FY15: ISOO SELF-INSPECTION: FINALWCOVERLETTER

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
06896750
Release Decision: 
RIPPUB
Original Classification: 
U
Document Page Count: 
11
Document Creation Date: 
July 11, 2023
Document Release Date: 
February 22, 2022
Sequence Number: 
Case Number: 
F-2015-02655
Publication Date: 
November 5, 2015
Body: 
Approved for Release: 2022/01/27 C06896750

Central Intelligence Agency
Washington, D.C. 20505

5 November 2015

Mr. John P. Fitzpatrick, Director
Information Security Oversight Office
National Archives and Records Administration
Washington, D.C. 20408-0001

Dear Mr. Fitzpatrick:

(U) In response to the Information Security Oversight Office (ISOO), the Central Intelligence Agency (CIA) submits the enclosed FY 2015 Agency Annual Self-Inspection Program Data Report. This report covers the period from 1 October 2014 to 30 September 2015.

(U//FOUO) CIA built upon its successes from last year's report and continues to find great value in this exercise. In the 2,614 documents we reviewed, we found that portion marking continues to be a great shortcoming, but derivative classifiers tend to classify at the right level for the right reasons. We also found our OCA training numbers to be low, but this is due in part to shifts in personnel from OCA positions to newly created mission centers and directorates. CIA will review its OCA delegations in the coming months, likely increasing the number of OCAs to accommodate ten new mission centers and one new directorate. CIA will also use this review as an opportunity to ensure that far more of our OCAs are properly trained by the end of FY 2016.

UNCLASSIFIED//FOUO

(U) Please contact Mr. Harry Cooper, Chief, Classification Management and Collaboration Group, at 703- if you have any questions regarding the FY 2015 self-inspection report.

Joseph W. Lambert
Director, Information Management Services

Enclosure 2

AGENCY ANNUAL SELF-INSPECTION PROGRAM DATA: FY 2015
(Submissions must be unclassified.)

PART A: Identifying Information

1. Enter the agency name.
1. Central Intelligence Agency

2. Enter the date of this report.
2. November 3, 2015

3.
Enter the name, title, address, phone, fax and e-mail address of the Senior Agency Official (SAO) (as defined in E.O. 13526, section 5.4(d)) responsible for this report.
3. Joseph W. Lambert, Director, Information Management Services (IMS), CIA, Washington, DC 20505

4. Enter the name, title, phone, fax, and e-mail address of the individual or office responsible for conducting self-inspections and reporting findings.
4. Harry P. Cooper, Jr., Chief, Classification Management and Collaboration Group (CMCG), CIA, Washington, DC 20505

5. Enter the name, title, phone, fax, and e-mail address for the point-of-contact responsible for answering questions regarding this report.
5. Harry P. Cooper, Jr., Chief, Classification Management and Collaboration Group (CMCG), CIA, Washington, DC 20505

PART B: Classified National Security Information (CNSI) Program Profile Information

6. Has your agency been designated/delegated as an original classification authority (OCA)?
6. 0 Yes 0 No

7. Does your agency perform original classification activity?
7. 0 Yes 0 No

8. Does your agency perform derivative classification activity?
8. 0 Yes 0 No

9. Does your agency have an approved declassification guide and declassify CNSI?
9. 0 Yes 0 No

PART C: Self-Inspection Program Activity: Number of Self-Inspections Conducted

In FY 2014 and prior years, this information was reported on Standard Form 311, "Agency Security Classification Management Program Data."

10. Enter the number of self-inspections of the classified national security information program that were conducted by your agency during the reporting period. (Note that this does not include routine after-hours security checks.)
10. 17

PART D: Description of the Program

A description of the agency's self-inspection program to include activities assessed, program areas covered, and methodology utilized.
The description must demonstrate how the self-inspection program provides the SAO with information necessary to assess the effectiveness of the CNSI program within individual agency activities and the agency as a whole.

Responsibility

11. How is the SAO involved in the self-inspection program? (Describe his or her involvement with the self-inspection program.)
The SAO delegates responsibility to CMCG for the self-inspection program, approves the annual self-inspection plan, receives briefings on its results and recommendations, and approves follow-on actions.

12. How is the self-inspection program structured to provide the SAO with information necessary to assess the agency's CNSI program in order to fulfill his or her responsibilities under section 5.4(d) of E.O. 13526?
During FY15, while conducting ongoing self-inspection of documents in the Washington Metro Area (WMA), CMCG engaged field location counterparts through travel. Following each travel opportunity, the SAO received a memo with the results. The self-inspection is designed to cover compliance with all 5.4(d) areas of responsibility and to identify best practices and areas of improvement.

