Classification

[Mister Andersen]

Something I came across that struck me as useful:

Actually, need to know isn't so much a classification as a description of how folks who have that level of clearance are permitted access based upon their roll within the organization.  Top secret is the highest level of classification known to exist within the US government (though there are rumors that there are higher levels not made public), but even then, if you don't have a "need to know" the contents because of the details of your position, then it doesn't matter if you have that level of clearance, you won't be permitted access.

There is such a thing as compartmentalized which can be considered above top secret. In a way that is what the names are. In essence all it does is say who can access the information but it is often viewed as a higher security clearance.  In the end, it all comes down to need to know. Having a top secret clearance does not give you access to any top secret information. All it does is say that in theory, you are trust worthy enough to access the data if you have a need to know it. Generally speaking there are five basic
levels of clearance:

Sensitive, which usually deals with information like health records and such. Or in other words will not cause any real damage to the organization but might hurt the personnel

Confidential, information that can cause some damage to the organization if known

Secret, information that can cause severe damage to an organization if known

Top Secret, information that can cause extreme damage to an organization if known,

Top Secret compartmentalized, information that can cause even more extreme damage to an organization if known and generally deals with a project or time sensitive data.

First of all, much of this depends on the particulars of the organization.  The situation may be different in other countries, but I can say a bit about how it works in the U.S.

Within the Department of Energy complex, "need to know" is not a level of security.  (Frankly, I doubt it's a level of security anywhere.)  In order to access classified information, of any level, a person must have _2_ things;

1) the appropriate security clearance level

2) an official "need to know", which certifies that the person in question cannot perform his or her mandatory work duties without accessing the information in question.

In other words, merely having the equivalent clearance level is not sufficient to gain access to classified information.  "Need to know" is bestowed administratively, via management, and it changes routinely as a person's work duties change.  Within the DOE, the official designator for need-to-know is called Sigma-- which sigmas you have attached to your clearance designate your officially sanctioned need to know.  For
instance, and making up an example, if you "have sigma 26", it means you officially have need-to-know for a specific kind of information.

If somebody accesses classified information while having (1) and not (2), that's an unauthorized disclosure.  The guilty party (the person responsible for the disclosure, not necessarily the recipient) gets a reprimand, and a block spot on the record.  This is not good.

If somebody accesses classified information without having (1), that's a breach of security.  In this case the responsible party is guilty of a federal crime, and has a very bad day.  Note that mishandling classified information can also be a federal crime.

Note also that "classification" is really 2-dimensional, not simply 1-d. In other words, there are classification _levels_ and classification _categories_.  A security clearance pertains to a set of combinations of levels & categories that a person has been "cleared" to handle.  Sigma pertains to the details of the information in question.  Yes, it's confusing.  It's the government, what do you expect?  ;-P

Also, different organizations (e.g, the Department of Energy, the Department of Defense, etc.) have different terms for different classification levels and categories.  There is no such thing as a "universal" security clearance or classification level.  "Secret" in one organization might be equivalent to "Top Secret" somewhere else.

And *please* note that these don't carry over from organization to organization. For example, a 5-star general with, say, a DoD Top Secret clearance can't simply walk in to the CIA and look at their Top Secret information.  Not unless he or she *also* holds the relevant CIA clearances and need-to-know.  This is one of the most unrealistic
depictions of security- and classification-related matters in books, films, and television.

Another huge mistake in a lot of fiction is when characters discuss classified information at home, in their cars, in the grocery store... You can only discuss classified information inside a facility that has been constructed and certified to very rigorous standards.  If you want to discuss Top Secret information, you can only do that in a facility that is certified for that level of information.

Anybody who discusses classified information outside of the relevant facility (e.g., outside the building they work in) is guilty of a felony.

And don't even think about having people discuss this stuff on the telephone, or by email, or what have you.  Not unless they're using special telephones on dedicated lines.

[Rhishisikk]

Two skills:  Bluff and Falsify

CAN you get information?  Quite easily.  But you'd best have a Hacker on your team and about a week's head start.

Paranoia Security clearance: Red, Orange, Yellow, Green, Blue, Indigo, Violet.  An elegant system that some of my villain organizations have adopted.

OPSEC system, which I last saw in XXX: Green (public), Yellow (classified), Orange (secret), Red (top secret), Black (eyes only, no paper copies, never leaves base), Double Black (oral record only, President not authorized for plausible deniability)

[Salsa]

LOL I wonder how many times people in "24" have commited such felonies

[TheTSKoala]

Something I came across that struck me as useful:

Actually, need to know isn't so much a classification as a description of how folks who have that level of clearance are permitted access based upon their roll within the organization.  Top secret is the highest level of classification known to exist within the US government (though there are rumors that there are higher levels not made public), but even then, if you don't have a "need to know" the contents because of the details of your position, then it doesn't matter if you have that level of clearance, you won't be permitted access.

