The Protection of Classified Information: The Legal Framework




The Protection of Classified Information:
The Legal Framework

Updated February 2, 2023
Congressional Research Service
https://crsreports.congress.gov
RS21900




The Protection of Classified Information: The Legal Framework

Summary
This report provides an overview of the relationship between executive and legislative authority
over national security information. It summarizes the current laws that form the legal framework
protecting classified information, including current executive orders and some agency regulations
pertaining to the handling of unauthorized disclosures of classified information by government
officers and employees. The report also summarizes criminal laws that pertain specifically to the
unauthorized disclosure of classified information, as well as civil and administrative penalties.
Finally, the report discusses managing the risk of insider threats.
Congressional Research Service

link to page 4 link to page 9 link to page 12 link to page 13 link to page 15 link to page 16 link to page 18 link to page 19 link to page 19 link to page 20 link to page 21 link to page 25 link to page 27 link to page 30 The Protection of Classified Information: The Legal Framework

Contents
Background ..................................................................................................................................... 1
Executive Order 13,526 ................................................................................................................... 6
Handling of Unauthorized Disclosures ........................................................................................... 9
Information Security Oversight Office.................................................................................... 10
Intelligence Community .......................................................................................................... 12
Department of Defense ........................................................................................................... 13
Department of State ................................................................................................................. 15
Penalties for Unauthorized Disclosure .......................................................................................... 16
Criminal Penalties ................................................................................................................... 16
Civil Penalties and Other Measures ........................................................................................ 17
Declassification vs. Leaks and “Instant Declassification” ............................................................ 18
Special Considerations for the President ....................................................................................... 22
Insider Threat Risk Management .................................................................................................. 24

Contacts
Author Information ........................................................................................................................ 27

Congressional Research Service

The Protection of Classified Information: The Legal Framework

Background
Prior to the New Deal, decisions regarding classification of national security information were
left to military regulation.1 In 1940, President Franklin D. Roosevelt issued an executive order
authorizing government officials to protect information pertaining to military and naval
installations.2 Presidents since that time have continued to set the federal government’s
classification standards by executive order, but with one critical difference: while President
Roosevelt cited specific statutory authority for his action,3 later Presidents have cited general
statutory and constitutional authority.4
The Supreme Court has never directly addressed the extent to which Congress may constrain the
executive branch’s power in this area. Citing the President’s constitutional role as commander in
chief,5 the Supreme Court has repeatedly stated in dicta (i.e., language that does not constitute a
legal determination) that “[the President’s] authority to classify and control access to information
bearing on national security . . . flows primarily from this Constitutional investment of power in
the President and exists quite apart from any explicit congressional grant.”6 This language has
been interpreted to indicate that the President has plenary authority to control classified
information.7 On the other hand, the Supreme Court has suggested that “Congress could certainly

1 See Harold C. Relyea, The Presidency and the People’s Right to Know, in THE PRESIDENCY AND INFORMATION POLICY
1, 16-18 (1981).
2 Exec. Order No. 8381, 5 Fed. Reg. 1147 (Mar. 22, 1940).
3 See id. (citing the Act of Jan. 12, 1938, 52 Stat. 3, § 1).
4 See, e.g., Exec. Order No. 10,501, 18 Fed. Reg. 7049 (Nov. 5, 1953) (executive order issued by President Dwight D.
Eisenhower citing “the authority vested in me by the Constitution and statutes”); Exec. Order No. 13,292, 68 Fed. Reg.
15315 (Mar. 25, 2003) (executive order issued by George W. Bush citing “the authority vested in me as President by
the Constitution and the laws of the United States of America”). President Barack Obama’s executive order on
classified information also cites constitutional authority. Exec. Order No. 13,526, 75 Fed. Reg. 707 (Dec. 29, 2009); see
also
75 Fed. Reg. 1013 (Jan. 8, 2010). The Trump Administration did not issue a new executive order pertaining to
classified information and, to date, neither has the Biden Administration.
5 U.S. CONST., art. II, § 2; CONG. RSCH. SERV., Historical Background on Commander in Chief Clause, CONSTITUTION
ANNOTATED, https://constitution.congress.gov/browse/essay/artII-S2-C1-1-1/ALDE_00013463/ (last visited Dec. 1,
2022).
6 Dep’t of Navy v. Egan, 484 U.S. 518, 527 (1988) (citing Cafeteria Workers v. McElroy, 367 U.S. 886, 890 (1961)). In
addition, courts have also been wary to second-guess the executive branch in areas of national security. See, e.g., Haig
v. Agee, 453 U.S. 280, 292 (1981) (“Matters intimately related to foreign policy and national security are rarely proper
subjects for judicial intervention.”). The Supreme Court has suggested, however, that it might intervene where
Congress has provided contravening legislation. Egan, 484 U.S. at 530 (“Thus, unless Congress specifically has
provided otherwise
, courts traditionally have been reluctant to intrude upon the authority of the Executive in military
and national security affairs.”) (emphasis added).
7 For example, in a signing statement, President George W. Bush objected to some provisions of the Intelligence
Reform and Terrorism Prevention Act, Pub. L. No. 108-458, 118 Stat. 3638 (2004) that he viewed as impeding on
presidential prerogatives in classifying information:
Several provisions of the Act, including Title III and section 7601, purport to regulate access to
classified national security information. The Supreme Court of the United States has stated that the
President’s authority to classify and control access to information bearing on national security flows
from the Constitution and does not depend upon a legislative grant of authority. The executive branch
shall construe such provisions in a manner consistent with the Constitution’s commitment to the
President of the executive power, the power to conduct the Nation’s foreign affairs, and the authority
as Commander in Chief.
Statement on Signing the Intelligence Reform and Terrorism Prevention Act of 2004, 3 PUB. PAPERS 3118, 3119 (Dec.
17, 2004). President Bush used similar language to object to other provisions regarding congressional notification. See,
e.g., 1 PUB. PAPERS 46, 47–48 (Jan. 10, 2002); 2 PUB. PAPERS 1870 (Oct. 23, 2002); 2 PUB. PAPERS 1217 (Sept. 30,
Congressional Research Service

1

The Protection of Classified Information: The Legal Framework

. . . provide[ ] that the Executive Branch adopt new [classification] procedures or . . . establish[]
its own procedures—subject only to whatever limitations the Executive Privilege may be held to
impose on such congressional ordering.”8 In fact, Congress established a separate regime in the
Atomic Energy Act for the protection of nuclear-related “Restricted Data.”9
Congress has also directed the President to establish procedures governing the access to classified
material so that generally no person can gain such access without having undergone a background
check.10 In addition, Congress directed the President, in formulating the classification procedures,
to adhere to certain minimum standards of due process with regard to access to classified
information.11 These standards include establishing uniform procedures for, inter alia,
background checks, denial of access to classified information, and notice of such denial.12 There
is an exception to the due process requirements, however, where compliance could damage
national security, although the statute directs agency heads to submit a report to the congressional
intelligence committees in such a case.13
With the authority to determine classification standards vested in the President, these standards
often change when a new administration takes control of the White House.14 The differences

2003); id. at 1603 (Nov. 22, 2003); 2 PUB. PAPERS 1494 (Aug. 5, 2004); 2 PUB. PAPERS 1794 (Nov. 30, 2005); id. at
1901 (Dec. 30, 2005); 1 PUB. PAPERS 1152, 1153 (June 15, 2006); 2 PUB. PAPERS 1733 (Sept. 29, 2006). President
Trump used nearly identical language to object to a provision in the Consolidated Appropriations Act 2017, Pub. L. No.
115-31, 131 Stat. 135 (2017), that requires 30 days’ advance congressional notification prior to establishing a new
special access program. In his signing statement, President Trump wrote:
The President’s authority to classify and control access to information bearing on the national
security flows from the Constitution and does not depend upon a legislative grant of authority.
Although I expect to be able to provide the advance notice contemplated by section 8009 in most
situations as a matter of comity, situations may arise in which I must act promptly while protecting
certain extraordinarily sensitive national security information. In these situations, I will treat these
sections in a manner consistent with my constitutional authorities, including as Commander in Chief.
Statement by President Donald J. Trump on Signing H.R. 244 into Law (May 5, 2017),
https://trumpwhitehouse.archives.gov/briefings-statements/statement-president-donald-j-trump-signing-h-r-244-law/;
see also Steven Aftergood, Trump Objects to Legislated Limits on Secrecy, FED’N AM. SCIENTISTS: SECRECY NEWS
(May 8, 2017), https://fas.org/blogs/secrecy/2017/05/trump-saps/ (noting similarity between the Supreme Court’s
dictum in Egan and President Trump’s claim).
8 EPA v. Mink, 410 U.S. 73, 83 (1973), superseded in part on other grounds by statute, 5 U.S.C. § 552(b)(1)(B).
9 42 U.S.C. §§ 2162-2169. For a more detailed discussion on these and other regulatory regimes for the protection of
sensitive government information, see CRS Report R41404, Criminal Prohibitions on Leaks and Other Disclosures of
Classified Defense Information
, by Stephen P. Mulligan and Jennifer K. Elsea. In addition, the Invention Secrecy Act,
35 U.S.C. §§ 181-188, authorizes the Commissioner of Patents to keep secret those patents on inventions in which the
government has an ownership interest and the widespread knowledge of which would, in the opinion of the interested
agency, harm national security.
10 Counterintelligence and Security Enhancements Act of 1994, tit. VIII, Pub. L. No. 103-359, 108 Stat. 3423, 3434
(codified at 50 U.S.C. §§ 3161-3164). Congress has also required specific regulations regarding personnel security
procedures for employees of the National Security Agency. See Act of Mar. 26, 1964, Pub. L. No. 88-290, 78 Stat. 168
(codified at 50 U.S.C. §§ 831-835).
11 50 U.S.C. § 3161(a).
12 Id.
13 Id. § 3161(b)(1)-(2). The House Conference Report that accompanied this legislation in 1994 suggests that Congress
understood that the line defining the boundaries of executive and legislative authority in this area is blurry at best. The
conferees made explicit reference to the Egan case, expressing their desire that the legislation not be understood to
affect the President’s authority with regard to security clearances. See H.R. REP. NO. 103-753, at 54 (1994).
14 See Report of the Commission on Protecting and Reducing Government Secrecy, S. DOC. NO. 105-2, at 11 (1997).
Congressional Research Service

2

The Protection of Classified Information: The Legal Framework

between the standards of one administration and the next have at times been significant. As one
congressionally authorized commission put it in 1997:
The rules governing how best to protect the nation’s secrets, while still ensuring that the
American public has access to information on the operations of its government, past and
present, have shifted along with the political changes in Washington. Over the last 50 years,
with the exception of the Kennedy Administration, a new executive order on classification
was issued each time one of the political parties regained control of the Executive Branch.
These have often been at variance with one another . . . at times even reversing outright the
policies of the previous order.15
Historically, various congressional committees have investigated ways to bring some continuity
to the classification system and to limit the President’s broad powers to shield information from
public examination.16 In 1966, Congress passed the Freedom of Information Act (FOIA),17
creating a presumption that government information will be open to the public unless it falls into
one of FOIA’s exceptions. One such exception covers information that, under executive order,
must be kept secret for national security or foreign policy reasons.18 In 2000, Congress enacted
the Public Interest Declassification Act of 2000,19 which established the Public Interest
Declassification Board to advise the President on matters regarding the declassification of certain
information. The act expressly disclaims any intent to restrict agency heads from classifying or
continuing the classification of information under their purview, and it does not create any rights
or remedies that may be enforced in court.20 In 2010, Congress also passed the Reducing Over-
Classification Act, which, among other things, requires executive branch agencies’ inspectors
general to conduct assessments of their agencies’ implementation of classification policies.21
Congress occasionally takes an interest in declassification of specific materials that might be
deemed essential for some public purpose. The procedural rules of both the Senate and House
provide a means for disclosing classified information in the intelligence committees’ possession
where the intelligence committee of the respective house (either the House Permanent Select
Committee on Intelligence (HPSCI) or the Senate Select Committee on Intelligence (SSCI))
determines by vote that such disclosure would serve the public interest.22 In the event an
intelligence committee votes to disclose classified information submitted by the executive branch,
and the executive branch requests that it be kept secret, the committee is required to notify the

