The Protection of Classified Information:
The Legal Framework
Jennifer K. Elsea
Legislative Attorney
January 10, 2011
Congressional Research Service
7-5700
www.crs.gov
RS21900
CRS Report for Congress
P
repared for Members and Committees of Congress
The Protection of Classified Information: The Legal Framework
Summary
The publication of secret information by WikiLeaks and multiple media outlets has heightened
interest in the legal framework that governs security classification, access to classified
information, agency procedures for preventing and responding to unauthorized disclosures, and
penalties for improper disclosure. Classification authority generally rests with the executive
branch, although Congress has enacted legislation regarding the protection of certain sensitive
information. While the Supreme Court has stated that the President has inherent constitutional
authority to control access to sensitive information relating to the national defense or to foreign
affairs, no court has found that Congress is without authority to legislate in this area. This report
provides an overview of the relationship between executive and legislative authority over national
security information, and summarizes the current laws that form the legal framework protecting
classified information, including current executive orders and some agency regulations pertaining
to the handling of unauthorized disclosures of classified information by government officers and
employees. The report also summarizes criminal laws that pertain specifically to the unauthorized
disclosure of classified information.
Congressional Research Service
The Protection of Classified Information: The Legal Framework
Contents
Background ................................................................................................................................ 1
Executive Order 13526 ............................................................................................................... 3
Handling of Unauthorized Disclosures ........................................................................................ 5
Information Security Oversight Office................................................................................... 6
Intelligence Community........................................................................................................ 7
Department of Defense ......................................................................................................... 8
Penalties for Unauthorized Disclosure....................................................................................... 10
Criminal Penalties............................................................................................................... 10
Civil Penalties and Other Measures ..................................................................................... 10
Contacts
Author Contact Information ...................................................................................................... 12
Congressional Research Service
The Protection of Classified Information: The Legal Framework
Background
Prior to the New Deal, classification decisions were left to military regulation.1 In 1940, President
Franklin Roosevelt issued an executive order authorizing government officials to protect
information pertaining to military and naval installations.2 Presidents since that time have
continued to set the federal government’s classification standards by executive order, but with one
critical difference: while President Roosevelt cited specific statutory authority for his action, later
presidents have cited general statutory and constitutional authority.3
The Supreme Court has never directly addressed the extent to which Congress may constrain the
executive branch’s power in this area. Citing the President’s constitutional role as Commander-in-
Chief,4 the Supreme Court has repeatedly stated in dicta that “[the President’s] authority to
classify and control access to information bearing on national security ... flows primarily from
this Constitutional investment of power in the President and exists quite apart from any explicit
congressional grant.”5 This language has been interpreted by some to indicate that the President
has virtually plenary authority to control classified information. On the other hand, the Supreme
Court has suggested that “Congress could certainly [provide] that the Executive Branch adopt
new [classification procedures] or [establish] its own procedures—subject only to whatever
limitations the Executive Privilege may be held to impose on such congressional ordering.”6 In
fact, Congress established a separate regime in the Atomic Energy Act for the protection of
nuclear-related “Restricted Data.”7
Congress has directed the President to establish procedures governing the access to classified
material so that no person can gain such access without having undergone a background check.8
1 See Harold Relyea, The Presidency and the People’s Right to Know, in THE PRESIDENCY AND INFORMATION POLICY 1,
16-18 (1981).
2 Exec. Order No. 8,381 (1940).
3 Compare Exec. Order No. 10,501 (1953) with, e.g., Exec. Order No. 13,292 (2003). The most recent Executive Order
on classified information, Exec. Order No. 13,526 (Dec. 29, 2009), also cites constitutional authority.
4 U.S. CONST., art. II, § 2.
5 Department of the Navy v. Egan, 484 U.S. 518, 527 (1988) (quoting Cafeteria Workers v. McElroy, 367 U.S. 886,
890 (1961). In addition, courts have also been wary to second-guess the executive branch in areas of national security.
See, e.g., Haig v. Agee, 453 U.S. 280, 291 (1981) (“Matters intimately related to foreign policy and national security
are rarely proper subjects for judicial intervention.”). The Court has suggested, however, that it might intervene where
Congress has provided contravening legislation. Egan at 530 (“Thus, unless Congress specifically has provided
otherwise, courts traditionally have been reluctant to intrude upon the authority of the Executive in military and
national security affairs.”)(emphasis added).
