NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE

(U) Final Report of the Audit on the FISA Amendments Act §702 Detasking Requirements

24 November 2010

DERIVED FROM: NSA/CSS Manual 1-52
DATED: 08 January 2007
DECLASSIFY ON: [illegible]

Approved for Release by NSA on 02-11-2015. FOIA Case #80120 (litigation).

(U) NSA OFFICE OF THE INSPECTOR GENERAL

(U) The NSA Office of the Inspector General (OIG) conducts audits, investigations, inspections, and special studies. Its mission is to ensure the integrity, efficiency, and effectiveness of NSA operations, provide intelligence oversight, protect against fraud, waste, and mismanagement of resources, and ensure that NSA activities are conducted in compliance with the law. The OIG also serves as an ombudsman, assisting Agency employees, civilian and military, with complaints and questions.

(U) Intelligence Oversight

(U) The OIG Office of Intelligence Oversight reviews the most sensitive and high-risk programs for compliance with the law.

(U) Audits

(U) The OIG Office of Audits provides independent assessments of programs and organizations. Performance audits evaluate the effectiveness and efficiency of entities and programs and assess whether NSA operations comply with federal policies. Information Technology audits determine whether IT solutions meet customer requirements while conforming to information assurance standards. All audits are conducted in accordance with standards established by the Comptroller General of the United States.

(U) Investigations and Special Inquiries

(U) The OIG Office of Investigations administers a system for receiving and acting on requests for assistance and complaints about fraud, waste, and mismanagement. Investigations and special inquiries may be undertaken as a result of such requests and complaints (including anonymous tips), at the request of management, as the result of questions that surface during inspections and audits, or at the initiative of the Inspector General.
(U) Field Inspections

(U) The OIG Office of Field Inspections conducts site reviews as part of the annual plan or by management request. Inspections yield accurate, up-to-date information on the effectiveness and efficiency of field operations and support programs, along with an assessment of compliance with federal policy. The Office partners with Inspectors General of Service Components and other Intelligence Community agencies to conduct joint inspections of consolidated facilities.

THE INSPECTOR GENERAL
NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE

24 November 2010

TO: DISTRIBUTION

SUBJECT: (U) Audit of the FISA Amendments Act (FAA) §702 Detasking Requirements

ACTION MEMORANDUM

1. (U) This report summarizes the results of our audit of the FISA Amendments Act (FAA) §702 Detasking Requirements and incorporates management's response to the draft report.

2. (U//FOUO) As required by Policy 1-60, Office of the Inspector General, actions on OIG audit recommendations are subject to monitoring and follow-up until completion. Therefore, we ask that you provide a written status report concerning each planned corrective action categorized as [illegible]. If you propose that a recommendation be considered closed, please provide sufficient information to show that actions have been taken to correct the deficiency. If a planned action will not be completed by the original target completion date, please state the reason for the delay and provide a revised target completion date. Status reports should be sent to [redacted], Assistant Inspector General for Follow-up, at Suite 6247, within 15 calendar days after each target completion date.

3. (U) We appreciate the courtesy and cooperation extended to the auditors throughout the review. For additional information, please contact [redacted] on 963-0957 or via e-mail at [redacted].

George Ellard
Inspector General

DISTRIBUTION: [illegible], DCOS, SID IG Liaison, SAE

AU-10-0023

(U) TABLE OF CONTENTS

(U) EXECUTIVE SUMMARY ... i
I. (U) INTRODUCTION ... 1
II. (U) FINDING AND RECOMMENDATION ... 5
(U) FINDING: Gaps in Coverage Exist ... 5
(U) ACRONYMS AND ORGANIZATIONS ... 19
(U) APPENDIX A: About the Audit
(U) APPENDIX B: Data Analysis
(U) APPENDIX C: Full Text of Management Responses

(U) This page intentionally left blank.

(U) EXECUTIVE SUMMARY

(U) OVERVIEW

Section 702 of the Foreign Intelligence Surveillance Act Amendments Act of 2008 (FAA) has strengthened Signals Intelligence collection, particularly against terrorist targets. From September 2008 to March 2010, the number of SIGINT reports that incorporated FAA §702-sourced collection [redacted]. Under the law, collection under FAA §702 must cease in certain circumstances, potentially resulting in a gap in coverage. To regain coverage, NSA must transition to another authority for continued collection, such as an FBI FISA Order. The Agency does not have a consistent process to ensure a seamless transition from FAA §702 authority to FBI Orders.

(U) HIGHLIGHTS

(U) Gaps in coverage exist
[redacted]

Analysis of detasking for FAA §702 compliance
[redacted]

(U) Significance
[redacted]

Need for standardized process
The Agency lacks a standardized process [redacted].

Management Response
(U//FOUO) The recommendation is being addressed by management.

I. (U) INTRODUCTION

(U) Background

Section 702 of the Foreign Intelligence Surveillance Act Amendments Act of 2008 (FAA) enhances surveillance against foreign nationals outside the [redacted]. §702 effectively broadened access to critical targets of interest, particularly terrorists. From September 2008, when FAA was implemented, to March 2010, the number of Signals Intelligence reports that incorporated §702 [redacted]. Collection under FAA §702 must cease under certain circumstances.
Detasking is required when a target is determined to be entering or to have entered the United States [redacted]. Collection [redacted] when a target is found to be a U.S. person [redacted]. To regain coverage of such a target, collection must transition to another authority, for example, a Federal Bureau of Investigation (FBI) FISA Order. The transition from FAA §702 to another authority may not be seamless, thereby creating a gap in coverage and potentially causing a risk to U.S. security. This audit assessed the circumstances and extent of the FAA §702 coverage gap by examining tasking and detasking records, FBI FISA data, traffic collected and purged, and reporting.

(U) FAA §702

FAA §702 allows NSA to use the assistance of U.S. telecommunications and Internet service providers to target non-USPs outside the United States. After the Attorney General and the Director of National Intelligence file a joint certification that certain statutory requirements have been met and the certification is approved by the FISA Court (FISC), NSA may conduct foreign intelligence surveillance of the content of communications. The certification includes an affirmation that the surveillance targets only persons reasonably believed to be outside the United States. The certification is submitted to the FISC and typically is approved for one year. Acquisition under a certification must adhere to targeting and minimization procedures approved by the Court. As of August [redacted].

Other FISA authorities provide alternative means to obtain collection against foreign intelligence targets when NSA must stop collection (detask) pursuant to FAA §702.

- (U) FAA §704, Other Acquisitions Targeting USPs Outside the United States. A FISC Order is required, but surveillance techniques are not reviewed by the court.
- (U) FAA §705(b), (U//FOUO) Joint Applications and Concurrent Applications. When a FISA Order that authorizes surveillance of a target inside the United States is in place, the Attorney General can authorize targeting while the USP is reasonably believed to be outside the United States.
- (U) FBI FISA Order. The FBI is authorized under a FISC Order to perform searches and electronic surveillance against [redacted]. Under [redacted] (known as the Raw Take Sharing Order), dated July 2002, NSA is able to receive most FBI FISA collection.

(U) Increased use of FAA §702 Authority

According to [redacted] in the Signals Intelligence Directorate, collection under FAA §702 authority is productive and grew in the 19 months between September 2008 and March 2010. Increased tasking under FAA §702 authority has resulted in increased SIGINT reporting. The Agency has also experienced an increase in compliance-related detaskings of selectors.

Tasking / Detasking
[redacted]. Compliance-related detasking significantly increased [redacted].

(U) Reporting
Reporting based on collection under FAA §702 authority increased [redacted].

(U) NSA oversight of FAA §702 collection

In addition to the [redacted] obligation to review the status of their selectors, the SID Oversight and Compliance Office (SV) is responsible for monitoring compliance with FAA §702 and tracking detasking. SV monitors selectors through [redacted] special tools to ensure [redacted]. If a problem exists, SV contacts the Targeting Office of Primary Interest (TOPI) and requests that its personnel research the selector before detasking. SV is also responsible for maintaining a Protect America Act (PAA)/FAA Incident database to record and track incidents and provide that information for external oversight by the Department of Justice and the Office of the Director of National Intelligence.
II. (U) FINDING AND RECOMMENDATION

(U) FINDING: Gaps in Coverage Exist

Although FAA §702 has provided important SIGINT [redacted] collection, the Agency has experienced coverage gaps when transitioning from FAA §702 to another authority. [redacted] a consistent process to ensure a seamless transition from [redacted].

(U) FAA §702 Implementation

(U) FAA §702 procedures

FAA §702 requires that NSA adopt procedures to ensure that its collection targets are reasonably believed to be outside the United States and to ensure that the Agency does not intentionally acquire communications known to be purely domestic. NSA must also establish minimization procedures that reasonably balance its foreign intelligence needs against the privacy interests of USPs with respect to the collection, retention, and dissemination of information.

(U) FAA §702 detaskings for compliance

In certain circumstances, NSA must detask selectors to maintain compliance with FAA §702 and approved targeting and minimization procedures. There are three broad reasons for detasking.

- (U) Roamers: The foreign target is initially believed to be overseas, but it is subsequently determined [redacted].
- USP status determined after tasking: The target is overseas and believed to be foreign, but NSA subsequently determines that the target is a USP overseas.
- [redacted]: The target is foreign and overseas [redacted] must detask the account from FAA §702 collection.

[redacted] that a target is a USP, is roaming in the United States, [redacted], NSA must detask associated selectors from collection under FAA §702 authority and purge related SIGINT holdings from all databases. To avoid a break in coverage, other authorities must be sought if the target remains of interest and is an agent of a foreign power (§704, §705(b), and/or FBI FISA Order).

(C) Compliance detaskings few in context, but potential risk is great

[Chart: FAA §702 selectors detasked for compliance reasons compared to total SIGINT selectors tasked]

The number of selectors detasked for compliance reasons from collection under FAA §702 authority is small compared with all SIGINT selector tasking as of March [redacted]; however, loss of FAA §702 collection on potentially high-interest selectors, particularly those related to [redacted], poses a [redacted] when transition to alternative coverage is not seamless.

(U) Defining the FAA §702 gap in coverage

The gap in coverage is the collection lost in the time between detasking from FAA §702 collection authority and initiation of collection under another authority (§704, §705(b), or FBI FISA Order). For non-FAA §702 coverage, a higher legal standard, individualized probable cause, must be met to secure a FISA order. In some cases, the Government may not be able to assemble facts sufficient to satisfy the probable cause standard.

(U) Audit Focus

(U) Audit universe of FAA §702 detaskings

To determine the extent of the coverage gaps, we identified every Digital Network Intelligence (DNI) and Dialed Number Recognition (DNR) selector that was detasked to comply with FAA §702 after enactment of the FAA in July 2008. By reviewing [redacted] tasking records and the FAA Incidents database, we identified [redacted] relevant [redacted] FAA §702 certification [redacted].

Contribution of collection under FAA §702 to reporting

From September 2008 to March 2010, FAA §702 collection contributed to an increasing percentage [redacted] percent.

[Chart: Percentage of Reports with Contributions from FAA §702 (September 2008 to March 2010)]

Audit sample focuses on DNI selectors

[redacted] DNI and DNR [redacted] for gap [redacted] (see Appendix A for scope and methodology). DNI selectors represented the large [redacted] in the sample (93 percent). In addition, [redacted] percent of tasked FAA §702 DNI selectors [redacted], as indicated in the adjacent diagram.

[Chart: FAA §702 Selectors by Certification (as of March 2010)]

The large quantity of detaskings [redacted], the significant role of [redacted] reporting, as well as the high risk that a gap in coverage poses, prompted our focus on DNI detaskings.
(U) Effective Collection Priority

To understand better the priority of tasking and selectors, we obtained the [redacted]. [redacted] two values: national SIGINT [redacted] and collection precedence [redacted], one through nine, with one being the highest. For the [redacted] selectors that we identified, the average ECP was 2.52, indicating that these selectors are of high priority.

(U) Effect of Gaps on SIGINT Collection and Reporting

To determine the effects of FAA §702 detasking on selectors [redacted].

Coverage Gap Analysis

Time delay poses risk on productive selectors
[redacted]

(U) Minimal [redacted] high-interest selectors
[redacted]

(U) Projected collection [redacted] could result in risk to the nation from these high-interest [redacted]

(U) Majority of collection [redacted]

(U) Selectors not Retasked

[Table redacted; Total 100.00%]

(U) Lack of Systematic Process

[redacted] Production Center has faced [redacted] in achieving seamless coverage of targets while maintaining compliance with FAA §702 requirements [redacted].

(U) Need for consistent process

[redacted]
1. After the Agency detasks an FAA §702 selector, [redacted].
2. TOPIs can directly notify [redacted].
3. After normal duty hours, [redacted].
4. The Agency can send [redacted].

In addition, in September 2009, at the request of the NSA Director, an Emergency Authorization Operations [redacted] was developed [redacted] with the Office of General Counsel to outline a detailed process for maintaining coverage [redacted].

Lack of understanding of the handoff process

[redacted]

Case studies

1. Informal, but nearly seamless: [redacted]. Selectors [redacted] NSA, the Central Intelligence Agency, and the FBI [redacted].

2. [redacted]: These selectors under FAA §702 coverage [redacted] by several persons associated with [redacted] had been placed [redacted] about obtaining alternative coverage and were not clear about what could be obtained from FAA §705(b) tasking and how this tasking [redacted]. Ultimately, the [redacted] were provided guidance internally [redacted] occur because not all in the office are familiar with these new procedures.

3. Limited feedback and a long delay: [redacted] selector associated with [redacted] shortly after tasking on the selector had been initiated [redacted] to monitor tasked selectors to ensure foreignness and compliance with the law.

[redacted] agreed that a standardized process would improve the timeliness [redacted]. They also concluded that the process should be strengthened and suggested other improvements to the current systems [redacted].

Recommendation

Establish a standardized process for [redacted] when it is determined that coverage should continue after selectors are detasked from FAA §702 collection. (ACTION: SID with OGC)

(U) Management Response

CONCUR with the recommendation. Corrective action is under way and will be completed as soon as possible, [redacted]. Successful completion within this timeframe is contingent upon direct involvement from SV and S1 as they are owners of mission components that are directly tied to the transition process (see Appendix C for full text of management comments).

(U) OIG Comment

Planned actions meet the intent of the recommendation.

(U) Loss of Collection

[redacted]. We also grouped the selectors reviewed by the reason for detasking.

Circumstances of Detasking

[redacted]

[redacted] guidance on detasking [redacted]

(U) Action taken

[redacted] Attorney General and the acting Director of National Intelligence filed with the FISC FAA §702 certification [redacted] related to targeting and minimization procedures for [redacted]. We learned that the FISC was concerned with the proposed changes to the minimization procedures. [redacted] and NSA are exploring alternatives to address the matter while continuing to operate under the existing procedures.

(U) ACRONYMS AND ORGANIZATIONS

CIA     Central Intelligence Agency
DIRNSA  Director, NSA
[redacted]
DNI     Digital Network Intelligence
DNR     Dialed Number Recognition
DoJ     Department of Justice
ECP     (U) Effective Collection Priority
FAA     (U) Foreign Intelligence Surveillance Act of 1978 (FISA) Amendments Act
FBI     Federal Bureau of Investigation
FISA    (U) Foreign Intelligence Surveillance Act of 1978
FISC    (U) Foreign Intelligence Surveillance Court
OGC     (U) Office of General Counsel
PAA     Protect America Act
SID     Signals Intelligence Directorate
SIGINT  Signals Intelligence
SV      Signals Intelligence Directorate, Oversight and Compliance
SV4     Signals Intelligence Directorate, Oversight and Compliance, FISA Authorities
[redacted]
TOPI    Targeting Office of Primary Interest
USP     (U) United States Person

(U) APPENDIX A

(U) About the Audit
(U) ABOUT THE AUDIT

(U) Objectives

The audit objective was to document the circumstances and the extent of dropped Signals Intelligence collection as a result of Foreign Intelligence Surveillance Act of 1978 (FISA) Amendments Act of 2008 (FAA) §702 restrictions.

