ODNI Releases Intelligence Community Procedures Implementing New Safeguards in Executive Order 14086
July 3, 2023 - The Office of the Director of National Intelligence (ODNI), in coordination with elements of the Intelligence Community (IC), today releases the IC elements’ policies and procedures to implement the privacy and civil liberties safeguards specified in Executive Order 14086 “Enhancing Safeguards for United States Signals Intelligence Activities” (October 7, 2022).
When the President signed Executive Order (EO) 14086, the White House released a statement that the EO “direct[s] the steps that the United States will take to implement the U.S. commitments under the European Union-U.S. Data Privacy Framework (EU-U.S. DPF).” The statement continued that the EO “bolsters an already rigorous array of privacy and civil liberties safeguards for U.S. signals intelligence activities.” EO 14086 added further safeguards for U.S. signals intelligence activities, including that such activities: “take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence” and “be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.” The Order mandates handling requirements and extends compliance and oversight responsibilities.
The IC elements’ procedures released today further implement the EO’s requirements, and thereby the United States’ commitments under the EU-U.S. DPF. As required by the EO, each IC element developed its procedures in consultation with the Attorney General, the ODNI Civil Liberties Protection Officer (CLPO), and the Privacy and Civil Liberties Board. In implementing the EO’s safeguards, each set of procedures is tailored to the authorities, missions, and responsibilities of the IC elements.
Additional Information
Also today, Attorney General Merrick Garland designated the European Union and the three additional countries (Iceland, Liechtenstein, and Norway) making up the European Economic Area (EEA) as ‘qualifying states’ for purposes of implementing the redress mechanism established under Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities. The Attorney General’s designation of the EU/EEA as qualifying states enables EU/EEA individuals to use the redress mechanism established under the Executive Order if they believe they have been unlawfully targeted by U.S. signals intelligence activities. For information about the designation, please see the Department of Justice website at https://www.justice.gov/opcl/redress-data-protection-review-court.
IC Elements’ EO 14086 Procedures
Central Intelligence Agency (CIA) Procedures
Drug Enforcement Administration (DEA) Office of National Security Intelligence (ONSI) Procedures
Federal Bureau of Investigation (FBI) Procedures
National Reconnaissance Office (NRO) Procedures
National Security Agency (NSA) Procedures
Office of the Director of National Intelligence (ODNI) Procedures
Department of Energy Office of Intelligence and Counterintelligence (IN) Procedures
Department of Homeland Security (DHS) Office of Intelligence and Analysis (IA) Procedures
Department of Homeland Security (DHS) United States Coast Guard (USCG) Procedures
Department of State Bureau of Intelligence and Research (INR) Procedures
Department of Treasury Office of Intelligence and Analysis (OIA) Procedures
UNCLASSIFIED
Executive Order 14086 Implementing Policy and Procedures
DEPARTMENT OF ENERGY OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE
DOE-IN POLICY GUIDANCE
NUMBER 28.2
Intelligence and Counterintelligence
POLICY AND PROCEDURES IMPLEMENTING EXECUTIVE ORDER 14086 REGARDING USE, MAINTENANCE AND HANDLING OF SIGNALS INTELLIGENCE INFORMATION
(Effective: June 27, 2023)
A. INTRODUCTION: Executive Order (E.O.) 14086, Enhancing Safeguards for United States Signals Intelligence Activities (October 7, 2022), bolsters privacy and civil liberty safeguards for U.S. signals intelligence activities and creates an independent and binding mechanism enabling individuals in qualifying states (defined as countries and regional economic integration organizations), as designated under the E.O., to seek redress through the submission of a qualifying complaint if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law. Among other provisions, Section 2(c)(iv) of E.O. 14086 requires the head of each element of the Intelligence Community (IC) to: continue to apply relevant policies and procedures issued pursuant to Presidential Policy Directive 28 of January 17, 2014; update those policies and procedures as necessary to implement the privacy and civil liberties safeguards in E.O. 14086; and release the updated policies and procedures publicly to the maximum extent possible.
This document constitutes the updated policies and procedures of the Department of Energy, Office of Intelligence and Counterintelligence (DOE-IN). DOE-IN is an element of the IC pursuant to Section 3 of the National Security Act of 1947, as amended, and Section 3.5(h) of
E.O. 12333, as amended.
DOE-IN provides all-source intelligence analysis and information to support the Secretary of Energy and other Department officials and is responsible for all intelligence and counterintelligence activities throughout the DOE complex, including nearly thirty
intelligence and counterintelligence offices nationwide. DOE-IN protects vital national security information and technologies, representing intellectual property of incalculable value; provides leading-edge, scientifically-based and technically-sound foreign nuclear and
energy security intelligence analysis that enables U.S. policy makers to address critical national security issues; serves in a liaison capacity for DOE with the IC and represents the
Department in a variety of intelligence-related fora; and manages and operates the
Department's Top Secret/Sensitive Compartmented Information network.
B. AUTHORITY: Pursuant to Section 1.7(i) of E.O. 12333, as amended, DOE-IN is to
"[c]ollect (overtly or through publicly available sources), analyze, produce, and disseminate
information, intelligence, and counterintelligence to support national and departmental
missions."
DOE-IN is not authorized to conduct - and does not conduct - signals intelligence collection
activities. However, DOE-IN is authorized to receive intelligence reporting containing
signals intelligence from other IC agencies authorized to collect such intelligence.
C. PURPOSE: This policy guidance replaces DOE-IN Policy Guidance 28.1, Implementation
of PPD-28, and updates DOE-IN's policies and procedures related to the use, maintenance,
and handling of signals intelligence information. This policy guidance fulfills the necessity
and proportionality requirements of E.O. 14086, Section 2(a)(ii)-(iii).
D. APPLICABILITY: This policy guidance applies to all components of DOE-IN including
Headquarters, Field Intelligence Elements, and Counterintelligence Field Offices. These
policies and procedures shall be used by all DOE-IN employees and contractors, and
employees of other elements or departments who are detailed to DOE-IN and perform DOE-IN
work under the direction and supervision of DOE-IN.
E. PROCEDURES TO SAFEGUARD PERSONAL INFORMATION COLLECTED
THROUGH SIGNALS INTELLIGENCE: The following policies and procedures apply
to DOE-IN's safeguarding of personal information of non-U.S. persons collected through
signals intelligence activities.[1]
1. Minimization. DOE-IN does not access unevaluated, raw, or unminimized
signals intelligence under DOE authorities, including signals intelligence
collected in bulk. However, it may receive, from other IC elements, signals
intelligence information[2] that has been evaluated, minimized, or otherwise
included in finished intelligence products subject to - among other requirements -
the provisions of E.O. 14086.
[1] References to signals intelligence and signals intelligence activities in this document also apply to intelligence collected and
activities conducted pursuant to Section 702 of the Foreign Intelligence Surveillance Act. These procedures do not alter the
rules applicable to U.S. persons found in the Foreign Intelligence Surveillance Act, E.O. 12333, DOE-IN's
guidelines approved by the Attorney General pursuant to Sec. 2.3 of E.O. 12333, or other applicable law.
[2] Absent signals intelligence classification caveats or warnings, whether an evaluated or finished intelligence
product received from another intelligence agency contains signals intelligence is sometimes unknown.
2. Dissemination. DOE-IN will disseminate personal information of non-U.S.
persons collected through signals intelligence activities only if dissemination of
comparable information concerning U.S. persons would be permitted under
Section 2.3 of E.O. 12333 and the Attorney General approved guidelines, the
DOE Procedures for Intelligence Activities. DOE-IN will disseminate personal
information concerning a non-U.S. person on the basis that it is foreign
intelligence or counterintelligence only if the information relates to an authorized
intelligence requirement and not solely because of the person's foreign nationality
or country of residence. Unless it possesses specific information to the contrary,
DOE-IN will presume that any evaluated or minimized signals intelligence
information it receives from other IC elements that have adopted procedures to
implement E.O. 14086 meets these standards. DOE-IN shall disseminate within
the U.S. Government personal information collected through signals intelligence
only if an authorized and appropriately trained individual has a reasonable belief
that the personal information will be appropriately protected and that the recipient
has a need to know the information. DOE-IN shall take due account of the
purpose of the dissemination, the nature and extent of the personal information
being disseminated, and the potential for harmful impact on the person or persons
concerned before disseminating personal information collected through signals
intelligence to recipients outside the U.S. Government, including a foreign
government or international organization. Personal information collected through
signals intelligence activities will not be disseminated for the purpose of
circumventing the provisions of E.O. 14086. For purposes of these policies and
procedures, "dissemination" shall mean the transmission, communication,
sharing, or passing of information outside of DOE-IN by any means, including
oral, electronic, or physical.