6 EPA v. Mink, 410 U.S. 73, 83 (1973).
7 42 U.S.C. § 2011 et seq. In addition, the Invention Secrecy Act (codified at 35 U.S.C. § 181 et seq.) authorizes the
Commissioner of Patents to keep secret those patents on inventions in which the government has an ownership interest
and the widespread knowledge of which would, in the opinion of the interested agency, harm national security. For a
more detailed discussion of these and other regulatory regimes for the protection of sensitive government information,
see CRS Report RL33502, Protection of National Security Information, by Jennifer K. Elsea; CRS Report RL33303,
“Sensitive But Unclassified” Information and Other Controls: Policy and Options for Scientific and Technical
Information, by Genevieve J. Knezo.
8 Counterintelligence and Security Enhancement Act of 1994, Title VIII of P.L. 103-359 (codified at 50 U.S.C. § 435 et
seq.). Congress has also required specific regulations regarding personnel security procedures for employees of the
National Security Agency, P.L. 88-290, 78 Stat. 168, codified at 50 U.S.C. §§ 831 - 835. Congress has also prohibited
the Department of Defense from granting or renewing security clearances for officers, employees, or contract personnel
who had been convicted of a crime (and served at least one year prison time) and for certain other reasons, with a
(continued...)
Congressional Research Service
1
The Protection of Classified Information: The Legal Framework
Congress also directed the President, in formulating the classification procedures, to adhere to
certain minimum standards of due process with regard to access to classified information.9 These
include the establishment of uniform procedures for, inter alia, background checks, denial of
access to classified information, and notice of such denial.10 The statute also explicitly states that
the agency heads are not required to comply with the due process requirement in denying or
revoking an employee’s security clearance where doing so could damage national security,
although the statute directs agency heads to submit a report to the congressional intelligence
committees in such a case.11
With the authority to determine classification standards vested in the President, these standards
tend to change whenever a new administration takes control of the White House.12 The
differences between the standards of one administration and the next have often been dramatic.
As one congressionally authorized commission put it in 1997:
The rules governing how best to protect the nation’s secrets, while still insuring that the
American public has access to information on the operations of its government, past and
present, have shifted along with the political changes in Washington. Over the last fifty
years, with the exception of the Kennedy Administration, a new executive order on
classification was issued each time one of the political parties regained control of the
Executive Branch. These have often been at variance with one another ... at times even
reversing outright the policies of the previous order.13
Various congressional committees have investigated ways to bring some continuity to the
classification system and to limit the President’s broad powers to shield information from public
examination.14 In 1966, Congress passed the Freedom of Information Act (FOIA), creating a
presumption that government information will be open to the public unless it falls into one of
FOIA’s exceptions. One exception covers information that, under executive order, must be kept
secret for national security or foreign policy reasons.15 In 2000, Congress enacted the Public
Interest Declassification Act of 2000,16 which established the Public Interest Declassification
Board to advise the President on matters regarding the declassification of certain information, but
the act expressly disclaims any intent to restrict agency heads from classifying or continuing the
classification of information under their purview, nor does it create any rights or remedies that
(...continued)
waiver possible only in “meritorious cases,” P.L. 106-398 § 1, Div. A, Title X, § 1071(a), 114 Stat. 1654, 10 U.S.C.
§ 986.
9 50 U.S.C. § 435(a).
10 Id.
11 Id. § 435(b). The House Conference Report that accompanied this legislation in 1994 suggests that Congress
understood that the line defining the boundaries of executive and legislative authority in this area is blurry at best. The
conferees made explicit reference to the Egan case, expressing their desire that the legislation not be understood to
affect the President’s authority with regard to security clearances. See H.R. REP. 103-753, at 54.
12 See Report of the Commission on Protecting and Reducing Government Secrecy, S. DOC. NO. 105-2, at 11 (1997).
13 Id.
14 See, e.g., Availability of Information from Federal Departments and Agencies: Hearings Before the House
Committee on Government Operations, 85th Cong. (1955).