15 Id.
16 See, e.g., Availability of Information from Federal Departments and Agencies: Hearings Before the H. Comm. on
Gov’t Operations
, 85th Cong. (1955).
17 Pub. L. No. 89-554, 80 Stat. 383 (1966) (codified as amended at 5 U.S.C. § 552).
18 5 U.S.C. § 552(b)(1). The Supreme Court honored Congress’s deference to executive branch determinations in this
area. See EPA v. Mink, 410 U.S. 73, 81 (1973) (“Congress chose to follow the Executive’s determination in these
matters and that choice must be honored.”). Congress, concerned that the executive branch may declare some
documents to be “national security information” that were not vital to national security, added a requirement that such
information be “properly classified pursuant to such Executive order” in the interest of national defense or foreign
policy. 5 U.S.C. § 552(b)(1)(B). Congress also provided for de novo judicial review of the propriety of an agency’s
invocation of an exception, 5 U.S.C. § 552(a)(4)(B), in order to strike an effective balance that between disclosure and
national security. CIA. v. Sims, 471 U.S. 159, 189 (1985) (Marshall, J., concurring) (observing that Congress had
effectively overridden Mink insofar as it prevented courts from conducting in camera reviews of documents to
determine whether information was improperly withheld).
19 Pub. L. No. 106-567, tit. VII, 114 Stat. 2831, 2856 (2000) (codified as amended at 50 U.S.C. §§ 3355–3355g).
20 50 U.S.C. §§ 3355c, 3355e.
21 Pub. L. No. 111-258, § 6, 124 Stat. 2648, 2651 (2010) (codified at 50 U.S.C. § 3161 note).
22 Rules of the House of Representatives, 118th Cong., Rule X, 11(g)(1); S. Res. 400, 94th Cong. § 8(a).
Congressional Research Service

3

The Protection of Classified Information: The Legal Framework

President prior to disclosure. The intelligence committee may disclose the information after five
days following notification unless the President formally objects and certifies that the threat to the
U.S. national interest outweighs any public interest in disclosing it, in which case the question
may be referred to the full chamber.23
It appears that, to date, the House has invoked its procedure for disclosing classified information
in one instance, when the HPSCI voted to release a memorandum authored by its chairman,
Representative Devin Nunes, relating to the Committee’s investigation into the use of the Foreign
Intelligence Surveillance Act (FISA) during the 2016 presidential election cycle.24 Former White
House Counsel Donald McGahn objected, arguing that the unilateral release by the legislative
branch would raise “significant separation of powers concerns” and that the White House would
treat the Committee’s notification as “a request for declassification pursuant to the President’s
authority.”25 McGahn relayed to the chairman that President Trump had agreed to declassify the
document, obviating the need for a full House vote.26 The Committee subsequently voted to
release the HPSCI minority members’ memorandum.27 The President declined to declassify the
minority memorandum but expressed an inclination to declassify it if the Committee would agree
to redactions proposed by the Department of Justice (DOJ).28 In another instance, the SSCI voted
to request that part of its study of the Central Intelligence Agency’s detention and interrogation
program be declassified, and the study was eventually released after the Committee negotiated
redactions with the Obama Administration.29
An example of a bicameral congressional declassification procedure involved the 28 pages of
classified text from the report of the Joint Inquiry of the HPSCI and the SSCI into the Intelligence
Community Activities Before and After the Terrorist Attacks of September 11, 2001.30 The report
of the Joint Inquiry was completed in 2002 and referred to the executive branch for a
classification review. The executive branch determined that three of the four parts of the report
could be disclosed to the public, but that disclosing a portion of the report would pose national
security risks.31 Despite calls by some Members and former Members of Congress to release the

23 Rules of the House of Representatives, 118th Cong., Rule X, 11(g)(2); S. Res. 400, 94th Cong. § 8(b). The House
and Senate Rules regarding the vote to disclose classified information are substantially similar, although the Senate
Manual additionally requires notification to the Majority and Minority Leaders.
24 See Letter from White House Counsel Donald F. McGahn II to Devin Nunes, Chairman, House Permanent Select
Committee on Intelligence (Feb. 2, 2018) (McGahn Letter),
https://static01.nyt.com/packages/pdf/20180202_memo/HMTG-115-IG00-20180129-SD001.pdf.
25 Id. at 1.
26 Id. at 2. President Trump authorized declassification of the memorandum after consultation with the Office of the
Director of National Intelligence and the Department of Justice. Id.
27 Letter from White House Counsel Donald F. McGahn II to Devin Nunes, Chairman, House Permanent Select
Committee on Intelligence (Feb. 9, 2018), http://cdn.cnn.com/cnn/2018/images/02/09/2.9.2018.letter.pdf.
28 Id. at 1-2.
29 See, e.g., S. REP. NO. 114-8, at 12 (2015) (describing negotiations between the Chairman of the SSCI and the Obama
Administration regarding redactions necessary to release an unclassified version of the Committee’s executive
summary to its report on the Central Intelligence Agency’s detention and interrogation of detainees).
30 H.R. REP. NO. 107-792 (2002).
31 See Director of National Intelligence, Statement by the ODNI on the Declassification of Part Four of the SSCI and
HPSCI’s 2002 Report on the Committees’ Joint Inquiry into Intelligence Community Activities Before and After the
Terrorist Attacks of September 11, 2001
(July 15, 2016), https://www.dni.gov/index.php/newsroom/congressional-
testimonies/congressional-testimonies-2016/item/1612-statement-by-the-odni-on-the-declassification-of-part-four-of-
the-ssci-and-hpsci-s-2002-report-on-the-committees-joint-inquiry-into-intelligence-community-activities-before-and-
after-the-terrorist-attacks-of-september-11-2001.
Congressional Research Service

4

The Protection of Classified Information: The Legal Framework

28 pages,32 and legislative proposals to urge or mandate disclosure,33 the intelligence committees
awaited a declassification review by the Intelligence Community before releasing the material in
redacted form.34
Another instance in which Congress sought and procured the declassification of government
information involved records pertaining to prisoners of war and personnel listed as missing in
action after the Vietnam War (POW/MIA).35 Congress initially required certain agencies to
provide information regarding “live-sightings” of such personnel to next of kin, with the
exception of “information that would reveal or compromise sources and methods of intelligence
collection.”36 Congress subsequently directed the Department of Defense (DOD) to create an
accessible library of documents related to POW/MIA, excluding records that would be exempt
under certain provisions of FOIA.37 The Senate Select Committee on POW/MIA Affairs
considered invoking the procedural rule described above to declassify relevant documents, but
deemed that untested avenue unsuitable because it would have required the Committee to identify
the documents beforehand and to have them in its possession. Furthermore, enforcement of the
measure would have required the full vote of the Senate.38 Instead, Members wrote to President
George H. W. Bush requesting an executive order to accomplish the declassification of relevant
records,39 which was followed by a resolution expressing the sense of the Senate that the
President should expeditiously issue an executive order for the declassification, without
compromising national security, of relevant documents.40 President Bush complied.41
Congress has directed the President or agency heads through legislation to undertake a
declassification review of records pertaining to specific matters and to release them as
appropriate. For example, Congress in 1998 enacted the Nazi War Crimes Disclosure Act,
directing the President to establish an interagency working group to “locate, identify, inventory,
recommend for declassification, and make available to the public at the National Archives and
Records Administration, all classified Nazi war criminal records of the United States.”42 Congress
in 2000 directed the President to “order all Federal agencies and departments that possess relevant
information [about the murders of churchwomen in El Salvador] to make every effort to
declassify and release” such information to the victims’ families “as expeditiously as possible.”43
In 2002, Congress directed the Secretary of Defense to submit to Congress and to the Secretary of

32 See Carl Hulse, Claims Against Saudis Cast New Light on Secret Pages of 9/11 Report, N.Y. TIMES (Feb. 4, 2015),
https://www.nytimes.com/2015/02/05/us/claims-against-saudis-cast-new-light-on-secret-pages-of-9-11-report.html.
33 E.g., S. 1471, 114th Cong. (2015); H.R. Res. 779, 114th Cong. (2016); H.R. Res. 14, 114th Cong. (2015)
34 See CRS Report RL33533, Saudi Arabia: Background and U.S. Relations, by Christopher M. Blanchard, appendix
C.
35 See Report of the Select Committee on POW/MIA Affairs, S. REP. NO. 103-1, at 233-44,
https://irp.fas.org/congress/1993_rpt/pow-exec.html.
36 Pub. L. No. 100-453 § 404, 102 Stat. 1904, 1909 (1988) (codified at 50 U.S.C. § 3161 note).
37 Pub. L. No. 102-190, div. A, § 1082, 105 Stat. 1290, 1480 (1991) (codified at 50 U.S.C. § 3161 note). The
POW/MIA database was created at the Library of Congress and may be accessed at
https://www.loc.gov/collections/vietnam-era-pow-mia-database/about-this-collection/.
38 S. REP. NO. 103-1, at 237.
39 Id.
40 S. Res. 324, 102d Cong (1992).
41 Exec. Order No. 12,812, 57 Fed. Reg. 32879 (July 22, 1992).
42 Pub. L. No. 105-246, § 2(c)(1), 112 Stat. 1859, 1860 (1998), (codified as amended at 5 U.S.C. § 552 note). See also
Japanese Imperial Government Disclosure Act of 2000, Pub. L. No. 106-567, title VIII, 114 Stat. 2864 (2000),
(codified as amended at 5 U.S.C. § 552 note) (establishing similar interagency group).
43 Pub. L. No. 106-429, § 587, 114 Stat. 1900, 1900A-58 (2000).
Congressional Research Service

5

The Protection of Classified Information: The Legal Framework

Veterans Affairs “a comprehensive plan for the review, declassification, and submittal” of all
information related to Project 112—a series of biological and chemical warfare vulnerability tests
conducted by the DOD44—that would be relevant for that project’s participants’ health care.45 The
DOD complied, issuing its final report to Congress on June 30, 2003.46 In 2004, Congress
directed the Secretary of Defense to “review and, as determined appropriate, revise the
classification policies of the DOD with a view to facilitating the declassification of data that is
potentially useful for the monitoring and assessment of the health of members of the Armed
Forces who have been exposed to environmental hazards during deployments overseas.”47 In
2007, Congress directed the Director of the Central Intelligence Agency (CIA) to make public a
version of the executive summary of the CIA Office of the Inspector General report on “CIA
Accountability Regarding Findings and Conclusions of the Joint Inquiry into Intelligence
Community Activities Before and After the Terrorist Attacks of September 11, 2001,” declassified
“to the maximum extent possible, consistent with national security.”48 In 2014, Congress directed
the Director of National Intelligence (DNI) to conduct a declassification review of documents
collected during the raid that killed Osama bin Laden, requiring a justification for materials that
remain classified after the review.49 In 2021, Congress directed the Public Interest
Declassification Board (PIDB) to conduct “a study on the feasibility of carrying out a
declassification review relating to nuclear weapons, chemical weapons, or ballistic missile tests
conducted by the United States in the Marshall Islands, including with respect to cleanup
activities and the storage of waste relating to such tests.”50 In 2022, Congress directed the DNI to
conduct a declassification review to “determine what, if any, additional information relating to the
terrorist attacks of September 11, 2001” can be released to the public.51
Executive Order 13,526
The current standards for classifying and declassifying information were last amended on
December 29, 2009, by Executive Order 13,526.52 Under these standards, the President, Vice
President, agency heads, and any other officials designated by the President may classify
information upon a determination that the unauthorized disclosure of such information could