13. Whom has the SAO designated to assist in directing and administering the self-inspection program? Who conducts the self-inspections? (If the SAO conducts the self-inspections, which may be the case in smaller agencies, indicate this.)
The Chief of CMCG, an SES-level officer, is designated to assist in directing and administering the self-inspection program. A number of classification specialists in CMCG conduct the self-inspections.

Approach

14. What means and methods are employed in conducting self-inspections? (For example: interviews, surveys, data calls, checklists, analysis, etc.)
CMCG continues to utilize best practices developed during FY14, including a standard operating procedure, working with records management colleagues to capture electronic records, and collaborating with colleagues in the field to access their records. CMCG further refined its assessment worksheets to streamline collection and better address questions posed by the SAO, CMCG, and ISOO.

(b)(3) (b)(3) (b)(3)

INFORMATION SECURITY OVERSIGHT OFFICE
AUTHORIZED FOR LOCAL REPRODUCTION
32 CFR 2001 E.O. 13526

15. If your agency performs different types of inspections (e.g., component self-inspections, command inspections, compliance reviews, etc.), describe each of them and explain how they are used. If not, indicate NA.
CMCG continued to review documents across all components of CIA through document sampling and classification assistance throughout FY15. CMCG also engaged in 16 field location visits during FY15, which are counted as separate self-inspections in Part C, above. CMCG continued to conduct the annual Classification Count and analysis.

16. Do your agency's self-inspections evaluate adherence to the principles and requirements of E.O. 13526 and its implementing directive and the effectiveness of agency programs covering the following areas? (Select all that apply.)
Management and oversight [i] Original classification 0 Security violations 0 Safeguarding 0 0 Derivative classification 0 Declassification 0 Security education and training

17. Do your self-inspections include a review of relevant security directives and instructions?
17. ()Yes ONo

18. Do your self-inspections include interviews with producers (where applicable) and users of classified information?
18. ()Yes ONo

Approach: Representative Sample (If your agency does not classify information, indicate NA.)

19.
Do your self-inspections include reviews of representative samples of original and derivative classification actions to evaluate the appropriateness of classification and the proper application of document markings?
19. ()Yes 0 No ONA

20. Do these reviews encompass all agency activities that generate classified information?
20. �Yes 0 No ONA

21. Describe below how the agency identifies activities and offices whose documents are to be included in the sample of classification actions. (Indicate if NA.)
In the WMA, CMCG deliberately sampled documents that reflect the five major business areas of the agency. In field locations, CMCG worked closely with officers to ensure that the reviewed documents reflected an accurate depiction of their unique missions. The diversity of locations provided CMCG with a sample of all the activities encompassed by CIA's mission.

22. Do the reviews include a sampling of various types of classified information in document and electronic formats?
22. ()Yes 0 No ONA

23. How do you ensure that the materials reviewed provide a representative sample of the agency's classified information? (Indicate if NA.)
In the WMA, CMCG worked with IMS records management colleagues to collect a sample of documents that covered all agency components. This yielded material across the spectrum of the CIA mission. CMCG also reviewed analysis and reporting published on internal portals so as to evaluate trends of classified materials disseminated outside of the agency. CMCG continued to conduct visits to field locations, which provided a unique sample of documents related to the day-to-day mission critical activities of CIA.

24. How do you determine that the sample is proportionally sufficient to enable a credible assessment of your agency's classified product? (Indicate if NA.)
CMCG has continually assessed the documents reviewed to ensure the sample represents all major business areas and the missions/responsibilities of those areas.
CMCG deemed that this sample was sufficient to enable a credible assessment, based on the requirements of 32 CFR 2001.60. CMCG also determined that documents from 16 field locations represent the spectrum of documents associated with CIA operations.

25. Who conducts the review of the classified product? (Indicate if NA.)
Designated CMCG full-time classification specialists conduct document reviews. For field reviews, CMCG designates teams of three individuals to conduct classification reviews, interview field personnel, and provide training on classification policies, practices, and employee obligations regarding their secrecy agreements.

26. Are the personnel who conduct the reviews knowledgeable of the classification and marking requirements of E.O. 13526 and its implementing directive?
26. 'Yes ONo ONA

27. Do they have access to pertinent security classification guides? (Indicate if NA.)
27. ()Yes ONo ONA

28. Have appropriate personnel been designated to correct misclassification actions? (Indicate if NA.) 28a. If so, identify below.
28. ()Yes �No ONA

Frequency

29. How frequently are self-inspections conducted?
CMCG conducts the self-inspection year round. 16 field location visits took place over approximately seven months of FY15.

