The IT Law Wiki


The White House, Executive Order 13526, "Classified National Security Information," 75 Fed. Reg., No. 2 (Dec. 29, 2009) (full-text).


This Executive Order prescribes a uniform system for classifying, safeguarding, and declassifying national security information, including information relating to defense against transnational terrorism. Under this system, the President, Vice President, agency heads, and any other officials designated by the President may classify information upon a determination that the unauthorized disclosure of such information could reasonably be expected to damage national security.[1] Such information must be owned by, produced by, or under the control of the federal government, and must concern one of the following:

This Order improves the process by which government information becomes "classified," and how long it remains classified. It provides clarified, and stricter, standards for classifying information. It further provides that government information "shall not be considered for classification unless its unauthorized disclosure could reasonably be expected to cause identifiable or describable damage to the national security" according to specified criteria, and furthermore provides explicit reasons for which classification is prohibited.

Information may be classified at one of three levels based on the amount of danger that its unauthorized disclosure could reasonably be expected to cause to national security.[3] Information is classified as "Top Secret" if its unauthorized disclosure could reasonably be expected to cause "exceptionally grave damage" to national security. The standard for "Secret" information is "serious damage" to national security, while for "confidential" information the standard is "damage" to national security. Significantly, for each level, the original classifying officer must identify or describe the specific danger potentially presented by the information's disclosure.[4] In case of significant doubt as to the need to classify information or the level of classification appropriate, the information is to remain unclassified or be classified at the lowest level of protection considered appropriate.[5]

The officer who originally classifies the information establishes a date for declassification based upon the expected duration of the information's sensitivity. If the office cannot set an earlier declassification date, then the information must be marked for declassification in 10 years, or 25 years, depending on the sensitivity of the information.[6] The deadline for declassification can be extended if the threat to national security still exists.[7]

Classified information is required to be declassified "as soon as it no longer meets the standards for classification."[8] The original classifying agency has the authority to declassify information when the public interest in disclosure outweighs the need to protect that information.[9] On December 31, 2006, and every year thereafter, all information that has been classified for 25 years or longer and has been determined to have "permanent historical value" under Title 44 of the U.S. Code will be automatically declassified, although agency heads can exempt from this requirement classified information that continues to be sensitive in a variety of specific areas.[10] But the Order provides that no information may remain classified indefinitely.

Agencies are required to review classification determinations upon a request for such a review that specifically identifies the materials so that the agency can locate them, unless the materials identified are part of an operational file exempt under the Freedom of Information Act (FOIA) or are the subject of pending litigation.[11] This requirement does not apply to information that has undergone declassification review in the previous two years; information that is exempted from review under the National Security Act;[12] or information classified by the incumbent President and staff, the Vice President and staff (in the performance of executive duties), commissions appointed by the President, or other entities within the Executive Office of the President that advise the President.[13] Each agency that has classified information is required to establish a system for periodic declassification reviews.[14] The National Archivist is required to establish a similar systemic review of classified information that has been transferred to the National Archives.[15]

Access to classified information is generally limited to those who demonstrate their eligibility to the relevant agency head, sign a nondisclosure agreement, and have a need to know the information.[16] The need-to-know requirement can be waived, however, for former Presidents and Vice Presidents, historical researchers, and former policy-making officials who were appointed by the President or Vice President.[17] The information being accessed may not be removed from the controlling agency's premises without permission. Each agency is required to establish systems for controlling the distribution of classified information.[18]

Executive Order 13526 also establishes a National Declassification Center (NDC) within the National Archives and Records Administration (NARA).[19] The National Declassification Center is charged with streamlining the declassification process, overseeing quality assurance of agency declassification efforts, and implementing standardized training for the declassification of government records determined to have permanent historical value. Finally, the Order instructs the Information Security Oversight Office (ISOO) within the National Archives Office to implement the Order by issuing directives, "binding on the agencies."[20]

ISOO is headed by a Director, who is appointed by the Archivist of the United States, and who has the authority to order declassification of information that, in the Director's view, is classified in violation of the aforementioned classification standards.[21] In addition, there is an Interagency Security Classifications Appeals Panel ("the Panel"), headed by the ISOO Director and made up of representatives of the heads of various agencies, including the Departments of Defense, Justice, and State, as well as the Central Intelligence Agency, and the National Archives.[22] The Panel is empowered to decide appeals of classifications challenges[23] and to review automatic and mandatory declassifications. If the ISOO Director finds a violation of Executive Order 13526 or its implementing directives, then the Director must notify the appropriate classifying agency so that corrective steps can be taken.

