HHS Adopted, Administered, and Generally Followed Classified Information Policies
WHY WE DID THIS STUDY
The Reducing Over-Classification Act of 2010 mandates that the Inspector General of each agency of the United States with an officer or employee who is authorized to make original classification decisions conduct two evaluations. One evaluation is intended to (1) assess whether applicable classification policies have been adopted, effectively administered, and followed; and (2) identify practices that may contribute to misclassification of material. This evaluation must be completed by September 30, 2013. A second evaluation must be completed by September 30, 2016, and must review progress made pursuant to the results of the first. This report pertains to the first required evaluation and assesses whether HHS has adopted, effectively administered, and followed polices regarding classified national security information (NSI). The second objective is addressed in the report entitled Originally and Derivatively Classified Documents Met Most Federal Requirements (OEI 07 12-00401).
HOW WE DID THIS STUDY
We identified and reviewed all of HHS's classified NSI guidance documents to determine their scope and content. We compared HHS's National Security Information Handbook (Handbook) to an Executive Order and its implementing Directive to determine whether it was consistent with Federal requirements. We interviewed officials responsible for ensuring that HHS's classified NSI policies are effectively administered and followed. Finally, we surveyed Classification Security Officers responsible for providing guidance and oversight to their operating or staff divisions.
WHAT WE FOUND
HHS has adopted policies for classified NSI that are consistent with Federal requirements. Further, HHS used annual status reports and self-inspections to ensure that its classified NSI policies are effectively administered. Finally, HHS provided guidance and training to individuals who access classified NSI to ensure that its classified NSI policies are followed; however, not all Classification Security Officers received guidance or training.
WHAT WE RECOMMEND
We recommend that the Office of Security and Strategic Information (OSSI), working on behalf of the Office of the Secretary, clarify who is responsible for ensuring that Classification Security Officers receive training and ensure that all Classification Security Officers receive guidance and training regarding classified NSI. OSSI concurred with both recommendations and described actions taken to address them.