(Editor’s Note: The authors share their insights on U.S. government classification and declassification process on the Just Security Podcast. Listen to the episode here).
The discovery of classified documents in the personal residences and offices of Donald Trump, Mike Pence, and Joe Biden have reinvigorated a public conversation surrounding the U.S. government’s classification system that seems to emerge every few years. In 2015, it was former Secretary of State Hillary Rodham Clinton’s use of a private email server. In 2010 and 2013, it was disclosures by Chelsea Manning and Edward Snowden, respectively. Yet, despite the long history of classified document scandals, many journalists, judges, lawyers, and other outside observers hold fundamental misconceptions about how classification and declassification actually work in the federal government on a day-to-day basis. Since the Mar-a-Lago scandal broke, numerous well-intentioned articles have attempted (see here, here, and here) to explain classification and declassification to the public, along with prolific pontificating from “experts” on Twitter, but this commentary often overlooks basic realities about how the U.S. classification system operates. Drawing from the authors’ experiences at the Central Intelligence Agency and Department of Defense, this article seeks to dispel several myths that have emerged about classification and declassification, particularly regarding presidential and vice-presidential authority, while also providing perspective on how these processes are carried out in the real world.
Classification 101
At its core, classified information is information relating to national security that warrants special protection from unauthorized disclosure, due to the damage to national security that may result from its release. Ostensibly, this information assists presidents in carrying out their constitutional duties as commander-in-chief and other responsibilities relating to national security and foreign affairs. But in reality, only a small fraction of this information actually reaches the president; the vast majority is used by rank-and-file government employees who perform a broad range of national security functions to support these presidential powers. It is also important to understand that the executive branch’s consistent position across administrations is that classified information is created, owned, and controlled by the president, and that Congress and the courts have extremely limited power to intrude on the president’s authority over this information.
The classification regime is governed by an executive order issued by the president, the current version of which is Executive Order 13526. The order sets forth who can classify and declassify information, which categories of information can be classified, marking and handling instructions for classified records, and several other rules and restrictions. Information is classified as Top Secret, Secret, or Confidential depending on the level of harm to national security that “reasonably could be expected to result” from its unauthorized disclosure. This phrase is key, yet most explainers overlook it. It means that it does not have to be certain that the release of such information would harm national security, just that it “reasonably could be expected.” The difference between “will” and “could” is an important distinction that is often overlooked.
Another underappreciated fact is that information is classified, not documents. Documents are marked as classified depending on the information they contain. The classification marking on the document reflects the highest level of classification for the information contained in the document. But technically speaking, the document isn’t classified; it’s the information in the document that is classified. This distinction is important to understanding how derivative classification and declassification work, as explained further below.
Reality #1: The Role and Importance of “Original Classification Authorities” is Vastly Overstated
There are two types of government officials in the world of classified information: original classification authorities, commonly referred to as “OCAs,” and derivative classifiers. Every document, image, map, notebook, or email with a classification marking must receive that marking from either an OCA or a derivative classifier. Most explainers and commentators focus on the importance of OCAs in the classification system and treat the OCA title with a sort of reverence while typically overlooking the role of derivative classifiers.
An OCA is an official who has been granted special authority under Executive Order 13526 “to classify information in the first instance,” meaning they may determine what level of classification is appropriate (Top Secret, Secret, or Confidential), the duration of classification, and whether the other core requirements of Executive Order 13526 have been met. The president and vice president are OCAs, as are agency heads designated by the president and other officials who have been delegated this authority in writing. As of 2021, there were 1,491 OCAs within the federal government. For comparison, approximately 2.2 million Americans hold and use a security clearance. OCAs are required to receive annual training, and whenever the government files a declaration in court explaining why information is properly classified, it always comes from an OCA. That said, the vast majority of OCAs have regular duties that are wholly unrelated to classification, but automatically receive the OCA authority by virtue of their position.
While being an OCA sounds like an important responsibility, the reality is that the vast majority of OCAs never exercise that authority. As a practical matter, almost all records within the federal government are not classified by OCAs; instead, they are derivatively classified by rank-and-file government employees. Derivative classification is set forth in section 2of the Executive Order 13526 and is typically overlooked. Derivative classification can occur in two ways. First, if a government employee is creating a new document and pulls in classified source material from another document, that official is required to “carry forward” the classification markings for the sourced information. Second, information can be derivatively classified in accordance with classification guides, when an employee consults a published guide to determine the appropriate classification level (more on that below).
