U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Was this page helpful?

Classification Management

Classification management involves the identification, marking, safeguarding, declassification, and destruction of Classified National Security Information (CNSI) generated within government and industry.  It encompasses the life-cycle management of CNSI from original classification to destruction. The three levels of classification are Top Secret, Secret, and Confidential. Unclassified is a marking used to denote information that does not meet the requirements for classification and Controlled Unclassified Information is a marking used to denote dissemination controls of certain unclassified information. Information Security Program staff provide guidance, training, and oversight to Department operating units and security specialists on classification management and facilitates Subject Matter Expert (SME) reviews of CNSI with respect to Information Security, Industrial Security, Communications Security, and Operations Security.

There are two ways to classify information – Original Classification and Derivative Classification. Original classification is the initial determination made by an Original Classification Authority that information is required, in the interest of national security and for protection against unauthorized disclosure. Derivative Classification is the process of incorporating, paraphrasing, restating, or generating in a new form, information that has already been classified and can only be performed by a trained Derivative Classifier.

Original Classification

Original Classification Authority (OCA) originally classifies information as Confidential, Secret, or Top Secret, and may be exercised by properly trained and appointed individuals. Currently, OCA is delegated to the Secretary of Commerce, the Department’s Director for Security, and the Deputy Under Secretary for the Bureau of Industry and Security to originally classify information up to the Secret level. These are the only three OCAs within the Department. No Department official is authorized to originally classify information as Top Secret. This authority was reissued on December 29, 2009, Presidential order entitled, Original Classification Authority. This order designates those agency heads and officials as having the authority to classify information.

Derivative Classification

Derivative Classification is the incorporating, paraphrasing, restating, or generating in a new form, information that has already been classified. Derivative Classification can only be performed by a trained Derivative Classifier using existing, properly marked, classified source documentation. The duplication or reproduction of an existing classified document is not a derivative classification.

Examples of Derivative Classification:

  • Incorporation occurs when information is extracted directly from an authorized classification guidance source and is stated verbatim in a new or different document.
  • Paraphrasing or restating occurs when information is taken from an authorized source and is re-worded in a new or different document. Paraphrasing is strongly discouraged as it closely resembles reproduction.
  • Generating is when information is taken from an authorized source and generated into another form or medium.

Derivative classifiers must carefully analyze the material they are classifying to determine what information it contains or reveals and evaluate that information against authorized classification guidance (Security Classification Guide (SCG), Classified Source Document, or DD Form 254). Unmarked does not mean unclassified.

A Compilation, combining two or more pieces of unclassified information, can result in an aggregate that is classified. New material may include classified information that is contained in the classification guidance (e.g., the SCG). Due to the way it is organized or structured, the new material may reveal classified information that did not specifically appear in the classification guidance used to create it. Finally, the new material may aggregate, or bring together, pieces of information that are unclassified, or have one classification level, but when you present them together it either renders the new information classified or increases its classification level.

Revealed By applies when derivative classifiers incorporate classified information from an authorized source into a new document that is not clearly or explicitly stated in the source document.

Contained In occurs when derivative classifiers incorporate classified information from an authorized source into a new document, and no additional interpretation or analysis is needed to determine the classification of that information. The concept also applies to the use of an SCG. Sometimes, the guidance in an SCG may explicitly apply to the content incorporated into a new document. The Department has published a National Security Information Classification Guide (Commerce personnel only) to assist derivative classifiers in the classification of CNSI.

Classification Challenges

Authorized holders of information who, in good faith, believe that its classification status is improper are encouraged and expected to challenge the classification status of the information in accordance with agency procedures. An informal challenge should be initiated by first contacting your Field Servicing Security Office or the Information Security Division to assist with informally resolving the issue.

If the concerns cannot be resolved by an informal classification challenge, a formal classification challenge should be initiated. Authorized holders of classified information, including authorized holders outside the classifying agency, who want to challenge the classification status of information shall present such challenges to an OCA with jurisdiction over the information. A formal challenge must be in writing but need not be any more specific than to question why information is or is not classified or is classified at a certain level.

The informal method will resolve the issue faster than a formal notice. Until a decision has been issued for any classification challenge, the markings shall be honored, and information protected as marked.

Mandatory Declassification Review

Mandatory Declassification Review (MDR) is a means by which any individual or entity can request any Federal agency to review classified information for declassification, regardless of its age or origin, subject to certain limitations. MDR is another route to the declassification and release of classified agency records under the terms of E.O. 13526. All information classified under the Order or predecessor orders by the originating agency (i.e. DoD, CIA, FBI); Congressional records classified by the executive branch; and information from past Presidential administrations is subject to MDR. This process is similar to the one in the Freedom of Information Act (FOIA) but focused on CNSI. Both processes allow an individual or entity to request any federal agency to review agency records for release. Classified documents identified during a FOIA request require an MDR before completing the FOIA request.

All MDR requests must be submitted in writing to the applicable agency. Information on where to send MDR requests at each agency can be found on the Information Security Oversight Office (ISOO) website at http://www.archives.gov/isoo/contact/mdr-contact.html.

The request must describe the document or material containing the information with sufficient specificity to enable the agency to locate it with a reasonable amount of effort.

The agency or agencies on record for generating the original document shall review the content related to their mission. An SME shall review the document to determine its mission-related content. The SME shall then evaluate the current CNSI impact of the mission-related content to determine if it may be declassified. The assigned SME shall coordinate with the Information Security Division once a declassification recommendation exists.

Changes to mission of the component agencies of the Department can be an obstacle to finding a SME to evaluate an MDR. Department agencies often perform an analysis role for the finished classified document. Sometimes, positions contributing to the production of the original classified document may no longer exist in the Department. Furthermore, the classification of the final document can exceed the maximum Secret classification from a Department OCA.

A Commerce OCA makes the final decision on all Mandatory Declassification Review recommendations following a SME review.

The requesting agency collects the MDR responses from the separate contributing agencies to determine if the document can be declassified. Congressional records classified by the executive branch, and information from past presidential administrations are subject to MDR. Requests for MDR to the Department may be sent to the Director for Security through the Information Security Division:

Assistant Director, Information Security Division
U.S. Department of Commerce

14th and Constitution Avenue, NW, Room 1069

Washington, DC 20230

Information That is Not Subject to MDR

Information originated by the incumbent President or Vice President or their White House staff; committees, commissions, or boards appointed by the incumbent President; other entities within the Executive Office of the President that solely advise and assist the incumbent President; or information classified under the Atomic Energy Act of 1954 (Restricted Data/Formerly Restricted Data).



Classified documents may only be destroyed by authorized methods such as burning, pulping, or shredding on an authorized shredder listed on the National Security Agency’s Evaluated Products List. The Department maintains the capacity to support shredding paper with NSA crosscut shredders. Classified documents are reduced to an unrecoverable slurry; shards measuring 1 millimeter by 5 millimeter or less. This standard is applied to paper only. Electronic media, i.e., discs, must be destroyed with a strip shredder to shatter the rigid device. Larger electronic devices shall be destroyed with a demagnetizer, to wipe the data, and a defragmenter, to disassemble.


15 CFR Part 4a, Classification, Declassification, and Public Availability of National Security Information, June 10, 2020

Original Classification Authority, December 29, 2009 Presidential Order

DOC National Security Information Classification Guide, October 2020 (Commerce personnel only)

Information Security Oversight Office (ISOO) Classification Management Training Aids

Commerce Learning Center – (Search for Annual CNSI Security Clearance Holder Training)