Marking sensitive compartmented information (SCI) implies following strict rules and procedures that vary depending on classification levels of that particular document/file. Given the high importance of properly handling sensitive compartmented information, we decided to share some guidance in this blog on how SCI has to be marked to avoid inadvertent disclosure of classified information. Additionally, we provide some insights into the incidents that require disclosure of classified information as well as outline some best practices on how to properly redact classified information.
What guidance is available for marking sensitive compartmented information
Sensitive compartmented information (SCI) is a subset of classified national intelligence. It represents information about intelligence sources and methods and can include information related to sensitive collection systems, analytical processing, and targeting, or which is derived from it.
The guidelines for marking sensitive compartmented information imply specific requirements. One of such requirements is the mandatory usage of color-coded cover sheets and markings for each SCI document.
The cover sheet must contain color-coded bars in the upper right-hand corner of the cover page. Each color indicates the compartment that a document is classified under. For SCI compartments, the color code is yellow.
The classification markings are shown in the classification or banner line, displayed at the top and bottom of every document and usually has three parts, divided by double slashes:
Classification level // SCI or SAP compartment // Dissemination marking
Besides the three main classification levels (i.e. TOP SECRET (TS); SECRET; CONFIDENTIAL), a series of Sensitive Compartmented Information (SCI) codes further control the access to the documents.
There are three SCI systems in published Register:
- COMINT (SI) – a control system for communications intercepts or Signals Intelligence
- GAMMA (-G) subcontrol system of COMINT, for highly sensitive communication intercepts;
- TALENT KEYHOLE (TK) – control system for products of overhead collection systems, such as satellites and reconnaissance aircraft.
HUMINT (HCS) – a control system that is intended to provide enhanced protection to exceptionally fragile HUMINT sources, methods, and activities based on assessed value and vulnerability of information.
Best practices when handling SCI
How do you avoid inadvertent disclosure of classified information? By handling SCI properly. Some of the best practices in that regard include:
- Ensuring that you mark classified information appropriately;
- Use proper markings, including paragraph portion markings
- Use Security Classification Guides
- Use Classification Management Tool (CMT) (ICS 500-8) for email and electronic documents
- Attaching appropriate cover sheets
- Taking precautions when transporting classified information through unclassified areas
- Completing annually required classification training
What are the incidents that require disclosing classified information?
There are various scenarios in which disclosure of classified information may occur, namely:
- As a result of information access or declassification request: i.e. after reviewing materials in response to a Freedom of Information Act (FOIA) request, as well as a mandatory declassification review request, discovery request, subpoena, etc.
- After review as part of the Department’s systematic declassification review program;
- After the elapse of the time or the occurrence of the event detailed at the time of classification;
- By operation of the automatic declassification provisions of section 3.3 of the Executive Order with respect to material more than 25 years old.
When there is doubt regarding the classification of a document, it must be sent out for review to the Director, ONS, and to an agency with proper subject matter interest and original classification authority – at which point that the agency will decide to declassify, or extend the initial classification level.
How to protect classified information through proper redaction techniques
What are the dangers of improper redaction?
With the tools currently available, the days of manually redacting documents with redaction tape or a black marker should be long gone. That said, many agencies still tackle redactions manually. But today, way too many records must be plowed through, and humans can barely scratch the surface before accuracy suffers. Plus, no tape or marker will scrub the metadata from electronic records, which can reveal everything contained in a file – even deleted text.
Over the years, agency personnel have developed redaction methods such as using software tools to apply black boxes or a series of X’s over text or to change the font to white. The results may look good on the surface, but the redactions fail spectacularly at protecting sensitive information. Some examples of such redaction fails include:
- Publishing leaked NSA documents in 2014, three redactions made by The New York Times were intended to obscure sensitive national security information. The information was uncovered with the same type of copy and paste technique used in the Manafort case.
- More recently, court records regarding an SEC fraud settlement included an affidavit with 100 pages of financial transactions blacked out in a PDF file. The black boxes vanished when the file was uploaded to another application.
Such cases will continue to crowd the headlines as more people become aware of the ease of accessing improperly redacted information.
Best practices of redacting classified information
Redaction is a critical and costly aspect of the document disclosure process – even more so when your agency must deal with the consequences of not doing it correctly.
Some high-level redaction best practices include:
Don’t rely on forms to locate sensitive information.
Though it’s tempting to save time by doing a simple keyword search to locate personal information, such as Social Security numbers, it is not a safe practice, as a lot of other classified information might “hide” within the document. This is why it is essential to thoroughly scan through documents to not miss an important detail. Luckily, these days, modern eDiscovery technology can easily streamline this process.
Include a reason code for each redaction.
When redacting information, you must provide a reason for each redaction you make should a recipient challenge that redaction. Thus, it is a best practice to automatically provide the reason for redaction, usually in the form of white text on the black redaction box.
Fortunately, if the user defines the reasons for a redaction when defining a rule for an automated search, the same technology that identifies classified information for redaction can automatically code the reason for the redaction.
Make sure that you remove all classify information, not just cover within the document
To avoid inadvertent disclosure of classified information, you must entirely strip that information out of the documents / files. This is often a very time-consuming and prone-to-error process when done manually. In that sense, automatic redaction technology will completely obscure the text and ‘burn-in’ the redaction box, so that the box cannot be removed later on.
Remove classified information from text files and metadata
Files are typically accompanied by metadata files (i.e. load files and data files), some of which might contain the same information that was redacted from the original file. Therefore, it is essential that these sources of information are also stripped and sanitized to ensure no inadvertent disclosure occurs.
Use modern technology to make your redaction process more efficient
Having the right technology, such as that used for eDiscovery, arms personnel with search, analytics, and automation tools to redact with ease and confidence when making public records disclosures.
There’s really only one way to tackle this digital age challenge for an industrial age process: through the use of modern technology to streamline an otherwise error-prone task and deliver efficient, consistent, and reliable redactions.
When armed with the right technology, legal professionals can:
- Quickly and accurately find sensitive information. Data analytics classify information according to predefined exemption codes. Using powerful search capabilities, reviewers quickly and accurately find all exempt information. The exemption reasons are also tracked and instantly available for reporting.
- Easily redact everything at once. Mass or bulk redaction of information combines redacting with search so that multiple occurrences of a word, phrase or patterns such as social security or credit card numbers are redacted all at once.
- Balance caution and transparency. FOIA personnel use technology to work together to verify redacted content prior to release and flag documents that may require a second look. Reviewers can quickly locate all documents where redactions are made and create redaction reports, Vaughn indexes, and audit histories of when information was redacted and by whom.
- Handle redactions correctly. Most importantly, sensitive information must be permanently stripped completely from the disclosed document, not just covered up. Metadata must also be removed to ensure thorough sanitization.
For a detailed demonstration of just how well eDiscovery technology helps U.S. cities and counties respond more efficiently to public records requests, please watch the recording of ZyLAB’s webinar.