3. Retention and Deletion. DOE-IN will retain personal information of non-U.S.
persons collected through signals intelligence activities only if retention of
comparable information concerning U.S. persons would be permitted under
applicable law and the DOE Procedures for Intelligence Activities. DOE-IN will
retain personal information concerning a non-U.S. person on the basis that it is
foreign intelligence or counterintelligence in accordance with applicable DOE-IN
policies and procedures, consistent with Section 2(c)(iii)(A)(2) of E.O. 14086,
including that information relate to an authorized intelligence requirement and not
be retained solely because of the person's foreign nationality or country of
residence. Unless it possesses specific information to the contrary, DOE-IN will
presume that any evaluated or minimized signals intelligence information it
receives from other IC elements that have adopted procedures to implement E.O.
14086 meets these standards. DOE-IN will retain such information in accordance
with applicable record retention policies and shall subject it to the same retention
periods that would apply to comparable information concerning U.S. persons.
Non-U.S. person information collected through signals intelligence that does not
meet the threshold for retention by DOE-IN, will be deleted in accordance with
deletion policy standards and procedures for USPI consistent with E.O. 14086
Section 2(c)(iii)(A)(2)(c). For purposes of these policies and procedures,
"retention" shall mean the maintenance of signals intelligence containing non-U.S.
person information in either hard copy or electronic format.
4. Data Access and Security. Access to all personal information collected through
signals intelligence activities - irrespective of the nationality of the person whose
information is collected - is restricted to those personnel who have a need to
access that information in the performance of authorized duties in support of
DOE-IN or Department missions. Such information will be maintained in either
electronic or physical form in secure facilities protected by physical and
technological safeguards, and with access limited by appropriate security
measures. Such information will be safeguarded in accordance with applicable
laws, rules, and policies, including those of DOE-IN, the Department, and the IC.
Classified information will be stored appropriately in a secured, certified, and
accredited facility, in secured databases or containers, and in accordance with
other applicable requirements. DOE-IN's electronic system in which such
information may be stored will comply with applicable law, Executive Orders,
and IC and Department policies and procedures regarding information security,
including with regard to access controls and monitoring.
The DOE-IN Chief Information Officer and DOE-IN Chief Information Security
Officer, in consultation with the DOE-IN Civil Liberties and Privacy Officer
(CLPO) and DOE Assistant General Counsel for International and National
Security Programs (GC-74), will ensure that the electronic systems in which
signals intelligence information is stored are certified under and adhere to
established standards.
5. Data Quality. Personal information collected through signals intelligence
activities - where such information can be so identified - shall be included in
DOE-IN intelligence products only as consistent with applicable IC standards of
analytic tradecraft, including such standards for accuracy and objectivity, as set
forth in relevant directives, including Intelligence Community Directive 203,
Analytic Standards. Particular care should be taken to apply standards relating to
the relevance, quality, and reliability of the information, consideration of
alternative sources of information and interpretations of data, and objectivity in
performing analysis.
F. OVERSIGHT: The DOE-IN CLPO shall review implementation of these policies and
procedures annually, focusing particularly on relevant provisions of E.O. 14086 regarding
privacy and civil liberties, and shall report to the Director, DOE-IN regarding the application
of the safeguards contained herein and in E.O. 14086 more generally, as applicable.
All DOE-IN personnel should report potential instances of non-compliance with these
policies and procedures to the DOE-IN CLPO. The DOE-IN CLPO, in coordination with
GC-74, shall promptly report instances of non-compliance to relevant entities to ensure their
remediation, consistent with existing reporting requirements under applicable law, regulation,
Presidential direction, and policy. Should the DOE-IN CLPO, in coordination with GC-74,
determine that an incident of non-compliance is a "significant incident of non-compliance"
as defined in Section 4 of E.O. 14086, the DOE-IN CLPO shall promptly report it to the
Director, DOE-IN, and the Director of National Intelligence, who shall ensure that any
necessary actions are taken to remediate it and prevent its recurrence and shall further ensure
that any other relevant officials are notified, as appropriate.
G. TRAINING: DOE-IN personnel whose duties require access to information collected
through signals intelligence activities will receive annual training on the requirements of
these policies and procedures. Successful completion of such training is a prerequisite to
initial and continued access, and DOE-IN will monitor completion of training requirements
to ensure compliance with this provision.
H. ASSISTANCE TO THE OFFICE OF THE DIRECTOR OF NATIONAL
INTELLIGENCE CIVIL LIBERTIES AND PRIVACY OFFICER (ODNI CLPO):
DOE-IN components shall provide the ODNI CLPO with access to information necessary to
conduct the reviews described in either Section 3(c)(i) or Section 3(d)(i) of E.O. 14086,
consistent with the protection of intelligence sources and methods. DOE-IN personnel shall
not take any action designed to impede or improperly influence the ODNI CLPO's review of
qualifying complaints, or the Data Protection Review Court's review of the ODNI CLPO's
determination of such pursuant to the Signals Intelligence Redress Mechanism. DOE-IN
components shall comply with any ODNI CLPO determination to undertake appropriate
remediation, subject to any contrary determination by the Data Protection Review Court, and
further, shall comply with any determination by a Data Protection Review Court panel to
undertake appropriate remediation.
I. ASSISTANCE TO THE PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD:
DOE-IN components shall provide the Privacy and Civil Liberties Oversight Board with
access to information necessary to conduct the annual review of the signals intelligence
redress mechanism described in Section 3(e) of E.O. 14086, consistent with the protection
of intelligence sources and methods.
J. DEVIATIONS FROM THESE PROCEDURES: The Director, DOE-IN together with
GC-74 must approve in advance any departures from these procedures, after consultation
with ODNI and the National Security Division of the Department of Justice. If there is not
time for such approval and a departure from these procedures is necessary because of the
immediacy or gravity of a threat to the safety of persons or property or to the national
security, the Director, DOE-IN may approve a departure from these procedures. GC-74 will
be notified as soon thereafter as possible. DOE-IN will also provide prompt written notice of
any such departures stating why advance approval was not possible and describing the
actions taken to ensure activities were conducted lawfully to ODNI and the National Security
Division of the Department of Justice. Notwithstanding this paragraph, all activities in all
circumstances must be carried out in a manner consistent with the Constitution and laws of
the United States, and E.O. 12333 and E.O. 14086.
K. INTERPRETATION: These procedures are set forth solely for internal guidance within
DOE-IN. Questions on the applicability or interpretation of these procedures should be
directed to the DOE-IN CLPO, who shall determine such applicability or interpretation, in
consultation with GC-74, as appropriate.
L. EFFECTIVE DATE: This policy is effective upon signature.
SIGNATURE AND DATE.
Director
Office of Intelligence and Counterintelligence
Department of Energy
PDF File: /assets/documents/702-documents/oversight/Energy_INPG_EO_14086_Policy.pdf
UNCLASSIFIED
(U) NSA/CSS POLICY 12-3 ANNEX C
SUPPLEMENTAL PROCEDURES FOR THE COLLECTION, PROCESSING, QUERYING, RETENTION, AND DISSEMINATION OF SIGNALS INTELLIGENCE INFORMATION AND DATA CONTAINING PERSONAL INFORMATION OF NON-UNITED STATES PERSONS
(U) 29 June 2023 (See Document History.)
OFFICE OF PRIMARY INTEREST: (U) Civil Liberties, Privacy, and Transparency (D5), 969-8225 (secure)
RELEASABILITY: (U) No section of this document shall be released without approval from the Office of Policy (P12). The official document is available on the Office of Policy website ("go policy").
AUTHORITY: (U) Paul M. Nakasone, General, U.S. Army; Director, NSA/Chief, CSS
ISSUED: (U) 29 June 2023
(U) PURPOSE AND SCOPE
1. (U) This policy prescribes binding policy guidance for NSA/CSS personnel and other members of the United States Signals Intelligence (SIGINT) System (USSS) that implements Executive Order 14086, "Enhancing Safeguards for United States Signals Intelligence Activities" (Reference a), and National Security Memorandum (NSM)-14, "National Security Memorandum on Partial Revocation of Presidential Policy Directive 28" (Reference b), which revoked Presidential Policy Directive (PPD) 28, "Signals Intelligence Activities" (Reference c), except for sections 3 and 6 of that directive and the Classified Annex to that directive, which remain in effect.
2. (U) The Supplemental Procedures included in this policy address the privacy and civil liberties safeguards required by Executive Order 14086 (Reference a) for U.S. SIGINT activities, including orders of and procedures approved by the Foreign Intelligence Surveillance Court. These Supplemental Procedures must be followed for all SIGINT activities of NSA/CSS or the USSS authorized under Executive Order 12333, "United States Intelligence Activities" (Reference d), the Foreign Intelligence Surveillance Act (Reference e), or other authorities.
