Secretary of Defense Lloyd J. Austin III this week ordered a widescale review of how secret information is handled and managed by the military following the leak of dozens of highly sensitive Pentagon documents apparently at the hands of a low-level Massachusetts Air National Guard airman.
In the April 17 directive, Austin directed the Under Secretary of Defense for Intelligence and Security (USD(I&S)) – in coordination with the Chief Information Officer (CIO) and the Director of Administration and Management (DA&M) – to lead a comprehensive review to assess possible changes in how secret materials are distributed, and who has access to them.
“Within 45 days, [investigators] will provide the Secretary with initial findings and recommendations to improve the department’s policies and procedures related to the protection of classified information,” Deputy Press Secretary, Sabrina Singh, said during a Pentagon news briefing. “We’ll have more to say soon on more immediate actions that we will be taking.”
Meanwhile, Austin has also directed Department of Defense (DoD) components to immediately review and assess their adherence to standards for protecting classified national security information and report their findings to the USD(I&S) no later than May 2.
Specifically, Austin has ordered DoD components to ensure their organizations adhere to the following standards:
DoD components are required to comply with policy requirements to designate a Top Secret (TS) Control Officer and maintain accountability by recording the receipt, reproduction, transfer, transmission, downgrading, declassification, and destruction of TS information.
DoD Components are required to re-emphasize control measures, to re-emphasize compliance with pre-publication review processes to validate the security clearance for individuals requesting classified national security information and to ensure end-of-day security checks are conducted.
Storage and Destruction
Classified information is required to be secured and maintained under conditions adequate to deter and detect access by unauthorized persons. In addition, personnel must appropriately destroy non-record copies of classified national security information when those documents are no longer necessary for ongoing tasks.
Transmission and Transportation
DoD components are required to ensure classified national security information is appropriately packaged in transit, using lock bags or other approved means, and transported by credentialed couriers.
Security Education and Training
DoD components are required to ensure compliance with security and education policy which includes mandatory initial and annual refresher training for classified national security and controlled unclassified information.
Austin also emphasized that DoD components should leverage their supporting counterintelligence and security professionals to provide refresher training to the workforce.
“This training should address the risks and consequences of unauthorized disclosures, which may include, administrative penalties, such as termination of employment, or criminal prosecution, as appropriate,” he wrote.
Reporting of Security Incidents Involving Classified Information
All DoD personnel who become aware of the loss or potential compromise of classified national security information are required to immediately report such information to their chain of command and their security manager. DoD personnel may also report incidents to their Office of the Inspector General.
“Leaders must reinforce their expectation that their workforce will immediately report all security incidents to the chain of command and their security manager or the Office of their Inspector General and must ensure individuals in their workforce are empowered to make these reports,” Austin wrote.
Specifically for electronic transmissions, DoD personnel are required to transmit classified national security information only over secure communications networks approved for the transmission of the information at the specified level of classification.
DoD components will need to immediately review their adherence to existing policies and guidance to ensure compliance with system access controls, audibility, and user activity monitoring on classified networks. Additionally, DoD components should further adhere to “least privilege” principles in granting access to classified data.
Transmission on Private Sector Communications Channels is Expressly Prohibited
Finally, Austin emphasized that non-DoD-controlled electronic messaging services are not authorized to process non-public DoD information, regardless of the service’s perceived appearance of security.
Based on insight from the 45-day review and the DoD components review of their adherence to standards the USD(I&S), DoD CIO, and DA&M will provide the defense secretary with advice on any necessary security policy changes and will identify any necessary enhanced requirements for accessing the Pentagon’s most sensitive systems, information, and facilities.