(U) Scope and Methodology

(U) Conducted from February to August 2010, the audit examined the gaps in coverage when a selector is required to be detasked for compliance with FAA §702 and the measured effect of the lost coverage.

(U) We reviewed current policies and laws pertaining to FAA §702. We obtained access to the Protect America Act/FAA Incident database and reviewed reported incidents from 10 July 2008 (when the FAA became law) through 4 March 2010 and documented actual instances when SIGINT collection was stopped to comply with §702. See Appendix B, Data Analysis, for our data sources. We interviewed representatives from the following organizations: Signals Intelligence Directorate Oversight and Compliance (SV), [redacted], Office of General Counsel (OGC), [redacted], and [redacted]. In addition, we met with [redacted] and documented the collection transfer from NSA to FBI.

(U) Oversight and Compliance

To gain an understanding of the Agency's process for documenting and reporting incidents and violations, we met with the SV staff. We obtained for our analysis information from the [redacted] Incidents database on selectors that were detasked because of FAA §702 restrictions.

(U) Office of General Counsel

We met with the OGC FAA liaison to gain the overall legal perspective of the implementation of FAA §702. We also met with the Acting General Counsel to discuss the nature of collection restrictions that are inherent in legal authorities. In addition, we discussed whether the current law is sufficient for NSA to achieve its mission goals.
[redacted]

We met with technical leadership in the [redacted] to gain an understanding of the legal, policy, and compliance constraints in the [redacted] analytic environment, specifically related to [redacted] because of FAA §702 restrictions. [redacted] conducted [redacted] when a selector was detasked [redacted]. We obtained [redacted] opinions about the effect of collection on their work, including specific benefits and obstacles of the FAA §702 authority.

(U) FAA implementation leads

We met with the Analysis & Production FAA leads who are charged with overseeing working groups, which are addressing problems with carrying out work under the FAA. They outline efforts on analytic training and coordinate with the Department of Justice, OGC, and SV. [redacted]

(U) Tasking tool and data repository personnel

We met with [redacted] to [redacted] the [redacted] tasking databases. We obtained extractions from these databases to assist in our review. In addition, we met with the [redacted] metrics team, [redacted] personnel, and a representative from SIGINT Strategy and Governance to gather additional data concerning tasking gaps, collection prioritization, and qualitative measures related to the FAA §702 selectors of interest.

(U) Training

We took the Legal Compliance and Minimization Procedures (USSID 18) training to obtain access to certain databases. In addition, we attended [redacted] training.

(U) Government auditing standards

(U) We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions according to our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions according to our audit objectives.

(U) Prior Coverage

The Office of the Inspector General has not performed any previous audits or inspections on FAA §702.
(U) Use of Computer-Processed Data

For this audit, we used data that originated from the [redacted]. We used the data to conduct a gap analysis on selectors that were detasked for FAA §702 compliance reasons. We did not determine the validity of these databases; however, we validated the data across multiple sources to ensure an accurate depiction of the data as used for our analysis.

(U) Management Control Program

As part of the audit, we assessed the organization's control environment pertaining to the audit objectives, as set forth in Policy 7-3, Internal Control Program, 14 April 2006. We found that the [redacted] 2010 statement of assurance reported that a lack of upgrades of Information Technology systems and software applications and a lack of training and staffing could impede the SV4 mission.

(U) APPENDIX B

(U) Data Analysis

(U) ANALYSES

(U) Identification of Detasked Selectors

We used the SV Incidents database and the [redacted] as sources of selectors that were detasked to maintain compliance with FAA §702.

SV4 PAA/FAA Incidents database

We examined the SV4 Incidents database, which contains a record of reportable incidents under the [redacted]. A reportable incident under [redacted] is one of the following:

- The conduct of any SIGINT activity (collection, processing, retention or dissemination) using PAA collectors in a way that contravenes the terms of the PAA or the terms of the specific certification under which you are operating.5 This includes any activity that runs counter to the Director's affidavit or the associated exhibits that describe the process for determining foreignness, the minimization procedures, or the targets authorized for collection under the certification.
- The conduct of any activity using FAA collectors without having a certification in place to cover the target being collected.
We reviewed the records in the Incidents database from 10 July 2008 (the inception of [redacted]) to 4 March 2010 and determined that there were a total of [redacted] incidents. The records in the database are categorized by incident type. This allowed us to determine those that met the criteria for our review of detaskings related to compliance. The relevant incident types for further review are:

- Roamers into the US [redacted]
- Targets identified as a USP after tasking under §702 [redacted]

Incident types such as "analyst error" and "tasking error" did not relate to detasking to maintain compliance with §702; therefore, we eliminated these types of records from our review.

5 (U) PAA was the predecessor to FAA.

(U//FOUO) [redacted] tasking records

[redacted] is used to submit and manage Digital Network Intelligence (DNI) targeting requests. To ensure that we obtained records of all detaskings related to §702 compliance, we requested from [redacted] tasking records a record of detaskings for any of the three following reasons:

1. User is a USP
2. User is entering the United States
3. User is in the United States

The main purpose for requesting [redacted] was to search for selectors that were detasked citing a reason "user is entering the United States" and that were not captured as incidents in the SV FAA Incidents database because they were detasked before the user actually roamed into the United States.

(U) Audit universe

We compared the results of the [redacted] query with the selectors identified in the review of the FAA Incidents database and identified additional selectors that were detasked for compliance purposes. From our review of the Incidents database and [redacted] detasking records, [redacted] total universe [redacted] unique selectors that were detasked for compliance reasons. The detaskings covered the [redacted] FAA §702 certifications: [redacted]. We were able to identify both detasked DNI and Dialed Number Recognition (DNR) selectors from the Incidents database and detasked DNI selectors from [redacted] detasking records.
The breakout of the selectors is detailed in the following table. [redacted] 2009; therefore, our search within [redacted] covered February 2009 to March 2010.

Source                           Certification  Description                                                  Selectors
SV4 PAA/FAA Incidents database   [redacted]     Compliance-related detaskings since July 2008                [redacted]
SV4 PAA/FAA Incidents database   [redacted]     Compliance-related detaskings since July 2008                [redacted]
SV4 PAA/FAA Incidents database   [redacted]     Compliance-related detaskings since July 2008                [redacted]
SV4 PAA/FAA Incidents database   [redacted]     Compliance-related detaskings since July 2008                [redacted]
[redacted] detasking records     [redacted]     Compliance-related detaskings, February 2009 to March 2010   [redacted]
[redacted] detasking records     [redacted]     Compliance-related detaskings, February 2009 to March 2010   [redacted]
Total                                                                                                        [redacted]

(U) Audit Sample for Gap Analysis

The focus of our gap analysis was on FAA §702 selectors that were detasked from collection for compliance from February 2009 to March 2010. We concentrated on the [redacted] selectors [redacted] of the significance [redacted] collection, including the [redacted] number of [redacted] and the key role it plays in [redacted] regarding the time [redacted] selectors on [redacted] of the availability [redacted] and the majority of the [redacted]. We were unable to conduct [redacted] selectors [redacted] or tasking information or both. Our analysis covered both time gaps (gaps in coverage in days) and collection (projected missed collection as a result of the loss of coverage) for the [redacted] selectors.

Source                           Selectors
SV4 PAA/FAA Incidents database   [redacted]
[redacted] tasking records       [redacted]
Total                            [redacted]

Records reviewed

To measure the extent of the gaps associated with detasked §702 selectors, we evaluated multiple sources of information. This information was requested from SV, and we also [redacted] the following databases: [redacted].

- §702 tasking history records were used to determine the dates of coverage for the selectors. The data included the dates the selectors were tasked [redacted] Executive Order 12333 and §702 [redacted]. [redacted] data were [redacted] the tasking [redacted]. This allowed us to draw a comparison between information in the FAA Incidents database [redacted]. We also used the data to determine the Effective Collection Priority of each of the selectors.
- [redacted] data were requested for determination of the number of pieces of traffic, or "traffic hits." This allowed us to determine how active the selectors were in regard [redacted]. From this information, we were able to project the potential collection that was lost during gaps in coverage related to §702 compliance. It also provided us the ability to determine how [redacted].
- Purged records: Purge requests from SV4 to database managers were [redacted] in the [redacted] database. The purged records in effect represent a gap in collection coverage.
- [redacted] reporting: We requested serialized SIGINT reporting that cited §702 data as the source. The records were extracted from the [redacted] and provided us the ability to determine the effect of §702 collection on serialized SIGINT reporting.
- §704/§705(b) tasking: Reports were generated from [redacted] and records requested from SV regarding §704/§705(b) authorizations to determine if any of the [redacted] detasked §702 selectors were subsequently approved under those authorizations.

(U) APPENDIX C

(U) Full Text of Management Comments

(U) [redacted] and OGC Management Responses

NSA STAFF PROCESSING FORM

TO: OIG
THRU: [redacted]
EXREG CONTROL NUMBER: 2010-8956
ACTION: APPROVAL
EXREG SUSPENSE: 15 NOV 2010
KCC SUSPENSE: [redacted]
ELEMENT SUSPENSE: [redacted]
SUBJECT: (U//FOUO) SID Response to Draft Audit Report on the FISA Amendments Act §702 Detasking Requirements

PURPOSE: To provide the SID response to the draft report on FISA Amendments Act (FAA) §702 Detasking Requirements (AU-10-0023).

BACKGROUND: The Audit was initiated at the request [redacted]. The Audit objective was to document the circumstances and the extent of dropped SIGINT collection as a result of §702 restrictions. The draft Audit report was provided to [redacted] and Office of General Counsel (OGC) to review for factual accuracy and respond to the assigned recommendation listed below.

DISCUSSION: [redacted] Recommendation: Establish a process [redacted] accounts de-tasked from FAA §702 collection. Lead Actionee: SID with OGC.

Attached (TAB A) is the consolidated [redacted] and OGC response to this tasker. This SPF may be downgraded and marked [redacted] upon removal of [redacted].

COORDINATION/APPROVAL: [redacted] 963-3121; [redacted] 963-4093; [redacted] 963-5590; SID DIR 963-3025; [redacted] 963-3335.

Derived From: NSA/CSS Manual 1-52, Dated: 20070108.

TAB A

I. SUMMARY

As requested, this correspondence provides the Office of [redacted] [redacted] concurrence (or non-concurrence) with the recommendation contained in the Office of Inspector General's (OIG's) draft audit report on the transition gap NSA encounters when targets of Foreign Intelligence Surveillance Act (FISA) Amendments Act (FAA) §702 collection must be de-tasked from this collection authority. This memorandum also provides OIG with the results of [redacted] and [redacted] review of the draft report for factual accuracy.

II. CONCURRENCE WITH RECOMMENDATION

Recommendation: Establish a process [redacted] de-tasked from FAA §702 collection.

(U) Lead Actionee: SID with OGC.

(U) Concur/Non-Concur & Estimated Completion Date: [redacted] recommendation. Corrective action is under way and will be completed as soon as possible, [redacted]; completion within this timeframe is contingent upon direct involvement from SV and S1 as they are owners of mission components that are directly tied to the transition process.
[redacted] Comment: Although there is a current process for the Signals Intelligence Directorate [redacted] coverage of targets of interest, OGC does not dispute the substantive finding that the current process does not appear to be universally understood by [redacted]. [redacted] response to this finding include[s] [redacted] personnel are working on coverage of [redacted] FAA §702 collection. OGC and SID personnel have already initiated discussions to establish a clearer process for NSA [redacted] coverage for selectors de-tasked from FAA §702 collection. OGC [is] drafting a comprehensive standard operating procedure (SOP) for [redacted] to follow when [redacted]. The [SOP] will also include a quick reference guide, and OGC will engage with the Department of Justice [...] necessary to ensure that the new process addresses OIG's finding and recommendations. [...] the short series of training sessions for [redacted] members of the division and branch leadership teams to raise awareness of the [redacted]. The purpose of the [sessions] is to [...] Points of Contact (POCs) who will be able to assist [redacted] through the process. Additional Video Teleconferencing Center (VTC) sessions will be scheduled to include the extended enterprise. Finally, an e-mail [group] has been created that includes technical and policy [redacted]. The purpose of this group is to assist the division and branch POCs as they work with the [redacted] on the process. Members of the group will also ensure that timely resolution is reached for selectors de-tasked from FAA §702.

(U//FOUO) OIG Comment: The OIG does not agree [that all] suggested changes were due to inaccuracies or misleading statements. In [most cases], these suggested changes were based on [redacted] interpretations of the report and new information. We made the appropriate changes to update and clarify areas of the report.
(U//FOUO) The following lists areas of the report where [redacted] identified factual inaccuracies or misleading statements that should be corrected in the final version of OIG's report on [the transition gap] NSA encounters when targets of FAA §702 collection must be de-tasked from this collection authority. These factual inaccuracies do not affect [redacted] concurrence with the report's recommendation that SID and OGC establish a new process [for selectors that] must be dropped from FAA [§702 collection]. The following constitutes [redacted]:

(U) Correction 1: Highlights Section (page [...]): On page [...], the report contains a sentence that says [redacted].
Comment: This statement implies that NSA would have been able to obtain probable cause on all of those selectors and would have been able to transition to another authority. We believe we should clarify that we cannot transition all selectors in all circumstances.

(U) Correction 2: Gaps in Coverage Exist (page 5): Under the FINDING (top of the page), it states [that the] Agency has experienced coverage gaps when transitioning from FAA §702 to another authority.
Comment: This statement implies that NSA should be able to transition to another authority in all instances. This is not the case. We believe we should clarify that we cannot transition all selectors in all circumstances. While the need for a "higher legal standard" is mentioned on the bottom of page 6, we believe we need to be up front with the fact that some selectors will not transition.

(U) Correction 3: Effective Collection Priority (ECP) (page 8): This section states that "the average ECP was 2.52, indicating that these selectors are of high priority."
Comment: We believe we need to add context to this statement. We would imagine that most if not all [redacted] [have an] ECP that falls into the 1-3 range. [...] probably of high priority based on the ECP.
(U) Correction 4: Selectors not retasked (page 11): The table at the top of the page indicates that [redacted].
Comment: We think it is important to add a footnote that indicates that the [redacted] were told that they did NOT have to perform thorough research to try to recall why the selector was not retasked. Below is an excerpt from an email exchange between [redacted] indicating that the analyst did not have to perform research if [...] remember why the selector was not retasked.

[redacted]: We agree with your assertion that the [redacted] simply note that they do not recall what happened to the selectors if they cannot remember. Our intention was not to require people to spend hours trying to recall information to answer our survey, which is why there is a "don't recall" option in the first question. [redacted]

(U) Correction 5: [redacted]
Comment: [redacted]

(U) Correction 6: Need for consistent process (page 11): The document states that [redacted].
Comment: We think it is important to note that some selectors will take longer to transition compared to others based on the circumstances. The probable cause standard is higher than the standard associated [with] FAA §702 tasking. This statement implies that we should always be able to transition quickly. It may take time and a lot of back and forth between [redacted] before we reach the probable cause standard. We realize this is addressed in the Case Studies on page 13, but we think it should be stated up front.

(U) Correction 7: Footnote 3 (page 14): States that [redacted].
Comment: [redacted]

(U) Correction 8: Paragraph (page 15): "The [redacted] also may not have been [redacted]."
Comment: [redacted]

(U) Correction 9: Action Taken (page 18): This section discusses the new procedures, which are supposed to provide relief on some [redacted].
Comment: Unfortunately, [redacted] removed from the new procedures, so we will not see any relief [redacted] based on the new procedures. OGC would have details on exactly what occurred and where we stand.
(U) OGC REVIEW FOR FACTUAL ACCURACY

(U//FOUO) OIG Comment: The OIG does not agree with the OGC that all suggested changes were due to inaccuracies or misleading statements. In most cases, these suggested changes were based on interpretations of the report and new information. We made the appropriate changes to update and clarify areas of the report.