3. (U) This policy applies to all NSA/CSS employees and all elements of the USSS and shall be applied consistent with the scope of PPD-28's (Reference c) application to such activities prior to PPD-28's partial revocation by NSM-14 (Reference b).
4. (U) If an NSA/CSS official determines that a departure from these procedures is necessary because of the immediacy or gravity of a threat to the safety of persons or property or to the national security, they may approve an emergency departure from these procedures but must notify the Director, NSA/Chief, Central Security Service (DIRNSA/CHCSS), the NSA General Counsel (D2), and the NSA Civil Liberties, Privacy, and Transparency (CLPT, D5) Director as soon thereafter as possible. The NSA General Counsel will provide prompt written notice of any departures stating why advance approval was not possible and describing the actions taken to ensure activities were conducted lawfully to the Office of the Director of National Intelligence (ODNI) General Counsel and the Assistant Attorney General for National Security.
(U) POLICY
5. (U) In recognition that SIGINT activities must take into account that all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information as required by Executive Order 14086 (Reference a), the USSS shall:
a. (U) Conduct SIGINT collection activities only following a determination that a specific SIGINT collection activity, based on a reasonable assessment of all relevant factors, is necessary to advance a validated intelligence priority in the National Intelligence Priorities Framework (NIPF) or any successor framework (as determined in accordance with the terms of the National Security Act of 1947, as amended, (Reference f) and other applicable laws and policy direction), although SIGINT does not have to be the sole means available or used for advancing aspects of the validated intelligence priority;
b. (U) Conduct SIGINT activities only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized, with the aim of achieving a proper balance between the importance of the validated intelligence priority being advanced and the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside;
c. (U) Conduct SIGINT collection activities only in pursuit of one or more of the legitimate objectives listed in section 2(b)(i) of Executive Order 14086 (Reference a);
d. (U) Conduct SIGINT collection activities only as validated in accordance with the process identified in section 2(b)(iii) of Executive Order 14086 (Reference a); and
e. (U) Not conduct SIGINT collection activities for the purposes of prohibited objectives listed in section 2 of Executive Order 14086 (Reference a), including for the purposes of:
1) (U) suppressing or burdening criticism or dissent, or the free expression
of ideas or political opinions by individuals or the press;
2) (U) suppressing or restricting legitimate privacy interests;
3) (U) suppressing or restricting a right to legal counsel;
4) (U) disadvantaging persons based on their ethnicity, race, color, gender,
gender identity, sexual orientation, or religion; or
5) (U) affording a competitive advantage to United States companies or
United States business sectors commercially.
6. (U) SIGINT collection activities shall be as tailored as feasible to advance foreign
intelligence requirements that have been approved in the manner prescribed by Executive Order
14086 (Reference a), National Security Act of 1947 (Reference f), and other applicable laws and
policy direction.
(U) SUPPLEMENTAL PROCEDURES
7. (U) The following safeguards, which apply to the collection, processing and querying,
retention, and dissemination of SIGINT by any element of NSA/CSS or the USSS, implement
the principles articulated in sections 2(a)(ii) and (iii) of Executive Order 14086 (Reference a).
(U) Collection
8. (U) In determining whether to collect SIGINT, all elements of NSA/CSS and the
USSS shall consider the availability, feasibility, and appropriateness of other less intrusive
sources and methods for collecting the information necessary to advance a validated intelligence
priority, including from diplomatic and public sources. Such alternatives to SIGINT shall be
prioritized.
9. (U) Whenever practicable, SIGINT collection will occur through the use of one or
more selection terms in order to focus the collection on specific foreign intelligence targets (e.g.,
a specific, known international terrorist or terrorist group) or specific foreign intelligence topics
(e.g., the proliferation of weapons of mass destruction by a foreign power or its agents).
10. (U) Application of privacy and civil liberties safeguards to the collection of
SIGINT. Consistent with U.S. SIGINT Directive (USSID) 18, "Protection of Civil Liberties and
Privacy of U.S. Person Information When Conducting SIGINT Missions" (Reference g), and
section 2 of Department of Defense Manual (DoDM) S-5240.01-A, "Procedures Governing the
Conduct of DoD Intelligence Activities: Annex Governing Signals Intelligence Information and
Data Collected Pursuant to Section 1.7(c) of E.O. 12333" (Reference h), targeted SIGINT
collection shall be prioritized over bulk SIGINT collection. For example, NSA/CSS will conduct
targeted collection using selection terms whenever practicable. NSA shall only engage in bulk
collection upon a determination that it is necessary to engage in bulk collection in order to
advance a validated intelligence priority. In addition to confirming advancement of a validated
intelligence priority and considering alternatives to SIGINT, when conducting collection or
developing SIGINT collection techniques, NSA/CSS employees and USSS personnel are further
required to consider all of the following:
a. (U) Methods to limit the types and aspects of the information collected to those
necessary and proportionate to one or more of the legitimate objectives listed in section 2
of Executive Order 14086 (Reference a) (or any authorized updates to the list or new
priorities established consistent with the criteria in section 2 of Executive Order 14086
(Reference a));
b. (U) Whether mission requirements can be met by filtering non-pertinent
information as soon as practicable after collection; and
c. (U) Whether additional approvals or civil liberties and privacy protections are
needed to ensure that collection is conducted consistent with the principles listed in
section 2(a), including that it is necessary and proportionate to one or more of the
legitimate objectives listed in section 2 of Executive Order 14086 (Reference a) (or any
authorized updates to the list or new priorities established consistent with the criteria in
section 2 of Executive Order 14086 (Reference a)), and, if so, the USSS entities
responsible for implementing those requirements. These requirements apply regardless of
whether a specific SIGINT collection activity will be performed through targeted
collection or bulk collection.
11. (U) Bulk collection of SIG INT. Bulk collection may not be undertaken as part of a
SIG INT collection activity authorized pursuant to section 702 of the Foreign Intelligence
Surveillance Act of 1978 (Reference e). Moreover, when SIGINT collection is necessary to
advance a validated intelligence priority, targeted collection shall be prioritized over bulk
collection. If a determination is made that NSA/CSS or another element of the USSS must
engage in bulk collection in order to advance a validated intelligence priority ( e.g., an
international terrorist target engages in activities to conceal the target's communications methods
so bulk collection is necessary to discover how the target is communicating), the bulk collection
shall, nevertheless, be as circumscribed as possible, proportionate to the intelligence objective,
and occur only for the minimum period of time the collection element determines is necessary to
satisfy the objective. Unless further authorized by the President in light of new national security
imperatives, such as new or heightened threats to the national security of the United States,
information collected through bulk SIG INT collection may only be used for one or more of the
following objectives consistent with section 2(c)(ii)(C) of Executive Order 14086 (Reference a):
a. (U) Counterterrorism: protecting against terrorism conducted by or on
behalf of a foreign government, foreign organization, or foreign person;
b. (U) Rescue and recovery of captives: protecting against the taking of
hostages, and the holding of individuals captive (including the identification, location,
and rescue of hostages and captives) conducted by or on behalf of a foreign government,
foreign organization, or foreign person;
c. (U) Hostile foreign or other intelligence activities: protecting against
espionage, sabotage, assassination, or other intelligence activities conducted by, on behalf
of, or with the assistance of, a foreign government, foreign organization, or foreign
person;
d. (U) Counterproliferation of weapons of mass destruction: protecting
against threats from the development, possession, or proliferation of weapons of mass
destruction or related technologies and threats conducted by, on behalf of, or with the
assistance of, a foreign government, foreign organization, or foreign person;
e. (U) Cybersecurity threats: protecting against cybersecurity threats created or
exploited by, or malicious cyber activities conducted by or on behalf of a foreign
government, foreign organization, or foreign person;
f. (U) Threats of harm: protecting against threats to the personnel of the United
States or of its allies or partners;
g. (U) Transnational crime: protecting against transnational criminal threats,
including illicit finance and sanction evasion related to one or more of the objectives
listed in section 2 of Executive Order 14086 (Reference a).
12. (U) Bulk SIGINT Collection Considerations. Consistent with the SIGINT
collection considerations included in section 2 of DoDM S-5240.01-A (Reference h), in any
circumstance when application of the above procedures results in a determination that it is
necessary for the USSS to engage in bulk collection of SIGINT in order to advance a validated
intelligence priority, bulk collection must be limited to circumstances where the NSA Director,
or designees, in consultation with the NSA CLPT Director, determines all of the following:
a. (U) the information cannot reasonably be obtained by targeted collection or
alternatives to SIGINT;
b. (U) the information is necessary to advance a validated intelligence priority
identified in section (c)(ii)(B) of Executive Order 14086 (Reference a) or authorized by
the President in light of new national security imperatives, such as new or heightened
threats to the national security of the United States as provided for at section 2(c)(ii)(C)
in Executive Order 14086 (Reference a); and
c. (U) reasonable methods and technical measures to limit the data collected to
only what is necessary to advance a validated intelligence priority, while minimizing the
collection of non-pertinent information, will be applied.
