Audit report

Auditor Reports Inconsistency in DOD’s Security Classification Guides

The Department of Defense’s security classification guides are not consistent with existing federal policies, according to the results of an audit.

In a June 21 report, the DOD Office of Inspector General explained that maintaining the SCG consistency is the responsibility of original classification authorities, individuals appointed by the president, vice president or an agency head.

OCAs classify sensitive information in the first instance and develop SCGs for derivative classifiers, DOD OIG said.

According to the auditor, the SCGs inaccuracies and inconsistencies could cause derivative classifiers to incorrectly interpret them, resulting in over-classification or under-classification.

Over-classification can result in a lack of transparency in DOD programs, while under-classification could cause sensitive information to be disclosed to threat actors, the auditor warned.

OIG attributed the failures to a lack of oversight from the undersecretary of defense for intelligence and security as well as to the incompleteness of instructions in the Defense Technical Information Center index for SCGs.

The conclusions were based on an audit of 50 SCGs. OIG projected that OCAs failed to consistently maintain 83.7 percent of the 1,501 SCGs that exist in total.

OIG’s top recommendation is for USDI&S to direct component heads to immediately review SCGs under their authorities. The DTIC administrator disagreed with the inspector general’s recommendation to establish business rules for the SCG index.

According to the administrator, the recommendation would add complexity and increase opportunities for error.