DoD Regulation 5200 – Classification of Information

DoD Regulation 5200 - Classification of Information

DoD Regulation establishes policies and procedures for DoD Components regarding classification of information. However, USD(I&S) recently found that OCAs from certain components did not properly cancel three Special Classified Groups (SCGs), reporting them back to DTIC without doing so themselves – this represents a serious breach and will be addressed in future revisions of this Regulation.

Identifying Classified Information

Classifying information is an integral component of DoD’s security program, helping ensure only authorized personnel have access and use of classified material, while also protecting against unintended disclosure which could inform threat actors about DoD programs and systems. Furthermore, properly classified data offers insight and transparency for DoD stakeholders. As the USD(I&S) oversees DoD Component security classification processes in accordance with DoD guidance.

DoD Components must ensure classified information is identified and protected, so each must develop, issue, and update Security Classification Guides (SCGs) and associated supplemental materials. An SCG is a document which defines the level and duration of protection needed for systems, plans, programs, projects or missions; Air Force and Marine Corps both utilize SCGs to identify specific information that requires protection; derivative classification is the practice of taking existing classified material and reformulating it into new material while marking it according to SCG markings – similar processes are employed when creating derivative classification-marked derivative material with different markings than documented within an SCG document.

DoD components may not classify information that does not require protection, such as basic scientific research results. They should also not classify performance reviews of individuals to embarrass or restrict competition; the classified status must not be used to embarrass anyone or restrict competition.

At each activity participating in the SCG development process, each activity should determine if the information it wishes to protect should be classified. If so, an SCG is then developed for every project or system that contains this data that provides protection at various levels (Top Secret, Secret, Confidential), time frames required and any supplementary materials necessary.

If an activity lacks the expertise to classify its information itself or requires higher-level decision making to protect it, they should seek assistance from an original classification authority (OCA). An OCA is defined as an individual authorized in writing by either the President, Vice President or agency head to classify sensitive data at first instance and responsible for developing and maintaining Security Classification Guidelines (SCGs). Furthermore, these OCAs must provide training sessions for personnel delegated responsibility for classification decisions.

Managing Classified Information

DoD archivists must be cognizant of classification issues when processing documents donated by individuals. Such papers often contain classified national security information that is unknown to their donors – for instance military or intelligence information that might otherwise remain classified and protected using various markings such as “FOUO,” Limited Official Use or Sensitive but Unclassified labels.

Marking classified information has the purpose of informing those with access to it that it is classified; to identify what kind of data needs protection; and facilitate excerpting or other uses. In addition, markings help prevent accidental disclosure of classified material while providing guidance for downgrading/declassifying requirements as well as alerting holders of special access, control or safeguarding requirements that need to be followed.

Every classified document must include its classification level and reason for classification; electronic messages containing Restricted Data or Formerly Restricted Data must also bear an “(TS)” or code word digraph to indicate this fact.

Whenever classification is determined based on association rather than on individual parts of a document, an explanation for its classification must also be included. For instance, a training schedule that contains both IOC testing and new unit personnel training must be marked CONFIDENTIAL.

Marking requirements vary by format, and any formatting or layout decisions should be reviewed with care before applying them to any document. If an individual is uncertain as to what marking would best suit a certain document type, they should seek guidance from either their supervisor or OCA.

DoD component heads and their security managers must ensure that DoD personnel responsible for creating draft classification guidance complete OCA classification training. In addition, they should be cognizant of existing classification guides before submitting new drafts for OCA approval, conducting extensive research before doing so and responding quickly when reports arise regarding potential conflicts between different classification guidelines.

Marking Classified Information

DoD components must clearly mark all classified documents and portions thereof that require protection, its level of classification, special access control measures or safeguard requirements, etc. Markings should serve to inform holders about the existence of classified information while at the same time identify its specific area(s), its purpose and level(s). When possible, apply markings prior to processing so as to eliminate later revision or erasure requirements; Notes, rough drafts, informal working papers and any preliminary materials should all be treated as classified and marked accordingly.

Classification markings must be clearly displayed on the outer cover (if any), title page, and first page of any document. They should also be conspicuously placed at the top and bottom of each interior page – though blank interior pages do not require marking. A document’s classification depends on identifying its highest level of information within its body – this information being carried forward into individual pages by way of classification markings; where applicable the original classification authority should be noted on “Classified by” line while extensions to original classification should be indicated on “Declassify on” line – when an original classification authority extension occurs, length should be indicated on “Declassify on” line to make clear when classification changes take place or changes are being extended further on either “Classified by” line to reflect their impact.

Documents containing foreign government information that has not been downgraded should bear a warning on the cover or first page that indicates it contains foreign government material, with “THIS DOCUMENT CONTAINS FOREIGN GOVERNMENT INFORMATION.” In the “Derived From” line for such documents should also include identification of all classification sources used – both domestic and foreign- as well as any reasons for classification which need to remain concealed (if required). Furthermore, FGI documents should never be declassified below their level in accordance with their level in addition to disclosure without their written approval or disclosure without their written agreement from said foreign governments.

When using an original classified document as the basis for a derivative document, its level should be indicated on the “Derived From” line and any declassification instructions provided on “Classified by” should also be carried forward for this derivative document. If an original classified document has been declassified since being made derivative, its declassification instructions must also be revised on all subsequent copies of it.

Protecting Classified Information

DoD must ensure that classified information remains secure throughout its lifecycle and any unauthorized disclosures of classified material are declassified swiftly. This requires creating and enforcing policies and procedures that identify and protect classified data when created, transferred, handled, used, stored, communicated or communicated; making consistent reclassification decisions; as well as creating and sustaining a comprehensive information protection program.

Security training must be provided to Original Classification Authorities (OCAs), Derivative Classifiers, and Declassification Authority Holders before exercising their authority, and on an annual basis after that. In addition, OCAs should make sure their SCGs accurately reflect both what information has been authorized for classification as well as its level. They should review these SCGs at least every five years in order to maintain consistency and accuracy.

OCAs should enact and implement policies to restrict the release of sensitive information without proper approval from senior officials, including their designated OCA or other senior official. Release of sensitive data should only occur for authorized purposes such as national security or law enforcement issues.

DoD programs must also implement consistent and uniform information protection requirements, with appropriate protection being applied across files, folders, databases and electronic communications of the DoD. In particular, notes, rough drafts and informal working papers generated within DoD must also include appropriate marking of notes as being “Derived From Restricted Data/Formerly Restricted Data” at the bottom of documents/transmittal letters.

DoD must allocate sufficient resources for reviewing information classified as TOP SECRET or SECRET and making decisions as to its declassification or downgrade. Insufficient resources may lead to reduced visibility into DoD programs and systems performance as well as increase threat actors gaining unauthorised access to essential DoD activities.

Sam is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.