13. (U) Consistent with the SIGINT collection considerations included in section 2 of
DoDM S-5240.01-A (Reference h) and section 2(b)(ii)(D) of Executive Order 14086
(Reference a), the data acquired as part of a targeted SIGINT collection activity that temporarily
uses data acquired without the use of discriminants (e.g., without specific identifiers or selection
terms) may only be used to support the initial technical phase of the targeted SIGINT collection
activity and retained for the short period of time required to complete this phase and thereafter
must be deleted.
(U) Processing and Querying
14. (U) Data security and access. Consistent with existing requirements in section 6 of
DoDM S-5240.01-A (Reference h) and pursuant to requirements in section 2(c)(iii)(B) of
Executive Order 14086 (Reference a), all personal information collected through SIGINT shall:
a. (U) Be processed and stored under conditions that include auditing and internal
controls to limit access to authorized personnel who have received appropriate training
and have a need to know the information to perform their mission;
b. (U) Be accessed only by individuals who have been approved by supervisory or
other appropriate personnel; and
c. (U) When no final retention determination has been made, be accessed only in
order to make or support such a determination or to conduct authorized administrative,
testing, development, security, or oversight functions, including compliance functions.
15. (U) Queries of SIGINT collection. Consistent with the SIGINT processing and
query requirements included in section 3 of DoDM S-5240.01-A (Reference h), queries of
information acquired through SIGINT may be conducted by the USSS for the legitimate
objectives of identifying foreign intelligence, counterintelligence, and support to military
operations purposes and for the purpose of protecting the safety or enabling the recovery of a
person reasonably believed to be held captive outside the United States. Queries of SIGINT
obtained pursuant to authorizations issued under the authority of the Foreign Intelligence
Surveillance Act (Reference e) must conform to these procedures and any additional
requirements imposed by applicable procedures adopted and approved in the manner prescribed
by the Foreign Intelligence Surveillance Act (Reference e), including the documentation of
justifications, to the extent reasonable, as provided for by this policy.
a. (U) Queries using selection terms that identify any person. Further
consistent with existing requirements in section 3 of DoDM S-5240.01-A (Reference h),
queries using selection terms that identify any person, regardless of nationality or
wherever they might reside, shall be designed to defeat, to the extent practicable under
the circumstances, the retrieval of personal information that is not relevant, necessary,
nor proportionate to advance a validated intelligence priority listed in section 2(a)(ii) of
Executive Order 14086 (Reference a) (or any authorized updates to the list or new
priorities established consistent with the criteria in section 2 of Executive Order 14086
(Reference a)).
b. (U) Queries of bulk SIGINT Collection. In addition to the above
requirements, queries of information acquired through bulk SIGINT collection must be
consistent with the permissible uses of SIGINT obtained in bulk as specified in section
2(c)(ii) of Executive Order 14086 (Reference a), including taking into account the impact
on the privacy and civil liberties of all persons, regardless of nationality or where they
might reside.
(U) Retention
16. (U) Application of privacy and civil liberties safeguards to the retention of non-U.S.
persons' personal information. Non-U.S. persons' personal information collected through
SIGINT may be retained only if the retention of comparable U.S. person information is permitted
under section 4 of DoDM S-5240.01-A (Reference h), including the retention periods applicable
to unevaluated SIGINT for which no final retention period has been made. Personal information
of non-U.S. persons collected through SIGINT that does not meet these requirements shall be
deleted. Personal information of a non-U.S. person retained on the basis that it is foreign
intelligence must relate to an authorized intelligence requirement and cannot be retained solely
because of the non-U.S. person's foreign status.
(U) Dissemination
17. (U) All SIGINT products and services shall be written so as to focus solely on the
provision of foreign intelligence to support national and departmental missions, including
support for the conduct of military operations, hostage recovery efforts, or like purposes.
18. (U) The USSS may not disseminate personal information collected through SIGINT
solely because of the persons' nationality or country of residence or for the purpose of
circumventing Executive Order 14086 (Reference a). Disseminations to U.S. Government
personnel must be limited to recipients who are reasonably believed to appropriately protect and
have a need to know the information. Disseminations to recipients outside of the U.S.
Government shall only occur after NSA/CSS and USSS personnel take due account of the
purpose of the dissemination, the nature and extent of the personal information being
disseminated, and the potential for harmful impact on the person or persons concerned, before
disseminating personal information collected through SIGINT.
19. (U) Application of privacy and civil liberties safeguards to the dissemination of
non-U.S. persons' personal information. Non-U.S. persons' personal information collected
through SIGINT may only be disseminated in accordance with Executive Order 14086
(Reference a) and consistent with existing requirements in section 5 of DoDM S-5240.01-A
(Reference h) and other applicable Intelligence Community (IC) and USSS dissemination
standards and directives.
20. (U) Data quality. Consistent with existing requirements in DoDM S-5240.01-A
(Reference h) and Executive Order 14086 (Reference a), for data quality purposes, the USSS
elements that handle personal information collected through SIGINT shall include such personal
information in intelligence products only as consistent with applicable IC standards of analytic
tradecraft, for accuracy and objectivity, as set forth in relevant directives, including IC Directive
203, "Analytic Standards" (Reference i), with a focus on applying standards relating to the
quality and reliability of the information, consideration of alternative sources of information and
interpretations of data, and objectivity in performing analysis.
(U) Oversight and Training
21. (U) Documentation. In order to facilitate the oversight processes included in
Executive Order 14086 (Reference a), the USSS shall maintain documentation for each of its
SIGINT collection activities to the extent reasonable in light of the nature and type of collection
at issue and the context in which it is collected. The content of any such documentation may vary
based on the circumstances, but shall, to the extent reasonable, provide the factual basis under
which the USSS has, based on a reasonable assessment of all relevant factors, assessed that the
SIGINT collection activity is necessary to advance a validated intelligence priority. For example,
the content of documentation will likely differ depending upon the specific type of SIGINT
collection activity, the location at which the activity is conducted, and the element of NSA/CSS
or the USSS carrying out the SIGINT collection activity. However, consistent with existing
requirements in section 5 of DoDM S-5240.01-A (Reference h), NSA/CSS and USSS personnel
will document and annually review the use of selection terms as the basis for collection to ensure
compliance with applicable authorities, including Executive Order 14086 (Reference a).
22. (U) Legal, oversight, cybersecurity, and compliance officials. NSA has multiple
senior-level legal, oversight, cybersecurity, and compliance officials, as further addressed in the
responsibilities section of this policy, that meet or exceed all requirements of Executive Order
14086 (Reference a), including ensuring that such officials have access to all information
pertinent to carrying out their compliance and oversight responsibilities, that appropriate actions
are taken to remediate an incident of non-compliance, and that such officials are free from
actions designed to impede or improperly influence their oversight responsibilities.
23. (U) Noncompliance. As determined by the NSA Director of Compliance, or
designee, after coordination with the NSA CLPT Office (D5) and NSA Office of General
Counsel (OGC, D2), when a significant issue of noncompliance arises involving personal
information of any person, regardless of nationality, collected as a result of SIGINT activities,
the issue shall, in addition to any existing reporting requirements, be reported promptly to
DIRNSA or DIRNSA's designee, for follow-on reporting to ODNI, DoD, the Department of
Justice, and/or the Foreign Intelligence Surveillance Court in accordance with Executive Order
14086 (Reference a), applicable implementing guidance, and other applicable laws, policies, and
procedures.
24. (U) Training. Consistent with other existing requirements and section 2(c)(iii)(B)(2)
of Executive Order 14086 (Reference a), all NSA/CSS employees and USSS personnel with
access to unevaluated SIGINT shall receive training that includes knowing and understanding the
requirements of Executive Order 14086 (Reference a). Such training is a prerequisite to initial
and continued access and includes policies and procedures for reporting and remediating
incidents of noncompliance. Existing PPD-28 (Reference c) training will be updated, as
appropriate, to reflect the issuance of Executive Order 14086 and National Security
Memorandum 14 (References a and b), and the Supplemental Procedures included in this policy.
NSA will monitor completion of training requirements to ensure compliance with this provision.
25. (U) Redress. All USSS elements shall provide the ODNI Civil Liberties and Privacy
Office (CLPO) with access to any information necessary to conduct the reviews described in
sections 3(c)(i) and 3(d)(i) of Executive Order 14086 (Reference a) consistent with the protection
of intelligence sources and methods, and shall not take any actions designed to impede or
improperly influence these reviews. All NSA/CSS and USSS personnel shall comply with any
CLPO determination to undertake appropriate remediation, subject to any contrary determination
of a panel of the U.S. Data Protection Review Court, and, further, shall comply with any
determination by a Data Protection Review Court panel to undertake appropriate remediation.