Statistics bear this out. In 2017, approximately 99.88 percent of all classification decisions were derivative, rather than being original classification decisions made by an OCA. This means that in the government’s daily classified workflow, OCAs might as well not exist – except to the limited extent necessary to create the classification guides. As one example, over a five year period, only one CIA employee – the head of the agency’s classification program – exercised their OCA authority. Presidents and vice presidents also rarely exercise their OCA authority. Most documents they handle are derivatively classified before ever reaching their desks. They might originally classify their notes and other documents they create in the first instance, but rarely go beyond that.
Because of how derivative classification authority works, most employees will never consult with an OCA regarding classification decisions. Instead, they look to one of 2,116 classification guides that exist within the federal government. Classification guides are prepared by a very small subset of OCAs – either the senior official in charge of classification for the agency or the OCA responsible for the information at issue. Some agencies, like the CIA, have one classification guide covering the entire agency. In contrast, the Department of Defense, which has multiple agencies and departments within its sprawling organization, has over 1,500 guides!
The classification guide of the Office of the Director of National Intelligence (ODNI) illustrates how the guides operate. Sections 3.1-3.8 of the guide set forth categories of information and the level at which they should be classified. If an ODNI employee drafts a report using ODNI information, they consult the guide to decide how to classify the document. For instance, if the document contained information about an intelligence collection capability, the author would consult the “Collection” section of the guide (section 3.3) and determine at what level the information should be classified, which generally depends on how specific the information is and to what degree it could expose the collection method. In this scenario, the derivative classifier is not actually classifying the information in the document; the OCA who wrote the guide has already classified that broad category of information, and the employee is simply deciding which categories apply to the information at issue and then marking the document appropriately. If the author also relied on information from another document, such as a CIA cable, they should “carry forward” the classification level for the cable’s information into the new document. In theory, the author should “portion mark” each paragraph in the document with the appropriate classification level for that paragraph, although in reality, this often doesn’t happen except in formal documents. Finally, the author should then give the document an overall classification level (indicated in its header and footer) that reflects the highest classification level of the information it contains. To enforce all of this, IT systems for national security agencies typically require employees to classify a document, with reference to the applicable guide section, prior to saving it (or prior to sending an email).
At least this is how it’s supposed to work. The reality is that many government employees don’t give much thought to the proper classification level for the documents they create. They are too busy, they are not classification experts, and the guides are dense and far from user-friendly. A typical employee might have a general feel for when a document should be classified Confidential versus Secret versus Top Secret, but they will not typically spend much time analyzing that question and will spend even less time reading the guide itself. As mentioned, IT systems typically require the author to cite the applicable classification guide section when saving documents or sending an email, but the systems also let employees create “favorites” that allow them to quickly select the classification level (with reference to a specific guide section, like “Collection-Top Secret”) with a single click.
If OCAs hold a power that is almost irrelevant to our classification system, why do commentators give them so much attention? One reason is that when classified information is litigated in court – such as in Freedom of Information Act (FOIA) proceedings, state secrets assertions, or criminal prosecutions – the government invariably files declaration from an OCA explaining why the information is currently and properly classified. In doing so, however, the OCA is not exercising their OCA authority to classify the information at issue. Almost always, the information has already been derivatively classified by a lower-level employee who created the relevant documents. The OCA is instead supporting a classification decision that was already made, (although in some instances, they might revise it slightly). Viewed this way, the OCA essentially serves as an expert witness who is testifying as to why the information is currently and properly classified. In theory, any employee with requisite experience could file these declarations, but courts and the Department of Justice have grown to accept that this testimony should come from an OCA. The “OCA” title is simply an expert qualification, like having an advanced degree.
Reality #2: Declassification Authority Is More Important than Original Classification Authority
All that said, there is a closely-related authority that matters quite a bit in these OCA declarations, and that is declassification authority. Declassification authority is the power to take information that was previously classified and render it unclassified and therefore releasable to the public. Section 3.1(b) of Executive Order 13526 explains that an OCA can declassify information only if they originally classified it or are the successor to the person who originally classified it. As explained above, OCAs rarely classify information originally, so this type of declassification authority is somewhat toothless. However, OCAs or other officials can separately receive “delegated declassification authority in writing by the agency head or the senior [classification] official at the agency.” This delegated authority gives the recipients broader authority to declassify information originating from their agency. It might apply to all information originating from the agency, or only to information originating from a specific department of the agency. Given the weightier responsibilities, only a fraction of OCAs also have this delegated declassification authority.
