When Derivatively Classifying Information: Where Can You Find the Guidance You Need?
If you've ever been tasked with creating a new document that pulls from classified sources, you've probably asked yourself this question: "Where am I actually supposed to find the rules for doing this?" It's a fair question — and honestly, one that trips up a lot of people even after they've been working with sensitive material for years.
The short answer is: there are specific places you need to go to find the authority and guidance to derivatively classify information. Skip them, and you're either over-classifying (wasting resources) or under-classifying (creating a security risk). Neither is a good look Simple as that..
Let's break down where to find what you need, why it matters, and how to do it right.
What Is Derivative Classification?
Derivative classification is the process of creating new documents, presentations, or products that incorporate, paraphrase, or restate information that's already been classified by someone else. You're not inventing a new classification category — you're taking existing classified material and transforming it into something new.
Think of it this way: an original classifier decides that a specific piece of information is secret because it reveals something sensitive. And your job, when you use that information, is to make sure the new product you create carries the same protection level. That's derivative classification.
It's different from original classification, which is when someone with the authority decides for the first time that information needs to be protected at a certain level. Most people in government and contractor roles are doing derivative classification, not original classification — and that's exactly why knowing where to find the right guidance matters so much.
Why the "Where Can You Find" Question Comes Up So Often
Here's the thing: derivative classification isn't something you figure out on your own. You need authorized sources to tell you what level of classification applies and how to mark the new product. Without those sources, you're essentially guessing — and guessing wrong has real consequences Simple, but easy to overlook..
People get confused because there isn't a single document that says "here's everything.Here's the thing — " Instead, the guidance is layered across several official sources, and you need to know which ones apply to your situation. That's exactly what we're going to walk through.
Where Can You Find the Guidance to Derivatively Classify?
This is the core question, and it deserves a detailed answer. There are three main places you'll find the authority to derivatively classify information:
1. Classification Guides
Classification guides are your primary source. But these are documents issued by the original classification authority (OCA) for a particular subject area. They tell you exactly what information within that topic is classified, at what level, and why.
If you're working with intelligence reports, there's a guide for that. If you're dealing with technical specifications for a weapons system, there's a guide for that too. The key is making sure you're using the current version — classification guides get updated periodically, and using an outdated guide is a common mistake.
You'll typically get access to these guides through your agency's security office or your organization's classification management team. They're usually specific to your agency or even your specific program.
2. Source Documents
Sometimes the guidance is right in front of you. Day to day, when you receive a classified document, that document itself carries classification instructions. The markings at the top — like "SECRET//NOFORN" or "TOP SECRET//SCI" — tell you exactly how that information is classified But it adds up..
When you use information from that document to create something new, you're expected to apply the same classification level to your new product. This is the most straightforward form of derivative classification: the source tells you what to do, you just follow it.
3. Agency Security Manuals and Policies
Beyond specific classification guides, your agency will have overarching policies that govern how classification works. These documents explain the overall framework — things like how to handle compromise incidents, what the declassification process looks like, and the general principles for determining classification levels.
Executive Order 13587, which deals with structural reforms to improve security of classified networks and sharing, is one example of a foundational policy. Your specific agency will have implementing regulations that expand on these principles That's the part that actually makes a difference..
How Derivative Classification Actually Works
Now that you know where to find the guidance, let's walk through how the process typically goes in practice.
Step one: identify your sources. What classified information are you working from? Are you pulling from a specific document with clear markings? Are you using a classification guide? Both? Make sure you've got the authoritative sources identified before you write anything And it works..
Step two: determine the classification level. This is where you apply what your sources tell you. If the source document is marked SECRET, and you're incorporating that exact information, your new document is SECRET. If you're paraphrasing or extracting, the general rule is to apply the highest level of classification that appears in the source material you're using Nothing fancy..
Step three: apply the correct markings. This includes the classification level, any control markings (like NOFORN or ORCON), and the date when the information will be automatically declassified if that applies. Markings aren't optional — they're the way others know how to handle what you've created.
Step four: review and validate. Before you finalize and distribute, someone with the appropriate clearance and training should review your work to confirm the classification is correct. This is where a classification authority or your security office can catch mistakes Worth keeping that in mind. That alone is useful..
The "Classification by Compilation" Angle
Here's something that trips people up: sometimes putting unclassified information together in a specific way creates a classified result. This is called classification by compilation, and it's a form of derivative classification.
Here's one way to look at it: maybe each individual fact in your document is unclassified — but when someone sees all of them together, they can piece together something sensitive. Which means in that case, the compilation itself needs to be classified. Your classification guide should address whether compilation applies to your subject area Small thing, real impact..
Common Mistakes People Make
After years of working with classification programs, certain errors come up over and over. Here's what to watch out for:
Using outdated classification guides. This is probably the most common mistake. Guides get updated, and what was classified last year might be declassified now — or the level might have changed. Always check you're working with the current version.
Over-classifying. Some people play it "safe" by classifying everything at a higher level than necessary. The problem? It clogs the system, makes it harder to share information that should be shared, and wastes resources. Only classify at the level actually required But it adds up..
Under-classifying. The opposite problem — not applying the protection the information actually needs. This is a security risk, plain and simple Less friction, more output..
Ignoring the markings on your source material. If you're working from a document that's marked SECRET//NOFORN, your derivative product needs those same markings. Don't pick and choose.
Not getting the required reviews. Some classifications require sign-off from a specific authority before the document can be released. Skipping this step is a violation of procedure Simple as that..
Practical Tips for Getting It Right
A few things that actually help in the real world:
- Build a relationship with your security office. They're not just the people who enforce rules — they're a resource. When you're unsure, ask. It's better to ask than to get it wrong.
- Keep a log of your classification guides. Note the version, the date, and where to find the latest update. This is especially important if you work across multiple programs.
- When in doubt, classify higher temporarily — then get clarification from a classification authority before finalizing. You can always降级 (downgrade) later, but you can't un-release information that's been compromised.
- Document your reasoning. Write a brief note explaining why you classified something at a particular level. This helps if someone questions your decision later — and it helps you think through whether you got it right.
FAQ
Can I derivatively classify information without a classification guide?
You can use the markings on your source documents as authority, but a classification guide is the more comprehensive resource. If you're regularly working in a specific subject area, you should have access to the relevant guide.
What if my source documents have different classification levels?
You apply the highest level among them. If you're pulling from one SECRET document and one TOP SECRET document, your derivative product is TOP SECRET.
Who can I ask if I'm unsure about the correct classification?
Start with your agency's security office or your organization's classification authority. That's literally what they're there for.
Does derivative classification apply to contractor employees?
Yes. If you're a contractor working with classified information, you follow the same rules. Your company should have a facility security officer who can guide you.
What happens if I get it wrong?
It depends on whether it was an honest mistake or willful misconduct. Day to day, errors are typically addressed through training and correction. Willful violations — like intentionally removing classification markings or sharing information you know is classified — are serious and can result in criminal prosecution Most people skip this — try not to..
The Bottom Line
Derivative classification isn't something you guess your way through. Which means the guidance exists — in classification guides, in your source documents, and in your agency's policies. Your job is to find the right source, apply it correctly, and get the reviews your process requires Small thing, real impact..
It's not complicated once you know where to look. The challenge is making it a habit — checking your sources every time, not just when you think you need to. That's what separates someone who does it right from someone who creates problems down the line.
When in doubt, ask your security office. That's what they're there for Most people skip this — try not to..
