Module 2: National Security Classification Levels

Step 1 – Why IT Pros Should Care About National Security Classification

Even if you only touch unclassified systems, you will see references to Confidential, Secret, Top Secret, SCI, SAP, FCL, PCL in:

• RFPs and statements of work
• Contract clauses (especially DoD and Intelligence Community work)
• Facility and network requirements (e.g., SCIFs, classified enclaves)

This module focuses on the traditional US national security classification system defined by Executive Order (EO) 13526, which has governed classification since December 2009 and remains in force as of today (late 2025).

You’ll learn:

• What Confidential, Secret, and Top Secret actually mean
• How Special Access Programs (SAPs) and Sensitive Compartmented Information (SCI) sit on top of these levels
• The difference between personnel clearance (people) and system authorization (IT systems)
• Why all of this matters when you bid on or support federal and defense IT work

Keep Module 1 in mind: classification is one piece of the broader US federal information protection landscape (which also includes FISMA, FedRAMP, CUI, etc.).

Step 2 – EO 13526: The Legal Basis for National Security Classification

Executive Order 13526 – Classified National Security Information (signed 2009, still current in 2025) is the core policy for national security classification.

Key points relevant to IT work:

1. What can be classified?

• Only information that could reasonably be expected to cause damage to national security if disclosed without authorization.
• It must fall into specific categories (e.g., military plans, foreign government information, intelligence activities, nuclear weapons design info, etc.).

1. Who can classify?

• Only authorized officials (Original Classification Authorities, or OCAs) can originally classify info.
• Others may apply derivative classification by following existing guidance (e.g., using classification guides).

1. Three levels, not more:

• EO 13526 explicitly allows only Confidential, Secret, Top Secret as classification levels.
• "SCI" and "SAP" are control frameworks on top of these levels, not separate levels.

1. Declassification and duration:

• Classification is not supposed to be permanent; EO 13526 sets rules for automatic and systematic declassification.
• For IT, this affects retention, sanitization, and archival requirements.

For you as an IT service provider, EO 13526 is the backdrop that explains why systems have to be protected differently when they process national security information.

Step 3 – The Three Classification Levels: Confidential, Secret, Top Secret

EO 13526 defines three levels based on expected damage to national security if information is disclosed.

1. Confidential (C)

• Unauthorized disclosure could reasonably be expected to cause damage to national security.
• Examples: Some diplomatic communications, basic operational details, certain logistics data.

1. Secret (S)

• Unauthorized disclosure could reasonably be expected to cause serious damage to national security.
• Examples: Many military plans, some intelligence sources and methods, certain weapons system details.

1. Top Secret (TS)

• Unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.
• Examples: Detailed war plans, high‑sensitivity intelligence sources, some nuclear and cyber capabilities.

Visual analogy (mental picture):

• Imagine three nested circles:
• Inner circle: Top Secret – highest potential damage
• Middle circle: Secret – serious damage
• Outer circle: Confidential – damage, but less severe

For IT work, higher levels typically mean:

• Stronger technical controls (encryption, segmentation, auditing)
• Stricter physical controls (SCIFs, guards, safes)
• More limited user populations and more complex accreditation processes

Step 4 – Practical Examples for Each Level (IT-Focused)

Consider a fictional defense contractor, SecureNet Solutions, working on a Navy program.

1. Confidential example

• Data: Ship maintenance schedules and non-sensitive configuration details.
• Classification: Confidential, because disclosure could help an adversary plan minor disruptions.
• IT impact: Needs a classified network, but controls are less stringent than higher levels.

1. Secret example

• Data: Detailed vulnerability assessments of a fleet’s network architecture.
• Classification: Secret, because disclosure could cause serious damage (e.g., enabling cyber attacks).
• IT impact: Systems must meet Secret-level requirements, often including:
• Accredited Secret network enclave
• Approved encryption devices (e.g., Type 1 crypto)
• Controlled physical access and cleared admins

1. Top Secret example

• Data: Real-time intelligence feeds about adversary cyber tools and zero-day exploits.
• Classification: Top Secret, because disclosure could cause exceptionally grave damage (e.g., revealing how the US knows what it knows).
• IT impact:
• TS/SCI-capable secure network
• Stronger compartmentalization (need-to-know enforced by both tech and policy)
• More rigorous authorization/accreditation and continuous monitoring

Notice: The same type of system (e.g., SIEM, ticketing tool) can exist at different classification levels, but the environment and rules around it change dramatically.

Step 5 – SCI and SAP: Not New Levels, but Extra Protection Layers

Two terms you will see often in defense/IC work are SCI and SAP. They are not additional classification levels, but special handling frameworks applied to Confidential/Secret/Top Secret information.