30. Describe the factors that were considered in establishing this time period?
Field location visits require extensive coordination with the respective offices to facilitate access in a manner that would not disrupt mission critical activities. Document inspection in the WMA continued year-round in order to allow CMCG sufficient time to identify possible data gaps within the sample and to provide opportunity to return to IMS records management partners for additional documents.

Coverage

31.
How do you determine what offices, activities, divisions, etc., are covered by your self-inspection program? What agency activities are assessed?
CMCG engaged in document review and personnel interviews in field locations and performed extensive document review and data analysis in the WMA. CIA had five major business areas, and CMCG deliberately sampled documents that reflect these components and their respective areas of responsibility within the broader CIA.

32. How is the self-inspection program structured to assess individual agency activities and the agency as a whole?
CMCG carefully considers the type of function performed in each component and the types of documents that each of these components produces. Classification assistance questions and results from previous years' self-inspections help to shape this consideration. CMCG also considers the demanding circumstances surrounding work in the field and in high-tempo areas of CIA as it pertains to understanding how officers in the field classify information.

Special Access Programs (SAP) (If your agency does not have the authority to create SAPs, indicate NA.)

33. If your agency has any special access programs, are self-inspections of the SAP programs conducted annually?
33. ()Yes ONo ONA

34. Do the self-inspections confirm that the agency head or principal deputy has reviewed each special access program annually to determine if it continues to meet the requirements of E.O. 13526?
34. �Yes ONo ONA

35. Do the self-inspections determine if officers and employees are aware of the prohibitions and sanctions for creating or continuing a special access program contrary to the requirements of E.O. 13526?
35. �Yes ONo ONA

Reporting

36. What is the format for documenting self-inspections in your agency?
CMCG documents its self-inspection through standardized document checklists, followed by data aggregation spreadsheets. CMCG also uses standardized forms for field personnel interviews.
Following each field visit, CMCG prepares a classified trip report that analyzes findings and after-action opportunities related to classification training and practice improvements. As requested, CMCG briefs the SAO on these visits and overall progress. At the end of the self-inspection, CMCG prepares the annual report and briefing materials for the SAO and other senior officials, as necessary.

37. Who receives the reports?
The SAO; Chief of CMCG; the Chief Information Officer; other agency senior officials, as necessary; ISOO.

38. Who compiles/analyzes the reports?
The CMCG Analysis and Review Staff.

39. How are the findings analyzed to determine if there are problems of a systemic nature?
CMCG aggregates data from the document checklists and personnel interviews in spreadsheets, then develops formulas that identify opportunities for improvement in the reporting areas required by ISOO. CMCG also tracks and analyzes trends in classification derivative choices, application of dissemination controls, classification differences between WMA and field locations, and classification differences between the five major agency components. The final analysis helps CMCG identify potential areas for improvement in both customized and agency-wide original and derivative classifier training.

40. How and when are the results of the self-inspections reported to the SAO?
CMCG briefs the SAO after completion of data analysis and production of draft findings and recommendations. The annual self-inspection program data form is submitted to the SAO before it is released to ISOO. Once the SAO approves the findings and recommendations, CMCG submits the form to ISOO and begins implementation of recommendations as necessary.

41. How is it determined if corrective actions are required?
CMCG carefully analyzes its document review and interview data for opportunities for improvement in agency-wide classification practices.
If/when patterns are evident, either in a particular business area or agency-wide, CMCG develops possible corrective action for consideration by the SAO.

42. Who takes the corrective actions?
This depends on the finding: CMCG, IMS records management partners, field offices when necessary.

43. How are the findings from your agency's self-inspection program distilled for the annual report to the Director of ISOO?
CMCG continues to conduct analysis of documents via spreadsheet. This information is distilled into findings for the Director of ISOO. Self-inspection findings are also supported by day-to-day classification support, training provided by CMCG to CIA, and data collected during the annual classification count.

44. Has the SAO formally endorsed this self-inspection report? If yes, please provide documentation.
44. 0 Yes ONo

PART E: A summary of the findings of your agency's self-inspection program

The summary should present specific, concise findings from your self-inspection program for each of the required program areas below. It is not a description of the requirements of the agency's CNSI program. Rather, the summary outlines the essential self-inspection findings based on the compilation and/or distillation of the information contained in the agency's internal self-inspection reports, checklists, etc. In large agencies where findings are drawn from multiple agency offices and activities, the findings that are reported here may be the most significant or most frequently occurring.

