A lack of oversight and inconsistent implementation of the Department of Defense’s information security program are increasing the risk of misclassification, the Government Accountability Office has said.
It said misclassification of national security information reduces information sharing, in some ways provides adversaries with information, and costs millions in administrative costs.
The Pentagon’s information security program is decentralized to the DoD component level, and the office of the under secretary of defense for intelligence — responsible for information security — has limited involvement with, or oversight of, component information security programs, according to GAO-06-706.
It said that while some DoD components manage effective programs, others have weaknesses in classification management training, self-inspections, and classification guides.
Training at nine of 19 components GAO looked at did not cover fundamental classification management principles, such as how to properly mark classified information or determine how long it should be classified, the report said.
It said these weaknesses are consistent with others it found in the way DoD implements its information security program, and that the accuracy of DoD’s classification decision estimates is questionable because they are arrived at differently across the department.
The report said, however, that beginning with the fiscal 2005 estimates, OUSD-I would review estimates of DoD components, which could improve the accuracy of DoD’s classification decision estimates — provided their methodology becomes more consistent.