Congressional Record: September 28, 2006 (Senate)
Page S10463-S10471


 
          STATEMENT ON INTRODUCED BILLS AND JOINT RESOLUTIONS


      By Mr. AKAKA (for himself and Mr. Lautenberg):
  S. 3968. A bill to affirm the authority of the Comptroller General to 
audit and evaluate the programs, activities, and financial transactions 
of the intelligence community, and for other purposes; to the Select 
Committee on Intelligence.
  Mr. AKAKA. Mr. President, I rise to introduce ``The Intelligence 
Community Audit Act of 2006,'' with Senator Lautenberg which would 
reaffirm the Comptroller General of the United States and head of the 
Government Accountability Office's, GAO, authority to audit the 
financial transactions and evaluate the programs and activities of the 
intelligence community (IC). Representative Bennie Thompson, ranking 
member of the House Homeland Security Committee, is introducing similar 
legislation.
  The bill Senator Lautenberg and I offer today is in keeping with 
legislation introduced in 1987 by Senator John Glenn, the former 
chairman of the Governmental Affairs Committee, to ensure more 
effective oversight of the Central Intelligence Agency (CIA) in the 
wake of the Iran-Contra scandal.

[[Page S10464]]

  The need for greater oversight and availability of information to 
appropriate congressional committees is not new. What is new is that 
Congress does not have the luxury of failure in this era of terrorism. 
Failure brings terrible consequence.
  Since 9/11, effective oversight is needed now more than ever for two 
very basic reasons: First, intelligence reforms have spawned new 
agencies with new intelligence functions demanding even more inter-
agency cooperation. The Congress needs to ensure that these agencies 
have the assets, resources, and capability to do their job in 
protecting our national security. However, now the Congress cannot do 
its job properly, in part, because its key investigative arm, the 
Government Accountability Office, is not given adequate access to the 
intelligence community, led by the Director of National Intelligence 
(DNI).
  Moreover, intelligence oversight is no longer the sole purview of the 
Senate and House intelligence committees. Other committees have 
jurisdiction over such departments as Homeland Security, State, 
Defense, Justice, Energy, and even Treasury and Commerce, which, in 
this war on terrorism, have intelligence collection and sharing 
responsibilities. Nor is the information necessary for these committees 
to exercise their oversight responsibilities restricted to the two 
intelligence committees as their organizing resolutions make clear. 
Unfortunately, the intelligence community stonewalls the GAO when 
committees of jurisdiction request that GAO investigate problems 
despite the clear responsibility of Congress to ensure that these 
agencies are operating effectively to protect America.
  This is not always the case. Some agencies recognize the valuable 
contribution that GAO makes in improving the quality of our 
intelligence. As Lieutenant General Lew Allen, Jr., then Director of 
the National Security Agency (NSA), observed in testimony before the 
Senate Select Committee To Study Governmental Operations With Respect 
To Intelligence Activities, on October 29, 1975: ``Another feature of 
congressional review is that since 1955 resident auditors of the 
General Accounting Office have been assigned at the Agency to perform 
on-site audits. Additional GAO auditors were cleared for access in 
1973, and GAO, in addition to this audit, is initiating a classified 
review of our automatic data processing functions.'' Not surprisingly, 
this outpost of the GAO still exists at the NSA.
  Second, and equally important, is the inability of Congress to ensure 
that unfettered intelligence collection does not trample civil 
liberties. New technologies and new personal information data bases 
threaten our individual right to a secure private life, free from 
unlawful government invasion. The Congress must ensure that private 
information being collected by the intelligence community is not 
misused and is secure.
  Over 30 years ago, Senator Charles Percy urged Congress to ``act now 
to gain control over the Government's dangerously proliferating police, 
investigative, and intelligence activities.'' He noted that ``we find 
ourselves threatened by the specter of a `watchdog' Government, 
breeding a nation of snoopers.''
  The privacy concerns expressed by our former colleague have become 
vastly more complicated. As I have noted, the institutional landscape 
has become littered with new intelligence agencies with ever-increasing 
demands and responsibilities on law enforcement at every level of 
government since the establishment of the Department of Homeland 
Security and the passage of the Intelligence Reform and Terrorism 
Prevention Act of 2004. They have the legitimate mission to protect the 
country against potential threats. Congress' role is to ensure that 
their mission remains legitimate.
  The intelligence community today consists of 19 different agencies or 
components: the Office of the Director of National Intelligence; 
Central Intelligence Agency; Department of Defense; Defense 
Intelligence Agency; National Security Agency; Departments of the Army, 
Navy, Marine Corps, and Air Force; Department of State; Department of 
Treasury; Department of Energy; Department of Justice; Federal Bureau 
of Investigation; National Reconnaissance Office; National Geospatial-
Intelligence Agency; Coast Guard; Department of Homeland Security, and 
the Drug Enforcement Administration.
  I ask unanimous consent that a memorandum prepared by the 
Congressional Research Service, entitled ``Congressional Intelligence 
Oversight,'' be included in the Record.
  As both House Rule 48 and Senate Resolution 400 establishing the 
intelligence oversight committees state, ``Nothing in this [charter] 
shall be construed as amending, limiting, or otherwise changing the 
authority of any standing committee of the [House/Senate] to obtain 
full and prompt access to the product of the intelligence activities of 
any department or agency of the Government relevant to a matter 
otherwise within the jurisdiction of such committee.''
  Despite this clear and unambiguous statement, the ability of non-
intelligence committees to obtain information, no matter how vital to 
improving the security of our Nation, has been restricted by the 
various elements of the intelligence community.
  Two recent incidents have made this situation disturbingly clear. At 
a hearing entitled ``Access Delayed: Fixing the Security Clearance 
Process, Part II,'' before the Subcommittee on Oversight of Government 
Management, the Federal Workforce, and the District of Columbia on 
which I serve as Ranking Member, on November 9, 2005, GAO was asked 
about steps it would take to ensure that the Office of Personnel 
Management (OPM), the Office of Management and Budget, and the 
intelligence community met the goals and objectives outlined in the OPM 
security clearance strategic plan. Fixing the security clearance 
process, which is on GAO's high-risk list, is essential to our national 
security. But as GAO observed in a written response to a question 
raised by Senator Voinovich, ``while we have the authority to do such 
work, we lack the cooperation we need to get our job done in that 
area.'' The intelligence community is blocking GAO's work in this 
essential area.
  A similar case arose in response to a GAO investigation for the 
Senate Homeland Security Committee and the House Government Reform 
Committee on how agencies are sharing terrorism-related and sensitive 
but unclassified information. The report, entitled ``Information 
Sharing, the Federal Government Needs to Establish Policies and 
Processes for Sharing Terrorism-Related and Sensitive but Unclassified 
Information'' (GAO-06-385), was released in March 2006.
  At a time when Congress is criticized by members of the 9-11 
Commission for failing to implement its recommendations, we should 
remember that improving terrorism information sharing among agencies 
was one of the critical recommendations of the 9-11 Commission. 
Moreover, the Intelligence Reform and Terrorism Prevention Act of 2004 
mandated the sharing of terrorism information through the creation of 
an Information Sharing Environment. Yet, when asked by GAO for comments 
on the GAO report, the Office of the Director of National Intelligence 
refused, stating that ``the review of intelligence activities is beyond 
GAO's purview.''
  However, as a Congressional Research Service memorandum entitled 
``Overview of `Classified' and `Sensitive but Unclassified' 
Information,'' concludes, ``it appears that pseudo-classification 
markings have, in some instances, had the effect of deterring 
information sharing for homeland security.'' I ask unanimous consent 
that the memo be printed in the Record following my remarks.
  Unfortunately I have more examples, that predate the post 9-11 
reforms. Indeed, in July 2001, in testimony entitled ``Central 
Intelligence Agency, Observations on GAO Access to Information on CIA 
Programs and Activities'' (GAO-01-975T) before the House Committee on 
Government Reform, the GAO noted, as a practical matter, ``our access 
is generally limited to obtaining information on threat assessments 
when the CIA does not perceives [sic] our audits as oversight of its 
activities.'' I ask consent that this testimony also be printed 
following my remarks.
  It is inconceivable that the GAO--the audit arm of the U.S. 
Congress--has been unable to conduct evaluations of the CIA for over 40 
years.

