What are agencies supposed to do about WikiLeaks? We had some concerns about the directives for agencies issued in the wake of the November WikiLeaks disclosures and wrote to the administration on January 28, along with some of our allies, seeking clarification. On March 29, Jacob Lew, Director of the Office of Management and Budget (OMB) responded to our letter—but we’re still confused. And if we’re confused, then we suspect some of the agencies might be as well.
In our January 28 letter, POGO and other good government groups raised concerns about the assessments required by a memo issued to agencies on January 3rd as follow-up guidance to a November memo. The agencies were directed to assess their policies and practices for safeguarding classified information. While we thought the assessments were a natural and appropriate response to the WikiLeaks disclosures, some of the items on the checklist for the assessments were troubling. Contained in the checklist and questions for the assessment teams were suggestions that agencies consider:
- Tracking employees' pre- and post-employment activities on websites like WikiLeaks,
- Requiring employees to report any contact with the media, and even
- Measuring the “relative happiness” and “despondence and grumpiness as a means to gauge waning trustworthiness”
POGO and our partners noted that such policies could lead to infringement of constitutional rights of federal employees, targeting employees for reasons other than safeguarding classified information, and could also lead to retaliation for whistleblowing or those who simply may be unhappy with their agency or supervisor.
In response, OMB Director Jack Lew wrote that the guidance didn't actually impose any new requirements on agencies:
You have raised the concern that some of the items in the January 3, 2011, checklist distributed to departments and agencies may be viewed as imposing new requirements on certain agencies. As the cover memo from the Director of the Information Security Oversight Office and the National Counterintelligence Executive notes, however, the checklist reflects "existing requirements and questions" for assessment teams to utilize, as appropriate, in reviewing the current state of information systems security.The checklist does not impose any new agency requirements, and agencies accordingly are directed only to self-assess their compliance with existing requirements. (Emphasis POGO's)
POGO's glad to hear that that's the case. From the wording in the opening paragraph of that cover memo, it's easy to see why the agencies may not have been under that impression:
"These assessments were intended to build upon the existing requirement in Executive Order 13526 (“Classified National Security Information”) for departments and agencies to establish and maintain ongoing self-inspection programs, in furtherance of the Executive Branch’s comprehensive and enduring effort to strengthen our safeguarding and counterintelligence postures to enhance the protection of classified national security information." (Emphasis POGO's)
We imagine that many agencies might also have understood the assessment checklist to be a roadmap of sorts for improving their policies and procedures for handling classified information, not just an inventory of existing policies. We hope the Obama administration will be providing more explicit guidance to clarify this in writing for all agencies.
Lew also invited POGO and the other groups to meet with his Office and two other relevant agencies, the Information Security Oversight Office (ISOO) and the Office of the National Counterintelligence Executive, to discuss the guidance in person. We are looking forward to this discussion and hope to ensure that employees' constitutional rights are maintained throughout the process of safeguarding classified information.