When Derivatively Classifying Information Where Can You Find: Complete Guide

When Derivatively Classifying Information: Where Can You Find the Guidance You Need?

If you've ever been tasked with creating a new document that pulls from classified sources, you've probably asked yourself this question: "Where am I actually supposed to find the rules for doing this?" It's a fair question — and honestly, one that trips up a lot of people even after they've been working with sensitive material for years.

The short answer is: there are specific places you need to go to find the authority and guidance to derivatively classify information. Skip them, and you're either over-classifying (wasting resources) or under-classifying (creating a security risk). Neither is a good look.

Let's break down where to find what you need, why it matters, and how to do it right.

What Is Derivative Classification?

Derivative classification is the process of creating new documents, presentations, or products that incorporate, paraphrase, or restate information that's already been classified by someone else. You're not inventing a new classification category — you're taking existing classified material and transforming it into something new.

Think of it this way: an original classifier decides that a specific piece of information is secret because it reveals something sensitive. Your job, when you use that information, is to make sure the new product you create carries the same protection level. That's derivative classification.

It's different from original classification, which is when someone with the authority decides for the first time that information needs to be protected at a certain level. Most people in government and contractor roles are doing derivative classification, not original classification — and that's exactly why knowing where to find the right guidance matters so much.

Why the "Where Can You Find" Question Comes Up So Often

Here's the thing: derivative classification isn't something you figure out on your own. You need authorized sources to tell you what level of classification applies and how to mark the new product. Without those sources, you're essentially guessing — and guessing wrong has real consequences.

People get confused because there isn't a single document that says "here's everything." Instead, the guidance is layered across several official sources, and you need to know which ones apply to your situation. That's exactly what we're going to walk through.

Where Can You Find the Guidance to Derivatively Classify?

This is the core question, and it deserves a detailed answer. There are three main places you'll find the authority to derivatively classify information:

1. Classification Guides

Classification guides are your primary source. These are documents issued by the original classification authority (OCA) for a particular subject area. They tell you exactly what information within that topic is classified, at what level, and why.

If you're working with intelligence reports, there's a guide for that. If you're dealing with technical specifications for a weapons system, there's a guide for that too. The key is making sure you're using the current version — classification guides get updated periodically, and using an outdated guide is a common mistake.

You'll typically get access to these guides through your agency's security office or your organization's classification management team. They're usually specific to your agency or even your specific program.

2. Source Documents

Sometimes the guidance is right in front of you. When you receive a classified document, that document itself carries classification instructions. The markings at the top — like "SECRET//NOFORN" or "TOP SECRET//SCI" — tell you exactly how that information is classified.

When you use information from that document to create something new, you're expected to apply the same classification level to your new product. This is the most straightforward form of derivative classification: the source tells you what to do, you just follow it.

3. Agency Security Manuals and Policies

Beyond specific classification guides, your agency will have overarching policies that govern how classification works. These documents explain the overall framework — things like how to handle compromise incidents, what the declassification process looks like, and the general principles for determining classification levels.

Executive Order 13587, which deals with structural reforms to improve security of classified networks and sharing, is one example of a foundational policy. Your specific agency will have implementing regulations that expand on these principles.

How Derivative Classification Actually Works

Now that you know where to find the guidance, let's walk through how the process typically goes in practice.

Step one: identify your sources. What classified information are you working from? Are you pulling from a specific document with clear markings? Are you using a classification guide? Both? Make sure you've got the authoritative sources identified before you write anything.

Step two: determine the classification level. This is where you apply what your sources tell you. If the source document is marked SECRET, and you're incorporating that exact information, your new document is SECRET. If you're paraphrasing or extracting, the general rule is to apply the highest level of classification that appears in the source material you're using.

Step three: apply the correct markings. This includes the classification level, any control markings (like NOFORN or ORCON), and the date when the information will be automatically declassified if that applies. Markings aren't optional — they're the way others know how to handle what you've created.

Step four: review and validate. Before you finalize and distribute, someone with the appropriate clearance and training should review your work to confirm the classification is correct. This is where a classification authority or your security office can catch mistakes.

The "Classification by Compilation" Angle

Here's something that trips people up: sometimes putting unclassified information together in a specific way creates a classified result. This is called classification by compilation, and it's a form of derivative classification.

As an example, maybe each individual fact in your document is unclassified — but when someone sees all of them together, they can piece together something sensitive. In that case, the compilation itself needs to be classified. Your classification guide should address whether compilation applies to your subject area.

Common Mistakes People Make

After years of working with classification programs, certain errors come up over and over. Here's what to watch out for:

Using outdated classification guides. This is probably the most common mistake. Guides get updated, and what was classified last year might be declassified now — or the level might have changed. Always check you're working with the current version.

Over-classifying. Some people play it "safe" by classifying everything at a higher level than necessary. The problem? It clogs the system, makes it harder to share information that should be shared, and wastes resources. Only classify at the level actually required.

Under-classifying. The opposite problem — not applying the protection the information actually needs. This is a security risk, plain and simple.

Ignoring the markings on your source material. If you're working from a document that's marked SECRET//NOFORN, your derivative product needs those same markings. Don't pick and choose.

Not getting the required reviews. Some classifications require sign-off from a specific authority before the document can be released. Skipping this step is a violation of procedure.

Practical Tips for Getting It Right

A few things that actually help in the real world:

  • Build a relationship with your security office. They're not just the people who enforce rules — they're a resource. When you're unsure, ask. It's better to ask than to get it wrong.
  • Keep a log of your classification guides. Note the version, the date, and where to find the latest update. This is especially important if you work across multiple programs.
  • When in doubt, classify higher temporarily — then get clarification from a classification authority before finalizing. You can always downgrade later, but you can't un-release information that's been compromised.
  • Document your reasoning. Write a brief note explaining why you classified something at a particular level. This helps if someone questions your decision later — and it helps you think through whether you got it right.

FAQ

Can I derivatively classify information without a classification guide?

You can use the markings on your source documents as authority, but a classification guide is the more comprehensive resource. If you're regularly working in a specific subject area, you should have access to the relevant guide.

What if my source documents have different classification levels?

You apply the highest level among them. If you're pulling from one SECRET document and one TOP SECRET document, your derivative product is TOP SECRET.

Who can I ask if I'm unsure about the correct classification?

Start with your agency's security office or your organization's classification authority. That's literally what they're there for.

Does derivative classification apply to contractor employees?

Yes. If you're a contractor working with classified information, you follow the same rules. Your company should have a facility security officer who can guide you.

What happens if I get it wrong?

It depends on whether it was an honest mistake or willful misconduct. Errors are typically addressed through training and correction. Willful violations — like intentionally removing classification markings or sharing information you know is classified — are serious and can result in criminal prosecution.

The Bottom Line

Derivative classification isn't something you guess your way through. The guidance exists — in classification guides, in your source documents, and in your agency's policies. Your job is to find the right source, apply it correctly, and get the reviews your process requires.

It's not complicated once you know where to look. The challenge is making it a habit — checking your sources every time, not just when you think you need to. That's what separates someone who does it right from someone who creates problems down the line.

When in doubt, ask your security office. That's what they're there for.