[[Page S10465]]

  If the GAO had been able to conduct basic auditing functions of the 
CIA, perhaps some of the problems that were so clearly exposed 
following the terrorist attacks in September 2001 would have been 
resolved. And yet, it is extraordinary that five years after 9-11 the 
same problems persist.
  Once more I refer to Senator Glenn's bill S. 1458, the ``General 
Accounting Office-Central Intelligence Agency Audit Act of 1987.'' On 
its introduction he said, ``in the long run, I believe carefully 
controlled GAO audits of CIA will lower the probability of future 
abuses of power, boost the credibility of CIA management, increase the 
essential public support the Agency's mission deserves, assist the 
Congress in conducting meaningful oversight, and in no way compromise 
the CIA mission.'' Unfortunately, S. 1458 did not become law, and 
nearly 20 years later, the CIA's apparent management challenges led to 
the creation of the Director of National Intelligence with the 
Intelligence Reform Act of 2004. If Senator Glenn's proposal made in 
1987 had been accepted, perhaps, again, some of the problems that 
became apparent with our intelligence agencies following 9-11 might 
never have occurred.
  I want to be clear that my legislation does not detract from the 
authority of the intelligence committees. In fact, the language makes 
explicit that the Comptroller General may conduct an audit or 
evaluation of intelligence sources and methods or covert actions only 
upon the request of the intelligence committees or at the request of 
the congressional majority or minority leaders. The measure also 
prescribes for the security of the information collected by the 
Comptroller General.
  However, my bill reaffirms the authority of the Comptroller General 
to conduct audits and evaluations--other than those relating to sources 
and methods, or covert actions--relating to the management and 
administration of elements of the intelligence community in areas such 
as strategic planning, financial management, information technology, 
human capital, knowledge management, information sharing, and change 
management for other relevant committees of the Congress.
  Attached is a detailed description of the legislation. I urge my 
colleagues to join me in supporting this legislation.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection the materials were ordered to be printed in 
the Record, as follows:

                               Congressional Research Service,

                               Washington, DC, September 14, 2006.
     Subject: Congressional Oversight of Intelligence.
     From: Alfred Cumming, Specialist in Intelligence and National 
         Security Foreign Affairs, Defense, and Trade Division.

       This memorandum examines the intelligence oversight 
     structure established by Congress in the 1970s, including the 
     creation of the congressional select intelligence committees 
     by the U.S. House of Representatives and the Senate, 
     respectively. It also looks at the intelligence oversight 
     role that Congress reserved for congressional committees 
     other than the intelligence committees; examines certain 
     existing statutory procedures that govern how the executive 
     branch is to keep the congressional intelligence committees 
     informed of U.S. intelligence activities; and looks at the 
     circumstances under which the two intelligence committees are 
     expected to keep congressional standing committees, as well 
     as both chambers, informed of intelligence activities.
       If I can be of further assistance, please call at 707-7739.

                               Background

       In the wake of congressional investigations into 
     Intelligence Community activities in the mid-1970s, the U.S. 
     Senate in 1976 created a select committee on intelligence to 
     conduct more effective oversight on a continuing basis. The 
     U.S. House of Representatives established its own 
     intelligence oversight committee the following year.
       Until the two intelligence committees were created, other 
     congressional standing committees--principally the Senate and 
     House Armed Services and Appropriations committees--shared 
     responsibility for overseeing the intelligence community. 
     Although willing to cede primary jurisdiction over the 
     Central Intelligence Agency (CIA) to the two new select 
     intelligence committees, these congressional standing 
     committees wanted to retain jurisdiction over the 
     intelligence activities of the other departments and agencies 
     they oversaw. According to one observer, the standing 
     committees asserted their jurisdictional prerogatives for two 
     reasons--to protect ``turf,'' but also to provide ``a hedge 
     against the possibility that the newly launched experiment in 
     oversight might go badly.''

             Intelligence Committees' Statutory Obligations

       Under current statute, the President is required to ensure 
     that the congressional intelligence committees are kept 
     ``fully and currently informed'' of U.S. intelligence 
     activities, including any ``significant anticipated 
     intelligence activity, and the President and the intelligence 
     committees are to establish any procedures as may be 
     necessary to carry out these provisions.
       The statute, however, stipulates that the intelligence 
     committees in turn are responsible for alerting the 
     respective chambers or congressional standing committees of 
     any intelligence activities requiring further attention. The 
     intelligence committees are to carry out this responsibility 
     in accordance with procedures established by the House of 
     Representatives and the Senate, in consultation with the 
     Director of National Intelligence, in order to protect 
     against unauthorized disclosure of classified information, 
     and all information relating to sources and methods.
       The statute stipulates that: ``each of the congressional 
     intelligence committees shall promptly call to the attention 
     of its respective House, or to any appropriate committee or 
     committees of its respective House, any matter relating to 
     intelligence activities requiring the attention of such House 
     or such committee or committees.''
       This provision was included in statute after being 
     specifically requested in a letter from then Senate Foreign 
     Relations Chairman Frank Church and Ranking Minority Member 
     Jacob Javits in an Apr. 30, 1980 letter to then-intelligence 
     committee Chairman Birch Bayh and Vice Chairman Barry 
     Goldwater.

          Intelligence Committee Obligations Under Resolution

       In an apparent effort to address various concerns relating 
     to committee jurisdiction, the House of Representatives and 
     the Senate, in the resolutions establishing each of the 
     intelligence committees, included language preserving 
     oversight roles for those standing committees with 
     jurisdiction over matters affected by intelligence 
     activities.
       Specifically, each intelligence committee's resolution 
     states that: ``Nothing in this [Charter] shall be construed 
     as prohibiting or otherwise restricting the authority of any 
     other committee to study and review any intelligence activity 
     to the extent that such activity directly affects a matter 
     otherwise within the jurisdiction of such committee.''
       Both resolutions also stipulate that:
       Nothing in this [charter] shall be construed as amending, 
     limiting, or otherwise changing the authority of any standing 
     committee of the [House/Senate] to obtain full and prompt 
     access to the product of the intelligence activities of any 
     department or agency of the Government relevant to a matter 
     otherwise within the jurisdiction of such committee.
       Finally, both charters direct that each intelligence 
     committee alert the appropriate standing committees, or the 
     respective chambers, of any matter requiring attention. The 
     charters state:
       The select committee, for the purposes of accountability to 
     the [House/Senate] shall make regular and periodic reports to 
     the [House/Senate] on the nature and extent of the 
     intelligence activities of the various departments and 
     agencies of the United States. Such committee shall promptly 
     call to the attention of the [House/Senate] or to any other 
     appropriate committee or committees of the [House/Senate] any 
     matters requiring the attention of the [House/Senate] or such 
     other appropriate committee or committees.

                         Cross-over Membership

       Both resolutions also direct that the membership of each 
     intelligence committee include members who serve on the four 
     standing committees that historically have been involved in 
     intelligence oversight. The respective resolutions designate 
     the following committees as falling in this category: 
     Appropriations, Armed Services, Judiciary, and the Senate 
     Foreign Relations Committee and the House International 
     Relations Committee.
       Although each resolution directs that such cross-over 
     members be designated, neither specifies whether cross-over 
     members are to play any additional role beyond serving on the 
     intelligence committees. For example, neither resolution 
     outlines whether cross-over members are to inform colleagues 
     on standing committees they represent. Rather, each 
     resolution directs only that the ``intelligence committee'' 
     shall promptly call such matters to the attention of standing 
     committees and the respective chambers if the committees 
     determine that they require further attention by those 
     entities.

                          Summary Conclusions

       Although the President is statutorily obligated to keep the 
     congressional intelligence committees fully and currently 
     informed of intelligence activities, the statute obligates 
     the intelligence committees to inform the respective 
     chambers, or standing committees, of such activities, if 
     either of the two committees determine that further oversight 
     attention is required.
       Further, resolutions establishing the two intelligence 
     committees make clear that the intelligence committees share 
     intelligence oversight responsibilities with other standing 
     committees, to the extent that certain intelligence 
     activities affect matters that fall under the jurisdiction of 
     a committee other than the intelligence committees.
       Finally, the resolutions establishing the intelligence 
     committees provide for the designation of ``cross-over'' 
     members representing certain standing committees that

[[Page S10466]]

     played a role in intelligence oversight prior to the 
     establishment of the intelligence committees in the 1970s. 
     The resolutions, however, do not specify what role, if any, 
     these ``cross-over'' members play in keeping standing 
     committees on which they serve informed of certain 
     intelligence activities. Rather, each resolution states that 
     the respective intelligence committee shall make that 
     determination.
                                  ____


             Congressional Research Service, July 18, 2006.


