[Congressional Record: January 4, 2007 (Senate)] [Page S86-S91] STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS By Mr. AKAKA (for himself and Mr. Lautenberg): S. 82. A bill to reaffirm the authority of the Comptroller General to audit and evaluate the programs, activities, and financial transactions of the intelligence community, and for other purposes; to the Select Committee on Intelligence. Mr. AKAKA. Mr. President, I rise to introduce ``The Intelligence Community Audit Act of 2007,'' with Senator Lautenberg. This legislation reaffirms the authority of the Comptroller General of the United States and head of the Government Accountability Office (GAO) to audit the financial transactions and evaluate the programs and activities of the intelligence community (IC). Our bill is identical to S. 3968, introduced in the last Congress by Senator Lautenberg and myself, and to H.R. 6252, introduced in the House by Representative Bennie Thompson. The need for more effective oversight and accountability of our intelligence community has never been greater. In the war against terrorism, intelligence agencies are both the spear and the shield: the first line of our attack and of our defense. Failure can bear terrible consequences. Congress has two responsibilities: the first is to ensure that our intelligence community is performing its mission effectively, and the second is to ensure that in performing its mission, the intelligence community is not violating the constitutional rights of individual Americans. Yet the ability of Congress to ensure that the intelligence community has sufficient resources and capability of performing its mission has never been more in question. The establishment of the Department of Homeland Security and the passage of the Intelligence Reform and Terrorism Prevention Act of 2004 created a new institutional landscape littered by new intelligence agencies with ever increasing demands and responsibilities. These new agencies became members of an already populated club of organizations performing intelligence related functions. The intelligence community today consists of 19 different agencies or components: the Office of the Director of National Intelligence; Central Intelligence Agency; Department of Defense; Defense Intelligence Agency; National Security Agency; Departments of the Army, Navy, Marine Corps, and Air Force; Department of State; Department of Treasury; Department of Energy; Department of Justice; Federal Bureau of Investigation; National Reconnaissance Office; National Geospatial- Intelligence Agency; Coast Guard; Department of Homeland Security, and the Drug Enforcement Administration. Congress too has increased its oversight responsibilities. Committees other than the intelligence committees of the House and Senate have jurisdiction over such departments as Homeland Security, State, Defense, Justice, Energy, Treasury, and Commerce. But all of these ``non-intelligence'' committees are restricted in their ability to conduct effective oversight of intelligence function of the agencies under their jurisdiction because, unfortunately, the intelligence community stonewalls the Government Accountability Office (GAO) when committees [[Page S87]] of jurisdiction request that GAO investigate problems. This is happening despite the clear responsibility of Congress to ensure that these agencies are operating effectively to protect America. It is inconceivable that the GAO--the audit arm of the U.S. Congress--has been unable to conduct evaluations of the CIA for over 40 years. If the GAO had been able to conduct basic auditing functions of the CIA, perhaps some of the problems that were so clearly exposed following the terrorist attacks in September 2001 would have been resolved. And yet, it is extraordinary that five years after 9-11, the same problems persist. Two recent incidents have made this situation disturbingly clear. At a hearing entitled, ``Access Delayed: Fixing the Security Clearance Process, Part II,'' before my Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, on November 9, 2005, GAO was asked about steps it would take to ensure that the Office of Personnel Management (OPM), the Office of Management and Budget, and the intelligence community met the goals and objectives outlined in the OPM security clearance strategic plan. Fixing the security clearance process, which is on GAO's high-risk list, is essential to our national security. But as GAO observed in a written response to a question raised by Senator Voinovich, ``while we have the authority to do such work, we lack the cooperation we need to get our job done in that area.'' A similar case arose in response to a GAO investigation for the Senate Homeland Security Committee and the House Government Reform Committee on how agencies are sharing terrorism-related and sensitive but unclassified information. The report, entitled ``Information Sharing, the Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information'' (GAO-06-385), was released in March 2006. At a time when Congress is criticized by members of the 9-11 Commission for failing to implement its recommendations, we should remember that improving terrorism information sharing among agencies was one of the critical recommendations of the Commission. Moreover, the Intelligence Reform and Terrorism Prevention Act of 2004 mandated the sharing of terrorism information through the creation of an Information Sharing Environment. Yet, when asked by GAO for comments on the GAO report, the Office of the Director of National Intelligence refused, stating that ``the review of intelligence activities is beyond GAO's purview.'' A Congressional Research Service memorandum entitled, ``Overview of `Classified' and `Sensitive but Unclassified' Information,'' concludes, ``it appears that pseudo-classification markings have, in some instances, had the effect of deterring information sharing for homeland security.'' Unfortunately I have more examples that predate the post 9-11 reforms. Indeed, in July 2001, in testimony, entitled ``Central Intelligence Agency, Observations on GAO Access to Information on CIA Programs and Activities'' (GAO-01-975T) before the House Committee on Government Reform, the GAO noted, as a practical manner, ``our access is generally limited to obtaining information on threat assessments when the CIA does not perceives [sic] our audits as oversight of its activities.'' The bill I introduce today does not detract from the authority of the intelligence committees. In fact, the language makes explicit that the Comptroller General may conduct an audit or evaluation of intelligence sources and methods or covert actions only upon the request of the intelligence committees or at the request of the