45. Original Classification: The self-inspection determined that the number of original classifiers (OCAs) was kept at the lowest possible level, based on demonstrable and continuing need to exercise this authority, per E.O. 13526, Sec. 1.3.
Original classifier training was frequently provided and, in keeping with this training, OCAs understood that their authority is only to be exercised in the rare case that an Agency classification guide does not provide sufficient guidance, and there appears to be a need for classification, based on E.O. 13526 criteria.

46. Derivative Classification: From a sample of over 2,100 documents, the self-inspection found that 5.02% of documents were overclassified and 3.03% were underclassified. Specifically, 17.31% of documents classified as TOP SECRET (TS) were overclassified, including 16.83% that should have been SECRET (S). 2.84% of documents classified S were overclassified, with 2.07% that should have been CONFIDENTIAL (C). Less than 1% of C documents were overclassified, but 1.76% of C documents were underclassified. Most prominently, the self-inspection found that 87% of sampled documents lacked portion marking. CMCG also noted that 2% of sampled documents had an inappropriate ORCON/NOFORN caveat.

47. Declassification: CIA continued declassification program improvements with additional metrics and statistical reports to better manage Freedom of Information Act (FOIA), Privacy Act (PA), and Mandatory Declassification Review (MDR) declassification efforts. In FY15, initial FOIA/PA backlog increased 43% and MDR backlog decreased 45%. The Agency reduced the FOIA/PA appeals backlog by 4% and the MDR backlog by 18%. The Agency closed nine of the 10 oldest FOIA initial cases and five of the 10 oldest FOIA appeals cases. The CIA automatic declassification program in FY15 received a 100% score in the ISOO assessment (external ISOO assessment vice "self-assessment"). The ISOO assessment evaluated missed exemptions, missed referrals, and improper exemptions.
Our own internal quality assurance program for automated review, which looks at 100% of declassified documents, has identified a less than 2% error rate prior to official declassification (errors are subsequently corrected). Once released, errors identified by ourselves, other government agencies, or the public are rare.

48. Safeguarding: The review found that the Agency has a robust program for safeguarding classified information. Within the components, instructions are in place and staff and contract employees are aware of the policies and procedures. The Agency has a diverse training and education program designed to address each aspect of safeguarding national classified information such as classification; personnel reporting requirements; and cyber security. Within each of the safeguarding disciplines, the Agency strives to develop proactive measures versus reactive measures to secure classified information. Following E.O. 13526 and the Intelligence Community Directives (ICDs), the Agency has revised numerous regulatory issuances to provide specific guidance to employees and contractors.

49. Security Violations: The review determined that the Agency has a well-developed program to ensure security violations are investigated, adjudicated, and recorded in alignment with E.O. 13526, Presidential Decision Directive 12, ICDs 703 and 704, and with procedures established by the Department of Justice and the Federal Bureau of Investigation. Violations are recorded and tracked to prevent repeated violations. Employees receive one-on-one counseling when incidents do occur. The Agency has a sustained record of providing training and employee awareness to prevent security violations. The Agency's number of security violations has remained consistent between FY14 and FY15.

50.
Security Education and Training: The review concluded that the Agency's program for Security Education and Training supports multiple training levels--from orientation for new hires, to mandatory refresher courses, to in-depth, area-specific training for employees and contractors. Employee awareness is high as a result of regularly offered special courses and lectures. The Agency's program to record all training and enforce mandatory training requirements ensures the opportunity for all employees to demonstrate a sound understanding of safeguarding classified information.

51. Management and Oversight: CMCG provides year-round classification assistance to CIA and its partners. This includes professional courses for classification specialists, training for new personnel in the fundamentals of classification, as well as training for various components and federal partners. CMCG also provides original and derivative classifier refresher training and a classification assistance service that provides real-time assistance to Agency personnel. Based on the initial success of the program in FY14, CMCG has increased the number of classification referents deployed to Agency business areas, which provides improved classification assistance to a second business area. These functions provide insight into the types of problems that are encountered on a daily basis and help CMCG strengthen classification training, classification guide development, and regulatory policy adjustments which provide meaningful support to the workforce. CMCG brings issues to the attention of the SAO, who consults with the CIO, Agency Executive Director, and others as appropriate.

