Vol. X, No. 3
Protecting Vulnerability Assessments Through Application of Exemption Two
When processing records for disclosure under the Freedom of Information Act, it is sometimes difficult for FOIA officers to immediately recognize the sensitivity of information warranting protection under the Act's exemptions. One type of record for which that should not be so, however, is a record in which an agency specifically assesses its vulnerability (or that of another institution or installation) to some form of outside interference or other wrongful harm. Indeed, vulnerability assessments can be among the most sensitive records maintained by federal agencies.
Vulnerability assessments generally are designed to ensure the security of an institution or installation by safeguarding against possible interference, circumvention or unlawful action by outsiders. Typically, a vulnerability assessment first seeks to identify an institution's assets, programs or systems that are deemed to be most sensitive. In so doing, it usually pays particular attention to the ones that are believed to be, for one reason or another, especially vulnerable to external harm. Further, in analyzing an item of identified vulnerability, such an assessment commonly will describe the specific security measures (as well as possible countermeasures) that can be employed to combat that vulnerability.
Thus, by its very nature, a vulnerability assessment necessarily consists of sensitive information that, in the wrong hands, can itself do great harm.Applicability of Exemption 2
Fortunately, there now exists a firm basis for protecting against such harm when vulnerability assessments are requested under the FOIA -- through the application of an important part of Exemption 2 of the Act.
By its own quite general terms, Exemption 2 covers records "related solely to the internal personnel rules and practices of an agency." 5 U.S.C. §552(b)(2). This exemption now has been construed and applied by the courts in two distinct ways, in accordance with its underlying legislative intent. As the Supreme Court recognized long ago, one intended aspect of Exemption 2 is its applicability to "routine" administrative matters "in which the public could not reasonably be expected to have an interest." Department of the Air Force v. Rose, 425 U.S. 352, 369-70 (1976). This aspect of the exemption, sometimes referred to as "low 2," merely shields an agency from burden in some instances and is entirely unrelated to concerns about the sensitivity of information or any kind of disclosure harm. See FOIA Update, Winter 1984, at 10-11.
More recently, though, the courts have recognized and broadly applied a second type of Exemption 2 protection, sometimes called "high 2," that is designed to prevent a certain kind of harm that can be caused by disclosure. In its seminal decision in Crooker v. BATF, 670 F.2d 1051, 1074 (D.C. Cir. 1981) (en banc), involving an inmate's FOIA request for a BATF agent training manual, the D.C. Circuit Court of Appeals established that Exemption 2 can protect "predominantly internal" agency records wherever disclosure "significantly risks circumvention of agency regulations or statutes." The underlying concern in such matters, of course, is that a FOIA disclosure should not "benefit those attempting to violate the law and avoid detection." Id. at 1053. As the D.C. Circuit recognized in Crooker, it is a matter of "common sense" that Congress did not intend the FOIA to compel any disclosure that would undermine the effective enforcement of our laws. Id. at 1074."Circumvention" Protection
This "circumvention" protection afforded by Exemption 2 is well suited for application to the sensitive information contained in vulnerability assessments. Although originally, as in Crooker, this protection was applied almost exclusively to sensitive portions of law enforcement manuals, it has since been extended well beyond that realm -- first to civil enforcement and regulatory matters, see, e.g., Dirksen v. HHS, 803 F.2d 1456, 1458-59 (9th Cir. 1986) (protecting Medicare claims processing guidelines in order to prevent circumvention of eligibility requirements), and beyond that even to matters that have nothing necessarily to do with law enforcement in any ordinary sense, see, e.g., Kaganove v. EPA, 856 F.2d 884, 889 (7th Cir. 1988) (extending Exemption 2 protection to "crediting plans" used to evaluate job applicants, because they "are effective only when kept confidential"), cert. denied, 109 S. Ct. 798 (1989); NTEU v. Customs Service, 802 F.2d 525, 528-31 (D.C. Cir. 1986) (same). Further, the D.C. Circuit has expressly declined to impose any requirement that a particular statute or regulation be involved. See id. at 530-31 ("Where disclosure of a particular [record] would render [it] operationally useless, the Crooker analysis is satisfied whether or not the agency identifies a specific statute or regulation threatened by disclosure.").