congressional majority or minority leaders. The measure also prescribes for the security of the information collected by the Comptroller General. As both House Rule 48 and Senate Resolution 400 establishing the intelligence oversight committees state, ``Nothing in this [charter] shall be construed as amending, limiting, or otherwise changing the authority of any standing committee of the, House/Senate, to obtain full and prompt access to the product of the intelligence activities of any department or agency of the Government relevant to a matter otherwise within the jurisdiction of such committee.'' Despite this clear and unambiguous statement, the ability of non- intelligence committees to obtain information, no matter how vital to improving the security of our nation, has been restricted by the various elements of the intelligence community. My bill reaffirms the authority of the Comptroller General to conduct audits and evaluations--other than those relating to sources and methods, or covert actions--relating to the management and administration of elements of the intelligence community in areas such as strategic planning, financial management, information technology, human capital, knowledge management, information sharing, and change management for other relevant committees of the Congress. As I mentioned earlier in my statement, Congress also has the responsibility of ensuring that unfettered intelligence collection does not trample civil liberties. New technologies and new personal information data bases threaten our individual right to a secure private life, free from unlawful government invasion. We must ensure that private information collected by the intelligence community is not misused and is secure. Intelligence agencies have a legitimate mission to protect the country against potential threats. However, Congress' role is to ensure that their mission remains legitimate. Attached is a detailed description of the legislation that I ask unanimous consent be printed in the Record. I urge my colleagues to join me in supporting this legislation. I ask unanimous consent that the text of the legislation I am introducing be printed in the Record. There being no objection, the text of the material was ordered to be printed in the Record, as follows: Report Language Section 1 of the Act provides that the Act may be cited as the ``Intelligence Community Audit Act of 2007''. Section 2(a) of the Act adds a new Section (3523a) to title 31, United States Code, with respect to the Comptroller General's authority to audit or evaluate activities of the intelligence community. New Section 3523a(b)(1) reaffirms that the Comptroller General possesses, under his existing statutory authority, the authority to perform audits and evaluations of financial transactions, programs, and activities of elements of the intelligence community and to obtain access to records for the purposes of such audits and evaluations. Such work could be done at the request of the congressional intelligence committees or any committee of jurisdiction of the House of Representatives or Senate (including the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate), or at the Comptroller General's initiative, pursuant to the existing authorities referenced in new Section 3523a(b)(1). New Section 3523a(b)(2) further provides that these audits and evaluations under the Comptroller General's existing authority may include, but are not limited to, matters relating to the management and administration of elements of the intelligence community in areas such as strategic planning, financial management, information technology, human capital, knowledge management, information sharing, and change management. These audits and evaluations would be accompanied by the safeguards that the Government Accountability Office (GAO) has in place to protect classified and other sensitive information, including physical security arrangements, classification and sensitivity reviews, and restricted distribution of certain products. This reaffirmation is designed to respond to Executive Branch assertions that GAO does not have the authority to review activities of the intelligence community. To the contrary, GAO's current statutory audit and access authorities permit it to evaluate a wide range of activities in the intelligence community. To further ensure that GAO's authorities are appropriately construed in the future, the new Section 3523a(e), which is described below, makes clear that nothing in this or any other provision of law shall be construed as restricting or limiting the Comptroller General's authority to audit and evaluate, or obtain access to the records of, elements of the intelligence community absent specific statutory language restricting or limiting such audits, evaluations, or access to records. New Section 3523a(c)(1) provides that Comptroller General audits or evaluations of intelligence sources and methods, or covert actions may be undertaken only upon the request of the Select Committee on Intelligence of the Senate, or the Permanent Select Committee on Intelligence of the House of Representatives, or the majority or the minority leader of the Senate or the House of Representatives. This limitation is intended to recognize the heightened sensitivity of audits and evaluations relating to [[Page S88]] intelligence sources and methods, or covert actions. The new Section 3523a(c)(2)(A) provides that the results of such audits or evaluations under Section 3523a(c) may be disclosed only to the original requestor, the Director of National Intelligence, and the head of the relevant element of the intelligence community. Since the methods GAO uses to communicate the results of its audits or evaluations vary, this provision restricts the dissemination of GAO's findings under Section 3523a(c), whether through testimony, oral briefings, or written reports, to only the original requestor, the Director of National Intelligence, and the head of the relevant element of the intelligence community. Similarly, under new Section 3523a(c)(2)(B), the Comptroller General may only provide information obtained in the course of such an audit or evaluation to the original requestor, the Director of National Intelligence, and the head of the relevant element of the intelligence community. The new Section 3523a(c)(3)(A) provides that notwithstanding any other provision of law, the Comptroller General may inspect records of any element of the intelligence community relating to intelligence sources and methods, or covert actions in order to perform audits and evaluations pursuant to Section 3523a(c). The Comptroller General's access extends to any records which belong to, or are in the possession and control of, the element of the