There is such a thing as compartmentalized which can be considered above top secret. In a way that is what the names are. In essence all it does is say who can access the information but it is often viewed as a higher security clearance.  In the end, it all comes down to need to know. Having a top secret clearance does not give you access to any top secret information. All it does is say that in theory, you are trust worthy enough to access the data if you have a need to know it. Generally speaking there are five basic
levels of clearance:

Sensitive, which usually deals with information like health records and such. Or in other words will not cause any real damage to the organization but might hurt the personnel

Confidential, information that can cause some damage to the organization if known

Secret, information that can cause severe damage to an organization if known

Top Secret, information that can cause extreme damage to an organization if known,

Top Secret compartmentalized, information that can cause even more extreme damage to an organization if known and generally deals with a project or time sensitive data.

First of all, much of this depends on the particulars of the organization.  The situation may be different in other countries, but I can say a bit about how it works in the U.S.

Within the Department of Energy complex, "need to know" is not a level of security.  (Frankly, I doubt it's a level of security anywhere.)  In order to access classified information, of any level, a person must have _2_ things;

1) the appropriate security clearance level

2) an official "need to know", which certifies that the person in question cannot perform his or her mandatory work duties without accessing the information in question.

In other words, merely having the equivalent clearance level is not sufficient to gain access to classified information.  "Need to know" is bestowed administratively, via management, and it changes routinely as a person's work duties change.  Within the DOE, the official designator for need-to-know is called Sigma-- which sigmas you have attached to your clearance designate your officially sanctioned need to know.  For
instance, and making up an example, if you "have sigma 26", it means you officially have need-to-know for a specific kind of information.

If somebody accesses classified information while having (1) and not (2), that's an unauthorized disclosure.  The guilty party (the person responsible for the disclosure, not necessarily the recipient) gets a reprimand, and a block spot on the record.  This is not good.

If somebody accesses classified information without having (1), that's a breach of security.  In this case the responsible party is guilty of a federal crime, and has a very bad day.  Note that mishandling classified information can also be a federal crime.

Note also that "classification" is really 2-dimensional, not simply 1-d. In other words, there are classification _levels_ and classification _categories_.  A security clearance pertains to a set of combinations of levels & categories that a person has been "cleared" to handle.  Sigma pertains to the details of the information in question.  Yes, it's confusing.  It's the government, what do you expect?  ;-P

Also, different organizations (e.g, the Department of Energy, the Department of Defense, etc.) have different terms for different classification levels and categories.  There is no such thing as a "universal" security clearance or classification level.  "Secret" in one organization might be equivalent to "Top Secret" somewhere else.


And *please* note that these don't carry over from organization to organization. For example, a 5-star general with, say, a DoD Top Secret clearance can't simply walk in to the CIA and look at their Top Secret information.  Not unless he or she *also* holds the relevant CIA clearances and need-to-know.  This is one of the most unrealistic
depictions of security- and classification-related matters in books, films, and television.
Another huge mistake in a lot of fiction is when characters discuss classified information at home, in their cars, in the grocery store... You can only discuss classified information inside a facility that has been constructed and certified to very rigorous standards.  If you want to discuss Top Secret information, you can only do that in a facility that is certified for that level of information.

Anybody who discusses classified information outside of the relevant facility (e.g., outside the building they work in) is guilty of a felony.

And don't even think about having people discuss this stuff on the telephone, or by email, or what have you.  Not unless they're using special telephones on dedicated lines.

Bold is not accurate.  Classification levels are handled, monitored and assigned by the NSA.  If something is Top Secret for one Dept., it's Top Secret for everyone.  If not, you'd have Defense Couriers who were really really confused and access Vaults who would be slated as Violation every other day.  (Which, in the Classification world, you NEVER want a violation.)

I believe what the poster is discussing is SBU/CPI/FOUO/LES.  Which is non-class, non-official sensitive material but which is deemed critical or sensitive by the issuing body.

2nd Bold is slightly misleading.  All Security Clearances are equal & issued universally.  Access lists are how they determine what that clearance gains you access to.  "Top Secret" is "Top Secret".

