The opinion of the court was delivered by: JOHN GARRETT PENN
This is an action under the Freedom of Information Act ("FOIA"), 5 U.S.C. section 552, in which plaintiff Vigdor Schreibman seeks access to records or documents pertaining to federal computer systems from defendant U.S. Department of Commerce ("DOC"). This case presently comes before the Court on a Motion to Dismiss filed by DOC. After careful consideration of the motion, the opposition thereto, and the entire record in this case, the Court concludes that the motion should be granted in part and denied in part.
On August 27, 1990, plaintiff filed a FOIA request with the National Institute of Standards and Technology ("NIST"). Plaintiff sought access to records regarding federal computer systems identified by the Land and Natural Resources Division of the Department of Justice pursuant to the Computer Security Act of 1987. Plaintiff also sought documents concerning plans for the security and privacy of those computer systems. Finally, plaintiff requested copies of the Presidential directive establishing data security policy and standards. On September 14, 1990, NIST provided plaintiff with a copy of the requested Presidential directive. NIST also informed plaintiff that the other records sought were exempt from disclosure. By letter dated August 27, 1990, plaintiff filed an administrative FOIA appeal. The appeal was decided by DOC on December 21, 1990. DOC advised plaintiff that the withheld documents were exempt from disclosure. DOC has withheld five documents in their entirety on the basis of exemptions (b)(2) and (b)(5) of FOIA. On February 14, 1991, plaintiff filed this suit alleging that the requested records have been improperly withheld.
Defendants argue that this case should be dismissed because no documents have been improperly withheld and the documents are exempt from public disclosure under FOIA exemptions 2 and 5. Although defendants have filed a motion to dismiss, the Court will treat the motion as one for summary judgment because the parties have submitted affidavits and other documents in support of their positions. A motion for summary judgment must be granted if "there is no genuine issue as to any material fact and . . . the moving party is entitled to a judgment as a matter of law." Fed. R. Civ. P. 56(c). The burden of justifying nondisclosure of requested documents in a FOIA case is placed upon the defendant agency. Summary judgment is appropriate where the agency's affidavits are sufficiently detailed to explain each properly claimed FOIA exemption. In addition, there must be no contradictory evidence on the record, nor evidence of bad faith on the part of the agency. Military Audit Project v. Casey, 211 App. D.C. 135, 656 F.2d 724, 728 (D.C. Cir. 1981). The Court must review the agency's claimed exemptions de novo, but afford affidavits "substantial weight" in the review. The agency must create as full a record as possible, with descriptions of the nature of documents and agency justifications for nondisclosure. The court must determine if there is a sufficient basis for making a decision.
DOC has submitted the Declaration of Dennis K. Branstad, Acting Chief of the Computer Security Division, National Institute of Standards and Technology (hereinafter "Branstad Declaration") pertaining to the files identified as responsive to plaintiff's request. The Branstad Declaration identifies those records which are responsive to plaintiff's FOIA request and explains the basis for the various FOIA exemptions invoked by DOC. The five documents withheld from disclosure are each titled "Computer Security Plan Review Project Comments and Recommendations." They contain an evaluation of the five computer security plans submitted to NIST by the Land and Natural Resources Division at the Department of Justice pursuant to the requirements of the Computer Security Act of 1987, 40 U.S.C. section 759. This Act requires each federal agency to identify its computer systems which are under their supervision and which contain sensitive information, and to develop a computer security plan to protect the system. Such plans are to be submitted to NIST and the National Security Agency for advice and comment. According to the Branstad Declaration, the five documents withheld from disclosure consist of the advice and comment that resulted from a review of the five computer security plans submitted by the Land and Natural Resources Division of the Department of Justice. These records note problems with the computer security plans and contain advice and recommendations on measures that can be taken to insure the security of the computer systems. In Branstad's view, these documents are classic "vulnerability assessments" and are exempt from public disclosure under FOIA.
First, the documents are "predominantly internal." The documents are evaluations created by one federal agency, NIST, for the sole purpose of advising another agency, the Land and Natural Resources Division at the Department of Justice. According to the Branstad Declaration, these assessments are not made available to any other individual or entity other than the agency that developed the security plan.
Also applicable is the second prong of the Crooker analysis, which protects material the disclosures of which would risk circumvention of lawful agency laws or regulations. In this case, the requested documents contain an assessment of the vulnerabilities of the computer security plans submitted by the Land and Natural Resources Division. If public disclosure were required, there would be a significant risk that the security required for the computer systems would be circumvented. The government correctly argues that if this information was disclosed to the public, there would be no constraint on the ability of persons to utilize this information to obtain unauthorized access to the system resulting in the potential alternation, loss, damage or destruction of data contained in the computer system. Such unauthorized access may result in damage to government programs in circumvention of the purposes of the Computer Security Act. Moreover, public disclosure of the contents of NIST's review of computer security plans may render such plans "operationally useless." See National Treasury Employees 's Union v. Customs Service, 255 App. D.C. 449, 802 F.2d 525, 530 (D.C. Cir. 1986). Consequently, the Court concludes that the withheld documents are exempt from disclosure under exemption 2 of FOIA.
Having made this determination, the Court will turn to plaintiff's claim that segregable factual portions of the five withheld documents were not released. Under FOIA, any reasonable segregable portion of a record must be provided to a requester after deletion of the portions which are exempt. 5 U.S.C. section 552(b). While plaintiff is not entitled to disclosure of the assessments of the computer security plans, defendants have not convinced the Court that these documents are not segregable. In his FOIA request, plaintiff sought two categories of documents. In addition to documents evaluating the security plans, plaintiff sought records regarding federal computer systems identified by the Land and Natural Resources Division. In the Court's view, portions of the documents which merely identify the computer systems, rather than the security plans, should be disclosed. Thus, the Court will require defendants to release to plaintiff all segregable factual portions of the documents which merely identify the Land and Natural Resources Division's computer systems. In view of the foregoing, the Court will grant defendant's motion for summary judgment in part and deny the motion in part. The Court will enter judgment for defendant with respect to its invocation of exemption 2 and further require defendant to release to the plaintiff segregable portions of the documents as described above.
An appropriate Order accompanies this Memorandum.