But the SF86 isn't actually classified. It's just Privacy Act information and FOUO. The Privacy Act says how to protect other people's information and FOUO means "For Official Use Only," but he's not breaking any laws by having his own SF86 on a public email service. He's fine as long as he isn't using it for unofficial business (which I'm not sure how) and he doesn't have other people's SF86 .

Thanks for this clarifying comment. Open issue IMHO is if CIA's "actual process" is subject to levels of scrutiny/protection beyond the statuatory minimum(s). This being an exec appointment w/ senate confirmation etc.