[Krensky]

Also, different organizations (e.g, the Department of Energy, the Department of Defense, etc.) have different terms for different classification levels and categories.  There is no such thing as a "universal" security clearance or classification level.  "Secret" in one organization might be equivalent to "Top Secret" somewhere else.

Bold is not accurate.  Classification levels are handled, monitored and assigned by the NSA.  If something is Top Secret for one Dept., it's Top Secret for everyone.  If not, you'd have Defense Couriers who were really really confused and access Vaults who would be slated as Violation every other day.  (Which, in the Classification world, you NEVER want a violation.)

I believe what the poster is discussing is SBU/CPI/FOUO/LES.  Which is non-class, non-official sensitive material but which is deemed critical or sensitive by the issuing body.

What the original commenter (Not Mr A) might also have meant was that different groups, agencies, and people can interpret the somewhat differently resulting in a (hopefully) temporary condition where it has different classifications in different places until one of the clearinghouses notices. This is usually caused by one or more agencies not being aware the same information was generated (or acquired) in several different places at once and not having the same amount of knowledge regarding it and it's context to make a proper classification. I've seen this in declassified historical stuff (1940s - 1960s) with this sort of confusion on it and it's been known to happen for one group to allow something to become declassified due to time or FOIA requests only to have another (usually the CIA) throw a panic fit and have it reclassified, which is often pointless as the documents in question have dozens of legal (as far as I know) copies in various people and institutions' libraries, on interweb, and often their contents have been written about extensively by historians.

It is worth noting this is an edge case and mainly relates to the time between when something is tentatively classified by the generating agency (if I remember the terminology right) and when the NSA officially classifies it. Mistakes do happen though and I'm sure there's some stuff in the system that one group thinks is one level and a second things is another. It is rare though, probably vanishingly so.

[TheTSKoala]

Also, different organizations (e.g, the Department of Energy, the Department of Defense, etc.) have different terms for different classification levels and categories.  There is no such thing as a "universal" security clearance or classification level.  "Secret" in one organization might be equivalent to "Top Secret" somewhere else.

Bold is not accurate.  Classification levels are handled, monitored and assigned by the NSA.  If something is Top Secret for one Dept., it's Top Secret for everyone.  If not, you'd have Defense Couriers who were really really confused and access Vaults who would be slated as Violation every other day.  (Which, in the Classification world, you NEVER want a violation.)

I believe what the poster is discussing is SBU/CPI/FOUO/LES.  Which is non-class, non-official sensitive material but which is deemed critical or sensitive by the issuing body.

What the original commenter (Not Mr A) might also have meant was that different groups, agencies, and people can interpret the somewhat differently resulting in a (hopefully) temporary condition where it has different classifications in different places until one of the clearinghouses notices. This is usually caused by one or more agencies not being aware the same information was generated (or acquired) in several different places at once and not having the same amount of knowledge regarding it and it's context to make a proper classification. I've seen this in declassified historical stuff (1940s - 1960s) with this sort of confusion on it and it's been known to happen for one group to allow something to become declassified due to time or FOIA requests only to have another (usually the CIA) throw a panic fit and have it reclassified, which is often pointless as the documents in question have dozens of legal (as far as I know) copies in various people and institutions' libraries, on interweb, and often their contents have been written about extensively by historians.

It is worth noting this is an edge case and mainly relates to the time between when something is tentatively classified by the generating agency (if I remember the terminology right) and when the NSA officially classifies it. Mistakes do happen though and I'm sure there's some stuff in the system that one group thinks is one level and a second things is another. It is rare though, probably vanishingly so.

As a mistake, yes.  Agencies are human and are bound by our errs.  However, as an motus operandi, we try to keep everything on the same page.  (And yes.. the CIA is infamous for the either complete utter screw up or being 7 steps behind on national issues at times...)

[Rhishisikk]

So:

Agency Intel:  We can't tell you that, it's Top Secret.
Agent C: Got it!
Agency Intel:  What do you mean, 'Got it'?
Agent C:  My friend in the other agency knows it.

Is a viable Spycraft occurance?  (Provided we, the GC, know the information hasn't been restricted to only Agency Intel?)  I'm going to allow it in my games either way, but wanted to know the 'official' ruling. 

Note a difference that hasn't been stated openly, yet: dissemination.  (Eyes only, FOUO (For official use only))
Take for example the unit tracker used by the US Army Striker units.  It's classified SECRET.  Because EVERYONE had it, it was only a matter of time before a screen shot showed up on the news (complete with red SECRET banner).  The more people that know something, the easier it is to find out.

[Psion]

Bold is not accurate.  Classification levels are handled, monitored and assigned by the NSA.  If something is Top Secret for one Dept., it's Top Secret for everyone.