15 5 U.S.C. § 552(b)(1). The Supreme Court has honored Congress’s deference to executive branch determinations in
this area. EPA v. Mink, 410 U.S. 73 (1973). Congress, concerned that the executive branch may have declared some
documents to be “national security information” that were not vital to national security, added a requirement that such
information be “properly classified pursuant to an executive order.” 5 U.S.C. § 552(b)(1)(B).
16 P.L. 106-567, title VII, Dec. 27, 2000, 114 Stat. 2856, 50 U.S.C. § 435 note.
Congressional Research Service
2
The Protection of Classified Information: The Legal Framework
may be enforced in court.17 Most recently, Congress passed the Reducing Over-Classification Act,
P.L. 111-258, which, among other things, requires executive branch agencies’ inspectors general
to conduct assessments of their agencies’ implementation of classification policies.18
Executive Order 13526
The present standards for classifying and declassifying information were last amended on
December 29, 2009.19 Under these standards, the President, Vice President, agency heads, and
any other officials designated by the President may classify information upon a determination that
the unauthorized disclosure of such information could reasonably be expected to damage national
security.20 Such information must be owned by, produced by, or under the control of the federal
government, and must concern one of the following:
• military plans, weapons systems, or operations;
• foreign government information;
• intelligence activities, intelligence sources/methods, cryptology;
• foreign relations or foreign activities of the United States, including confidential
sources;
• scientific, technological, or economic matters relating to national security;
• federal programs for safeguarding nuclear materials or facilities;
• vulnerabilities or capabilities of national security systems; or
• weapons of mass destruction.21
Information may be classified at one of three levels based on the amount of danger that its
unauthorized disclosure could reasonably be expected to cause to national security.22 Information
is classified as “Top Secret” if its unauthorized disclosure could reasonably be expected to cause
“exceptionally grave damage” to national security. The standard for “Secret” information is
“serious damage” to national security, while for “confidential” information the standard is
“damage” to national security. Significantly, for each level, the original classifying officer must
identify or describe the specific danger potentially presented by the information’s disclosure.23 In
case of significant doubt as to the need to classify information or the level of classification
17 Id. §§ 705 and 707.
18 P.L. 111-258, § 6, codified at 50 USC § 435 note.
19 Classified National Security Information, Exec. Order No. 13,526, 3 C.F.R. 298 (2009). For a more detailed
description and analysis, see CRS Report R41528, Classified Information Policy and Executive Order 13526, by Kevin
R. Kosar.
20 Exec. Order No. 13,526 § 1.1. The unauthorized disclosure of foreign government information is presumed to
damage national security. Id. § 1.1(b).
21 Id. § 1.4. In addition, when classified information which is incorporated, paraphrased, restated, or generated in a new
form, that new form must be classified at the same level as the original. Id. §§ 2.1 - 2.2.
22 Id. § 1.2.
23 Id. Classifying authorities are specifically prohibited from classifying information for reasons other than protecting
national security, such as to conceal violations of law or avoid embarrassment. Id. § 1.7(a).
Congressional Research Service
3
The Protection of Classified Information: The Legal Framework
appropriate, the information is to remain unclassified or be classified at the lowest level of
protection considered appropriate.24
The officer who originally classifies the information establishes a date for declassification based
upon the expected duration of the information’s sensitivity. If the office cannot set an earlier
declassification date, then the information must be marked for declassification in 10 years’ time
or 25 years, depending on the sensitivity of the information.25 The deadline for declassification
can be extended if the threat to national security still exists.26
Classified information is required to be declassified “as soon as it no longer meets the standards
for classification.”27 The original classifying agency has the authority to declassify information
when the public interest in disclosure outweighs the need to protect that information.28 On
December 31, 2006, and every year thereafter, all information that has been classified for 25
years or longer and has been determined to have “permanent historical value” under Title 44 of
the U.S. Code will be automatically declassified, although agency heads can exempt from this
requirement classified information that continues to be sensitive in a variety of specific areas.29
Agencies are required to review classification determinations upon a request for such a review
that specifically identifies the materials so that the agency can locate them, unless the materials
identified are part of an operational file exempt under the Freedom of Information Act (FOIA)30
or are the subject of pending litigation.31 This requirement does not apply to information that has
undergone declassification review in the previous two years; information that is exempted from
review under the National Security Act;32 or information classified by the incumbent President
and staff, the Vice President and staff (in the performance of executive duties), commissions
appointed by the President, or other entities within the executive office of the President that
advise the President.33 Each agency that has classified information is required to establish a
system for periodic declassification reviews.34 The National Archivist is required to establish a
similar systemic review of classified information that has been transferred to the National
Archives.35
24 Id. §§ 1.1-1.2. This presumption is a change from the predecessor order.
25 Exec. Order No. 13,526 at § 1.5. Exceptions to the time guidelines are reserved for information that can be expected
to reveal the identity of a human intelligence source or key design concepts of weapons of mass destruction. Id.