(U//FOUO) The following lists areas of the report where OGC identified factual inaccuracies that should be corrected in the final version of OIG's report on the transition gap NSA encounters when targets of FAA §702 collection must be de-tasked from this collection authority. These factual inaccuracies do not affect concurrence with the report's recommendation that SID and OGC establish a new process [redacted] targets that must be dropped from FAA §702 collection. The following constitutes specific suggested corrections:

(U) Correction 1: Highlights Section (page [...]): The "Highlights" section of the report contains a sentence [redacted] issue of a [redacted] under review by [redacted]. This statement is factually incorrect. In July 2010, [redacted] attempted to persuade the Foreign Intelligence Surveillance Court to allow tasking to continue under one version of the [redacted], but the FISC refused to accept the proposed change to FAA targeting and minimization procedures that the Government proposed to address this problem. [Our] understanding is that the [redacted] concluded such a change would conflict with statutory restrictions contained in the FAA legislation itself. Therefore, [redacted] is no longer reviewing this issue in the manner mentioned in the draft report. Instead, [redacted] is reviewing two different draft legislative proposals that attempt to close the transition gap. One proposal was drafted by NSA and the other proposal was prepared by DoJ's National Security Division.

(U) Correction 2: Introduction: On page 2, the "Introduction"
section of the draft report contains the following sentence: "[...] (known as the Raw Take Order) dated July 2002, NSA is able to receive FBI FISA collection."

(U) As drafted, this sentence is factually inaccurate. The sentence should be revised to read: "Under FISC docket [redacted] (known as the Raw Take Sharing Order) dated July 2002, NSA is able to receive most FBI collection directed against the FBI's counterterrorism targets."

(U) Correction 3: Finding that Gaps in [redacted] Target Coverage Exist: Page 6 of this section of the draft report contains the following sentence: "To avoid a break in coverage, other authorities must be sought if the target remains of interest and is an agent of a foreign power (§704, §705b, and/or FBI [FISA])." This sentence is inaccurate as drafted, since it implies that the listed authorities are the only possible authorities available to resume coverage. The sentence should be revised to read: "To avoid a break in coverage, other authorities must be sought if the target remains of interest and is an agent of a foreign power (§704, §705b, FBI FISA, [redacted])."

(U) Correction 4: Finding that Gaps in [redacted] Target Coverage Exist: Page 6 of this section of the draft report contains the following statement: "[For] non-FAA §702 coverage, a higher legal standard, individualized probable cause, is required to secure a FISA order." Although the statement is accurate as drafted, for completeness OIG may wish to note that, in some cases, the Government may simply not be able to assemble facts sufficient to satisfy the probable cause standard.
(U) Correction 5: Discussion of lack of process [redacted]: On pages 15 to 16 of this section of the draft report, there is a discussion of the delay experienced in regaining coverage of selectors associated with [redacted]. The report says [redacted] [...] NSA had to de-task the [redacted] [...].

(U) Correction 6: Discussion of "strict guidance on detasking" [redacted]: On pages 17 to 18, [the report states that redacted] and OGC have provided "strict guidance" to de-task [redacted]. Although accurate as drafted, the report [...] have discretion to alter the guidance. Therefore, the discussion of the legal advice provided by [redacted] and OGC on the de-tasking of [redacted] is extremely misleading. Although this section of the [report states] that the FISC has expressed "concern" about the modifications to FAA §702 targeting and [minimization procedures ...] that the Court's concern was with the [redacted], [...] concluded that even the modest changes proposed [redacted] to address one aspect of the [redacted] were incompatible with the current statutory framework. Moreover, for completeness, the report should also note that, even if the statutory language is changed, there may be Fourth Amendment problems with maintaining electronic surveillance of a U.S. person or a person located inside the United States on anything less than a formal probable cause determination.

NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE
Further dissemination of this report outside NSA is prohibited without the approval of the Inspector General.

(U) Report on the Special Study: Assessment of Management Controls Over FAA §702
ST-11-0009
Revised and Reissued 29 March 2013
Derived From: 1-52, Dated: 20070108
Approved for Release by NSA on 02-11-2015. FOIA Case 80120 (litigation).

(U) OFFICE OF THE INSPECTOR GENERAL

(U) Chartered by the NSA Director and by statute, the Office of the Inspector General conducts audits, investigations, inspections, and special studies. Its mission is to ensure the integrity, efficiency, and effectiveness of NSA operations,
provide intelligence oversight, protect against fraud, waste, and mismanagement of resources by the Agency and its affiliates, and ensure that NSA activities comply with the law. The OIG also serves as an ombudsman, assisting NSA/CSS employees, civilian and military.

(U) AUDITS
(U) The audit function provides independent assessments of programs and organizations. Performance audits evaluate the effectiveness and efficiency of entities and programs and their internal controls. Financial audits determine the accuracy of the Agency's financial statements. All audits are conducted in accordance with standards established by the Comptroller General of the United States.

(U) INVESTIGATIONS
(U) The OIG administers a system for receiving complaints (including anonymous tips) about fraud, waste, and mismanagement. Investigations may be undertaken in response to those complaints, at the request of management, as the result of irregularities that surface during inspections and audits, or at the initiative of the Inspector General.

(U) INTELLIGENCE OVERSIGHT
(U) Intelligence oversight is designed to ensure that Agency intelligence functions comply with federal law, executive orders, and [...] and NSA policies. The IO mission is grounded in Executive Order 12333, which establishes broad principles under which IC components must accomplish their missions.

(U) FIELD INSPECTIONS
(U) Inspections are organizational reviews that assess the effectiveness and efficiency of Agency components. The Field Inspections Division also partners with Inspectors General of the Service Cryptologic Elements and other IC entities to jointly inspect consolidated facilities.

OFFICE OF THE INSPECTOR GENERAL
NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE
29 March 2013
IG-11526-13
TO: DISTRIBUTION
SUBJECT: (U) Revised Report on the Special Study: Assessment of Management Controls Over FAA §702
MEMORANDUM
1.
(U//FOUO) This revised report summarizes the results of our special study of management controls that ensure compliance with Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 (FAA §702) and the Targeting and Minimization Procedures associated with the 2011 Certifications. It reflects changes made based upon additional information provided subsequent to the release of the original report on 8 November 2012. The report documents our analysis, findings, and recommendations for improvement. It also notes other areas that merit attention.

2. (U//FOUO) In accordance with Policy 1-60, Office of the Inspector General, and IG-11358-12, Follow-up Procedures for OIG Report Recommendations, actions on OIG recommendations are subject to monitoring and follow-up until completion. Consequently, we ask that you provide a written report concerning each OPEN recommendation in the following circumstances: when your action plan has been fully implemented or has changed, or if the recommendation is no longer valid. The report should provide sufficient information to show that corrective actions have been completed. If a planned action will not be completed by the target date, please state the reason for the delay and give a revised completion date. Reports [should be sent to redacted], Follow-Up Program Manager, at e-mail DL followup (ALIAS).

3. (U//FOUO) We appreciate the courtesy and cooperation extended to our staff throughout the special study. For additional information, please contact [redacted] on 963-1422(s) or via e-mail at [redacted].

DR. GEORGE ELLARD
Inspector General

DISTRIBUTION: DIRNSA; SID (T. Shea); NTOC (R. Ledgett); TD (L. Anderson); DOC (J. DeLong); OGC (R. De); ADET (J. [illegible])
cc: Exec DIR (F. Fleisch); COS (E. Breaks); SID DL SIDIGLIAISON; DL ntocreg; DL TDMREGISTRY; DL d_gcmtasker; D1; D11; D12; D13; D14

(U) TABLE OF CONTENTS
(U) EXECUTIVE SUMMARY ... iii
I. (U) INTRODUCTION ... 1
II.
(U) FINDINGS RESOLVED DURING THE REVIEW ... 11
III. (U//FOUO) FINDINGS AND RECOMMENDATIONS ... 13
FINDING ONE: PERFORMANCE [STANDARDS], PERFORMANCE METRICS, AND COMPLIANCE ENFORCEMENT MEASURES FOR TARGETING AND MINIMIZATION PROCEDURES ARE INCOMPLETE ... 13
FINDING TWO: CERTAIN FAA [redacted] ... 15
FINDING THREE: OVERSIGHT REQUIREMENTS OF FAA §702 TARGETING PROCEDURES AND NSA POLICY ARE NOT FULLY ADDRESSED ... 21
FINDING FOUR: SOME DOCUMENTATION SUPPORTING FAA §702 RESPONSIBILITIES HAS NOT BEEN KEPT [UP TO DATE] AND REQUIRES REORGANIZATION ACROSS NSA WEB PAGES ... 25
FINDING FIVE: INCREASED AUTOMATION OF PROCESSES SUPPORTING FAA §702 IS NEEDED TO ENSURE COMPLIANCE AND REDUCE ERRORS ... 29
FINDING SIX: THE FAA §702 CURRICULUM NEEDS TO BE UPDATED AND THE TRAINING REQUIREMENT ENFORCED ... 35
IV. (U) OBSERVATIONS ... 39
V. (U//FOUO) SUMMARY OF RECOMMENDATIONS ... 41
VI. (U) ABBREVIATIONS AND ORGANIZATIONS ... 45
APPENDIX A: (U) About the Study
APPENDIX B: (U) Control Requirements and Management Controls
APPENDIX C: (U) Full Text of Management Response

(U) EXECUTIVE SUMMARY

(U) Overview
The National Security Agency/Central Security Service conducts activities under the authority of Section 702 of the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 (FAA §702), a key source of information on foreign targets. Since inception, reporting based on FAA §702 collection has grown from an average of [redacted] reports per month to more than [redacted]. FAA §702 reports are sourced from collection obtained with the assistance of service providers. The majority of the collection is from Internet Service Provider [redacted] traffic, and the [remainder] ([redacted] telephony and upstream Internet traffic) is obtained from [redacted] the Internet backbone. For the Agency to retain this important tool in support of its mission, it must ensure compliance with FAA §702. [NSA] has implemented policies and control procedures, including training, access control, multiple levels of review, and oversight.
This system of controls is designed to provide reasonable assurance of compliance with the statute and the FAA §702 targeting and minimization procedures that form the basis for the affidavits made by the NSA Director concerning the Agency's use of the authority. The findings represent improvements needed to the overall control environment in which the FAA §702 authority is used. In a later review, the Office of the Inspector General will conduct compliance and substantive testing to draw conclusions on the efficacy of the management controls.

(U) Highlights
Although the OIG did not identify areas of non-compliance with the targeting and minimization procedures, we identified six areas in which controls over compliance with FAA §702 should be improved:

- Assessment of performance against compliance standards: Establishing accountability for compliance requires clear performance standards, measurement of actual performance against those standards, reporting of results, and implementation of corrective action. These processes are not fully developed.
- [redacted]
- Dissemination process: A review of FAA §702-sourced serialized dissemination does not include steps to verify that, when multiple communications transactions (MCTs) were used to support what is being disseminated, the required MCT documentation was prepared in accordance with the minimization procedures.
- Documentation deficiencies: Some internal Standard Operating Procedures and other internal FAA §702 guidance have not been kept up to date and require reorganization by subject across internal NSA web pages.
- Automation: [Increased automation] would improve purge execution, training compliance, and production of compliance alerts.
- Training update and enforcement: Adjudicators (personnel responsible for approving targeting requests) do not have a documented, standardized version of their training for reference.
In addition to the initial FAA §702 training required before accessing FAA data, [redacted] are now required to take a new FAA §702 applications course on compliant targeting requests and targeting maintenance. However, the requirement for the applications course is not yet enforced.

(U) Management Action
Signals Intelligence Directorate personnel agreed with the Inspector General recommendations, and the planned actions meet the intent of the recommendations.

I. (U) INTRODUCTION

(U) Background

(U) Sources of Section 702 Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 (FAA §702) collection

FAA §702 data is composed of Digital Network Intelligence (DNI) and Dialed Number Recognition (DNR) data. DNI is Signals Intelligence received from Internet Service Providers (ISPs) with the assistance of the Federal Bureau of Investigation (FBI) (the PRISM program) and from [redacted] (Upstream collection). DNR data is SIGINT obtained via intercept of the telephone network. NSA has the authority to acquire communications to, from, or, in the case of collection from [redacted], about tasked selectors.

(U) Requirements of FAA §702

The target of collection must be a non-U.S. person who is reasonably believed to be located outside the United States and possesses, is expected to receive, and/or is likely to communicate foreign intelligence [information].

§702 Certifications: §702 requires the Attorney General to adopt targeting and minimization procedures in support of the statute. The targeting and minimization procedures are documented in each Certification. [The] affidavit for each certification provides information regarding how the Government will implement those procedures and states that:

- Reasonable procedures are in place to ensure that acquisition under the Certification is limited to targeting non-USPs reasonably believed to be located outside the United States.
- Targeting procedures are reasonably designed to prevent the intentional acquisition of domestic communications (see footnote 1).
- Acquisition is for the purpose of obtaining foreign intelligence information within the scope of each Certification.
- NSA will follow specific minimization procedures.
- NSA may provide the Central Intelligence Agency (CIA) and the FBI unminimized communications acquired through this authority.

(U) Independent measure of compliance performance

The Agency's compliance with FAA §702 is subject to review by the Department of Justice and the Office of the Director of National Intelligence (ODNI), who review disseminations, queries of U.S. person identifiers, compliance incidents, and the targeting requests for all new and retasked selectors for the period, as well as the supporting information for a sample of the selectors. These entities have reported a very small number of errors.

(U) Objective and Scope of Review

(U//FOUO) The objective of the OIG review was to assess the adequacy of management controls to ensure reasonable compliance with FAA §702. This analysis was based on review of published and draft guidance and certain controls in systems supporting application of the authority. We also interviewed managers and [redacted] responsible for targeting, approval, and oversight subject to FAA §702 requirements. Testing of the controls identified will be the subject of a later review.

(U) Standards of Internal Control

(U) We assessed management controls against the Government Accountability Office's Standards for Internal Control in the Federal Government, November 1999, which presents the five standards that define the minimum level of quality acceptable for management control in government: Control Environment, Risk Assessment, Control Activities, Information and Communications, and Monitoring.

(U) Internal control, or management control, comprises the plans, methods, and procedures used to meet missions, goals, and objectives. It provides
reasonable assurance that an entity is effective and efficient in its operations, reliable in its reporting, and compliant with laws and regulations. Policy 7-3, Managers' Internal Control Program, 14 February 2012, advises that evaluations of internal control consider the requirements outlined by the GAO standards. The Office of the Inspector General (OIG) evaluates management control against the standards.

Footnote 1: Domestic communications, according to Section 2 of the FAA §702 Minimization Procedures, are all communications other than foreign communications, including those in which the sender and all intended recipients are reasonably believed to be located in the United States at the time [of acquisition]. Foreign communications have at least one [communicant] outside the United States.

(U) Basis for Compliance

(U) Targeting and Minimization Procedures

(U) Targeting

The targeting procedures specify that NSA will make a determination about "whether a person is a non-United States person reasonably believed to be outside the United States in light of the totality of the circumstances based on the information available with respect to that [person]." With respect to the foreign intelligence purpose for the targeting, the procedures require NSA to assess "whether the target possesses and/or is likely to communicate foreign intelligence information concerning [a] foreign power or foreign [...]." With respect to documentation, [redacted] who request tasking will document in the tasking database "a citation or citations to the information that led them to reasonably believe that a targeted person is located outside the United States" as well as "identify the foreign power [...] about which they expect to obtain foreign intelligence information pursuant to the proposed targeting." The submitted targeting
request is then subject to an adjudication review by specially trained personnel [redacted].

