traffmonetizer Ad

startmail ad

Understanding Information Classification: Who Designates and Determines Classification Levels

2023-06-12 — Written by SimeonOnSecurity — 13 min read

An image depicting a person with a magnifying glass analyzing classified documents and a lock symbol in the background.

Edit Page

Table of Contents

Who Designates Whether Information is Classified and Its Classification Level

Information classification plays a critical role in safeguarding sensitive data and ensuring national security. Understanding who designates whether information is classified and determines its classification level is essential for anyone working with sensitive government information, contractors in the defense industry, or students of national security policy. This comprehensive guide explores the entities, processes, and regulations involved in information classification within the United States.

Introduction

Information classification is the systematic process of categorizing data based on its level of sensitivity, the potential damage that could result from its unauthorized disclosure, and the corresponding level of protection required. By assigning appropriate classification levels, organizations control access to information and implement security measures proportionate to the risk. But who has the authority to designate whether information is classified, and who determines its classification level? This article provides detailed answers to these critical questions.

Who Designates Whether Information is Classified?

The authority to designate whether information is classified rests with specific individuals who have been granted Original Classification Authority (OCA). These are not arbitrary designations—they are carefully controlled positions established through executive orders and government directives.

Original Classification Authority (OCA)

The Original Classification Authority (OCA) is an individual who has been explicitly authorized by the President, agency heads, or other officials designated under Executive Order 13526 to make initial determinations that information requires classification in the interest of national security.

Key characteristics of OCAs include:

Presidential Authority: The President has the highest classification authority and can classify or declassify any information.
Agency Heads: Directors of major government agencies (such as the Secretary of Defense, Secretary of State, CIA Director) typically hold OCA designation.
Delegated Officials: Senior officials within agencies who have been formally delegated OCA by agency heads.
Training Requirements: OCAs must receive specialized training on classification principles, procedures, and the proper application of classification levels.

For example, a senior military intelligence officer with OCA designation can make the original determination that a newly developed signals intelligence capability requires classification. Similarly, a State Department official with OCA can classify diplomatic cables containing sensitive negotiations.

Derivative Classification

While OCAs make original classification decisions, many more government employees and contractors perform derivative classification. This is the process of incorporating, paraphrasing, restating, or generating in new form information that is already classified, and marking the new material consistent with the classification markings on the source information.

Important distinctions:

Derivative classifiers do not decide if information should be classified—they apply existing classification decisions.
They must receive formal training in derivative classification.
They are responsible for carrying forward classification markings and properly citing sources.

According to the Information Security Oversight Office (ISOO) , there are approximately 1.3 million derivative classifiers across the U.S. government, but only about 2,000 original classification authorities.

Who Determines the Classification Level?

Once the decision has been made that information requires classification, the OCA who designated the information as classified is also responsible for determining its classification level. This determination is not subjective—it must be based on established criteria outlined in Executive Order 13526.

Classification Level Determination Criteria

When determining the appropriate classification level, the OCA must assess the potential damage to national security that could reasonably be expected from unauthorized disclosure. Executive Order 13526 provides specific definitions:

Top Secret

“Top Secret shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.”

Real-world examples include:

Nuclear weapon designs and specifications: Detailed technical data on nuclear warhead construction, yield calculations, and deployment systems
Intelligence sources and methods: The identity of human intelligence assets in hostile countries or the technical capabilities of satellite reconnaissance systems
War plans: Operational plans for potential military conflicts, including troop movements, target lists, and strategic objectives
Cryptographic systems: Advanced encryption algorithms used for secure communications by military and intelligence agencies
Covert action programs: CIA or military special operations programs conducted without acknowledgment

The compromise of Top Secret information has historically led to significant national security incidents. For example, the unauthorized disclosure of classified nuclear weapon information to foreign adversaries would fundamentally alter strategic balance and could lead to proliferation.

Secret

“Secret shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.”