                               Memorandum

     Subject: Overview of ``Classified'' and ``Sensitive but 
         Unclassified'' Information
     From: Harold C. Relyea, Specialist in American National 
         Government, Government and Finance Division
       Prescribed in various ways, federal policies may require 
     the protection of, or a privileged status for, particular 
     kinds of information. This memorandum provides a brief 
     introduction to, and overview of, two categories of such 
     information policy. The first category is demarcated largely 
     in a single policy instrument--a presidential executive 
     order--with a clear focus and in considerable detail: the 
     classification of national security information in terms of 
     three degrees of harm the disclosure of such information 
     could cause to the nation, resulting in Confidential, Secret, 
     and Top Secret designations. The second category is, by 
     contrast with the first, much broader in terms of the kinds 
     of information it covers, to the point of even being nebulous 
     in some instances, and is expressed in various instruments, 
     the majority of which are non-statutory: the marking of 
     sensitive but unclassified (SBU) information for protective 
     management, although its public disclosure may be permissible 
     pursuant to the Freedom of Information Act (FOIA). These two 
     categories are reviewed in the discussion set out below.


                    Security Classified Information

       Current security classification arrangements, prescribed by 
     an executive order of the President, trace their origins to a 
     March 1940 directive issued by President Franklin D. 
     Roosevelt as E.O. 8381. This development was probably 
     prompted somewhat by desires to clarify the authority of 
     civilian personnel in the national defense community to 
     classify information, to establish a broader basis for 
     protecting military information in view of growing global 
     hostilities, and to manage better a discretionary power 
     seemingly of increasing importance to the entire executive 
     branch. Prior to this 1940 order, information had been 
     designated officially secret by armed forces personnel 
     pursuant to Army and Navy general orders and regulations. The 
     first systematic procedures for the protection of national 
     defense information, devoid of special markings, were 
     established by War Department General Orders No. 3 of 
     February 1912. Records determined to be ``confidential'' were 
     to be kept under lock, ``accessible only to the officer to 
     whom intrusted.'' Serial numbers were issued for all such 
     ``confidential'' materials, with the numbers marked on the 
     documents, and lists of same kept at the offices from which 
     they emanated. With the enlargement of the armed forces after 
     the entry of the United States into World War I, the registry 
     system was abandoned and a tripartite system of 
     classification markings was inaugurated in November 1917 with 
     General Orders No. 64 of the General Headquarters of the 
     American Expeditionary Force.
       The entry of the United States into World War II prompted 
     some additional arrangements for the protection of 
     information pertaining to the nation's security. Personnel 
     cleared to work on the Manhattan Project for the production 
     of the atomic bomb, for instance, in committing themselves 
     not to disclose protected information improperly, were 
     ``required to read and sign either the Espionage Act or a 
     special secrecy agreement,'' establishing their awareness of 
     their secrecy obligations and a fiduciary trust which, if 
     breached, constituted a basis for their dismissal.
       A few years after the conclusion of World War II, President 
     Harry S. Truman, in February 1950, issued E.O. 10104, which, 
     while superseding E.O. 8381, basically reiterated its text, 
     but added a fourth Top Secret classification designation to 
     existing Restricted, Confidential, and Secret markings, 
     making American information security categories consistent 
     with those of our allies. At the time of the promulgation of 
     this order, however, plans were underway for a complete 
     overhaul of the classification program, which would result in 
     a dramatic change in policy.
       E.O. 10290, issued in September 1951, introduced three 
     sweeping innovations in security classification policy. 
     First, the order indicated the Chief Executive was relying 
     upon ``the authority vested in me by the Constitution and 
     statutes, and as President of the United States'' in issuing 
     the directive. This formula appeared to strengthen the 
     President's discretion to make official secrecy policy: it 
     intertwined his responsibility as Commander in Chief with the 
     constitutional obligation to ``take care that the laws be 
     faithfully executed.'' Second, information was now classified 
     in the interest of ``national security,'' a somewhat new, but 
     nebulous, concept, which, in the view of some, conveyed more 
     latitude for the creation of official secrets. It replaced 
     the heretofore relied upon ``national defense'' standard for 
     classification. Third, the order extended classification 
     authority to nonmilitary entities throughout the executive 
     branch, to be exercised by, presumably, but not explicitly 
     limited to, those having some role in ``national 
     security'' policy.
       The broad discretion to create official secrets granted by 
     E.G. 10290 engendered widespread criticism from the public 
     and the press. In response, President Dwight D. Eisenhower, 
     shortly after his election to office, instructed Attorney 
     General Herbert Brownell to review the order with a view to 
     revising or rescinding it. The subsequent recommendation was 
     for a new directive, which was issued in November 1953 as 
     E.O. 10501. It withdrew classification authority from 28 
     entities, limited this discretion in 17 other units to the 
     agency head, returned to the ``national defense'' standard 
     for applying secrecy, eliminated the ``Restricted'' category, 
     which was the lowest level of protection, and explicitly 
     defined the remaining three classification areas to prevent 
     their indiscriminate use.
       Thereafter, E.G. 10501, with slight amendment, prescribed 
     operative security classification policy and procedure for 
     the next two decades. Successor orders built on this reform. 
     These included E.O. 11652, issued by President Richard M. 
     Nixon in March 1972, followed by E.O. 12065, promulgated by 
     President Jimmy Carter in June 1978. For 30 years, these 
     classification directives narrowed the bases and discretion 
     for assigning official secrecy to executive branch documents 
     and materials. Then, in April 1982, this trend was reversed 
     with E.O. 12356, issued by President Ronald Reagan. This 
     order expanded the categories of classifiable information, 
     mandated that information falling within these categories be 
     classified, authorized the reclassification of previously 
     declassified documents, admonished classifiers to err on the 
     side of classification, and eliminated automatic 
     declassification arrangements.
       President William Clinton returned security classification 
     policy and procedure to the reform trend of the Eisenhower, 
     Nixon, and Carter Administrations with E.O. 12958 in April 
     1995. Adding impetus to the development and issuance of the 
     new order were changing world conditions: the democratization 
     of many eastern European countries, the demise of the Soviet 
     Union, and the end of the Cold War. Accountability and cost 
     considerations were also significant influences. In 1985, the 
     temporary Department of Defense (DOD) Security Review 
     Commission, chaired by retired General Richard G. Stilwell, 
     declared that there were ``no verifiable figures as to the 
     amount of classified material produced in DOD and in defense 
     industry each year.'' Nonetheless, it concluded that ``too 
     much information appears to be classified and much at higher 
     levels than is warranted.'' In October 1993, the cost of the 
     security classification program became clearer when the 
     General Accounting Office (GAO) reported that it was ``able 
     to identify government-wide costs directly applicable to 
     national security information totaling over $350 million for 
     1992.'' After breaking this figure down--it included only $6 
     million for declassification work--the report added that 
     ``the U.S. government also spends additional billions of 
     dollars annually to safeguard information, personnel, and 
     property.'' E.O. 12958 set limits for the duration of 
     classification, prohibited the reclassification of properly 
     declassified records, authorized government employees to 
     challenge the classification status of records, reestablished 
     the balancing test of E.O. 12065 weighing the need to protect 
     information vis-a-vis the public interest in its disclosure, 
     and created two review panels--one on classification and 
     declassification actions and one to advise on policy and 
     procedure.
       Most recently, in March 2003, President George W. Bush 
     issued E.O. 13292, amending E.O. 12958. Among the changes 
     made by this order were adding infrastructure vulnerabilities 
     or capabilities, protection services relating to national 
     security, and weapons of mass destruction to the categories 
     of classifiable information; easing the reclassification of 
     declassified records; postponing the automatic 
     declassification of protected records 25 or more years old, 
     beginning in mid-April 2003 to the end of December 2006; 
     eliminating the requirement that agencies prepare plans for 
     declassifying records; and permitting the Director of Central 
     Intelligence to block declassification actions of the 
     Interagency Security Classification Appeals Panel, unless 
     overruled by the President.
       The security classification program has evolved during the 
     past 66 years. One may not agree with all of its rules and 
     requirements, but attention to detail in its policy and 
     procedure result in a significant management regime. The 
     operative executive order, as amended, defines its principal 
     terms. Those who are authorized to exercise original 
     classification authority are identified. Exclusive categories 
     of classifiable information are specified, as are the terms 
     of the duration of classification, as well as classification 
     prohibitions and limitations. Classified information is 
     required to be marked appropriately along with the identity 
     of the original classifier, the agency or office of origin, 
     and a date or event for declassification. Authorized holders 
     of classified information who believe that its protected 
     status is improper are ``encouraged and expected'' to 
     challenge that status through prescribed arrangements. 
     Mandatory declassification reviews are also authorized to 
     determine if protected records merit continued classification 
     at their present level, a lower level, or at all. 
     Unsuccessful classification challenges