44 See U.S. Dep’t of Veterans Affairs, Public Health, About Project 112 and Project SHAD,
https://www.publichealth.va.gov/exposures/shad/basics.asp (last visited Dec. 15, 2022).
45 Pub. L. No. 107-314, div. A, § 709, 116 Stat. 2458, 2586 (2002) (previously codified at 10 U.S.C. § 1074 note). For
information about Project 112 and related veterans’ health benefits, visit the Department of Veterans Affairs website at
http://www.benefits.va.gov/COMPENSATION/claims-postservice-exposures-project_112_shad.asp.
46 See U.S. GOV’T ACCOUNTING OFFICE, GAO-04-410, CHEMICAL AND BIOLOGICAL DEFENSE 3 (2004).
47 Pub. L. No. 108-375, div. A, § 735, 118 Stat. 1900, 1999 (2004) (codified as amended at 10 U.S.C. § 1074 note).
48 Pub. L. No. 110-53, § 605, 121 Stat. 266, 337 (2007).
49 Pub. L. No. 113-126, § 313, 128 Stat. 1390, 1399 (2014).
50 Pub. L. No. 117-81, § 1685, 135 Stat. 1541, 2125 (2021).
51 Pub. L. No. 117-103, div. X, § 310, 136 Stat. 49, 972 (2022) (codified at 50 U.S.C. § 3161 note). Prior to enactment,
in 2021, President Biden directed the Attorney General and other agency heads to review for declassification certain
information pertinent to litigation related to possible Saudi government involvement in September 11, Declassification
Reviews of Certain Documents Concerning the Terrorist Attacks of September 11, 2001, Exec. Order No. 14,040, 86
Fed. Reg. 50,439 (Sept. 3, 2021).
52 Classified National Security Information, Exec. Order No. 13,526, 75 Fed. Reg. 707 (Dec. 29, 2009), as amended by
75 Fed. Reg. 1013 (Jan. 8, 2010)) (revoking Exec. Order No. 12,958, 60 Fed. Reg. 19825 (Apr. 17, 1995); Exec. Order
No. 13,292, 68 Fed. Reg. 15315 (Mar. 25, 2003)). For a more detailed description and analysis of Executive Order
13526, see CRS Report R41528, Classified Information Policy and Executive Order 13526.
Congressional Research Service

6

The Protection of Classified Information: The Legal Framework

reasonably be expected to damage national security.53 Such information must be owned by,
produced by, or under the control of the federal government, and must concern one of the
following:
 military plans, weapons systems, or operations;
 foreign government information;
 intelligence activities, intelligence sources/methods, cryptology;
 foreign relations or foreign activities of the United States, including confidential
sources;
 scientific, technological, or economic matters relating to national security;
 federal programs for safeguarding nuclear materials or facilities;
 vulnerabilities or capabilities of national security systems; or
 weapons of mass destruction.54
Information may be classified at one of three levels based on the amount of danger that its
unauthorized disclosure could reasonably be expected to cause to national security.55 Information
is classified as “Top Secret” if its unauthorized disclosure could reasonably be expected to cause
“exceptionally grave damage to the national security.”56 The standard to classify information as
“Secret” is if its unauthorized disclosure could reasonably be expected to cause “serious damage
to the national security,” and classification as “Confidential” is if the unauthorized disclosure of
such information could reasonably be expected to cause “damage to the national security.”57
Significantly, for each level, the original classifying officer must identify or describe the specific
danger potentially presented by the information’s disclosure.58 In case of significant doubt as to
the need to classify information or the level of classification appropriate, the information is to
remain unclassified or be classified at the lowest level of protection considered appropriate.59
The officer who originally classifies the information establishes a date for declassification based
upon the expected duration of the information’s sensitivity.60 If the office cannot set an earlier
declassification date, then the information must be marked for declassification in 10 years’ time
or 25 years, depending on the sensitivity of the information.61 The deadline for declassification
can be extended if the threat to national security still exists.62

53 Exec. Order No. 13,526 § 1.1. “The unauthorized disclosure of foreign government information is presumed to cause
damage to the national security.” Id. § 1.1(d).
54 Id. § 1.4(a)–(g). In addition, when classified information is incorporated, paraphrased, restated, or generated in a new
form, that new form must be classified at the same level as the original. Id. §§ 2.1–2.2.
55 Id. § 1.2(a).
56 Id. § 1.2(a)(1).
57 Id. § 1.2(a)(2), (3).
58 Id. § 1.2(a)(1)–(3). Classifying authorities are specifically prohibited from classifying information for reasons other
than protecting national security, such as to conceal violations of law or avoid embarrassment. Id. § 1.7(a).
59 Id. §§ 1.1(b), 1.2(c). This presumption is a change from the predecessor order.
60 Id. § 1.5.
61 Id. § 1.5(b). Exceptions to the time guidelines are reserved for information that can be expected to reveal the identity
of a human intelligence source or key design concepts of weapons of mass destruction. Id. § 1.5(a).
62 Id. § 1.5(c).
Congressional Research Service

7

The Protection of Classified Information: The Legal Framework

Classified information is required to be declassified “as soon as it no longer meets the standards
for classification.”63 The original classifying agency has the authority to declassify information
when the public interest in disclosure outweighs the need to protect that information.64 The DNI
has the authority to declassify or downgrade information or intelligence relating to intelligence
sources, methods, or activities, after consultation with the head of the originating Intelligence
Community element or department.65 Beginning December 31, 2006, and every year thereafter,
all information that has been classified for 25 years or longer and has been determined to have
“permanent historical value” is to be automatically declassified, although agency heads can
exempt from this requirement classified information that continues to be sensitive in a variety of
specific areas.66
Agencies are required to review classification determinations upon a request for such a review
that specifically identifies the materials so that the agency can locate them, unless the materials
identified are part of an operational file exempt under FOIA67 or are the subject of pending
litigation.68 This requirement does not apply to information that has undergone declassification
review in the previous two years;69 information that is exempted from review under the National
Security Act;70 or information classified by the incumbent President and staff, the Vice President
and staff (in the performance of executive duties), commissions appointed by the President, or
other entities within the executive office of the President that advise the President.71 Each agency
that has classified information is required to establish a system for periodic declassification
reviews.72 The National Archivist is required to establish a similar systematic review of classified
information that has been transferred to the National Archives.73
Access to classified information is generally limited to those who demonstrate their eligibility to
the relevant agency head, sign a nondisclosure agreement, and have a need to know the
information.74 Agency heads or senior agency officials of originating agencies may make waivers
of the need-to-know requirement available for former Presidents and Vice Presidents, historical
researchers, and former policy-making officials who were appointed by the President or Vice
President.75 The information being accessed may not be removed from the controlling agency’s

63 Exec. Order No. 13,526 § 3.1(a).
64 Id. § 3.1(d).
65 Id. § 3.1(c).
66 Id. § 3.3. “ ‘Records having permanent historical value’ means Presidential papers or Presidential records and the
records of an agency that the Archivist has determined should be maintained permanently in accordance with title 44,
United States Code.” Id. § 6.1(ii).
67 5 U.S.C. § 552. For more information, see CRS Report R46238, The Freedom of Information Act (FOIA): A Legal
Overview
, by Daniel J. Sheffner and CRS In Focus IF12301, Congress and the Freedom of Information Act (FOIA), by
Benjamin M. Barczewski and Meghan M. Stuessy.
68 Exec. Order No. 13,526 § 3.5.
69 Id. § 3.5(d).
70 50 U.S.C. §§ 3141–3143.
71 Exec. Order No. 13,526 § 3.5.
72 Id. § 3.4.
73 Id. Executive Order No. 13,526 creates a new National Declassification Center (NDC) within the National Archives
to facilitate and standardize the declassification process. Id. § 3.7. For more information about the NDC, see CRS
Report R41528, Classified Information Policy and Executive Order 13526.
74 Exec. Order No. 13,526 § 4.1. “Need-to-know” is based on a “determination within the executive branch in
accordance with [relevant] directives . . . that a prospective recipient requires access to specific classified information
in order to perform or assist in a lawful and authorized governmental function.” Id. § 6.1(dd).
75 Id. § 4.4.
Congressional Research Service

8

link to page 20 link to page 20 link to page 19 The Protection of Classified Information: The Legal Framework

premises without permission.76 Each agency is required to establish systems for controlling the
distribution of classified information.77
The Information Security Oversight Office (ISOO)—an office within the National Archives—is
charged with overseeing compliance with the classification standards and promulgating directives
to that end.78 ISOO is headed by a Director, who is appointed by the Archivist of the United
States, and who has the authority to order declassification of information that, in the Director’s
view, is classified in violation of the aforementioned classification standards.79 In addition, there
is an Interagency Security Classification Appeals Panel (ISCAP), headed by the ISOO Director
and made up of representatives of the heads of various agencies, including the Departments of
Defense, Justice, and State, as well as the CIA, and the National Archives.80 ISCAP is empowered
to decide appeals of classifications challenges81 and to review automatic and mandatory
declassifications. If the ISOO Director finds a violation of Executive Order 13,526 or its
implementing directives, then the Director must notify the appropriate classifying agency so that
corrective steps can be taken.
Handling of Unauthorized Disclosures
Under Executive Order 13,526, each respective agency is responsible for maintaining control
over classified information it originates and is responsible for establishing uniform procedures to
protect classified information and automated information systems in which classified information
is stored or transmitted. Standards for safeguarding classified information, including the handling,
storage, distribution, transmittal, and destruction of and accounting for classified information, are
developed by the ISOO.82 Persons authorized to disseminate classified information outside the
executive branch are required to ensure it receives protection equivalent to those required
internally.83 In the event of a knowing, willful, or negligent unauthorized disclosure (or any such
action that could reasonably be expected to result in an unauthorized disclosure), the agency head
or senior agency official is required to notify ISOO and to “take appropriate and prompt
corrective action.”84 Officers and employees of the United States (including contractors,
licensees, etc.) who commit a violation may be subject, at a minimum, to administrative sanctions
that can range from reprimand to termination.85

76 Id. § 4.1(d).
77 Id. § 4.2.
78 Id. § 5.2.
79 Id. § 3.1(c).
80 Id. § 5.3.
81 Id. § 5.3(b)(1)–(3). For example, an authorized holder of classified information is allowed to challenge the classified
status of such information if the holder believes that status is improper. Id. § 1.8.
82 Id. § 5.1.
83 Id. § 4.1(e).
84 Id. § 5.5(e).
85 Id. § 5.5. Specifically, administrative sanctions available with respect to “[o]fficers and employees of the United
States Government, and its contractors, licensees, certificate holders, and grantees” accused of violating government
security regulations, “knowingly, willfully, or negligently,” include such civil remedies as “reprimand, suspension
without pay, removal, termination of classification authority, loss or denial of access to classified information, or other
sanctions in accordance with applicable law and agency regulation.” Id. See infra section “Civil Penalties and Other
Measures.”
Violators may also be referred to the DOJ for potential criminal prosecution. 32 C.F.R. § 2001.48(e). See
infra
section “Criminal Penalties.”
Congressional Research Service