intelligence community regardless of who was the original owner of such information. Under new Section 3523a(c)(3)(B), the Comptroller General may enforce the access rights provided under this subsection pursuant to section 716 of title 31. However, before the Comptroller General files a report pursuant to 31 U.S.C. 716(b)(1), the Comptroller General must consult with the original requestor concerning the Comptroller General's intent to file a report. The new Section 3523a(c)(4) reiterates the Comptroller General's obligations to protect the confidentiality of information and adds special safeguards to protect records and information obtained from elements of the intelligence community for audits and evaluations performed under Section 3523a(c). For example, pursuant to new Section 3523a(c)(4)(B), the Comptroller General is to maintain on site, in facilities furnished by the element of the intelligence community subject to audit or evaluation, all workpapers and records obtained for the audit or evaluation. Under new Section 3523a(c)(4)(C), the Comptroller General is directed, after consulting with the Select Committee on Intelligence of the Senate and the Permanent Select Committee on Intelligence of the House of Representatives, to establish procedures to protect from unauthorized disclosure all classified and other sensitive information furnished to the Comptroller General under Section 3523a(c). Under new Section 3523a(c)(4)(D), prior to initiating an audit or evaluation under Section 3523a(c), the Comptroller General shall provide the Director of National Intelligence and the head of the relevant element of the intelligence community with the name of each officer and employee of the Government Accountability Office who has obtained appropriate security clearances. The new Section 3523a(d) provides that elements of the intelligence community shall cooperate fully with the Comptroller General and provide timely responses to Comptroller General requests for documentation and information. The new Section 3523a(e) makes clear that nothing in this or any other provision of law shall be construed as restricting or limiting the Comptroller General's authority to audit and evaluate, or obtain access to the records of, elements of the intelligence community absent specific statutory language restricting or limiting such audits, evaluations, or access to records. ____ Congressional Research Service, July 18, 2006. From: Harold C. Relyea, Specialist in American National Government, Government and Finance Division. Subject: Overview of ``Classified'' and ``Sensitive but Unclassified'' Information. Prescribed in various ways, federal policies may require the protection of, or a privileged status for, particular kinds of information. This memorandom provides a brief introduction to, and overview of, two categories of such information policy. The first category is demarcated largely in a single policy instrument--a presidential executive order--with a clear focus and in considerable detail: the classification of national security information in terms of three degrees of harm the disclosure of such information could cause to the nation, resulting in Confidential, Secret, and Top Secret designations. The second category is, by contrast with the first, much broader in terms of the kinds of information it covers, to the point of even being nebulous in some instances, and is expressed in various instruments, the majority of which are non-statutory: the marking of sensitive but unclassified (SBU) information for protective management, although its public disclosure may be permissible pursuant to the Freedom of Information Act (FOIA). These two categories are reviewed in the discussion set out below. security classified information Current security classification arrangements, prescribed by an executive order of the President, trace their origins to a March 1940 directive issued by President Franklin D. Roosevelt as E.O. 8381. This development was probably prompted somewhat by desires to clarify the authority of civilian personnel in the national defense community to classify information, to establish a broader basis for protecting military information in view of growing global hostilities, and to manage better a discretionary power seemingly of increasing importance to the entire executive branch. Prior to this 1940 order, information had been designated officially secret by armed forces personnel pursuant to Army and Navy general orders and regulations. The first systematic procedures for the protection of national defense information, devoid of special markings, were established by War Department General Orders No. 3 of February 1912. Records determined to be ``confidential'' were to be kept under lock, ``accessible only to the officer to whom intrusted.'' Serial numbers were issued for all such ``confidential'' materials, with the numbers marked on the documents, and lists of same kept at the offices from which they emanated. With the enlargement of the armed forces after the entry of the United States into World War I, the registry system was abandoned and a tripartite system of classification markings was inaugurated in November 1917 with General Order No. 64 of the General Headquarters of the American Expenditionary Force. The entry of the United States into World War II prompted some additional arrangements for the protection of information pertaining to the nation's security. Personnel cleared to work on the Manhattan Project for the production of the atomic bomb, for instance, in committing themselves not to disclose protected information improperly, were ``required to read and sign either the Espionage Act or a special secrecy agreement,'' establishing their awareness of their secrecy obligations and a fiduciary trust which, if breached, constituted a basis for their dismissal. A few years after the conclusion of World War II, President Harry S. Truman, in February 1950, issued E.O. 10104, which, while superseding E.O. 8381, basically reiterated its text, but added a fourth Top Secret classification designation to existing Restricted, Confidential, and Secret markings, making American information security categories consistent with those of our allies. At the time of the promulgation of this order, however, plans were underway for a complete overhaul of the classification program, which would result in a dramatic change in policy. E.O. 10290, issued in September 1951, introduced three sweeping innovations in security classification policy. First, the order indicated the Chief Executive was relying upon ``the authority vested in me by the Constitution and statutes, and as President of the United States'' in issuing the directive. This formula appeared to strengthen