This classification level applies to information such as:

Intelligence reports: Finished intelligence assessments on foreign military capabilities, terrorist organizations, or geopolitical developments
Military readiness data: Specific information about unit deployment status, equipment capabilities, or operational readiness levels
Advanced weapon system details: Technical specifications of new fighter aircraft, missile defense systems, or naval vessels that aren’t yet public but aren’t at the highest sensitivity level
Diplomatic cables: Sensitive communications between U.S. embassies and the State Department discussing bilateral negotiations or assessments of foreign leaders
Counterintelligence operations: Information about ongoing investigations into foreign espionage activities

The disclosure of Secret information could seriously compromise military operations, intelligence collection, diplomatic relations, or counterintelligence efforts.

Confidential

“Confidential shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.”

Examples of Confidential information include:

Law enforcement tactics: Specific procedures used by federal agencies for surveillance, arrests, or investigations
Budget data: Detailed budget information for classified programs that could reveal priorities or capabilities
Technical manuals: Unclassified equipment with classified operational procedures or limitations
Personnel security information: Security clearance investigation files or background check results
Diplomatic negotiation positions: Early-stage negotiating positions on international agreements before they become public

While Confidential is the lowest level of classified information, its unauthorized disclosure could still cause demonstrable damage to national security interests, law enforcement operations, or diplomatic relations.

Additional Classification Categories

Beyond the three primary classification levels, there are additional categories and special access programs:

Sensitive Compartmented Information (SCI)

SCI refers to classified information concerning intelligence sources, methods, or analytical processes that requires handling within formal access control systems. SCI is not a classification level itself but an additional layer of control applied to Top Secret information. Examples include:

SIGINT (Signals Intelligence) compartments
HUMINT (Human Intelligence) compartments
Imagery intelligence analysis
Special intelligence programs

Access to SCI requires a Top Secret clearance plus additional adjudication and indoctrination into specific compartments based on need-to-know.

Special Access Programs (SAP)

SAPs provide additional security measures beyond those required for the classification level. They are established for specific programs and technologies requiring extraordinary protection. Types include:

Acquisition SAPs: Protect advanced weapon system development
Operations SAPs: Protect sensitive military operations
Intelligence SAPs: Protect unique intelligence capabilities

According to the Defense Counterintelligence and Security Agency (DCSA) , there are approximately 150 SAPs across the Department of Defense, each with rigorously controlled access lists.

Sensitive But Unclassified (SBU) and Controlled Unclassified Information (CUI)

Not all sensitive information meets the threshold for classification. Controlled Unclassified Information (CUI) is a standardized framework that replaced numerous legacy markings like “For Official Use Only (FOUO)” and “Sensitive But Unclassified (SBU).”

CUI categories include:

Law Enforcement Sensitive: Information that could compromise investigations
Personally Identifiable Information (PII): Social security numbers, medical records, financial data
Procurement Sensitive: Proprietary business information or source selection data
Export Controlled: Technical data subject to export control regulations
Privacy Information: Information protected under the Privacy Act

The CUI Registry maintained by the National Archives provides the authoritative list of CUI categories and handling procedures.

The Classification Process: Step-by-Step

Understanding who designates whether information is classified requires examining the complete classification process:

Step 1: Information Creation or Discovery

Classified information can originate from various sources:

Intelligence collection activities
Military operations and planning
Weapons system development
Diplomatic communications
Scientific research with national security implications

Step 2: Classification Determination

An Original Classification Authority (OCA) reviews the information and determines:

Does it require classification? Would unauthorized disclosure cause damage to national security?
What classification level is appropriate? Top Secret, Secret, or Confidential based on potential damage
What is the classification rationale? Which specific category under EO 13526 justifies classification (e.g., military plans, intelligence sources and methods, foreign government information)
What is the duration? When should the information be declassified or reviewed for declassification

Step 3: Marking and Dissemination

Once classified, the information must be properly marked according to standardized procedures outlined in the Classified National Security Information Marking System .