[[Page S10467]]

     and mandatory declassification reviews are subject to review 
     by the Interagency Security Classification Appeals Panel. 
     General restrictions on access to classified information are 
     prescribed, as are distribution controls for classified 
     information. The Information Security Oversight Office (ISOO) 
     within the National Archives and Records Administration 
     (NARA) is mandated to provide central management and 
     oversight of the security classification program. If the 
     director of this entity finds that a violation of the order 
     or its implementing directives has occurred, it must be 
     reported to the head of the agency or to the appropriate 
     senior agency official so that corrective steps, if 
     appropriate, may be taken.
       While Congress, thus far, has elected not to create 
     statutorily mandated security classification policy and 
     procedures, the option to do so has been explored in the 
     past, and its legislative authority to do so has been 
     recognized by the Supreme Court. Congress, however, has 
     established protections for certain kinds of information--
     such as Restricted Data in the Atomic Energy Acts of 1946 and 
     1954, and intelligence sources and methods in the National 
     Security Act of 1947--which have been realized through 
     security classification arrangements. It has acknowledged 
     properly applied security classification as a basis for 
     withholding records sought pursuant to the Freedom of 
     Information Act. Also, with a view to efficiency and economy, 
     as well as effective records management, committees of 
     Congress, on various occasions, have conducted oversight of 
     security classification policy and practice, and have been 
     assisted by GAO and CRS in this regard.


                 Sensitive but Unclassified Information

       The widespread existence and use of information control 
     markings other than those prescribed for the security 
     classification of information came to congressional attention 
     in March 1972 when a subcommittee of what is now the House 
     Committee on Government Reform launched the first oversight 
     hearings on the administration and operation of the Freedom 
     of Information Act (FOIA). Enacted in 1966, FOIA had become 
     operative in July 1967. In the early months of 1972, the 
     Nixon Administration was developing new security 
     classification policy and procedure, which would be 
     prescribed in E.O. 11652, issued in early March. Preparatory 
     to this hearing, the panel had surveyed the departments and 
     agencies in August 1971, asking, among other questions, 
     ``What legend is used by your agency to identify records 
     which are not classifiable under Executive Order 10501 [the 
     operative order at the time] but which are not to be made 
     available outside the government?'' Of 58 information control 
     markings identified in response to this question, the most 
     common were For Official Use Only (11 agencies); Limited 
     Official Use (nine agencies); Official Use Only (eight 
     agencies); Restricted Data (five agencies); Administratively 
     Restricted (four agencies); Formerly Restricted Data (four 
     agencies); and Nodis, or no dissemination (four agencies). 
     Seven other markings were used by two agencies in each case. 
     A CRS review of the agency responses to the control markings 
     question prompted the following observation.
       Often no authority is cited for the establishment or origin 
     of these labels; even when some reference is provided it is a 
     handbook, manual, administrative order, or a circular but not 
     statutory authority. Exceptions to this are the Atomic Energy 
     Commission, the Defense Department and the Arms Control and 
     Disarmament Agency. These agencies cite the Atomic Energy 
     Act, N.A.T.O. related laws, and international agreements as a 
     basis for certain additional labels. The Arms Control and 
     Disarmament Agency acknowledged it honored and adopted State 
     and Defense Department labels.
       Over three decades later, it appears that approximately the 
     same number of these information control markings are in use; 
     that the majority of them are administratively, not 
     statutorily, prescribed; and that many of them have an 
     inadequate management regime, particularly when compared with 
     the detailed arrangements which govern the management of 
     classified information. A recent press account illustrates 
     another problem. In late January 2005, GCN Update, the 
     online, electronic news service of Government Computer News, 
     reported that ``dozens of classified Homeland Security 
     Department documents'' had been accidently made available on 
     a public Internet site for several days due to an apparent 
     security glitch at the Department of Energy. Describing the 
     contents of the compromised materials and reactions to the 
     breach, the account stated the ``documents were marked `for 
     official use only,' the lowest secret-level classification.'' 
     The documents, of course, were not security classified, 
     because the marking cited is not authorized by E.O. 12958. 
     Interestingly, however, in view of the fact that this 
     misinterpretation appeared in a story to which three 
     reporters contributed, perhaps it reflects, to some extent, 
     the current confusion of these information control markings 
     with security classification designations.
       Broadly considering the contemporary situation regarding 
     information control markings, a recent information security 
     report by the JASON Program Office of the MITRE Corporation 
     proffered the following assessment.
       The status of sensitive information outside of the present 
     classification system is murkier than ever. ``Sensitive but 
     unclassified'' data is increasingly defined by the eye of the 
     beholder. Lacking in definition, it is correspondingly 
     lacking in policies and procedures for protecting (or not 
     protecting) it, and regarding how and by whom it is generated 
     and used.
       A contemporaneous Heritage Foundation report appeared to 
     agree with this appraisal, saying:
       The process for classifying secret information in the 
     federal government is disciplined and explicit. The same 
     cannot be said for unclassified but security-related 
     information for which there is no usable definition, no 
     common understanding about how to control it, no agreement on 
     what significance it has for U.S. national security, and no 
     means for adjudicating concerns regarding appropriate levels 
     of protection.
       Concerning the current Sensitive but Unclassified (SBU) 
     marking, a 2004 report by the Federal Research Division of 
     the Library of Congress commented that guidelines for its 
     use are needed, and noted that ``a uniform legal 
     definition or set of procedures applicable to all Federal 
     government agencies does not now exist.'' Indeed, the 
     report indicates that SBU has been utilized in different 
     contexts with little precision as to its scope or meaning, 
     and, to add a bit of chaos to an already confusing 
     situation, is ``often referred to as Sensitive Homeland 
     Security Information.
       Assessments of the variety, management, and impact of 
     information control markings, other than those prescribed for 
     the classification of national security information, have 
     been conducted by CRS, GAO, and the National Security 
     Archive, a private sector research and resource center 
     located at The George Washington University. In March 2006, 
     GAO indicated that, in a recent survey, 26 federal agencies 
     reported using 56 different information control markings to 
     protect sensitive information other than classified national 
     security materia1. That same month, the National Security 
     Archive offered that, of 37 agencies surveyed, 24 used 28 
     control markings based on internal policies, procedures, or 
     practices, and eight used 10 markings based on statutory 
     authority. These numbers are important in terms of the 
     variety of such markings. GAO explained this dimension of the 
     management problem.
       [T]here are at least 13 agencies that use the designation 
     For Official Use Only [FOUO], but there are at least five 
     different definitions of FOUO. At least seven agencies or 
     agency components use the term Law Enforcement Sensitive 
     (LES), including the U.S. Marshals Service, the Department of 
     Homeland Security (DHS), the Department of Commerce, and the 
     Office of Personnel Management (OPM). These agencies gave 
     differing definitions for the term. While DHS does not 
     formally define the designation, the Department of Commerce 
     defines it to include information pertaining to the 
     protection of senior government officials, and OPM defines it 
     as unclassified information used by law enforcement personnel 
     that requires protection against unauthorized disclosure to 
     protect the sources and methods of investigative activity, 
     evidence, and the integrity of pretrial investigative 
     reports.
       Apart from the numbers, however, is another aspect of the 
     management problem, which GAO described in the following 
     terms.
       There are no governmentwide policies or procedures that 
     describe the basis on which agencies should use most of these 
     sensitive but unclassified designations, explain what the 
     different designations mean across agencies, or ensure that 
     they will be used consistently from one agency to another. In 
     this absence, each agency determines what designations to 
     apply to the sensitive but unclassified information it 
     develops or shares.
       These markings also have implications in another regard. 
     The importance of information sharing for combating terrorism 
     and realizing homeland security was emphasized by the 
     National Commission on Terrorist Attacks Upon the United 
     States. That the variously identified and marked forms of 
     sensitive but unclassified (SBU) information could be 
     problematic with regard to information sharing was recognized 
     by Congress when fashioning the Homeland Security Act of 
     2002. Section 892 of that statute specifically directed the 
     President to prescribe and implement procedures for the 
     sharing of information by relevant federal agencies, 
     including the accommodation of ``homeland security 
     information that is sensitive but unclassified.'' On July 29, 
     2003, the President assigned this responsibility largely to 
     the Secretary of Homeland Security. Nothing resulted. The 
     importance of information sharing was reinforced two years 
     later in the report of the Commission on the Intelligence 
     Capabilities of the United States Regarding Weapons of Mass 
     Destruction. Congress again responded by mandating the 
     creation of an Information Sharing Environment (ISE) when 
     legislating the Intelligence Reform and Terrorism Prevention 
     Act of 2004. Preparatory to implementing the ISE provisions, 
     the President issued a December 16, 2005, memorandum 
     recognizing the need for standardized procedures for SBU 
     information and directing department and agency officials to 
     take certain actions relative to that objective. In May 2006, 
     the newly appointed manager of the ISE agreed with a March 
     GAO assessment that, oftentimes, SBU information, designated 
     as such with some marking, was not being shared due to 
     concerns about the ability of recipients to adequately 
     protect it. In brief, it appears that pseudo-classification 
     markings have, in some instances, had the effect of deterring 
     information sharing for homeland security purposes.
       Congressional overseers have probed executive use and 
     management of information