PART F: An assessment of the findings of your agency's self-inspection program

The assessment discerns what the findings mean.
The assessment is an evaluation of the state of each element of your agency's CNSI program based on an analysis of the specific, concise findings of the self-inspection program. It reports what you have determined the findings indicate about the state of your agency's CNSI program. The assessment should inform the SAO and other decision makers of significant issues that impact the CNSI program. It should be used to determine how security programs can be improved, whether the agency regulation or other policies and procedures must be updated, and if necessary resources are committed to the effective implementation of the CNSI program. The assessment should report trends that were identified during the reporting period across the agency or in particular activities, as well as trends detected by making comparisons with earlier reporting periods. It can be used to support assertions about the successes and strengths of an agency's program.

52. Original Classification: During FY15, 9 of the 14 OCA actions involved approval of new classification guides developed in collaboration with business areas in order to provide meaningful protection guidance to officers working with these equities. CMCG continues to work closely with subject matter experts throughout the Agency to identify other business areas, projects, programs, and/or topics that would benefit from more customized guidance associated with classified material.

53. Derivative Classification: CMCG continues to strive toward the highest standard for classifying material and continues to include lessons learned during the self-inspection in planning for future actions. Proper portion marking continues to be a major shortcoming agency-wide and will be a specific point of emphasis in all future training.
Issues with classified information in cables and email signatures have been raised in many discussions and agency authorities have sent reminders to users in the field to be especially vigilant about this reoccurring error. By the end of FY15, CIA has created 24 Security Classification Guides (SCGs) and is in the process of developing another 23. Through FY16, CMCG will continue to provide live support to personnel and develop on-demand web-based training and assistance that can reach officers worldwide.

54. Declassification: IMS is pursuing a major new information technology initiative, Next Generation Information Management (NGIM). This initiative includes new tools based on machine learning and artificial intelligence designed to significantly improve review accuracy, equity identification, and review efficiency. The Agency continues to refine processes and management to improve its declassification efforts. The Information Review and Release Group is also taking advantage of new resources and opportunities to increase training and outreach within the Agency and around the US Government. The Agency understands that declassification work will continue to increase at a staggering pace and CIA will continue to identify and leverage new partnerships and opportunities to meet the challenges ahead.

55. Safeguarding: The Agency's safeguarding measures meet the needs of the mission; however, the Agency continues to seek advancement through innovation and use of technology while testing the current methods. The Agency is increasingly implementing metadata schema to enforce system safeguards. Improvements to these metadata systems will enable greater precision with document security practices. The Agency continues to revise and update policies and procedures to reflect modernization.

56. Security Violations: The self-inspection affirmed that the Agency's education and training programs have developed a work force that appropriately reports security violations.
The Agency is a front runner within the IC with respect to developing, implementing, and improving programs to enhance employee compliance with security regulations. For example, the Agency had a comprehensive program for reporting contact with foreign nationals prior to the Presidential Decision Directive 12. We continue to advance policy and procedures to inform the workforce and raise awareness.

57. Security Education and Training: The Agency's security education and training program provides instruction for all levels and multiple aspects of safeguarding classified information, specifically adapted to our mission. The Agency's modernization has resulted in a comprehensive review of Agency training and employee development, including security education. The Agency maintains a fully developed curriculum to ensure safeguarding of classified information; essential security education is mandatory for all employees and contractors. For FY16, the Agency's web-based training for derivative classifiers will be compliant with the Americans with Disabilities Act, ensuring increased accessibility for derivative classifiers.

58. Management and Oversight: The self-inspection continues to provide unique opportunities for CMCG to interact with personnel from all over the Agency and around the world. Travel allowed CMCG to better understand CIA's most active and sensitive programs, provide in-person guidance and training, and hear firsthand about the ways CMCG can improve support to its colleagues. CMCG will continue to improve its outreach to the Agency workforce and work with its colleagues to develop meaningful, timely solutions for every situation.

PART G: Focus Questions

Answer the questions below.
If the response identifies a deficiency, it should be explained in Part D, Summary of Findings, under the relevant program area, and should be addressed in Part H, Corrective Actions.

Training for Original Classification Authorities

Original classification authorities are required to receive training in proper classification and declassification each calendar year. (Section 1.3(d) of E.O. 13526 and § 2001.70(c) of 32 C.F.R. Part 2001) (Indicate NA if your agency does not have original classification authority.)