Obligation to review target status: Once collection begins, [redacted] are responsible for conducting "post-targeting analysis to detect those occasions when a person who when targeted was reasonably believed to be located outside the United States has since entered the United States, [enabling] NSA to take steps to prevent the intentional acquisition of any communication to which the sender and all intended recipients are known at the time of acquisition to be located in the United States, or the intentional targeting of a person who is inside the United States," per the targeting procedures. The Guidance to [redacted] on Obligation to Review Data, FISA Amendments Act (OTR Guidance), states that, after tasking, [redacted] are required to verify the foreignness and nature of the target [redacted]. The OTR Guidance states that the targeting analyst must perform initial target verification within five business days of first receipt of data, verifying that the:

- User of the selector is the intended foreign intelligence target,
- Target remains appropriate under the Certification cited in tasking, and
- Target remains outside the United States and/or there is no information to indicate that the target is inside the United States.

The On-Going Target Review section of the OTR Guidance states that [redacted] must [redacted] to uphold that there has been no change in the target's status that would require adjustment to maintain compliance. At least every 30 [redacted], [the] review should confirm that the:

- Selector remains associated with the intended target,
- Target remains appropriate to the Certification cited,
- Target remains outside the United States and/or there is no information to indicate that the target is inside the United States, and
- Type of data being obtained is not routinely of a type that is subject to immediate destruction requirements (e.g., domestic communications).
Information that demonstrates a change in any of these factors might require detasking the selector, destroying or otherwise handling collected traffic in accordance with the minimization procedures, and notice to the Agency's overseers.

(U) Oversight and reporting

(U//FOUO) The Agency must:

- Train those targeting and those approving targeting or accessing FAA §702 information,
- Ensure that FAA §702 raw traffic is stored only in authorized repositories and is accessible only to those who have had the proper training, and
- Conduct spot-checks of targeting decisions, intelligence disseminations, and queries of data repositories for compliance.

(U) Minimization

(U//FOUO) The minimization procedures are designed to protect USP information during acquisition, processing, retention, and dissemination of information obtained by targeting [persons] reasonably believed to be located outside the United States. They require that the Agency ensure that:

- Acquisition is conducted in a manner designed, to the greatest extent feasible, to minimize the acquisition of information not relevant to the authorized purpose of the acquisition;
- [...] reasonable judgment in determining whether information acquired must be minimized;
- [...] inadvertently acquired communications of or concerning a USP [are destroyed] at the earliest practicable point in the processing cycle (unless the data can be retained under exception provisions detailed in the minimization procedures); and
- Report(s) based on communications of or concerning a USP may be [disseminated if] the identity of the USP is deleted and a generic term or symbol is substituted so that the information cannot reasonably be connected with an identifiable USP. Otherwise, dissemination of intelligence reports based on communications of or concerning a USP may be made to a recipient requiring the identity of such person only for the performance of official duties, but only if meeting [certain] criteria.
(U) Control Environment

(U) Reliance on manual controls

(U//FOUO) A significant number of the procedures and controls established to ensure compliance with FAA §702 and court-approved targeting and minimization procedures are manual. Thus, training, supervisory reviews, and oversight are critical elements of the control structure. Modifications to the systems relied on for targeting, collection, and processing continue to:

- Improve the ability to purge information when required,
- Identify and prevent instances of over-collection, and
- Improve efficacy and efficiency of processing and oversight.

(U//FOUO) Realignment of responsibility

(U) SID has restructured operations to better manage FAA §702 processing and compliance. [redacted] assumed responsibility for adjudicating FAA §702 [redacted]. [redacted] Mission and Compliance performs functions supporting use of the authority, as well as additional oversight of FAA §702 processing and compliance. ([redacted] continues to perform much of the direct oversight of targeting.) [redacted] assumed responsibility from SV for:

- Execution of purges related to FAA §702 incidents (removal from data repositories of records ineligible for retention under the authority),
- Implementation of a purge adjudication process to better ensure completeness of purges,
- Development of processes and tools to enhance compliance while reducing the burden on [redacted],
- Training and oversight of targeting adjudicators, and
- Preparation of additional management measures, including metrics, to improve accountability.

(U) Continued process improvement

The Agency has undertaken several reviews of NSA systems and processes, as well as the data acquired from communications providers and other Agency sources under FAA §702 authority, in response to compliance incidents and questions raised by the Foreign Intelligence Surveillance Court (FISC).
These reviews and other efforts to improve compliance and efficiency of operations have resulted in several changes to the processes and controls supporting the Agency's use of the authority. SID continues to take steps to improve FAA §702 compliance. [redacted] In addition to FAA §702 training that focuses on legal requirements for use of the authority, a new course, [FAA §702] Practical Applications, was released [redacted]. SID continues to make changes to the targeting tool to support compliance and increase efficiency (see Findings Resolved During the Review, p. 9). SID completed the [redacted] project [to] reduce errors in targeting requests. The most significant gaps identified included a lack of standardized feedback to targeting [redacted] [on the] reasons targeting requests failed approval, [redacted] insufficient management reporting of denied targeting requests, and the need to increase accountability and compliance for targeting. Corrective actions, including standardized denial reasons, management reporting of denial metrics, [redacted], were implemented. These actions reduced average weekly denial of targeting requests by 24 percent, improved compliance with required internal procedures for selector management, and reduced the risk of incidents.

(U) Definitions

Annual Contribution Evaluation: The Agency's performance management system based on established individual performance objectives and performance elements.

[redacted]: Personnel [redacted] with [responsibility] for reviewing and approving FAA §702 targeting requests.

[redacted]: [A system] which provides authorization attributes and access control services to enterprise programs and projects.

Digital Network Intelligence (DNI): SIGINT derived from communications involving Internet-based selectors [redacted].

Dialed Number Recognition (DNR): Collection from telephony systems.

(U) Foreignness: Assessment and documentation supporting the determination of reasonable belief that a target is not a United States person and is outside the United States.
[redacted]: A corporate compliance tool that serves as a streamlined access control mechanism. It checks that individuals meet the necessary mission, training, and clearance required for initial account access to SIGINT tools and databases.

Master Purge List (MPL): Central record of SIGINT collection, including records derived from that collection, which NSA has purged. The list includes [redacted] that have been marked for purge or have been purged from [redacted] systems that are used in sourcing traffic for SIGINT reporting.

[redacted]: [redacted] system. Provides Internet communications [redacted] that, in general, are hosted by the provider.

Multiple Communications Transaction (MCT): Traffic containing more than one discrete communication. This traffic might contain discrete communications that are not to, from, or about tasked selectors. Upstream collection might contain both discrete and MCT traffic and could include MCTs of non-targeted individuals that contain a tasked selector.

[redacted]: A database repository that provides storage and retrieval of [redacted] content. It is a raw storage system.

[redacted]: [redacted] primary storage, search, and retrieval mechanism for [redacted]. It is a raw storage system.

PRISM: PRISM refers to the portion of the FAA §702 collection architecture wherein individual electronic communication service providers [redacted].

Product Lines (PLs): [redacted], also known as production centers. They have authority for tasking and reporting on SIGINT targets.

Purge: The on-demand removal of data items, rendering them unrecoverable through standard mission data access mechanisms.

Raw SIGINT: Any SIGINT acquired either as a result of search and development or as targeted collection operations against a foreign intelligence target, before the information has been evaluated for foreign intelligence and minimized in accordance with the applicable set of minimization procedures.
[redacted]: A controlled information management system which is the authoritative data source for a given configuration-managed data element and is governed in accordance with Policy [redacted].

[redacted]: A SID organization that leads planning and acquisition efforts for [redacted] collection of intelligence.

[redacted]: A SID initiative whose objective was to reduce targeting errors, thereby improving processing efficiency and compliance for FAA §702 transactions.

Upstream: [redacted] communications acquired from [redacted] located on the United States' Internet "backbone"; conducted with the assistance of electronic communications service providers who are located inside the United States and have been served with FAA §702 directives. This collection method is distinguished from other FAA §702 DNI collection (PRISM).

[redacted]: The targeting tool for submitting DNI and DNR targeting compliant with FAA and other SIGINT authorities.

Incompatibility between Assigned Authorities [redacted] and Compliance Controls for FAA §702

(U//FOUO) One of the primary NSA internal control mechanisms that ensure compliance with FAA §702 Targeting Procedures is the adjudication of targeting requests before tasking. This review confirms that the target and associated selector are tasked under the proper FAA §702 Certification, the target is not a USP, the target is outside the United States (foreign), and the determination of reasonable belief of foreignness is properly supported. [redacted] SV was aware of this gap between the NSA-required internal control and the implementation of the internal control within the tool, and it was [redacted].

Increased Risk of FAA §702 Non-Compliance for [redacted] Tasked Selectors

(U//FOUO) To support compliance with FAA §702, automated OTR notices that a required review of target communications is due are generated and sent to [redacted].
Performance Metrics and Compliance Enforcement Measures for Targeting and Minimization Procedures Are Incomplete

Establishing accountability for compliance requires clear performance standards, measurement of actual performance against those standards, reporting of results, and implementation of corrective action. These processes are not fully developed.

(U) Elements of an Effective Compliance Oversight Program

(U//FOUO) NSA has established a pre-tasking process that includes reviews of targeting requests for compliance with the targeting procedures. The targeting request must be approved before the selectors are released for tasking and collection. [redacted] Effective compliance oversight requires the development of measurable standards against which actual performance can be assessed. Comparison of performance against these standards must be reported regularly to management for timely review and follow-up action. Together, these elements provide the means to establish accountability and initiate action to improve compliance.

(U) Shared Responsibility for Oversight

Monitoring compliance with FAA §702 targeting and minimization procedures has become a shared responsibility within the Agency. Before 2010, SID SV had primary responsibility for monitoring the Agency's application of FAA §702 authority. [redacted] personnel outside SV assumed more of the responsibility for adjudicating FAA §702 targeting requests; [redacted] trained new adjudicators and assumed oversight of the targeting queue.

(U) Development of FAA §702 Compliance Metrics
Statistics on the targeting queue provide an assessment of the timeliness of the adjudication process and the means to evaluate the adequacy of the number of adjudicators given the volume of targeting requests. [redacted] Although these statistics inform management of the overall processing of targeting requests, they do not provide qualitative information regarding the accuracy of targeting requests submitted and approved, or compliance with the targeting procedures.

[redacted] continuing oversight of analyst and adjudicator performance is effected through reviews of targeting requests (see Finding Three), participation in bi-monthly overseer reviews, and management of FAA §702 incident reporting. Errors identified in targeting requests are communicated to the analyst, adjudicator, and [redacted]. After the overseers' 60-day reviews, SV prepares feedback briefings to inform adjudicators of overseer findings. The briefings also provide metrics on the reasons for denial of targeting requests, trends identified in review, and guidance on FAA §702 targeting procedures. Incident reports are also analyzed to identify trends that might require action. [redacted] oversight provides a critical assessment of compliance with FAA §702 independent of those requesting targeting. This feedback, however, is not provided to the managers responsible for the targeting [redacted] and adjudicators.

[redacted] S2 Compliance FISA Staff provides some metrics for FAA §702 processing and compliance, including weekly reports on the targeting request queue [redacted]. The process to establish complete standards and measures for assessment of compliance continues. To support effective monitoring of the Agency's use of FAA §702 authority, metrics must:
- Be based on clear and consistent expectations of performance for all targeting [redacted] and adjudicators within the Agency, and
- Generate sufficient detail to facilitate action by the adjudicator or targeting analyst.
The development of these metrics by [redacted] is not associated with the Comprehensive Mission Compliance Program, a group of NSA initiatives to achieve reasonable assurance that the SIGINT and Information Assurance missions are conducted in accordance with the laws and policies that protect USP privacy. The program includes monitoring and assessments, including trend analysis.

(U) Incomplete Implementation of Processes to Ensure Targeting Proficiency and Compliance Accountability

(U//FOUO) In 2010, SID completed the [redacted] project, a Lean Six Sigma project to reduce targeting errors and improve processing efficiency and compliance for FAA §702 transactions. The project team comprised personnel from [redacted]. Although several of the recommendations from [redacted] have been implemented, recommendations that focused on accountability for targeting accuracy have not. The study recommended for FAA §702:
- Employee performance review objectives for compliance with targeting requirements;
- Periodic metrics to leaders in organizations responsible for targeting (the original focus was on denial metrics for FAA §702 targeting requests); and
- Progressive measures to improve compliance with targeting standards, including removal of FAA §702 targeting authority.

Although not addressed by the [redacted] study, similar actions are needed to assess, monitor, and remediate the quality of targeting reviews conducted by adjudicators. To measure and increase the targeting proficiency of the work force, including targeting under FAA §702 authority, SID has developed the Targeting Workforce Readiness Standard (WRS), a functional Job Qualification Standard for all Agency personnel involved with targeting. Its purpose is to establish the standard targeting tasks along with the knowledge, skills, and abilities necessary to complete the tasks at a defined proficiency level.[1] The standard is supported by training and assessment plans (standard tests and on-the-job training evaluations). The WRS is under review and not fully implemented.
[1] A functional Job Qualification Standard defines the standards of performance for a broad SIGINT function, such as targeting or reporting, and crosses skill communities, work roles, and personnel types. It applies to civilians (and contractors) as well as military personnel. The functional standard, once completed at the specified proficiency level, accompanies the individual across PLs and SID.

Associated development plans and a means to track progress are being created within the Associate Directorate for Education and Training's (ADET) Enterprise Learning Management (ELM) architecture and include much of the required training (classroom and on-the-job) for FAA §702 targeting to achieve full proficiency. Implementation of the WRS and associated training and assessments will provide a means to achieve accountability for compliance with targeting requirements and ensure training standardization and enforcement. Development of FAA §702 metrics based on the WRS proficiency standards would support the performance measurement component of the WRS.

(U//FOUO) Establish for FAA §702 targeting [redacted] and adjudicators ACE performance objectives based on completion of a specified proficiency level of the Targeting Workforce Readiness Standard and ELM training plan.

ACTION: [redacted]

(U) Management Response

AGREE. [redacted] are preparing an ELM plan for targeting [redacted] and adjudicators. The ELM plan will be broken down into proficiency levels, thereby allowing the analyst to register for the correct training as stated in the ACE objective. The ELM plan for the Targeting Workforce Readiness Standard for FAA §702 will be completed for all National Cryptologic School (NCS) courses [redacted]. Enforced registration in the ELM program and targeting proficiency statistics to the individual level, as well as the completion rate of all required training courses, will be completed [redacted]. Structured on-the-job training will be phased in [redacted].

Status: OPEN
Target Completion Date: [redacted]

(U) OIG Comment

Planned action satisfies the intent of the recommendation.
Develop metrics and management reporting to:
- (U//FOUO) Measure targeting [redacted] and adjudicator compliance with FAA §702 targeting and minimization procedures, and
- (U//FOUO) Support analysis of trends indicative of changes needed in training or guidance.
Coordinate this process with the Comprehensive Mission Compliance Program.

ACTION: [redacted]

(U) Management Response

AGREE. [redacted] part of the SID Lean Six Sigma Team. Participants will assess the feasibility of developing metrics to evaluate targeting trends and process deficiencies. Final implementation will depend on technical capabilities and deployment schedules.

(U) Status: OPEN
Target Completion Date: [redacted]

(U) OIG Comment

Planned action satisfies the intent of the recommendation.

FINDING TWO: Certain FAA §702 Selectors [redacted]

[redacted]

Verification that Authorized Selectors Are on Collection

[redacted] The Report on the Assessment of Management to Implement the Protect America Act (PAA) of 2007 [redacted], 7 April 2008 [redacted]

[redacted]

ACTION: [redacted]

(U) Management Response

AGREE [redacted]

(U) Status: OPEN
Target Completion Date: [redacted]

(U) OIG Comment

Planned action satisfies the intent of the recommendation.

FINDING THREE: Requirements of FAA §702 Targeting Procedures and NSA Policy Are Not Fully Addressed

[redacted] oversight of FAA §702-sourced dissemination has not been modified to address requirements for multiple communications transactions. SV is implementing a new process for oversight of audits of FAA §702 database queries.

