Posted On March 26, 2014 by Print This Post

Adam Firestone: I’m Sorry Ma’am, That’s Classified: Security Clearances and Classified Information Basics for Writers

Instead of his usual instructional posts on weaponry, today ADAM FIRESTONE lifts up the curtain on the shadowy world of secrets and classified information.

If you’ve read this column with any regularity, you’re probably aware that I’m a little “funny” when it comes to technical and procedural accuracy in fiction.  There are few mechanisms by which an author can lose a reader’s respect and interest more rapidly than the use of blatantly erroneous information about, well, the way things WORK.  If we were to survey all the subjects where this hard left into negative perception happens, few would show up more frequently than in discussions of classified information and security clearances.  In this month’s piece, we’ll take a look at how things are classified, what classification means and how the concept of “clearance” flows from information classification.  To bound the problem, we’ll look at the classification and clearance issue through the lens of those mechanisms used by the United States Department of Defense (DoD). However, it is important to recognize that other US government agencies (e.g., the Intelligence Community, the Department of Justice, the Department of Energy, etc.) maintain their own classification and clearance mechanisms.

Principle 1:  The Only Thing That Can be Classified is INFORMATION

Information is the only commodity that can be classified.  This can be almost any kind of information from descriptive data (e.g., “My laptop sleeve is black.”) to information about intentions and plans (e.g., “I’m going to go out for Ethiopian food at 7:00.”) to  information about the “fact of” an occurrence or state (e.g., “Jack and Katie are secretly dating.”).

With respect to national security issues, however, information is classified based on the level of damage that can be caused by its unauthorized disclosure.   The safeguarding requirements implicit to a particular level of classification are often augmented by organizational security policies and procedures.

There are three levels of classification for national security information, each of which is described below:[1]

CONFIDENTIAL – the lowest level of classification applied to information, the unauthorized disclosure of which reasonably could be expected to cause identifiable damage to national security.

SECRET – intermediate level of classification applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to national security.

TOP SECRET – highest level of classification applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to national security. Information systems are classified at the same level as the highest classification of data managed regardless of the overall composition of the data in question.  Thus, a system storing, processing or transmitting Top Secret data will receive a Top Secret classification regardless of whether most of the data managed is classified at the Secret or Confidential levels. A single datum is enough to determine a system’s overall classification.

topsecret2_THEME

 

Principle 2:  Accesses and Compartments are NOT Classification Levels

Within the overall rubric of classified information is Sensitive Compartmented Information (SCI).  SCI is not a classification level per se, but rather an access control mechanism for a particular subset of information that is classified at a given level.  Despite this, SCI is usually treated as a subset of classified information concerning or derived from sensitive intelligence sources, methods, or analytical processes.  All SCI must be handled within formal access control systems established by the Director of National Intelligence (DNI).

Let’s reiterate a key point:  SCI is NOT a classification.  Instead, it refers to an information set of any given classification level, access to which requires special eligibility, need-to-know and explicit permission.  The confusion arises because, while a particular SCI not a classification, the technical safeguards between SCI compartments and sub-compartments are similar to those between different classification levels.[2]

While not contemplated within the scope of Executive Order 13526 (the document which outlines the handling and classification of national security information in the United States), organizational policies exert influence comparable to formal classifications and compartments with respect to the safeguarding and sharing of information.  It is within the scope of an agency’s purview to set policies and procedures for sharing information in general and classified information in particular.  For example, the Navy may choose to share certain information assets with the Army only within given time frames.  Alternately, a member of the intelligence community may choose to share information only with systems that have certain IP addresses.  Compliance with such organizational information sharing rules is a necessary component of any classified information management mechanism.

Principle 3:  Classified Information CAN be Shared, but Only in a Very Careful Manner

“Unauthorized disclosure” is a technical term of art that refers to any improper transfer of classified information to a human or mechanical recipient.  This includes the transfer of information from a more highly classified system to either an unclassified system or one classified at a lower level or from one compartment/sub-compartment to another.  Moreover, the term applies regardless of the actual classification of the information transferred.

For example, unless specific authorization is received from either the owners of, the Defense Security Service (DSS) Office of the Designated Approval Authority (ODAA)[3] or the system accrediting authority for a specific piece of information, the transfer of a file classified at the Secret level residing on a system classified at the Top Secret level to a system classified at the Secret level results in an unauthorized disclosure, even though there is no practical impact.

To guard against both malicious (i.e., deliberate) and inadvertent unauthorized disclosure, organizations that handle classified information maintain separate, redundant computer networks.  As a result, an organization that routinely manages Top Secret/Sensitive Compartmented Information (SCI) may find itself running three (or more) parallel and unconnected networks:  One at the Top Secret/SCI level, one at the collateral Top Secret or Secret level and one at the unclassified level. Also, organizations may stand up additional parallel networks to manage organizational information sharing concerns.

