What Should Be Classified? A Framework with Application to the Global Force Management Data Initiative

Many Department of Defense (DoD) organizations are developing large-scale integrated data systems that bring together databases from multiple sources and for multiple users through DoD networks. The Global Force Management Data Initiative (GFM DI) is one such system for sharing DoD-authorized force-structure information. GFM DI makes the entire DoD-authorized force structure visible, understandable, and accessible in a common format for the first time, which can help support a wide range of DoD business, readiness, and force management systems. GFM DI offers DoD users many potential benefits, among them a complete picture, derived from unclassified sources and systems, of the force structure. If that picture is not protected appropriately, however, adversaries might also benefit in that gaining access to it would offer significant advantages over the usual practice of gathering data piecemeal. Thus, analyzing the security vulnerabilities of and potential security mitigation approaches for force-structure data in GFM DI is essential. For this assessment, RAND Corporation researchers developed a general framework for judging classification decisions and then analyzed the material GFM DI brings together to determine whether it met such criteria. From this assessment, we developed recommendations about how to handle potential vulnerabilities associated with GFM DI. This monograph documents this assessment and recommendations. ISBN: 978-0-8330-5001-4; LCCN: 2010940485.