U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Was this page helpful?

Information Security and Classification Management

The Office of Security’s (OSY) Classification Management Program supports Department operating units, bureaus, and offices throughout the classification life cycle for Classified National Security Information (CNSI). OSY familiarizes clearance holders within the Department with regards to the management of CNSI and services provided by the Information Security Division (ISD) and bureau Field Servicing Security Offices (FSSO).

Classification management involves the identification, marking, safeguarding, declassification, and destruction of Classified National Security Information (CNSI) generated within government and industry.  It encompasses the life-cycle management of CNSI from original classification to destruction. The three levels of classification are Top Secret, Secret, and Confidential. Unclassified is a marking used to denote information that does not meet the requirements for classification and Controlled Unclassified Information is a marking used to denote dissemination controls of certain unclassified information. Information Security Program staff provide guidance, training, and oversight to Department operating units and security specialists on classification management and facilitates Subject Matter Expert (SME) reviews of CNSI with respect to Information Security, Industrial Security, Communications Security, and Operations Security.

There are two ways to classify information – Original Classification and Derivative Classification. Original classification is the initial determination made by an Original Classification Authority (OCA) that information is required, in the interest of national security and for protection against unauthorized disclosure. Derivative Classification is the process of incorporating, paraphrasing, restating, or generating in a new form, information that has already been classified and can only be performed by a trained Derivative Classifier.


Original Classification

An OCA may originally classify information as Confidential, Secret, or Top Secret, and may be exercised by properly trained and appointed individuals. Currently, OCA is delegated to the Secretary of Commerce, the Department’s Director for Security, and the Deputy Under Secretary for the Bureau of Industry and Security to originally classify information up to the Secret level. These are the only three OCAs within the Department. No Department official is authorized to originally classify information as Top Secret. This authority was reissued on December 29, 2009, via a Presidential order entitled, Original Classification Authority. This order designates those agency heads and officials as having the authority to classify information.


Derivative Classification

Derivative Classification is the incorporating, paraphrasing, restating, or generating in a new form of information that has already been classified. Derivative Classification can only be performed by a trained Derivative Classifier using existing, properly marked, classified source documentation. The duplication or reproduction of an existing classified document is not a derivative classification.

Examples of Derivative Classification:

  • Incorporation occurs when information is extracted directly from an authorized classification guidance source and is stated verbatim in a new or different document.
  • Paraphrasing or restating occurs when information is taken from an authorized source and is re-worded in a new or different document. Paraphrasing is strongly discouraged as it closely resembles reproduction.
  • Generating is when information is taken from an authorized source and generated into another form or medium.

Derivative classifiers must carefully analyze the material they are classifying to determine what information it contains or reveals and evaluate that information against authorized classification guidance (Security Classification Guide [SCG], Classified Source Document, or DD Form 254). Unmarked does not mean unclassified. Derivative classifiers must have access to the source being cited. If the SCG is not accessible for reference, it may not be used as a source.

A Compilation, combining two or more pieces of unclassified information, can result in an aggregate that is classified. New material may include classified information that is contained in the classification guidance (e.g., the SCG). Due to the way it is organized or structured, the new material may reveal classified information that did not specifically appear in the classification guidance used to create it. Finally, the new material may aggregate, or bring together, pieces of information that are unclassified, or have one classification level, but when you present them together it either renders the new information classified or increases its classification level.

Revealed By applies when derivative classifiers incorporate classified information from an authorized source into a new document that is not clearly or explicitly stated in the source document.

Contained In occurs when derivative classifiers incorporate classified information from an authorized source into a new document, and no additional interpretation or analysis is needed to determine the classification of that information. The concept also applies to the use of an SCG. Sometimes, the guidance in an SCG may explicitly apply to the content incorporated into a new document. The Department has published a National Security Information Classification Guide (Commerce personnel only) to assist derivative classifiers in the classification of CNSI.

Classification Challenges

Authorized holders of information who, in good faith, believe that its classification status is improper are encouraged and expected to challenge the classification status of the information in accordance with agency procedures. An informal challenge should be initiated by first contacting your FSSO or the ISD to assist with informally resolving the issue.

If the concerns cannot be resolved by an informal classification challenge, a formal classification challenge should be initiated. Authorized holders of classified information, including authorized holders outside the classifying agency, who want to challenge the classification status of information shall present such challenges to an OCA with jurisdiction over the information. A formal challenge must be in writing but need not be any more specific than to question why information is or is not classified or is classified at a certain level.