59. Does agency policy require training for original classifiers?
59. �Yes ONo ONA

60. Has the agency validated that this training has been received?
60. ()Yes ONo ONA

61. What percentage of the original classification authorities at your agency has received this training?
61. 67% 0 Actual 0 Estimated

62. Have any waivers to this requirement been granted?
62. �Yes ONo ONA

Persons who Apply Derivative Classification Markings

Persons who apply derivative classification markings are required to receive training in the proper application of the derivative classification principles of E.O. 13526, prior to derivatively classifying information and at least once every two years thereafter. (Section 2.1(d) of E.O. 13526 and § 2001.70(d) of 32 C.F.R. Part 2001) (Indicate NA if your agency does not have any personnel who derivatively classify information.)

63. Does agency policy require training for derivative classifiers?
63. �Yes ONo ONA

64. Has the agency validated that this training has been received?
64. �Yes ONo ONA

65. What percentage of the derivative classifiers at your agency has received this training?
65. 93% 0 Actual 0 Estimated

66. Have any waivers to this requirement been granted?
66. ()Yes ONo ONA

Initial Training

All cleared agency personnel are required to receive initial training on basic security policies, principles, practices, and criminal, civil, and administrative penalties. (§ 2001.70(b) of 32 C.F.R. Part 2001)

67.
Does agency policy require initial training?
67. ()Yes ONo

68. Has the agency validated that this training has been received?
68. ()Yes ONo

69. What percentage of cleared personnel at your agency has received this training?
69. 100% (0 Actual 0 Estimated

Annual Refresher Training

Agencies are required to provide annual refresher training to all employees who create, process, or handle classified information. (§ 2001.70(f) of 32 C.F.R. Part 2001)

70. Does agency policy require annual refresher training?
70. ()Yes ONo

71. Has the agency validated that this training has been received?
71. ()Yes ONo

72. What percentage of the cleared employees at your agency has received this training?
72. 93% 0 Actual 0 Estimated

Identification of Derivative Classifiers on Derivatively Classified Documents

Derivative classifiers must be identified by name and position, or by personal identifier on each classified document. (Section 2.1(b)(1) of E.O. 13526 and § 2001.22(b) of 32 C.F.R. Part 2001) (Indicate NA if your agency does not derivatively classify information.)

73. Does your agency's review of classification actions evaluate if this requirement is being met?
73. �Yes ONo ONA

74. What percentage of the documents sampled meet this requirement?
74. 97.8%

75. What was the number of documents reviewed for this requirement?
75. 2,614

List of Sources on Documents Derivatively Classified from Multiple Sources

A list of sources must be included on or attached to each derivatively classified document that is classified based on more than one source document or classification guide. (§ 2001.22(c)(1)(ii) of 32 C.F.R. Part 2001)

76. Does your agency's review of classification actions evaluate if this requirement is being met?
76. �Yes ONo ONA

77. What percentage of the documents sampled meet this requirement?
77. 79.4%

78. What was the number of documents reviewed for this requirement?
78.
2,614

INFORMATION SECURITY OVERSIGHT OFFICE
AUTHORIZED FOR LOCAL REPRODUCTION 32 CFR 2001 E.O. 13526

Performance Evaluations
The performance contract or other rating system of original classification authorities, security managers, and other personnel whose duties significantly involve the creation or handling of classified information must include a critical element to be evaluated relating to designation and management of classified information. (Section 5.4(d)(7) of E.O. 13526)
79. Does agency policy require this critical element in the performance evaluations of personnel in the categories required by E.O. 13526?
79. 0 Yes 0 No
80. Has the agency validated that this critical element is included in the performance evaluations of personnel in the categories required by E.O. 13526?
80. 0 Yes 0 No
81. What percentage of such personnel at your agency has this element in their performance evaluations?
81. 100% 0 Actual Estimated

OCA Delegations
OCA delegations shall be reported or made available by name or position to the Director of the Information Security Oversight Office. (Section 1.3(c)(5) of E.O. 13526). This can be accomplished by an initial submission followed by updates on a frequency determined by the SAO, but at least annually. (§ 2001.11(c) and § 2001.90(a) of 32 C.F.R. Part 2001)
82. Have there been any changes in the delegations, by name and position, of original classification authority in your agency since delegations were reported to ISOO in 2010?
82. ()Yes ONo ONA
83. Have all delegations been limited to the minimum required based on a demonstrable and continuing need to exercise this authority?
83. �Yes ONo ONA
84. If changes have been made, have they been reported, by name or position, to ISOO?
84.
()Yes ONo ONA