(U//FOUO) Oversight of FAA §702 Dissemination

(U//FOUO) The FAA §702 targeting procedures associated with the 2011 certifications require that SV perform "periodic spot checks of intelligence disseminations to ensure compliance with established [procedures]." SV
performs spot checks of both serialized dissemination and dissemination of evaluated, minimized traffic. FAA §702 minimization procedures establish unique requirements that [redacted] must implement. This includes the requirement that [redacted] document the steps taken to verify that discrete communications within collection containing MCTs are eligible for dissemination. [redacted] spot-check of serialized dissemination does not include steps to verify that, when MCTs were used to support what is being disseminated, the required MCT documentation was prepared in accordance with the minimization procedures.

(U//FOUO) Although not required by the minimization procedures, SV should include in the spot-check of serialized disseminations of FAA §702-sourced material procedures to evaluate compliance with the documentation requirements pertaining to dissemination based on discrete MCTs. The spot-check should also evaluate proper [redacted] per NSA policy.

ACTION: SV

(U) Management Response

(U//FOUO) AGREE. [redacted] to modify the methodology and process for spot-checking disseminations of FAA §702-sourced material.

Status: OPEN
Target Completion Date: [redacted]

(U) OIG Comment

Closure of this recommendation will be evaluated upon receipt of documentation supporting the action taken.

(U) Oversight of Targeting Decisions

FAA §702 targeting procedures require that SV "conduct ongoing oversight activities and make any necessary reports, including those relating to incidents of noncompliance [with the FAA §702 targeting procedures] [...] ensure that necessary corrective actions are taken to address any identified deficiencies." SV achieves oversight of targeting decisions through several means:
- Adjudicators [redacted] review FAA §702 targeting requests for compliance with the FAA §702 targeting procedures and implementation guidance.
- [redacted] review includes analysis of the adequacy of the foreignness support for these targeting requests [redacted].
- SV adjudicates selectors nominated by the CIA, after review by NSA [redacted] personnel [redacted]. (The FBI [redacted] implemented its own process for nominating selectors. These are also adjudicated by SV.)
- SV reviews [redacted] selectors before sending them to the overseers bi-weekly. [redacted] SV evaluates the targeting request for inconsistencies or inaccuracies and might review the sources cited to support foreignness if SV questions information [redacted]. A full review, including sources supporting foreignness, is conducted for all targeting requests selected for review [redacted]. Supporting documentation was reviewed for [redacted] of the targeting requests submitted for a recent review period.

Together, these processes give SV a perspective on the quality of the FAA §702 targeting and adjudication processes [redacted]. An assessment of compliance with the targeting procedures, based on reviews of targeting requests, is not reported to management. Such reporting would aid in the identification of trends, of [redacted] and adjudicators whose performance demonstrates a need for additional training, and of authoritative guidance in need of improvement.

(U//FOUO) Periodically provide management an assessment of targeting analyst and adjudicator performance against the legal and policy requirements for FAA §702 targeting, based on SV reviews of targeting requests. Coordinate with FAA §702 metrics reporting (see Recommendation 2).

ACTION: SV

(U) Management Response

AGREE. Per the requirements of Recommendation 2, [redacted] will incorporate metrics for management's assessment.

(U) Status: OPEN
(U) Target Completion Date: [redacted]

(U) OIG Comment

Planned action satisfies the intent of the recommendation.

(U) Oversight of FAA §702 Raw Traffic Repositories

FAA §702 targeting procedures for the 2011 certifications require that
SV conduct periodic spot-checks of queries against repositories containing unevaluated and unminimized FAA §702 traffic. All queries of databases containing raw SIGINT content are subject to daily review by auditors assigned to each targeting analyst. Under U.S. Signals Intelligence Directive (USSID) CR 1610, Section A29, auditors must be trained in accordance with SV standards or meet with SV for a briefing on auditor responsibilities before conducting audits. USSID CR 1610 also requires that SV conduct "super audits" of all interactive raw SIGINT database systems. Daily audits of queries assess compliance with FAA §702 query requirements. Oversight of the audits is necessary to ensure that they are properly and consistently executed. However, such reviews are not performed with regularity. SV has piloted and will soon fully implement a new super audit process that will examine the justifications for queries and evaluate query terms for foreignness using various Agency databases.

(U//FOUO) Implement the super audit process and provide periodic feedback to FAA §702 auditors and their management on the quality of audit performance.

ACTION: SV

(U) Management Response

AGREE. [redacted] has fully implemented the super audit process for FAA §702. SID requests closure of the recommendation.

(U) Status: OPEN

(U) OIG Comment

(U) Closure of this recommendation will be evaluated upon receipt of documentation supporting the action taken.

FINDING FOUR: Some Documentation Supporting Use of FAA Authority Has Not Been Kept Up-to-Date and Requires Reorganization Across NSA Web Pages

(U//FOUO) Guidance supporting compliant use of FAA §702 authority is maintained in several locations and is not fully organized by subject. Some of the guidance is outdated. Two Standard Operating Procedures (SOPs) provide differing guidance on the adjudication process. SOPs for some oversight functions have not been developed.

(U) Maintenance of FAA §702 Guidance
(U//FOUO) Part of the function of SOPs and other forms of guidance on FAA §702 is to instruct [redacted] and adjudicators in the proper use of FAA §702 authority. Included in the guidance are such topics as targeting, [redacted], dissemination, incident reporting, and the requirements for approval of FAA §702 targeting requests.

(U//FOUO) These instructions are found in several places, including the FAA, SV, and [redacted] web pages, the SV SharePoint site, and web pages maintained by individual S2 product lines. It is unclear whether some of the guidance is current because it refers only to PAA, the predecessor to FAA. In addition, much of the information on the FAA web page is presented as tips or appears in memorandum form, making it unclear whether it carries the same degree of authority as the SOPs. Some of the links from the FAA web page to the guidance documents do not work, such as the [redacted]. Material is not fully organized by topic. Thus, to access complete information on a topic, a user might have to search through working aids, frequently asked questions, and other references. The FAA web page, which should be the primary source of authoritative guidance, is owned by the [redacted]. SID's FAA §702 Implementation Lead has been planning to update the guidance on this site, but other priorities, such as support for the 2011 FAA §702 Certification renewals, required attention.

(U) Targeting Review: Two SOPs

(U//FOUO) Two SOPs that provide guidance for adjudication of FAA §702 targeting requests have been issued. [redacted] prepared the [redacted], and the [redacted] web page carries the [redacted]. The former, written primarily for adjudicators, provides detailed descriptions of the review process, including examples of [redacted] and common errors. [redacted] In contrast, the SOP published by [redacted] lists the roles and responsibilities for targeting [redacted], releasers, and adjudicators reviewing FAA §702 targeting activities but does not provide a detailed description of the review requirements.
Responsibility for training adjudicators now resides in [redacted], which should establish the authoritative guidance to support that training.

(U) SOPs for Oversight Activities

(U) Role: SOPs are key elements of a system of management controls. They establish performance expectations necessary to achieve corporate objectives, including compliance with established authorities. The Agency's use of FAA §702 authority is subject to monitoring by SV, S2 Mission Support Staff, and Agency personnel who oversee targeting (including adjudicators). As noted already, guidance for targeting [redacted] and adjudicators has been developed by SV and S2 Mission Support Staff. It is important for the oversight functions to have documented procedures to ensure consistent execution of these functions despite staff turnover.

Responsibilities for FAA §702 oversight have changed significantly in the past year. SV performs reviews that support assessment of compliance with the authority by [redacted] and adjudicators, supports 60-day reviews of targeting and dissemination by [redacted], and manages incident report investigation and follow-up. As personnel outside SV have accepted responsibility for review and approval of a significant portion of the targeting requests (including adjudicators across the Agency), the FAA Implementation Team has assumed responsibility for training and oversight of adjudicators and for monitoring the targeting process. [redacted] has implemented the purge adjudication process to improve the completeness and accuracy of purges of FAA §702 data. SOPs for these oversight functions have not been fully developed.

(U) Role of the Rules Management Process

As part of the Comprehensive Mission Compliance Program, the role of the ODOC is to gather, organize, maintain, and provide access to the information contained in external authorities, policy, and compliance standards which govern NSA mission activities. The FAA §702 guidance should be maintained within this framework.
(U//FOUO) In accord with the Rules Management framework, establish a process to maintain authoritative guidance supporting compliant execution of FAA §702 authority:
- (U//FOUO) Organize the information to facilitate research by topic,
- (U//FOUO) Coordinate changes in guidance with required training, [redacted]
- (U//FOUO) Establish a single SOP as the guidance for adjudication of [redacted] and all FAA §702 targeting requests.

ACTION: [redacted]

(U) Management Response

(U//FOUO) AGREE. The following activities are in progress: [redacted] are developing and updating a single SOP for oversight, adjudication, and targeting FAA §702 functions and training. The [redacted] is populating FAA §702 documentation into a repository. In October 2012, SID worked with the [redacted] to discuss the process and progress. SV will collaborate with [redacted] to organize the [redacted] and web pages. Guidance changes that require updates to NCS courses (within the CRSK series) will be requested via a New Learning Solution. In such cases, SV [redacted] will be the originator upon coordination with [redacted]. In addition, [redacted] (see Recommendation 1) will manage changes to the Targeting Workforce Readiness Standard and ELM training plan.

(U) Status: OPEN
Target Completion Date: [redacted]

(U) OIG Comment

(U//FOUO) Planned action satisfies the intent of the recommendation.

FINDING FIVE: Increased Automation of Processes Supporting FAA §702 Is Needed to Ensure Compliance and Reduce Errors

(U//FOUO) The process for purge adjudication and execution relies on manual procedures that might result in incomplete and untimely processing. Eligibility for access to FAA §702 raw traffic databases is not verified after user accounts are established. Notices supporting required reviews rely on [redacted] and are not automated.

(U) Purging of FAA §702 Records

[redacted] The Agency identifies communications that must be removed from its systems by making a determination that content does not meet the standards for retention.
Such records are ineligible as sources for Agency reports and must therefore be removed [redacted]. As these records are identified, they are added to the [redacted] or [redacted]. This system contains items that have been or are being evaluated for [redacted] as a primary source for reporting. To prevent improper use of purged records, all records sourced to a report are checked against the MPL, in real time, when a report is released. The [redacted] are responsible for deleting records from their systems based on an Execute Order, which is an authoritative request to remove data from the [redacted]. Completeness of the MPL as a register of records purged, and full removal of records from the [redacted], are critical to compliance.

FAA §702 records that [redacted] identify for purge are subject to adjudication by personnel in [redacted]. The review provides assurance that records subject to purge are completely identified. It also avoids purging records eligible for retention because they were collected under authorities in addition to FAA §702. [redacted] also coordinates [redacted] to execute the purge order. The adjudication process is manually intensive. [redacted] personnel issue the execute order to the appropriate systems and conduct follow-up without automated support. The manual process is subject to error. [redacted] Lack of automation to complete the purge creates the opportunity for incomplete or untimely processing. [redacted] instances of inappropriate reporting were identified during this review, which did not include testing.

(U//FOUO) Increase automation of the purge adjudication and execution processes to support complete and timely execution.

ACTION: [redacted]

(U) Management Response

AGREE. SID outlined a three-phased approach to develop requirements for automation to improve purge process efficiency, plan a schedule of work, and implement the new capabilities (see Appendix for the detailed response).

Status: OPEN
Target Completion Date: [redacted]

(U) OIG Comment

Planned action satisfies the intent of the recommendation.
(U) Access Controls over FAA §702 Raw Traffic Databases

(U//FOUO) The FAA §702 targeting procedures associated with the 2011 certifications require that SV establish processes to ensure that raw traffic is accessible only to those who have had the proper training. Raw traffic derived from FAA §702 collection is maintained in [redacted]. To obtain a user account and access these databases, users must be assigned to an approved mission, [redacted], obtain the access required for the database, [redacted], and take required training. When all of these requirements have been met, [redacted] an automated notice that permits establishment of an account. This process ensures that users have a mission need to access the information, understand the restrictions for handling the data, and have been properly trained in FAA §702 requirements.

(U//FOUO) [redacted] does not update training or access information after accounts have been established. [redacted] does not verify that persons accessing FAA §702 raw traffic databases continue to meet eligibility criteria. [redacted] can be used to verify this information; [redacted] began using [redacted] for this [redacted]. Plans for [redacted] have not been established.

[redacted] provides authorization attributes and access control services to NSA enterprise programs and projects. NSA/CSS Policy 6-31, "Authentication and Authorization Services on [redacted] Resources," 26 July [redacted], requires that all legacy data repositories and [redacted] be [redacted]-enabled. According to the policy, a system is [redacted]-enabled if it "utilizes attributes about the user, obtained from [redacted], and applies authorization decisions based on those attributes." The [redacted] Usage Guide states that "authorization is based on privileges held such as security clearances, training completed, [redacted]." Failure to verify user attributes that qualify for raw SIGINT access increases the risk of inappropriate access to FAA §702 raw traffic databases, although no such inappropriate access was identified by the OIG during this study.

(U//FOUO) Establish, for repositories of FAA §702 data, a means to verify that users remain eligible for access.
ACTION: [redacted]

(U) Management Response

AGREE. [redacted] manages the mapping of access controls through [redacted] to repositories. Eligibility to access FAA §702 data is updated and reflected in [redacted]. [redacted] are able to restrict access according to a user's eligibility status. This control was previously handled at a system level but is now managed [redacted]. SID requests closure of the recommendation.

(U) Status: OPEN

(U) OIG Comment

Closure of this recommendation will be evaluated upon receipt of documentation supporting the action taken.

(U) Required Reviews of FAA §702 Selectors

[redacted] Under FAA §702 authority, [redacted] are required, before tasking selectors, to determine that the intended target is a non-USP reasonably believed to be outside the United States and to confirm that the person is appropriate for targeting under the FAA §702 Certifications. After tasking is initiated and collection begins, the targeting procedures require NSA to conduct post-targeting analysis "designed to detect those occasions when a person who when targeted was reasonably believed to be located outside the United States has entered the United States, and will enable NSA to take steps to prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States, or the intentional targeting of a person who is inside the United States." To ensure compliance with these requirements, the Agency has implemented the Obligation to Review (OTR) process, which establishes standards for post-tasking reviews. Initial target verification must be completed within five days of receipt of communications for the tasked selector. [redacted] must confirm that:
- The user of the tasked selector is the intended foreign intelligence target,
- The target remains appropriate under the
Certification cited in tasking and is not a USP, and
- The target remains outside the United States, or there is no information to indicate that the target is inside the United States.

After the initial verification, [redacted] must review sufficient information to verify that no change has occurred in the target's status that would affect eligibility for targeting. Internal guidance directs that this review is to be done at least every 30 days. In addition to the requirements for review, [redacted] must determine whether the collection obtained is routinely of a type that might require prompt destruction (e.g., domestic communications).[5]

(U//FOUO) Automation has been implemented to support compliance with the OTR requirements. [redacted]

[5] "Guidance to Analysts on Obligation to Review Data Under Protect America Act and the FISA Amendments Act" (on the FAA web page).

(U//FOUO) Improve accountability for compliance with internal OTR requirements: [redacted]

ACTION: [redacted]

(U) Management Response

(U//FOUO) AGREE. SID reports that the requirements [redacted] are completed. [redacted]

Status: OPEN
(U) Target Completion Date: [redacted]

(U) OIG Comment

Planned action satisfies the intent of the recommendation.

[...] Be Updated and the Training Requirement Enforced

(U//FOUO) Although the new FAA §702 course significantly improved training content, additional subjects should be considered, and the training should be enforced. An online resource supporting adjudicator training is needed.

(U) Analyst Training

(U) SID has significantly improved training for FAA §702 [redacted]

(U//FOUO) All personnel with access to FAA §702 raw traffic databases must take the training course "FISA Amendments Act (FAA) Section 702" (OVSC1203), which provides students with an understanding of the legal policies and minimization procedures for this authority. [redacted] "Practical Applications," [redacted], teaches application of FAA §702 authority.
The course is part of the [redacted], which is establishing common standards and processes for SIGINT targeting and creating training and competency assessment mechanisms to support those standards. "Practical Applications" will provide a tool to improve analyst understanding of how to apply FAA §702, including clear examples of documentation that meets the legal and policy requirements, and exercises in the use of the principles. Topics covered in the training include targeting requirements, selector research, documentation required to support the targeting decision, approval of targeting requests, analyst obligation to review communications to verify that selectors continue to meet targeting requirements, and incident research and reporting.