the President's discretion to make official secrecy policy: it intertwined his responsibility as Commander in Chief with the constitutional obligation to ``take care that the laws be faithfully executed.'' Second, information was now classified in the interest of ``national security,'' a somewhat new, but nebulous, concept, which, in the view of some, conveyed more latitude for the creation of official secrets. It replaced the heretofore relied upon ``national defense'' standard for classification. Third, the order extended classified authority to nonmilitary entitie throughout the executive branch, to be exercised by, presumably, but not explicitly limited to, those having some role in ``national security'' policy. The broad discretion to create official secrets granted by E.O. 10290 engendered widespread criticism from the public and the press. In response, President Dwight D. Eisenhower, shortly after his election to office, instructed Attorney General Herbert Brownell to review the order with a view to revising or rescinding it. The subsequent recommendation was for a new directive, which was issued in November 1953 as E.O. 10501. It withdrew classification authority from 28 entities, limited this discretion in 17 other units to the agency head, returned to the ``national defense'' standard for applying secrecy, eliminated the ``Restricted'' category, which was the lowest level of protection, and explicitly defined the remaining three classification areas to prevent their indiscriminate use. Thereafter, E.O. 10501, with slight amendment, prescribed operative security classification policy and procedure for the next two decades. Successor orders built on this reform. These included E.O. 11652, issued by President Richard M. Nixon in March 1972, followed by E.O. 12065, promulgated by President Jimmy Carter in June 1978. For 30 years, these classification directives narrowed the bases and discretion for assigning official secrecy to executive branch documents and materials. Then, in April 1982, this trend was reversed with E.O. 12356, issued by President Ronald Reagan. This order expanded the categories of classifiable information, mandated that information falling within these categories be classified, authorized the reclassification of previously declassified documents, admonished classifiers to err on the side classification, and eliminated automatic declassification arrangements. President William Clinton returned security classification policy and procedure to the reform trend of the Eisenhower, Nixon, and Carter Administrations with E.O. 12958 in April 1995. Adding impetus to the development and issuance of the new order were [[Page S89]] changing world conditions: the democratization of many eastern European countries, the demise of the Soviet Union, and the end of the Cold War. Accountability and cost considerations were also significant influences. In 1985, the temporary Department of Defense (DOD) Security Review Commission, chaired by retired General Richard G. Stilwell, declared that there were ``no verifiable figures as to the amount of classified material produced in DOD and in defense industry each year.'' Nonetheless, it concluded that ``too much information appears to be classified and much at higher levels than is warranted.'' In October 1993, the cost of the security classification program became clearer when the General Accounting Office (GAO) reported that it was ``able to identify government-wide costs directly applicable to national security information totaling over $350 million for 1992.'' After breaking this figure down--it included only $6 million for declassification work--the report added that ``the U.S. government also spends additional billions of dollars annually to safeguard information, personnel, and property.'' E.O. 12958 set limits for the duration of classification, prohibited the reclassification of properly declassified records, authorized government employees to challenge the classification status of records, reestablished the balancing test of E.O. 12065 weighing the need to protect information vis-a-vis the public interest in its disclosure, and created two review panels--one on classification and declassification actions and one to advise on policy and procedure. Most recently, in March 2003, President George W. Bush issued E.O. 13292, amending E.O. 12958. Among the changes made by this order were adding infrastructure vulnerabilities or capabilities, protection services relating to national security, and weapons of mass destruction to the categories of classifiable information; easing the reclassification of declassified records; postponing the automatic declassification of protected records 25 or more years old, beginning in mid-April 2003 to the end of December 2006; eliminating the requirement that agencies prepare plans for declassifying records; and permitting the Director of Central Intelligence to block declassification actions of the Interagency Security Classification Appeals Panel, unless overruled by the President. The security classification program has evolved during the past 66 years. One may not agree with all of its rules and requirements. but attention to detail in its policy and procedure result in a significant management regime. The operative executive order, as amended, defines its principal terms. Those who are authorized to exercise original classification authority are identified. Exclusive categories of classifiable information are specified, as are the terms of the duration of classification, as well as classification prohibitions and limitations. Classified information is required to be marked appropriately along with the identity of the original classifier, the agency or office of origin, and a date or event for declassification. Authorized holders of classified information who believe that its protected status is improper are ``encouraged and expected'' to challenge that status through prescribed arrangements. Mandatory declassification reviews are also authorized to determine if protected records merit continued classification at their present level, a lower level, or at all. Unsuccessful classification challenges and mandatory declassification reviews are subject to review by the Intragency Security Classification Appeals Panel. General restrictions on access to classified information are prescribed, as are distribution controls for classified information. The Information Security Oversight Office (ISOO) within the National Archives and Records Administration (NARA) is mandated to provide central management and oversight of the security classification program. If the director of this entity finds that a violation of the order or its implementing directives has occurred, it must be