26 Id. § 1.5(c).
27 Id. § 3.1(a).
28 Id. § 3.1(d).
29 Id. § 3.3.
30 5 U.S.C. § 552. For more information, see CRS Report R41406, The Freedom of Information Act and Nondisclosure
Provisions in Other Federal Laws, by Gina Stevens.
31 Exec. Order No. 13,526 § 3.5.
32 50 U.S.C. §§ 403-5c, 403-5e, 431.
33 Exec. Order No. 13,526 § 3.5.
34 Id. § 3.4. “Need-to-know” is based on a determination within the executive branch in accordance with relevant
directives that a prospective recipient “requires access to specific classified information in order to perform or assist in
a lawful and authorized governmental function.” Id. § 6.1(dd).
35 Id. § 3.4. Exec. Order No. 13,526 creates a new National Declassification Center (NDC) within the National
Archives to facilitate and standardize the declassification process. Id. § 3.7. For more information about the NDC, see
CRS Report R41528, Classified Information Policy and Executive Order 13526, by Kevin R. Kosar
Congressional Research Service
4
The Protection of Classified Information: The Legal Framework
Access to classified information is generally limited to those who demonstrate their eligibility to
the relevant agency head, sign a nondisclosure agreement, and have a need to know the
information.36 The need-to-know requirement can be waived, however, for former Presidents and
Vice Presidents, historical researchers, and former policy-making officials who were appointed by
the President or Vice President.37 The information being accessed may not be removed from the
controlling agency’s premises without permission. Each agency is required to establish systems
for controlling the distribution of classified information.38
The Information Security Oversight Office (ISOO)—an office within the National Archives—is
charged with overseeing compliance with the classification standards and promulgating directives
to that end.39 ISOO is headed by a Director, who is appointed by the Archivist of the United
States, and who has the authority to order declassification of information that, in the Director’s
view, is classified in violation of the aforementioned classification standards.40 In addition, there
is an Interagency Security Classifications Appeals Panel (“the Panel”), headed by the ISOO
Director and made up of representatives of the heads of various agencies, including the
Departments of Defense, Justice, and State, as well as the Central Intelligence Agency, and the
National Archives.41 The Panel is empowered to decide appeals of classifications challenges42 and
to review automatic and mandatory declassifications. If the ISOO Director finds a violation of
E.O. 13526 or its implementing directives, then the Director must notify the appropriate
classifying agency so that corrective steps can be taken.
Handling of Unauthorized Disclosures
Under E.O. 13526, each respective agency is responsible for maintaining control over classified
information it originates and is responsible for establishing uniform procedures to protect
classified information and automated information systems in which classified information is
stored or transmitted. Standards for safeguarding classified information, including the handling,
storage, distribution, transmittal, and destruction of and accounting for classified information, are
developed by the ISOO. Agencies that receive information classified elsewhere are not permitted
to transfer the information further without approval from the classifying agency. Persons
authorized to disseminate classified information outside the executive branch are required to
ensure it receives protection equivalent to those required internally. In the event of a knowing,
willful, or negligent unauthorized disclosure (or any such action that could reasonably be
expected to result in an unauthorized disclosure), the agency head or senior agency official is
required to notify ISOO and to “take appropriate and prompt corrective action.” Officers and
employees of the United States (including contractors, licensees, etc.) who commit a violation are
subject to sanctions that can range from reprimand to termination.43
36 Id. § 4.1.
37 Id. § 4.4.
38 Id. § 4.2.
39 Id. § 5.2.
40 Id. § 3.1(c).
41 Id. § 5.3.
42 Id. § 5.3(b)(1) - (3) For example, an authorized holder of classified information is allowed to challenge the classified
status of such information if the holder believes that status is improper. Id. § 1.8.