Most officials who sign declarations in court have declassification authority in addition to being an OCA. This declassification authority is critical, and it is the authority that they actually exercise when filing their declarations. In hyper-technical terms, they are actually declining to exercise their declassification authority. Because the information at issue was normally classified before coming before the court, there is nothing to classify originally. Instead, the declarant is really explaining why the information remains properly classified and therefore cannot be publicly released pursuant to the declarant’s declassification authority. This nuance is lost even on many government attorneys, however, so the declarations typically just read more like an explanation of why the information was properly classified in the first instance.
Reality #3: There are Three Distinct Types of Declassification
Although the term “declassification” has now entered the public discourse, thanks in part to former President Donald Trump’s unsupported claims that he declassified the White House records he took to his Mar-a-Lago home, most commentators overlook the fact that there are actually three distinct types of declassification. Executive Order 13526 defines declassification as “the authorized change in the status of information from classified information to unclassified information.” That’s easy enough to understand, but from there things get more complicated. While with each type of declassification, information is taken from classified to unclassified, how, and why one gets to that point differs in meaningful ways.
The first type of declassification is the most common but doesn’t have a name, so let’s just call it “routine” declassification. Routine declassification occurs when the information “no longer meets the standards for classification under” Executive Order 13526. It simply means that someone, likely a derivative classifier, considered the information classified at one point in time, but now the declassification authority reviewing the information has determined that it no longer meets the executive order’s classification requirements. This most commonly occurs because the official determines that public disclosure of the information could no longer be expected to harm national security, either (1) due the passage of time or changed circumstances or (2) because the derivative classifier misclassified the information in the first instance. Routine declassification may be carried out by the OCA who classified the information originally, their successor, their supervisor, or officials who have specifically been granted delegated declassification authority (referenced above). The Director of National Intelligence and other senior, designated ODNI officials may also declassify sources and methods information. Routine declassification most regularly occurs when reviewing records for release under a FOIA request and other public release programs, and agencies typically grant declassification authority to officials who supervise these releases.
The second type of declassification is “public interest” declassification, which can occur when the “public interest in disclosure outweighs the damage to the national security.” It differs from routine declassification in two important ways: First, with routine declassification, an official has determined that the release of the information would not harm national security, but with public interest declassification, the official believes it would still harm national security, but that the public interest outweighs the need to protect the information. Second, public interest declassification may only be exercised by the agency head or the senior classification official at the agency, which is a much more limited universe of people than routine classification. Not surprisingly, then, public interest declassification is exercised more sparingly. Some examples include declassifying information for use in espionage, leaks, or terrorism prosecutions, or the declassification of information about Russia’s war plans in the lead up to its invasion of Ukraine.
Prudent government lawyers typically recommend that any public interest declassification decisions be documented in a memorandum from the agency head, so there is a clear record of what was declassified. The memorandum also provides evidence that the declassification was a deliberate, carefully considered decision. Whenever “X” information is declassified, outsiders (FOIA requestors, criminal defendants, and others) will often then claim that “Y” and “Z” information should be declassified too. If the government has a public interest declassification memo to point to, it can make it easier to explain that this was a one-time, discretionary decision based on a careful public interest balancing, and that the declassification did not extend further by careful design. But this documentation is not a requirement and as discussed below, this type of formality often does not take place when the president declassifies the information.
The third type of declassification is “automatic” declassification, which occurs solely based on the passage of time, when the duration of classification surpasses the limits set forth in Executive Order 13526. Under section 3.3 of the Order, automatic declassification requirements typically begin 25 years after the information was classified, but there are exemptions that can extend protection for particularly sensitive information. The rules on automatic declassification are complicated, but it is important to understand that automatic declassification is similar to public interest declassification in that the release of the information might actually harm national security, but the president has determined (through the rules set forth in Executive Order 13526) that it should still be released due to the passage of time and the public’s interest in accessing this historical information.
The term “declassification” is thrown around quite frequently, but it is important to always stop and consider which type of declassification is being discussed. Even many government officials do not understand these distinctions, and it’s doubtful that someone like Trump considered which type of declassification he was employing when he attempted to declassify various Russia-related documents. In addition, readers now know not to be fooled into thinking that a significant public release is imminent whenever a president calls for a “declassification review” of certain records. That can simply refer to a “routine” declassification review, which means that any information that is currently classified will remain that way at the conclusion of the review. If you want a forward-leaning review, look for indicators of a “public interest” declassification review.