reported to the head of the agency or to the appropriate senior agency official so that corrective steps, if appropriate, may be taken While Congress, thus far, has elected not to create statutorily mandated security classification policy and procedures, the option to do so has been explored in the past, and its legislative authority to do so has been recognized by the Supreme Court. Congress, however, has established protections for certain kinds of information-- such as Restricted Data in the Atomic Energy Acts of 1946 and 1954, and inte1ligence sources and methods in the National Security Act of 1947--which have been realized through security classification arrangements. It has acknowledged properly applied security classification as a basis for withholding records sought pursuant to the Freedom of Information Act. Also, with a view to efficiency and economy, as well as effective records management, committees of Congress, on various occasions, have conducted oversight of security classification policy and practice, and have been assisted by GAO and CRS in this regard. Sensitive but Unclassified Information The widespread existence and use of information control markings other than those prescribed for the security classification of information came to congressional attention in March 1972 when a subcommittee of what is now the House Committee on Government Reform launched the first oversight hearings on the administration and operation of the Freedom of Information Act (FOIA). Enacted in 1966, FOIA had become operative in July 1967. In the early months of 1972, the Nixon Administration was developing new security classification policy and procedure, which wou1d be prescribed in E.O. 11652, issued in early March. Preparatory to this hearing, the panel had surveyed the departments and agencies in August 1971, asking, among other questions, ``What legend is used by your agency to identify records which are not classifiable under Executive Order 10501 [the operative order at the time] but which are not to be made available outside the government?'' Of 58 information control markings identified in response to this question, the most common were For Official Use Only (11 agencies); Limited Official Use (nine agencies); Official Use Only (eight agencies); Restricted Data (five agencies); Administratively Restricted (four agencies); Formerly Restricted Data (four agencies); and Nodis, or no dissemination (four agencies). Seven other markings were used by two agencies in each case. A CRS review of the agency responses to the control markings question prompted the following observation. Often no authority is cited for the establishment or origin of these labels; even when some reference is provided it is a handbook, manual, administrative order, or a circular but not statutory authority. Exceptions to this are the Atomic Energy Commission, the Defense Department and the Arms Control and Disarmament Agency. These agencies cite the Atomic Atomic Energy Act, N.A.T.O. related laws, and international agreements as a basis for certain additional labels. The Arms Control and Disarmament Agency acknowledged it honored and adopted State and Defense Department labels. Over three decades later, it appears that approximately the same number of these information control markings are in use; that the majority of them are administratively, not statutorily, prescribed; and that many of them have an inadequate management regime, particularly when compared with the detailed arrangements which govern the management of classified information. A recent press account illustrates another problem. In late January 2005, GCN Update, the online, electronic news service of Government Computer News, reported that ``dozens of classified Homeland Security Department documents'' had been accidently made available on a public Internet site for several days due to an apparent security glitch at the Department of Energy. Describing the contents of the compromised materials and reactions to the breach, the account stated the ``documents were marked `for official use only,' the lowest secret-level classification.'' The documents, of course, were not security classified, because the marking cited is not authorized by E.O. 12958. Interestingly, however, in view of the fact that this misinterpretation appeared in a story to which three reporters contributed, perhaps it reflects, to some extent, the current confusion of these information control markings with security classification designations. Broadly considering the contemporary situation regarding information control markings, a recent information security report by the JASON Program Office of the MITRE Corporation proffered the following assessment. The status of sensitive information outside of the present classification system is murkier than ever. . . . ``Sensitive but unclassified'' data is increasingly defined by the eye of the beholder. Lacking in definition, it is correspondingly lacking in policies and procedures for protecting (or not protecting) it, and regarding how and by whom it is generated and used. A contemporaneous Heritage Foundation report appeared to agree with this appraisal, saying: The process for classifying secret information in the federal government is disciplined and explicit. The same cannot be said for unclassified but security-related information for which there is no usable definition, no common understanding about how to control it, no agreement on what significance it has for U.S. national security, and no means for adjudicating concerns regarding appropriate levels of protection. Concerning the current Sensitive but Unclassified (SBU) marking, a 2004 report by the Federal Research Division of the Library of Congress commented that guidelines for its use are needed, and noted that ``a uniform legal definition or set of procedures applicable to all Federal government agencies does not now exist.'' Indeed, the report indicates that SBU has been utilized in different contexts with little precision as to its scope or meaning, and, to add a bit of chaos to an already confusing situation, is ``often referred to as Sensitive Homeland Security Information.'' Assessments of the variety, management, and impact of information control markings, other than those prescribed for the classification of national security information, have been conducted by CRS, GAO, and the National Security Archive, a private sector research and resource center located at The George Washington University. In March 2006, GAO indicated that, in a recent survey, 26 federal agencies reported using 56 different information control markings to protect sensitive information other than classified national security material. That same month, the National