43 Id. § 5.5. Specifically, administrative sanctions available with respect to “officers and employees of the United States
(continued...)
Congressional Research Service
5
The Protection of Classified Information: The Legal Framework
Executive Order 12333, United States Intelligence Activities,44 spells out the responsibilities of
members of the Intelligence Community45 for the protection of intelligence information,
including intelligence sources and methods. Under section 1.7 of E.O. 12333, heads of
departments and agencies with organizations in the Intelligence Community (or the heads of such
organizations, if appropriate) must report possible violations of federal criminal laws to the
Attorney General “in a manner consistent with the protection of intelligence sources and
methods.”
Information Security Oversight Office
ISOO Directive No. 1 (32 CFR Part 2001) provides further direction for agencies with
responsibilities for safeguarding classified information. Sec. 2001.41 states:
Authorized persons who have access to classified information are responsible for: (a)
Protecting it from persons without authorized access to that information, to include securing
it in approved equipment or facilities whenever it is not under the direct control of an
authorized person; (b) Meeting safeguarding requirements prescribed by the agency head;
and (c) Ensuring that classified information is not communicated over unsecured voice or
data circuits, in public conveyances or places, or in any other manner that permits
interception by unauthorized persons.
Sec. 2001.45 of ISOO Directive No. 1 requires agency heads to establish a system of appropriate
control measures to limit access to classified information to authorized persons. Sec. 2001.46
requires that classified information is transmitted and received in an authorized manner that
facilitates detection of tampering and precludes inadvertent access. Persons who transmit
classified information are responsible for ensuring that the intended recipients are authorized to
receive classified information and have the capacity to store classified information appropriately.
Documents classified “Top Secret” that are physically transmitted outside secure facilities must
be properly marked and wrapped in two layers to conceal the contents, and must remain under the
constant and continuous protection of an authorized courier. In addition to the methods prescribed
for the outside transmittal of Top Secret documents, documents classified at Secret or
Confidential levels may be mailed in accordance with the prescribed procedures. Agency heads
(...continued)
Government, and its contractors, licensees, certificate holders, and grantees” accused of violating government security
regulations, “knowingly, willfully, or negligently,” include “reprimand, suspension without pay, removal, termination
of classification authority, loss or denial of access to classified information, or other sanctions in accordance with
applicable law and agency regulation.” See infra section “Civil Penalties and Other Measures”
44 46 Fed. Reg. 59,941 (1981), as amended by Exec .Order No. 13284, 68 Fed. Reg. 4,077 (2003), Exec. Order No.
13,355, 69 Fed. Reg. 53,593 (2004) and Exec. Order No. 13,470, 73 Fed. Reg. 45,328 (2008). A version of the Order as
amended is available at http://www.fas.org/irp/offdocs/eo/eo-12333-2008.pdf.
45 The Intelligence Community is defined by 50 U.S.C. ' 401a(4) and E.O. 12333 to include the Office of the Director
of National Intelligence (ODNI), the Central Intelligence Agency (CIA), the Bureau of Intelligence and Research of the
Department of State (INR), the National Security Service of the Federal Bureau of Investigation (FBI), the Office of
Intelligence and Analysis of the Department of Homeland Security (DHS), the Office of Intelligence or the Coast
Guard (CG), other DHS elements concerned with the analysis of intelligence information, the Office of Intelligence and
Analysis of the Treasury Department, the Energy Department, the Drug Enforcement Agency (DEA), the Defense
Intelligence Agency (DIA), the National Security Agency (NSA), the National Reconnaissance Office (NRO), the
National Geospatial Intelligence Agency (NGA), Army Intelligence, Air Force Intelligence, Navy Intelligence, and
Marine Corps Intelligence, as well as “[s]uch other elements of any other department or agency as may be designated
by the President, or designated jointly by the Director of National Intelligence and the head of the department or agency
concerned, as an element of the intelligence community.”
Congressional Research Service
6
The Protection of Classified Information: The Legal Framework
are required to establish procedures for receiving classified information in a manner that
precludes unauthorized access, provides for detection of tampering and confirmation of contents,
and ensures the timely acknowledgment of the receipt (in the case of Top Secret and Secret
information).