(U//FOUO) "Practical Applications" does not address certain topics important to compliance with FAA §702
"Practical Applications" focuses on targeting and target maintenance. Certain matters were not included in the scope of the course, including handling of incidents resulting from improper minimization, dissemination, handling, and site tasking. Based on interviews with SID personnel and OIG review of the course, other matters should be considered for addition to the course:
- Explanation of the reasonable belief standard,
- Reporting (including the new procedures required for handling MCTs),
- Query requirements, and
- Procedures for sharing FAA §702-derived information within the Agency and disseminating FAA §702-derived information to customers.

(U//FOUO) "Practical Applications" is not enforced for targeting under FAA §702 authority
(U//FOUO) According to S2 officials, completion of "Practical Applications" is required for [redacted] who have access to data derived from FAA §702 collection. The course offers more detailed training in the application of the authority and the potential to improve targeting efficiency and compliance with FAA §702. However, the requirement to take the course will not be enforced until ADET modifies the content to address deficiencies identified by SID Operations personnel. [Redacted] plan to begin enforcing the requirement for all [redacted] with access to FAA §702 information [redacted].

(U) Adjudicator Training
(U//FOUO) Adjudicators verify that targeting requests meet FAA §702 compliance standards before tasking. A significant training effort was undertaken [redacted], but a standardized online resource is needed to support current and future adjudicators. An online course would provide the basis for performance standards, support consistency of training, and serve as a ready reference when questions arise.

(U//FOUO) RECOMMENDATION 11
Modify the FAA §702 curriculum:
- (U//FOUO) Include additional training on incidents (e.g., from improper minimization, dissemination), reporting requirements unique to FAA §702, query requirements, sharing of FAA §702-derived information, and an explanation of the reasonable belief standard;
- (U//FOUO) Update "Practical Applications" and enforce the requirement for all FAA §702 [redacted] to complete the course; and
- (U//FOUO) Document the adjudicator training and make it available for reference.
(U//FOUO) ACTION: [redacted]

(U) Management Response
AGREE. OVSC1203: SV will work with ADET to update the FAA §702 (OVSC1203) course to reflect the amended Targeting and Minimization Procedures that the Foreign Intelligence Surveillance Court approved in September 2012. [Redacted] will publish training slides onto the S2 FAA §702 Targeting Review [redacted] web page and work with ADET to update OVSC1203 [redacted]. CRSK1304 & 1305: Updates to "Practical Applications" and "Adjudicator Training" (CRSK1305) were completed [redacted]. In addition, enforced registration in the ELM program and targeting proficiency statistics to the individual level, as well as required FAA §702 training (NCS courses), will be completed [redacted]. Structured on-the-job training will be phased in [redacted].
(U) Status: OPEN
(U) Target Completion Date: [redacted]
(U) OIG Comment
(U//FOUO) Planned action satisfies the intent of the recommendation.

(U) Conclusion
(U//FOUO) NSA has designed a system of management controls, including training, policies, processes, procedures, systems, and oversight, to ensure compliance with FAA §702. Our recommendations suggest ways to improve the overall control environment in which the FAA §702 authority is used. This review examined the design of the controls. Compliance and substantive testing needed to draw conclusions on the efficacy of the management controls will be conducted in a later review.

IV. (U) OBSERVATION -- Procedures to Improve Representations to the FISC

(U//FOUO) Effect of [redacted]
In an operation as diverse as NSA, where a multitude of legacy systems are involved in processing and compliance under a given authority, it is understandable that variations might exist in systems and manual procedures involved in the application of authority under FAA §702. These variations have the potential to create com[...] when standards are mandated for all users of an authority. NSA expanded its use of Verification of Accuracy (VOA) procedures to FAA §702 Minimization Procedures and Affidavits. VOA procedures are to be applied to written representations that describe acquisition, processing, retention, analysis, and dissemination and form the basis of a legal opinion, a FISC Order, or an Executive Branch decision or authority. The purpose of a VOA review is to increase confidence that the representations made to external entities are accurate and based on a shared understanding among operational, technical, legal, policy, and compliance officials. The VOA procedures require all factual statements within the declarations to be verified. Subject documents must be reviewed by authorizing individuals identified by senior leaders within the Directorates. Additional training, maintenance of clear and updated guidance, and continued implementation of the procedures will provide an increased level of confidence in obtaining a consistent understanding of Agency processes and in the accuracy of representations made regarding these processes to outside authorities (see Recommendations [...] and 11).

(U//FOUO) [Redacted] on Compliance with FAA §702
[redacted]

(U//FOUO) Effect of Manual Entry of Information on Targeting Requests
A significant requirement for processing targeting requests under FAA §702 authority is the documentation of support for analysts' determination that the target is outside the United States and is not a USP. [redacted] Before the targeting request is approved, adjudicators review the sources documented in the targeting request that support the foreignness of the selector. [redacted]

(U//FOUO) RECOMMENDATION 1
Establish for FAA §702 targeting [redacted] and adjudicators ACE performance objectives based on completion of a specified proficiency level of the Targeting Workforce Readiness Standard and ELM training plan.
(U) Status: OPEN
(U) Target Completion Date: [redacted]

(U//FOUO) RECOMMENDATION 2
(U//FOUO) Develop metrics and management reporting to:
- Measure targeting analyst and adjudicator compliance with FAA §702 targeting and minimization procedures, and
- Support analysis of trends indicative of needed changes in training or guidance.
Coordinate this process with the Comprehensive Mission Compliance Program.
(U) Status: OPEN
(U) Target Completion Date: [redacted]

RECOMMENDATION 3
[redacted]
ACTION: [redacted]
(U) Status: OPEN
(U) Target Completion Date: [redacted]

(U//FOUO) RECOMMENDATION 4
Although not required by the minimization procedures, SV should include in the spot-check of disseminations of FAA §702-sourced material procedures to evaluate compliance with the documentation requirements pertaining to dissemination based on discrete communications within MCTs.
The spot-check should also evaluate proper use of [redacted] per NSA policy.
(U//FOUO) ACTION: SV
(U) Status: OPEN
(U) Target Completion Date: [redacted]
(U) OIG Comment: Closure of this recommendation will be evaluated upon receipt of documentation supporting the action taken.

RECOMMENDATION 5
Periodically provide management an assessment of targeting analyst and adjudicator performance against the legal and policy requirements for FAA §702 targeting based on SV reviews of targeting requests. Coordinate with FAA metrics reporting (see Recommendation 2).
(U//FOUO) ACTION: [redacted]
(U) Status: OPEN
(U) Target Completion Date: [redacted]

(U//FOUO) RECOMMENDATION 6
Implement the super audit process and provide periodic feedback to FAA §702 auditors and their management on the quality of audit performance.
(U//FOUO) ACTION: SV
(U) Status: OPEN. SV reports the super audit process is fully implemented for FAA §702.
(U) OIG Comment: Closure of this recommendation will be evaluated upon receipt of documentation supporting the action taken.

(U//FOUO) RECOMMENDATION 7
In conjunction with the Rules Management framework, establish a process to maintain authoritative guidance supporting compliant execution of FAA §702 authority:
- Organize the information to facilitate research by topic,
- Coordinate changes in guidance with required training, and
- Establish a single SOP as the guidance for adjudication of all FAA §702 targeting requests.
(U//FOUO) ACTION: [redacted]
(U) Status: OPEN
(U) Target Completion Date: [redacted]

(U//FOUO) RECOMMENDATION 8
[Redacted] automation of the purge adjudication and execution processes to support complete and timely execution.
(U//FOUO) ACTION: [redacted]
(U) Status: OPEN
(U) Target Completion Date: [redacted]

(U//FOUO) RECOMMENDATION 9
Establish for repositories of FAA §702 data, [redacted], a means to verify that users remain eligible for access. [redacted]
ACTION: [redacted]
(U) Status: OPEN. SID reports that actions have been taken to resolve the recommendation and requests its closure.
(U) OIG Comment: Closure of this recommendation will be evaluated upon receipt of documentation supporting the action taken.

RECOMMENDATION 10
Improve accountability for compliance with NSA's internal OTR requirement: [redacted]
ACTION: [redacted]
(U) Status: OPEN
(U) Target Completion Date: [redacted]

RECOMMENDATION 11
(U//FOUO) Modify the FAA §702 curriculum:
- Include additional training on incidents (e.g., improper minimization, dissemination), reporting requirements unique to FAA §702, query requirements, sharing of FAA §702-derived information, and an explanation of the reasonable belief standard;
- Update "Practical Applications" and enforce the requirement for all FAA §702 [redacted] to complete the course; and
- (U//FOUO) Document the adjudicator training and make it available for reference.
ACTION: [redacted]
(U) Status: OPEN
(U) Target Completion Date: [redacted]

VI. (U) ABBREVIATIONS AND [...]
(U) ADET Associate Directorate for Education and Training
(U) CDW Corporate Data Warehouse
(U) CIA Central Intelligence Agency
(U) DIRNSA Director of NSA
(U) DNI Digital Network Intelligence
(U) DNR Dialed Number Recognition
(U) DOJ Department of Justice
(U) ELM Enterprise Learning Management
(U) FAA Foreign Intelligence Surveillance Act Amendments Act
(U) FBI Federal Bureau of Investigation
(U) FISA Foreign Intelligence Surveillance Act
(U) FISC Foreign Intelligence Surveillance Court
(U) ISP Internet Service Provider
(U) MCT Multiple Communications Transactions
(U) MPL Master Purge List
(U) NCS National Cryptologic School
(U) NTOC NSA/CSS Threat Operations Center
(U) ODNI Office of the Director of National Intelligence
(U) ODOC Office of the Director of Compliance
(U) OGC Office of General Counsel
(U) OIG Office of the Inspector General
(U) OTR Obligation to Review
(U) PAA Protect America Act
(U) PL Product Line
(U) S02 Policy and Corporate Issues Staff
(U) S2 SID Analysis and Production
(U) S3 SID Directorate for Data Acquisition
(U) SID Signals Intelligence Directorate
(U) SIGINT Signals Intelligence
(U) SOP Standard Operating Procedure
(U) SV SID Oversight and Compliance
(U) TD Technology Directorate
(U) USP U.S. person
(U) USSID United States Signals Intelligence Directive
(U) VOA Verification of Accuracy
[several abbreviation entries redacted]

(U) APPENDIX A
(U) About the Study

(U) ABOUT THE STUDY
(U) Objective
The objective of this study was to assess the adequacy of management controls designed to provide reasonable assurance of compliance with Section 702 of the Foreign Intelligence Surveillance Act of 1978 (FISA), as amended by the FISA Amendments Act of 2008 (FAA §702).

(U) Methodology
This study was conducted from March 2011 to February 2012 and was based on review of published and draft forms of guidance; review of certain controls in systems supporting application of the authority; and interviews with managers and [redacted] responsible for targeting, approval, and oversight subject to FAA §702 requirements. (This report of the study's findings also incorporates information that was provided subsequently, primarily with respect to Finding Three.) Testing of the controls identified will be the subject of a later review. The study was conducted according to the standards of the Council of the Inspectors General on Integrity and Efficiency, Quality Standards for Inspection and Evaluation, January 2011. We believe that the information derived from interviews and the documentation reviewed provides a reasonable basis for our findings, observations, and conclusions according to our study objectives.

(U) Use of Computer-Processed Data
(U) The use of computer-processed data was not necessary to perform this audit.

(U) Prior Coverage
(U//FOUO) Assessment of Management Controls to Implement the Protect America Act (PAA) of 2007
The Assessment of Management Controls to Implement the Protect America Act of 2007 found that additional controls were needed to verify that only authorized selectors were on collection and that tasked selectors were producing foreign intelligence on the expected targets. The study also identified the need for more rigorous controls to increase the reliability of spot checks for PAA compliance (PAA was the predecessor to FAA).

Audit of the FISA Amendments Act (FAA) §702 Detasking Requirements
The OIG Audit of the FISA Amendments Act §702 Detasking Requirements [redacted] and that the Agency does not have a consistent process to ensure a seamless transition from FAA §702 authority to FBI FISA.

(U) APPENDIX B
(U) FAA §702 Control Requirements and Management Controls

(U) FAA §702 CONTROL REQUIREMENTS AND MANAGEMENT CONTROLS
Many of the internal control requirements are established by the affidavit of the Director of NSA submitted for each Certification, Exhibit A to the Affidavit, and Exhibit B to the Affidavit. [redacted] Exhibit A establishes the Agency's FAA §702 targeting procedures: the process for determining that a person targeted under Section 702 of the Foreign Intelligence Surveillance Act Amendments Act (FAA §702) authority is a non-U.S. person reasonably believed to be located outside the United States; required post-targeting analysis to ensure that the Agency does not intentionally target a person known at the time of acquisition to be in the United States and does not result in intentional acquisition of domestic communications; required documentation of the foreignness determination; compliance and oversight; and steps required for departure from the procedures.
Exhibit B contains the minimization procedures to be used for information collected. In addition to the control requirements established by the affidavits and exhibits, the Standards for Internal Control in the Federal Government provide a general framework of controls that should be incorporated into daily operations. This document provides a summary of the internal controls in place to meet these requirements.

(U//FOUO) Targeting request flow
Lead information: research in NSA databases, available reports, and collateral information.
Releaser review: Signals Intelligence (SIGINT) Directorate [redacted] reviews targeting requests for overall compliance with [redacted] before releasing them for adjudication.
Adjudication: all targeting requests submitted under FAA §702 Certifications must pass this review for accuracy of processing and compliance with FAA requirements. It includes the appropriateness of the target to the certification, verification of the support for reasonable belief of foreignness, confirmation that the most recent foreignness support is used, and that the information supports the non-USP status of the target. (See Recommendation 7 regarding determination of a single Standard Operating Procedure (SOP) for adjudication.)

(U) TARGETING PROCEDURES
Columns in the original table: Control Objective, Source, Control Description, Assessment (Good / Adequate / Needs Improvement). [The assessment checkmarks are not preserved in this copy and are omitted below.]

Row 1 -- I. Determination of Whether the Acquisition Targets Persons Reasonably Believed to Be Located Outside the United States (Source: Exhibit A)
Control Objective: [Redacted] determines whether a person is a non-USP reasonably believed to be outside the United States [redacted]. [Redacted] analysis may use [redacted] to make that determination.
Control Description: Targeting Requirements: the selector tasked [redacted], and support for the reasonable belief of foreignness is also required [redacted]. The Targeting Rationale Statement is also required; it documents why targeting is requested and must tie to a foreign intelligence purpose specific to the FAA Certification under which targeting is requested.

Row 2 -- Determination of Whether the Acquisition Targets Persons Reasonably Believed to Be Located Outside the United States (continued) (Source: Exhibit A)
Control Description: Special Processing: The Central Intelligence Agency (CIA) has its own nomination process. Requests are reviewed for FAA §702 compliance by NSA personnel [redacted]. SV performs the adjudication review. FBI Tasking Requests: the FBI implemented its own nomination process subsequent to the fieldwork on this study.

Row 3 -- Acquisition of communications about the target (Source: Exhibit A)
Control Objective: To acquire communications about the target that are not to or from the target, NSA will [redacted] to ensure that the person from whom it seeks to obtain foreign intelligence information is located overseas [redacted], so that one end of the communication is reasonably believed to be outside the United States.
Control Description: IP filters are used to ensure that one end of collected communications for [redacted] selectors is foreign (see special requirements for Multiple Communications Transactions (MCTs), [Minimization] Procedures, row 4).

Row 4 -- (U) Assessment of the Status of the Target (Source: Exhibit A)
Control Description: (U) See Targeting Requirements (rows 1 and 2). Information that NSA examines to determine whether a target is reasonably believed to be located outside the United States might also bear on the non-USP status of the target. For example, [redacted].