9

The Protection of Classified Information: The Legal Framework

Executive Order 12,333, United States Intelligence Activities,86 spells out the responsibilities of
members of the Intelligence Community (IC)87 for the protection of intelligence information,
including intelligence sources and methods. Under Section 1.7 of Executive Order 12,333, heads
of departments and agencies with organizations in the IC (or the heads of such organizations, if
appropriate) must report possible violations of federal criminal laws to the Attorney General “in a
manner consistent with the protection of intelligence sources and methods.”
In 2019, Congress amended the National Security Act of 194788 to require the heads and
inspectors general (IGs) of IC elements to submit semi-annual reports to the congressional
intelligence committees regarding the opening and completion of investigations of unauthorized
public disclosure of classified information.89 The same provision requires the Assistant Attorney
General for National Security of the DOJ, in consultation with the Director of the Federal Bureau
of Investigation, to provide semi-annual reports to the congressional intelligence committees, the
Committee on the Judiciary of the Senate, and the Committee on the Judiciary of the House of
Representatives a report on the status of each referral made to DOJ by any IC element regarding
an unauthorized disclosure of classified information made during the preceding year or remaining
open as of the reporting date.90
Information Security Oversight Office
ISOO Directive No. 1 (32 C.F.R. Part 2001) provides further direction for agencies with
responsibilities for safeguarding classified information. Section 2001.41 states:
Authorized persons who have access to classified information are responsible for: (a)
Protecting it from persons without authorized access to that information, to include
securing it in approved equipment or facilities whenever it is not under the direct control
of an authorized person; (b) Meeting safeguarding requirements prescribed by the agency
head; and (c) Ensuring that classified information is not communicated over unsecured
voice or data circuits, in public conveyances or places, or in any other manner that permits
interception by unauthorized persons.91

86 46 Fed. Reg. 59941 (Dec. 4, 1981), as amended by Exec. Order No. 13,284, 68 Fed. Reg. 4075 (Jan. 23, 2003); Exec.
Order No. 13,355, 69 Fed. Reg. 53593 (Aug. 27, 2004); and Exec. Order No. 13,470, 73 Fed. Reg. 45325 (July 30,
2008)) (reprinted at 50 U.S.C. § 3001 note).
87 The Intelligence Community is defined by 50 U.S.C. § 3003(4) and Executive Order 12,333 to include the Office of
the Director of National Intelligence (ODNI), the Central Intelligence Agency (CIA), the Bureau of Intelligence and
Research (INR) of the Department of State, the National Security Service of the Federal Bureau of Investigation (FBI),
the Office of Intelligence and Analysis of the Department of Homeland Security (DHS), the Office of Coast Guard
Intelligence (CGI), other DHS elements concerned with the analysis of intelligence information, the Office of
Intelligence and Analysis of the Department of the Treasury, the Department of Energy, the Drug Enforcement
Administration (DEA), the Defense Intelligence Agency (DIA), the National Security Agency (NSA), the National
Reconnaissance Office (NRO), the National Geospatial-Intelligence Agency (NGA), Army Intelligence, Air Force
Intelligence, Navy Intelligence, and Marine Corps Intelligence, as well as “[s]uch other elements of any department or
agency as may be designated by the President, or designated jointly by the Director of National Intelligence and the
head of the department or agency concerned, as an element of the intelligence community.” Id. § 3003(4)(L).
88 Act July 26, 1947, ch. 343, 61 Stat. 495 (codified as amended at 50 U.S.C. §§ 3001–3243).
89 National Defense Authorization Act for Fiscal Year 2020, Pub. L. No. 116-92, § 6718, 113 Stat. 1198, 2228 (2019)
(codified at 50 U.S.C. § 3235). “[U]nauthorized public disclosure of classified information” is defined as “unauthorized
disclosure of classified information to a journalist or media organization.” 50 U.S.C. § 3235(a)(4).
90 Id. § 3235(c). “Unauthorized disclosure of classified information” applies to disclosures made to any recipient. Id. §
3235(a)(3).
91 32 C.F.R. § 2001.41.
Congressional Research Service

10

The Protection of Classified Information: The Legal Framework

Section 2001.45 of ISOO Directive No. 192 requires agency heads to establish a system of
appropriate control measures to limit access to classified information to authorized persons.
Section 2001.46 requires that classified information is transmitted and received in an authorized
manner that facilitates detection of tampering and precludes inadvertent access.93 Persons who
transmit classified information are responsible for ensuring that the intended recipients are
authorized to receive classified information and have the capacity to store classified information
appropriately.94 Documents classified “Top Secret” that are physically transmitted outside secure
facilities must be properly marked and wrapped in two layers to conceal the contents, and must
remain under the constant and continuous protection of an authorized courier.95 In addition to the
methods prescribed for the outside transmittal of Top Secret documents, documents classified at
Secret or Confidential levels may be mailed in accordance with the prescribed procedures.96
Agency heads are required to establish procedures for receiving classified information in a
manner that precludes unauthorized access, provides for detection of tampering and confirmation
of contents, and ensures the timely acknowledgment of the receipt (in the case of Top Secret and
Secret information).97
Section 2001.48 prescribes measures to be taken in the event of loss, possible compromise, or
unauthorized disclosure. It states: “Any person who has knowledge that classified information has
been or may have been lost, possibly compromised or disclosed to an unauthorized person(s)
shall immediately report the circumstances to an official designated for this purpose.”98
Agency heads are required to establish appropriate procedures to conduct an inquiry or
investigation into the loss, possible compromise or unauthorized disclosure of classified
information, in order to implement “appropriate corrective actions” and to “ascertain the degree
of damage to national security.”99 The department or agency in which the compromise occurred
must also advise any other government agency or foreign government agency whose interests are
involved of the circumstances and findings that affect their information or interests.100 Agency
heads are to establish procedures to ensure coordination with legal counsel in any case where a
formal disciplinary action beyond a reprimand is contemplated against a person believed
responsible for the unauthorized disclosure of classified information.101 Whenever a criminal
violation appears to have occurred and a criminal prosecution is contemplated, agency heads are
to ensure coordination with the DOJ and the legal counsel of the agency where the individual
believed to be responsible is assigned or employed.102 ISOO must be notified in case of a
violation that (1) is reported to congressional oversight committees; (2) may attract significant
public attention; (3) involves large amounts of classified information; or (4) reveals a potential
systemic weakness in security practices.103

92 Id. § 2001.45.
93 Id. § 2001.46(a).
94 Id.
95 Id. § 2001.46(b)(1).
96 Id. § 2001.46(c).
97 Id. § 2001.46(f).
98 Id. § 2001.48(a).
99 Id. § 2001.48(c).
100 Id. § 2001.48(b).
101 Id. § 2001.48(e).
102 Id.
103 Id. § 2001.48(d).
Congressional Research Service

11

The Protection of Classified Information: The Legal Framework

Intelligence Community
The most recent Intelligence Community directives related to the safeguarding of classified
information appear to be Intelligence Community Directive (ICD) 700, Protection of National
Intelligence, effective June 7, 2012;104 ICD 701, Unauthorized Disclosures of Classified National
Security Information, effective December 22, 2017;105 and ICD 703, Protection of Classified
National Intelligence, Including Sensitive Compartmented Information, effective June 21,
2013.106 Damage assessments in the event of an unauthorized disclosure or compromise of
classified national intelligence are governed by ICD 732, Damage Assessments, effective June
27, 2014.107
ICD 700 mandates an integration of counterintelligence and security functions for the purpose of
protecting national intelligence and sensitive information and, among other things, to strengthen
“deterrence, detection, and mitigation of insider threats, defined as personnel who use their
authorized access to do harm to the security of the US through espionage, terrorism, unauthorized
disclosure of information, or through the loss or degradation of resources or capabilities.”108
Under ICD 701, in the event of a possible unauthorized disclosure,109 the head of the originating
IC element is to conduct an internal investigation to determine if the filing of a Crimes Report
with DOJ is warranted.110 If the investigation determines that a confirmed unauthorized disclosure
is likely to cause damage to the national security, the head of the originating IC element is to
report the incident to the DOJ with notification to the element’s inspector general (IG), the
Intelligence Community Inspector General (ICIG), and the Director of the National
Counterintelligence and Security Center.111 If the DOJ declines prosecution, the ICIG may
conduct an independent administrative investigation in coordination with the relevant IC
element’s IG.112 Significant unauthorized disclosures that may cause “substantial risk to U.S.
national security interests” are to be reported to the congressional intelligence committees.113 The
DNI may prohibit the ICIG from conducting any investigation if it is determined that such a
prohibition would be necessary to protect vital national security interests, but has to report to the
congressional intelligence committees any exercise of this authority.114

104 Office of Dir. of Nat’l Intelligence, Intelligence Community Directive 700: Protection of National Intelligence (June
7, 2012), https://www.dni.gov/files/documents/ICD/ICD_700.pdf.
105 Office of Dir. of Nat’l Intelligence, Intelligence Community Directive 701: Unauthorized Disclosure of Classified
National Security Information
(Dec. 22, 2017), https://www.dni.gov/files/documents/ICD/10-3-17_Atch1_ICD-701-
Unauthorized-Disclosures_17-00047_U_SIGNED.pdf.
106 Office of Dir. of Nat’l Intelligence, Intelligence Community Directive 703: Protection of Classified National
Intelligence, Including Sensitive Compartmented Information
(June 21, 2013), https://www.dni.gov/files/documents/
ICD/ICD%20703.pdf.
107 Office of Dir. of Nat’l Intelligence, Intelligence Community Directive 732: Damage Assessments (June 27, 2014),
https://www.dni.gov/files/documents/ICD/ICD%20732.pdf.
108 ICD 700 § D(4)(c).
109 An “unauthorized disclosure” is a “communication, confirmation, acknowledgement, or physical transfer of
classified information, including the facilitation of, or actual giving, passing, selling, or publishing of, or in any way
making such information available to an unauthorized recipient.” ICD 701 § D(1).
110 Id. § E(4)(a).
111 Id. § D(3).
112 Id. § D(4).
113 Id. § D(6).
114 Id. § D(7) (citing 50 U.S.C. § 3033(f)).
Congressional Research Service

12

The Protection of Classified Information: The Legal Framework

Department of Defense
Department of Defense Directive No. 5210.50, Management of Serious Security Incidents
Involving Classified Information, October 27, 2014,115 prescribes policy and responsibilities for
handling unauthorized disclosures of classified information to the public and other serious
security incidents. More detailed procedures governing specific types of information possibly
compromised appear in Volume 3 of the DOD Manual No. 5200.01, Enclosure 6, Security
Incidents Involving Classified Information, February 24, 2012.116 In the event of a known or
suspected disclosure of classified information, the heads of DOD components must take prompt
action to decide the nature and circumstances of the disclosure, determine the extent of damage to
national security, and take appropriate corrective action.117 If the inquiry or investigation turns up
information suggestive of a criminal or counterintelligence nature, component heads are to cease
investigation pending coordination with the relevant Deputy Chief Information Officer (DCIO) or
Defense Counter-Intelligence (CI) component.118
Security inquiries are to be initiated and completed within 10 duty days unless an extension is
required.119 The inquiry is aimed at discovering:
(a) When, where, and how did the incident occur? What persons, situations, or conditions
caused or contributed to the incident?
(b) Was classified information compromised?
(c) If a compromise occurred, what specific classified information and/or material was
involved? What is the classification level of the information disclosed?
(d) If classified material is alleged to have been lost, what steps were taken to locate the
material?
(e) Was the information properly classified?
(f) Was the information officially released?
(g) In cases of compromise involving the public media:
1. In what specific media article, program, book, Internet posting or other item did the
classified information appear?
2. To what extent was the compromised information disseminated or circulated?
3. Would further inquiry increase the damage caused by the compromise?
(h) Are there any leads to be investigated that might lead to identifying the person(s)
responsible for the compromise?
(i) If there was no compromise, and if the incident was unintentional or inadvertent, was
there a specific failure to comply with established security practices and procedures that
could lead to compromise if left uncorrected and/or is there a weakness or vulnerability in

