What is the process of using existing classified information to create a new document?

Classification Management is the marking, safeguarding, identification, declassification, and destruction of classified national security information (CNSI) and determines the information’s life cycle. Information Security Program staff provide guidance to Department of Commerce operating units and security specialists on classification management and facilitate Subject Matter Expert (SME) reviews of CNSI as part of the Mandatory Declassification Review (MDR) process.

Original Classification

Original Classification Authority (OCA) to originally classify information as Secret or Confidential may be exercised by the Secretary of Commerce and by officials to whom such authority is specifically delegated. No Department official is authorized to originally classify information as Top Secret. This authority was reissued in December 29, 2009, Presidential order entitled, Original Classification Authority. This order designates those agency heads and officials as having the authority to classify information.

OCA is further delegated to the Department’s Director for Security, and the Deputy Under Secretary for the Bureau of Industry and Security in addition to the Secretary of Commerce. These are the only three OCAs within the Department.

The Department has published a DOC National Security Information Classification Guide (CUI//FEDCON) (Commerce personnel only) to assist derivative classifiers in the classification of CNSI. The Commerce OCA makes the final decision on Mandatory Declassification Review recommendations following the Subject Matter Expert review.

Derivative Classification

Derivative Classification is the extracting, paraphrasing, restating, or generating in new form information that is already classified and marking the newly developed material consistent with the classification markings that apply to the source information or classification guidance. The duplication or reproduction of an existing classified document is not derivative classification.

Examples of Derivative Classification:

• Extracting occurs when information is taken directly from an authorized classification guidance source and is stated verbatim in a new or different document.
• Paraphrasing or restating occurs when information is taken from an authorized source and is re-worded in a new or different document. (Paraphrasing is strongly discouraged)
• Generating is when information is taken from an authorized source and generated into another form or medium.

Derivative classifiers must carefully analyze the material they are classifying to determine what information it contains or reveals and evaluate that information against authorized classification guidance (Security Classification Guide (SCG), Classified Document, or DD-254). Unmarked does not mean unclassified.

COMPILATION, combining two or more pieces of unclassified information can result in an aggregate that is classified. This occurrence is called compilation, or aggregation. New material may include classified information that is contained in the classification guidance (e.g., the SCG). Or, because of the way it is organized or structured, the new material may reveal classified information that did not specifically appear in the classification guidance used to create it. Finally, the new material may aggregate, or bring together, pieces of information that are unclassified, or have one classification level, but when you present them together it either renders the new information classified or increases its classification level.

REVEALED BY, applies when derivative classifiers incorporate classified information from an authorized source into a new document that is not clearly or explicitly stated in the source document.

CONTAINED IN, when derivative classifiers incorporate classified information from an authorized source into a new document, and no additional interpretation or analysis is needed to determine the classification of that information. The concept also applies to the use of a SCG. Sometimes, the guidance in an SCG may explicitly apply to the content you incorporate into a new document.

Classification Challenges

A substantial cause for doubt regarding improper or unnecessary classification requires an informal challenge. Start by asking for a second opinion from another clearance holder with a need-to-know for the classified topic. Then take steps to contact the classifying agency to review their SCG.  Prepare a formal classification challenge if an alternate source is not found to confirm the classification level. Alternatively, if a classification challenge is warranted, contact your Facility Security Officer or the Information Security Division to informally resolve the issue. The informal method will resolve the issue timelier than a formal notice. Until a decision has been issued for any classification challenge, the markings shall be honored and information protected as marked.

Mandatory Declassification Review

Mandatory Declassification Review (MDR) is a process supporting access to information maintained by the US government. This is similar to FOIA but focused on CNSI. Both processes allow an individual or entity to request any Federal agency to review agency records for release.

MDR is a route to the declassification and release of classified Department records under the terms of E.O. 13526. The process addresses requests for classified information for declassification, regardless of its age or origin.

The agency (or agencies) on record for generating the original document are asked to review the content related to their mission. A Subject-Matter-Expert (SME) shall review the document to determine mission related content. The SME shall then evaluate the current CNSI impact of the mission related content to determine if it may be declassified. The assigned SME shall coordinate with the Information Security Division once a declassification recommendation he been determined to add to the MDR package.

Changes to mission of the component agencies of the Department can be an obstacle to finding a SME to evaluate the MDR. Department agencies often performed an analysis role for the finished classified document. Positions contributing to the production of the original classified document may no longer exist in the Department. In addition, the classification of the final document can exceed the maximum classification from a Department OCA, Secret.

The Department OCA makes the final MDR decision. The requesting agency collects the MDR responses from the separate contributing agencies to determine if the document can be declassified. Congressional records classified by the executive branch, and information from past Presidential administrations are subject to MDR. Requests for MDR to the Department may be sent to the Director for Security at:

U.S. Department of Commerce

Information Security Division (ISD), Office of Security (OSY), room 1521

1401 Constitution Avenue, NW

Washington, DC 20230

Freedom Of Information Requests (FOIA)

The MDR and Freedom of Information Act (FOIA) request are separate and distinct procedures. Classified documents identified during a FOIA request require an MDR before completing the FOIA request.

Destruction

Classified documents are only destroyed by authorized methods, e.g., burning, pulping, or shredding on an authorized shredder listed on the National Security Agency’s (NSA) Evaluated Products List. HCHB maintains the capacity to support shredding paper with NSA crosscut shredders. Classified documents are reduced to an unrecoverable slurry; shards measuring 1 millimeter by 5 millimeter or less. This standard is applied to paper only.

Electronic media, i.e., discs, must be destroyed with a strip shredder to shatter the rigid device. Larger electronic devices shall be destroyed with a demagnetizer, to wipe the data, and a defragmenter, to disassemble.

Resources

15 CFR Part 4a, Classification, Declassification, and Public Availability of National Security Information, June 10, 2020

Original Classification Authority, December 29, 2009 Presidential Order,

DOC National Security Information Classification Guide, October 2020 (Commerce personnel only)

Information Security Oversight Office (ISOO) Classification Management Training Aids

Classified Impromptu Meetings Checklist

When creating a derivatively classified document what actions must be taken to ensure the document is properly marked?

What is extension derivative classification?

What is the first step in derivative classification?

What is classification by compilation?