Row 5 -- (U) To prevent inadvertent targeting of a [USP] (Source: Exhibit A)
Control Objective: [Redacted], including assessing whether the target possesses, or is likely to communicate, foreign intelligence information related to a foreign power [redacted]. NSA considers information [redacted] for adjudication [redacted]. [Redacted] Certification under which targeting is requested. This is subject to [redacted].
Control Description: The adjudicator's review verifies the reasonable belief of foreignness and that there is no contrary information concerning the target's USP status.

Row 6 -- (U//FOUO) Assessment of the Foreign Intelligence Purpose of the Targeting (Source: Exhibit A)
Control Description: The TAR Statement documents why targeting is requested and must indicate the tie to a foreign intelligence purpose specific to the FAA Certification under which targeting is requested. [redacted]

Row 7 -- II. POST-TARGETING ANALYSES BY NSA (Source: Exhibit A)
Control Objective: Post-targeting analysis is designed to detect when a person who, when targeted, was reasonably believed to be located outside the United States has since entered the United States, and to enable NSA to take steps to prevent the intentional acquisition of any communication in which the sender and all intended recipients are known at the time of acquisition to be located in the United States, or the intentional targeting of a person who is in the United States. Such analysis may include: [redacted].
Control Description: Internal Obligation to Review policy requires NSA to perform reviews as follows:
- Initial collection must be reviewed within five days to verify that the user of the selector is the intended foreign intelligence target, the target is appropriate to the FAA Certification under which it is tasked, and the selector is not in the United States or a USP.
- Collection must be reviewed at least every 30 days to affirm the target's location and non-USP status and verify that the information obtained is not of a type to require immediate destruction (e.g., domestic communications).

Row 8 -- III. (U) DOCUMENTATION (Source: Exhibit A)
Control Objective: Analysts who request tasking will document in the tasking database or [redacted] the information that leads them to reasonably believe that a targeted person is located outside the United States. Before tasking is approved, the database entry for that tasking will be reviewed to verify that the entry contains the necessary citations. A citation is a reference that identifies the [source of the] information [redacted]. The citation will enable those responsible for conducting oversight to locate and review the information that led [redacted] to conclude that a target is reasonably believed to be located outside the United States. [Redacted] will also identify the foreign power [redacted] from which they expect to obtain foreign intelligence.
Control Description: All targeting requests submitted under FAA §702 Certifications are subject to review by an adjudicator for verification of compliance with requirements, including appropriateness of the target to the Certification, support for determination of foreignness and USP status, and foreign intelligence purpose. The adjudicator is responsible for ensuring that the support for reasonable belief of foreignness is documented in a database maintained by SV. The targeting system requires the analyst to choose from a menu of foreign intelligence [purposes] specific to each FAA §702 Certification. Once the certification is chosen, the analyst must select a [redacted] associated with the [redacted] under which [redacted].

Row 9 -- IV. (U) [OVERSIGHT] AND COMPLIANCE (Source: Exhibit A)
Control Objective: [Redacted] and OGC will develop and deliver training to ensure that personnel responsible for approving targeting of persons under FAA §702, as well as [redacted] with access to the acquired foreign intelligence information, understand their responsibilities and the procedures that apply to this acquisition.
Control Description: Adjudicators are subject to the same training requirements as analysts. They also have received in-person training on the targeting review process. Documentation standardizing the information provided in this training has not been made available online for reference by the [redacted]. SV and OGC developed the "FISA Amendments Act (FAA) Section 702" course when FAA was implemented. It focuses on the legal requirements of FAA. A new course, "[redacted] Practical Applications," was made available [redacted]. It provides [redacted] with detailed examples of use of the authority. The requirement for its completion is not yet enforced (see Recommendation 11).

Row 10 -- (U//FOUO) SV has established processes for ensuring that raw traffic is labeled and stored only in approved repositories and is accessible only to those who have had the proper training (Source: Exhibit A)
Control Description: [Redacted] collection stores must be compliance certified before they can be used to process or store FAA §702 data. All FAA §702 systems are certified for purge and access functions. To obtain access to the FAA databases, individuals must have an approved mission (entered in [redacted] by their supervisor), appropriate clearances (supervisor must request in [redacted]), and required training ([redacted] Intelligence Authorities, USSID 18 Legal Compliance and Minimization Procedures, and [redacted]). Requests for access to [redacted] containing FAA §702 data must be submitted by an access sponsor and approved by the [redacted] owner. [Redacted] reviews requests for compartmented accesses, verifying that the analyst has required training and an appropriate justification for access (e.g., includes mission function, targets requiring FAA access). [Redacted] are not able to verify an account holder's continuing eligibility to access FAA §702-derived collection. Eligibility is determined when the account is established. Compliance with annual requirements to update training is verified at [redacted] (this was corrected for [redacted] in a system update; see Recommendation 9).

Row 11 -- (U//FOUO) SV will conduct oversight activities and will make necessary reports, including those relating to incidents of non-compliance, to the NSA Inspector General and OGC (Source: Exhibit A)
Control Objective: SV will also ensure that corrective actions are taken to address identified deficiencies. To that end, SV will conduct periodic spot checks of targeting decisions and intelligence disseminations to ensure compliance with established procedures and conduct periodic spot checks of queries in data repositories.
Control Description: (U) Incident Reporting: see row 13. SV performs the following activities:
- Reviews newly tasked or retasked [selectors] before sending them to DOJ and the Office of the Director of National Intelligence (ODNI) biweekly.
- Reviews targeting support for the bulk of items requested by [redacted] for the 60-day review. If support is insufficient, [redacted] follows up with the targeting analyst for additional support or corrective action (including possible detasking).
- Spot checks serialized reports based on FAA §702 information, reports containing USP identifiers, and evaluated, minimized traffic [redacted], following up on identified discrepancies.
- Provides a record of all FAA §702-derived dissemination for review by DOJ/ODNI and follows up on any issues identified in their review. The spot check of serialized disseminations does not include procedures [redacted] for verification of compliance with the minimization procedures' documentation requirements for dissemination derived from [MCTs] (see Recommendation 4).
- Oversight of Queries: all queries are reviewed daily by auditors in the SID production centers. SV has not conducted reviews of auditor performance consistently (see Recommendation 6).

Row 12 -- (U//FOUO) DOJ and ODNI will conduct oversight of [NSA's exercise of the authority], which will include periodic reviews by DOJ and ODNI to evaluate the implementation of the procedures; such reviews will occur at least once every 60 days (Source: Exhibit A)
Control Description: SV coordinates bi-monthly reviews by [DOJ/ODNI] of targeting and dissemination, including responding to questions raised and providing feedback sessions to adjudicators on the overseers' findings. [DOJ/ODNI] performs reviews every 60 days covering all tasking and dissemination for a two-month period. Every 15 days, SV sends a document to DOJ for each certification, one each for DNI and DNR, with all the key fields for the review. DOJ sends NSA a spreadsheet of the selectors chosen for review. SV must gather all supporting material for each selector [redacted].

Row 13 -- NSA will report to DOJ and ODNI incidents of non-compliance with these procedures by NSA personnel that result in the intentional targeting of a person reasonably believed to be in the United States, the targeting of a USP, or the intentional acquisition of any communication in which the sender and all intended recipients are known at the time of acquisition to be located within the United States (Source: Exhibit A)
Control Objective: (U//FOUO) NSA will provide such reports within 5 business days of learning of the incident.
Control Description: Incident Reporting: SV and the targeting team research potential incidents jointly. SV maintains records of the incidents in SharePoint; [redacted] manages the workflow process to produce the required notice to DOJ/ODNI within 5 business days of confirmation of an incident. [Redacted] reviews the incident and ultimately determines whether it meets the criteria for reporting to DOJ/ODNI. For incidents of non-compliance with procedures (e.g., failure to appropriately detask a selector, over-collection), NSA must explain why it happened and what steps were taken to remediate the matter (e.g., purge data, provide additional training). DOJ determines whether the matter must be reported to the FISC in accordance with Rule 13(b) of the FISC Rules of Procedure. The Target of Primary Interest (TOPI) provides SV with the parameters for the necessary purge of [collection], which SV records in the incident record in SharePoint. S2's [redacted] uses this information to initiate the purge process, verifying that parameters include all affected collection without [removing] information eligible for retention. [redacted] Information acquired by intentionally targeting a [USP] or a person not reasonably believed to be outside the United States at the time of such targeting will be purged from NSA databases. [Redacted] the purge process relies on manual procedures that create a risk of incomplete or untimely purge execution (see Recommendation 8).

Row 14 -- (U//FOUO) NSA will report to DOJ and ODNI incidents of non-compliance (including over-collection) by any electronic communication service provider to whom the Attorney General and Director of National Intelligence issued a directive under [FAA §702]; such report will be made within 5 business days after determining that the provider has not complied or does not intend to comply with a directive (Source: Exhibit A)
Control Description: For [redacted], the same incident reporting process is used for matters involving providers. [Redacted] incident [reports] as a result of provider error have been filed with the FISC.

Row 15 -- Post-targeting discovery that a target is in the United States or is a USP (Source: Exhibit A)
Control Objective: In the event that NSA concludes that a person is reasonably believed to be located outside the United States and, after targeting, learns that the person is inside the United States, or if NSA concludes that a person who at the time of targeting was believed to be a non-USP was in fact a USP, it will take the following steps: 1. Terminate the acquisition without delay [redacted]. If NSA inadvertently acquires a communication sent to or from the target while the target was located inside the United States, or a communication in which the sender and all intended recipients are reasonably believed to be located inside the United States at the time of acquisition, such communication will be treated in accordance with the minimization procedures. 2. Report the incident to DOJ and [ODNI] within 5 business days.
Control Description: It is the analyst's responsibility to follow up on information from review of traffic and detask all related selectors if the target is in the United States or identified as a USP, or the [primary] user is not the target. An incident is initiated upon identification [redacted] review of collection. The targeting team works with SV to document the incident. Information captured in the [incident] Report database includes the date, [redacted] of the incident, whether other selectors associated with the target were detasked, and a set of parameters for purge of communications collected that are ineligible for retention. SV follows up with PL personnel to ensure that the incident record is complete, including entry of purge criteria, [redacted] for timely follow-up. Note: implementation of [redacted] selector management ensures that incident follow-ups are handled timely, regardless of analyst absence, turnover, or [redacted]. [Redacted] add controls over the process, including a requirement for PL management to document their review that the incident record is complete. (U) See Row 13, Incident Reporting.

Row 16 -- V. (U) DEPARTURE FROM PROCEDURES (Source: Exhibit A)
Control Objective: If, in order to protect against an immediate threat to national security, NSA determines that it must take action temporarily in apparent departure from these procedures and it is not feasible to obtain a timely modification of these procedures from the Attorney General and Director of National Intelligence, NSA may take such action and will report that activity to DOJ. Under such circumstances, NSA will continue to adhere to all of the statutory limitations set forth in the Act.
Control Description: According to OGC, such actions would be coordinated by that department and involve personnel at the highest levels of the Agency. [Redacted] would be [notified]. No specific procedures or controls have been developed.

(U) MINIMIZATION PROCEDURES

Row 1 -- (U) Acquisition and Processing -- General (Source: Exhibit B, Section 3)
Control Objective: Targeting of non-USPs reasonably believed to be located outside the United States pursuant to FAA [§702] will be effected in accordance with an authorization made by the Attorney General and Director of National Intelligence and will be conducted in a manner designed, to the greatest extent possible, to minimize the acquisition of information not relevant to the authorized purpose of the acquisition.
Control Description: See targeting and adjudication processes: foreignness criteria, [redacted] targeting [redacted]. [Redacted] audits of queries [redacted]; they may stop collection and identify overly broad queries (excessive [redacted]). [Redacted] query procedures define specific requirements for use of [redacted] in query selection terms.

Row 2 -- Monitoring, Recording, and Processing (Source: Exhibit B, Section 3)
Control Objective: Personnel will exercise reasonable judgment in determining whether information acquired must be minimized and will destroy inadvertently acquired communications of or concerning a USP at the earliest practicable point in the processing cycle at which such communication can be identified either as clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information) or as not containing evidence of a crime that may be disseminated under these procedures. Except for Internet transactions from upstream collection, such inadvertently acquired communications of or concerning a USP may be retained no longer than 5 years from the expiration date of the certification authorizing the collection.
Control Description: The FAA training course specifies the steps [redacted] are to take to analyze communications for eligibility for retention. It provides direction for retention/destruction on the basis of whether the target was outside the United States at the time of collection and whether the communication is foreign or domestic. Unless an incident is reported from improper acquisition of such communications, there is no review process to ensure that [redacted] identify and destroy them as required. The cost of such a control would be prohibitive. The requirement is that all identified issues of improper collection be reported to SV and an incident initiated. Performance standards and analysis of actual versus expected performance could improve accountability for compliance (see Recommendations [redacted]). (U) Examination of retention controls was not included in this review.