26. (U) Auditing and Internal Controls. Consistent with DoDM S-5240.01-A
(Reference h), the USSS will create and maintain sufficient auditing records to verify compliance
with this annex, and protect auditing records against unauthorized access, modification, or
deletion. The USSS will periodically review the effectiveness of its auditing to ensure the key
requirements of Executive Order 14086 (Reference a) remain satisfied.
27. (U) Privacy and Civil Liberties Oversight Board. The NSA shall provide the
ODNI CLPO and the PCLOB with access to information necessary to conduct the annual review
of the redress process described in Executive Order 14086 (Reference a), consistent with the
protection of sources and methods.
(U) RESPONSIBILITIES
(U) NSA/CSS Office of the Inspector General (OIG, I)
28. (U) The NSA/CSS OIG (I) shall perform the appropriate oversight of NSA/CSS
activities to prevent or detect violations of these Supplemental Procedures consistent with the
Inspector General Act of 1978, as amended (Reference j).
(U) NSA Office of General Counsel (OGC, D2)
29. (U) The NSA OGC (D2) shall provide legal advice and assistance, as appropriate,
regarding the requirements of Executive Order 14086 (Reference a) and the implementation
guidance contained in these Supplemental Procedures, including the development of appropriate
documentation standards in order to facilitate the oversight processes specified by Executive
Order 14086 (Reference a). The OGC, as appropriate, will coordinate closely with the NSA
CLPT (D5) to ensure alignment and coordination for the Agency's implementation of the
privacy and civil liberties safeguards required by Executive Order 14086 (Reference a).
(U) NSA/CSS Civil Liberties, Privacy, and Transparency (CLPT, D5)
30. (U) NSA/CSS CLPT (D5) shall:
a. (U) Provide civil liberties and privacy advice and assistance regarding the
requirements of Executive Order 14086 (Reference a) and the implementation guidance
contained in these Supplemental Procedures, including developing appropriate
documentation standards in order to facilitate the oversight process specified in Executive
Order 14086 (Reference a);
b. (U) Implement the guidance issued by ODNI CLPO for conducting SIGINT
reviews and assessments from a civil liberties and privacy perspective under IC Directive
126, "Implementation Procedures for the Signals Intelligence Redress Mechanism Under
Executive Order 14086" (Reference k), including assessments of the adequacy of
safeguards to protect personal information that are either proposed or in place for new or
unique SIGINT collection programs; and
c. (U) Receive, review, and respond to redress requests from ODNI CLPO,
including providing ODNI CLPO with access to information necessary to conduct the
reviews described in either section 3(c)(i) or section 3(d)(i) of Executive Order 14086
(Reference a) consistent with the protection of intelligence sources and methods.
(U) Risk Management Office (RMO, D9)
31. (U) The RMO (D9) shall provide risk management advice and assistance regarding
the requirements of Executive Order 14086 (Reference a) and the implementation guidance
contained in these procedures consistent with the implementation of risk management efforts
across NSA/CSS.
(U) Director, Operations (X) and Director, Cybersecurity (C)
32. (U) The Director, Operations (X), and, as applicable and relevant, the Director,
Cybersecurity (C) shall:
a. (U) Inform and ensure all personnel conducting SIGINT activities under
DIRNSA's authorities understand their responsibilities and maintain a high degree of
awareness and sensitivity to the requirements of these Supplemental Procedures;
b. (U) Apply the provisions of these Supplemental Procedures to all SIGINT
activities governed by Executive Order 14086 (Reference a) that are conducted under
DIRNSA's authorities;
c. (U) Conduct necessary reviews of SIGINT production activities and practices,
including development of required assessments, governed by Executive Order 14086
(Reference a) to ensure consistency with these Supplemental Procedures. These reviews
will include periodic auditing against the standards required by these Supplemental
Procedures;
d. Participate in the development of appropriate documentation standards in order
to facilitate the oversight processes specified by Executive Order 14086 (Reference a);
and
e. (U) Ensure that all new major requirements levied on the USSS or internally
generated activities are considered for review by the OGC (D2). All activities that raise
questions of law or the proper interpretation of these Supplemental Procedures must be
reviewed by the OGC prior to acceptance or execution.
(U) Chief, Compliance (P7)
33. (U) The Chief, Compliance (P7), shall provide compliance advice, formal and
updated training, and assistance regarding the requirements of Executive Order 14086
(Reference a) and the implementation guidance contained in these procedures, including
developing appropriate documentation standards in order to facilitate the compliance and
oversight process specified in Executive Order 14086 (Reference a).
(U) Chief Information Officer (CIO, Y)
34. (U) The CIO (Y) shall ensure that proper data security, access, and quality is
maintained within all capabilities operated by NSA/CSS.
(U) Directors, NSA/CSS Chief of Staff, Extended Enterprise Commanders/Chiefs
35. (U) Directors, the NSA/CSS Chief of Staff, and extended Enterprise
commanders/chiefs shall:
a. (U) Recognize, understand, and execute NSA/CSS authorities in a compliant
manner;
b. (U) Manage, monitor, and perform mission activities in a manner consistent
with the provisions of law and policy that are designed to protect civil liberties and
privacy in accordance with NSA/CSS Policy 12-2, "NSA/CSS Mission Compliance and
Intelligence Oversight" (Reference l);
c. (U) Enable training for NSA/CSS employees and USSS personnel who have
access to operations information regarding DoD Directive (DoDD) 5148.13, "Intelligence
Oversight" (Reference m), DoDM 5240.01, "Procedures Governing the Conduct of DoD
Intelligence Activities" (Reference n), DoDM S-5240.01-A (Reference h), and this policy
on the requirements for collecting, processing, querying, retaining, and disseminating
SIGINT information;
d. (U) Apply the provisions of this policy to all SIGINT mission activities under
their cognizance and ensure that all publications, directives, and instructions for which
they are responsible are in compliance with this policy;
e. (U) Conduct a periodic review of the SIGINT mission activities and practices
conducted in or under the cognizance of their respective organizations to ensure
consistency with the laws and authorities listed in the references section of this policy;
f. (U) Ensure that all new requirements levied on NSA/CSS and the USSS or
internally generated NSA/CSS requirements for mission activities are considered for
review and approval by the NSA OGC (D2) and NSA/CSS CLPT (D5) as required and
comport with Compliance (P7) requirements and controls;
g. (U) Ensure that the NSA OGC reviews mission activities that may raise a
question of law or regulation before their acceptance or execution;
h. (U) Ensure that necessary special security clearances and access authorizations
are provided to the NSA OGC, the IG (I), NSA/CSS CLPT, and the Chief of Compliance
in order to enable them to meet their assigned responsibilities; and
i. (U) Report as required in this policy and otherwise assist the NSA/CSS CLPT
and NSA OGC with carrying out their responsibilities.
(U) NSA/CSS Employees and United States Signals Intelligence System (USSS) Personnel:
36. (U) NSA/CSS employees and USSS personnel shall:
a. (U) Implement these Supplemental Procedures upon publication;
b. (U) Immediately inform the Director, Operations (X) staff of any tasking or
instructions that appear to require actions at variance with these Supplemental
Procedures;
c. (U) In accordance with existing procedures, report to the OIG (I) and consult
with the OGC on all activities that may raise a question of compliance with these
Supplemental Procedures;
d. (U) If a non-U.S. person's personal information is improperly stored, accessed,
collected, analyzed, queried, retained or disseminated, then the incident must be reported
to the NSA/CSS Office of Compliance for Cybersecurity and Operations (P75) via
NSA's Incident Reporting Tool (go IRT) (or any successor tool) within 24 hours upon
recognition;
e. (U) Comply with the procedures outlined in DoDM 5240.01 (Reference n) and
DoDM S-5240.01-A (Reference h);
f. (U) Complete all required compliance training and ensure that all required
documentation (e.g., precondition agreements for memoranda of understanding/
memoranda of agreement) is approved before data access is granted;
g. (U) Conduct mission activities lawfully and in a manner that protects privacy
and civil liberties in accordance with this policy and USSID 18 (Reference g), including
the compliance and oversight requirements in NSA/CSS Policy 12-2 (Reference l); and
h. (U) Report potential SIGINT mission compliance incidents, Questionable
Intelligence Activities (QIAs), and/or Significant or Highly Sensitive Matters (S/HSMs)
as defined in DoDD 5148.13 (Reference m) immediately upon recognition in NSA's IRT
(or any successor tool). Any potential S/HSM that is not mission-related must be reported
to the NSA Intelligence Oversight Officer (NSA IOO) via the alias DL NSA IOO.