Reality #4: Presidents Have Broad Declassification Authority and Need Not Follow Any Formal Procedures
Trump’s unsupported claims that he declassified the White House records at Mar-a-Lago also generated conversation about the president’s power to declassify information. Here, too, much of the commentary was misinformed. Everyone rightly agrees that the president has broad declassification authority. Focusing just on its language, Executive Order 13526 grants declassification authority to “a supervisory official of either the originator or his or her successor in function, if the supervisory official has original classification authority.” As head of the executive branch, the president would plainly qualify as a “supervisory official” over all other OCAs. Even putting that language aside, given that classified information is created by and for the president under the Order, the president also has inherent authority to declassify information (1) as the creator of Executive Order 13526 and (2) through their constitutional authority over national security information. See, e.g., Dept. of the Navy v. Egan, 484 U.S. 518, 527 (1988) (“[Presidential] authority to classify and control access to information bearing on national security…flows primarily from this constitutional investment of [Commander in Chief] power in the President.”).
The only question then is: must the president follow any specific declassification procedures? The answer is a resounding no for two reasons. First, Executive Order 13526 on its face contains no such declassification procedures. The Order sets forth (1) who may declassify information and (2) what standards they should apply, but beyond that, there is no additional process required. While both individual agencies and the Information and Security Oversight Office have developed additional rules about how declassification should be carried out, none of these procedures apply to the president. Second, given the president’s constitutional authority over both classified information and the administration of presidential executive orders, even if Executive Order 13526 did establish constraints, they are at most self-constraints that the president has the power to ignore.
Yet, again, commentators regularly got this point wrong, instead claiming that there are formal declassification procedures that apply to the president. They often cite New York Times v. Central Intelligence Agency, in which the Second Circuit stated that “declassification, even by the President, must follow established procedures,” citing Executive Order 13526. This is a great example of how even courts and, in some instances, the Department of Justice itself (which asserted the same proposition in its appellate brief), do not fully understand declassification. Executive Order 13526 is a public document and relatively short. If it outlines declassification procedures that apply to the president, it should not be hard to find them. But neither the commentators nor the Second Circuit cite to any specific provisions in the Order, and for good reason – they do not exist.
Ideally, the President should normally follow certain procedures when declassifying information. The obvious correctness of this proposition is likely what led to the Second Circuit’s mistake, along with the fact that it was bending over backwards to avoid finding that Trump declassified a covert program with a single tweet. It sounds like the right answer, but it’s not legally supported. In a perfect world, anytime the president wanted to declassify something, they would (1) consult with senior officials from the agencies that originated the information, as well as those with an interest in the information (for instance, the State Department if the information had diplomatic repercussions) and (2) document the decision in writing so that agencies could properly implement it, including by downgrading and properly marking documents that contained the declassified information. But even then, the president should be free to declassify information by whatever means they choose. For instance, on the night of the Osama bin Laden raid, President Obama was fully within his power to promptly declassify the existence of the operation via his nationally televised speech. One could imagine other scenarios where the president determines that it is a national security imperative to quickly declassify information to share it with the public. It would be unwise to impose formal processes and documentation requirements in these types of situations, even if the best practices outlined above should still be followed where possible.
If Congress is interested in legislating in this area, the best solution is to require that anytime the president orders the declassification of certain information, the congressional oversight committees be promptly notified in writing of what was declassified and why. A similar requirement already exists with covert action notification under 50 U.S.C. § 3093without unduly inhibiting the president, even though ordering covert action is an important presidential authority. While this provision would not require the president to follow any procedures before declassifying information, the necessity of informing Congress in writing after the fact would have the practical effect of imposing some discipline on the process.
Reality #5: Presidents Rarely Declassify Information
Another important point missing from the commentary about presidential declassification authority is that presidents rarely exercise these powers. This is true for several reasons, including the fact that White House and National Security Council (“NSC”) staff typically don’t want to burden the president with personally declassifying information. This is especially true when the underlying events being declassified generate bad publicity. Instead, what normally happens is that the White House and NSC staff, after consulting with the president, direct the relevant agencies to carry out a declassification process, while at most providing general guidance as to what they want to be disclosed and how forward-leaning the agencies should be during their reviews. This is not ordering declassification, but rather initiating a declassification process.
