing greater technical safeguards for national security systems, aiming to improve network security by reducing anonymity, enhancing access controls and user monitoring, establishing enterprise auditing, restricting the removal of media, and, developing insider threat programs. Such improvements are costly.

Another reason for the increase is that the DoD has changed its baseline data collection to provide greater precision in reporting additional expenses. Improved insight into cost data led to discovery and attribution of additional information system security expenditures. Previously, DoD reporting of these expenses corresponded to approximately 25 program elements directly identifiable with information system security. This year, funding planning figures include both funding for these program elements plus an additional 40 percent drawn from other program elements not previously assessed as information system security costs, such as those related to command and control and IT). With the new data in hand, which also permitted retrospective analysis, it can now be seen that this increase occurred over prior years between FY 2012 and FY 2013 and between FY 2013 and FY 2014. The combination of the increased scope of reporting and the two annual increases accounts for the near-doubling of DoD reporting in this category.

The Information Security Oversight Office, established in 1978, is responsible to the President for overseeing the Government-wide security classification program, and receives policy and program guidance from the National Security Council. ISOO has been part of the National Archives and Records Administration since 1995. ISOO consists of three parts:

• The Classification Management Staff develops security classification policies for classifying, declassifying and safeguarding national security information generated in Government and industry.
• The Industry and Operations Staff evaluates the effectiveness of the security classification programs established by Government and industry to protect information vital to our national security interests.
• The Controlled Unclassified Information Staff develops standardized Controlled Unclassified Information policies and procedures to protect sensitive information through effective data access and control measures.

The National Archives and Records Administration is an independent Federal agency that preserves and shares with the public records that trace the story of our nation, government, and the American people. From the Declaration of Independence to accounts of ordinary Americans, the holdings of the National Archives directly touch the lives of millions of people. The National Archives is a public trust upon which our democracy depends, ensuring access to essential evidence that protects the rights of American citizens, documents the actions of the government, and reveals the evolving national experience. The National Archives carries out its mission through a nationwide network of archives, records centers, and Presidential Libraries, and online www.archives.gov.

# # #

For press information please contact the National Archives Public Affairs staff at 202-357-5300.

15-67