On February 4, 2015, the Department of Energy’s (“DOE”) Office of the Inspector General released a report on the Federal Energy Regulatory Commission’s (“Commission”) treatment of nonpublic information within the Commission (“Inspection Report”). The “Inspection Report: Review of Controls for Protecting Nonpublic Information at the Federal Energy Regulatory Commission” concluded that the “Commission’s controls, processes and procedures for protecting nonpublic information were severely lacking.”
In particular, the Inspection Report focused on the public release of a March 2013, Commission-created analysis (“March 2013 analysis”) that identified critical substations within the bulk power system and featured substation failure simulations. The Inspection Report states that Commission staff had previously described the contents of the March 2013 analysis as “highly sensitive, nonpublic, unclassified information, noting that the improper disclosure could have significant national energy implications.” Therefore, due to the nature of the information and potential for harm if made public, the Senate Committee on Energy and Natural Resources, and the Commission’s ethics official requested that DOE’s Inspector General review the events that led to the release of the information. In response, the Inspector General initiated a review of whether the Commission had adequate controls in place to prevent the release of such nonpublic information.
Upon completion of its review, the Inspector General found that Commission staff “did not have or implement effective processes to appropriately handle and share Commission-generated electric grid analysis” that contained nonpublic information. Specifically, the Inspection Report noted that when Commission analyses are created using industry information (as was the case with the March 2013 analysis), the analyses are categorized as critical energy infrastructure information (“CEII”) and must be protected under the Commission’s CEII Guidelines, i.e., maintained in a locked area when not in use. Despite these guidelines, the Inspection Report found instances where the March 2013 analysis was not maintained in a locked environment when not in use, and was removed from Commission premises without proper authorization. The Inspection Report also found instances where Commission staff failed to follow CEII guidelines by improperly sharing the March 2013 analysis with other agencies and congressional staff without first obtaining a nondisclosure agreement.
Furthermore, the Inspection Report noted that the Commission failed to receive a timely classification of the March 2013 analysis. The report noted that under an executive order on classified national security information, if an agency employee is unsure about the classification status of a document, that employee must first obtain confirmation from an authorized official before releasing the information. The executive order also requires an agency to obtain a classification within 30 days after being notified of potentially classified information. However, the Inspector General’s review of the Commission’s processes revealed at least four instances where Commission officials expressed concern regarding the classification of the March 2013 analysis, yet Commission staff failed to obtain a formal classification review of the information for almost a year.
The Inspection Report concluded that several factors contributed to the Commission’s improper handling of nonpublic information, including inadequate training and unclear guidelines. The Inspection Report noted that the Commission staff who handled the March 2013 analysis were unfamiliar with Commission policy when handling and sharing CEII information, and were never trained on CEII Guidelines. In addition, even if Commission staff were aware of Commission policy when handling the analysis, the Inspection Report stated that there is no triggering mechanism within the Commission’s CEII guidelines to alert staff to seek a classification review. Finally, the Inspection Report cited a “culture of reluctance to classify certain nonpublic information” within the Commission that contributed to the mishandling of the March 2013 analysis. As a result of the review, the Inspection Report recommended, that in order to protect nonpublic information going forward, the Commission should:
- Ensure Commission employees are aware of and properly trained on their responsibilities related to CEII;
- Ensure Commission employees possess the necessary security clearances and receive adequate initial and refresher training concerning the identification and protection of classified information;
- Ensure that established CEII processes to protect and control nonpublic information are current and that such policies are disseminated and properly implemented;
- Work with appropriate officials to address the apparent confusion between the Commission and DOE regarding respective roles, responsibilities and authorities to classify Commission-created information; and
- Determine whether to seek specific authority to protect or classify as necessary Commission-developed documents and develop necessary guides and training associated with any authorities obtained.
A copy of the report is available here.