[[Page S10468]]

     control markings other than those prescribed for the 
     classification of national security information, and the 
     extent to which they result in ``pseudo-classification'' or a 
     form of overclassification. Relevant remedial legislation 
     proposed during the 109th Congress includes two bills (H.R. 
     2331 and H.R. 5112) containing sections which would require 
     the Archivist of the United States to prepare a detailed 
     report regarding the number, use, and management of these 
     information control markings and submit it to specified 
     congressional committees, and to promulgate regulations 
     banning the use of these markings and otherwise establish 
     standards for information control designations established by 
     statute or an executive order relating to the classification 
     of national security information. A section in the Department 
     of Homeland Security appropriations legislation (H.R. 5441), 
     as approved by the House, would require the Secretary of 
     Homeland Security to revise DHS MD (Management Directive) 
     11056 to include (1) provision that information that is three 
     years old and not incorporated in a current, active 
     transportation security directive or security plan shall be 
     determined automatically to be releasable unless, for each 
     specific document, the Secretary makes a written 
     determination that identifies a compelling reason why the 
     information must remain Sensitive Security Information (SSI); 
     (2) common and extensive examples of the individual 
     categories of SSI cited in order to minimize and standardize 
     judgment in the application of SSI marking; and (3) provision 
     that, in all judicial proceedings where the judge overseeing 
     the proceedings has adjudicated that a party needs to have 
     access to SSI, the party shall be deemed a covered person for 
     purposes of access to the SSI at issue in the case unless TSA 
     or DHS demonstrates a compelling reason why the specific 
     individual presents a risk of harm to the nation. A May 25, 
     2006, statement of administration policy on the bill strongly 
     opposed the section, saying it ``would jeopardize an 
     important program that protects Sensitive Security 
     Information (SSI) from public release by deeming it 
     automatically releaseable in three years, potentially 
     conflict with requirements of the Privacy and Freedom of 
     Information Acts, and negate statutory provisions providing 
     original jurisdiction for lawsuits challenging the 
     designation of SSI materials in the U.S. Courts of Appeals.'' 
     The statement further indicated that the section would create 
     a ``burdensome review process'' for the Secretary of Homeland 
     Security and ``would result in different statutory 
     requirements being applied to SSI programs administered by 
     the Departments of Homeland Security and Transportation.''
       It is not anticipated that this memorandum will be updated 
     for reissuance.
                                  ____


 Testimony Before the Subcommittee on Government Efficiency, Financial 
  Management and Intergovernmental Relations, and the Subcommittee on 
   National Security, Veterans Affairs, and International Relations, 
       Committee on Governmental Reform, House of Representatives

                United States General Accounting Office

                      CENTRAL INTELLIGENCE AGENCY

     Observations on GAO Access to Information on CIA Programs and 
                               Activities

     Statement of Henry L. Hinton, Jr., Managing Director Defense 
                      Capabilities and Management

       Messrs. Chairmen and Members of the Subcommittees:
       We are pleased to be here to discuss the subject of access 
     by the General Accounting Office (GAO) to information from 
     the Central Intelligence Agency (CIA). Specifically, our 
     statement will provide some background on CIA and its 
     oversight mechanisms, our authority to review CIA programs, 
     and the history and status of GAO access to CIA information. 
     As requested, our remarks will focus on our relationship with 
     the CIA and not with other intelligence agencies. Our 
     comments are based upon our review of historic files, our 
     legal analysis, and our experiences dealing with the CIA over 
     the years.


                                Summary

       Oversight of the CIA generally comes from two select 
     committees of Congress and the CIA's Inspector General. We 
     have broad authority to evaluate CIA programs. In reality, 
     however, we face both legal and practical limitations on our 
     ability to review these programs. For example, we have no 
     access to certain CIA ``unvouchered'' accounts and cannot 
     compel our access to foreign intelligence and 
     counterintelligence information. In addition, as a practical 
     matter, we are limited by the CIA's level of cooperation, 
     which has varied through the years. We have not actively 
     audited the CIA since the early 1960s, when we discontinued 
     such work because the CIA was not providing us with 
     sufficient access to information to perform our mission. The 
     issue has arisen since then from time to time as our work has 
     required some level of access to CIA programs and 
     information. However, given a lack of requests from the 
     Congress for us to do specific work at the CIA and our 
     limited resources, we have made a conscious decision not to 
     further pursue the issue.
       Today, our dealings with the CIA are mostly limited to 
     requesting information that relates either to governmentwide 
     reviews or analyses of threats to U.S. national security on 
     which the CIA might have some information. The CIA either 
     provides us with the requested information, provides the 
     information with some restrictions, or does not provide the 
     information at all. In general, we are most successful at 
     getting access to CIA information when we request threat 
     assessments and the CIA does not perceive our audits as 
     oversight of its activities.


                               Background

       As you know, the General Accounting Office is the 
     investigative arm of the Congress and is headed by the 
     Comptroller General of the United States--currently David M. 
     Walker. We support the Congress in meeting its constitutional 
     responsibilities and help improve the performance 
     and accountability of the federal government for the 
     American people. We examine the use of public funds, 
     evaluate federal programs and activities, and provide 
     analyses, options, recommendations, and other assistance 
     to help the Congress make effective oversight, policy, and 
     funding decisions. Almost 90 percent of our staff days are 
     in direct support of Congressional requestors, generally 
     on the behalf of committee chairmen or ranking members.
       The U.S. Intelligence Community consists of those Executive 
     Branch agencies and organizations that work in concert to 
     carry out our nation's intelligence activities. The CIA is an 
     Intelligence Community agency established under the National 
     Security Act of 1947 to coordinate the intelligence 
     activities of several U.S. departments and agencies in the 
     interest of national security. Among other functions, the CIA 
     collects, produces, and disseminates foreign intelligence and 
     counterintelligence; conducts counterintelligence activities 
     abroad; collects, produces, and disseminates intelligence on 
     foreign aspects of narcotics production and trafficking; 
     conducts special activities approved by the President; and 
     conducts research, development, and procurement of technical 
     systems and devices.


                      Oversight of CIA Activities

       Currently, two congressional select committees and the 
     CIA's Inspector General oversee the CIA's activities. The 
     Senate Select Committee on Intelligence was established on 
     May 19, 1976, to oversee the activities of the Intelligence 
     Community. Its counterpart in the House of Representatives is 
     the House Permanent Select Committee on Intelligence, 
     established on July 14, 1977. The CIA's Inspector General is 
     nominated by the President and confirmed by the Senate. The 
     Office of the Inspector General was established by statute in 
     1989 and conducts inspections, investigations, and audits at 
     headquarters and in the field. The Inspector General reports 
     directly to the CIA Director. In addition, the President's 
     Foreign Intelligence Advisory Board assesses the quality, 
     quantity, and adequacy of intelligence activities. Within the 
     Board, there is an intelligence oversight committee that 
     prepares reports on intelligence activities that may be 
     unlawful or otherwise inappropriate. Finally, the Congress 
     can charter commissions to evaluate intelligence agencies 
     such as CIA. One such commission was the Commission on the 
     Roles and Capabilities of the United States Intelligence 
     Community, which issued a report in 1996.