Right, but that's because one law defines top secret. But there are different laws that also cover handling of sensitive material. For example, when I worked on navy nuclear plants, not only did everything carry a classification marking from DOD, it also carried a "restricted data" marking which stems from another law.

So I wouldn't say the bold is inaccurate so much as imprecise.

[Psion]

Agency Intel:  We can't tell you that, it's Top Secret.
Agent C: Got it!
Agency Intel:  What do you mean, 'Got it'?
Agent C:  My friend in the other agency knows it.

Is a viable Spycraft occurance?

Well, that depends. It was pretty viable up to the last sentence.

If someone cannot verify your clearance level and need to know, even if you do know, they shouldn't be telling you.

But if they think or know that you DON'T have the clearance level and need to know and you know not because you actually do have the clearance, but because a friend with the clearance told you, you are asking agency intel to slam you with a security violation.

[TheTSKoala]

Bold is not accurate.  Classification levels are handled, monitored and assigned by the NSA.  If something is Top Secret for one Dept., it's Top Secret for everyone.

Right, but that's because one law defines top secret. But there are different laws that also cover handling of sensitive material. For example, when I worked on navy nuclear plants, not only did everything carry a classification marking from DOD, it also carried a "restricted data" marking which stems from another law.

So I wouldn't say the bold is inaccurate so much as imprecise.

Imprecise is a better way to put it.  I agree.  And yes, Sensitive vs. Classified.. vs.. Authoring Body.. vs.. Handling Body.. .etc etc.  *slams head into desk* I feel better again. lol

[TheTSKoala]

Agency Intel:  We can't tell you that, it's Top Secret.
Agent C: Got it!
Agency Intel:  What do you mean, 'Got it'?
Agent C:  My friend in the other agency knows it.

Is a viable Spycraft occurance?

Well, that depends. It was pretty viable up to the last sentence.

If someone cannot verify your clearance level and need to know, even if you do know, they shouldn't be telling you.

But if they think or know that you DON'T have the clearance level and need to know and you know not because you actually do have the clearance, but because a friend with the clearance told you, you are asking agency intel to slam you with a security violation.

...and a Violation is the last thing you ever want.  ...ever. 

[Slippery_jim_digris]

Well, that depends. It was pretty viable up to the last sentence.

If someone cannot verify your clearance level and need to know, even if you do know, they shouldn't be telling you.

But if they think or know that you DON'T have the clearance level and need to know and you know not because you actually do have the clearance, but because a friend with the clearance told you, you are asking agency intel to slam you with a security violation.

...and a Violation is the last thing you ever want.  ...ever. 

Pardon my ignorance but what happens if you get a Violation?  And what would that mean in game terms?

[TheTSKoala]

Hypothetically, if the event should occur and if the event had a governing body that knew what to do.. then... if you get a Violation, there can be any number of issues.  The least of the issue would be a formal inquiry by the governing body, revocation of your clearance permanently, removal from all access lists, and alot of paperwork.  If you had a high enough leak, you could possibly find your players being hunted by an NSA, FBI, NCIS, Military Police & possibly the Secret Service.  And if it does get that high, the orders would be "Recover with any means seen neccisary."  You can take that phrase into game terms however you see fit.

[Psion]

Pardon my ignorance but what happens if you get a Violation?  And what would that mean in game terms?

The Koala hit on the big issue. If what you are doing gets judged to be espionage, that's a different matter. But the biggest things you would have to worry about is suspension of security clearance (which, if your job requires a security clearance = your fired), plus whatever regulations your agency/department might levy. I wasn't able to dig up any specific language about consequences from the executive order.

However, while I was looking, I did happen by the wiki page pertaining to classification in the US:
http://en.wikipedia.org/wiki/Classified_information_in_the_United_States
(and actually, there's a general one and ones for various countries, though I don't know how they compare in quality.)

It's pretty good, and answers the question about different agencies issuing their own clearance. The short answer is they used to, but that's pretty much OBE now. If you are runniing a historical game, that could be significant.

In game terms...

In game terms, reprimand/security violation equates to rep loss, though you might invoke other "wanted" events or subplot depending upon the players' legal status.

[TheTSKoala]

Also, to clarify.  The "higher response" I had eluded to would occur under circumstances that an authorized body could forsee the individual(s) who caused the leak or spill as a Present and Persistant threat.  (If they flee when the investigation starts, that's normally a big red flag.)

*Edit* Operational Procedure, hypothetically, would probably be listed under an LES umbrella.