Who has the authority to classify information in the first place?
Classifying information is not something any employee can do on a whim. In the U.S. system, the power to mark information as classified is tightly controlled, flowing from law and executive policy down to a limited set of named officials.
Where the authority comes from
The framework for classifying national security information is set primarily by executive order, with oversight from the National Archives’ Information Security Oversight Office (ISOO). This system establishes who may classify, what categories of information qualify, and the rules everyone must follow. Agencies build their own internal guidance on top of that foundation, but they cannot exceed it.
Original classification authority
The right to classify information for the first time is called original classification authority (OCA). It is granted to a relatively small group of senior officials and must be delegated in writing.
- The President and Vice President hold it inherently.
- Agency heads and certain senior officials may receive it.
- Lower-level officials can be delegated OCA only when there is a genuine, demonstrated need.
An original classifier must determine that the information falls within a permitted subject area (for example, military plans, intelligence sources, or foreign relations) and that unauthorized disclosure could reasonably be expected to cause identifiable damage to national security. They also assign the classification level and set a duration for how long it stays classified.
Derivative classification
Most classification in practice is derivative, not original. When someone restates, paraphrases, or incorporates already-classified information into a new document, they carry forward the existing markings. This does not require OCA, but it does require following the source’s classification guidance accurately.
Built-in limits
The system deliberately constrains the power to classify:
- Information may not be classified to conceal violations of law, prevent embarrassment, or delay the release of information that does not need protection.
- Doubts are supposed to favor not classifying, or classifying at the lowest appropriate level.
- Every classification eventually faces declassification review.
Understanding who holds this authority helps explain why declassification is a structured, accountable process rather than a simple reversal. You can explore related concepts on the declassification topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Information Security Oversight Office (ISOO) — National Archives (NARA)
- Records management laws — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). Who has the authority to classify information in the first place?. Records Management University. https://www.recordsmgmt.org/questions/who-has-authority-to-classify-information/
MLA
RM University Editorial. "Who has the authority to classify information in the first place?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-has-authority-to-classify-information/.
Related questions
- Can a hospital or research university hold classified records, and how do FCL and HIPAA rules interact?
- Can a law firm representing a government client retain classified discovery, and who declassifies it after the case?
- Can a multinational company use ISO 15489 as a single recordkeeping standard across all of its countries?
- Can a private citizen request that a specific classified record be declassified?
- Can AI and machine learning reliably assist with declassification review of classified records?