                 GAG's Authority to Review CIA Programs

       Generally, we have broad authority to evaluate agency 
     programs and investigate matters related to the receipt, 
     disbursement, and use of public money. To carry out our audit 
     responsibilities, we have a statutory right of access to 
     agency records. Federal agencies are required to provide us 
     information about their duties, powers, activities, 
     organization, and financial transactions. This requirement 
     applies to all federal agencies, including the CIA. Our 
     access rights include the authority to file a civil action to 
     compel production of records, unless (a) the records relate 
     to activities the President has designated as foreign 
     intelligence or counterintelligence activities, (b) the 
     records are specifically exempt from disclosure by statute, 
     or (c) the records would be exempt from release under the 
     Freedom of Information Act because they are predecisional 
     memoranda or law enforcement records and the President or 
     Director of the Office of Management and Budget certifies 
     that disclosure of the record could be expected to impair 
     substantially the operations of the government.
       The National Security Act of 1947 charges the CIA Director 
     with protecting intelligence sources and methods from 
     unauthorized disclosure. In terms of our statutory access 
     authority, however, the law creates only one specific 
     exemption: the so-called ``unvouchered'' accounts. The 
     exemption pertains to expenditures of a confidential, 
     extraordinary, or emergency nature that are accounted for 
     solely on the certification of the Director. These 
     transactions are subject to review by the intelligence 
     committees. Amendments to the law require the President to 
     keep the intelligence committees fully and currently informed 
     of the intelligence activities of the United States. The CIA 
     has maintained that the Congress intended the intelligence 
     committees to be the exclusive means of oversight of the CIA, 
     effectively precluding oversight by us.
       While we understand the role of the intelligence committees 
     and the need to protect intelligence sources and methods, we 
     also believe that our authorities are broad enough to cover 
     the management and administrative functions that the CIA 
     shares with all federal agencies.
       We have summarized the statutes relevant to our 
     relationship with the CIA in an appendix attached to this 
     testimony.

[[Page S10469]]

                gao's access to the cia has been limited

       We have not done audit work at the CIA for almost 40 years. 
     Currently, our access to the CIA is limited to requests for 
     information that relates either to governmentwide reviews or 
     programs for which the CIA might have relevant information. 
     In general, we have the most success obtaining access to CIA 
     information when we request threat assessments, and the CIA 
     does not perceive our audits as oversight of its activities.


             gao access to cia has varied through the years

       After the enactment of the National Security Act of 1947, 
     we began conducting financial transaction audits of vouchered 
     expenditures of the CIA. This effort continued into the early 
     1960s. In the late 1950s, we proposed to broaden its work at 
     the CIA to include an examination of the efficiency, economy, 
     and effectiveness of CIA programs. Although the CIA Director 
     agreed to our proposal to expand the scope of our work, he 
     placed a number of conditions on our access to information. 
     Nonetheless, in October 1959, we agreed to conduct program 
     review work with CIA-imposed restrictions on access.
       Our attempt to conduct comprehensive program review work 
     continued until May 1961, when the Comptroller General 
     concluded that the CIA was not providing us with sufficient 
     access to the information necessary to conduct comprehensive 
     reviews of the CIA's programs and announced plans to 
     discontinue audit work there. After much discussion and 
     several exchanges of correspondence between GAO, the CIA, and 
     the cognizant congressional committees, the Chairman of the 
     House Armed Services Committee wrote to the Comptroller 
     General in July 1962 agreeing that, absent sufficient GAO 
     access to CIA information, GAO should withdraw from further 
     audit activities at the CIA. Thus, in 1962, we withdrew from 
     all audits of CIA activities.
       The issue of our access has arisen periodically in the 
     intervening years as our work has required some level of 
     access to CIA programs and activities. In July 1975, 
     Comptroller General Elmer Staats testified on our 
     relationship with the intelligence community and cited 
     several cases where CIA had not provided us with the 
     requested information. In July 1987, Senator John Glenn 
     introduced a bill (S. 1458) in the 100th Congress to clarify 
     our audit authority to audit CIA programs and activities. In 
     1994, the CIA Director sought to further limit our audit work 
     of intelligence programs, including those at the Department 
     of Defense. We responded by writing to several key members of 
     the Congress, citing our concerns and seeking assistance. As 
     a result, we and the CIA began negotiations on a written 
     agreement to clarify our access and relationship. 
     Unfortunately, we were unable to reach any agreement with CIA 
     on this matter. Since then, GAO has limited its pursuit of 
     greater access because of limited demand for this work from 
     Congress, particularly from the intelligence committees. 
     Given a lack of Congressional requests and our limited 
     resources, we have made a conscious decision to deal with the 
     CIA on a case-by-case basis.


               current access falls into three categories

       Currently, the CIA responds to our requests for information 
     in three ways: it provides the information, it provides the 
     information or a part of it with some restriction, or it does 
     not provide the information at all. Examples of each of these 
     three situations, based on the experiences of our audit staff 
     in selected reviews in recent years, are listed below.
       Sometimes the CIA straightforwardly fulfills our requests 
     for briefings or reports related to threat assessments. This 
     is especially true when we ask for threat briefings or the 
     CIA's assessments or opinions on an issue not involving CIA 
     operations.
       For our review of the State Department's Anthrax 
     Vaccination Program for the Senate Foreign Relations and 
     House International Relations Committees, we requested a 
     meeting to discuss the CIA's perspective on a recent threat 
     assessment of chemical and biological threats to U.S. 
     interests overseas. The CIA agreed with our request, provided 
     a meeting within 2 weeks, and followed up with a written 
     statement.
       While we were reviewing U.S. assistance to the Haitian 
     justice system and national police on behalf of the Senate 
     Foreign Relations and House International Relations 
     Committees, we requested a meeting to discuss the Haitian 
     justice system. The CIA agreed with our request and met with 
     our audit team within 3 weeks of our request.
       For our review of chemical and biological terrorist threats 
     for the House Armed Services Committee, and subcommittees of 
     the House Government Reform Committee and the House Veterans 
     Affairs Committee, we requested meetings with CIA analysts on 
     their threat assessments on chemical and biological weapons. 
     The CIA cooperated and gave us access to documents and 
     analysts.
       On several of our reviews of counterdrug programs for the 
     House Government Reform Committee and the Senate Foreign 
     Relations Committee we requested CIA assessments on the drug 
     threat and international activities. The CIA has provided us 
     with detailed briefings on drug cultivation, production, and 
     trafficking activities in advance of our field work overseas.
       During our reviews of Balkan security issues and the Dayton 
     Peace Accords for the House Armed Services Committee and the 
     Senate Foreign Relations Committee, we asked the CIA for 
     threat assessments relevant to our review objectives. The CIA 
     provided us with appropriate briefings and agreed to provide 
     one of our staff members with access to regular intelligence 
     reports.
       In some instances, the CIA provides information with 
     certain access restrictions or discusses an issue with us 
     without providing detailed data or documentation.
       During our evaluation of equal employment opportunity and 
     disciplinary actions for a subcommittee of the House 
     Committee on the Post Office and Civil Service, the CIA 
     provided us with limited access to information. CIA officials 
     allowed us to review their personnel regulations and take 
     notes, but they did not allow us to review personnel folders 
     on individual disciplinary actions. This was in contrast to 
     the National Security Agency and Defense Intelligence Agency, 
     which gave us full access to personnel folders on individual 
     terminations and disciplinary actions.
       For our review of the Department of Defense's efforts to 
     address the growing risk to U.S. electronic systems from 
     high-powered radio frequency weapons for the Joint Economic 
     Committee, the CIA limited our access to one meeting. 
     Although the technology associated with such systems was 
     discussed at the meeting, the CIA did not provide any 
     documentation on research being conducted by foreign nations.
       On some of our audits related to national security issues, 
     the CIA provides us with limited access to its written threat 
     assessments and analyses, such as National Intelligence 
     Estimates. However, the CIA restricts our access to reading 
     the documents and taking notes at the CIA or other locations. 
     Examples include our readings of National Intelligence 
     Estimates related to our ongoing work evaluating federal 
     programs to combat terrorism.
       In other cases, the CIA simply denies us access to the 
     information we requested. The CIA's refusals are not related 
     to the classification level of the material. Many of our 
     staff have the high-level security clearances and accesses 
     needed to review intelligence information. But the CIA 
     considers our requests as having some implication of 
     oversight and denies us access.
       For our evaluation of national intelligence estimates 
     regarding missile threats for the House National Security 
     Committee, the CIA refused to meet with us to discuss the 
     general process and criteria for producing such estimates or 
     the specific estimates we were reviewing. In addition, 
     officials from the Departments of Defense, State, and Energy 
     told us that CIA had asked them not to cooperate with us.
       During our examination of overseas arrests of terrorists 
     for the House Armed Services Committee and a subcommittee of 
     the House Government Reform Committee, the CIA refused to 
     meet with us to discuss intelligence issues related to such 
     arrests. The CIA's actions were in contrast to those of two 
     other departments that provided us full access to their staff 
     and files.
       On our review of classified computer systems in the federal 
     government for a subcommittee of the House Government Reform 
     Committee, we requested basic information on the number and 
     nature of such systems. The CIA did not provide us with the 
     information, claiming that they would not be able to 
     participate in the review because the type of information is 
     under the purview of congressional entities charged with 
     overseeing the Intelligence Community.
       For our review of the policies and procedures used by the 
     Executive Office of the President to acquire and safeguard 
     classified intelligence information, done for the House Rules 
     Committee, we asked to review CIA forms documenting that 
     personnel had been granted appropriate clearances. The CIA 
     declined our request, advising us that type of information we 
     were seeking came under the purview of congressional entities 
     charged with overseeing the intelligence community.


