Need to know is a government and intelligence community term designed to keep snoops and sneaks out. Just because you have a security clearance doesn’t mean you need to know all classified information. Much like the term security clearance (which is a fancy way of saying ‘eligibility to access classified information’) need to know is more of an informal colloquialism vs. a policy designation.
What are SCI and SAP?
Perhaps you’ve heard the term Sensitive Compartmented Information, or SCI. SCI is an access determination granted to certain cleared individuals. This type of information requires special access controls – which might just be considered a fancy form of need to know. Just because you have a security clearance does not mean you have access to SCI. Similarly, SAP refers to a Special Access Program. Just because you have a clearance doesn’t mean you have access to any and every SCI or SAP program – you generally have to meet specific security and suitability criteria governed by the agency and organization controlling the program. In other words – you need to have need to know.
In the wake of Reality Winner stuffing classified information into her pantyhose, and Edward Snowden sharing passwords to sneak secrets to the press, need to know increases in importance. More agencies are looking to how to reduce the number of individuals holding security clearances, and specifically security clearances at the highest levels. Both government agencies and contractors are also considering more closely what their ‘crown jewel’ programs are – and making sure only those with need to know have access.
Need to know can be an annoying term if it’s thrown around by squirrely security officers and program managers. But the heart of the policy is a good one: protecting classified information. So, if you don’t have need to know? You don’t need to know.