1. Sensitive Compartmented Information (SCI)

• Refers mainly to intelligence sources and methods.
• Usually (but not always) Top Secret//SCI.
• Access requires:
• A Top Secret clearance, plus
• A specific SCI eligibility and indoctrination into one or more compartments.
• IT impact: Systems must operate in a SCIF (Sensitive Compartmented Information Facility) or equivalent accredited environment.

1. Special Access Programs (SAPs)

• Programs with enhanced security requirements and access controls beyond normal classification.
• Can exist at any classification level, though many are Secret or Top Secret.
• Governed by DoD and other agency policies (e.g., DoD SAP policy under DoD directives and manuals).
• IT impact: SAP systems often have:
• Separate, tightly controlled enclaves
• Additional auditing and access restrictions
• Very limited admin and user populations

For IT service providers, the key takeaway:

• SCI and SAP work usually requires both cleared personnel and specially accredited systems/facilities.
• Bids mentioning TS/SCI or SAP support signal much higher entry barriers than standard unclassified or even Secret work.

Step 6 – Personnel Clearance vs. System Authorization

Two big concepts often get mixed up:

1. Personnel Security Clearance (PCL)

• Applies to people.
• Levels: Confidential, Secret, Top Secret, with additional eligibility for SCI and/or SAP.
• Granted after a background investigation and adjudication.
• Managed via systems like DISS or successor systems (depending on agency; the DoD has been modernizing clearance IT systems through NBIS and related tools).

1. System Authorization / Accreditation

• Applies to information systems and networks.
• For national security systems, often governed by DoD Instruction 8510.01 (RMF for DoD IT) and related standards (e.g., CNSSI 1253, NIST SP 800-37 framework, even though national security systems are formally outside FISMA scope).
• Result: an Authorization to Operate (ATO) or equivalent decision.
• Must match or exceed the highest classification level and protection requirements of the data processed.

Key relationship:

• A cleared person (e.g., TS/SCI) cannot access classified data on an unauthorized/unaccredited system, even if they are fully cleared.
• A classified system cannot be used by uncleared personnel, even if the system itself is perfectly accredited.

You need both:

• Right people (PCL) + Right system (ATO) + Need-to-know = legal access to classified info.

Step 7 – Thought Exercise: Matching People and Systems

Work through this scenario mentally (or jot notes):

Your company, CloudBridge IT, wants to support a Secret-level logistics system for the US Army. The system processes:

• Secret deployment schedules
• Some unclassified inventory data

Current state:

• You have an unclassified FedRAMP Moderate cloud environment.
• Two engineers have Secret clearances.
• No classified networks or facilities.

Questions to consider:

1. Can your two cleared engineers legally administer the Secret system from your current unclassified environment? Why or why not?
2. What system-side changes would be needed before you could host or manage this Secret system?
3. If the RFP mentions that some data may later be upgraded to Top Secret//SCI, how would that change your:

• Personnel planning?
• Facility planning (e.g., SCIF)?
• Cloud or on-prem architecture?

Pause and think through your answers before moving on. Focus on separating:

• Personnel clearance needs vs.
• System authorization and facility needs.

Step 8 – Quick Check: Classification Levels

Answer this to confirm your understanding of the three core levels.

Step 9 – Quick Check: Clearance vs. System Authorization

Now test your understanding of personnel vs. system requirements.

Step 10 – Flashcard Review of Key Terms

Use these flashcards to reinforce the core terminology from this module.

Step 11 – Why This Matters for Unclassified-Only IT Providers

Even if your company never plans to host classified data, understanding this system is practical for three reasons:

1. Reading and responding to RFPs

• You will see phrases like “support to TS/SCI networks,” “Secret-cleared admin staff,” “SAP environment”.
• You must quickly recognize when a requirement implies:
• Personnel clearance needs
• Facility needs (e.g., SCIF, closed areas)
• System authorization and network segregation needs

1. Interfacing with classified environments

• Many unclassified systems (e.g., logistics, HR, ticketing) exchange data with classified systems.
• You may need to:
• Implement cross-domain solutions or data guards
• Respect data spill procedures (what happens if classified data appears in your unclassified system)

1. Strategic planning for your company

• Deciding whether to invest in:
• Facility clearances (FCLs) and secure spaces
• Recruiting and sponsoring cleared personnel
• Building or partnering for classified hosting capabilities

Understanding national security classification helps you scope work realistically, price bids correctly, and avoid legal and security missteps when your unclassified services touch the edges of the classified world.