                               conclusion

       Our access to CIA information and programs has been limited 
     by both legal and practical factors. Through the years our 
     access has varied and we have not done detailed audit work at 
     CIA since the early 1960s. Today, our access is generally 
     limited to obtaining information on threat assessments when 
     the CIA does not perceives our audits as oversight of its 
     activities. We foresee no major change in our current access 
     without substantial support from Congress--the requestor of 
     the vast majority of our work. Congressional impetus for 
     change would have to include the support of the intelligence 
     committees, who have generally not requested GAG reviews or 
     evaluations of CIA activities. With such support, we could 
     evaluate some of the basic management functions at CIA that 
     we now evaluate throughout the federal government.
       This concludes our testimony. We would be happy to answer 
     any questions you may have.
       GAO Contacts and Staff Acknowledgment
       For future questions about this testimony, please contact 
     Henry L. Hinton, Jr., Managing Director, Defense Capabilities 
     and Management at (202) 512-4300. Individuals making key 
     contributions to this statement include Stephen L. Caldwell, 
     James Reid, and David Hancock.

              Appendix I: Legal Framework for GAO and CIA


                         gao's audit authority

       The following statutory provisions give GAO broad authority 
     to review agency programs and activities:

[[Page S10470]]

       31 U.S.C. 712: GAO has the responsibility and authority for 
     investigating matters relating to the receipt, disbursement, 
     and use of public money, and for investigating and reporting 
     to either House of Congress or appropriate congressional 
     committees.
       1 U.S.C. 717: GAO is authorized to evaluate the results of 
     programs and activities of federal agencies. Reviews are 
     based upon the initiative of the Comptroller General, an 
     order from either House of Congress, or a request from a 
     committee with jurisdiction.
       31 U.S.C. 3523: This provision authorizes GAO to audit 
     financial transactions of each agency, except as specifically 
     provided by law.
       31 U.S.C. 3524: This section authorizes GAO to audit 
     unvouchered accounts (i.e., those accounted for solely on the 
     certificate of an executive branch official). The President 
     may exempt sensitive foreign intelligence and 
     counterintelligence transactions. CIA expenditures on objects 
     of a confidential, extraordinary, or emergency nature under 
     50 U.S.C. 403j(b) are also exempt. Transactions in these 
     categories may be reviewed by the intelligence committees.


                   gao's access-to-records authority

       31 U.S.C. 716: GAO has a broad right of access to agency 
     records. Subsection 716(a) requires agencies to give GAO 
     information it requires about the ``duties, powers, 
     activities, organization, and financial transactions of the 
     agency.'' This provision gives GAO a generally unrestricted 
     right of access to agency records. GAO in turn is required to 
     maintain the same level of confidentiality for the 
     information as is required of the head of the agency from 
     which it is obtained.
       Section 716 also gives GAO the authority to enforce its 
     requests for records by filing a civil action in federal 
     district court. Under the enforcement provisions in 31 U.S.C. 
     716(d)(1), GAO is precluded from bringing a civil action to 
     compel the production of a record if:
       1. the record relates to activities the President 
     designates as foreign intelligence or counterintelligence 
     (see Executive Order No. 12333, defining these terms);
       2. the record is specifically exempted from disclosure to 
     GAO by statute; or
       3. the President or the Director of the Office of 
     Management and Budget certifies to the Comptroller General 
     and Congress that a record could be withheld under the 
     Freedom of Information Act exemptions in 5 U.S.C. 552(b)(5) 
     or (7) (relating to deliberative process and law enforcement 
     information, respectively), and that disclosure of the 
     information reasonably could be expected to impair 
     substantially the operations of the government.
       Although these exceptions do not restrict GAO's basic 
     rights of access under 31 U.S.C. 716(a), they do limit GAO's 
     ability to compel the production of particular records 
     through a court action.


                        relevant cia legislation

       The CIA has broad authority to protect intelligence-related 
     information but must keep the intelligence committees fully 
     and currently informed of the intelligence activities of the 
     United States.
       50 U.S.C. 403-3(c)(6) and 403g: Section 403-3 requires the 
     Director of the CIA to protect ``intelligence sources and 
     methods from unauthorized disclosure. . . .'' Section 403g 
     exempts the CIA from laws ``which require the publication or 
     disclosure of the organization, functions, names, official 
     titles, salaries, or numbers of personnel employed by the 
     Agency. With the exception of unvouchered expenditures, CIA's 
     disclosure of information to GAO would be an authorized and 
     proper disclosure under 31 U.S.C. 716(a).
       50 U.S.C. 403j: The CIA has broad discretion to use 
     appropriated funds for various purposes (e.g., personal 
     services, transportation, printing and binding, and purchases 
     of firearms) without regard to laws and regulations relating 
     to the expenditure of government funds. The statute also 
     authorizes the Director to establish an unvouchered account 
     for objects of a confidential, extraordinary, or emergency 
     nature. We recognize that the CIA's unvouchered account 
     authority constitutes an exception to GAO's audit and access 
     authority, but this account deals with only a portion of 
     CIA's funding activities.
       50 U.S.C. 413: This section provides a method for 
     maintaining congressional oversight over intelligence 
     activities within the executive branch. The statute requires 
     the President to ensure that the intelligence committees (the 
     Senate Select Committee on Intelligence and the House 
     Permanent Select Committee on Intelligence are kept fully and 
     currently informed of U.S. intelligence activities.
                                  ____