Sec. 2001.48 prescribes measures to be taken in the event of loss, possible compromise or
unauthorized disclosure. It states:
Any person who has knowledge that classified information has been or may have been lost,
possibly compromised or disclosed to an unauthorized person(s) shall immediately report the
circumstances to an official designated for this purpose.
Agency heads are required to establish appropriate procedures to conduct an inquiry or
investigation into the loss, possible compromise or unauthorized disclosure of classified
information, in order to implement “appropriate corrective actions” and to “ascertain the degree
of damage to national security.” The department or agency in which the compromise occurred
must also advise any other government agency or foreign government agency whose interests are
involved of the circumstances and findings that affect their information or interests. Agency heads
are to establish procedures to ensure coordination with legal counsel in any case where a formal
disciplinary action beyond a reprimand is contemplated against a person believed responsible for
the unauthorized disclosure of classified information. Whenever a criminal violation appears to
have occurred and a criminal prosecution is contemplated, agency heads are to ensure
coordination with the Department of Justice and the legal counsel of the agency where the
individual believed to be responsible is assigned or employed. Violators are generally subject to
imprisonment or fine, and in some cases, loss of retirement or other benefits.
Intelligence Community
The most recent intelligence community directives related to the safeguarding of classified
information appear to be Intelligence Community Directive (ICD) 700, Protection of National
Intelligence, effective September 21, 2007,46 and ICD 701, Security Policy Directive for
Unauthorized Disclosures of Classified Information, effective March 14, 2007.47 ICD 700 assigns
Senior Officials of the Intelligence Community (SOICs)48 the responsibility to protect national
intelligence and intelligence sources and methods from unauthorized disclosure. SOICs are to
implement “aggressive security and counterintelligence initiatives” to identify, apprehend, and
assist in the prosecution where appropriate of “insiders who endanger national security
interests.”49 Under ICD 701, SOICs are to promptly notify the DNI (and if appropriate, law
enforcement authorities) of any actual or suspected unauthorized disclosure of classified
information, including any media leak, that is likely to cause damage to national security
interests, unless the disclosure is the subject of a counterespionage or counterintelligence
investigation. Disclosures to be reported include:
46 Available at http://www.fas.org/irp/dni/icd/icd-700.pdf.
47 Available at http://www.fas.org/irp/dni/icd/icd-701.pdf.
48 Senior Officials of the Intelligence Community (SOICs) means “heads of departments and agencies with
organizations in the Intelligence Community or the heads of such organizations.” Exec. Order No. 12,333 at § 1.7.
49 ICD 700 at § E(3)(h).
Congressional Research Service
7
The Protection of Classified Information: The Legal Framework
Unauthorized disclosure to an international organization, foreign power, agent of a foreign
power, or terrorist organization;
National intelligence activities or information that may be at risk of appearing in the public
media, either foreign or domestic, without official authorization;
Loss or compromise of classified information that poses a risk to human life;
Loss or compromise of classified information that is indicative of a systemic compromise;
Loss or compromise of classified information storage media or equipment;
Discovery of clandestine surveillance and listening devices;
Loss or compromise of classified information revealing U.S. or a foreign intelligence
partner’s intelligence operations or locations, or impairing foreign relations;
Such other disclosures of classified information that could adversely affect activities related
to US national security; and
Loss or compromise of classified information revealing intelligence sources or methods, US
intelligence requirements, capabilities and relationships with the US Government.
Upon determining that a compromise meeting the above reporting criteria has or may have
occurred, the SOIC is required promptly to report it to the DNI, through the Special Security
Center (SSC), and to any other element with responsibility for the material at issue. The SOIC is
then required to provide updated reports as appropriate (or as directed). This process occurs in
tandem with any required reporting to law enforcement authorities.
The required formal notification to the DNI is to include a complete statement of the facts, the
scope of the unauthorized disclosure, sources and methods that may be at risk, the potential effect
of the disclosure on national security, and corrective or mitigating actions. SOICs are further
required to identify all factors that contributed to the compromise of classified information and
take corrective action or make recommendations to the DNI.