NARA has taken important steps to implement the Order and to ensure that agencies comply with it. In January 2011, the Director of ISOO advised senior agency officials with responsibility to undertake comprehensive review of their classification standards and to facilitate their declassification efforts to issue periodic status reports on their progress. In June 2010, the National Declassification Center created by the Order held an open forum seeking public participation and feedback in response to the NDC's draft plan to implement the Order and to prioritize declassification efforts. The NDC made clear that its efforts would focus on the declassification of government documents "determined to be of high public interest." Following that forum and publication of a draft implementation plan, the NDC issued a final public plan to implement the Order, on which it continues to invite public comment. The NDC also plans biannual reports tracking progress on agency declassification efforts.

Handling of unauthorized disclosures[]

Under Executive Order 13526, each respective agency is responsible for maintaining control over classified information it originates and is responsible for establishing uniform procedures to protect classified information and automated information systems in which classified information is stored or transmitted. Standards for safeguarding classified information, including the handling, storage, distribution, transmittal, and destruction of and accounting for classified information, are developed by the ISOO. Agencies that receive information classified elsewhere are not permitted to transfer the information further without approval from the classifying agency.

Persons authorized to disseminate classified information outside the executive branch are required to ensure it receives protection equivalent to those required internally. In the event of a knowing, willful, or negligent unauthorized disclosure (or any such action that could reasonably be expected to result in an unauthorized disclosure), the agency head or senior agency official is required to notify ISOO and to "take appropriate and prompt corrective action." Officers and employees of the United States (including contractors, licensees, etc.) who commit a violation are subject to sanctions that can range from reprimand to termination.[24]


  1. Executive Order No. 13526. §1.1. The unauthorized disclosure of foreign government information is presumed to damage national security. Id. §1.1(b).
  2. Id. §1.4. In addition, when classified information which is incorporated, paraphrased, restated, or generated in a new form, that new form must be classified at the same level as the original. Id. §§2.1-2.2.
  3. Id. §1.2.
  4. Id. Classifying authorities are specifically prohibited from classifying information for reasons other than protecting national security, such as to conceal violations of law or avoid embarrassment. Id. §1.7(a).
  5. Id. §§1.1-1.2. This presumption is a change from the predecessor order.
  6. Id. §1.5. Exceptions to the time guidelines are reserved for information that can be expected to reveal the identity of a human intelligence source or key design concepts of weapons of mass destruction. Id.
  7. Id. §1.5(c).
  8. Id. §3.1(a).
  9. Id. §3.1(d).
  10. Id. §3.3.
  11. Id. §3.5.
  12. 50 U.S.C. §§403-5c, 403-5e, 431.
  13. Executive Order 13526, §3.5.
  14. Id. §3.4. "Need-to-know" is based on a determination within the executive branch in accordance with relevant directives that a prospective recipient "requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function." Id. §6.1(dd).
  15. Id. §3.4.
  16. Id. §4.1.
  17. Id. §4.4.
  18. Id. §4.2.
  19. Id. §3.7.
  20. The Open Government Directive also requires agencies to include information about their declassification activities as part of their Open Government plans.
  21. Id. §3.1(c).
  22. Id. §5.3.
  23. Id. §5.3(b)(1)-(3). For example, an authorized holder of classified information is allowed to challenge the classified status of such information if the holder believes that status is improper. Id. §1.8.
  24. Id. §5.5. Specifically, administrative sanctions available with respect to "officers and employees of the United States Government, and its contractors, licensees, certificate holders, and grantees" accused of violating government security regulations, "knowingly, willfully, or negligently," include "reprimand, suspension without pay, removal, termination of classification authority, loss or denial of access to classified information, or other sanctions in accordance with applicable law and agency regulation."


See also[]