Security Archive offered that, of 37 agencies surveyed, 24 used 28 control markings based on internal policies, procedures, or practices, and eight used 10 markings based on statutory authority. These [[Page S90]] numbers are important in terms of the variety of such markings. GAO explained this dimension of the management problem. [T]here are at least 13 agencies that use the designation For Official Use Only [FOUO], but there are at least five different definitions of FOUO. At least seven agencies or agency components use the term Law Enforcement Sensitive (LES), including the U.S. Marshals Service, the Department of Homeland Security (DHS), the Department of Commerce, and the Office of Personnel Management (OPM). These agencies gave differing definitions for the term. While DHS does not formally define the designation, the Department of Commerce defines it to include information pertaining to the protection of senior government officials, and OPM defines it as unclassified information used by law enforcement personnel that requires protection against unauthorized disclosure to protect the sources and methods of investigative activity, evidence, and the integrity of pretrial investigative reports. Apart from the numbers, however, is another aspect of the management problem, which GAO described in the following terms. There are no governmentwide policies or procedures that describe the basis on which agencies should use most of these sensitive but unclassified designations, explain what the different designations mean across agencies, or ensure that they will be used consistently from one agency to another. In this absence, each agency determines what designations to apply to the sensitive but unclassified information it develops or shares. These markings also have implications in another regard. The importance of information sharing for combating terrorism and realizing homeland security was emphasized by the National Commission on Terrorist Attacks Upon the United States. That the variously identified and marked forms of sensitive but unclassified (SBU) information could be problematic with regard to information sharing was recognized by Congress when fashioning the Homeland Security Act of 2002. Section 892 of that statute specifically directed the President to prescribe and implement procedures for the sharing of information by relevant federal agencies, including the accommodation of ``homeland security information that is sensitive but unclassified.'' On July 29, 2003, the President assigned this responsibility largely to the Secretary of Homeland Security. Nothing resulted. The importance of information sharing was reinforced two years later in the report of the Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction. Congress again responded by mandating the creation of an Information Sharing Environment (ISE) when legislating the Intelligence Reform and Terrorism Prevention Act of 2004. Preparatory to implementing the ISE provisions, the President issued a December 16, 2005, memorandum recognizing the need for standardized procedures for SBU information and directing department and agency officials to take certain actions relative to that objective. In May 2006, the newly appointed manager of the ISE agreed with a March GAO assessment that, oftentimes, SBU information, designated as such with some marking, was not being shared due to concerns about the ability of recipients to adequately protect it. In brief, it appears that pseudo-classification markings have, in some instances, had the effect of deterring information sharing for homeland security purposes. Congressional overseers have probed executive use and management of information control markings other than those prescribed for the classification of national security information, and the extent to which they result in ``pseudo- classification'' or a form of overclassification. Relevant remedial legislation proposed during the 109th Congress includes two bills (H.R. 2331 and H.R. 5112) containing sections which would require the Archivist of the United States to prepare a detailed report regarding the number, use, and management of these information control markings and submit it to specified congressional committees, and to promulgate regulations banning the use of these markings and otherwise establish standards for information control designations established by statute or an executive order relating to the classification of national security information. A section in the Department of Homeland Security appropriations legislation (H.R. 5441), as approved by the House, would require the Secretary of Homeland Security to revise DHS MD (Management Directive) 11056 to include (1) provision that information that is three years old and not incorporated in a current, active transportation security directive or security plan shall be determined automatically to be releasable unless, for each specific document, the Secretary makes a written determination that identifies a compelling reason why the information must remain Sensitive Security Information (SS1); (2) common and extensive examples of the individual categories of SSI cited in order to minimize and standardize judgment in the application of SSI marking; and (3) provision that, in all judicial proceedings where the judge overseeing the proceedings has adjudicated that a party needs to have access to SSI, the party shall be deemed a covered person for purposes of access to the SSI at issue in the case unless TSA or DHS demonstrates a compelling reason why the specific individual presents a risk of harm to the nation. A May 25, 2006, statement of administration policy on the bill strongly opposed the section, saying it ``would jeopardize an important program that protects Sensitive Security Information (SSI) from public release by deeming it automatically releaseable in three years, potentially conflict with requirements of the Privacy and Freedom of Information Acts, and negate statutory provisions providing original jurisdiction for lawsuits challenging. the designation of SSI materials in the U.S. Courts of Appeals.'' The statement further indicated that the section would create a burdensome review process'' for the Secretary of Homeland Security and would result in different statutory requirements being applied to SSI programs administered by the Departments of Homeland Security and Transportation.'' ____ Congressional Research Service, Washington, DC., September 14, 2006. From: Alfred Cumming, Specialist in Intelligence and National Security, Foreign Affairs, Defense, and Trade Division. Subject: Congressional Oversight of Intelligence. This memorandum examines the intelligence oversight structure established by Congress in the 1970s, including