Department of Defense
Department of Defense Directive 5210.50, “Unauthorized Disclosure of Classified Information to
the Public” (July 22, 2005)50 governs procedures for handling unauthorized disclosures of
classified information to the public. In the event of a known or suspected disclosure of classified
information, the heads of DoD components must report the incident to the Deputy Secretary of
Defense of Intelligence and conduct a preliminary investigation to confirm that classified
information was disclosed, identify the particulars of the incident and who was involved,
ascertain whether the information was properly classified or was authorized to be released, and
identify any leads that might identify the person or persons responsible. The preliminary
investigation should also ascertain whether further inquiry might increase the damage caused by
the compromise.
50 Available at http://www.dtic.mil/whs/directives/corres/pdf/521050p.pdf.
Congressional Research Service
8
The Protection of Classified Information: The Legal Framework
Enclosure 2 to Directive 5210.50 lists factors for determining whether to initiate an additional
investigation by military, criminal, or counterintelligence investigative organizations, or the
Department of Justice:
The accuracy of the information disclosed.
The damage to national security caused by the disclosure and whether there were
compromises regarding sensitive aspects of current classified projects, intelligence sources,
or intelligence methods.
The extent to which the disclosed information was circulated and the number of persons
known to have access to it.
The degree to which an investigation shall increase the damage caused by the disclosure.
The existence of any investigative leads.
The reasonable expectation of repeated disclosures.
The extent to which the classified information was circulated outside the Department of
Defense.
If classified DoD information appears in a newspaper or other media, the head of the appropriate
DoD component is responsible for the preparation of a “DOJ Media Leak Questionnaire” to
submit to the Deputy Secretary of Defense for Intelligence, who prepares a letter for the Chief,
Internal Security Section of the Criminal Division at the Department of Justice. The following
eleven questions51 are to be promptly and fully addressed:
• Date and identity of the article containing classified information.
• Specific statements that are classified, and whether the information is properly
classified.
• Whether disclosed information is accurate.
• Whether the information came from a specific document, and if so, the
originating office and person responsible for its security.
• Extent of official circulation of the information.
• Whether information has been the subject of prior official release.
• Whether pre-publication clearance was sought.
• Whether sufficient information or background data has been published officially
or in the press to make educated speculation on the matter possible.
• Whether information is to be made available for use in a criminal prosecution.
• Whether information has been considered for declassification.
51 The questions are listed in enclosure 4 of DoDD 5210.50, and apparently are part of a Memorandum of
Understanding concluded between the Department of Justice and elements of the Intelligence Community. See U.S.
Congress, Senate Select Committee on Intelligence, Concerning Unauthorized Disclosure of Classified Information,
106th Cong., 2nd sess., June 14, 2000 (Statement of Attorney General Janet Reno).
Congressional Research Service
9
The Protection of Classified Information: The Legal Framework
• The effect the disclosure of the classified data might have on the national
defense.
Penalties for Unauthorized Disclosure
In addition to administrative penalties agencies may employ to enforce information security, there
are several statutory provisions that address the protection of classified information as such. No
blanket prohibition exists to make it unlawful simply to disclose without authority any
information that is classified by the government for national security reasons.52
Criminal Penalties
Generally, federal law prescribes a prison sentence of no more than a year and/or a $1,000 fine
for officers and employees of the federal government who knowingly remove classified material
without the authority to do so and with the intention of keeping that material at an unauthorized
location.53 Stiffer penalties—fines of up to $10,000 and imprisonment for up to 10 years—attach
when a federal employee transmits classified information to anyone that the employee has reason
to believe is an agent of a foreign government.54 A fine and a 10-year prison term also await
anyone, government employee or not, who publishes, makes available to an unauthorized person,
or otherwise uses to the United States’ detriment classified information regarding the codes,
cryptography, and communications intelligence utilized by the United States or a foreign
government.55 Finally, the disclosure of classified information that discloses any information
identifying a covert agent, when done intentionally by a person with authorized access to such
identifying information, is punishable by imprisonment for up to ten years.56 A similar disclosure
by one who learns the identity of a covert agent as a result of having authorized access to
classified information is punishable by not more than five years’ imprisonment. Under the same
provision, a person who undertakes a “pattern of activities intended to identify and expose covert
agents” with reason to believe such activities would impair U.S. foreign intelligence activities,
and who then discloses the identities uncovered as a result is subject to three years’ imprisonment,
whether or not violator has access to classified information.57
Civil Penalties and Other Measures
In addition to the criminal penalties outlined above, the executive branch employs numerous
means of deterring unauthorized disclosures by government personnel using administrative
measures based on terms of employment contracts. The agency may impose disciplinary action or
52 For a broader overview of statutory provisions applicable to specific types of sensitive information, see CRS Report
R41404, Criminal Prohibitions on the Publication of Classified Defense Information, by Jennifer K. Elsea.