Classification Challenges
An agency head or SAO shall establish procedures under which authorized holders of information, including authorized holders outside the classifying agency, are encouraged and expected to challenge the classification of information that they believe is improperly classified or unclassified. (Section 1.8(b) of E.O. 13526) Classification challenges must be covered in the training for original classification authorities and persons who apply derivative classification markings. (§ 2001.71(c) and § 2001.71(d) of 32 C.F.R. Part 2001)
85. Has your agency established procedures under which the classification of information can be challenged in accordance with section 1.8(b) of E.O. 13526 and § 2001.14 of 32 C.F.R. Part 2001?
85. ()Yes ONo
86. Does your agency's training for OCAs and for personnel who apply derivative classification markings cover classification challenges?
86. ()Yes No
87. Does your agency's training for all other cleared personnel cover classification challenges?
87. �Yes 0 No

Industrial Security
The National Industrial Security Program (NISP) was established under E.O. 12829 to safeguard Federal Government classified information that is released to contractors, licensees, and grantees (hereinafter contractors) of the United States Government. The Secretary of Defense serves as Executive Agent for inspecting and monitoring the contractors, who require or will require access to, or who store or will store classified information, and for determining the eligibility for access to classified information of contractors and their respective employees. Besides the Department of Defense (DoD), there are four other agencies that are Cognizant Security Agencies (CSAs): the Office of the Director of National Intelligence (ODNI), the Department of Energy, the Nuclear Regulatory Commission, and the Department of Homeland Security, that are authorized to provide operational oversight of their contractors.
The heads of other agencies, except the Central Intelligence Agency (CIA), are required to enter into agreements with the Secretary of Defense that establish the terms of the Secretary's responsibilities on behalf of these agency heads. The ODNI may enter into an agreement with the CIA authorizing the latter to inspect and monitor contractor programs requiring access to intelligence sources and methods, including Sensitive Compartmented Information.
88. Does your agency have contracts that require access to classified national security information (CNSI), hereinafter referred to as classified contracts?
88. ()Yes 0 No
89. Is your agency one of the CSAs designated by E.O. 12829?
89. �Yes 0 No
90. If your agency issues classified contracts and is not a CSA, has it entered into an agreement with the DoD to provide industrial security services, or in the case of the ODNI, with the CIA?
90. �Yes 0 No ONA
91. If your agency issues classified contracts, has your agency head designated a senior agency official for the NISP?
91. �Yes 0 No ONA
92. If your agency issues classified contracts, does it provide the contractor with current security classification guidance?
92. �Yes ONo ONA
93. Are the contractor's security requirements issued through either a specific contract clause or by a Contract Security Classification Specification (DD-254)?
93. ()Yes 0 No ONA

PART H: Findings of the Annual Review of Agency's Original and Derivative Classification Actions
In this section provide specific information with regard to the findings of the annual review of the agency's original and derivative classification actions to include the volume of classified materials reviewed and the number and type of discrepancies identified.
94.
Indicate the volume of classified materials reviewed during the annual review of agency's original and derivative classification actions. (If your agency does not classify information, indicate NA.)
94. 2,614
95. Indicate the number of discrepancies found during the annual review of classification actions for each category below. For additional information on marking, consult the ISOO marking guide.
95 (a) Over-classification: Information does not meet the standards for classification.
95 (a) 126
95 (b) Overgraded/Undergraded: Information classified at a higher/lower level than appropriate.
95 (b) 73
95 (c) Declassification: Improper or incomplete declassification instructions or no declassification instructions.
95 (c) 90
95 (d) Duration: A shorter duration of classification would be appropriate.
95 (d) 119
95 (e) Unauthorized classifier: A classification action was taken by someone not authorized to do so.
95 (e) 0
95 (f) "Classified By" line: A document does not identify the OCA or derivative classifier by name and position or by personal identifier.
95 (f) 28
95 (g) "Reason" line: An originally classified document does not cite a reason from section 1.4 of E.O. 13526.
95 (g) 0
95 (h) "Derived From" line: A document fails to cite, or cites improperly, the classification source. The line should include type of document, date of document, subject, and office/agency of origin.
95 (h) 56
95 (i) Multiple sources: A document cites "Multiple Sources" as the basis for classification, but a list of these sources is not included on or attached to the document.
95 (i) 20
95 (j) Marking: A document lacks overall classification markings or has improper overall classification markings.
95 (j) 959
95 (k) Portion Marking: The document lacks some or all of the required portion markings.
95 (k) 2,227
95 (l) Instructions from a classification guide are not properly applied.
95 (l) 943
95 (m) Other: Unauthorized ORCON/NOFORN caveat.
95 (m) 53

PART I: Corrective Actions
96.
Describe actions that have been taken or are planned to correct identified program deficiencies, marking discrepancies, or misclassification actions, and to deter their reoccurrence.