(U) REFERENCES
a. (U) Executive Order 14086, "Enhancing Safeguards for United States Signals Intelligence
Activities," dated 7 October 2022
b. (U) NSM-14, "Partial Revocation of Presidential Policy Directive 28," dated 7 October 2022
c. (U) PPD-28, "Signals Intelligence Activities," with Annex: "Policy Review of Sensitive
Signals Intelligence Collection Activities," dated 17 January 2014
d. (U) Executive Order 12333, "United States Intelligence Activities," dated 4 December 1981,
and as amended
e. (U) Foreign Intelligence Surveillance Act of 1978, 50 U.S. Code (U.S.C.) §§1801 et seq., as
amended
f. (U) National Security Act of 1947, 50 U.S.C. §§3001 et seq., as amended
g. (U) USSID 18, "Protection of Civil Liberties and Privacy of U.S. Person Information When
Conducting SIGINT Missions," issued 10 January 2022
h. (U) DoDM S-5240.01-A, "Procedures Governing the Conduct of DoD Intelligence Activities:
Annex Governing Signals Intelligence Information and Data Collected Pursuant to Section 1.7(c)
of Executive Order 12333," dated 7 January 2021
i. (U) Intelligence Community Directive 203, "Analytic Standards", dated 2 January 2015
j. (U) United States Code, Title 5, Section 401-424, "Inspector General Act of 1978", as
amended, dated 12 October 1978
k. (U) Intelligence Community Directive 126, "Implementation Procedures for the Signals
Intelligence Redress Mechanism Under Executive Order 14086," 6 December 2022
l. (U) NSA/CSS Policy 12-2, "NSA/CSS Mission Compliance and Intelligence Oversight,"
dated 16 May 2022
m. (U) DoDD 5148.13, "Intelligence Oversight," dated 26 April 2017
n. (U) DoDM 5240.01, "Procedures Governing the Conduct of DoD Intelligence Activities,"
dated 8 August 2016
o. (U) NSA/CSS Policy 12-3, "Protection of Civil Liberties and Privacy of U.S. Person
Information When Conducting NSA/CSS Mission and Mission-Related Activities,"
dated 10 January 2022
(U) GLOSSARY
(U) This annex carries forward the same definitions provided in NSA/CSS Policy 12-3,
"Protection of Civil Liberties and Privacy of U.S. Person Information When Conducting
NSA/CSS Mission and Mission-Related Activities" (Reference o). Any terms not otherwise
defined in DoDD 5148.13 (Reference m) that are included in these Supplemental Procedures
shall have the same definitions contained in Executive Order 14086 (Reference a), Executive
Order 12333 (Reference d), DoDM 5240.01 (Reference n), and DoDM S-5240.01-A
(Reference h).
(U) DOCUMENT HISTORY
(U//FOUO)
Date: 29 June 2023
Approved by: Paul M. Nakasone, General, U.S. Army; Director, NSA/Chief, CSS
Description: Policy 12-3 Annex C issuance
PDF File: /assets/documents/702-documents/oversight/NSA_EO_14086_Procedures_Policy_12-3_Annex_C.pdf
PDF Index: UNCLASSIFIED
U.S. Department of State
Bureau of Intelligence and Research
Executive Order 14086 - Policy and Procedures
I. Introduction
Executive Order (E.O.) 14086 of October 7, 2022, on Enhancing Safeguards for United States Signals Intelligence Activities, bolsters privacy and civil liberty safeguards for U.S. signals intelligence activities and creates an independent and binding mechanism enabling individuals in qualifying states (defined as countries and regional economic integration organizations), as designated under the E.O., to seek redress through the submission of a qualifying complaint if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law. Among other provisions, Section 2(c)(iv) of the E.O. requires the head of each element of the Intelligence Community (IC) to: continue to apply relevant policies and procedures issued pursuant to Presidential Policy Directive-28 of January 17, 2014; update those policies and procedures as necessary to implement the privacy and civil liberties safeguards in the E.O.; and release the updated policies and procedures publicly to the maximum extent possible.
This document constitutes the updated policies and procedures of the Bureau of Intelligence and Research (INR). INR is a bureau of the U.S. Department of State (the "Department") and also an element of the IC pursuant to Section 3 of the National Security Act of 1947, as amended, and Section 3.5(h) of E.O. 12333, as amended.
INR provides all-source intelligence analysis and information to support the Secretary of State, U.S. diplomats, and other Department officials; coordinates policymaker use of IC information in foreign engagements and public diplomacy; ensures that intelligence activities support foreign policy and national security purposes; serves as the focal point in the Department for facilitating policy review of covert action, sensitive intelligence, counterintelligence, and law enforcement activities; serves in a liaison capacity for the Department with the IC and represents the Department in a variety of intelligence-related fora; and manages and operates the Department's Top Secret/Sensitive Compartmented Information network.
II. General Provisions and Authorities
Pursuant to Section 1.7(i) of E.O. 12333, as amended, INR is to "[c]ollect (overtly or through publicly available sources), analyze, produce, and disseminate information, intelligence, and counterintelligence to support national and departmental missions."
INR is not authorized to conduct - and does not conduct - signals intelligence activities.1
III. Safeguarding Personal Information Collected through Signals Intelligence
The following policies and procedures fulfill the principles contained in Section 2(a)(ii)-(iii) of E.O. 14086 and apply to INR's safeguarding of personal information of non-U.S. persons collected through signals intelligence activities conducted by IC agencies who are authorized to collect signals intelligence.2 These policies and procedures do not apply to information collected through diplomatic reporting.
These policies and procedures shall be used by all INR employees and contractors, employees of other departments or agencies who are detailed to INR and perform INR work under the direction and supervision of INR, and any other State Department employees when they are performing intelligence activities authorized pursuant to E.O. 12333 (collectively, "INR personnel").
1 References to signals intelligence and signals intelligence activities in this document also apply to intelligence collected and activities conducted pursuant to Section 702 of the Foreign Intelligence Surveillance Act.
2 These procedures do not alter the rules applicable to U.S. persons found in the Foreign Intelligence Surveillance Act, Executive Order 12333, INR's guidelines approved by the Attorney General pursuant to Sec. 2.3 of Executive Order 12333, or other applicable law.
A. Minimization
INR does not have access to unevaluated, raw, or unminimized
signals intelligence, including signals intelligence collected in
bulk, but it receives, from other IC elements, signals intelligence
information3 that has been evaluated, minimized, or otherwise
included in finished intelligence products subject to - among other
requirements - the provisions of E.O. 14086. Unless it possesses
specific information to the contrary, INR will presume that any
evaluated or minimized signals intelligence information it
receives from other IC elements that have adopted procedures
implementing E.O. 14086 and which has been disseminated is
consistent with that Executive Order.
i. Dissemination
In limited situations where INR receives personal information
of non-U.S. persons collected through signals intelligence
activities, it will only disseminate such information if
dissemination of comparable information concerning U.S.
persons would be permitted under Section 2.3 of E.O. 12333.
INR will disseminate personal information collected through
signals intelligence on the basis that it is foreign intelligence
only if the information relates to an authorized intelligence
requirement and not solely because of a person's nationality
or country of residence. INR will disseminate within the U.S.
Government personal information concerning a non-U.S.
person that is foreign intelligence only if an authorized and
appropriately trained individual has a reasonable belief that
the personal information will be appropriately protected and
that the recipient has a need to know the information. INR
shall take due account of the purpose of the
dissemination, the nature and extent of the personal
information being disseminated, and the potential for
harmful impact on the person or persons concerned
before disseminating personal information collected
through signals intelligence to recipients outside the
U.S. government, including to a foreign government or
international organization. INR shall not disseminate
personal information collected through signals
intelligence for the purpose of circumventing the
provisions of E.O. 14086.
3 The sources of or methods of obtaining specific information contained in evaluated or finished intelligence
products may not in all cases be evident to INR or to the Department as a recipient of such intelligence products.
For purposes of these policies and procedures,
"dissemination" means the transmission, communication,
sharing, or passing of information outside of INR by any
means, including oral, electronic, or physical.
ii. Retention
INR will retain personal information of non-U.S. persons
collected through signals intelligence activities only if
retention of comparable information concerning U.S.
persons would be permitted under applicable U.S. law. INR
will retain personal information concerning a non-U.S.
person that is foreign intelligence in accordance with
applicable Bureau and IC policies and procedures,
consistent with Section 2(c)(iii)(A)(2) of E.O. 14086,
including that information relates to an authorized intelligence
requirement and not be retained solely because of the person's
foreign nationality or country of residence. INR will retain
personal information concerning a non-U.S. person under the
same retention periods and manner of deletion that would
apply to comparable information concerning U.S. persons.
If INR retains personal information of a non-U.S. person
because it is foreign intelligence, the information must
relate to an authorized intelligence requirement, and cannot
be retained solely because of the non-U.S. person's foreign
status.
B. Data Security and Access
Access to all personal information collected through signals
intelligence activities - irrespective of the nationality or country of
residence of the person whose information is collected - is
restricted to authorized and appropriately trained personnel who
have a need to access that information in the performance of
authorized duties. Such information will be maintained in either
electronic or physical form in secure facilities protected by physical
and technological safeguards, and with access limited by
appropriate security measures. Such information will be
safeguarded in accordance with applicable laws, rules, and policies,
including those of INR, the Department, and the IC.
Classified information will be stored appropriately in a secured,
certified, and accredited facility, in secured databases or containers,
and in accordance with other applicable requirements. The Chief
Information Officer and Chief Information Security Officer for
INR, in consultation with the Privacy and Civil Liberties Officer
and Office of the Legal Adviser, as appropriate, will ensure that the
electronic systems in which signals intelligence information is
stored are certified under and adhere to established standards. Such
electronic systems will comply with applicable law, Executive
Orders, and IC and Department policies and procedures regarding
information security, including with regard to access controls and
monitoring.
C. Data Quality
Personal information collected through signals intelligence
activities - when identifiable - shall be included in INR
intelligence products only as consistent with applicable IC
standards of analytic tradecraft as set forth in relevant IC
directives, including ICD 203: Analytic Standards. Particular care
should be taken to apply standards relating to the relevance, quality,
and reliability of the information, consideration of alternative sources
of information and interpretations of data, and objectivity in
performing analysis.
D. Oversight
The Assistant Secretary of INR, or his or her designee, shall review
implementation of these policies and procedures annually, focusing
particularly on relevant provisions of E.O. 14086 regarding privacy
and civil liberties.
Instances of non-compliance with these policies and procedures
shall be reported to the INR Civil Liberties, Privacy and
Transparency Officer, who, in consultation with the Office of the
Assistant Legal Adviser for Law Enforcement and Intelligence,
shall determine what corrective actions are necessary, if any. In
addition, all INR personnel are required to report criminal activity,
including fraud, waste, and abuse involving IC activities,
operations, programs, or personnel to the Office of the Inspector
General of the Intelligence Community. INR personnel may also
report other potential instances of non-compliance with U.S. law,
these policies and procedures, or other matters of concern to the IC
IG.
Significant instances of non-compliance with applicable U.S. law
involving the personal information of any person collected through
signals intelligence activities shall be reported promptly to the
Assistant Secretary, the Secretary of State, and the Director of
National Intelligence, consistent with Section 2(d)(iii) of E.O.
14086.
E. Assistance to the Signals Intelligence Redress Mechanism
INR shall provide the Civil Liberties and Privacy Officer for the Office
of the Director of National Intelligence (ODNI/CLPO) with access to
information necessary to conduct the reviews described in either Section
3(c)(i) or Section 3(d)(i) of E.O. 14086, consistent with the protection of
intelligence sources and methods. INR personnel shall not take any
action designed to impede or improperly influence the ODNI CLPO's
review of qualifying complaints, or the Data Protection Review Court
review of the CLPO's determination of such pursuant to the Signals
Intelligence Redress Mechanism. INR shall comply with any
determination by the ODNI CLPO to undertake appropriate remediation,
subject to any contrary determination by the Data Protection Review
Court, and, further shall comply with any determination of a Data
Protection Review Court panel to undertake appropriate remediation.
INR shall provide the Privacy and Civil Liberties Oversight Board with
access to information necessary to conduct the annual review of the
signals intelligence redress mechanism described in Section 3(e) of E.O.
14086, consistent with the protection of intelligence sources and
methods.
IV. Training
INR personnel whose duties require access to information
collected through signals intelligence activities will receive annual
training on the requirements of these policies and procedures.
INR will monitor completion of training requirements to ensure
compliance with this provision.
V. Deviations from these Procedures
The Assistant Secretary must approve in advance any departures
from these procedures, after consultation with the Office of the
Director of National Intelligence and the National Security
Division of the Department of Justice. If there is not time for
such approval and a departure from these procedures is
necessary because of the immediacy or gravity of a threat to the
safety of persons or property or to the national security, the
Assistant Secretary, or the Assistant Secretary's senior
representative present, may approve a departure from these
procedures. The Assistant Secretary and the Office of the Legal
Adviser will be notified as soon thereafter as possible. The
Office of the Legal Adviser will provide prompt written notice
of any such departures stating why advance approval was not
possible and describing the actions taken to ensure activities were
conducted lawfully to the National Security Division of the
Department of Justice. Notwithstanding this paragraph, all
activities in all circumstances must be carried out in a manner
consistent with the Constitution and laws of the United States.
VI. Conclusion
These procedures are set forth solely for internal guidance
within INR. Questions on the applicability or interpretation of
these procedures should be directed to the Assistant Secretary,
who shall determine such applicability or interpretation, in
consultation with the Office of the Assistant Legal Adviser for
Law Enforcement and Intelligence, as appropriate.
Approved:
Date:
PDF File: /assets/documents/702-documents/oversight/State_INR_EO_14086_PP.pdf
PDF Index: DRUG ENFORCEMENT ADMINISTRATION
OFFICE OF NATIONAL SECURITY INTELLIGENCE
EXECUTIVE ORDER 14086 – POLICY AND PROCEDURE
POLICY NUMBER 4100
6/30/2023
TABLE OF CONTENTS
1.0 AUTHORITIES
2.0 INTRODUCTION
3.0 POLICY AND PROCEDURES
4.0 TRAINING
5.0 DEVIATIONS FROM THESE PROCEDURES
6.0 CONCLUSION
7.0 EFFECTIVE DATE/REVISION HISTORY
8.0 ACRONYMS
1.0 AUTHORITIES
A. Executive Order (E.O.) 14086 Enhancing Safeguards for United States Signals Intelligence Activities
B. E.O. 12333 United States Intelligence Activities
C. Presidential Policy Directive (PPD-28) Signals Intelligence, January 17, 2014
D. National Security Act of 1947, as amended
E. Intelligence Community Directive (ICD) 203, Analytic Standards
2.0 INTRODUCTION
E.O. 14086 bolsters privacy and civil liberty safeguards for U.S. signals intelligence (SIGINT) activities and creates an independent and binding mechanism enabling individuals in qualifying states (defined as countries and regional economic integration organizations), as designated under the E.O., to seek redress through the submission of a qualifying complaint if they believe their personal data was collected through U.S. SIGINT in a manner that violated applicable U.S. law.
Among other provisions, Section 2(c)(iv) of E.O. 14086 requires the head of each element of the Intelligence Community (IC) to: apply relevant policies and procedures issued pursuant to PPD-28, update those policies and procedures as necessary to implement the privacy and civil liberties safeguards identified in E.O. 14086, and release the updated policies and procedures publicly to the maximum extent possible.
The Drug Enforcement Administration (DEA), Office of National Security Intelligence (ONSI), is an office within the DEA. Pursuant to Section 3 of the National Security Act of 1947, as amended, and Section 3.5(h) of E.O. 12333, as amended, ONSI is an element of the IC.
Pursuant to Section 1.7(i) of E.O. 12333, as amended, ONSI is only authorized to "[c]ollect (overtly or through publicly available sources), analyze, produce, and disseminate information, intelligence, and counterintelligence to support national and departmental missions."
ONSI is not authorized to conduct – and does not conduct – SIGINT activities.1
Accordingly, ONSI does not engage in SIGINT collection or have access to unevaluated, raw, or unminimized SIGINT.
1 References to SIGINT and SIGINT activities in this document also apply to Section 702 information.
3.0 POLICY AND PROCEDURES
The following applies to ONSI's safeguarding of personal information of non-U.S.
persons collected through SIGINT activities, should ONSI knowingly come into
possession of such information, and fulfill the principles contained in subsections
2.(a)(ii)-(iii) of E.O. 14086.2 These procedures apply to individuals who operate
under ONSI’s EO 12333 authorities. Nothing in these procedures shall prohibit or
regulate DEA’s activities pursuant to its statutory criminal law enforcement and civil
regulatory missions. This includes DEA’s responsibilities pertaining to law enforcement
information related to the domestic or foreign activities of U.S. persons.
A. Minimization
ONSI does not have access to unevaluated, raw, or unminimized SIGINT, including
SIGINT collected in bulk. ONSI does receive finished intelligence products from
other agencies that may include SIGINT information3 that has been evaluated, and
minimized subject to – among other requirements – the provisions of E.O. 14086.
1. Dissemination
a. Should ONSI knowingly handle SIGINT information, it will disseminate
personal information of non-U.S. persons collected through SIGINT activities
only if dissemination of comparable information concerning U.S. persons
would be permitted under Section 2.3 of E.O. 12333.
b. ONSI will disseminate personal information concerning a non-U.S. person
on the basis that it is foreign intelligence only if the information relates to
an authorized intelligence requirement, not solely because of the person’s
foreign nationality or country of residence. Unless it possesses specific
information to the contrary, ONSI will presume that any evaluated or
minimized information it receives from other IC elements that have
adopted procedures implementing E.O. 14086 meets this standard. ONSI
will disseminate such information in accordance with applicable DEA and
IC policies and procedures, consistent with Section 2(c)(iii)(A)(1) of E.O.
14086.
c. ONSI shall disseminate within the U.S. Government such personal
information only if an authorized and appropriately trained individual has
a reasonable belief that the personal information will be appropriately
protected and that the recipient has a need to know the information.
d. ONSI shall take due account of the purpose of the dissemination, the
nature and extent of the personal information being disseminated, and the
potential for harmful impact on the person or persons concerned before
disseminating personal information collected through SIGINT to
recipients outside the U.S. Government, including to a foreign government
or international organization.
2 These procedures do not alter the rules applicable to U.S. persons found in the Foreign Intelligence Surveillance
Act, Executive Order 12333, ONSI's guidelines, or other applicable law.
3 The sources or methods of obtaining specific information contained in evaluated or finished intelligence
products may not in all cases be evident to ONSI as a recipient of such intelligence products.
e. ONSI shall disseminate personal information collected through SIGINT
only in accordance with, and never to circumvent, these procedures.
f. For purposes of these policies and procedures, "dissemination" shall mean
the transmission, communication, sharing, or passing of information outside
of ONSI by any means, including oral, electronic, or physical.
2. Retention
a. Should ONSI knowingly handle SIGINT information, it will retain personal
information of non-U.S. persons collected through SIGINT activities only if
retention of comparable information concerning U.S. persons would be permitted
under Section 2.3 of E.O. 12333, shall subject such information to the same
retention periods that would apply to comparable information concerning U.S.
persons, and shall delete such information that may no longer be retained in the
same manner that comparable information concerning U.S. persons would be
deleted.
b. ONSI will retain personal information concerning a non-U.S. person on the basis
that it is foreign intelligence in accordance with applicable DEA and IC policies
and procedures, consistent with Section 2(c)(iii)(A)(2) of E.O. 14086 only if the
information relates to an authorized intelligence requirement and not solely
because of the person’s foreign nationality or country of residence.
c. Unless it possesses specific information to the contrary, ONSI will presume
that any evaluated or minimized SIGINT information it receives from other
IC elements that have adopted procedures implementing E.O. 14086 meets
this standard. ONSI will retain such information in accordance with
applicable record retention policies.
B. Data Security and Access
1. Access to all personal information collected through SIGINT activities –
irrespective of the nationality of the person whose information is collected – is
restricted to those personnel who have a need to access that information in the
performance of authorized duties in support of ONSI missions and have received
appropriate training. Such information will be maintained in either electronic or
physical form in secure facilities protected by physical and technological
safeguards, including, but not limited to, adherence to certification requirements
and established standards, and with access limited by appropriate security
measures. Such information will be safeguarded in accordance with applicable
laws, rules and policies, including those in ONSI, DEA, and the IC, and through
consultation with the Office of Chief Counsel (CC), as appropriate.
2. Classified information will be stored appropriately in a secured, certified, and
accredited facility, in secured databases or containers, and in accordance with
other applicable requirements. ONSI's electronic system in which such
information may be stored will comply with applicable law, E.O.s, as well as IC
and DEA policies and procedures regarding information security, including
access controls and monitoring.
C. Data Quality
ONSI does not produce intelligence products containing SIGINT; however,
should it do so in the future, the personal information of both U.S. and non-U.S.
persons collected through SIGINT activities – when identifiable – shall be
included in ONSI intelligence products only as consistent with applicable IC
standards of analytic tradecraft, accuracy, and objectivity as set forth in relevant
IC directives, including Intelligence Community Directive 203: Analytic
Standards. Particular care should be taken to apply standards relating to the
relevance, quality, and reliability of the information, consideration of alternative
sources of information and interpretations of data, and objectivity in performing
analysis.
D. Oversight
1. As applicable, the Assistant Administrator for Intelligence/Chief of Intelligence
(NC), or their designee, shall review implementation of these policies and
procedures annually, focusing particularly on relevant provisions of E.O. 14086
regarding privacy and civil liberties.
2. Instances of non-compliance with these policies and procedures shall be reported
to the Deputy Chief of Intelligence (NN) for ONSI, who shall report them to NC.
The NC, in consultation with CC, as appropriate, shall determine what corrective
actions are necessary, including, but not limited to, reporting to the appropriate
DEA and IC oversight and compliance officials.
3. Should the NN determine that an instance of non-compliance constitutes a
significant instance of non-compliance with applicable U.S. law, the NN shall
report it promptly to the NC, who shall notify the DEA Administrator and the
Director of National Intelligence, consistent with Section 2(d)(iii) of E.O. 14086.
A significant incident of non-compliance shall be determined consistent with
Section 4(l) of E.O. 14086 after consultation with CC, as appropriate.
E. Redress Mechanism
1. ONSI shall provide the Office of the Director of National Intelligence (ODNI) Civil
Liberties Protection Officer (CLPO) and the Privacy and Civil Liberties Oversight
Board with access to information necessary to conduct the reviews described in either
Section 3(c)(i), Section 3(d)(i), or Section 3(e)(i) of E.O. 14086, consistent with the
protection of intelligence sources and methods.
2. ONSI personnel shall not take any actions designed to impede or improperly
influence the CLPO’s review of qualifying complaints or the Data Protection Review
Court (DPRC) review of the CLPO’s determination of such pursuant to the Signals
Intelligence Redress Mechanism.
3. ONSI shall comply with any CLPO determination to undertake appropriate
remediation, subject to any contrary determination of the DPRC, and, further, shall
comply with any determination by a DPRC panel to undertake appropriate
remediation.
4.0 TRAINING
ONSI personnel whose duties require access to personal information collected through
SIGINT activities will receive annual training on the requirements of these policies and
procedures pursuant to Section 3.0 paragraph D.1. of this policy and procedure. ONSI will
monitor completion of training requirements to ensure compliance with this provision.
5.0 DEVIATIONS FROM THESE PROCEDURES
The Principal Deputy Administrator must approve in advance any departures from these
procedures after consultation with the ODNI and the National Security Division (NSD) of the
Department of Justice (DOJ).
If there is insufficient time to obtain approval and a departure from these procedures is
necessary because of the immediacy or gravity of a threat to the safety of persons, property,
or national security, the NC, or designee, may approve a departure from these procedures. In
this event, consultation shall occur with the Chief of the Intelligence Law Section, CC, and
NC. NC, or their designee, will provide prompt written notice to the ODNI and the NSD,
DOJ of any such departures, stating why advance approval was not possible and describing
the actions taken to ensure activities were conducted lawfully. Notwithstanding this
paragraph, all activities of ONSI must always be carried out in a manner consistent with the
Constitution and laws of the United States, and E.O. 12333 and 14086.
6.0 CONCLUSION
These procedures are set forth solely for internal guidance within ONSI in the event ONSI
knowingly handles SIGINT in the future. Questions on the applicability or interpretation of
these procedures should be directed to the CC, who shall determine such applicability or
interpretation, in consultation with the Assistant Attorney General for National Security and
the ODNI, as appropriate.
7.0 EFFECTIVE DATE/REVISION HISTORY
Table 1 Summary of Changes
Date of Change | Responsible Party | Summary of Change
3/1/2023 | Office of National Security Intelligence | Initial Publication
6/30/2023 | Office of National Security Intelligence | The Office of the Director of Intelligence, the Privacy and Civil Liberties Oversight Board, and Department of Justice, National Security Division reviewed the above referenced Office of National Security Intelligence policy, and required several revisions to provide further clarification and consistency between the policies of the other Intelligence Community elements as much as possible given the different authorities among the elements.
8.0 ACRONYMS
Table 2 Acronyms
Acronym Defined
CC Office of Chief Counsel
CLPO Civil Liberties Protection Officer
DEA Drug Enforcement Administration
DOJ Department of Justice
DPRC Data Protection Review Court
E.O. Executive Order
IC Intelligence Community
ICD Intelligence Community Directive
NC Assistant Administrator for Intelligence/Chief of Intelligence
NN Deputy Chief of Intelligence
NSD National Security Division
ODNI Director of National Intelligence
ONSI Office of National Security Intelligence*
PPD Presidential Policy Directive
SIGINT Signals Intelligence
* Outside of DEA, the Office of National Security Intelligence is referred to as ONSI in place of
NN.
PDF File: /assets/documents/702-documents/oversight/DEA_ONSI_EO_14086.pdf