32 CFR § 2001.60 - General.
(a) Purpose. This subpart sets standards for establishing and maintaining an ongoing agency self-inspection program, which shall include regular reviews of representative samples of the agency's original and derivative classification actions.
(b) Responsibility. The senior agency official is responsible for directing and administering the agency's self-inspection program. The senior agency official shall designate agency personnel to assist in carrying out this responsibility. The program shall be structured to provide the senior agency official with information necessary to assess the effectiveness of the classified national security information program within individual agency activities and the agency as a whole, in order to enable the senior agency official to fulfill his or her responsibility to oversee the agency's program under section 5.4(d) of the Order.
(c) Approach. The senior agency official shall determine the means and methods for the conduct of self-inspections.
(1) Self-inspections should evaluate the adherence to the principles and requirements of the Order and this directive and the effectiveness of agency programs covering original classification, derivative classification, declassification, safeguarding, security violations, security education and training, and management and oversight.
(2) Regular reviews of representative samples of the agency's original and derivative classification actions shall encompass all agency activities that generate classified information. They shall include a sample of varying types of classified information (in document and electronic format such as e-mail) to provide a representative sample of the activity's classification actions. The sample shall be proportionally sufficient to enable a credible assessment of the agency's classified product. Agency personnel who are assigned to conduct reviews of agencies' original and derivative classification actions shall be knowledgeable of the classification and marking requirements of the Order and this directive, and have access to pertinent security classification guides. In accordance with section 5.4(d)(4) of the Order, the senior agency official shall authorize appropriate agency officials to correct misclassification actions.
(3) Self-inspections should include a review of relevant security directives and instructions, as well as interviews with producers and users of classified information.
(d) Frequency. Self-inspections shall be regular, ongoing, and conducted at least annually with the senior agency official setting the frequency on the basis of program needs and the degree of classification activity. Activities that generate significant amounts of classified information shall include a representative sample of their original and derivative classification actions.
(e) Coverage. The senior agency official shall establish self-inspection coverage requirements based on program and policy needs. Agencies with special access programs shall evaluate those programs in accordance with sections 4.3(b)(2) and (4) of the Order, at least annually.
(f) Reporting. Agencies shall document the findings of self-inspections internally.
(1) Internal. The senior agency official shall set the format for documenting self-inspection findings. As part of corrective action for findings and other concerns of a systemic nature, refresher security education and training should address the underlying cause(s) of the issue.
(2) External. The senior agency official shall report annually to the Director of ISOO on the agency's self-inspection program. This report shall include:
(i) A description of the agency's self-inspection program to include activities assessed, program areas covered, and methodology utilized;
(ii) The assessment and a summary of the findings of the agency self-inspections in the following program areas: Original classification, derivative classification, declassification, safeguarding, security violations, security education and training, and management and oversight;
(iii) Specific information with regard to the findings of the annual review of the agency's original and derivative classification actions to include the volume of classified materials reviewed and the number and type of discrepancies that were identified;
(iv) Actions that have been taken or are planned to correct identified deficiencies or misclassification actions, and to deter their reoccurrence; and
(v) Best practices that were identified during self-inspections.