Classification Guidelines
And Distribution Controls

Original and Derivative Classification

Executive Order 12958, April 17, 1995, sets U.S. Government policy for classifying national security information that must be protected from unauthorized disclosure. Information is classified in one of two ways -- originally or derivatively.

Original classification is the initial determination that information requires protection. Only U.S. Government officials to whom this authority has been delegated in writing and who have been trained in classification requirements have the authority for original classification. Original classification authorities issue security classification guides that others use in making derivative classification decisions. Most government employees and contractors make derivative classification decisions.

Derivative classification is the act of classifying a specific item of information or material on the basis of an original classification decision already made by an authorized original classification authority. The source of authority for derivative classification ordinarily consists of a previously classified document or a classification guide issued by an original classification authority.

For example, Defense contractors make derivative classification decisions based on the Contract Security Classification Specification that is issued with each classified contract. If a contractor develops an unsolicited proposal or originates information not in the performance of a classified contract, the following rules apply. If the information was previously identified as classified, it should be classified derivatively. If the information was not previously classified, but the contractor believes the information may be or should be classified, the contractor should protect the information as though classified at the appropriate level and submit it to the agency that has an interest in the subject matter for a classification determination. In such a case, the material should be marked CLASSIFICATION DETERMINATION PENDING. Protect as though classified (TOP SECRET, SECRET, or CONFIDENTIAL).

The full text of Executive Order 12958 is available at the Security Policy Board's Internet site, Classification guidelines for defense contractors are in Chapter 4 of the National Industrial Security Program Operating Manual. Full text of the NISPOM is available on the Defense Security Service Internet site,

Classification Levels

Information that must be controlled to protect the national security is assigned one of three levels of classification, as follows:

  • TOP SECRET information is information which, if disclosed without authorization, could reasonably be expected to cause exceptionally grave damage to the national security.
  • SECRET information is information which, if disclosed without authorization, could reasonably be expected to cause serious damage to the national security.
  • CONFIDENTIAL information is information which, if disclosed without authorization, could reasonably be expected to cause damage to the national security.

Atomic energy information is classified under the Atomic Energy Act of 1954, and the procedures differ from those prescribed for National Security Information. Atomic energy information is automatically classified and remains classified until a positive action is taken to declassify it. It may be declassified only by the Department of Energy. Consult your security officer for information on marking and handling atomic energy information. There are two types:

  • RESTRICTED DATA covers "all data concerning (1) design, manufacture, or utilization of atomic weapons; (2) the production of special nuclear material; or (3) the use of special nuclear material in the production of energy," except for data that has been declassified or removed from the Restricted Data category.
  • FORMERLY RESTRICTED DATA is information which has been removed from the Restricted Data category after Department of Energy and Department of Defense have jointly determined that the information relates primarily to the military utilization of atomic weapons and can be adequately safeguarded as National Security Information. The word "formerly" only means that such information is no longer subject to controls under the Atomic Energy Act. Formerly Restricted Data remains classified and subject to controls on National Security Information. Such data may not be given to any other nation except under specially approved agreements.  It is identified and handled as RESTRICTED DATA when sent outside the United States.

RESTRICTED DATA and FORMERLY RESTRICTED DATA should also be marked with one of the three classification levels -- TOP SECRET, SECRET, or CONFIDENTIAL.

Distribution Controls

In addition to its classification, especially sensitive information may also be subject to other controls on its distribution and handling. A few of these markings have been discontinued but are still seen on many older documents. It is your responsibility to understand the control markings on classified information. If you are not sure, contact your security office.These control markings include:

  • Dissemination and Extraction of Information Controlled by Originator (ORCON) or (OC) means that any additional distribution or inclusion in another document must be approved by the originator of the document. It is used on intelligence information that could permit identification of a sensitive intelligence source or method.
  • Not Releasable to Contractors/Consultants (NOCONTRACT) has been discontinued but is still seen on older documents. Check with the originator of the document regarding any ongoing controls on the use of such a document.  This caveat was used on intelligence information that is provided by a source on the express or implied condition that it not be made available to contractors; or that, if disclosed to a contractor, would actually or potentially give him/her a competitive advantage or cause a conflict of interest with his/her obligation to protect the information.
  • Caution - Proprietary Information Involved (PROPIN) or (PR) is used with or without a security classification to identify information provided by a commercial firm or private source under an express or implied understanding that the information will be protected as a trade secret or proprietary data with actual value.
  • U.S. Only (UO) is for intelligence information that may not be passed to foreign nationals.
  • NOFORN means the information may not be passed to foreign nationals.
  • Authorized for Release to ____ (REL) signifies intelligence information that is releasable to or has been released through proper disclosure channels to the named foreign government or international organization.
  • Sensitive Compartmented Information (SCI) applies to certain intelligence sources, methods, or analytical processes that are subject to a formal access control system established by the Director of Central Intelligence. Special approval is required for access to SCI.
  • Communications Security (COMSEC) refers to information that must by handled through SCI channels.
  • Cryptographic Material (CRYPTO) identifies information or materials that must be handled through special cryptographic channels.
  • Warning Notice - Intelligence Sources or Methods Involved (WNINTEL) has been discontinued but is still seen on older documents.  It was used on intelligence information that identifies or would reasonably permit identification of an intelligence source or method that is susceptible to countermeasures that could nullify or reduce its effectiveness.
  • Critical Nuclear Weapons Design Information (CNWDI) or (N) applies to information that reveals the theory of operation or design of the components of a thermonuclear or fission bomb, warhead, demolition munition, or test device. Special handling procedures are required.

Related Topics: Marking Classified Information, Handling Classified Information, For Official Use Only (FOUO), Foreign Government Classified Information.