The informal method will resolve the issue faster than a formal notice. Until a decision has been issued for any classification challenge, the markings shall be honored, and information protected as marked.


Automatic Declassification

CNSI records that are more than 25 years old and have been determined to have permanent historical value under title 44, United States Code, shall be automatically declassified whether or not the records have been reviewed. Subsequently, all classified records shall be automatically declassified on December 31 of the year that is 25 years from the date of its original classification following a thorough review.  

Systematic Declassification Review

Each agency that has originated classified information under this order or its predecessors shall establish and conduct a program for systematic declassification review. This program shall apply to records of permanent historical value exempted from automatic declassification under this order. Agencies shall prioritize the systematic review of records based upon the degree of researcher interest and the likelihood of declassification upon review.  

Mandatory Declassification Review

Mandatory Declassification Review (MDR) is a means by which any individual or entity can request any Federal agency to review classified information for declassification, regardless of its age or origin, subject to certain limitations. MDR is another route to the declassification and release of classified agency records under the terms of E.O. 13526. All information classified under the Order or predecessor orders by the originating agency (i.e. DoD, CIA, FBI); Congressional records classified by the executive branch; and information from past Presidential administrations is subject to MDR. This process is similar to the one in the Freedom of Information Act (FOIA) but focused on CNSI. Both processes allow an individual or entity to request any federal agency to review agency records for release. Classified documents identified during a FOIA request require an MDR before completing the FOIA request.

All MDR requests must be submitted in writing to the applicable agency. Information on where to send MDR requests at each agency can be found on the Information Security Oversight Office (ISOO) website at http://www.archives.gov/isoo/contact/mdr-contact.html.

The request must describe the document or material containing the information with sufficient specificity to enable the agency to locate it with a reasonable amount of effort.

The agency or agencies on record for generating the original document shall review the content related to their mission. An SME shall review the document to determine its mission-related content. The SME shall then evaluate the current CNSI impact of the mission-related content to determine if it may be declassified. The assigned SME shall coordinate with the ISD once a declassification recommendation exists.

Changes to the mission of the component agencies of the Department can be an obstacle to finding a SME to evaluate an MDR. Department agencies often perform an analysis role for the finished classified document. Sometimes, positions contributing to the production of the original classified document may no longer exist in the Department. Furthermore, the classification of the final document can exceed the maximum Secret classification from a Department OCA.

A Commerce OCA makes the final decision on all Mandatory Declassification Review recommendations following a SME review.

The requesting agency collects the MDR responses from the separate contributing agencies to determine if the document can be declassified. Congressional records classified by the executive branch, and information from past presidential administrations are subject to MDR. Requests for MDR to the Department may be sent to the Director for Security through the ISD:

Assistant Director, Information Security Division
U.S. Department of Commerce
14th and Constitution Avenue, NW, Room 1069
Washington, DC 20230


Information That is Not Subject to MDR

Information originated by the incumbent President or Vice President or their White House staff; committees, commissions, or boards appointed by the incumbent President; other entities within the Executive Office of the President that solely advise and assist the incumbent President; or information classified under the Atomic Energy Act of 1954 (Restricted Data/Formerly Restricted Data).

_____________________________________________________________________________________

Destruction

Classified documents may only be destroyed by authorized methods such as burning, pulping, or shredding on an authorized shredder listed on the National Security Agency’s Evaluated Products List. The Department maintains the capacity to support shredding paper with NSA crosscut shredders. Classified documents are reduced to an unrecoverable slurry; shards measuring 1 millimeter by 5 millimeter or less. This standard is applied to paper only. Electronic media, i.e., discs, must be destroyed with a strip shredder to shatter the rigid device. Larger electronic devices shall be destroyed with a demagnetizer, to wipe the data, and a defragmenter, to disassemble. Contact your FSSO for electronic media destruction if an approved method is not available.


Links

15 CFR Part 4a, Classification, Declassification, and Public Availability of National Security Information, June 10, 2020

Original Classification Authority, December 29, 2009 Presidential Order

DOC National Security Information Classification Guide, October 2020 (Commerce personnel only)

Information Security Oversight Office (ISOO) Classification Management Training Aids

Commerce Learning Center – (Search for Annual CNSI Security Clearance Holder Training)

 

 

_____________________________________________________________________________________

 


 

Attachment Size
DOC CNSI Security Classification Guide 59.24 KB