Information transfer between networks (of varying classification levels), when permitted[4], is typically handled via a process known as “Trusted Downloading.”  There are a number of mechanisms by which Trusted Downloading can be implemented, including:

  • A High Assurance Guard (HAG)[5] can be used to provide a controlled, automated interface between different security domains (e.g., unclassified to Secret).
  • A manual process (usually featuring two person integrity, or TPI) by which a man-in-the-loop can write selected information stored on the more highly classified system to media, physically transport the media to the less highly classified system, and move the selected information from the media to the less highly classified system[6].
  • Booting the systems in question to an equivalent protection level[7] and transferring the information between the two directly (with approval and supervision).

Trusted downloading is essential in many operational circumstances, especially when highly classified exploited intelligence information is provided to tactical users whose information environment is generally classified at a lower level.  For example, the original version of overhead imagery provided to an infantry platoon may contain metadata about the sources and methods used to obtain the raw intelligence.  This metadata, classified at the Top Secret/SCI level results in the overall image being classified at the same level.  In order to provide the imagery to the infantry platoon, a version of the image that is stripped of all information classified at levels higher than Secret must be produced. (A single document, image or record may contain information classified at different levels; the overall classification of the document is that of the most highly classified constituent information.)  This version is then moved to a machine classified at the Secret level using trusted downloading procedures and forwarded to the infantry platoon.

Similar practices impact intelligence organizations nominally operating at the same classification level.  For example, one organization may specialize in deriving intelligence from space-based imagery platforms, another from intercepted communications signals and a third from information gained from human sources.  While all of this information is ostensibly classified at the Top Secret level, it is separated into different compartments, most often to protect sources and methods.  In order to provide the information derived from the intelligence from one compartment to analysts working within another compartment, a version sanitized with respect to the compartmentalizing data or metadata must be generated.  This results in an information set that is either effectively decompartmented or compartmented such that it can be used by the receiving analysts.

Principle 4:  What’s in a Security Clearance?

So far, the only thing we’ve discussed is how information is classified.  The other part of the puzzle is how the access individuals have to classified information is controlled.   The mechanism used, the “security clearance” has three components:  Eligibility, access and need-to-know.

People who occupationally require access to classified information undergo a voluntary background investigation. (In fact, most of the information used in the investigation is provided by the subject.) This investigation is designed to determine if there is anything in the person’s history that would adversely impact an ability to safeguard information that might have an impact on national security.  Upon conclusion of the investigation and a positive adjudication of the material disclosed and/or discovered, the individual is categorized as eligible for access to information classified at  given level. It’s important to note that eligibility does not mean the same this as access.

Access to classified information is granted only after an eligible individual enters into employment where she is required to handle classified information.  Put another way:  Just because your protagonist has been found eligible to have access to information at the Top Secret level doesn’t mean she can walk into a government or contractor office and enter restricted spaces where classified information is handled.

The final component to the clearance puzzle is “need-to-know.”  Under need-to-know restrictions, even if a person has all the necessary official approvals to access certain information, she would not be given access to such information unless access to the information is necessary for the conduct of her official duties.

This is best illustrated with an example.  Let’s say that Jack and Katie have both had positively adjudicated background investigations for access to information classified up to the Top Secret level.  They work in the same office on the same program, and therefore have access to Top Secret information.  However, Katie handles information stemming from signals intelligence sources while Jack handles information derived from overhead imagery.  In this case, Jack, while requiring information pertinent to the imagery would not be permitted access to information about the signals intelligence that Katie handles.

Conclusion You’re now well equipped to control information and clear the characters in your stories.  However, there’s a lot more to classification and access management than would fit into the scope of this column.  Let’s just leave it at this:  The next time you write about Confidential Top Secret information or have a character with eligibility but no need to know waltzing into an office and flipping through a classified file, bad things – doubleplus ungood things – are going to happen.  What sorts of things?  Well, I’d tell you, but then I’d have to . . . Happy writing!



[1] The classification levels derive from Executive Order 13526 “Classified National Security Information” (see  http://www.whitehouse.gov/the-press-office/executive-order-classified-national-security-information)
[2] SCI is all intelligence information and material that requires special controls for restricted handling within compartmented channels and for which compartmentalization is established.
[3] ODAA was established in 2004 to improve timeliness and consistency through centralized management and de-centralized execution of the certification and accreditation (C&A) process. ODAA is accountable for timely, consistent policy implementation and C&A determinations nationwide by DSS. The ODAA works closely with cleared defense industry, government contracting activities and other DSS Industrial Security personnel.
[4] Whether Trusted Downloading is permitted depends on the protection level of each system and whether or not there is a process that has been approved, in writing, by the owner of the information.  It is generally permitted only at government facilities and with rare exception at contractor facilities.
[5] A HAG is an approved multi-level security computer device that is used to communicate between different security domains.
[6] This process is colloquially referred to as “sneakernet.”
[7] Protection levels (PL), as defined by Director of Central Intelligence Directive (DCID) 6/3 and the National Industrial Security Program Operating Manual (NISPOM – DoD 5220.22M), dealing with automated means for ensuring information confidentiality.  They range from PL1 through PL5 and are allocated based on the clearance levels of the system’s users and the portions of the user base that have access and/or need to know.