115 See U.S. Dep’t of Def., Directive No. 5210.50: Management of Serious Security Incidents Involving Classified
Information
(Oct. 27, 2014), https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/521050p.pdf.
116 DoD Information Security Program: Protection of Classified Information, DOD Manual No. 5200.01, Vol. 3 (Feb.
24, 2012), https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/520001m_vol3.pdf.
117 Id. Encl. 6, § 6(a).
118 Id. § 6(b).
119 Id. § 6(d)(2).
Congressional Research Service

13

The Protection of Classified Information: The Legal Framework

established security practices and procedures that could result in a compromise if left
uncorrected? What corrective action is required?120
Section 7(f) of the DOD Manual No. 5200.01, Enclosure 6 lists factors for determining whether
to initiate an additional investigation by a DCIO or the DOJ in the event classified information
appears in the public media:
(1) The accuracy of the information disclosed.
(2) The damage to national security caused by the disclosure and whether there were
compromises regarding sensitive aspects of current classified projects, intelligence
sources, or intelligence methods.
(3) The extent to which the disclosed information was circulated, both within and outside
the Department of Defense, and the number of persons known to have access to it.
(4) The degree to which an investigation shall increase the damage caused by the
disclosure.
(5) The existence of any investigative leads.
(6) The reasonable expectation of repeated disclosures.121
If classified DOD information appears in a newspaper or other media, the head of the appropriate
DOD component is responsible for the preparation of a “DOJ Media Leak Questionnaire” to
submit to the Under Secretary of Defense for Intelligence, who prepares a letter for the Chief,
Internal Security Section of the Criminal Division at the DOJ.122 The following eleven questions
are to be promptly and fully addressed:
 What is the date and identity of the media source (article, blog, television, or
other oral presentation) containing classified information?
 What specific statement(s) are classified, and is the information properly
classified?
 Is the disclosed information is accurate?
 Did the information come from a specific document, and if so, the originating
office and person responsible for its security?
 What is the extent of official circulation of the information?
 Has the information been the subject of prior official release?
 Was prepublication clearance or release sought?
 Has sufficient information or background data been published officially or in the
press to make educated speculation on the matter possible?
 Will the information be made available for use in a criminal prosecution and is
the person competent to testify on its classification?
 Was declassification considered?
 What effect does the disclosure have on the national defense?123

120 Id. § 6(d)(4).
121 Id. § 7(f).
122 Id. § 7(g).
123 DOJ Media Leaks Questionnaire, DOD Manual No. 5200.01, Vol. 3, Encl. 6, App. 2. The questions apparently
originated as part of a Memorandum of Understanding concluded between the DOJ and elements of the Intelligence
Community. See Concerning Unauthorized Disclosure of Classified Information: Hearing Before the S. Select Comm.
Congressional Research Service

14

The Protection of Classified Information: The Legal Framework

Department of State
Information security at the Department of State124 is governed by Parts 500 and 600 in Volume 12
of the Foreign Affairs Manual (FAM).125 The Bureau of Administration is responsible for
implementing Executive Order 13,526 as it applies to the classification and declassification of
material, the marking of classified material, and relevant training and guidance.126 The Bureau of
Diplomatic Security (DS) is responsible for protecting classified information and special access
programs.127 Senior agency officials have the primary responsibility for overseeing their
respective agency’s information security program, while supervisors are charged with
safeguarding classified information within their organizational units.128 Individual employees
having access to classified material are responsible for maintaining its security.129
Security incidents are to be reported through the appropriate security officer to DS.130 The
employee suspected of having caused the incident is given an opportunity to provide a statement
of defense or mitigating circumstances, after which the incident is referred to his or her supervisor
and to DS.131 DS is responsible for evaluating security incidents and performing final
adjudication of them and initiation of any further action deemed necessary.132 Investigations of
loss, unauthorized disclosure, or serious compromise of classified information are covered in 12
FAM 228.4 and are the responsibility of the Professional Responsibility Division (DS/ICI/PR) of
the Office of Investigations and Counterintelligence.133 In the event of a “media leak” of
classified information, the originating agency is to undertake an initial investigation to determine
if any other agency had access to the information, and if necessary request that such receiving
agency conduct an appropriate investigation into the unauthorized disclosure.134 The manual notes
that DOJ may decide to prosecute those who disclose classified information without authority, but
does not provide a list of reporting criteria.135

on Intelligence, 106th Cong. (June 14, 2000) (statement of Janet Reno, Att’y Gen., DOJ),
https://sgp.fas.org/othergov/renoleaks.pdf.
124 12 FAM Pts. 500 (Information Security), 600 (Information Security Technology), https://fam.state.gov/Volumes/
Details/12FAM. Part 500 applies to all national security and sensitive information that is “owned by, originated by,
produced by or for, or under the control of Foreign Affairs Agencies” at all State Department-controlled locations. Id.
at 511.1. Foreign Affairs Agencies include the Department of State, U.S. Agency for International Development, U.S.
International Development Finance Corporation, U.S. Trade and Development Program, and all other executive branch
personnel located under the jurisdiction of a chief of mission. Id.
125 12 FAM Pts. 500, 600.
126 12 FAM 512.1-1a(1)(a).
127 Id. at 512.1-1a(1)(b).
128 Id. at 512.1-1b.
129 Id. at 512.1-3.
130 Id. at 554.
131 Id. at 555(c)(2), (d)(2).
132 Id. at 556.
133 Id. at 226.7-1.
134 Id. at 226.7-4(c).
135 See id.
Congressional Research Service

15

The Protection of Classified Information: The Legal Framework

Penalties for Unauthorized Disclosure
In addition to administrative penalties agencies may employ to enforce information security, there
are several statutory provisions that address the protection of classified information as such, but
only certain types of information or in specific situations. There is no blanket prohibition on the
unauthorized disclosure of classified information.136 The Espionage Act itself does not mention
classified information, but prohibits transmittal of national defense information with the relevant
intent or state of mind.137
Criminal Penalties
Generally, federal law prescribes a prison sentence of no more than five years and/or a fine for
officers and employees of the federal government who knowingly remove classified material
without the authority to do so and with the intention of keeping that material at an unauthorized
location.138 The Espionage Act provides for a penalty of up to ten years for unlawful collection,
receipt, retention, communication, or transmission of national security materials or
information.139 Stiffer penalties—fines and imprisonment for any term of years or for life, or the
death sentence in certain circumstances—attach when anyone transmits classified information to
an individual who they have reason to believe is an agent of a foreign government.140 A fine and a
10-year prison term may also be imposed if an individual publishes, makes available to an
unauthorized person, or otherwise uses to the United States’ detriment classified information
regarding the codes, cryptography, and communications intelligence utilized by the United States

136 For a broader overview of statutory provisions applicable to specific types of sensitive information, see CRS Report
R41404, Criminal Prohibitions on Leaks and Other Disclosures of Classified Defense Information, by Stephen P.
Mulligan and Jennifer K. Elsea.
137 18 U.S.C. §§ 793–794. For a detailed description of the Espionage Act, see CRS Report R41404, Criminal
Prohibitions on Leaks and Other Disclosures of Classified Defense Information
, by Stephen P. Mulligan and Jennifer
K. Elsea.
138 18 U.S.C. § 1924.
139 Id. § 793. A government contractor was sentenced to 63 months in prison for removing classified material from a
government facility and providing it to The Intercept in violation of 18 US.C. § 793(e). Press Release, U.S. Dep’t Just.,
Federal Government Contractor Sentenced for Removing and Transmitting Classified Materials to a News Outlet (Aug.
23, 2018), https://www.justice.gov/opa/pr/federal-government-contractor-sentenced-removing-and-transmitting-
classified-materials-news. WikiLeaks founder Julian Assange was indicted for soliciting, aiding and abetting in the
transmission of, and receiving classified materials (18 U.S.C. § 793(b), (c), (d), (e), and (g)), as well as conspiracy to
commit computer intrusion under 18 U.S.C. §§ 371 and 1030. Press Release, U.S. Dep’t Just., WikiLeaks Founder
Julian Assange Charged in 18-Count Superseding Indictment, https://www.justice.gov/opa/pr/wikileaks-founder-julian-
assange-charged-18-count-superseding-indictment. Assange is detained in the United Kingdom pursuant to an
extradition request from the United States. Press Release, U.S. Dep’t Just., WikiLeaks Founder Charged in Superseding
Indictment (Jun. 24, 2020), https://www.justice.gov/usao-edva/pr/wikileaks-founder-charged-superseding-indictment.
Edward Snowden was indicted in 2013 on espionage charges under 18 U.S.C. §§ 793(d) 798(a) as well as theft of
government property, 18 U.S.C. § 641. Snowden, a former contractor working as a computer systems administrator at
an NSA facility in Hawaii, was charged in connection with leaking top-secret documents related to certain NSA data-
collection programs to the Guardian (UK) and the Washington Post. Mark Mazzetti and Michael S. Schmidt, Ex-
Worker at C.I.A. Says He Disclosed U.S. Surveillance,
N.Y. TIMES (Jun. 10, 2013),
https://www.nytimes.com/2013/06/10/us/former-cia-worker-says-he-leaked-surveillance-data.html.
140 18 U.S.C. § 794. Aldrich Ames was sentenced to life in prison after pleading guilty to charges of providing
intelligence documents to the Soviet Union in violation of 18 U.S.C. § 794(d). Bill Miller and Walter Pincus, Ames
Pleads Guilty to Spying, Gets Life Term
, WASH. POST (April 29, 1994),
https://www.washingtonpost.com/archive/politics/1994/04/29/ames-pleads-guilty-to-spying-gets-life-term/ed7b651d-
d9a6-4de2-b15a-131715c12fb1/.
Congressional Research Service

16

The Protection of Classified Information: The Legal Framework

or a foreign government.141 Finally, the disclosure of classified information that reveals any
information identifying a covert agent,142 when done intentionally by a person with authorized
access to such identifying information, is punishable by imprisonment for up to 15 years.143 A
similar disclosure by one who learns the identity of a covert agent as a result of having authorized
access to classified information is punishable by not more than 10 years’ imprisonment.144 Under
the same provision, a person who undertakes a “pattern of activities intended to identify and
expose covert agents” with reason to believe such activities would impair U.S. foreign
intelligence activities, and who then discloses the identities uncovered as a result is subject to
three years’ imprisonment, whether or not the violator has access to classified information.145
Persons subject to the Uniform Code of Military Justice may face court-martial for violation of
these statutes146 or analogous military crimes.147
Civil Penalties and Other Measures
In addition to the criminal penalties outlined above, the executive branch employs numerous
means of deterring unauthorized disclosures by government personnel using administrative
measures based on terms of employment contracts. The agency may impose disciplinary action or
revoke a person’s security clearance. The revocation of a security clearance is usually not
reviewable by the Merit Systems Protection Board148 and may mean the loss of government
employment.149 Government employees may also be subject to monetary penalties for disclosing