Essential markings include:

Overall classification level (TOP SECRET, SECRET, or CONFIDENTIAL)
Classification authority: Name and position of the OCA
Classification reason: Citation to EO 13526 classification category
Declassification instructions: Date, event, or exemption
Portion markings: Indicating the classification of individual paragraphs or sections
Dissemination controls: Limiting who can access the information (e.g., NOFORN, ORCON)

Step 4: Access Control

Classified information can only be accessed by individuals who:

Hold an appropriate security clearance at the required level or higher
Have a demonstrated need-to-know for the specific information
Have received proper security briefings and training
Are working in a properly accredited facility

The need-to-know principle is fundamental—even individuals with Top Secret clearances cannot access all Top Secret information. Access is strictly limited to what is necessary for job performance.

Step 5: Declassification Review

Executive Order 13526 requires periodic review of classified information for potential declassification. Most classified documents have:

Automatic declassification dates: Typically 25 years from classification date
Event-based declassification: Tied to specific events (e.g., end of a military operation)
Exemptions: Information that is exempt from automatic declassification due to extraordinarily sensitive nature

The National Declassification Center at the National Archives coordinates declassification efforts across the government.

Government Regulations and Compliance

Information classification is governed by a comprehensive regulatory framework designed to ensure consistency, protection of sensitive information, and appropriate declassification procedures.

Executive Order 13526: Classified National Security Information

Executive Order 13526 , signed by President Barack Obama on December 29, 2009, is the current governing authority for classification of national security information. It superseded previous executive orders and established:

Uniform standards for classification, safeguarding, and declassification
Original classification authority designation procedures
Classification categories: Eight specific categories of classifiable information
Automatic declassification processes for permanent historical records
Overclassification reform measures to reduce improper classification

The order emphasizes that information shall not be classified to:

Conceal violations of law or inefficiency
Prevent embarrassment
Restrain competition
Prevent or delay public release of information that does not require protection

National Industrial Security Program Operating Manual (NISPOM)

The NISPOM (currently DoD Manual 5220.22-M, being replaced by 32 CFR Part 117) provides comprehensive guidance for protecting classified information held by defense contractors. It covers:

Personnel security clearances: Procedures for investigations and adjudications
Facility security: Physical security requirements for cleared facilities
Information system security: Technical controls for classified computer networks
Classified contract management: Procedures for administering contracts involving classified information
Self-inspection programs: Requirements for contractor oversight

The NISPOM affects approximately 13,000 cleared contractor facilities and over 1 million cleared contractor employees according to DCSA statistics.

International Traffic in Arms Regulations (ITAR)

ITAR , administered by the U.S. Department of State, controls the export of defense articles and services. While not exclusively focused on classified information, ITAR:

Restricts export of technical data, including some classified information
Requires registration of manufacturers and exporters of defense articles
Imposes strict controls on foreign nationals’ access to controlled information
Establishes penalties for unauthorized disclosures, including criminal prosecution

Violations of ITAR can result in fines up to $1 million per violation and imprisonment up to 20 years for willful violations.

Classification Management and Oversight

The Information Security Oversight Office (ISOO) , part of the National Archives, oversees government-wide implementation of classification policy. ISOO:

Issues implementing directives for Executive Order 13526
Conducts oversight of agency classification programs
Provides annual reports to the President on classification statistics
Offers training and resources for classification management

ISOO’s annual reports reveal trends in classification and declassification, providing transparency into the classification system’s operation.

Common Misconceptions About Classification

Several misconceptions exist about who designates whether information is classified and the classification process:

Misconception 1: Anyone Can Classify Information

Reality: Only designated Original Classification Authorities (OCAs) can make original classification determinations. The OCA designation is formally granted and requires specific training and position authority.

Misconception 2: Everything Labeled “Classified” is Top Secret

Reality: “Classified” is an umbrella term for information at Top Secret, Secret, or Confidential levels. The majority of classified information is actually at the Secret or Confidential level. According to ISOO reports, less than 10% of classification actions result in Top Secret designations.