*** Does this answer your questions about security clearances and confidential information? Ask Adam in the comments below if you need more information.

On Friday, Vicky Koch – aka author Sophia Knightly – discusses “Why I chose a pen name and how it boosted my brand image.” 

***

Bio: Adam Firestone brings more than 25 years of experience with weapon systems including small arms, artillery, armor, area denial systems and precision guided munitions to Romance University. Additionally, Adam is an accomplished small arms instructor, editor, literary consultant and co-author of a recently published work on the production of rifles in the United States for Allied forces during the First World War. Adam has been providing general and technical editing services to authors and publishing houses specializing in firearms books since the early 2000s. Additionally, Adam provides literary consulting services to fiction authors including action scene choreography, technical vetting and technical editing. In this line of experience, Adam has had the fortune to work with well known authors including Shannon McKenna and Elizabeth Jennings. Check out Adam’s blog here: http://adamfirestoneconsultant.blogspot.com/

Similar Posts:

Share Button

Gun Expert Adam Firestone

Discussion

7 Responses to “Adam Firestone: I’m Sorry Ma’am, That’s Classified: Security Clearances and Classified Information Basics for Writers”

  1. My mom used to work inside a vault in a Top Secret area at Ft. Bragg. Every time she watches a show that has someone tell someone else, “That’s classified,” she lets out a raucous laugh and asks the people on the screen, “Classified what?” I’ve discovered that such questions need to be made clear: “That’s classified Top Secret,” etc. so they sound official. Agents of SHIELD does this fairly correctly, I believe. They’ll say, “That’s classified Level 8.” This opens things up to letting us viewers know what level various agents are, and seeing that not everyone’s on the same one.

    Posted by Carol A. Strickland | March 26, 2014, 8:50 am
  2. I had a secret clearance for 20 years. The FBI has a file on me. Defense and the space program. I still do not discuss what I did. For a reactivation of my clearance in 1982 I had to know every single place I had ever lived, every group or organization I h ad ever joined (Girl Scouts for example) every name (married, single) I had been known by – the list was far more extensive than these three questions. We were also charged with watching for breaches in file handling for example by other workers. It is similar to working for high-tech semiconductor companies. THey are very protective of their information (their patents, their designs, their research) The guy from Apple leaving a prototype in a bar is a serious violation. Drinking, drugs, you name it – things you did not do. The technology we have now makes policing the violations more difficult and companies have to monitor email and internet activity 24/7. I always felt someone was watching me day and night (not realistic) but you still worried about stepping wrong. Today’s employees as the news stories bare out – don’t give a crap. Drunk in a hallway overseas? Way to go secret service!

    Posted by Donnamaie White | March 26, 2014, 12:56 pm
    • Hi Donnamaie,

      The FBI is DoJ. Defense and space programs are DoD. The FBI does *not* have access to DoD security clearance data. (They actually have to file either a FOIA request or present a subpoena.)

      The organization that holds SF-86 investigation data after eligibility is the Defense Security Service.

      Thanks!

      ACF

      Posted by Adam Firestone | March 26, 2014, 5:04 pm
  3. Afternoon Adam!

    A question about the two person access….does that mean one person with a higher security clearance would manually write out the information in a file, then transfer it to say a thumb drive, then manually walk that drive over to a lower classed machine and transfer it? And that concludes one transfer of information?

    whew.

    and one more question..=) do any of the secured documents of any classification end up in “the cloud”? or is it all on something physical?

    carrie

    Posted by Carrie Spencer | March 26, 2014, 3:26 pm
    • Hi Carrie,

      Two person integrity means that you have two people of equal or greater clearance than the most highly classified system or information in question to execute the process. This way they can watch each other. It’s a procedural safeguard, not the process itself.

      Thanks!

      Adam

      Posted by Adam Firestone | March 26, 2014, 4:57 pm
  4. Adam – This makes me think of the old Mission: Impossible TV series, where the tape would self-destruct after the agents received their instructions. I never really thought about how complex the issue of security clearances were. I’ll be watching for this now, in books and in movies and TV shows. Thanks for opening my eyes to this!

    Posted by Becke Martin Davis | March 26, 2014, 4:10 pm
  5. Thanks so much for hanging out with us today, Adam, and thanks as always for another thought-provoking and informative post!

    Posted by Becke Martin Davis | March 27, 2014, 12:07 am

Post a comment

Upcoming Posts

  • Sep 26, 2014 10 Tips for a Stand-out Facebook Event by Kelsey Browning

Subscribe

Writer's Digest: 2013 Best Writing Websites (2013) 100-BEST-WEBSITES-2014 Top 10 badge 2012

Follow Us