141 18 U.S.C. § 798.
142 “Covert agent” is defined as a present or retired IC employee or member of the Armed Forces assigned to duty with
an intelligence agency whose identity as such is classified; a U.S. citizen who acts as an agent or informant to an
intelligence agency or the FBI whose relationship with the U.S. government is classified; or a non-U.S. citizen who acts
as a present or former agent of or source of operational assistance to an intelligence agency and whose intelligence
relationship to the U.S. government is classified. 50 U.S.C. § 3126(4)(A)-(C).
143 Id. § 3121(a).
144 Id. § 3121(b).
145 Id. § 3121(c). “[C]lassified information” for the purpose of this section is defined as “information or material
designated and clearly marked or clearly represented, pursuant to the provisions of a statute or Executive order (or a
regulation or order issued pursuant to a statute or Executive order), as requiring a specific degree of protection against
unauthorized disclosure for reasons of national security.” Id. § 3126(1).
146 10 U.S.C. § 934 (general article, which is used to assimilate state and federal crimes not covered by specific articles
of the UCMJ). PFC Chelsea Manning (formerly Bradley Manning) was charged under 10 U.S.C. § 134 for violating 18
U.S.C. § 793 and was sentenced to 35 in prison for providing a trove of classified information to WikiLeaks. Charlie
Savage and Emmarie Huetteman, Manning Sentenced to 35 Years for a Pivotal Leak of U.S. Files, N.Y. TIMES (Aug.
21, 2013), https://www.nytimes.com/2013/08/22/us/manning-sentenced-for-leaking-government-secrets.html. President
Obama commuted her sentence in 2017. Press Release, White House Office of the Press Secretary, President Obama
Grants Commutations and Pardons, Obama White House Archives (Jan. 17, 2017),
https://obamawhitehouse.archives.gov/the-press-office/2017/01/17/president-obama-grants-commutations-and-pardons.
147 10 U.S.C. §§ 903a (espionage), 903b (aiding the enemy, including by providing intelligence).
148 See Dep’t of Navy v. Egan, 484 U.S. 518, 526-29 (1988). Federal courts may review constitutional challenges based
on the revocation of security clearance. Webster v. Doe, 486 U.S. 592 (1988).
149 Exec. Order No. 13,526 § 5.5(c) (“Sanctions may include reprimand, suspension without pay, removal, termination
of classification authority, loss or denial of access to classified information, or other sanctions in accordance with
applicable law and agency regulation.”).
Congressional Research Service

17

The Protection of Classified Information: The Legal Framework

classified information.150 Violators of the Espionage Act and the Atomic Energy Act provisions
may additionally be subject to loss of their retirement pay.151
Agencies also rely on contractual agreements with employees, who typically must sign
nondisclosure agreements prior to obtaining access to classified information,152 sometimes
agreeing to submit all materials that the employee desires to publish to a review by the agency.
The Supreme Court enforced such a contract against a former employee of the CIA, upholding
the government’s imposition of a constructive trust on the profits from a book the employee
sought to publish without first submitting it to CIA for review.153
In 1986, the Espionage Act was amended to provide for the forfeiture of any property derived
from or used in the commission of an offense that violates the Espionage Act.154 Violators of the
Atomic Energy Act may be subjected to a civil penalty of up to $100,000 for each violation of
Energy Department regulations regarding dissemination of unclassified information about nuclear
facilities.155
Under some circumstances, the government can also use injunctions to prevent disclosures of
information. In at least one instance, a court upheld an injunction against a former employee’s
publishing of information learned through access to classified information.156 The Supreme Court
also upheld the State Department’s revocation of passports for overseas travel by persons
planning to expose U.S. covert intelligence agents; the travel’s purpose was to disrupt U.S.
intelligence activities rather than to assist a foreign government.157
Declassification vs. Leaks and
“Instant Declassification”
As noted above, Executive Order 13,526 sets the official procedures for the declassification of
information. Once information is declassified, it may be released to persons without a security
clearance.158 Some argue the President has the authority to disclose classified information without

150 See 42 U.S.C. § 2282(b) (2017) (providing for fine of up to $100,000 for violation of Department of Energy security
regulations).
151 5 U.S.C. § 8312 (listing violations of 18 U.S.C. §§ 793, 798; 42 U.S.C. §§ 2272–2276; and 50 U.S.C. § 421, among
those for which forfeiture of retirement pay or annuities may be imposed).
152 See United States v. Marchetti, 466 F.2d 1309, 1311–13 (4th Cir.), cert. denied, 409 U.S. 1063 (1972) (enforcing
contractual nondisclosure agreement by former employee regarding “secret information touching upon the national
defense and the conduct of foreign affairs” obtained through employment with CIA).
153 See Snepp v. United States, 444 U.S. 507 (1980) (per curiam); see also Alan E. Garfield, Promises of Silence:
Contract Law and Freedom of Speech
, 83 CORNELL L. REV. 261, 274 (1998) (noting the remedy in Snepp was enforced
despite the agency’s stipulation that the book did not contain any classified information). The Justice Department in
2020 obtained a judgment of approximately $5.2 million dollars against Edward Snowden for a book and multiple
public speeches without submitting the materials for prepublication review in accordance with a non-disclosure
agreement. Department of Justice, United States Obtains Final Judgment and Permanent Injunction Against Edward
Snowden
(Oct. 1, 2020), https://www.justice.gov/opa/pr/united-states-obtains-final-judgment-and-permanent-
injunction-against-edward-snowden.
154 See 18 U.S.C. §§ 793(h), 794(d), 798(d).
155 42 U.S.C. § 2168(b).
156 See Marchetti, 466 F.2d at 1311 (affirming an injunction to prevent a former CIA agent from publishing a book
disclosing government secrets).
157 See Haig v. Agee, 453 U.S. 280, 310 (1981).
158 See generally Report of the Commission on Protecting and Reducing Government Secrecy, S. DOC. NO. 105-2, ch. 3
Congressional Research Service

18

The Protection of Classified Information: The Legal Framework

going through the established procedures for declassification.159 Leaks, by contrast, might be
defined as the release of classified information to persons without a security clearance, often
journalists. In 2012, some allegedly high-profile leaks of information regarding sensitive covert
operations in news stories that seemed to some to portray the Obama Administration in a
favorable light160 raised questions regarding the practice of “instant declassification,” or whether
disclosure of classified information to journalists may ever be said to be an “authorized
disclosure” by a senior official.
The processes for declassification set forth in Executive Order 13,526 seem to presuppose that
agencies and classifying officials will not have any need or desire to disclose classified
information in their possession other than to comply with the regulations, but there seems to be an
informal process for “instant declassification” of information whose release to the public serves
an immediate need.161 Representative William Moorhead, at the time chairman of the Foreign
Operations and Government Information Subcommittee of the House Government Operations
Committee, stated in 1974:
Critics of the present system of handling classified information within the Executive
Branch point to an obvious double standard. On one hand, the full power of the
Government’s legal system is exercised against certain newspapers for publishing portions
of the Pentagon Papers and against someone like Daniel Ellsberg for his alleged role in
their being made public. This is contrasted with other actions by top Executive officials
who utilize the technique of “instant declassification” of information they want leaked.
Sometimes it is an “off-the-record” press briefing or “backgrounders” that becomes “on-
the-record” at the conclusion of the briefing or at some future politically strategic time.
Such Executive Branch leaks may be planted with friendly news columnists. Or, the
President himself may exercise his prerogative as Commander in Chief to declassify
specific information in an address to the Nation or in a message to the Congress seeking
additional funds for a weapons system.162
Executive Order 13,526 does not address an informal procedure for releasing classified
information. Section 1.1 of the Order provides that “[c]lassified information shall not be
declassified automatically as a result of any unauthorized disclosure of identical or similar
information,” but does not address what happens in the event of a disclosure that was in fact
authorized. By definition, classified information is designated as classified based on whether its
unauthorized disclosure can reasonably be expected to cause a certain level of damage to national

(1997), https://www.govinfo.gov/app/details/GPO-CDOC-105sdoc2/context.
159 Jack Goldsmith, Can Trump Sell U.S. National Security Secrets with Impunity? LAWFARE (Oct. 31, 2020, 10:28
AM), https://www.lawfareblog.com/can-trump-sell-us-national-security-secrets-impunity.
160 See National Security Leaks and the Law: Hearing Before the Subcomm. on Crime, Terrorism & Homeland Sec. of
the H. Comm. on the Judiciary
, 112th Cong. 1–2 (2012) (statement of Rep. Sensenbrenner) (citing Obama Order Sped
Up Wave of Cyberattacks Against Iran
, N.Y. TIMES, June 1, 2012, at A1; Secret ‘Kill List’ Proves a Test of Obama’s
Principles and Will
, N.Y. TIMES, May 29, 2012, at A1; Stuxnet Was the Work of U.S. and Israeli Experts, Officials Say,
WASH. POST, June 2, 2012).
161 William S. Moorhead, Operation and Reform of the Classification System in the United States 90, in SECRECY AND
FOREIGN POLICY (Thomas M. Franck & Edward Weisband eds., 1974).
162 Id. For an account of notable government leaks in the 1970s, see id. at 89; Information Security: Classification of
Government Documents
, 85 HARV. L. REV. 1189, 1206–07 (1972). For a more recent chronology of government leaks,
see Mary-Rose Papandrea, Lapdogs, Watchdogs, and Scapegoats: The Press and National Security Information, 83
IND. L.J. 233, 251–53 (2008) (quoting various high-level officials who admitted to leaking information in order to
generate public support for a program or to promote some other political or bureaucratic agenda); David E. Pozen, The
Leaky Leviathan: Why the Government Condemns and Condones Unlawful Disclosures of Information
, 127 HARV. L.
REV. 512, 559 (2013) (discussing “[p]lanting,” or authorized leaking, as a “critical policymaking and communications
tool”).
Congressional Research Service

19

The Protection of Classified Information: The Legal Framework

security.163 This definition may be read to suggest that disclosures may be authorized under such
circumstances when no damage to national security is reasonably expected. Nothing in the order
provides explicit authority to release classified information that exists apart from the authority to
declassify, but it is possible that such discretionary authority is recognized to release information
outside the community of authorized holders without formally declassifying it.
Part 4 of Executive Order 13,526 describes safeguarding of classified information from
unauthorized disclosure164 and preventing access to such information by “unauthorized
persons.”165 Most of the provisions appear to envision classified documents or communications
and storage devices used for classified information rather than the spoken word. Section 4.1(g)
requires agency heads and the DNI to “establish controls to ensure that classified information is
used, processed, stored, reproduced, transmitted, and destroyed under conditions that provide
adequate protection and prevent access by unauthorized persons.” If “transmitted” is interpreted
to include oral dissemination and “unauthorized persons” is interpreted to mean persons who do
not meet the criteria set forth in Section 4.1(a),166 then it would seem that agency heads who
approve leaks could be in breach of their responsibilities under the Order.
There is also provision for “emergency disclosure” of classified information “when necessary to
respond to an imminent threat to life or in defense of the homeland” to “an individual or
individuals who are otherwise not eligible for access.”167 Section 4.2(b) provides that such
disclosures must be in accordance with implementing regulations or procedures the classifying
agency implements; must be undertaken in such a way as to minimize the information disclosed
and the number of individuals who receive it; and must be reported promptly to the originator.
Information disclosed under this provision is not deemed to be declassified. The existence of this
provision could be read to cut against an interpretation that permits selected release of classified
information to reporters for broader dissemination. However, it could also be read to allow a
different procedure by which an agency head, who is the original classifying authority for the
information at issue, might simply authorize remarks to the press that reference classified
information in such a way as to minimize harm to national security.
As a practical matter, however, there is seemingly little to stop agency heads and other high-
ranking officials from releasing classified information to persons without a security clearance
when it is seen as suiting government needs. The Attorney General has prosecutorial discretion to
choose which leaks to prosecute.168 If, in fact, a case could be brought that a senior official has
disclosed or authorized the disclosure of classified information, successful prosecution under
current laws may be difficult because the scienter requirement is not likely to be met. The
Espionage Act of 1917, for example, requires proof that the discloser has the intent or reason to