CIA will continue to provide year-round classification training to all original and derivative classifiers. Efforts are underway to provide more web-based training and quick help videos which will be particularly helpful for officers in the field. Training for new employees will also continue and course administrators have updated the content and methods to provide a better learning experience.

CIA intends to continue development of classification guides that address current practices in all business areas. CMCG believes that guides addressing CIA's key functions will lead to better derivative citations, provide better on-demand guidance, and reinforce declassification decisions. Thorough guides will also provide a strong foundation for any future automated classification assistance tools.

Emphasis on portion marking will be a continued theme for outreach and training across the Agency. CMCG will reinforce the fact that almost all classified documents, regardless of how broad the dissemination, must be portion marked to ensure both proper protection and dissemination of information. CMCG has reiterated this in all training and outreach activities, and will continue to do so as long as necessary.

CMCG has continued to increase the number of classification experts deployed to business areas, building on the recorded success of its pilot program in FY14. CMCG has found that Agency personnel appreciate the in-person assistance these forward-deployed classification officers (FDCOs) provide and that FDCOs make significant contributions to resolving the increasing number of classification questions CMCG regularly fields.

PART J: Best Practices
Best practices are those actions or activities that make your self-inspection program and/or CNSI program more effective or efficient. They set your program apart through innovation or by exceeding the minimum program requirements. These are practices that may be utilized or emulated by other agencies.
97. Describe best practices that were identified during the self-inspection.

CMCG built much of its FY15 self-inspection practices on successes developed during FY14, especially with travel, outreach, and data analysis. CMCG took time early in the process to revise the data collection worksheets in an effort to speed up the review process and to quickly produce data relevant to questions from ISOO and within CMCG. This effort increased production during the process of inspection, which resulted in a larger volume of documents reviewed.

Travel to the field and in-person interviews with officers have produced unique insights into how some of our operational personnel interact with classification rules, tools, and training. CMCG is careful to inform all field locations that visits are for research on how to improve CIA's classification services, and will not lead to any punitive reaction. CMCG finds that a candid demeanor leads to candid responses. CMCG is actively mining these responses and the statistical data to refine training, software, and outreach.

PART K: Explanatory Comments
98. Use this space to elaborate on any section of this form. If more space is needed, provide as an attachment to this form. Provide explanations for any significant changes in trends/numbers from the previous year's report.

028. CMCG often finds that the reviewed documents cannot be easily edited to fix classification errors. However, CMCG highlights systematic errors for officers or their local classification specialists in an effort to prevent future errors.

034.
Annual recertification of CIA's SAPs is conducted by ODNI. CIA responds to ODNI's annual data call to recertify its SAPs, which is a process separate from the annual self-inspection.

061. CIA just completed a modernization effort, which affected the number of staff in OCA positions during the end of the reporting period. Many staff moved from positions with OCA to newly created positions that do not yet have OCA. In FY16, CIA will reassess OCA roles in the new Agency structure and use the opportunity to ensure proper training is provided.

065. The reported 93% captures the Agency population within one year. This percentage may actually be higher than reported when assessing a two-year period.

070. CIA requires that all officers complete their derivative classifier training on an annual basis, which also serves as the annual refresher training.

095(h). This number represents the number of classified documents that failed to cite at least one correct CIA Security Classification Guide (SCG). Of these, 33 cited a legacy SCG, 8 incorrectly cited SCGs from other agencies, and 15 had no SCG in the classification block. CMCG further found that 751 documents failed to cite at least one correct SCG and 855 documents should have cited another SCG to address all of the classified equities in the document.

095(k). As with previous years, CMCG found the lack of portion marking to be the greatest flaw in CIA's classification practices. CMCG found that, generally, documents intended for external readership (e.g. finished intelligence, disseminated human intelligence reporting, interagency memos, etc.) are portion marked, and marked correctly, but documents intended for limited readership (e.g. emails, cables, spreadsheets, etc.) are not portion marked at all. The lack of portion marking is a problem with cable traffic more so than other products. Changes to our cable preparation system will be considered as a means to solve this systematic issue.

095(l).
This number represents the number of documents that 1) met the criteria for classification; 2) were marked as classified; 3) were classified at the correct level; and 4) had cited at least one correct CIA SCG, but were found to be missing other reasonable CIA SCGs.

For ISOO USE Only
ISOO Analyst:
Date QC:
Analyst Initials: