U.S. Department of Justice
United States Attorney
Southern District of New York
86 Chambers Street
New York, New York 10007

November 10, 2015

By Electronic Mail
David E. McCraw, Esq.
Jeremy A. Kutner, Esq.
The New York Times Company
620 Eighth Avenue
New York, NY 10018
E-mail: mccraw@nytimes.com, jeremy.kutner@nytimes.com

Re: The New York Times Co. and Charlie Savage v. National Security Agency, 15 Civ. 2383 (KBF)

Dear David and Jeremy:

This Office represents the National Security Agency ("NSA"), the defendant in the above-referenced matter. Pursuant to the Scheduling Order, dated May 15, 2015, NSA has completed its review and processing of the attached documents. NSA is releasing 10 documents with redactions. Information has been redacted from these documents pursuant to 5 U.S.C. §§ 552(b)(1) and (b)(3). Each redacted document being released has been marked with the applicable FOIA exemption or exemptions.

Please let me know if you have any questions.

Sincerely,

PREET BHARARA
United States Attorney for the Southern District of New York

By: /s/ Andrew E. Krause
ANDREW E. KRAUSE
Assistant United States Attorney
Telephone: (212) 637-2769
Facsimile: (212) 637-2786
E-mail: andrew.krause@usdoj.gov

Attachments


DOCID: 4248568

NATIONAL SECURITY AGENCY / CENTRAL SECURITY SERVICE
Fort George G. Meade, Maryland 20755-6000

November 30, 2009

The Honorable Silvestre Reyes
Chairman, Permanent Select Committee on Intelligence
United States House of Representatives
H405, The Capitol
Washington, DC 20515

Dear Representative Reyes:

(U) The Foreign Intelligence Surveillance Act Amendments Act of 2008 (FAA) authorizes the NSA Inspector General to assess the Agency's compliance with procedures for targeting certain persons outside the United States, other than United States persons. Except as otherwise stated, I have no reason to believe that any intelligence activities of the National Security Agency during the period 1 September 2008 through 31 August 2009 were unlawful.
My office reviews the collection, processing, and reporting of data at least quarterly. Incidents involving compliance with procedures for targeting certain persons outside the United States, other than United States persons, and incidents involving minimization of United States person information are reported to the OIG as they occur and quarterly. Each incident is evaluated against the targeting and minimization procedures set forth in directives.

In compliance with the targeting and minimization procedures of §702 of the FAA, NSA/CSS disseminated [redacted] intelligence reports between FAA implementation on 1 September 2008 and 31 August 2009. Of those disseminations, [redacted] reports contained a reference to a United States person identity. Additionally, NSA released [redacted] names of U.S. identities in response to customer requests. During this reporting period, [redacted] foreign targets [redacted] outside the United States at the time of tasking were later [redacted] the United States.

We found and reported [redacted] instances of §702 targeting or minimization mistakes to the President's Intelligence Oversight Board through the Assistant to the Secretary of Defense for Intelligence Oversight:

- [redacted] software malfunctions had caused unintended collection;
- [redacted] selectors had been tasked under an incorrect §702 certification category;
- [redacted] foreign intelligence targets had been erroneously tasked for §702 collection [redacted];
- [redacted] was later found to have U.S. citizenship.

There were [redacted] delays in removing the target selectors from collection systems and delays in purging unauthorized collection from NSA databases.

(U) Action was taken to correct the mistakes, and processes were reviewed and adjusted to reduce the risk of unauthorized acquisition and improper retention of U.S. person communications. The Office of Inspector General continues to exercise oversight of Agency intelligence activities.

Approved for Release by NSA on 11-10-2015, FOIA Case # 80120 (litigation)
GEORGE ELLARD
Inspector General

Copy Furnished:
The Honorable Peter Hoekstra, Ranking Member, Permanent Select Committee on Intelligence


DOCID: 4248584

NATIONAL SECURITY AGENCY / CENTRAL SECURITY SERVICE
INSPECTOR GENERAL REPORT

Report on the Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Pen Register and Trap and Trace Devices [redacted]

DERIVED FROM: NSA/CSSM 1-52, DATED: 8 January 2007
DECLASSIFY ON: [illegible]

Approved for Release by NSA on 11-10-2015, FOIA Case # 80120 (litigation)

(U) OFFICE OF THE INSPECTOR GENERAL

(U) Chartered by the Director, NSA/CSS, the Office of the Inspector General (OIG) conducts audits, investigations, and inspections. Its mission is to ensure the integrity, efficiency, and effectiveness of NSA/CSS operations, provide intelligence oversight, protect against fraud, waste, and mismanagement of resources, and ensure that NSA/CSS activities are conducted in compliance with the law, executive orders, and regulations. The OIG also serves as ombudsman, assisting NSA/CSS employees, civilian and military.

(U) AUDITS

(U) The audit function provides independent assessment of programs and organizations. Performance audits evaluate the effectiveness and efficiency of entities and programs and assess whether program objectives are being met and whether operations comply with law and regulations. Financial audits determine the accuracy of an entity's financial statements. All audits are conducted in accordance with standards established by the Comptroller General of the United States.

(U) INVESTIGATIONS AND SPECIAL INQUIRIES

(U) The OIG administers a system for receiving and acting upon requests for assistance or complaints (including anonymous tips) about fraud, waste and mismanagement. Investigations and Special Inquiries may be undertaken as a result of such requests or complaints, at the request of management, as the result of irregularities that surface during inspections and audits, or at the initiative of the Inspector General.

(U) FIELD INSPECTIONS

(U) The inspection function consists of organizational and functional reviews undertaken as part of the OIG's annual plan or by management request. Inspections yield accurate, up-to-date information on the effectiveness and efficiency of entities and programs, along with an assessment of compliance with law and regulations. The Office of Field Inspections also partners with Inspectors General of the Service Elements to conduct joint inspections of consolidated facilities.


OFFICE OF THE INSPECTOR GENERAL
NATIONAL SECURITY AGENCY / CENTRAL SECURITY SERVICE

SUBJECT: Advisory Report on the Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Pen Register and Trap and Trace Devices [redacted]

MEMORANDUM TO: DISTRIBUTION

1. This advisory report summarizes results of testing by the Office of the Inspector General in support of the Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Pen Register and Trap and Trace Devices [redacted].

2. We determined that querying controls were adequate to provide reasonable assurance of compliance with the terms of the Order. Based on our review, no management response is required for this report.

3. To discuss this report further, please contact [redacted] on 963-0922(s) or by e-mail at [redacted].

4. We appreciate the courtesy and cooperation extended to the audit team throughout the review.

GEORGE ELLARD
Inspector General

cc: Director; OGC; SV; SW; SW12; S; S1; S2; S21; S214; S332; T1; T12; T122; T1222; OGC IG POC; [redacted] IG POC
(U) EXECUTIVE SUMMARY

We conducted this review to determine whether the controls we tested as part of our yearlong review of NSA compliance with seven provisions of the Business Records (BR) Order were adequate to provide reasonable assurance of compliance with similar provisions of the Pen Register and Trap and Trace (PR/TT) Order. Of the [redacted] queries made between [redacted], the date when the Foreign Intelligence Surveillance Court (FISC) signed [redacted], and [redacted], we found no errors or instances of non-compliance with the five provisions of the Order related to querying that we tested. We therefore judged these controls to be adequate to provide reasonable assurance of compliance with the Order.

(U) The Pen Register and Trap and Trace Order

The Foreign Intelligence Surveillance Court granted NSA the authority to collect certain categories of metadata with the assistance of certain United States-based telecommunications service providers and to analyze that metadata in support of investigations to protect against international terrorism. The Order authorizes NSA to collect and analyze bulk [redacted] metadata from providers within the United States. [Redacted] metadata includes communications addressing information such as the "from" and "to" fields [redacted]. The Order prohibits collection of the content of communications. The FISC renews the Order approximately every 90 days. NSA, in consultation with the Department of Justice, did not seek an immediate renewal and allowed the Order to expire in [redacted] because of concern that the Agency could not comply with the Order as written. [Redacted] the FISC issued an Order substantially different from the previous versions in that, among other things, it redefined "facilities" [redacted]. However, the provisions that limit the selectors on which NSA may query, as well as the provisions to track and report on dissemination, remained essentially unchanged and are similar to those in the current Business Records Order, which authorizes the collection of bulk telephony metadata. The PR/TT Order [redacted] includes a series of provisions to protect the privacy of United States persons (USPs) because the bulk metadata collected under the Order includes [redacted] USP communications, the vast majority of which are unrelated to investigations to protect against international terrorism.

(U) This Review

We began this review in [redacted] but suspended it when NSA allowed the Order to expire. We then conducted a yearlong Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records, using a continuous auditing methodology to test certain controls related to querying and dissemination. As part of that review, we evaluated the adequacy of controls to ensure compliance with seven requirements, tested against the Standards for Internal Control in the Federal Government. Because the requirements, controls, and processes used to query and to disseminate information are essentially the same under the PR/TT Order and the BR Order, we relied on the overall evaluation of controls conducted under [redacted] and used the same test objectives and plans for both reviews. See Appendix A for details on the objective, scope, and methodology as well as a list of reports issued on our tests of BR controls.

For this review, we tested NSA compliance with five provisions of the PR/TT Order related to querying for [redacted] while an active Order was in place. Although the Order first became active in [redacted], after the Agency had allowed it to expire, the Agency did not resume collection and querying of [redacted] metadata until [redacted] (which closely mirrors its first renewal).
(U) Test Results and Objectives Related to Querying

Of the [redacted] queries made during our test period, we found no errors or instances of non-compliance with the five provisions of the PR/TT Order related to querying that we tested. For the period reviewed, [redacted] issued from PR/TT metadata and was appropriately reported in the 30-day renewal report. However, the dissemination did not contain PR/TT-derived USP information. [Redacted] we did not formally test dissemination objectives.

- Access: Were all queries to the metadata made by authorized individuals (e.g., intelligence analysts and approved technical support personnel)?
- Reasonable Articulable Suspicion (RAS) Approval of Queried Selectors: Did all queries use RAS-approved seed selectors?
- Office of General Counsel (OGC) Review of USP Selectors: Did OGC verify that RAS determinations of all queried seed selectors associated with USPs had not been based solely on activities protected by the First Amendment to the Constitution?
- Chaining: Were all queries chained to no more than two hops?
- Revalidation of Queried Selectors: Were all queried foreign and USP seed selectors revalidated within the Court's time frames (one year and 180 days, respectively) and approved by an authorized Homeland Mission Coordinator?

These provisions limit access to the bulk metadata and the selectors that NSA is authorized to query. See Appendix B for details of test results.

(U) Test Results and Objectives Related to Dissemination

The Order also requires that NSA track and report information shared outside the Agency. [Redacted]

- 30-Day Reports: Did NSA accurately and completely report disseminations of PR/TT metadata outside NSA?
- Dissemination of Serialized SIGINT Reports with PR/TT Metadata: Was all information disseminated through serialized reports approved by the Chief of Information Sharing Services (S12) or other authorized individuals?
(U) Conclusion

Our tests of queries made under the PR/TT Order parallel the findings of our review of BR controls: querying controls are adequate to provide reasonable assurance of compliance with the provisions tested, but NSA management must ensure that controls remain effective. [Redacted] we must rely on the findings of our BR review that the largely manual process to disseminate [redacted] is manageable given the small amount of information disseminated in 2010. We make no recommendations in this report because the implementation of recommendations in [redacted] will be tracked by the Office of the Inspector General follow-up process.

(U) APPENDIX A
(U) About the Audit

(U) ABOUT THE AUDIT

(U) Objectives

The objective of this audit was to test whether controls to ensure NSA compliance with key terms of the Pen Register and Trap and Trace Order were operating effectively. Specifically, we tested NSA compliance with five provisions of the Order related to querying to assess the adequacy of controls. We tested these provisions because they were relatively stable, at risk for technical non-compliance or violation of privacy rights, and testable. For a requirement to be testable, compliance must be clearly objective and verifiable by supporting data. [Redacted]

(U) Scope and Methodology

From January through February [redacted], we tested queries of PR/TT metadata made [redacted], during which NSA was operating under [redacted]. Outside of testing, we based our evaluation of controls on work conducted as part of the Business Records review [redacted]. For querying, all selectors that were documented in [redacted] audit logs as having been queried were compared against access lists maintained by [redacted] and against reasonable articulable suspicion approvals and Office of General Counsel reviews documented in [redacted]. [Redacted] is the corporate contact chaining system. It stores metadata from multiple [redacted] sources, storing [redacted] metadata in a separate realm. [Redacted] performs data quality, preparation and sorting functions and summarizes contacts in the processed data. [Redacted] is the selector tracking application used for PR/TT and BR querying. We also counted the number of hops chained for each selector as documented in audit logs. We researched anomalies to make a final determination of compliance.

We intended to verify that serialized Signals Intelligence (SIGINT) reports derived from PR/TT metadata, as documented in [redacted], were supported by dissemination authorizations and included in the 30-Day Reports provided to the Foreign Intelligence Surveillance Court. [Redacted], a management information system for SIGINT production, contains statistical information and customer feedback about serialized reports.

We did not plan to test whether non-serialized reports were approved by the Chief, Information Sharing Services (S12), or other authorized officials because approvals were documented in e-mails rather than formal dissemination authorizations. For the same reason, we did not plan to test whether 30-Day Reports accurately and completely disclosed non-serialized reports.

During the Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records [redacted], we met with individuals from OGC, the Office of the Director of Compliance, the SIGINT Directorate (SID), and the Technology Directorate, including the SID Office of Oversight and Compliance, Information Sharing Services, the Homeland Security Analysis Center, SID Issues Support Staff, Analytic Capabilities, [redacted]. Information obtained from these meetings was used as a basis to conduct the PR/TT review.

(U) We conducted this performance audit in accordance with generally accepted government auditing standards.
Those standards require that we perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions according to our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions according to our audit objectives.

(U) Prior OIG Coverage

[Redacted] Supplemental Report to IG Report [redacted], Assessment of Management Controls to Implement the FISC Order Authorizing NSA to Collect Information Using Pen Register and Trap and Trace Devices, [redacted]

(U) Related OIG Coverage of the BR Order

We issued the following reports as part of our Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records [redacted]. These reports provide details on the processes and controls in place to ensure compliance with the BR and PR/TT Orders.

- Advisory Report on the Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records, 12 May 2010
- Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: January to March 2010 Test Results, 1 June 2010
- Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: April 2010 Test Results, 10 June 2010
- Audit Report on NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: Control Weaknesses, 29 September 2010
- Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: May 2010 Test Results, 30 June 2010
- Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: June 2010 Test Results, 20 July 2010
- Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: July 2010 Test Results, 18 August 2010
- Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: August 2010 Test Results, 28 September 2010
- Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: September 2010 Test Results, 28 October 2010
- Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: October 2010 Test Results, 1 December 2010
- Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: November 2010 Test Results, 20 December 2010
- Audit of NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records: December 2010 Test Results, 12 January 2011
- Audit Report on NSA Controls to Comply with the Foreign Intelligence Surveillance Court Order Regarding Business Records, 15 March 2011

(U) APPENDIX B
(U) Test Results

(U) TEST RESULTS

We judged NSA controls as adequate to provide reasonable assurance of compliance with the five provisions of the Foreign Intelligence Surveillance Court Order regarding Pen Register and Trap and Trace Devices related to querying that we tested. Test results show that NSA complied with these provisions for the test period [redacted]. The ratings are defined on the last page of this report.

Test area; test results; errors; compliance; assessment of controls:

1. Access. Authorized individuals made all queries of PR/TT metadata. Errors: 0. Compliant. Controls adequate.

2. Reasonable articulable suspicion approval of queried selectors. Seed selectors of [redacted] queries of PR/TT metadata were documented in [redacted] as RAS approved at the time of the query. The remaining [redacted] queries did not use RAS-approved seed selectors but were made for data integrity and test purposes, as permitted by the Order. Errors: 0. Compliant. Controls adequate.

3. Office of General Counsel review of USP seed selectors. [Redacted] USP seed selectors were reviewed by OGC prior to being used for querying. These reviews are documented in [redacted], the selector identifier management system. Errors: 0. Compliant. Controls adequate.

4. Chaining. All queries made for foreign intelligence purposes were chained to no more than two hops from a RAS-approved selector, as required. In [redacted] of those instances, although a third hop was attempted, the queries were terminated before results were returned and therefore were within the two-hop limit. Errors: 0. Compliant. Controls adequate.

5. Approval and revalidation of queried selectors. The [redacted] seed selectors queried for foreign intelligence purposes were RAS approved by authorized Homeland Mission Coordinators within the Court's time frames. An additional [redacted] seed selectors were queried for data integrity or test purposes as permitted by the Order. Errors: 0. Compliant. Controls adequate.

6. 30-Day Reports. [Redacted]

7. Dissemination of serialized reports with PR/TT metadata. [Redacted]

(U) RATING SYSTEM

- Compliant (green): no instances of non-compliance with the Order were identified during testing. Any noted scope limitations were related to the application of the continuous auditing methodology, not known control weaknesses.
- Compliant, with scope limitations (yellow): although no instances of non-compliance were identified, control weaknesses prevented us from testing the entire universe, as explained in the scope limitations.
- Red: one or more instances of non-compliance with the Order were identified during testing.


DOCID: 4248763

OFFICE OF THE INSPECTOR GENERAL
NATIONAL SECURITY AGENCY / CENTRAL SECURITY SERVICE

TO: [redacted]

SUBJECT: Assessment of Controls to Implement the FISC Order Authorizing NSA to Collect Information Using Pen Register and Trap and Trace Devices, ACTION MEMORANDUM

1. This report summarizes the results of our assessment of management controls to implement the FISC Order to collect information using Pen Register and Trap and Trace Devices. Because of extenuating circumstances, management was unable to provide complete responses to the draft report but indicated general concurrence with the recommendations. We will follow up on management's actions to implement the recommendations in 90 days.

2. As required by NSA/CSS Policy 1-60, Office of the Inspector General, actions on OIG audit recommendations are subject to monitoring and follow-up until completion. Therefore, we ask that you provide a written status report concerning each planned corrective action categorized as OPEN. The status report should provide sufficient information to show that corrective actions have been completed. If a planned action will not be completed by the original target completion date, please state the reason for the delay and give a revised target completion date. Status reports should be sent to [redacted], Assistant Inspector General, at OPS 2B, Suite 624[illegible], within 15 calendar days after each target date.

3. (U) We appreciate the courtesy and cooperation extended to the auditors throughout the review. If you need clarification or additional information, please contact [redacted] on 963-2988 or via e-mail at [redacted].

[redacted]
Acting Inspector General

Classification block illegible.
Approved for Release by NSA on 11-10-2015, FOIA Case # 80120 (litigation)

DISTRIBUTION: DIR; GC; SIGINT Director; SID Program Manager for CT Special Projects; Chief, SID O&C; SID Deputy Director for Customer Relationships; SID Deputy Director for Analysis and Production; Chief, S2I; Chief, [illegible]; SID Deputy Director for Data Acquisition; Chief,
S332


(U) ASSESSMENT OF MANAGEMENT CONTROLS TO IMPLEMENT THE FISC ORDER AUTHORIZING NSA TO COLLECT INFORMATION USING PEN REGISTER AND TRAP AND TRACE DEVICES

Background: On 14 July 2004, the Foreign Intelligence Surveillance Court issued a court order (the Order) granting the NSA the authority to install and use pen registers and trap and trace devices to collect the addressing and routing information of Internet-based [redacted] (note 1). The Order establishes strict procedures governing the collection and use of, as well as access to, the data. This report assesses the general adequacy of controls to ensure that the Agency complies with the terms of the Order. The effectiveness of management controls will be assessed in a subsequent report.

SUMMARY

The management controls designed by the Agency to govern the collection, dissemination, and data security of electronic communications metadata and U.S. person information obtained under the Order are adequate and in several aspects exceed the terms of the Order. Due to the risk associated with the processing of electronic communications metadata involving U.S. person information, additional controls are needed for processing and monitoring of queries made against PR/TT data, documenting oversight activities, and providing annual refresher training on the terms of the Order (note 2).

Note 1: Includes all e-mail [redacted].
Note 2: The current version of the Order [redacted].

(U) Criteria

The Order. The Order in effect during the time period of our review was issued on [redacted] and expired on [redacted]. It authorized the Agency to collect and retain electronic communications metadata using pen registers and trap and trace devices to protect against international terrorism, and to process and disseminate this data [redacted]. Since the first order was signed in July 2004, the FISC has issued subsequent orders every [redacted] days. Although the terms and requirements of each order sometimes changed, the core authority (to collect and retain electronic communications metadata in the United States using pen registers and trap and trace devices) remains. Appendix [redacted] summarizes the significant changes since the first Order was signed.

To protect U.S. privacy rights, the Order specifies terms and restrictions regarding the collection, processing, dissemination, and data security of electronic communications metadata and U.S. person information obtained under the Order. To ensure compliance with these terms and restrictions, the Order also mandates that Agency management implement a series of procedures to control the collection of data and the access to and use of the archived data collected pursuant to the Order. These control procedures are clearly stated in the Order. Appendix [redacted] summarizes the key terms of the Order and the related control procedures.

Note: We did not assess the controls over retention at this time as the Order allows data to be retained for [redacted] years.

(U) Standards of Internal Control. Internal control, or management control, comprises the plans, methods, and procedures used to meet missions, goals, and objectives. It provides reasonable assurance that an entity is effective and efficient in its operations, reliable in its reporting, and compliant with applicable laws and regulations. The General Accounting Office's Standards for Internal Control in the Federal Government, November 1999 (the Standards), presents the standards that define the minimum level of quality acceptable for management control in government. NSA/CSS Policy 7-3, Internal Control, April 2006, advises that evaluations of internal control should consider the requirements outlined in the Standards. The Office of the Inspector General uses the Standards as the basis against which management control is evaluated.

(U) Assessment Results

Agency management implemented all of the control procedures specifically mandated by the Order (see Appendix [redacted]). Agency management also built on some of those mandated procedures to establish rigorous processes to ensure compliance with the overall terms of the Order. For example, [redacted]. In addition, processes to document Shift Coordinator and Office of General Counsel justifications and approvals demonstrate the Agency's diligence and rigor in assessing whether seed addresses meet the terms of the Order. In general, controls over collection, dissemination, and data security were adequate to ensure compliance with key terms of the Order. However, the following control weaknesses and needed improvements regarding processing and oversight exist:

- The authority to approve queries made against PR/TT data should be separated from the capability to conduct queries.
- The SIGINT Directorate Office of Oversight and Compliance (O&C) monitoring of PR/TT queries is ineffective.
- [Redacted] are needed to document O&C spot checks and monitoring of collection data, audit log functioning, and access lists.
- Agency management should provide annual intelligence oversight training on the Order to comply with Agency and DoD policy.

Details of these issues are discussed below.

The Authority to Approve Queries Made Against PR/TT Data Should Be Separated from the Capability to Conduct Queries

Two Shift Coordinators in the CT Advanced Analysis Division (AAD) each have both the authority to approve the querying of [redacted] under the Order and the capability to conduct queries. The Standards for Internal Control in the Federal Government require that key duties and responsibilities be divided among different people to reduce the risk of error or fraud. In particular, responsibilities for authorizing transactions should be separate from [redacted] and recording them. The lack of segregation of duties increases the risk that the Shift Coordinators will approve and execute queries, either by error or intent, that do not meet the terms of the Order.
Recommendation 1 I Separate the authority to approve queries from the capability to conduct queries under the Order. 5 (ACTION: Chief, Counterterroriem Primary Production Center} (U) Management Response CONCUR. W'Ihough management eoneun'ed with the ?nding. it did not ronenr with the reeonunendation Shift Coordinators need to agtu?nat data in emergent? Situations or during: o??houn-a. As an alternative eontrol. management recommended that Shift Coordinators retain queuing eapabitity hot that 0&6 routinety review their ouen?ea to ensure compliance with the Order. Status: OPEN Target Completion Date! I ?h?sl'P'L' 36'? (U) 016 Comment {ll} Planned aetion meeta the intent ol'tlie reeon'nnendation. 0&0 Monitoring Does Not Provide Reasonable Assurance that Queries Cornva withth?e girder? In nmrordnnee with deelaration dated 2004. wttieh stated that 0&(3 wi? periodically review the. FRET program. 082C peraonnel conducted periodie spot. el'ieeka to Tet-it}r that ad hoe queries made by anaiyata with access to data 35-35 DOCID: 'tbt tn [b113i-P.L. 86?36 {33?50 USC 3024tii - - .l 1J1.) .2 ?t 86-36 approved by a Shift. Coortiinator.'i Although monitoring of PRTT queries has the potential to be. a strong: and valuable compliance control. it is 1311'ng ine?ecttve because SID tt'ianagetneni did not establish a comprehensive inonitoting tnettioriotoe},r designed for that purpose. Although there are no indications that violations hat-'e occurred. monitoring does not provide reasonable assur?toiee that. queries comply with the following key terms of the. Order: a All qtieries made aeanist data must meet the tenns of Sl'iift Coordinators must approve the foreign seed addresses ofalt t'iiteries marlc against data. OGC must approve LES. seed addresses of queries ntatle ngtLii'tst data. may query to no more than two hops from the seeri address. (U) Monitoring is Essentiei to Effective ltnternelI Controi WMonitoting is one of the tire standards of internal control. Speci?cally. 
the Standards for Internal Control in the Federal Government state that monitoring includes regular management and supervisory activities, such as ongoing comparisons and reconciliations, to determine whether internal control is functioning properly. Effective monitoring makes management aware of inaccuracies, exceptions, or violations that could indicate internal control problems. Monitoring is the best means to verify compliance of queries because preventive controls are not practical.

Management Did Not Establish a Comprehensive Monitoring Methodology

O&C monitoring of queries is ineffective because SID management did not establish a comprehensive methodology to monitor compliance with four key terms of the Order. Developing a methodology requires identifying all the terms of the Order to be monitored, determining the most effective monitoring techniques, and identifying key data, format, and report requirements. Rather, O&C based its monitoring on the data that was already available. At the time of our review, O&C was moving to a new process to monitor queries and developing written procedures. Because O&C did not document spot check results or the procedures followed, we could not assess the overall adequacy of the spot checks conducted prior to our review. Our results are based on the newly implemented process.

O&C personnel spot-checked queries based on the type and format of audit log data that was already available and on the concept of "superauditing" queries. Superauditing consists of O&C personnel spot-checking SIGINT queries that have already been reviewed by an analyst's supervisor. As a result, SID management did not use effective monitoring techniques, did not have the data and reporting elements it needed to conduct effective monitoring, and based its monitoring on incomplete or inaccurate data.

Spot checks are insufficient to assess compliance with the Order. To effectively monitor over [redacted]
queries conducted per month, spot checks over a 30-day period do not include enough data to draw reasonable conclusions on the Agency's overall compliance. Rather, monitoring techniques such as reconciliation or statistical sampling are more appropriate, in that they either include a sufficient portion of the population or take into account the risk that the sampled queries do not represent the entire population. Using spot checks as the only monitoring technique, O&C cannot provide reasonable assurance that the Agency complies with the terms of the Order. O&C personnel acknowledged that "superauditing" is problematic in that PRTT queries, unlike SIGINT keyword queries, do not undergo front-line audits by supervisors. O&C personnel also agreed that reconciliation of queries to approved seed addresses is the preferred technique to monitor compliance with the Order and expressed frustration that audit log data could not be reconciled with records of approved seed addresses. At the time of our review, O&C was working with AAD to develop the report formats needed to conduct more effective monitoring.

Audit log reports do not consistently and accurately document originating seed addresses. [redacted] Unmatched or missing seed addresses are not, in and of themselves, violations of the Order. Rather, because we do not know the seed addresses, we do not know whether a Shift Coordinator had approved them. Thus, O&C monitoring cannot provide reasonable assurance that all of the queries comply with two key terms of the Order. Specifically, because the audit logs do not consistently and accurately document originating seed addresses, management cannot verify that:

- all queries made against PRTT data are traceable to seed addresses that meet the terms of the Order, and
- a Shift Coordinator approved the originating seed addresses of all queries made against PRTT data.

Audit log reports are incomplete.
The audit log reports that O&C reviews do not include all queries made against PRTT data. The reports include only the queries of analysts that the Program Management Office (PMO) lists as being approved for access to PRTT data. This data is incomplete because it does not include queries of excluded individuals: those who have the ability to query the PRTT data but are not on the PMO list or who are not analysts. For example, in one instance, the PMO list had not been updated to include two individuals who had just been granted access to PRTT data. Although the error was eventually caught and corrected by management, the audit log report was initially generated without including the two newly added individuals. Systems administrators, who have the ability to query PRTT data, were also omitted from the audit log reports. Because not all potential queries made against PRTT data are included in the log reports, management cannot provide reasonable assurance of compliance with the Order.

Audit logs do not capture needed data. Raw [redacted] audit logs comply with the terms of the Order by recording all queries made against PRTT data, including user login, address, date and time, and retrieval request. However, the audit logs do not capture critical data needed to verify compliance with two key terms of the Order. Specifically:

- Management cannot verify that OGC approved the originating seed addresses of queries made against PRTT data because the audit logs do not distinguish between U.S. and foreign addresses.
- Management cannot verify that analysts query to no more than two hops out because the audit logs do not track the number of hops from the originating seed address.[1]

SID did not identify the needed data, did not request that changes be made to the audit logs to capture the data, and made no attempt to verify compliance with these two terms of the Order.

[1] In response to a related recommendation in the OIG Report on the Assessment of Management Controls for Implementing the Foreign Intelligence Surveillance Court Order [redacted] Business Records [redacted], 5 September 2006, management indicated that limited programming resources had prevented them from identifying and making changes in raw audit logs that would facilitate reconciliation. Action is contingent on the outcome of a pending request to SID management to detail two computer programmers to the team [redacted: (b)(3)-P.L. 86-36].

Recommendation 2

Restructure the raw [redacted] audit logs to capture needed data, such as originating seed address, U.S. identifiers, number of hops, and [redacted] identifiers.
(ACTION: Chief, SID Oversight and Compliance)

(U) Management Response

CONCUR. The PMO and O&C concurred with the finding and recommendation. [Redacted] did not respond directly to the draft report, and no details were provided on its plans to implement the recommendation. Rather, O&C stated that it had provided its data requirements to the PMO. The Chief of the Advanced Analysis Division added that the database now distinguishes between U.S. and foreign addresses, so O&C can now monitor OGC approval of U.S. seed addresses.
Status: OPEN. Target Completion Date: [redacted: (b)(3)-P.L. 86-36]

(U) OIG Comment

Because we did not receive detailed plans from [redacted], we cannot determine whether planned action meets the intent of the recommendation.

Recommendation 3

Establish, document, and implement procedures to monitor PRTT queries.
(ACTION: Chief, SID Oversight & Compliance)

(U) Management Response

CONCUR. O&C concurred with the finding and recommendation. Although it had developed a foundational document for monitoring PRTT queries, O&C emphasized that successful implementation depends on the completion of Recommendation 2.
Status: OPEN. Target Completion Date: [redacted: (b)(3)-P.L. 86-36]

(U) OIG Comment

(U) Planned action meets the intent of the recommendation.
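The monitoring gaps the report describes (queries not traceable to an approved seed, U.S. seeds requiring OGC rather than Shift Coordinator approval, the two-hop limit, and audit reports built from the PMO list so that queries by accounts that can query but are not on that list are silently omitted) are all checks that a reconciliation of the complete audit log against approval and access records can perform mechanically, which is the technique O&C personnel themselves identified as preferable to spot checks. The following Python example is added here by the editor; it is not code from the OIG report or from NSA, and the log format, the field names (`seed`, `seed_type`, `hops`), the approval records, the account lists and the sample log lines are all constructed assumptions for illustration.

```python
"""Reconcile a query audit log against approval records and access lists.

Added illustrative example, not code from the OIG report. The log format,
field names, approval records, account lists and sample queries are all
constructed for this example.
"""
import json
from datetime import datetime

MAX_HOPS = 2  # the Order's limit as the report describes it: at most two hops from the seed

# Which role must approve a seed of each type (per the report: OGC for U.S.
# seeds, a Shift Coordinator for foreign seeds).
REQUIRED_APPROVER = {"US": "OGC", "FOREIGN": "ShiftCoordinator"}

# Constructed approval records: seed address -> (approving role, approval time).
APPROVALS = {
    "foreign-seed-1@example.net": ("ShiftCoordinator", "2009-03-01T08:00:00"),
    "foreign-seed-2@example.net": ("ShiftCoordinator", "2009-03-05T09:30:00"),
    "us-seed-1@example.com": ("OGC", "2009-03-02T10:00:00"),
    "us-seed-2@example.com": ("ShiftCoordinator", "2009-03-02T10:00:00"),  # wrong role for a U.S. seed
}

# Constructed access lists.
SYSTEM_LIST = {"analyst.a", "analyst.b", "analyst.c", "sysadmin.x"}  # accounts that can actually query
PMO_LIST = {"analyst.a", "analyst.b", "analyst.d"}                    # accounts approved by the PMO
BRIEFED_LIST = {"analyst.a", "analyst.b", "analyst.c"}               # accounts OGC has briefed

# Constructed audit log (JSON lines). Each record has the fields the report
# says the raw logs already capture (user, address, time, request) plus the
# two it says are missing: the seed with its U.S./foreign type, and hop count.
AUDIT_LOG = """\
{"user": "analyst.a", "addr": "10.1.1.5", "ts": "2009-03-03T11:00:00", "seed": "foreign-seed-1@example.net", "seed_type": "FOREIGN", "hops": 2}
{"user": "analyst.b", "addr": "10.1.1.6", "ts": "2009-03-03T11:05:00", "seed": "us-seed-1@example.com", "seed_type": "US", "hops": 1}
{"user": "analyst.b", "addr": "10.1.1.6", "ts": "2009-03-03T11:10:00", "seed": "foreign-seed-1@example.net", "seed_type": "FOREIGN", "hops": 3}
{"user": "analyst.a", "addr": "10.1.1.5", "ts": "2009-03-04T09:00:00", "seed": "foreign-seed-2@example.net", "seed_type": "FOREIGN", "hops": 1}
{"user": "analyst.c", "addr": "10.1.1.7", "ts": "2009-03-04T09:30:00", "seed": "us-seed-2@example.com", "seed_type": "US", "hops": 2}
{"user": "sysadmin.x", "addr": "10.1.1.9", "ts": "2009-03-04T23:10:00", "seed": "", "seed_type": "", "hops": 0}
"""


def parse_audit_log(text):
    """Parse a JSON-lines audit log into a list of records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_query(rec, approvals=APPROVALS, pmo_list=PMO_LIST):
    """Return every reason this one query cannot be shown to comply (empty list if none)."""
    reasons = []
    if rec["user"] not in pmo_list:
        reasons.append("user not on PMO access list")
    seed = rec.get("seed") or ""
    if not seed:
        # Without the originating seed nothing about its approval can be verified.
        reasons.append("originating seed address not recorded")
        return reasons
    approval = approvals.get(seed)
    if approval is None:
        reasons.append("seed has no approval record")
    else:
        role, approved_at = approval
        needed = REQUIRED_APPROVER.get(rec.get("seed_type"))
        if needed is None:
            reasons.append("seed not typed as US or FOREIGN")
        elif role != needed:
            reasons.append(f"seed approved by {role}, {needed} approval required")
        if datetime.fromisoformat(approved_at) > datetime.fromisoformat(rec["ts"]):
            reasons.append("approval postdates the query")
    if rec.get("hops", 0) > MAX_HOPS:
        reasons.append(f"{rec['hops']} hops exceeds limit of {MAX_HOPS}")
    return reasons


def reconcile_queries(records):
    """Reconcile every query in the log (not a sample) and list the exceptions."""
    findings = []
    for rec in records:
        for reason in check_query(rec):
            findings.append({"user": rec["user"], "ts": rec["ts"], "seed": rec.get("seed"), "reason": reason})
    return findings


def queries_dropped_by_filter(records, allowed_users):
    """Queries a report restricted to `allowed_users` would silently omit.

    This is the completeness defect the report describes: building the audit
    report from the PMO list drops queries by accounts that can query but are
    not on that list (e.g. newly added analysts, systems administrators).
    """
    return [r for r in records if r["user"] not in allowed_users]


def reconcile_access(system_list, pmo_list, briefed_list):
    """Three-way reconciliation of who can query, who is approved and who was briefed."""
    return {
        "can_query_but_not_approved": sorted(system_list - pmo_list),
        "approved_but_no_account": sorted(pmo_list - system_list),
        "approved_but_not_briefed": sorted(pmo_list - briefed_list),
        "briefed_but_not_approved": sorted(briefed_list - pmo_list),
    }


if __name__ == "__main__":
    records = parse_audit_log(AUDIT_LOG)
    for f in reconcile_queries(records):
        print(f"{f['ts']} {f['user']:<11} {f['seed'] or '<no seed>':<27} {f['reason']}")
    print("omitted by a PMO-filtered report:", [r["user"] for r in queries_dropped_by_filter(records, PMO_LIST)])
    print("access reconciliation:", json.dumps(reconcile_access(SYSTEM_LIST, PMO_LIST, BRIEFED_LIST), indent=1))
```

Run as a script it prints the exception list. The point of the design is that every query is reconciled, so the output is a complete list of queries that cannot be shown to comply (including those by accounts a PMO-filtered report would drop) rather than a sample from which compliance is inferred. The approval-time check goes slightly beyond the terms the report lists: it catches a seed whose approval was recorded only after it had already been queried, which a comparison of seed addresses alone would miss.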
Improvements Are Needed to Document Oversight Activities

Documentation of certain oversight activities is not being maintained. In addition to specific controls, the Order requires that the OGC conduct specific oversight activities: random spot checks of collection data, monitoring of the audit log function, and monitoring of individuals with access to PRTT data.

OGC Does Not Document Mandated Spot Checks of Collection Data and Monitoring of the Audit Log Function

As mandated by the Order, OGC periodically conducts random spot checks of the data collected and [redacted] monitors the audit log function. OGC does not, however, document the date, scope, or results of the reviews. The purpose of the spot checks is to ensure that filters and other controls in place on the [redacted: (b)(3)-50 USC 3024(i)] are functioning as described by the Order and that only court-authorized data is retained. The purpose of the audit log function is to retain the data needed to audit queries conducted under the Order. Currently, an OGC attorney meets with the individuals responsible for the collection and audit log functions and reviews samples of the data to determine compliance with the Order. The attorney stated that she would formally document the reviews only if there were violations or other discrepancies of note. To date, OGC has found no violations or discrepancies.

(U//FOUO) NSA/CSS Policy 7-[illegible] requires management to document internal control systems and conduct internal control assessments. Documentation of internal control systems includes review documentation that shows the scope of review, the responsible official, the pertinent dates and facts, the key findings, and the recommended corrective actions. Without adequate documentation of court-ordered reviews, the Agency does not have readily available and verifiable evidence of its compliance with the Order.
Recommendation 4

Maintain documentation of spot checks of collection data and monitoring of audit log functions to include:
- Date of the review,
- Time period reviewed,
- Source of the data (i.e., personnel assisting OGC), and
- Results and corrective actions, if needed.
(ACTION: NSA Office of the General Counsel)

(U) Management Response

CONCUR. OGC concurred with the finding and recommendation and stated that it will begin documenting spot checks.
Status: OPEN. Target Completion Date: [redacted: (b)(3)-P.L. 86-36]

(U) OIG Comment

Planned action meets the intent of the recommendation.

OGC Does Not Maintain Documentation of Data Access Monitoring Activities

Although the OGC is notified when the PMO has approved a request for PRTT data access, it does not maintain documentation that individuals being approved for access have obtained the required OGC briefing. The Order requires OGC to monitor the designation of individuals with access to the data. The Standards for Internal Control in the Federal Government state that "internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination." The lack of readily available documentation makes it difficult to effectively monitor who has access to PRTT data. Further, the Standards for Internal Control in the Federal Government define monitoring to include comparisons and reconciliations. Periodically, Program management compares a list of system users with data access (system list) to a list of individuals approved by the PMO for access (PMO list). OGC conducts a similar review of the PMO list; however, there is no OGC-maintained list to compare against. Instead, the attorney conducting the review relies on memory to verify the accuracy and completeness of the list. Although the same attorney normally conducts all briefings and reviews the lists, during one review the attorney did not recognize the name of one person on the PMO list. Upon further investigation,
the attorney discovered that another operations attorney, who was properly cleared and familiar with the requirements of the Order, had briefed the analyst. This was confirmed in the briefing attorney's calendar.

When performing a review of individuals with access to the PRTT data, the OGC attorney uses the PMO list rather than the system list. Although only approved individuals should have access to the PRTT data, the system list shows which individuals are actually authorized in the system to query the data, including any analysts or other users who may not have been approved by the PMO.

Recommendation 5

Maintain a list of individuals who have been briefed on the proper use of the PRTT data and periodically reconcile that list with both the system list and the PMO list.
(ACTION: NSA Office of the General Counsel)

(U) Management Response

CONCUR. OGC did not agree that reconciliation is needed to monitor the designation of individuals with access to the data. It did, however, concur with the recommendation and agreed to a proposal made by the [redacted] to replicate the PMO list in the Lotus Notes Tracker Program, a program to which the OGC has restricted access, and to automate a process to reconcile the lists weekly.
Status: OPEN. Target Completion Date: [redacted: (b)(3)-P.L. 86-36]

(U) OIG Comment

(U) Planned action meets the intent of the recommendation.

Annual Advanced Intelligence Oversight Training on the Order Is Needed to Comply with NSA Policy

SID management does not provide annual refresher training on the terms of the Order to appropriate personnel. Such training constitutes advanced intelligence oversight training as defined by NSA/CSS Policy 1-23, Procedures Governing NSA/CSS Activities That Affect U.S. Persons, March 11, 2004. Specifically, Policy 1-23 requires that the SIGINT Director:

"(U) ... provide training to all employees (including contractors and integrees) in order to maintain a high degree of sensitivity to, and understanding of, the laws and [illegible] referenced in this Policy. Such training shall include both core and advanced intelligence oversight training and refresher training, with appropriate testing. All employees shall receive core training, and those with exposure to U.S. person information shall receive appropriate enhanced training. Training shall be required at least annually (or more often commensurate with the level of exposure to U.S. person information by the employee)."

As mentioned, OGC briefs individuals on the terms of the Order when they are granted access to PRTT data. OGC also forwards, by e-mail, copies of newly issued orders to key personnel in [redacted] and AAD. The PMO, in turn, posts the Order on a website available to cleared personnel; however, because the e-mails do not include detailed explanations of changes made to the Order, they do not constitute advanced training. No additional refresher training on the Order is provided. As a result, the SIGINT Director does not comply with Agency policy and risks violations of the Order by analysts who do not fully understand its terms.

Recommendation 6

Conduct annual advanced intelligence oversight refresher training for analysts and collectors on the terms of the Order as required by Policy 1-23.
(ACTION: SIGINT Director)

(U) Management Response

CONCUR. O&C concurred with the finding and recommendation but had not yet formally coordinated with the SIGINT Director or OGC.
Status: OPEN. Target Completion Date: [redacted: (b)(3)-P.L. 86-36]

(U) OIG Comment

(U) Because management did not provide details, we cannot determine whether planned action meets the intent of the recommendation.

Conclusion

The authority for the Agency to collect and analyze bulk address and routing information on electronic communications is extraordinary, and the activities conducted under the Order are extremely sensitive. The Agency must take this responsibility seriously and show good faith in its execution. Much of the
foundation for a strong control system is set up by the Order itself, in the form of mandated control procedures, and in many ways Agency management has made the controls even stronger. Our recommendations will address control weaknesses not covered by the Order or by Agency management and will meet Federal standards for internal control and Agency regulations. Once the noted weaknesses are addressed and additional controls are implemented, the management control system will provide reasonable assurance that the terms of the Order will not be violated.

(U) ABOUT THE AUDIT

(U) Objectives

The overall objectives of this review were to:
- assess whether management controls are adequate to provide reasonable assurance that NSA complies with the terms of the Order, and
- verify that control procedures mandated in the Order are in place.

Scope and Methodology

The audit was conducted from [redacted: (b)(3)-P.L. 86-36]. We interviewed Agency personnel and reviewed documentation to satisfy the review objectives. We conducted limited testing of audit log data of PRTT queries to assess the effectiveness of controls. As footnoted, we did not assess controls related to the retention of Internet metadata pursuant to the Order. As the Order authorizes NSA to retain data for up to 4.5 years, such controls are not applicable at this time.

(U) OIG Investigation of Violations of PRTT Orders

On [redacted], the OIG issued a report of the findings from an investigation into violations of the [redacted]. The OIG investigation began on [redacted], after the OGC notified the OIG that a violation had occurred. The violation was first noticed on [redacted] and occurred as a result of [redacted]. The investigation determined the cause of the violation and the extent of unauthorized collection [redacted: (b)(3)-50 USC 3024(i)]. The OIG report of investigation does not make formal recommendations to management.
Rather, the report summarizes key facts and evaluates responsibility for the violation. This review confirms that management has taken steps to prevent recurrence of [redacted]. In particular, management now continuously monitors [redacted] that might result in violations. This review also identified, however, two areas that were cited in the report of investigation that still need improvement:

- Although O&C has become more involved in monitoring queries, additional action is needed to make the monitoring effective.
- While personnel are notified of changes in renewals of the Order and new orders are posted on a centralized website, refresher training is still needed to ensure that NSA personnel apply the Order correctly.

APPENDIX (U//FOUO) Summary of Changes to the PRTT Orders

SUMMARY OF CHANGES TO THE PRTT ORDERS

The appendix is a table with the columns Order Number, Effective Dates, and Changes from Previous Order. Order numbers and effective dates are redacted in the released copy [(b)(1); (b)(3)-P.L. 86-36]. The legible entries in the "Changes from Previous Order" column, in order, are:

- Initial Order: NSA collects and retains Internet metadata [redacted] to query against international terrorism [redacted] and to [illegible] and disseminate [redacted].
- Increased the number of analysts [illegible] [redacted].
- Added [illegible] [redacted] data.
- Added a 30-day reporting requirement.
- No changes.
- Added [illegible] that prohibits querying on [illegible] [redacted].
- Added a requirement to discuss the nature of the data [redacted] in the 30-day reports.
- No changes.
- Changed the retention period from [illegible] months to 4.5 years. [Redacted] has no effect on the overall retention period: data must be [illegible] after 4.5 years.
- Added the stipulation that [redacted] addresses that are currently the subject of authorized electronic surveillance and/or physical search, based on the FISC's finding of probable cause to believe that they are used by [illegible], may be used for metadata querying without an RAS [illegible] (page [illegible]).
- Increased the number of [illegible] to the metadata from [illegible] to [illegible].

Primary Order [redacted] is dated [redacted]; all secondary orders are dated [redacted].

APPENDIX (U) Mandated Terms and Control Procedures

(U) Terms and Mandated Control Procedures for NSA [redacted]

This appendix is a table with the columns Responsible Entity, Terms of the Order, and Mandated Control Procedures, organized by control area:

- Control Area I: Collection
- Control Area II: Processing
- Control Area III: Dissemination
- Control Area V: Data Security

The cell text of this table is not legible in the released copy beyond fragments; the legible fragments refer to seed addresses and their approval, Shift Coordinator and OGC responsibilities, the two-hop limit on queries, audit logging of queries, and storage and access controls over the data.
DOCID: 4248811

NATIONAL SECURITY AGENCY
FORT GEORGE G. MEADE, MARYLAND 20755-6000

19 December 2012

Vice Chairman, Select Committee on Intelligence
United States Senate
211 Hart Senate Office Building
Washington, DC 20510

Dear Mr. Vice Chairman:

Section 702(l)(2) of the FISA Amendments Act (FAA) authorizes the National Security Agency/Central Security Service Office of the Inspector General (OIG) to assess the Agency's compliance with procedures for targeting certain persons, other than U.S. persons (USPs), outside the United States. My office reviews the collection, processing, and reporting of data at least quarterly. Incidents involving compliance with procedures for targeting certain persons, other than USPs, outside the United States and incidents involving minimization of USP information are reported to the OIG as they occur and quarterly. Each incident is evaluated against the targeting and minimization procedures set forth in the FAA and in NSA/CSS directives. This report covers 1 September 2011 through 31 August 2012. [Redacted] the OIG completed the Special Study: Assessment of Management Controls Over FAA §702. This study examined the design of these management controls; future studies will test the identified controls.

In compliance with the targeting and minimization procedures of §702 of the FAA, [redacted: (b)(1); (b)(3)-P.L. 86-36] intelligence reports were disseminated by NSA/CSS based on SIGINT derived from FAA §702 authorized collection.[1] Of the [redacted] disseminated reports, [redacted] contained one or more references to U.S. persons.[2] This number includes references to a United States electronic communications service provider as part of the communications identifier used by targets of this acquisition and other non-U.S. persons with whom they communicate. A communicant using the e-mail account [redacted]@USprovider.com was included here as a report referencing a U.S.-person identity.[3] In February 2012, NSA stopped counting such communications identifiers as U.S. person identifiers if the user is a non-U.S. person. As a result, the number of intelligence reports containing one or more references to U.S. persons is significantly lower this year than last. In addition, NSA/CSS released [redacted] USP identities in response to customer requests for USP identities not referred to by name or title in the original reporting.[4]

During this reporting period, [redacted] foreign targets reasonably believed to be located outside the United States at the time of tasking were later suspected or confirmed to be in the United States. In each instance, targeted selectors that at the time of targeting were reasonably believed to be outside the United States but were later found to be in the United States [redacted: (b)(1); (b)(3)-P.L. 86-36; (b)(3)-18 USC 798; (b)(3)-50 USC 3024(i)]. Compliance incidents occurred under such circumstances as:

- Tasking under an incorrect certification,
- Errors in entry of the selector for tasking,
- Insufficient foreignness support,
- Dissemination errors,
- (U//FOUO) Poor construction of database queries, and
- USP status discovered post-tasking.

(U) Action has been taken to correct mistakes, and internal management processes have been reviewed and adjusted to reduce the risk of unauthorized acquisition and improper retention of USP communications.

[1] These reports were based in whole or in part on information acquired pursuant to FAA §702(a).
[2] (U//FOUO) [Redacted] the references to U.S.-person identities may have resulted from collection pursuant to FAA §702 or from other authorized Signals Intelligence activity conducted by NSA that was reported in conjunction with information acquired under FAA §702.

Approved for Release by NSA on 11-10-2015, FOIA Case # 80120 (litigation)
This is the fourth year for which the OIG has assessed for the Congress the Agency's compliance with FAA §702. To ensure consistency between the DIRNSA report and the OIG report, the OIG and SID worked together to achieve a common understanding of the reporting requirements and have agreed on a methodology for accumulating and analyzing compliance statistics.

(U) The OIG continues to exercise oversight of Agency intelligence activities.

/s/ GEORGE ELLARD
Inspector General

Copy Furnished:
The Honorable Dianne Feinstein
Chairman, Select Committee on Intelligence

[3] For the previous reporting period, NSA reported that [redacted] intelligence reports contained one or more references to U.S. persons, including references to U.S. electronic communications providers as part of a communications identifier.
[4] For the previous reporting period, NSA reported that there were [redacted] identities disseminated in response to requests for identities not referred to by name or title in the original reporting. [Redacted] reports by the NSA Threat Operations Center account for [redacted] of the increase. Approximately [redacted] of the disseminated United States person identities were proper names of real persons or their titles; [redacted: (b)(1); (b)(3)-P.L. 86-36; (b)(3)-18 USC 798; (b)(3)-50 USC 3024(i)].

DOCID: 4248814

NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE
INSPECTOR GENERAL REPORT

Report on the Special Study of Purge of Pen Register and Trap and Trace Bulk Metadata [redacted: (b)(3)-P.L. 86-36]

Approved for Release by NSA on 11-10-2015, FOIA Case # 80120 (litigation)

(U) OFFICE OF THE INSPECTOR GENERAL

(U) Chartered by statute and the Director, NSA/Chief, CSS, the Office of the Inspector General (OIG) conducts audits, investigations, and inspections. Its mission is to ensure the integrity, efficiency, and effectiveness of NSA/CSS operations, provide intelligence oversight, protect against fraud, waste, and mismanagement of resources, and ensure that NSA/CSS activities are conducted in compliance with the law, executive orders, and regulations.
The OIG also serves as ombudsman, assisting NSA/CSS employees, civilian and military.

(U) AUDITS

(U) The audit function provides independent assessments of programs and organizations. Performance audits evaluate the effectiveness and efficiency of entities and programs and assess whether program objectives are being met and whether operations comply with law and regulations. Financial audits determine the accuracy of an entity's financial statements. All audits are conducted in accordance with standards established by the Comptroller General of the United States.

(U) INVESTIGATIONS AND SPECIAL INQUIRIES

(U) The OIG administers a system for receiving and acting upon requests for assistance or complaints (including anonymous tips) about fraud, waste, and mismanagement. Investigations and Special Inquiries may be undertaken as a result of such requests and complaints, at the behest of management, because of irregularities that surface during inspections and audits, or on the initiative of the Inspector General.

(U) FIELD INSPECTIONS

(U) The inspection function consists of organizational and functional reviews undertaken as part of the annual plan or by management request. Inspections yield accurate, up-to-date information on the effectiveness and efficiency of entities and programs, along with an assessment of compliance with law and regulations. The Office of Field Inspections also partners with Inspectors General of the Service Elements to conduct joint inspections of consolidated facilities.

OFFICE OF THE INSPECTOR GENERAL
NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE

ACTION MEMORANDUM

TO: DISTRIBUTION
SUBJECT: Report on the Special Study of Purge of Pen Register and Trap and Trace Bulk Metadata [redacted: (b)(3)-P.L. 86-36]

1. This advisory report summarizes the results of the review by the Office of the Inspector General of the Purge of Pen Register and Trap and Trace Bulk Metadata [redacted].

2.
On the basis of our observations and review of procedures and documentation, we determined with reasonable assurance that the Agency destroyed Pen Register and Trap and Trace bulk metadata from its declared systems, databases, and tape and system backups disclosed to us before the authority expired on 9 December 2011. Based on our review, no management response is required for this report.

3. (U) We appreciate the courtesy and cooperation extended to our staff throughout the review. For additional information, please contact Mr. [redacted] on 963-0922(s) or via e-mail at [redacted]. [(b)(3)-P.L. 86-36]

George Ellard
Inspector General

cc: EXDIR (P. Pleisch); SID (T. Shea); COS (D. Bonanni); SV4; SV42; S3; S35; S353; TE; TV; T1; T12; T121; T122; D4; d-comply-tasker DL; SID IG LIAISON DL; DOJ; IG; D1; D11; D12; D13; D14 [remainder of distribution list illegible]

NSA/CSS Office of the Inspector General
ADVISORY REPORT
SPECIAL STUDY OF THE PURGE OF PEN REGISTER AND TRAP AND TRACE BULK METADATA

(U) Overview

This report summarizes our special study of the Agency's processes to destroy Pen Register and Trap and Trace bulk metadata from its declared systems, databases, and backups before the authority expired on 9 December 2011. On the basis of our observations and review of procedures and documentation, we conclude with reasonable assurance that the Agency destroyed bulk metadata in the systems, databases, and backups disclosed to us. [(b)(3)-P.L. 86-36]

Between July 2004 [redacted] and the expiration of the authority on 9 December 2011, the National Security Agency, with the assistance of certain U.S.
telecommunications service providers, collected, processed, and analyzed metadata from Internet communications to obtain foreign intelligence information about the international terrorist activities [redacted].

(U) Background

This activity occurred under a [redacted] authority (renewable every 90 days) granted by the Foreign Intelligence Surveillance Court. In early 2011, the Signals Intelligence Directorate conducted an examination of the NSA PR/TT program to assess its value as a source of foreign intelligence information. That examination revealed that the program was not producing valuable foreign intelligence information after the program had been reinitiated [redacted]. On [redacted] 2011, SID requested that the Director, NSA terminate the PR/TT program. SID recommended that NSA not renew the authority and destroy all bulk metadata collected pursuant to the PR/TT authority. SID identified several limitations that contributed to the program's inability to meet expectations.

1. [redacted]
2. [redacted] [(b)(1); (b)(3)-P.L. 86-36; (b)(3)-50 USC 3024(i)]
3. Other authorities can satisfy certain foreign intelligence requirements that the PR/TT program was designed to meet. The Supplemental Procedures Governing Communications Metadata Analysis (SPCMA), which SID implemented widely in late 2010, allows NSA to call-chain from, to, or through U.S. person selectors in signals intelligence collection obtained under a number of authorities. In addition, notwithstanding restrictions stemming from the recent concerns regarding upstream collection, FAA §702 has emerged as another critical source for collection of Internet communications of foreign terrorists. Thus, SPCMA and FAA §702 assist in the identification of terrorists communicating with individuals within the United States, which addresses one of the original reasons for establishing the PR/TT program in 2004.

(U) Decision

On [redacted] 2011, DIRNSA approved SID's request to
allow the Order to expire and to destroy all collected bulk metadata from the PR/TT program before the authority expired on 9 December 2011. [(b)(3)-P.L. 86-36]

(U) NSA Systems and Repositories that Stored Metadata

Before the purge, the Agency declared that metadata was stored [redacted]:

1. [redacted], the Agency's corporate database that accepts metadata [redacted] into separate partitions, including NSA [redacted]. [redacted] contained the contact chain summaries and transaction records for [redacted]. [redacted] stored the contact chain summaries that document Internet communications between two persons. A contact chain summary shows that a person communicated with another person, their first and last contact dates, and the total number of communications between them. [(b)(1); (b)(3)-P.L. 86-36; (b)(3)-50 USC 3024(i)]
2. [redacted]

(U) OIG Review of NSA's Bulk Metadata Purge

The metadata purge was performed from [redacted] through 9 December 2011. On 2 December and 7 December 2011, the OIG independently observed the Agency's purge processes to destroy bulk metadata from its declared systems, databases, and backups (as disclosed by [redacted]). It is important to note that we lack the necessary system accesses and technical resources to search networks to independently verify that only the disclosed repositories stored metadata. As a result, we completed our special study through observation and review of procedures and system documentation for the disclosed repositories only. During our study, we observed the Knowledge Services Team and T121 personnel perform system commands to purge metadata from Agency systems and databases. At our request, TD personnel provided us with system documentation before and after the purge commands had been performed. This documentation showed that the file systems and tables that stored metadata had been deleted from Agency systems and databases.
We also observed T1222 submit the backup tapes for secure destruction and obtained copies of receipts signed by destruction personnel. However, S3 had completed its purge before we had the opportunity to observe. As a result, we were able to review the S3 purge procedures only for reasonableness; we were not able to do the before and after comparisons that we did for the TD systems and databases disclosed to us. S3 did provide system documentation that showed metadata files no longer resided in temporary memory of the [redacted] system and confirmed that dataflows had been terminated and all other purge procedures had been completed for S3 systems according to plan. Refer to Table 1 for the six areas reviewed. [(b)(3)-P.L. 86-36]

(U) Table 1. Special Study Results

Review Area | Organization | OIG Review Method | Procedures Adequately Performed?
Tape, disk, and system backup destruction practices | T1222 | Observed T1222 submit backup tapes for secure destruction. Obtained copies of receipts signed by destruction personnel. | Yes
[redacted] | T1222 | Reviewed procedures and observed T1222 perform commands to purge [redacted]. Obtained system documentation that showed that the file system had been deleted. | Yes
[redacted] | T1222 | Reviewed procedures and observed T1222 perform commands to purge [redacted]. Obtained system documentation that showed that tables had been deleted. | Yes
[redacted] | T1222 | Reviewed procedures and observed T1222 perform commands to purge [redacted] for [redacted]. Obtained system documentation that showed that file systems had been deleted. | Yes
[redacted] | T1222 | Reviewed procedures and observed T1222 perform commands to purge [redacted]. Obtained system documentation that showed that file systems had been deleted. | Yes
[redacted] | T121 | Reviewed procedures and observed T121 perform commands to purge PR/TT metadata from directories and tables. Obtained system documentation that showed that directories, files, and tables had been purged of metadata. | Yes
[redacted] | S3 | S3 purge procedures were reviewed only for reasonableness. S3 had completed its purge before we had the opportunity to observe. S3 subsequently provided system documentation that showed that metadata files no longer resided in temporary memory of [redacted] and confirmed that PR/TT dataflows had been terminated and all other purge procedures had been completed according to plan. | Yes
[(b)(1); (b)(3)-P.L. 86-36]

(U) Conclusion

On the basis of our observations and review of procedures and documentation, we conclude with reasonable assurance that the Agency destroyed bulk metadata from its declared systems, databases, and tape and system backups disclosed to us before the authority expired on 9 December 2011.

(U) APPENDIX
(U) T1222, T121, and S3 Purge Procedures

Table A1. Bulk Metadata Purge Procedures

Date | Procedure
[redacted] | S3 terminated PR/TT dataflows, purged metadata, and powered down equipment. [redacted] services were deleted to prevent [redacted] from accessing PR/TT [redacted] data stored in [redacted].
12/2/11 | Phase 1 of T1222's purge procedures to destroy PR/TT metadata collected [redacted].
[illegible] | Phase 2 of T1222's purge procedures to destroy metadata collected [redacted].
[illegible] | T121's purge procedures to delete sample metadata from the [redacted] system.
[illegible] | [redacted]
[(b)(3)-P.L. 86-36]

Note: Before the purge, the Agency had only metadata [redacted]. PR/TT metadata obtained before [redacted] had not been saved to the [redacted]. As a result, no action was needed by T1222 for the [redacted] during the Phase 1 purge. The entire [redacted] was deleted during the Phase 1 purge. As a result, no action was needed by [redacted] during the Phase 2 purge.

NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE
FORT GEORGE G. MEADE, MARYLAND
30 December 2011

The Honorable Michael J. Rogers
Chairman, Permanent Select Committee on Intelligence
United States House of Representatives
Capitol Visitor Center HVC-304
U.S.
Capitol Building
Washington, DC 20515-6415

Dear Representative Rogers:

(U//FOUO) The FISA Amendments Act (FAA) authorizes the National Security Agency/Central Security Service Office of the Inspector General (OIG) to assess the Agency's compliance with procedures for targeting certain persons, other than U.S. persons (USPs), outside the United States. My office reviews the collection, processing, and reporting of data at least quarterly. Incidents involving compliance with procedures for targeting certain persons, other than USPs, outside the United States and incidents involving minimization of USP information are reported to the OIG as they occur and quarterly. Each incident is evaluated against the targeting and minimization procedures set forth in the FAA and in NSA/CSS directives. This report covers 1 September 2010 through 31 August 2011.

In compliance with the targeting and minimization procedures of §702 of the FAA, NSA/CSS disseminated [redacted] intelligence reports based on [redacted] derived from FAA §702 authorized collection. Of the [redacted] disseminated reports, [redacted] contained a reference to a USP. In addition, NSA/CSS released [redacted] USP identities in response to customer requests, some of which were not unique. [(b)(3)-P.L. 86-36]

During this reporting period, [redacted] valid foreign targets who were reasonably believed to be located outside the United States at the time of tasking were later suspected or confirmed to be in the United States. In each instance, [redacted] targeted selectors that at the time of targeting were confirmed to be outside the United States but were later [redacted]. Compliance incidents occurred under such circumstances as:

- (U//FOUO) Delays in implementing minimization procedures and purging unauthorized collection;
- (U//FOUO) Analyst misunderstanding of the authority;
- Poor construction of database queries; and
- System errors.
[(b)(1); (b)(3)-P.L. 86-36; (b)(3)-18 USC 798; (b)(3)-50 USC 3024(i)]

Derived From: [illegible] 1-52; Dated: [illegible]; Declassify On: [illegible]
Approved for Release by NSA on 11-10-2015. FOIA Case 80120 (litigation)
DOCID: 4248817
(U) Action has been taken to correct mistakes, and internal management processes have been reviewed and adjusted to reduce the risk of unauthorized acquisition and improper retention of USP communications.

This is the third year for which the OIG has assessed for the Congress the Agency's compliance with FAA §702. After the OIG filed its report for the year ending 31 August 2010, discrepancies were identified between the data provided to the OIG by the Signals Intelligence Directorate (SID) and similar information contained in a draft Agency Report of Annual Review Pursuant to Section 702(l) of the Foreign Intelligence Surveillance Act prepared by the NSA Office of General Counsel (OGC). It was determined that different methodologies had been used to provide the information. The statistics were compiled differently for the number of reports disseminated based on FAA §702 collection and for the number of USPs referenced in reporting. There were no differences in reporting for the number of USP identities released in response to customer requests.

(U//FOUO) The following table contains data for all three years of reporting using a consistent methodology. When reconstructing the data, we discovered that we were unable to confirm exactly which of several possible legitimate counting methods had been used to compile the numbers provided to us on USPs referenced in reporting for 2009 and 2010. For the current year and retrospectively for 2009 and 2010, the table reflects the total number of USP identities referenced in reports derived from FAA §702 collection, regardless of the number of times an individual identity was released or the number of USP identities per report. In addition, the 2010 data initially provided to us on the number of reports disseminated excluded reports produced by Signals Intelligence organizations outside the NSA headquarters complex [redacted]. That number has been adjusted.

Reporting Period | Reports Disseminated Based on FAA §702 Collection | USPs Referenced in Reports
September 2008 - August 2009 | [redacted] | [redacted]
September 2009 - August 2010 | [redacted] | [redacted]
September 2010 - August 2011 | [redacted] | [redacted]
[(b)(3)-P.L. 86-36]

To ensure consistency of reporting for the year ending 31 August 2011 and for future years, the OIG, OGC, and SID worked together to achieve a common understanding of the reporting requirements for the two reports and have agreed on a methodology for accumulating and analyzing the compliance statistics. The process has been standardized to ensure continued accuracy and is being documented for future reporting. The table above presents the reportable figures agreed on by the OIG, SID, and OGC for all three years for which reports have been required.

(U) The OIG continues to exercise oversight of Agency intelligence activities.

[signature]
Inspector General

Copy Furnished:
The Honorable C.A. Ruppersberger
Ranking Member, Permanent Select Committee on Intelligence

NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE
OFFICE OF THE INSPECTOR GENERAL
Savage Road, OPS 2B, Suite 6247
Ft. George G. Meade, MD
20 December 2013

The Honorable Saxby Chambliss
Vice Chairman, Select Committee on Intelligence
United States Senate
211 Hart Senate Office Building
Washington, DC 20510

Dear Mr. Vice Chairman:

Section 702(l) of the FISA Amendments Act of 2008 (FAA) authorizes the National Security Agency/Central Security Service Office of the Inspector General (OIG) to assess the Agency's compliance with procedures for targeting non-U.S. persons outside the United States. My Office reviews incidents involving compliance with procedures for targeting non-U.S. persons outside the United States and incidents involving minimization of U.S. person information as they are reported to the OIG and quarterly. Each incident is evaluated against the targeting and minimization procedures adopted by the Director of National Intelligence and the Attorney General and approved by the Foreign Intelligence Surveillance Court. [(b)(1); (b)(3)-P.L. 86-36; (b)(3)-50 USC 3024(i)]
This letter covers the 12-month period ending 31 August 2013. During that period, the OIG completed two reports on implementation of FAA §702. The first was an assessment of management controls over FAA §702, which examined the design of the management controls that ensure compliance with FAA §702 and the targeting and minimization procedures [redacted] certifications. Future studies will test the identified controls. The second report [redacted] compliance with the targeting and minimization procedures of [redacted].

[redacted] intelligence reports were disseminated by [redacted] based on [redacted] derived from FAA §702 authorized collection.1 Of the [redacted] disseminated reports, [redacted] contained one or more references to USPs.2

1 (U) These reports were based in whole or in part on information acquired pursuant to FAA §702(a). [redacted]
2 [redacted] The references to USP identities might have resulted from collection pursuant to FAA §702 or from other authorized SIGINT activity conducted by NSA that was reported in conjunction with information acquired under FAA §702. [redacted] The Central Intelligence Agency does not conduct acquisitions under FAA §702. However, it receives unminimized communications from NSA and FBI and disseminates information based on those communications. [(b)(1); (b)(3)-P.L. 86-36]

Approved for Release by NSA on 11-10-2015. FOIA Case 80120 (litigation)
DOCID: 4248818

During the previous reporting period, NSA stopped counting references to U.S. service providers contained in an e-mail address as a USP reference if the e-mail address was used by a non-USP. For example, a reference in a disseminated report that target A communicated using e-mail account [redacted] is no longer included as a report containing a USP identity if target A is a non-USP. Because this change was in effect for the entirety of the current reporting period,
the total number of NSA intelligence reports counted for this report as containing one or more references to USPs is significantly lower than last year.

[redacted] NSA released [redacted] identities in response to customer requests for USP identities not referred to by name or title in the original reporting.3 The majority of these requests were received from elements of the United States Intelligence Community or federal law enforcement agencies. [(b)(1); (b)(3)-P.L. 86-36]

During this reporting period, NSA determined that, on [redacted] occasions, selectors belonging to non-USPs reasonably believed to be located outside the United States at the time of tasking were later suspected or confirmed to be [redacted]. DoJ filed a preliminary notice of compliance incident with the FISC that advised the Court that [redacted]. As reported in the quarterly report to the President's Intelligence Oversight Board on NSA activities, compliance incidents occurred under such circumstances as:

- (U) Tasked selector not meeting the requirements of the certification;
- (U) System errors resulting in improper storage or access;
- (U) Delayed detasking of targets identified as in or traveling in the United States;
- (U) Dissemination errors;
- (U) Poor construction of database queries; and
- (U) USP status discovered post-tasking.
[(b)(1); (b)(3)-P.L. 86-36; (b)(3)-18 USC 798; (b)(3)-50 USC 3024(i)]

3 For the previous reporting period, NSA reported that [redacted] intelligence reports contained one or more references to USPs, including references to U.S. electronic communications providers as part of a communications identifier. For the previous reporting period, NSA reported that [redacted] identities were disseminated in response to requests for identities not referred to by name or title in the original reporting. For the current reporting period, fewer than a quarter of disseminated USP identities were proper names of individuals or their titles. [(b)(3)-P.L. 86-36]

(U) Action has been taken to correct mistakes,
and management processes have been reviewed and adjusted to reduce the risk of unauthorized acquisition and retention of USP communications.

(U) This is the fifth year for which the OIG has reviewed the Agency's compliance with FAA §702 for the Congress. To ensure consistency between the report of the annual review in accordance with FAA §702(l) and the OIG report, the OIG and the Signals Intelligence Directorate worked together to achieve a common understanding of the reporting requirements and have agreed on a methodology for accumulating and analyzing compliance statistics.

(U) The OIG continues to exercise oversight of Agency intelligence activities.

DR. GEORGE ELLARD
Inspector General

Copy Furnished:
The Honorable Dianne Feinstein
Chairman, Select Committee on Intelligence

NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE
FORT GEORGE G. MEADE, MARYLAND 20755-6000
19 November 2010

The Honorable Silvestre Reyes
Chairman, Permanent Select Committee on Intelligence
United States House of Representatives
H405, The Capitol
Washington, DC 20515

Dear Representative Reyes:

(U//FOUO) The Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 (FAA) authorizes the National Security Agency/Central Security Service Office of the Inspector General (OIG) to assess the Agency's compliance with procedures for targeting certain persons outside the United States, other than U.S. persons. My office reviews the collection, processing, and reporting of data at least quarterly. Incidents involving compliance with procedures for targeting certain persons outside the United States, other than U.S. persons, and incidents involving minimization of U.S. person information are reported to the OIG as they occur and quarterly. Each incident is evaluated against the targeting and minimization procedures set forth in the FAA and in NSA/CSS directives. This report covers the period 1 September 2009 through 31 August 2010.
In compliance with the targeting and minimization procedures of §702 of the FAA, NSA/CSS disseminated [redacted] intelligence reports based on FAA §702 authority. Of the [redacted] disseminations, [redacted] reports contained a reference to a U.S. person identity. In addition, NSA/CSS released [redacted] U.S. identities in response to [redacted] customer requests. The total of [redacted] is an aggregate of FAA-derived identities because the tracking system did not discriminate between FAA sections until 26 [illegible] 2009. [(b)(3)-P.L. 86-36]

During this reporting period, [redacted] foreign targets reasonably believed to be located outside the United States at the time of tasking were later suspected or confirmed to be in the United States. In many instances, NSA/CSS targeted selectors that at the time of targeting were confirmed to be located [redacted]. In some cases, compliance incidents occurred under circumstances such as:

- (U//FOUO) Target selectors were tasked under an incorrect §702 certification category.
- (U//FOUO) Targets were tasked before §702 certification was approved.
- (U//FOUO) Software malfunctions caused unintended collection.
- (U//FOUO) Database queries were poorly constructed.
- (U//FOUO) There were delays in implementing minimization procedures and in purging unauthorized collection.
[(b)(1); (b)(3)-P.L. 86-36; (b)(3)-18 USC 798; (b)(3)-50 USC 3024(i)]

Derived From: Classification Guide 2-48; Dated: 20090804; Declassify On: [illegible]
Approved for Release by NSA on 11-10-2015. FOIA Case 80120 (litigation)
DOCID: 4248822

(U) Action was taken to correct any mistakes, and processes were reviewed and adjusted to reduce the risk of unauthorized acquisition and improper retention of U.S. person communications. The OIG continues to exercise oversight of Agency intelligence activities.
[signature]
Inspector General

Copy Furnished:
The Honorable Peter Hoekstra
Ranking Member, Permanent Select Committee on Intelligence

DOCID: 4248832
OFFICE OF THE INSPECTOR GENERAL
NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE
7 April 2008
IG-10919-08

TO: DISTRIBUTION
SUBJECT: (U) Report on the Assessment of Management Controls to Implement the Protect America Act of 2007 (ST-08-0001) - MEMORANDUM

1. This report summarizes our Assessment of Management Controls to Implement the Protect America Act of 2007 and incorporates management's response to the draft report.

2. As required by NSA/CSS Policy 1-60, NSA/CSS Office of the Inspector General, actions on OIG recommendations are subject to monitoring and follow-up until completion. Therefore, we ask that you provide a written status report concerning each planned corrective action categorized as "OPEN." If you propose that a recommendation be considered closed, please provide sufficient information to show that actions have been taken to correct the deficiency. If a planned action will not be completed by the original target completion date, please state the reason for the delay and provide a new target completion date. Status reports should be sent to [redacted], Assistant Inspector General for Follow-up, at OPS 2B, Suite 6247, within 15 calendar days after each target completion date.

3. We appreciate the courtesy and cooperation extended to the auditors throughout the review. For additional information, please contact [redacted] on 963-2988 or via e-mail at [redacted]. [(b)(3)-P.L. 86-36]

George Ellard
Inspector General

Approved for Release by NSA on 11-10-2015. FOIA Case #80120 (litigation)

DISTRIBUTION: DIR; D/DIR; GC; Signals Intelligence Director; Chief, SID PPAS; Chief, SV; SID/OC IG Liaison, SV; Chief, S2; Chief, S3; Chief, S33; Chief, S332
CC: IG; D12; D13; D14

(U) EXECUTIVE SUMMARY

(U) OVERVIEW

NSA has implemented procedures to comply with the provisions of the Protect America Act of 2007 (PAA), which modified the Foreign Intelligence Surveillance Act and was signed into law on 5 August 2007. To protect the privacy rights of persons, the new legislation required NSA to implement and follow procedures established by the Director, NSA to ensure its adherence to three requirements: that targets are located overseas, that the foreign intelligence purpose is significant, and that personnel follow applicable minimization procedures. In general, management controls to comply with PAA requirements are adequate. Specific controls to determine that targets are located overseas are especially strong.

Made necessary by the technology changes that have occurred since the FISA was drafted in 1978, "FISA modernization" was intended to restore the effectiveness of the Act by eliminating the requirement for NSA to obtain court orders for monitoring the communications of persons physically located outside of the United States. Although the PAA expired in February 2008, NSA collection permitted under its provisions will continue for up to another year.

(U) HIGHLIGHTS

The Office of the Inspector General assessed procedures established by DIRNSA to ensure compliance with the three PAA requirements. Management concurred with the recommendations.

(U) NSA immediately implemented DIRNSA-directed procedures on compliance with the PAA. Management controls to determine that targets are located overseas are particularly strong.

(U//FOUO) PAA tasking needs additional controls. Though current controls provide reasonable assurance of compliance with the PAA, additional controls are needed to verify that only authorized selectors are on collection and that information acquired through the use of selectors is related to the expected foreign intelligence targets.

(U//FOUO) More rigorous controls will increase the reliability of [redacted] for PAA compliance.
While existing [redacted] are excellent preventive and detective controls, current methodologies are not rigorous enough to draw valid conclusions about the entire population. [(b)(3)-P.L. 86-36]

(U) TABLE OF CONTENTS

(U) EXECUTIVE SUMMARY ... i
(U) TABLE OF CONTENTS ... iii
I. (U) BACKGROUND ... 1
II. (U) FINDING ... 3
(U) SUMMARY OF RECOMMENDATIONS ... 11
(U) ACRONYMS AND [illegible] ... 13
APPENDIX A - (U) About the Review
APPENDIX B - (U) Assessment of Management Controls
APPENDIX C - (U) Full Text of Management Comments

I. (U) BACKGROUND

(U) The Protect America Act of 2007

On 5 August 2007, the President signed into law the Protect America Act of 2007. The PAA, which expired on 16 February 2008, amended the Foreign Intelligence Surveillance Act of 1978. Specifically, the PAA authorized the Attorney General and Director of National Intelligence to approve, without a court order, the collection of foreign intelligence information from facilities located inside the United States concerning persons reasonably believed to be located outside the United States, subject to certain criteria. As of 31 March 2008, NSA had approximately [redacted] Internet selectors and [redacted] telephony selectors on PAA-authorized collection. From the passage of the PAA through 31 March 2008, NSA had issued [redacted] reports that included PAA-derived intelligence.

(U) Requirements of the PAA

The objective of our review was to assess the adequacy of management controls to implement and ensure compliance with three requirements of the PAA related to NSA operations:

- Foreignness. Selectors on PAA collection must concern "persons reasonably believed to be located outside of the United States." [(b)(3)-P.L. 86-36]
- Foreign Intelligence Purpose. A significant purpose of the collection is to obtain foreign intelligence information.
- Minimization Procedures. NSA personnel must follow appropriate minimization procedures.
At the time of our review, the AG and DNI had issued [redacted] separate certifications that authorize NSA to acquire foreign intelligence information of certain targets: [redacted] reasonable belief that a target is located outside of the United States based on one or more pre-determined factors. [(b)(1); (b)(3)-P.L. 86-36]

These certifications were based on representations made by the Director of NSA (DIRNSA) in affidavits that detail the management controls and procedures that NSA will follow.

(U) Standards of Internal Control

We assessed management controls against the General Accounting Office's Standards for Internal Control in the Federal Government, November 1999, which presents the five standards that define the minimum level of quality acceptable for management control in government: Control Environment, Risk Assessment, Control Activities, Information and Communications, and Monitoring. Internal control, or management control, comprises the plans, methods, and procedures used to meet missions, goals, and objectives. It provides reasonable assurance that an entity is effective and efficient in its operations, reliable in its reporting, and compliant with applicable laws and regulations. NSA/CSS Policy 7-3, Internal Control Program, advises that evaluations of internal control should consider the requirements outlined by the Standards. The Office of the Inspector General uses the Standards as the basis against which management control is evaluated.

II. (U) FINDING

Since the PAA was passed in August 2007, Agency management has made progress in implementing the PAA and establishing management controls that are crucial to ensuring compliance with the PAA. NSA implemented all the procedures delineated by DIRNSA in the affidavits to the certifications. The controls implemented to verify that selectors tasked under the PAA are for targets located outside of the United States are particularly strong.
Nevertheless, work remains to implement additional controls to:

- Verify that authorized selectors, and only those selectors, are on collection.
- Verify that [redacted] routinely review intercepted data and confirm that information acquired is related to the expected foreign intelligence targets.
- (U) Improve the validity and reliability of various [redacted] of PAA compliance by Agency management.
- (U) Improve targeter understanding of the PAA.
[(b)(1); (b)(3)-P.L. 86-36]

(U) Assessment details are included in Appendix B.

(U) NSA immediately implemented procedures on compliance with the PAA

Within weeks of the PAA enactment, NSA implemented the procedures that DIRNSA delineated in the affidavits and built on those procedures to establish rigorous processes to ensure compliance with the three requirements of the PAA. Management controls to determine and document foreignness were particularly strong. Controls covering foreign intelligence purpose and compliance with minimization procedures were also adequate. Some examples of NSA's accomplishments to date are:

- The PAA Implementation Team was established to coordinate all aspects of PAA implementation. Components of the team include internal and external communications, collection and data flows, mission operations, and policy and oversight.
- Telephony and Internet selector tasking systems were updated to allow [redacted] to document the foreignness determination. Also, controls were programmed into tasking systems to ensure that required information is documented and is appropriate to AG/DNI certification targets.
- Within weeks of PAA passage, the Signals Intelligence Directorate Oversight & Compliance (O&C) office, with the Office of General Counsel and the Associate Directorate for Education and Training, had developed interim training that included a briefing by an OGC attorney and a competency test. On January 9, 2008, O&C deployed new and improved training.
- Agency management developed and published standard operating procedures,
including procedures for training and raw traffic access, tasking, and incident reporting that will ensure consistent application of the PAA.
- A PAA web site was established to provide the NSA workforce with consistent, reliable, and timely information. From a single location, target analysts can read communications from NSA leadership, access certification-related documents, and view PAA-related standard operating procedures.
- The PAA Procedures and Analytic Support (PPAS) team runs various processes to ensure compliance with the PAA. Specifically, PPAS personnel conduct [redacted] foreignness checks of current targeting and notify target analysts of potential changes to a target's status. They also perform various [redacted] for compliance with other requirements and guide target analysts through the targeting and tasking processes.

(U) PAA tasking needs additional controls

Although NSA implemented a series of controls to provide reasonable assurance that target analysts task only authorized selectors (selectors that meet the foreignness and foreign intelligence purpose requirements), additional controls are needed to verify that only authorized selectors are on collection and that tasked selectors are producing foreign intelligence of the expected [redacted].

Controls are needed to verify that [redacted] selectors, and only those selectors, are on collection

With the telephony tasking system, and to some extent the [redacted] tasking system, [redacted] a [illegible] of discrepancies [redacted]. Ultimately, discrepancies might result in over-collection (selectors that are on collection that should not be) and incidents of under-collection (selectors that are not on collection but should be). Periodic reconciliation of authorized [redacted] and provider records is critical to identify and resolve discrepancies and minimize violations and incidents. At the time of our review, NSA had not fully reconciled Agency [redacted] tasked selectors. Although Collection Managers prepared draft reconciliation procedures, the procedures were manual.
(U//FOUO) Recommendation 1: Implement a process that routinely reconciles PAA-tasked selectors [redacted] with the providers. (ACTION: S332)

(U) Management Response: [redacted]
Status: OPEN. Target Completion Date: 15 May 2008.

(U) OIG Comment: Planned and ongoing actions meet the intent of the recommendation.

Controls are needed to validate that target analysts routinely confirm that information acquired through the use of selectors is related to the expected foreign intelligence targets

PAA Standard Operating Procedures #2-07, Analyst Checklist, obligates target analysts to periodically review intercepted data and confirm that the tasked selector is producing foreign intelligence from the expected target, which is authorized under the [redacted]. A supplementary SOP on the obligation to review was in draft. Additional controls are needed to monitor compliance with this requirement to ensure that unintended persons are not mistakenly targeted.

(U//FOUO) Recommendation 2: Implement controls to verify that target analysts routinely review intercepted data and confirm that information acquired through the use of selectors is related to the expected foreign intelligence targets. (ACTION: Chief, S2 with O&C)

In December 2007, Analysis and Production personnel said they are considering an automated report that will determine whether target analysts query, and therefore review, communications in the collection databases. Although such a report is technically feasible, its usefulness as a management control remains uncertain.

(U) Management Response: CONCUR. The Deputy Director for Analysis and Production is working with O&C to establish formal controls to verify that target analysts routinely review both telephony and internet-based collection. The system currently being devised will [redacted].
Status: OPEN. Target Completion Date: 30 June 2008.

(U) OIG Comment: Planned action meets the intent of the recommendation.

(U) More rigorous methodology will improve the reliability of spot checks

(U//FOUO) As shown in Appendix B, NSA is conducting, or plans to conduct, [redacted]
that are important to ensure compliance with the requirements of the PAA. Specifically:

- The PPAS team is conducting [redacted] of foreignness determinations (with limited checks of foreign intelligence purpose) of selectors tasked under the PAA.
- The SID O&C reviews selectors pulled for AG/DNI reviews and is working on plans to conduct [redacted] of targeting decisions that will complement AG/DNI reviews without being redundant.
- O&C conducts superaudit reviews of queries in raw traffic databases to ensure compliance with the appropriate certification and minimization procedures.
- (U//FOUO) O&C conducts reviews of all reports generated by PAA collection to ensure adherence to NSA policy and standard minimization procedures.

While such checks are excellent preventive and [illegible] controls, neither organization had documented its procedures or considered using quality assurance and statistical sampling techniques that would strengthen the reliability of the results. In particular, neither organization had documented formal methodologies that specified the universe, population, sample size, and means of selecting items for review. The bases for sample sizes were unstructured and sample item selections were judgmental rather than truly random.[2] Sampling results were therefore not rigorous enough to draw valid conclusions about the entire population.

Integration of statistical sampling or quality assurance techniques into existing and planned methodologies will not only increase the validity and usefulness of the [redacted] but will likely decrease the frequency, time, and effort needed to conduct them. In short, well-planned methodologies will improve the reliability and efficiency of these important controls.

[2] For a sample to represent a population, all items should have an equal probability of selection. Only samples that are truly random (e.g., by using a random number table to select items) are representative of the population.
Samples based on haphazard or judgmental methods may be biased and are unlikely to be representative of the population.

(U//FOUO) Recommendation 3: Develop and document rigorous methodologies for conducting [redacted] of PAA compliance. (ACTION: Chief, O&C and Chief, PPAS)

(U//FOUO) In January 2008, the Chief, O&C stated that both O&C and PPAS are working on more rigorous methodologies.

(U) Management Response: CONCUR. Management stated that O&C is documenting methodologies and procedures for conducting [redacted]. The management response did not include planned corrective actions for [redacted].
Status: OPEN. Target Completion Date: 2 May 2008.

(U) OIG Comment: (U) Planned action meets the intent of the recommendation for [redacted]. Planned action for PPAS remains unresolved.

(U) Target analysts need greater understanding of the PAA

As shown in Appendix B, NSA has made significant progress in implementing a critical management control, training and awareness. Agency-wide e-mails, workforce presentations, a PAA-dedicated web site, and interim training are used to communicate with the NSA workforce. Improved training will further highlight aspects of the PAA authority most relevant to target analysts. However, two additional improvements are needed to provide target analysts the tools and guidance they need to implement the PAA.

(U) Working Aid or Quick Reference on NSA Authorities

Given the increasingly complex and dynamic web of authorities under which NSA operates, target analysts are at risk of misunderstanding the PAA authorities. Although existing training and awareness provides details on the PAA, [redacted] might still be confused about how it differs from other NSA authorities. A working aid or quick reference that compares the basic elements and requirements of various authorities, with links to the authorities themselves, will help [redacted] navigate through the many documents and legalese and reduce the risk of violations. Such guidelines and working aids should be available to employees at all times.
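Two of the controls the report discusses, reconciling tasked selectors against provider collection records (Recommendation 1, flagging over-collection, under-collection and certification mismatches) and selecting items for spot checks with equal probability rather than judgmentally (Recommendation 3), written out as an added example that is not part of the report or of any NSA system; the selector names, certification labels and provider records are constructed, and the data model is an assumption made for illustration:

```python
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample data: hypothetical selector names and certification
# labels, not values taken from the report.


@dataclass(frozen=True)
class TaskedSelector:
    """A selector authorized in the tasking system."""
    selector: str
    certification: str  # certification the selector was tasked under


@dataclass(frozen=True)
class ProviderRecord:
    """A selector that a provider reports as currently on collection."""
    selector: str
    certification: str


SAMPLE_TASKED = [
    TaskedSelector("selector-A", "CERT-1"),
    TaskedSelector("selector-B", "CERT-1"),
    TaskedSelector("selector-C", "CERT-2"),
]
SAMPLE_ON_COLLECTION = [
    ProviderRecord("selector-A", "CERT-1"),  # authorized and on collection
    ProviderRecord("selector-B", "CERT-2"),  # on collection under the wrong certification
    ProviderRecord("selector-D", "CERT-1"),  # on collection but never authorized
    # selector-C is authorized but absent from provider records (under-collection)
]


def reconcile(tasked: Iterable[TaskedSelector],
              on_collection: Iterable[ProviderRecord]) -> Dict[str, List[str]]:
    """Reconcile authorized tasked selectors against provider collection records.

    over_collection:  on collection at a provider but not in the authorized list
    under_collection: authorized but not on collection at any provider
    cert_mismatch:    on collection, but under a certification other than the tasked one
    """
    tasked_by_sel = {t.selector: t for t in tasked}
    collected_by_sel: Dict[str, List[ProviderRecord]] = {}
    for rec in on_collection:
        collected_by_sel.setdefault(rec.selector, []).append(rec)

    over = sorted(s for s in collected_by_sel if s not in tasked_by_sel)
    under = sorted(s for s in tasked_by_sel if s not in collected_by_sel)
    mismatch = sorted(
        s for s, recs in collected_by_sel.items()
        if s in tasked_by_sel
        and any(r.certification != tasked_by_sel[s].certification for r in recs)
    )
    return {"over_collection": over, "under_collection": under, "cert_mismatch": mismatch}


def random_sample(population: Iterable[str], sample_size: int, seed: int) -> List[str]:
    """Draw a simple random sample: every item has an equal chance of selection.

    Sorting the population first and seeding the generator makes the draw
    reproducible, so a later reviewer can confirm which items the documented
    methodology would have selected.
    """
    items = sorted(set(population))
    if sample_size > len(items):
        raise ValueError("sample size exceeds population")
    return sorted(random.Random(seed).sample(items, sample_size))


if __name__ == "__main__":
    for kind, selectors in reconcile(SAMPLE_TASKED, SAMPLE_ON_COLLECTION).items():
        print(f"{kind}: {selectors}")
    print("spot-check sample:",
          random_sample([t.selector for t in SAMPLE_TASKED], 2, seed=42))
```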
(weasel Publish and maintain a working aid that compares key requirements for SIGINT collection. processing, retention. and dissemination authorized by E.O. 12333 with requirements of other significant additional authorities, for example the PM and FISA. In the working aid. provide links to the authorizing documents. 0&0 with 060) lUff-F?BHGi?The Chief. 0&0. stated that planning has begun to develop a course that will include an overview and explanation of NSA's authorities. when to use them. what needs to be done to acquire them. and what the handling and minimization procedures are for each. If a working aid becomes an element of such training. we recommend that it be made available to the workforce as soon as possible rather than be tied exclusively to the training course. (U) Management Response CONCUR. Management stated that 0&(3 levied a requirement for the Aesodate Directorate for Education and Training to develop an ovenrlew course of surveillance authorities. Course development is well underway and includes a requirement for a job aid. Status: OPEN Target Completion Date: 25 April 2008 (U) Comment (U) Planned action meets the intent of the recommendation. (U) Communicating FAA-related Guidance (bii1l (bun-Pl. 35.35 137733 Not surprisingly. certain overarching questions on how to apply and comply with the PM surfaced during our review. For example. target expressed their 33an on and purging communications of targe the United States. However. no mechanism was in place to keep the informed of what to do while 0&0 consulted with OGC and developed the needed guidance. For example, by the end of our review. OGC had issued guidance in an e-mail to who subsequently decided that PPAS. rather than the target analysis. would purge collection for PM incidents: but. existing procedures 9 melon?wastes 32 mm were not updated to re?ect this change. As NSA personnel continue to apply the PM. more questions and uncertainties will inevitably emerge. To minimize mn?ision. 
a process is needed to vet, communicate, and post PAA guidance as a reference until it can be incorporated into more formal policy or SOPs, if needed.

(U//FOUO) Recommendation 5: Implement a process to vet, communicate, and post PAA guidance until it can be incorporated into policy or SOPs. (ACTION: O&C)

(U) Management Response: CONCUR. (U//FOUO) Management stated that O&C would work with the OIG, OGC, SID Policy, and the PAA Legal/Policy/Oversight Team to document the process for vetting, communicating, and posting PAA guidance.
Status: OPEN. Target Completion Date: 2 May 2008.

(U) OIG Comment: Planned action meets the intent of the recommendation.

(U) Conclusion

Within a short time, NSA has made considerable progress in setting up the needed training, policies, processes, procedures, systems, and [redacted] to ensure compliance with the PAA. Our recommendations strengthen the planned or implemented management controls, and NSA has already taken steps to address many of our concerns. As Congress continues to debate a long-term solution to the collection gaps that exist in FISA, the controls that NSA has in place set a solid foundation that will accommodate any law that supersedes the PAA. For this review, we did not conduct the full range of compliance and substantive testing needed to draw conclusions on the efficacy of management controls. We plan to complete such testing in a follow-on review.

(U) SUMMARY OF RECOMMENDATIONS

(U) Recommendation 1
(U//FOUO) Implement a process that routinely reconciles PAA-tasked selectors [redacted].
(U) Action: S3/S332
(U) Status: OPEN
(U) Target Completion Date: 15 May 2008

(U) Recommendation 2
(U//FOUO) Implement controls to verify that target analysts routinely review intercepted data and confirm that information acquired through the use of selectors is related to the expected foreign intelligence targets.
(U) Action: SID/S2
(U) Status: OPEN
(U) Target Completion Date: 30 June 2008

(U) Recommendation 3
(U//FOUO) Develop and document rigorous methodologies for conducting [redacted] of PAA compliance.
(U) Action: O&C and PPAS
(U) Status: OPEN
(U) Target Completion Date: 2 May 2008

(U) Recommendation 4
(U//FOUO) Publish and maintain a working aid that compares key requirements for collection, processing, retention, and dissemination authorized by E.O. 12333 with requirements of other significant additional authorities, for example the PAA and FISA. In the working aid, provide links to the authorizing documents.
(U) Action: O&C with D/OGC
(U) Status: OPEN
(U) Target Completion Date: 25 April 2008

(U) Recommendation 5
(U//FOUO) Implement a process to vet, communicate, and post PAA guidance until it can be incorporated into policy or SOPs.
(U) Action: O&C
(U) Status: OPEN
(U) Target Completion Date: 2 May 2008

(U) ACRONYMS AND ABBREVIATIONS

AG: (U) Attorney General
DIRNSA: (U) Director, National Security Agency
DNI: (U) Director of National Intelligence
FISA: (U) Foreign Intelligence Surveillance Act
O&C: (U) Oversight & Compliance
OIG: (U) Office of the Inspector General
PAA: (U) Protect America Act
PPAS: (U) PAA Procedures and Analytic Support
OGC: (U) Office of General Counsel
SID: (U) Signals Intelligence Directorate

(U) APPENDIX A: About the Review

(U) ABOUT THE REVIEW

(U) Objectives

The objective of this review was to assess whether management controls are adequate to provide reasonable assurance that NSA complies with the terms of the PAA. In particular, our review assessed the adequacy of controls on the three PAA requirements:

- Foreignness. Selectors on PAA collection must concern "persons reasonably believed to be located outside of the United States."
- Foreign Intelligence Purpose. A significant purpose of the collection is to obtain foreign intelligence information.
- Minimization Procedures. NSA personnel must follow appropriate minimization procedures.

(U) Scope and Methodology

The review was conducted from September 14, 2007 to November 30, 2007. We interviewed Agency personnel and reviewed documentation to satisfy the review objectives. We did not conduct a full range of compliance or substantive testing that would allow us to draw conclusions on the efficacy of management controls. Our assessment was limited to the overall adequacy of management controls. This review was conducted in accordance with generally accepted government auditing standards, as set forth by the Comptroller General of the United States and implemented by the audit manuals of the DoD and NSA/CSS Inspectors General.

(U) Prior Coverage

The OIG has conducted no prior coverage of implementation of the PAA.

(U) APPENDIX B: Assessment of Management Controls

(U) ASSESSMENT OF MANAGEMENT CONTROLS

Many of the internal control requirements were established by the Affidavit of DIRNSA submitted for each Certification, Exhibit A to the Affidavit, and Exhibit B to the Affidavit. Exhibit A is common to each of the three AG/DNI certifications issued at the time of the review and establishes the procedures used to determine the foreignness of a target. Exhibit B for each affidavit contains the procedures to be used for information collected under the related Certification; these procedures are unique to each Certification. In addition to the control requirements established by the affidavits and exhibits, the Standards for Internal Control in the Federal Government provides a general framework of controls that should be [illegible] into daily operations.

The assessment is presented in the original as a table with the columns Assessment, Control Objective, Source, Description, and [illegible]. Only parts of the scanned table are legible; the recoverable entries follow, grouped by control area.
Foreignness

- A tasking analyst must review tasking submitted by a target analyst for a second-level review. If the target analyst and the tasking analyst are the same person, a tasking auditor must perform the second-level review.
- [illegible] target analysts tasking under the PAA and analysts [illegible] information collected under the PAA [illegible].
- Source: Exhibit A. To [illegible] the controls for foreignness [illegible] that analysts [illegible] when tasking under the PAA. The Analyst Checklist states that "the target analyst must [illegible] each [illegible] and document [illegible]." The Checklist further describes the "foreignness" documentation.
- PPAS personnel support [illegible] reviews of PAA targeting decisions. So far, they have not formally reported any [illegible] to NSA.
- AG and DNI conducted [illegible] independent reviews as mandated in Exhibit A. The initial review was conducted [illegible] days after the certification was signed, and [illegible] 30 days thereafter. O&C and [illegible] track resolution of feedback and issues raised by the AG/DNI team during [illegible].
- O&C is developing [illegible] of targeting decisions independent of the tasking [illegible] that will complement AG/DNI reviews without being redundant. See Recommendation 3.
- The PPAS team does limited checks for [illegible]. PPAS does not have a documented methodology for conducting the [illegible]. See Recommendation 3.

Foreign Intelligence Purpose

- Control objective: [illegible] whether each of the persons targeted for collection pursuant to [illegible] is likely to communicate information [illegible]. Source: Affidavit.
- The Analyst Checklist includes steps that analysts must follow to determine under which certification the target can be tasked [illegible]. Information entered [illegible] must also be documented in the tasking tools.
- The Analyst Checklist requires [illegible] to routinely review [illegible] from the tasked targets. A SOP is [illegible] to provide full instructions on analysts' [illegible] obligation. In addition to the SOP, O&C should develop controls to ensure analysts are conducting [illegible]. See Recommendation 2.
- Routine audits of queries of raw traffic databases are performed to validate that the queries will likely produce foreign intelligence information.

Minimization Procedures

- NSA will follow the Standard Minimization Procedures for Electronic Surveillance [illegible] promulgated [illegible]. Standard minimization procedures have been [illegible] United States Signals Intelligence Directive (USSID) 18 [illegible]; the [illegible] version of USSID 18 [illegible] 1993 [illegible] a prior [illegible] in 1980. The policies and procedures prescribed by USSID 18 are adopted by the Attorney General and are well-established and well-known to analysts. Also, analysts with raw SIGINT access [illegible] take USSID 18 briefings every two years [illegible] database access.
- [illegible] PAA training has been implemented and [illegible] the differences between USSID 18 and the [illegible] for each certification. A working aid [illegible] would help [illegible] distinguish between authorities and their related procedures. See Recommendation 4.
- Source: Exhibit A. The PPAS team and SID O&C [illegible] compliance with reporting [illegible] and with minimization [illegible] for published reports. However, O&C has not documented procedures or a methodology for such reviews. See Recommendation 3.

General Controls: Information and Communications (Source: Standards)

- An intranet web site has been created [illegible] to management and others for internal [illegible] communication of PAA-related information to the NSA workforce [illegible]. From one location, analysts can carry out their [illegible] and access, among other items, PAA SOPs, DIRNSA affidavits and related [illegible] responsibilities, [illegible] PAA communications from NSA leadership, and PAA Help Team contact information.
- [illegible] Agency-wide e-mails and presentations. [illegible] Standard operating procedures have been [illegible], including Incident Reporting [illegible].
- Interim guidance [illegible] on applying [illegible]. Questions [illegible] answered by e-mail [illegible] had not been updated to reflect [illegible]. See Recommendation 5.
- The PPAS Team [illegible] by guiding [illegible].

General Controls: Training (Source: Exhibit A)

- O&C and OGC delivered training that required watching a [illegible] briefing from OGC, reading the certifications and related [illegible], with a [illegible] test.
- O&C has made improvements to the training based on feedback from the initial course. The updated training clarifies key points for [illegible] and draws distinctions between the PAA and other NSA authorities.
- [illegible] Training has been developed and published [illegible]. See Recommendation 4.

General Controls: Monitoring

- Source: Standards. [illegible] the quality of performance [illegible] for [illegible] system to ensure it includes controls to be performed to detect potential over-[illegible] [illegible] regular [illegible] and [illegible]. Although collection managers prepared draft [illegible] procedures, the [illegible] were [illegible]. See Recommendation 1.
- Source: Exhibit A. O&C conducts superaudits of queries for USSID 18 compliance. O&C will conduct superaudits of queries made to PAA data [illegible] in accordance with the appropriate certifications and USSID 18. See Recommendation 3.

(U) APPENDIX C: Full Text of Management Comments

NSA STAFF PROCESSING FORM
SUBJECT: (U//FOUO) SID Response to OIG Draft Report on the Assessment of Management Controls to Implement the Protect America Act of 2007

DISTRIBUTION: SID, SV, S2, S3, [illegible]

PURPOSE: (U//FOUO) To provide the SID response on the OIG Draft Report on the Assessment of Management Controls to Implement the Protect America Act (PAA) of 2007 (ST-08-0001).

BACKGROUND: The OIG performed an assessment of the procedures established by the Director NSA (DIRNSA) to ensure NSA's adherence to three PAA requirements: that targets are located overseas, that the foreign intelligence purpose is significant, and that personnel follow applicable minimization procedures. The OIG draft report was published on 31 January 2008 and provides a complete summary of the assessment. The SIGINT Directorate (SID) was tasked to review and comment on the OIG Draft Report.

DISCUSSION: The Office of Oversight & Compliance (SV), the SID Directorate for Analysis & Production (S2), and the SID Directorate for Data Acquisition (S3) have reviewed and concurred with the recommendations in the OIG Draft Report. These organizations have responded with detailed plans of action, to include their expected target completion dates.

Coordination: [names redacted] 11 Mar 08; 12 Mar 08; PAA Team, Mar 08. SID IG liaison, SV, 17 March 2008.
(U//FOUO) SID RESPONSE to the OIG Draft Report on the Assessment of Management Controls to Implement the Protect America Act (PAA)

Recommendation 1: Implement a process to routinely reconcile PAA-tasked selectors [redacted]. (ACTION: Chief, [redacted])
(U) SID ACTION: S3/Chief, S332
SID Response (March 2008): [redacted] (S332) concurs with the OIG Draft Report and Recommendation 1 and provides the following description of planned corrective actions and a target completion date. [redacted]
(U//FOUO) The Target Completion Date for S3 to implement [redacted] process is 15 May 2008.
(U//FOUO) SID POC: [redacted] (S332), 963-4330.

Recommendation 2: Implement controls to verify that target analysts routinely review intercepted data and confirm that tasked selectors are producing foreign intelligence from the expected targets. (ACTION: Chief, S2)
(U) SID ACTION: DDAP (Chief, S2)
SID Response (March 2008): The Deputy Director for Analysis & Production (DDAP) will continue to work with Oversight & Compliance (SV) to formally establish the requested controls. The current [redacted] being devised will cover both DNI and telephony. [redacted] The system should [redacted].
(U) The Target Completion Date for official implementation of these procedures is 30 June 2008.
SID POC: [redacted], 963-1361.

Recommendation 3: Develop and document rigorous methodologies for conducting [redacted] of PAA compliance. (ACTION: Chief, O&C and Chief, PPAS)
SID Response (March 2008): (U//FOUO) Oversight and Compliance (SV) concurs with this recommendation [redacted]. Oversight and Compliance is currently documenting the methodologies and procedures for conducting [redacted] targeting decisions, intelligence disseminations, and queries in data repositories to ensure compliance with established procedures and in accordance with Exhibits A [redacted] under the [redacted] certifications.
[redacted] is conducting [redacted] of disseminations by reviewing 100% of all reports [redacted] against [redacted]. All query terms are reviewed to ensure that there are no terms that will inherently return U.S. entity communications. These procedures will be documented. Finally, Oversight and Compliance is working with DOJ and ODNI attorneys in every review of all targeting decisions. Procedures for these reviews will also be documented. It should be noted that these procedures may change pending the passage of permanent legislation.
(U) The Target Completion Date for the documentation of the methodologies and procedures is 2 May 2008.
SID POC: [redacted], NSTS: 963-0363.

Recommendation 4: Issue and maintain an up-to-date working aid or quick reference that compares key elements and requirements of, and links to, various authorities. (ACTION: O&C with OGC)
(U) SID ACTION: O&C (SV)
SID Response (March 2008): SV concurs with this recommendation. Prior to receiving this recommendation, Oversight and Compliance (O&C) had already levied a requirement with ADET in October 2007 to develop an overview course of NSA's surveillance authorities. The Training Control Document for this course was completed on [redacted] 2008 and includes a requirement for a job aid to fulfill this recommendation. The development of the course is well underway. Details of the course are available upon request. It should be noted that some course content may change pending the passage of permanent legislation.
(U) The Target Completion Date for the course and the job aid is 25 April 2008.
(U//FOUO) SID POC: [redacted] (SV3), NSTS: 966-4387; [redacted], FISA Technical Lead, SV09, NSTS: 963-8168.

Recommendation 5: (U//FOUO) Implement a process to vet, communicate, and post PAA guidance until it can be incorporated into policy or SOPs. (ACTION: [redacted])
(U) SID ACTION: O&C (SV)
SID Response (March 2008): SV concurs with this recommendation.
(U//FOUO) Immediately after the temporary PAA legislation was passed, SID established a PAA implementation team, which consisted of [redacted] sub-teams that included the following: [redacted] and a Legal/Policy/Oversight (LPO) team. The LPO team, led by the Chief of Oversight and Compliance (SV), has been meeting periodically since August 2007 to [redacted] and develop guidance related to PAA implementation. The team has promulgated SOPs and is in the process of developing [redacted]. These SOPs are posted on the PAA and O&C websites. In addition, members of the LPO team (which includes SID Policy, OGC, S2, and S3 members) participate in the almost daily PAA team lead sessions where additional information is discussed, to include the need for further guidance. Although this recommendation is somewhat vague in terms of expected deliverables, Oversight and Compliance will work with the OIG Office, OGC, SID Policy, and the LPO team to document the process for vetting, communicating, and posting PAA guidance. It should be noted that some guidance may change pending passage of permanent legislation.
(U) The Target Completion Date for documenting the process is 2 May 2008.
SID POC: [redacted], Chief, Oversight and Compliance (SV), NSTS: 966-2479.

DOCID: 4248833

NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE
OFFICE OF THE INSPECTOR GENERAL
9800 Savage Road, OPS 2B, Suite 6247
Ft. George G. Meade, MD 20755-6247

December 2014

The Honorable Dianne Feinstein
Chairman, Select Committee on Intelligence
United States Senate
211 Hart Senate Office Building
Washington, DC 20510

Dear Madame Chairman:

(U) Section 702(l)(2) of the Foreign Intelligence Surveillance Act (FISA) of 1978, as amended by the FISA Amendments Act (FAA), authorizes the National Security Agency/Central Security Service (NSA/CSS) Office of the Inspector General (OIG) to assess the Agency's compliance with procedures for targeting non-U.S. persons reasonably believed to be located outside the United States.
My Office reviews incidents involving compliance with procedures for targeting non-U.S. persons reasonably believed to be located outside the United States and incidents involving minimization of U.S. person information as they are reported to the OIG and quarterly. Each incident is evaluated by NSA against the targeting and minimization procedures adopted by the Attorney General, in consultation with the Director of National Intelligence, and approved by the Foreign Intelligence Surveillance Court. This letter covers the 12-month period ending 31 August 2014.

During the reporting period, the OIG performed two special studies of the FAA program: [redacted] and the Implementation of Section 702 of the FISA Amendments Act of 2008 [redacted]. The second study, requested by members of the U.S. Senate Judiciary Committee and scheduled to be published in January 2015, documents implementation of the FAA §702 authority, the controls used to protect U.S. person privacy, past incidents of non-compliance, and use of FAA §702 data to support intelligence missions.

In compliance with the FAA §702 targeting and minimization procedures, [redacted] intelligence reports were disseminated by [redacted] based on signals intelligence derived in whole or in part from FAA §702 authorized collection.[1] Of the [redacted] disseminated reports, [redacted] contained one or more references to U.S. persons. [redacted] released [redacted] U.S. person identities in response to customer requests for U.S. person identities not referred to by name or title in the original reporting.[2] The majority of these requests were received from elements of the United States Intelligence Community and federal law enforcement agencies.

Approved for Release by NSA on 11-11-2015. Case 80120 (litigation)

During this reporting period, NSA determined that,
on [redacted] occasions, selectors belonging to non-U.S. persons reasonably believed to be located outside the United States at the time of tasking were later suspected or confirmed to have been [redacted]. [redacted] the Department of Justice (DoJ) filed with the FISC a preliminary notice of a compliance incident that advised the Court that [redacted].

As explained in the OIG's quarterly report to the President's Intelligence Oversight Board on NSA activities, compliance incidents occurred under such circumstances as:

- Tasked selector not meeting the requirements of the certification,
- System errors resulting in improper storage or access,
- Delayed detasking of targets identified as U.S. persons [redacted],
- Dissemination errors,
- Poor construction of database queries, and
- Post-tasking discovery of U.S. person status.

[1] The references to U.S. person identities might have resulted from collection pursuant to FAA §702 or from other authorized SIGINT activity NSA conducted that was reported in conjunction with [redacted] acquired under FAA §702. For the previous reporting period, NSA reported that [redacted] intelligence reports contained one or more references to U.S. persons, including references to U.S. electronic communications providers as part of a communications identifier. The Central Intelligence Agency (CIA) does not conduct acquisitions under FAA §702. However, it receives non-upstream [redacted] from NSA and FBI and disseminates information based on those [redacted].

[2] For the previous reporting period, NSA reported [redacted] identities were disseminated in response to requests for identities not referred to by name or title in the original reporting. For the current reporting period, approximately [redacted] of the disseminated U.S. person identities were proper names of individuals or their titles.
Action has been taken to correct mistakes, and management processes have been reviewed and adjusted to reduce the risk of unauthorized acquisition and improper retention of U.S. person communications. This is the sixth year for which the OIG has reviewed for the Congress the Agency's compliance with FAA §702. To ensure consistency between the report of the annual review conducted in accordance with FAA §702(l)(3) and this OIG report, the OIG and the Signals Intelligence Directorate worked together to achieve a common understanding of the reporting requirements and have agreed on a methodology for accumulating and analyzing compliance statistics.

(U) The OIG continues to exercise oversight of Agency intelligence activities.

DR. GEORGE ELLARD
Inspector General

Copy Furnished:
The Honorable Saxby Chambliss
Vice Chairman, Select Committee on Intelligence