163 Exec. Order No. 13,526 § 1.2.
164 “Unauthorized disclosure” means “a communication or physical transfer of classified information to an
unauthorized recipient.” Id. § 6.1(rr). “Unauthorized” recipient is not defined.
165 Id. § 4.1(f).
166 Id. § 4.1(a). The criteria are (1) a favorable determination of eligibility for access has been made by an agency head
or the agency head’s designee; (2) the person has signed an approved nondisclosure agreement; and (3) the person has a
need-to-know the information. A person who meets these criteria is defined as an “authorized holder” under the
definitions section of the Order, id. § 6.1(c).
167 Id. § 4.2(b).
168 See Memorandum from the Acting Attorney General on Interim Guidance on Prosecutorial Discretion, Charging,
and Sentencing
(Jan. 29, 2021), https://www.justice.gov/ag/page/file/1362411/download. The Assistant Attorney
General of the National Security Division is generally responsible for decisions regarding the prosecution of national
security crimes. U.S. Dep’t of Just., Just. Manual § 9-90.010 (2020), https://www.justice.gov/jm/jm-9-90000-national-
security#9-90.100.
Congressional Research Service

20

The Protection of Classified Information: The Legal Framework

believe the information will be used against the United States or to the benefit of a foreign
nation.169 Although the nature and sensitivity of the information that was released are elements for
the jury to decide,170 knowledge that the information is classified may be enough to persuade a
court that damage to national security can be expected.171 However, in the event the disclosure
was made or authorized by a person who has the authority to make such determinations—as to
whether the information will be used against the United States or to the benefit of a foreign
nation—it may be that such deference would potentially result in not meeting the scienter
requirement absent some proof of ill intent. For example, a belief on the part of a lower level
official that a particular disclosure was authorized could serve as an effective defense to any
prosecution, and could entitle the defendant to depose high level government officials in
preparation for his or her defense.
Executive branch policy appears to treat an official disclosure as a declassifying event, while non-
attributed disclosures have no effect on the classification status of the information.172 For
example, the DOD instructs agency officials, in the event that classified information appears in
the media, to neither confirm nor deny the accuracy of the information.173 The Under Secretary of
Defense for Intelligence is then advised to “consult with the Assistant Secretary of Defense for
Public Affairs and other officials having a primary interest in the information to determine if the
information was officially released under proper authority.”174 The regulation does not clarify
what happens in the event the disclosure turns out to have been properly authorized. It appears no
further action need be taken, whether to inform employees that the information no longer needs to
be protected or to make annotations in classified records to reflect the newly declassified status of
the information. In any event, any documents that contain that information potentially contain
other classified information as well, in which case each such document would retain the highest
level of classification applicable to information in the document. Thus, it seems unlikely that the
authorized disclosure of classified information to the media would often result in the public
release of any records.
The Intelligence Authorization Act for FY2013, Section 504 requires a government official who
approves a disclosure of classified information to the media, or to another person for publication,
to first report the decision and other matters related to the disclosure to the congressional
intelligence committees.175 The provision applies to “national intelligence or intelligence related
to national security” that is classified or has been declassified for the purpose of making the
disclosure, where the disclosure is made by a government officer, employee, or contractor.
According to the original committee report, the reporting is intended to keep the intelligence

169 18 U.S.C. § 793. For more information about criminal laws proscribing leaks, see CRS Report R41404, Criminal
Prohibitions on Leaks and Other Disclosures of Classified Defense Information
, by Stephen P. Mulligan and Jennifer
K. Elsea. The level of knowledge required to prove an offense depends on the type of information alleged to have been
disclosed, and it is not necessarily a crime to disclose information merely because it is classified. See id.
170 See United States v. Morison, 844 F.2d 1057, 1073 (4th Cir.), cert. denied, 488 U.S. (1988) (upholding conviction
under 18 U.S.C. § 793 for delivery of classified photographs to publisher). Whether the information is “related to the
national defense” under this meaning is a question of fact for the jury to decide. Id.
171 See United States v. Kiriakou, 898 F. Supp. 2d 921, 925 (E.D. Va. 2012) (noting that defendant was a “government
employee trained in the classification system who could appreciate the significance of the information he allegedly
disclosed”). The court noted that the potentially damaging nature of intangible information due to its disclosure can
largely be inferred from the fact that information is classified. Id. at 921.
172 Exec. Order No. 13,526 § 1.1(c).
173 DOD Manual 5200.01, Vol. 3, Encl. 6, § 7(a).
174 Id. § 7(d).
175 Pub. L. No. 112-277, § 504, 126 Stat. 2468, 2477 (2013).
Congressional Research Service

21

link to page 7 The Protection of Classified Information: The Legal Framework

committees apprised of expected media disclosures of relevant classified information and to assist
in distinguishing between “authorized disclosures” and “unauthorized leaks.”176 Originally
scheduled to sunset after a year, the provision was made permanent in the Intelligence
Authorization Act for Fiscal Year 2014.177 Any reports to Congress of authorized disclosures
submitted pursuant to this provision apparently are classified.178
Special Considerations for the President
The President, as the head of the executive branch and commander in chief, has the responsibility
to protect national security information,179 which necessarily includes the authority to declassify
or downgrade information classified pursuant to the President’s Executive Order.180 Whether the
President is bound to comply with processes set forth in the Executive Order for declassification,
or any other procedure for declassification, is the subject of debate, especially following President
Trump’s claim, after leaving office, that Presidents have the authority to declassify information
without following any specific procedure or notifying others.181 In a 2020 decision, the U.S.
Court of Appeals for the Second Circuit appears to disagree, stating, in the FOIA context, that
“declassification, even by the President, must follow established procedures.”182 The court held
that a FOIA litigant seeking to demonstrate that information had been declassified by presidential
disclosure must show “first, that [the President’s] statements are sufficiently specific; and second,
that such statements subsequently triggered actual declassification.”183
While there does not seem to be one established procedure for presidential declassification of
national security information, examples from recent decades seem to demonstrate that Presidents
have sometimes formally ordered a declassification review by the relevant agency or agencies,184
and have typically consulted with agency heads before ordering information downgraded or
declassified. After President George W. Bush released a portion of his August 6, 2001,

176 S. REP. NO. 112-192 (2012).
177 Pub. L. No. 113-126, § 328, 128 Stat. 1390, 1405 (2014) (codified at 50 U.S.C. § 3349).
178 See Steven Aftergood, Report on Disclosures to the Media is Classified, FED’N AM. SCIENTISTS: SECRECY NEWS
(Oct. 9, 2014) (describing rejection of FOIA request for reports of authorized disclosures), https://fas.org/blogs/secrecy/
2014/10/authorized-disclosures/.
179 Dep’t of the Navy v. Egan, 484 U.S. 518, 527 (1988) (explaining constitutional basis of the President’s authority to
“classify and control access to information bearing on national security”); see also McGahn Letter, supra note 24, at 2
(“As the Supreme Court has recognized, it is the President’s responsibility to classify, declassify, and control access to
information bearing on our intelligence sources and methods and national defense.”) (citing Egan, 484 U.S. at 527).
180 Exec. Order No. 13,526 § 3.1.
181 See Julian Mark, Trump says presidents can declassify docs ‘even by thinking about it’, WASH. POST (Sept. 22,
2022), https://www.washingtonpost.com/national-security/2022/09/22/trump-hannity-declassify-documents/. For an
overview of criminal laws potentially at issue regarding the former President’s retention of documents at his Palm
Beach resort, see CRS Legal Sidebar LSB10810, The Mar-a-Lago Search Warrant: A Legal Introduction, by Stephen
P. Mulligan et al.
182 New York Times v. CIA, 965 F.3d 109, 123 (2d Cir. 2020).
183 Id. at 122.
184 See, e.g., Exec. Order No. 12,812 § 1, 57 Fed. Reg. 32879 (July 22, 1992) (“All executive departments and agencies
shall expeditiously review all documents, files, and other materials pertaining to American POWs and MIAs lost in
Southeast Asia for the purposes of declassification in accordance with the standards and procedures of Executive Order
No. 12356.”); Exec. Order No. 14,040 § 2, 86 Fed. Reg. 50439 (Sept. 3, 2021) (directing “[t]he Attorney General and
the heads of any other executive departments and agencies (agencies) that originated relevant information [to] complete
declassification reviews” of all responsive documents relevant to the September 11, 2001 attacks).
Congressional Research Service

22

link to page 7 The Protection of Classified Information: The Legal Framework

presidential daily intelligence brief (PDB) warning of Osama bin Laden’s intent to attack the
United States, a White House press briefing described the declassification process as follows:
While the President has the ultimate constitutional authority over the classification of
information, the Director of Central Intelligence has statutory responsibility to safeguard
intelligence sources and methods, and is one of the officials to whom authority to declassify
information is delegated by executive order. The President authorized, and Dr. Rice
requested, that the DCI review this PDB item to determine whether, in his judgment,
declassification and release of this item would damage intelligence sources and methods,
and is releasable in light of the relevant provisions of Executive Order on Classification
and Declassification of Information.
The DCI has advised Dr. Rice in writing that he has made the required determination and
has, in fact, declassified the PDB item. . . . . The DCI determined that three specific items
of information—the names of foreign intelligence or security services—must be redacted
in order to protect intelligence sources and methods. Those items are replaced with black
on the declassified and released version of the PDB you have.
The other redactions on the released version are the original classification of the document
as “Top Secret.” As the DCI’s written declassification order states, this declassification
and release “shall not be deemed to constitute any precedent concerning any future
declassification or release of any other PDB.”185
In response to litigation, President Obama ordered the declassification of four revoked Office of
Legal Counsel (OLC) memoranda analyzing the CIA’s enhanced interrogation program after
consultation with the Attorney General, the DNI, and others (presumably the Director of Central
Intelligence), with the President concluding that “exceptional circumstances surround these
memos and require their release.”186 The DOJ subsequently released the memoranda.187
Examples from the Trump Administration further illustrate the process for declassifying
information.188 On the day before leaving office in 2021, President Trump issued a memorandum
declassifying materials related to the FBI’s Crossfire Hurricane investigation following a
declassification review and after accepting redactions suggested by the FBI.189 President Trump

185 Press Release, White House, Background Briefing Via Conference Call on the President’s PDB of August 6, 2001
(Apr. 10, 2004), https://nsarchive2.gwu.edu/NSAEBB/NSAEBB116/background.htm.
186 Press Release, White House, Statement of President Barack Obama on Release of OLC Memos (Apr. 16, 2009),
https://obamawhitehouse.archives.gov/realitycheck/the-press-office/statement-president-barack-obama-release-olc-
memos; see also Mark Mazzetti & Scott Shane, Interrogation Memos Detail Harsh Tactics by the C.I.A., N.Y. TIMES
(Apr. 16, 2009), https://www.nytimes.com/2009/04/17/us/politics/17detain.html.
187 Press Release, U.S. Dep’t of Justice, Department of Justice Releases Four Office of Legal Counsel Opinions (Apr.
16, 2009), https://www.justice.gov/opa/pr/department-justice-releases-four-office-legal-counsel-opinions.
188 See, e.g., McGahn Letter, supra note 24, at 2 (asserting that President Trump “directed lawyers and national security
staff to assess the [House Permanent Select Committee on Intelligence] declassification request, consistent with
established standards governing the handling of classified information, including those under Section 3.1(d) of
Executive Order 13526. Those standards permit declassification when the public interest in disclosure outweighs any
need to protect the information. The White House review process also included input from the Office of the Director of
National Intelligence and the Department of Justice.”); Matt Zapotosky et al., Trump orders Justice Dept. to declassify
Russia-related material
, WASH. POST (Sept. 17, 2018) https://www.washingtonpost.com/world/national-security/trump-
orders-justice-dept-to-declassify-russia-related-material/2018/09/17/661b7c78-bac1-11e8-9812-
a389be6690af_story.html (quoting DOJ statement asserting that “When the President issues [a declassification order],
it triggers a declassification review process that is conducted by various agencies within the intelligence community, in
conjunction with the White House Counsel, to seek to ensure the safety of America’s national security interests”).
189 Memorandum from President Donald J. Trump on Declassification of Certain Materials Related to the FBI’s
Crossfire Hurricane Investigation
(Jan. 19, 2021), https://trumpwhitehouse.archives.gov/presidential-
actions/memorandum-declassification-certain-materials-related-fbis-crossfire-hurricane-investigation/ (describing
Congressional Research Service