the creation of the congressional select intelligence committees by the U.S. House of Representatives and the Senate, respectively. It also looks at the intelligence oversight role that Congress reserved for congressional committees other than the intelligence committees; examines certain existing statutory procedures that govern how the executive branch is to keep the congressional intelligence committees informed of U.S. intelligence activities; and looks at the circumstances under which the two intelligence committees are expected to keep congressional standing committees, as well as both chambers, informed of intelligence activities. If can be of further assistance, please call at 707-7739. Background In the wake of congressional investigations into Intelligence Community activities in the mid-1970s, the U.S. Senate in 1976 created a select committee on intelligence to conduct more effective oversight on a continuing basis. The U.S. House of Representatives established its own intelligence oversight committee the following year. Until the two intelligence committees were created, other congressional standing committees--principally the Senate and House Armed Services and Appropriations committees--shared responsibility for overseeing the intelligence community. Although willing to cede primary jurisdiction over the Central Intelligence Agency (CIA) to the two new select intelligence committees, these congressional standing committees wanted to retain jurisdiction over the intelligence activities of the other departments and agencies they oversaw. According to one observer, the standing committees asserted their jurisdictional prerogatives for two reasons--to protect ``turf,'' but also to provide ``a hedge against the possibility that the newly launched experiment in oversight might go badly.'' intelligence committees; statutory obligations Under current statute, the President is required to ensure that the congressional intelligence committees are kept ``fully and currently informed'' of U.S. intelligence activities, including any ``significant anticipated intelligence activity,'' and the President and the intelligence committees are to establish any procedures as may be necessary to carry out these provisions. The statute, however, stipulates that the intelligence committees in turn are responsible for alerting the respective chambers or congressional standing committees of any intelligence activities requiring further attention. The intelligence committees are to carry out this responsibility in accordance with procedures established by the House of Representatives and the Senate, in consultation with the Director of National Intelligence, in order to protect against unauthorized disclosure of classified information, and all information relating to sources and methods. The statute stipulates that: ``each of the congressional intelligence committees shall promptly call to the attention of its respective House, or to any appropriate committee or committees of its respective House, any matter relating to intelligence activities requiring the attention of such House or such committee or committees. This provision was included in statute after being specifically requested in a letter from then Senate Foreign Relations Chairman Frank Church and Ranking Minority Member Jacob Javits in an Apr. 30, 1980 letter to then-intelligence committee Chairman Birch Bayh and Vice Chairman Barry Goldwater. Intelligence Committee Obligations Under Resolution In an apparent effort to address various concerns relating to committee jurisdiction, the House of Representatives and the Senate, in the resolutions establishing each of the intelligence committees, included language preserving oversight roles for those standing committees with jurisdiction over matters affected by intelligence activities. Specifically, each intelligence committee's resolution states that: ``Nothing in this [Charter] shall be construed as prohibiting or otherwise restricting the authority of any other committee to study and review any intelligence activity to the extent that such activity directly affects a matter otherwise within the jurisdiction of such committee.'' [[Page S91]] Both resolutions also stipulate that: Nothing in this [charter] shall be construed as amending, limiting, or otherwise changing the authority of any standing committee of the [House/Senate] to obtain full and prompt access to the product of the intelligence activities of any department or agency of the Government relevant to a matter otherwise within the jurisdiction of such committee. Finally, both charters direct that each intelligence committee alert the appropriate standing committees, or the respective chambers, of any matter requiring attention. The charters state: The select committee, for the purposes of accountability to the [House/Senate] shall make regular and periodic reports to the [House/Senate] on the nature and extent of the intelligence activities of the various departments and agencies of the United States. Such committee shall promptly call to the attention of the [House/Senate] or to any other appropriate committee or committees of the [House/Senate] any matters requiring the attention of the [House/Senate] or such other appropriate committee or committees. Cross-over Membership Both resolutions also direct that the membership of each intelligence committee include members who serve on the four standing committees that historically have been involved in intelligence oversight. The respective resolutions designate the following committees as falling in this category: Appropriations, Armed Services, Judiciary, and the Senate Foreign Relations Committee and the House International Relations Committee. Although each resolution directs that such cross-over members be designated, neither specifies whether cross-over members are to play any additional role beyond serving on the intelligence committees. For example, neither resolution outlines whether cross-over members are to inform colleagues on standing committees they represent. Rather, each resolution directs only that the ``intelligence committee'' shall promptly call such matters to the attention of standing committees and the respective chambers if the committees determine that they require further attention by those entities. Summary Conclusions Although the President is statutorily obligated to keep the congressional intelligence committees fully and currently informed of intelligence activities, the statute obligates the intelligence committees to inform the respective chambers, or standing committees, of such activities, if either of the two committees determine that further oversight attention is required. Further, resolutions establishing the