One example of this more informal process is when the president wants to give a speech on a topic of national importance, such as when Obama spoke about U.S. government drone strikes. A draft of the speech is written, marked and treated as classified, and remains classified while going through the interagency review process. Once the relevant parties are comfortable with the speech, the classification markings are removed and it is considered declassified. In some instances, a classification expert from the relevant agency might review it shortly before release to formally “bless” its declassified status, but this person would typically just defer to what that the interagency process produced. The point, however, is that there is typically no specific presidential declassification order associated with this process.
The same thing might happen if there is a pending document release, which could come through a FOIA case, the publication of a congressional report, or the discretionary release of historical documents. Here too there might be general direction from the White House and NSC staff to the agencies processing these releases, but the president will rarely get involved in the details, and formal written orders are rarely issued. Even when the famous “Bin Ladin Determined To Strike in US” Presidential Daily Brief was declassified and released in April 2004, it was Director of Central Intelligence George Tenet who declassified it, not President George W. Bush. More recently, President Biden got credit for ordering the declassification of certain documents about the September 11th attacks, including information about Saudi Arabia’s role, but when reading the order closely it becomes clear that he ordered the agencies to evaluate the records for declassification; Biden did not personally declassify anything, although he did encourage the agencies to lean forward and engage in public interest declassification.
Outside of a deliberate process, a president personally effectuating the declassification of information normally happens just by saying something publicly, or even Tweeting it. Again, on the night of the bin Laden raid, Obama decided in the span of a few hours to declassify the existence of the operation – no special formalities or written orders were required. In the strange era of Twitter under Trump, he declassified information on numerous occasions by simply hitting the “send” button, including the time he published a reportedly classified image of an Iranian missile site. Although it may have been unwise, this action was perfectly lawful, even if no formal process was involved.
Presidents perhaps most commonly make ad hoc information release decisions when engaging with foreign leaders on national security matters. There are formal inter-agency processes in place for clearing classified information for release to foreign governments, which the National Security Council typically follows when preparing presidents for discussions with foreign leaders. Presidents are not bound by this process, however, and can make on the spot decisions that result in sharing additional, uncleared classified information with those leaders. Whether this sharing results in declassification of that information is a complicated, fact-dependent question on what was was shared, with whom, and under what circumstances, but it’s still another example of where the president is not bound by the formal rules that apply to the rest of the Executive Branch.
The point of all this is that instances where the president personally orders the declassification of information are relatively rare. In May 2013, Obama declassified the fact that four Americans were killed in U.S. counterterrorism operations outside of areas of active hostilities, which was then disclosed in a letter to Congress from Attorney General Eric Holder. In April 2015, Obama declassified another U.S. counterterrorism operation that accidentally killed two hostages, one of whom was a U.S. citizen, Warren Weinstein. Ironically, one of the best example of a formal declassification order from a president over the last two decades comes from Trump, who issued a memo declassifying materials from the FBI’s Crossfire Hurricane investigation the day before he left office – Jan. 19, 2021. This order may end up undercutting Trump’s claims that he was declassifying documents in his head at the same time, given the formalities that he followed by issuing the memo.
Reality #6: Vice-Presidential Declassification Authority is Very Limited
Finally, due to the discovery of classified records at Biden’s home and personal residence from his time as vice president, and similar revelations involving Mike Pence, there has also been discussion about vice presidential declassification authority. The vice president does have declassification authority, but it is quite limited. Under Executive Order 13526, the vice president has original classification authority, which means they may also declassify information that they or their predecessor originally classified. However, as a practical matter, the vice president – like the president – originally classifies little, if any, information, rendering this declassification authority mostly moot. The only argument that the vice president has declassification authority beyond this would rest on distinct declassification authority provided for certain “supervisory officials.” But as a general matter, the vice president is not considered a supervisory official of other executive branch officials, so this broader declassification authority does not apply to the vice president.
Conclusion
The point of this article is not to pick on the commentators who missed the mark with their analysis. The U.S. classification regime is confusing, even for those who regularly operate within it. But it is important for outside observers to understand how classification and declassification actually work on a day-to-day basis, especially since those issues are now a regular part of the public discourse. With respect to presidential authorities, it is equally important for the public to understand that the classification system ultimately rests on the assumption that the president will act in good faith, not out of spite, and in the national interest, not personal predilection. Most presidents have done so to date, which is why we have not previously had dialogue about presidential declassification authority and what limits should be placed on it. Trump’s departure from those norms has shown the weakness of that assumption, and time will tell whether such conduct is a temporary anomaly or a new norm.