53 18 U.S.C. § 1924.
54 50 U.S.C. § 783.
55 18 U.S.C. § 798.
56 50 U.S.C. § 421.
57 “Classified information” for the purpose of this provision is defined as “information or material designated and
clearly marked or clearly represented, pursuant to the provisions of a statute or Executive order (or a regulation or order
issued pursuant to a statute or Executive order), as requiring a specific degree of protection against unauthorized
disclosure for reasons of national security.” 50 U.S.C. § 426.
Congressional Research Service
10
The Protection of Classified Information: The Legal Framework
revoke a person’s security clearance. The revocation of a security clearance is usually not
reviewable by the Merit System Protection Board58 and may mean the loss of government
employment. Government employees may be subject to monetary penalties for disclosing
classified information.59 Violators of the Espionage Act and the Atomic Energy Act provisions
may be subject to loss of their retirement pay.60
Agencies also rely on contractual agreements with employees, who typically must sign non-
disclosure agreements prior to obtaining access to classified information,61 sometimes agreeing to
submit all materials that the employee desires to publish to a review by the agency. The Supreme
Court enforced such a contract against a former employee of the Central Intelligence Agency
(CIA), upholding the government’s imposition of a constructive trust on the profits of a book the
employee sought to publish without first submitting it to CIA for review.62
In 1986, the Espionage Act was amended to provide for the forfeiture of any property derived
from or used in the commission of an offense.63 Violators of the Atomic Energy Act may be
subjected to a civil penalty of up to $100,000 for each violation of Energy Department regulations
regarding dissemination of unclassified information about nuclear facilities.64
Under some circumstances, the government can also use injunctions to prevent disclosures of
information. The courts have generally upheld injunctions against former employees’ publishing
information they learned through access to classified information.65 The Supreme Court also
upheld the State Department’s revocation of passports for overseas travel by persons planning to
expose U.S. covert intelligence agents, despite the fact that the purpose was to disrupt U.S.
intelligence activities rather than to assist a foreign government.66
58 See Department of Navy v. Egan, 484 U.S. 518, 526-29 (1988). Federal courts may review constitutional challenges
based on the revocation of security clearance. Webster v. Doe, 486 U.S. 592 (1988).
59 See 42 U.S.C. § 2282(b) (providing for fine of up to $100,000 for violation of Department of Energy security
regulations).
60 5 U.C.S. § 8312 (2001)(listing violations of 18 U.S.C. §§ 793 & 798, 42 U.S.C. § 2272-76, and 50 U.S.C. § 421,
among those for which forfeiture of retirement pay or annuities may be imposed).
61 See United States v. Marchetti, 466 F.2d 1309 (4th Cir.), cert. denied, 409 U.S. 1063 (1972) (enforcing contractual
non-disclosure agreement by former employee regarding “secret information touching upon the national defense and
the conduct of foreign affairs” obtained through employment with CIA).
62 See Snepp v. United States, 444 U.S. 507 (1980); see also Alan E. Garfield, Promises of Silence: Contract Law and
Freedom of Speech, 83 CORNELL L. REV. 261, 274 (1998)(noting the remedy in Snepp was enforced despite the
agency’s stipulation that the book did not contain any classified information).
63 See 18 U.S.C. §§ 793(h), 794(d), 798(d)..
64 42 U.S.C. § 2168(b).
65 See United States v. Marchetti, 466 F.2d 1309 (4th Cir. 1972) (granting an injunction to prevent a former CIA agent
from publishing a book disclosing government secrets).
66 See Haig v. Agee, 453 U.S. 280 (1981).
Congressional Research Service
11
The Protection of Classified Information: The Legal Framework
Author Contact Information
Jennifer K. Elsea
Legislative Attorney
jelsea@crs.loc.gov, 7-5466
Congressional Research Service
12