two intelligence committees make clear that the intelligence committees share intelligence oversight responsibilities with other standing committees, to the extent that certain intelligence activities affect matters that fall under the jurisdiction of a committee other than the intelligence committees. Finally, the resolutions establishing the intelligence committees provide for the designation of ``cross-over'' members representing certain standing committees that played a role in intelligence oversight prior to the establishment of the intelligence committees in the 1970s. The resolutions, however, do not specify what role, if any, these ``cross- over'' members play in keeping standing committees on which they serve informed of certain intelligence activities. Rather, each resolution states that the respective intelligence committee shall make that determination. ____ S. 82 Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Intelligence Community Audit Act of 2007''. SEC. 2. COMPTROLLER GENERAL AUDITS AND EVALUATIONS OF ACTIVITIES OF ELEMENTS OF THE INTELLIGENCE COMMUNITY. (a) Reaffirmation of Authority; Audits of Intelligence Community Activities.--Chapter 35 of title 31, United States Code, is amended by inserting after section 3523 the following: ``Sec. 3523a. Audits of intelligence community; audit requesters ``(a) In this section, the term `element of the intelligence community' means an element of the intelligence community specified in or designated under section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)). ``(b) Congress finds that-- ``(1) the authority of the Comptroller General to perform audits and evaluations of financial transactions, programs, and activities of elements of the intelligence community under sections 712, 717, 3523, and 3524, and to obtain access to records for purposes of such audits and evaluations under section 716, is reaffirmed; and ``(2) such audits and evaluations may be requested by any committee of jurisdiction (including the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate), and may include matters relating to the management and administration of elements of the intelligence community in areas such as strategic planning, financial management, information technology, human capital, knowledge management, information sharing (including information sharing by and with the Department of Homeland Security), and change management. ``(c)(1) The Comptroller General may conduct an audit or evaluation of intelligence sources and methods or covert actions only upon request of the Select Committee on Intelligence of the Senate or the Permanent Select Committee on Intelligence of the House of Representatives, or the majority or the minority leader of the Senate or the House of Representatives. ``(2)(A) Whenever the Comptroller General conducts an audit or evaluation under paragraph (1), the Comptroller General shall provide the results of such audit or evaluation only to the original requestor, the Director of National Intelligence, and the head of the relevant element of the intelligence community. ``(B) The Comptroller General may only provide information obtained in the course of an audit or evaluation under paragraph (1) to the original requestor, the Director of National Intelligence, and the head of the relevant element of the intelligence community. ``(3)(A) Notwithstanding any other provision of law, the Comptroller General may inspect records of any element of the intelligence community relating to intelligence sources and methods, or covert actions in order to conduct audits and evaluations under paragraph (1). ``(B) If in the conduct of an audit or evaluation under paragraph (1), an agency record is not made available to the Comptroller General in accordance with section 716, the Comptroller General shall consult with the original requestor before filing a report under subsection (b)(1) of that section. ``(4)(A) The Comptroller General shall maintain the same level of confidentiality for a record made available for conducting an audit under paragraph (1) as is required of the head of the element of the intelligence community from which it is obtained. Officers and employees of the Government Accountability Office are subject to the same statutory penalties for unauthorized disclosure or use as officers or employees of the intelligence community element that provided the Comptroller General or officers and employees of the Government Accountability Office with access to such records. ``(B) All workpapers of the Comptroller General and all records and property of any element of the intelligence community that the Comptroller General uses during an audit or evaluation under paragraph (1) shall remain in facilities provided by that element of the intelligence community. Elements of the intelligence community shall give the Comptroller General suitable and secure offices and furniture, telephones, and access to copying facilities, for purposes of audits and evaluations under paragraph (1). ``(C) After consultation with the Select Committee on Intelligence of the Senate and with the Permanent Select Committee on Intelligence of the House of Representatives, the Comptroller General shall establish procedures to protect from unauthorized disclosure all classified and other sensitive information furnished to the Comptroller General or any representative of the Comptroller General for conducting an audit or evaluation under paragraph (1). ``(D) Before initiating an audit or evaluation under paragraph (1), the Comptroller General shall provide the Director of National Intelligence and the head of the relevant element with the name of each officer and employee of the Government Accountability Office who has obtained appropriate security clearance and to whom, upon proper identification, records, and information of the element of the intelligence community shall be made available in conducting the audit or evaluation. ``(d) Elements of the intelligence community shall cooperate fully with the Comptroller General and provide timely responses to Comptroller General requests for documentation and information. ``(e) Nothing in this section or any other provision of law shall be construed as restricting or limiting the authority of the Comptroller General to audit and evaluate, or obtain access to the records of, elements of the intelligence community absent specific statutory language restricting or limiting such audits, evaluations, or access to records.''. (b) Technical and Conforming Amendment.--The table of sections for chapter 35 of title 31, United States Code, is amended by inserting after the item relating to section 3523 the following: ``3523a. Audits of intelligence community; audits and requesters.''. ______