Thus, Exemption 2 should be fully available to protect vulnerability assessments, wherever it reasonably is determined that disclosure risks circumvention of the law or of some lawful requirement. See, e.g., Institute for Policy Studies v. Department of the Air Force, 676 F. Supp. 3, 5 (D.D.C. 1987) (according Exemption 2 protection to record revealing the most sensitive portions of agency system and which "could be used to seek out the [system's] vulnerabilities"). Accord Abbotts v. NRC, 766 F.2d 604, 606-08 (D.C. Cir. 1985) (protecting "baseline threat levels" regarding the security of nuclear facilities) (Exemption 1). Given the fundamental nature and contents of vulnerability assessments -- concentrated security details that would ideally aid any attempted security breach or circumvention of law as to the items assessed -- this touchstone element of harm should be found heavily present in such records. But see also 5 U.S.C § 552(b) (requiring disclosure of "reasonably segregable" nonsensitive portions).Computer Security Plans
A prime example of vulnerability assessments warranting protection under Exemption 2 are the computer security plans that all federal agencies are now required by law to prepare.
Last year, Congress enacted the Computer Security Act of 1987, Pub. L. No. 100-235, 101 Stat. 1724 (1988), for the purpose of "developing increased awareness of the importance of computer security and the potential loss or disruption of vital government programs that would result from unauthorized access to Federal computers." H.R. Rep. No. 153, 100th Cong., 1st Sess., pt. 2, at 6 (1987). This legislation "requires each agency to identify its own sensitive information which may need protection and, in addition, develop a computer security plan outlining its proposed efforts to protect this information." Id. at 8. Under Section 6 of the Act, 40 U.S.C. § 759 note (1982 & Supp. V 1987), these plans are also transmitted for review by the National Institute of Standards and Technology, which holds overall responsibility for "assess[ing] the vulnerability of government computers and communications." Id. at 10.
Such computer security plans, if ever made the subject of a FOIA request, would be well entitled to Exemption 2 protection. By design, they must describe the most sensitive portions of federal computer systems, pinpoint their vulnerabilities, and then specify the security measures taken to protect the integrity of those vital systems. Such information can itself pose great risk to computer system security, of course, given the harmful use to which it obviously could be placed. As one court noted in according Exemption 2 protection to details of an agency's computer system, gaining access even to "the procedures involved in utilizing the [system] would give individuals incentive to attempt to obtain access to the [system] in order to use the knowledge they have obtained." Oliva v. Department of Justice, Civil No. 84-5741, slip op. at 2 (S.D.N.Y. Feb. 28, 1986).
In fact, courts have had occasion in a number of cases to apply Exemption 2's "circumvention" protection to items of sensitive computer-related information. See, e.g., Dirksen v. HHS, 803 F.2d at 1457 ("instructions for computer coding"); Wightman v. BATF, 755 F.2d 979, 982 (1st Cir. 1985) (computer codes); see also Hall v. Department of Justice, Civil No. 87-0474, slip op. at 4-5 (D.D.C. Mar. 8, 1989) (protecting various items that "could facilitate unauthorized access to [agency] communications systems"). In one case, involving a sensitive computer program found to require protection under Exemption 2, the court even went so far as to observe that disclosure would be like "putting a fox inside the chicken coop." Windels, Marx, Davies & Ives v. Department of Commerce, 576 F. Supp. 405, 413 (D.D.C. 1983). Certainly, disclosure of the very plans designed to ensure the security of a computer system could in like fashion arm potential violators of it, a risk which the "circumvention" protection of Exemption 2 is well designed to prevent.Conclusion
In sum, FOIA officers should be mindful of the inherent sensitivity of vulnerability assessments and that, as the D.C. Circuit observed in a related context, disclosure "would quickly render those documents obsolete for the purpose for which they were designed." NTEU v. Customs Service, 802 F.2d at 530. In processing any FOIA request for such records, agencies should carefully apply the full measure of protection afforded by Exemption 2 wherever necessary to prevent "circumvention" harm.
Go to: FOIA Update Home Page