23

link to page 26 The Protection of Classified Information: The Legal Framework

also directed the DOJ to conduct a declassification review with respect to certain documents
related to the investigation of Russian interference in the 2016 election, although it is not clear
whether the order was ever put into writing.190 President Biden ordered the downgrading and
declassification of intelligence information pertaining to Russia’s plans to invade and wage war
in Ukraine as a strategy to undermine Russia’s plans.191
There have also been reported examples of less formal presidential releases of classified
information. For example, in 2003, President Bush reportedly declassified information from a
National Intelligence Estimate to rebut Iraq war critics by directing Vice President Cheney to “get
out” the information, presumably by disclosing it to media outlets.192 President Trump publicly
released a classified satellite photograph of an explosion at an Iranian launch site, claiming he had
the “absolute right” to do so,193 thereby declassifying it.194
Former Presidents do not automatically receive access to classified national security information,
although most have continued to receive intelligence briefings after their term in office ends.195 It
is up to the incumbent President to decide whether to provide classified information to a former
President.196 Agency heads may also permit former Presidents to have access to classified
information under their purview by waiving the ordinary need-to-know requirement after
determining that the disclosure is in the national security interest and that the classified
information will be protected from unauthorized disclosure and will be properly stored.197
Insider Threat Risk Management
In October 2011 President Obama issued Executive Order 13,587, “Structural Reforms to
Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of

declassification review and ordering declassification of certain documents with redactions requested by the FBI).
190 Press Release, White House Office of the Press Secretary, Statement from the Press Secretary (Sept. 17, 2018),
https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-34/; Zapotosky et al., supra note
188.
191 Dan De Luce, CIA Director Defends Declassifying Intel To Expose Russia’s Actions In Ukraine, NBC NEWS (Sept.
8, 2022) https://www.nbcnews.com/politics/national-security/cia-director-burns-defends-declassifying-intel-expose-
russias-actions-rcna46876 (quoting CIA Director William Burns that the strategy “has been carried out in a carefully
calibrated way designed to protect intelligence sources”).
192 Source: Bush Didn’t Specify Libby Should Leak, NBC NEWS (Apr. 6, 2006),
https://www.nbcnews.com/id/wbna12187153 (reporting that the White House stated the information had been
declassified but declined to provide details about the declassification process).
193 Geoff Brumfiel, Trump Tweets Sensitive Surveillance Image of Iran, NPR (Aug. 30, 2019),
https://www.npr.org/2019/08/30/755994591/president-trump-tweets-sensitive-surveillance-image-of-iran.
194 Sophia Ankel, Trump Declared He Could ‘Declassify Anything’ When Officials Tried To Stop Him Tweeting A Top-
Secret Intel Briefing In 2019, Report Says
, BUS. INSIDER (Aug. 17, 2022), https://www.businessinsider.com/trump-said-
he-could-declassify-anything-2019-intel-briefing-report-2022-8 (quoting former National Security Advisor John
Bolton).
195 Susan M. Gordon, A Former President Trump Won’t ‘Need To Know.’ Cut Off His Intelligence, WASH. POST (Jan.
15, 2021), https://www.washingtonpost.com/opinions/sue-gordon-trump-intelligence-briefings-former-
president/2021/01/15/94b15c72-5747-11eb-a817-e5e7f8a406d6_story.html (asserting “[e]very former president in the
modern era has benefited from a unique national security perk after leaving the White House: routine intelligence
briefings and access to classified information to support his continued involvement in advancing America’s interests.”).
196 David E. Sanger, Biden Bars Trump From Receiving Intelligence Briefings, Citing ‘Erratic Behavior’, N.Y. TIMES
(Feb. 5, 2021), https://www.nytimes.com/2021/02/05/us/politics/biden-trump-intelligence-briefings.html.
197 Exec. Order No. 13,526 § 4.4.
Congressional Research Service

24

link to page 21 link to page 21 The Protection of Classified Information: The Legal Framework

Classified Information.”198 Among other measures, it established an interagency Insider Threat
Task Force with a mandate to
develop a Government-wide program (insider threat program) for deterring, detecting, and
mitigating insider threats, including the safeguarding of classified information from
exploitation, compromise, or other unauthorized disclosure, taking into account risk levels,
as well as the distinct needs, missions, and systems of individual agencies. This program
shall include development of policies, objectives, and priorities for establishing and
integrating security, counterintelligence, user audits and monitoring, and other
safeguarding capabilities and practices within agencies.199
President Obama issued the resulting policy and minimum standards for agencies in
implementing their own insider threat programs in November 2012.200
Concerned about WikiLeaks and other disclosures of classified information by those with access,
the 112th Congress held at least two hearings on the topic of unauthorized disclosures of
classified information.201 Congress also passed a measure as part of the National Defense
Authorization Act for FY2012 to require the DOD to establish a “program for information sharing
protection and insider threat mitigation for the information systems of the DOD to detect
unauthorized access to, use of, or transmission of classified or controlled unclassified
information.”202 The program is required to make use of both technology based solutions as well
as a “governance structure and process” to integrate these technologies into existing security
measures.203
As initially reported by the Senate Intelligence Committee, S. 3454 (112th Cong.) contained a
number of measures to address the disclosure of classified information by federal employees,
whether authorized or not, especially if the disclosure were to the media. Opposition to these
measures resulted in a manager’s amendment to the bill with all but the reporting provision
regarding authorized disclosures removed.204 Some of the measures that were eliminated from the
bill involved restrictions on media access to government officials. One was a prohibition on
federal officers, employees, and contractors who have security clearances, including some who
have left government service within the prior year, from entering into agreements with the media
to provide analysis or commentary on matters related to classified intelligence activities or
intelligence related to national security.205 Another would have limited the individuals authorized
to provide background or off-the-record information to the media regarding intelligence activities

198 Exec. Order No. 13,587, 76 Fed. Reg. 63811 (Oct. 7, 2011).
199 Id. § 6.1.
200 Press Release, White House Office of the Press Secretary, Presidential Memorandum from President Barack Obama
on National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (Nov. 21,
2012), https://obamawhitehouse.archives.gov/the-press-office/2012/11/21/presidential-memorandum-national-insider-
threat-policy-and-minimum-stand. The resulting standards are published at https://www.dni.gov/files/NCSC/
documents/nittf/National_Insider_Threat_Policy_Minimum_Standards.pdf.
201 National Security Leaks and the Law: Hearing Before the Subcomm. on Crime, Terrorism & Homeland Sec. of the
H. Comm. on the Judiciary
, 112th Cong. (2012); Disclosures of National Security Information and Impact on Military
Operations:
Hearing Before the H. Comm. on Armed Servs., 112th Cong. (2012).
202 Pub. L. No. 112-81, § 922, 125 Stat. 1298, 1537 (2011) (codified at 10 U.S.C. § 2224 note).
203 The Government Accountability Office (GAO) issued an assessment of DOD’s implementation of its Insider Threat
Program in 2015. U.S. GOV’T ACCOUNTABILITY OFF., GAO 15-544, INSIDER THREATS: DOD SHOULD STRENGTHEN
MANAGEMENT AND GUIDANCE TO PROTECT CLASSIFIED INFORMATION AND SYSTEMS (2015).
204 The bill was enacted in January 2013 as Public Law No. 112-277, § 504. See supra “Declassification vs. Leaks and
“Instant Declassification””
for an explanation of the reporting provision.
205 S. 3454, 112th Cong. § 505 (as reported).
Congressional Research Service

25

The Protection of Classified Information: The Legal Framework

to the Director and Deputy Directors or their equivalents of each agency and designated public
affairs officers.206 Another would have required the DNI to prescribe regulations regarding the
interaction of cleared personnel with the media.207 Such persons would have been required to
report all contacts with the media to the appropriate security office.208 Also eliminated was a
prohibition on federal officers, employees, and contractors from possessing a security clearance
after having made any unauthorized disclosure regarding the existence of, or classified details
relating to, a covert action as defined in 50 U.S.C. § 413(b) (now classified at 50 U.S.C.
§ 3091).209
The insider threat issue was revisited in the Intelligence Authorization Act for FY2016, and
passed as Division M of the Consolidated Appropriations Act 2016.210 Section 306 added a
requirement to Title 5, U.S. Code, for the DNI to direct agencies to each establish an “enhanced
personnel security program” to integrate a broader data set into reassessments of the continuing
eligibility of personnel to hold security clearances or sensitive positions. Specifically,
The enhanced personnel security program of an agency shall integrate relevant and
appropriate information from various sources, including government, publicly available
and commercial data sources, consumer reporting agencies, social media and such other
sources as determined by the Director of National Intelligence.211
The provision requires the agency programs to conduct random automated record checks of the
selected sources of data at least twice within a five-year period for each covered person, unless
that individual is subject to more frequent reviews.212 The deadline to implement the programs is
five years after enactment (December 15, 2020) or the date on which the backlog of overdue
periodic reinvestigations is eliminated, as determined by DNI.213 In 2019, Congress directed the
DNI and IC agency heads to develop policies to comply with the National Insider Threat Policy
and Minimum Standards for Executive Branch Insider Threat Programs.214
With respect to the backlog of security clearance adjudications, ODNI reported in 2022 that the
COVID-19 pandemic minimally impacted pending and completed cases.215 Going forward, ODNI
stated that Executive Branch departments and agencies (D/As) will not routinely conduct periodic
reinvestigations, which is forecast to help D/As “consistently maintain a steady state of pending
cases in order to reach the established timeliness goals related to security clearance
adjudications.”216

206 Id. § 506.
207 Id. § 507.
208 Id.
209 Id. § 512.
210 Pub. L. No. 114-113, 129 Stat. 2242, 2244 (2015) (codified at 50 U.S.C. § 11001).
211 5 U.S.C. § 11001(b)(1).
212 Id. § 11001(c).
213 Id. § 11001(a).
214 National Defense Authorization Act for Fiscal Year 2020, Pub. L. No. 116-92, div. E, tit. LXIII, § 6314, 133 Stat.
1198, 2194 (2019) (codified at 50 U.S.C. § 3024 note).
215 OFFICE OF THE DIRECTOR OF NAT’L INTELLIGENCE, BACKLOG OF PERSONNEL SECURITY CLEARANCE ADJUDICATIONS –
FISCAL YEAR 2020 QUARTERS 2, 3, AND 4 (Feb. 2022), https://www.odni.gov/files/NCSC/documents/Regulations/02-
17-22_Report_CDA%2012-49-2020_20-00729_Backlog_of_Personnel_Security_Clearance_Adjudications.pdf.
216 Id. at 2.
Congressional Research Service

26

The Protection of Classified Information: The Legal Framework


Author Information

Jennifer K. Elsea

Legislative Attorney



Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan
shared staff to congressional committees and Members of Congress. It operates solely at the behest of and
under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other
than public understanding of information that has been provided by CRS to Members of Congress in
connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not
subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in
its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or
material from a third party, you may need to obtain the permission of the copyright holder if you wish to
copy or otherwise use copyrighted material.

Congressional Research Service
RS21900 · VERSION 20 · UPDATED
27