                            Report Language

       Section 1 of the Act provides that the Act may be cited as 
     the ``Intelligence Community Audit Act of 2006''.
       Section 2(a) of the Act adds a new Section (3523a) to title 
     31, United States Code, with respect to the Comptroller 
     General's authority to audit or evaluate activities of the 
     intelligence community. New Section 3523a(b)(1) reaffirms 
     that the Comptroller General possesses, under his existing 
     statutory authority, the authority to perform audits and 
     evaluations of financial transactions, programs, and 
     activities of elements of the intelligence community and to 
     obtain access to records for the purposes of such audits and 
     evaluations. Such work could be done at the request of the 
     congressional intelligence committees or any committee of 
     jurisdiction of the House of Representatives or Senate 
     (including the Committee on Homeland Security of the House of 
     Representatives and the Committee on Homeland Security and 
     Governmental Affairs of the Senate), or at the Comptroller 
     General's initiative, pursuant to the existing authorities 
     referenced in new Section 3523a(b)(1). New Section 
     3523a(b)(2) further provides that these audits and 
     evaluations under the Comptroller General's existing 
     authority may include, but are not limited to, matters 
     relating to the management and administration of elements of 
     the intelligence community in areas such as strategic 
     planning, financial management, information technology, human 
     capital, knowledge management, information sharing, and 
     change management. These audits and evaluations would be 
     accompanied by the safeguards that the Government 
     Accountability Office (GAO) has in place to protect 
     classified and other sensitive information, including 
     physical security arrangements, classification and 
     sensitivity reviews, and restricted distribution of certain 
     products.
       This reaffirmation is designed to respond to Executive 
     Branch assertions that GAO does not have the authority to 
     review activities of the intelligence community. To the 
     contrary, GAO's current statutory audit and access 
     authorities permit it to evaluate a wide range of activities 
     in the intelligence community. To further ensure that GAO's 
     authorities are appropriately construed in the future, the 
     new Section 3523a(e), which is described below, makes clear 
     that nothing in this or any other provision of law shall be 
     construed as restricting or limiting the Comptroller 
     General's authority to audit and evaluate, or obtain access 
     to the records of, elements of the intelligence community 
     absent specific statutory language restricting or limiting 
     such audits, evaluations, or access to records.
       New Section 3523a(c)(1) provides that Comptroller General 
     audits or evaluations of intelligence sources and methods, or 
     covert actions may be undertaken only upon the request of the 
     Select Committee on Intelligence of the Senate, or the 
     Permanent Select Committee on Intelligence of the House of 
     Representatives, or the majority or the minority leader of 
     the Senate or the House of Representatives. This limitation 
     is intended to recognize the heightened sensitivity of audits 
     and evaluations relating to intelligence sources and methods, 
     or covert actions.
       The new Section 3523a(c)(2)(A) provides that the results of 
     such audits or evaluations under Section 3523a(c) may be 
     disclosed only to the original requestor, the Director of 
     National Intelligence, and the head of the relevant element 
     of the intelligence community. Since the methods GAO uses to 
     communicate the results of its audits or evaluations vary, 
     this provision restricts the dissemination of GAO's findings 
     under Section 3523a(c), whether through testimony, oral 
     briefings, or written reports, to only the original 
     requestor, the Director of National Intelligence, and the 
     head of the relevant element of the intelligence 
     community. Similarly, under new Section 3523a(c)(2)(B), 
     the Comptroller General may only provide information 
     obtained in the course of such an audit or evaluation to 
     the original requestor, the Director of National 
     Intelligence, and the head of the relevant element of the 
     intelligence community.
       The new Section 3523a(c)(3)(A) provides that 
     notwithstanding any other provision of law, the Comptroller 
     General may inspect records of any element of the 
     intelligence community relating to intelligence sources and 
     methods, or covert actions in order to perform audits and 
     evaluations pursuant to Section 3523a(c). The Comptroller 
     General's access extends to any records which belong to, or 
     are in the possession and control of, the element of the 
     intelligence community regardless of who was the original 
     owner of such information. Under new Section 3523a(c)(3)(B), 
     the Comptroller General may enforce the access rights 
     provided under this subsection pursuant to section 716 of 
     title 31. However, before the Comptroller General files a 
     report pursuant to 31 U.S.C. 716(b)(1), the Comptroller 
     General must consult with the original requestor concerning 
     the Comptroller General's intent to file a report.
       The new Section 3523a(c)(4) reiterates the Comptroller 
     General's obligations to protect the confidentiality of 
     information and adds special safeguards to protect records 
     and information obtained from elements of the intelligence 
     community for audits and evaluations performed under Section 
     3523a(c). For example, pursuant to new Section 
     3523a(c)(4)(B), the Comptroller General is to maintain on 
     site, in facilities furnished by the element of the 
     intelligence community subject to audit or evaluation, all 
     workpapers and records obtained for the audit or evaluation. 
     Under new Section 3523a(c)(4)(C), the Comptroller General is 
     directed, after consulting with the Select Committee on 
     Intelligence of the Senate and the Permanent Select Committee 
     on Intelligence of the House of Representatives, to establish 
     procedures to protect from unauthorized disclosure all 
     classified and other sensitive information furnished to the 
     Comptroller General under Section 3523a(c). Under new Section 
     3523a(c)(4)(D), prior to initiating an audit or evaluation 
     under Section 3523a(c), the Comptroller General shall provide 
     the Director of National Intelligence and the head of the 
     relevant element of the intelligence community with the name 
     of each officer and employee of the Government Accountability 
     Office who has obtained appropriate security clearances.

[[Page S10471]]

       The new Section 3523a(d) provides that elements of the 
     intelligence community shall cooperate fully with the 
     Comptroller General and provide timely responses to 
     Comptroller General requests for documentation and 
     information.
       The new Section 3523a(e) makes clear that nothing in this 
     or any other provision of law shall be construed as 
     restricting or limiting the Comptroller General's authority 
     to audit and evaluate, or obtain access to the records of, 
     elements of the intelligence community absent specific 
     statutory language restricting or limiting such audits, 
     evaluations, or access to records.
                                  ____


                                S. 3968

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Intelligence Community Audit 
     Act of 2006''.

     SEC. 2. COMPTROLLER GENERAL AUDITS AND EVALUATIONS OF 
                   ACTIVITIES OF ELEMENTS OF THE INTELLIGENCE 
                   COMMUNITY.

       (a) Reaffirmation of Authority; Audits of Intelligence 
     Community Activities.--Chapter 35 of title 31, United States 
     Code, is amended by inserting after section 3523 the 
     following:

     ``Sec. 3523a. Audits of intelligence community; audit 
       requesters

       ``(a) In this section, the term `element of the 
     intelligence community' means an element of the intelligence 
     community specified in or designated under section 3(4) of 
     the National Security Act of 1947 (50 U.S.C. 401a(4)).
       ``(b) Congress finds that--
       ``(1) the authority of the Comptroller General to perform 
     audits and evaluations of financial transactions, programs, 
     and activities of elements of the intelligence community 
     under sections 712, 717, 3523, and 3524, and to obtain access 
     to records for purposes of such audits and evaluations under 
     section 716, is reaffirmed; and
       ``(2) such audits and evaluations may be requested by any 
     committee of jurisdiction (including the Committee on 
     Homeland Security of the House of Representatives and the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate), and may include but are not limited to matters 
     relating to the management and administration of elements of 
     the intelligence community in areas such as strategic 
     planning, financial management, information technology, human 
     capital, knowledge management, information sharing (including 
     information sharing by and with the Department of Homeland 
     Security), and change management.
       ``(c)(1) The Comptroller General may conduct an audit or 
     evaluation of intelligence sources and methods or covert 
     actions only upon request of the Select Committee on 
     Intelligence of the Senate or the Permanent Select Committee 
     on Intelligence of the House of Representatives, or the 
     majority or the minority leader of the Senate or the House of 
     Representatives.
       ``(2)(A) Whenever the Comptroller General conducts an audit 
     or evaluation under paragraph (1), the Comptroller General 
     shall provide the results of such audit or evaluation only to 
     the original requestor, the Director of National 
     Intelligence, and the head of the relevant element of the 
     intelligence community.
       ``(B) The Comptroller General may only provide information 
     obtained in the course of an audit or evaluation under 
     paragraph (1) to the original requestor, the Director of 
     National Intelligence, and the head of the relevant element 
     of the intelligence community.
       ``(3)(A) Notwithstanding any other provision of law, the 
     Comptroller General may inspect records of any element of the 
     intelligence community relating to intelligence sources and 
     methods, or covert actions in order to conduct audits and 
     evaluations under paragraph (1).
       ``(B) If in the conduct of an audit or evaluation under 
     paragraph (1), an agency record is not made available to the 
     Comptroller General in accordance with section 716, the 
     Comptroller General shall consult with the original requestor 
     before filing a report under subsection (b)(1) of that 
     section.
       ``(4)(A) The Comptroller General shall maintain the same 
     level of confidentiality for a record made available for 
     conducting an audit under paragraph (1) as is required of the 
     head of the element of the intelligence community from which 
     it is obtained. Officers and employees of the Government 
     Accountability Office are subject to the same statutory 
     penalties for unauthorized disclosure or use as officers or 
     employees of the intelligence community element that provided 
     the Comptroller General or officers and employees of the 
     Government Accountability Office with access to such records.
       ``(B) All workpapers of the Comptroller General and all 
     records and property of any element of the intelligence 
     community that the Comptroller General uses during an audit 
     or evaluation under paragraph (1) shall remain in facilities 
     provided by that element of the intelligence community. 
     Elements of the intelligence community shall give the 
     Comptroller General suitable and secure offices and 
     furniture, telephones, and access to copying facilities, for 
     purposes of audits and evaluations under paragraph (1).
       ``(C) After consultation with the Select Committee on 
     Intelligence of the Senate and with the Permanent Select 
     Committee on Intelligence of the House of Representatives, 
     the Comptroller General shall establish procedures to protect 
     from unauthorized disclosure all classified and other 
     sensitive information furnished to the Comptroller General or 
     any representative of the Comptroller General for conducting 
     an audit or evaluation under paragraph (1).
       ``(D) Before initiating an audit or evaluation under 
     paragraph (1), the Comptroller General shall provide the 
     Director of National Intelligence and the head of the 
     relevant element with the name of each officer and employee 
     of the Government Accountability Office who has obtained 
     appropriate security clearance and to whom, upon proper 
     identification, records, and information of the element of 
     the intelligence community shall be made available in 
     conducting the audit or evaluation.
       ``(d) Elements of the intelligence community shall 
     cooperate fully with the Comptroller General and provide 
     timely responses to Comptroller General requests for 
     documentation and information.
       ``(e) Nothing in this section or any other provision of law 
     shall be construed as restricting or limiting the authority 
     of the Comptroller General to audit and evaluate, or obtain 
     access to the records of, elements of the intelligence 
     community absent specific statutory language restricting or 
     limiting such audits, evaluations, or access to records.''.
       (b) Clerical Amendment.--The table of sections for chapter 
     35 of title 31, United States Code, is amended by inserting 
     after the item relating to section 3523 the following:

``3523a. Audits of intelligence community; audits and requesters.''.
                                 ______