Misconception 3: Once Classified, Always Classified

Reality: Executive Order 13526 presumes declassification. Most information is automatically declassified after 25 years unless it meets specific exemption criteria. The government declassifies millions of pages of historical documents annually.

Misconception 4: Security Clearance Equals Access to All Information at That Level

Reality: Security clearances are necessary but not sufficient for access. The need-to-know principle requires that individuals only access classified information essential to their job duties, even if they hold an appropriate clearance.

Misconception 5: Classification Decisions Cannot Be Challenged

Reality: Executive Order 13526 establishes procedures for challenging classification decisions. Employees can question whether information is properly classified, and whistleblower protections exist for reporting overclassification or improper classification.

Best Practices for Handling Classified Information

For individuals working with classified information, adherence to best practices is essential:

For Original Classification Authorities

Training: Maintain current certification in OCA responsibilities
Proportionality: Apply the lowest classification level consistent with security needs
Specificity: Clearly articulate classification rationale and cite specific EO 13526 categories
Declassification planning: Establish appropriate declassification instructions at the time of original classification
Regular review: Periodically review classification decisions for continued necessity

For Derivative Classifiers

Source verification: Ensure source materials are properly classified
Accurate marking: Apply portion markings and overall classification consistently
Source citation: Document sources used for derivative classification
Classification guidance: Consult classification guides and original classifiers when uncertain
Training compliance: Complete required derivative classifier training every two years

For All Cleared Personnel

Need-to-know adherence: Only access classified information required for job performance
Proper storage: Store classified materials in approved repositories (safes, SCIFs)
Spillage reporting: Immediately report potential compromises of classified information
Foreign contact reporting: Report contacts with foreign nationals that may involve security implications
Annual training: Complete required security training and refreshers

Consequences of Unauthorized Disclosure

Understanding who designates whether information is classified carries weight because unauthorized disclosure of classified information has serious consequences:

Administrative Consequences

Security clearance suspension or revocation: Loss of clearance typically results in

employment termination for positions requiring clearances

Disciplinary action: Reprimands, suspension, or termination from government service
Civil penalties: Fines and restitution for damages caused

Criminal Consequences

Several federal statutes criminalize unauthorized disclosure of classified information:

Espionage Act (18 U.S.C. § 793, 794): Punishable by up to life imprisonment for espionage
Intelligence Identities Protection Act (50 U.S.C. § 3121): Criminalizes unauthorized disclosure of intelligence officers’ identities
Atomic Energy Act (42 U.S.C. § 2274, 2277): Specific penalties for nuclear secrets disclosure
Classified Information Procedures Act: Establishes procedures for handling classified information in criminal trials

High-profile cases like those of Chelsea Manning , Edward Snowden , and Reality Winner demonstrate the government’s commitment to prosecuting unauthorized disclosures.

Conclusion

The authority to designate whether information is classified and determine its classification level is a carefully controlled responsibility vested in Original Classification Authorities (OCAs) throughout the U.S. government. This system, governed primarily by Executive Order 13526, strikes a balance between protecting legitimate national security interests and promoting government transparency through eventual declassification.

Key takeaways include:

Only designated OCAs can make original classification determinations—typically agency heads and senior officials they delegate
Classification levels (Top Secret, Secret, Confidential) are determined based on potential damage to national security from unauthorized disclosure
The classification process is governed by Executive Order 13526 and implementing regulations like the NISPOM and ITAR
Derivative classifiers apply existing classification decisions but do not make original determinations
All classification decisions must include declassification instructions to ensure information doesn’t remain classified longer than necessary

For anyone working with classified information, understanding these authorities, processes, and regulations is essential to properly protecting national security while respecting the public’s right to government transparency.

References

SimeonOnSecurity

Simeon is a seasoned cybersecurity expert with a wealth of experience, certified in various IT domains. Proficient in compliance, automation, and network security. Known for sharing knowledge and mentoring, with a passion for ensuring privacy and data protection. A valuable contributor to open-source projects and a recognized professional in the field.

Comments

Tags

#information security #government regulations #national security #data protection #data privacy

traffmonetizer Ad