Row 3 -- Review of communications for retention (Source: Exhibit B, Section 3)
Control Objective: As a communication is reviewed, [redacted] will determine whether it is a domestic or foreign communication to, from, or about a target and is reasonably believed to contain foreign intelligence information or evidence of a crime. Only such communications may be processed. All other communications may be retained or [redacted].
Control Description: Exhibit B, Section 3 provides direction for retention/destruction on the basis of whether the target was outside the United States at the time of collection and whether the communication is foreign or domestic. This is covered in detail in OVSC1203, the required FAA §702 training. See also Obligation to Review, row 7 of the Targeting Procedures. Parameters for purge of collection associated with an incident are provided to SV by the TOPI and recorded in the incident record in SharePoint. S2 Purge and [illegible] Compliance uses this to initiate the purge process.
verilyan that all aliected collec periorms follow?up 36-3 ?lo verily that Purge and Protestian Cortipilance has updated the incident record with the status of purge completion. The purge process relies on manual procedures that create a risk of incomplete o; untimely purge execution {see Recommendation 8V works with to prepare clostruction Waivers {or ob?ecls that meet purge criteria and contain significant foreign intelligence value or evidence of a crime or threat at harm. The Destruction Waiver must no approved by DIRNSA. DOCID: $273133 1-0399 Assessment Controt Objective? Source Control Description Good Ade ?ate News I 4 Itl. Processing of internet tU] Exhibit B. White Technology Directorate developed procedures to Transactions Acquired through NSA Upstream Section 3 analyze upstream cottection. Data permitted [or use by must Coltection Techniques have the active user {sender or rectpie the target or be outside the QWEA [aka masonahte Step5 United States {currently approximately oi upstream collection). alter acquisition to identity and segregate through Data ?Water be "1 technical means Internet transactions that cannot ?mad Siam be reasonably identi?ed as containing single. I discrete communications in which the active user of the transaction (to. the selector used to send or Where is no training on use oi MCTS at time (see receive the internal transaction to or from a service provider} is reasonabl believe-:1 to be lecated in ii the United State-8 I [ail segregated {me'P'L? 86.36 communications will be retained in an access (bii3i'5o use 3024?) committed repository accessible only to NBA analysis trained to review such transmits? to, [he {Utt?FeHe-J are ongoing to develop procedures lor removing data mfrpose 0g identirying those. 
that contain dismay; from seqttest ration and speciat training for who Will process this communications in which the sender and all data recommendatlon in Diocese}- intencted recipients are reasonably believed to be located in the United States. 5 ill. NBA seeking to (U) Exhibit 8. use at discrete comlttuntcation within an Internet Section 3 transaction that contains multiple discrete communications wilt assess whether the discrete communication {1)is a communication in which the sender and all intended reclpients are located in the United States and is to from. or about a tasked selector or otherwise contains loreign Training on application at these procedures has not been developed inletligence information. {see Recommendation 11). {haiSiha-?m?tl tbii1l 86-36 {bH3i?50 USC 3024M 86-36 (omit-50 USC 3024{ responsible for detetlng records lrom their system on the basls ofa Purge Execute Order. to prevent improper use oi purge records to support reporting. WI 1 itUJ Retention outside scope. DOCID: 4273133 Assessment Control Objectiv? Source Controt Description Needs Good Adequate Improvement 6 thISJ-t??fmmagnetio tapes or other (U) Exhibit B. WGuioance on queries of FAA Databases states that NSA may not storage media containing FAA ?'r'02-derived Section 3 use USP names or identifiers as selection terms when reviewing communications may lie queried to identityr and coilected FAA data. For apaiists- ?erms iUi?FeH'Bj? Queries are subject to review by auditors in the S2 95351 be 21mm 1" ite'EFt??" [arms 'easP?am? production centers to verify that the query has a foreign Wein "3mm mfre?gr,? ?angelica Imom?amn' purpose within mission scope and reasonably ei-rctudes protected data. identifiers oi an identi?able USP may not be used . . 
as {arms to identify and select for ?aws-I5 any REVIEWS of the audits peilormed by PL personnel have not Meme: communication acquired thmugh News been regularly?exeouted by 8V to ensure quality of the audit processisee f; upstream collection techniques. Recommendalm? 63? Any use oi USP identi?ers as terms to identify and select communications must first be (bu-t} approved in accordance with use procedures. NSA will maintain records of all USP identi?ers {busl'P'L? 86'36 (bum 86 36 approved tor use as setection terms. USC 3024?) 7 mosses-3 Destruction of Raw Data Exhibit B, .. .. WCOMMHIC all-Gm acquired under Section 3 iprondes direction for retentiontdestruotion on the basis FAA {3362 authorities 0mm man throth Upstream ether target was outside the United States at the time oi coliec?on that do not meal the retention standards collection and whether the communication Is loreign or domestic. This is set forth in these procedures and that are known to also covered In detaii In OVSCIZOS. the required FAA ?i02 training. contain communications at or concerning USPS wilt See also Obligation to Review row Tr? oi Targeting Procedures. ?33 desuloyed upon reccgm?ml and may be I matrix oi scenariosfreasons purge action is required is retained no longer than 5 yeaisfrom the expiration documented for authorities including FAA Purges are identified as date or the ?Micah? the mnem'on- part of the incident investigation process; SV and the capture the purge parameters in the incident record on the 3V Share-Point site. The purge adjudication team periorms. research to verity completeness oi items identi?ed for moms. rat Forge adjudication and execution Is manual and subject to error attesting completeness and timeliness {see Recommendation 8). (Uri-Fetter} Puroe Prooessi i . 86- 36 Iare DOCID: i32733.33 T- I I - 0009 Control Objective? Source Control Description Assessment [bll3i-P.L. 
86-35 Good Adequate Needs Improvement - Internet transactions that are acquired through t-lSA's upstream collection and do not contain information that meets the retention standards set lorth in these procedures and that are lrnown to contain communication oi or concerning USF's will be destroyed upon recognition. All upstream collection may be retained no longer than 2 years lfOI?lt the expiration date of the certi?cation authorizing the collection. The internal transactions that may be retained include those that were acquired because oi limitations on NSA's ability toiilter communications. Exhibit a. Section 3 {Ui See also Obilgation to Review row 7 ol? Targeting Procedures. provides direction tor relentronldestruction on the basis of whether the target was outside the United States at the time at collection and whether the communication is foreign or domestic. This is also covered in detail in OVSC the required FAA {$702 training. (tin-F6367 The need to purge communications is Identifier! as part olthe incident investigation process; 8V and the TOPI capture the purge parameters in the incident recorcl on the SV SliaiePolnt site. The purge adjudication team pertorms research to eerily completeness or items identitied for purge. Purge adjudication and execution is manual and subject to error alto cling completeness and timeliness [see Recommendation (U1 Retenllon .- oulsicle scope. (hilt) sees thirst?50 use 30240 Illicl} tUi Change in Target's Location or Status In the event that NSA determines that a person reasonably believed to be located outside the United States and, alter targeting the person. learns that the person is inside the United States or it NSA concludes that a person who. at the time oi targeting. 
was believed to be a non-USP is in tact a USP, the acquisition from [hat person will be terminated without lzlelai,r WCommunicaiions acquired through the targeting of a person who at the time of targeting was reasonably believed to be located outside the United States but has in tact located inside the United States at the time such communications ware acquired. anti any communications acquired by targeting a person who at the time oi targeting was ineliEVecl to he a non-USP but was in tact a USP. will be treated as domestic communications. Exhibit a. Section 3 See also Obligation to Review row at Targeting Procedures. guidance states that are responsible tor detaching a selector upon review or content indicating that the selector is used by a USP, confirmation that the selector Is Del used 1) an individual in the United States] See row for purge procedures. i hilt) 86-33 bust-50 use 3024(5) ill-l6 DOCID: 42 73133 Assessment Centre! Objectiv? Source Controt Description News Good Adequate Improvement to IVT'i'Cr'l?l?rt'FrAcnutsitlon and Processing Attorney? (U) Exhibit B. OGC reports that no instances oi stich collcciion have been Client Communications Section ti identified to date by NSA anaiysts. and. thereiore. no log has been IF. . i ban a initiated. Such Instances. would be rare {e.g..it would occur only its ?mnmmicalga Singet?en person reasonably beiierreci to be outside the United States targeted by [a be under criminal indictment in mg Uniled stares NSA is shown to be under indictment in the United States and ?so I and an ammey who repregems that individual in intercepts a communication between the target and an attorney lhe manen manimring of {hat communicatim Wm representing that foreign person in the US. legal proceeding). cease and the communication will be identi?ed as an attornewclient col?nniu nioation In a tog maintained for that purpose. The relevant portion ol the communication containing that conversation will be segregated. 
and the Nationai Security Division at DOJ will be noti?ed. In addition. ail proposed disseminations of information constituting USP attol'neyvcilent privileged a communications must be reviewed by OGC dissemination. II V. (U) Domestic Communications (U) Exhibit B. Communication that is determined to be domestic {does not WA communicanon identi?ed as a Section 5 have at least one cornmunicant outside the United States} wilt be domestic communication Wm be prompliy promptiy destroyed upon recognition unless speci?cally i-Tz dammed upon recognmon unless {or determines In writing that the communication may be retained SV Ammg determm?s? in writing woriis TOPIs to prepare destructionyi'rawers. This process is that it meets certain criteria mg? conlams monitored as part of the follow-up on incidents and purges. signi?cant foreign inteiligence. evidence oi a crime}. la domestic communication indicates that a target has entered the United States. NSA may advise the FBI ol that tact. 12 VI. Foreign oi oi Concerning (U) Exhibit B. Woinmunication resulting lrom the targeting of a person who USPs Section 6 was reasonaoiy believed at the time oi targeting to be a (U) Ramiro? located overseas but is later determined to be a USP or a person in the 4% Foreign communications ol or concerning USPS may be retained oniy it necessary [or the maintenance oi technical databases. it dissemination otsuch communications with reference to such USPs would be permitted under subsection or if the information is evidence oi a crime and is provided to appropriate federal iaw enforcement authorities. United States will be destroyed upon recognition unless spec ilicaiiy determines in writing that the communication may be retained. 3V works with TOFIs to prepare t'i'aivers. This process is monitored as part at the follow-up on incidents and purges. DOCID: 42731.33 1 r? i Assessment Control Objective? Source Control Description News Good Adequate mprovement 13 V1. 
{bi (U) Dissemination (U) Exhibit B, This on dissemination is not unique to FAA ?To2 A mpg? based on a! Section 6 ago is consistent with procedures required by Executive Order 3 concerning at may be disseminated in "533- accordonce with Section Vii or Vii! ii the identity ol the is masked. Otherwise. disaemination of Intelligence reports based on communications oi or concerning a USP may be made only to a recipient requiring the identity of such person {or the I performance of duties that meet certain (ti-K1] criteria. 35-36 14 Vi. (greener. Provision oi Unminimized (U)i 9- I Communications to CIA and FBI Section 6 NSA may provide to the cm and Lrnmininiizecl communications derived lrom FAA acme collection. Wiscussion oi FAA collection with it if: a have their own copy of the data. provided through nomination or FBI dual route. NSA anoivsts may diseuss the iniormation with them They may not provide copies of the information to IC personnel, This is. addressed in required NSAFCSS Poticy it-t, Iniol'malion Sharing. 15 W. (U) Other Foreign Commonicetions (U) Exhibit B. {UrtFe'HG-TDissemlnalion is handted in accordance with the Foreign - - 27 Intelligence Surveillance Act Amendments Act of 2008. the Minimization Foreign communications oi or concerning a same? . I be in an term in accordance with other a Jiicable 1 or the Foreign Intelligence Surveillance Act oi lore, as Antendedt Dot) 3 law. regulation, and poticy. Regulation 5240.1-R Procedures Governing the Activities of DOD intelligence Components That Aiiect United States Personsh and the Classi?ed Annex to Department or Delense Procedures Under Executive Order 12333. DOCID: 4273133 Control Objective" Source Control Description Assessment Good Adequate Needs improvement Collaboration with Foreign Governments [aim Procedures for the dissemination of evaluated and minimized information: Information acquired under FAA ?902 may be disseminated to a toreign government. 
Other than in cases tor linguistic assistance by a ioreign government {Soction Viti ?isseminatlon to a foreign government oliniormation at or concerning a USP may be clone only in a manner consistent wilt: subsections Vi tin) and Vii {rows 13 and 15}. MW Procedures for technical or linguistic assistance: Communications that. because of their technicai or linguistic content. may require lunher analysis by loreign governments to assist NBA in determining their meaning or significance. NSA may disseminate items containing lrnminimiz'ed FAA ?702 iniormation to foreign governments tor analysis. under certain restrictions. (U) Exhibit B. Seolion El Wsnarino Evaluated and Minimizedl i Wand mlnimlzecll WI Wine nrovision tor teclinicaltlinouistic assistance! [Documentation is devetopert case by case. Consideration on egiven to documentation of this process. i ?rs-36 3024a) (MM MANAGEMENT CONTROLS DOCID: 4273133 T- i 1- 000-9 Aeseo?sment Control Objective? Source Control Description Needs Good Adequate mpro?renlent ?i Activities must he established to monitor (U) Standards Annual performance objectiueetor compliance with performance measures. and indicators. Controls lor Internal FAA requirements. associated policy, and SOPs have not been a should be aimed at validating the propriety and Control in the established [see Recommendation I). integrityr of organizational and individual Federal performance measures and indicators. Government Inlormation should be recorded and (U) Standards Comparison olaciual performance to established standards communicate-ct to management and others within tor lnternet for compliance activities aesonatett with FAA ?702 are incomplete (see the entity who need it and in a town anti within a Control in the Recommendations 2. 4. 5. and time {retire that enairies them to tram.r out their Federal internal control and other responsibilities. 
Government 3 to} internal control monitoring should assess the (U) Standards i (but) quality of performance over lime and ensure that for internal ?ndings are reeoivod. it inoiudes regular Control in the 3 management and supervisory activities. such as Federal "3 i" ongoing comparisons and reconciliations. to Government ensure that controls are functioning properly. 1 Access to resources and records should be (U) Standards To share FAA {3702 information with other NSA limited to authorized individuals. for Internal steps must be taken to ensure that the individual has the proper Cont rot in the clearance. This information is not addressed in the required FAA ?702 Federal training and guidance is not included on the FAA web page (see Government Recomme ndeiion 86-36 SC 3{ DGCIE: 4273133 (U) APPENDIX (U) Full Text of Management Response DGCID: 42"?3133 .1 1-0009 This page intentionally left blank DOCED: 4273133 SIGNALS INTELLIGENCE DIRECTORATE memorandum 22 February 2013 FROM: Signals hrtelligenee Directerste ?mm-RI" 85?? Response to the Revised ttepe rt he the GIG Assessment at Management (lr'mtrels Over FAA 702 The purpose elT this memorandum is te prerirle SlD?s rerisetl respense hr the subject report whieh includes eptletes t'e corrective artihn plans, eentent a [1d teeht?rirel minutiae to ensure arse tarp. 5th reviewed the revised report is its entirety The arterhetl respehse erknewlettges SiD's agreement with eleven rerm?nmenstations, and re ris e? rterreetiee eetien plans, points of so start, and target dates as needed. (U SID sense] lrleted respehse is attached It) this Please re start 5022; ityett have any (westerns. 86?36 Deputy Chief ef Staff to SIGINT Pulley end tiertmrete Issues [302} e/s DOCID: 4273133 87-] l? 
(U) OFFICE OF INSPECTOR GENERAL (OIG) REPORT: Assessment of Management Controls over FAA §702
(U) Management Response to Draft Report

(U) In accordance with [...], "Coordinating Office of Inspector General Reports," the purpose of the draft coordination phase is to gain management's agreement or disagreement with report findings and recommendations. The SIGINT Directorate (SID) has been extended an opportunity to review and comment on the revised report to ensure contextual accuracy.

(U) The following matrix includes SID's consolidated revisions to management's action plans where applicable. Columns: Action / Agree or Disagree / Management Response / Completion date.

Recommendation 1 (SID/[redacted] with [redacted]): Agree with the recommendation. SID is currently preparing an ELM plan for Targeters and Adjudicators. This plan will include FAA §702-specific training. The ELM plan will be broken down into proficiency levels, thus allowing the [analyst] to register for the correct training based on proficiency level as stated in the ACE objective. The ELM plan for the Targeting workforce readiness standard for FAA 702 will be completed for all NCS courses. Enforced registration in the ELM program and targeting proficiency statistics to the individual level, as well as completion rate of any required FAA §702 training, will be complete [...]. Structured OJT training will be phased in. (U) POC: 963-0561.

Recommendation 2 ([redacted] with SV): Agree. [...] Sigma Team. Participants will assess the feasibility of developing metrics to evaluate de-targeting trends and assess deficiencies. Final implementation will be dependent on technical capabilities and deployment schedules.

Recommendation 3 (SV with Oversight and Compliance): Agree. [Redacted] will convene to establish technical procedures to implement a reconciliation process. (U) POC: 963-3449.

Recommendation 4 (SV with OGC): Agree. SV will collaborate with [redacted] and OGC to establish a methodology and process for spot-checking disseminations of FAA-sourced material, dependent on the volume of dissemination. (U) POC: 963-2479.

Recommendation 5 ([redacted] and OGC): Agree. [Redacted] and OGC to modify the methodology and process for spot-checking dissemination of FAA-sourced material. Per the requirements of Recommendation 2, SID/SV will incorporate metrics for management's assessment. (U) POC: 963-2479.

Recommendation 6: Agree. SV implemented the super audit process for FAA 702. SID requests closure of the subject recommendation. (U) POC: 963-2479. Request Closure.

Recommendation 7 (SV with ODOC): Agree. The following activities are currently in progress: SV is developing and updating a single SOP for oversight, adjudication and targeting FAA §702 functions and training. [Redacted] is currently populating the FAA §702 document repository; [...] in progress. SV will collaborate with S2 and [redacted] to organize the [...] and web pages. (U) POC: 963-559[...]. (U//FOUO) Add bullet: Guidance changes that require updates to NCS courses (within the CRSK series) will be requested via Learning Solution; in such case [...] will be the originator in coordination with SID. In addition, [redacted] (see Recommendation 1) will manage changes to the Targeting Workforce Readiness Standard and ELM training plan.

Recommendation 8: Agree. Target Completion: [...] plan.
Phase 1, Requirements Gathering: Conduct technical exchange sessions with [redacted] developers, including detailed review of the purge process and requirements. Document recommendations for specific areas where automation will improve process efficiency. Update the compliance steering group on automation requirements and existing gaps. Phase 1 Deliverable: Report documenting reviews and technical exchanges with [redacted]; this will include an implementation plan.
Phase 2, Planning: Per the development and implementation plan, create a schedule of work required to increase automation of the purge adjudication and execution processes. Phase 2 Deliverable: Coordinate with [redacted] to document a schedule/timeline with specific completion tasks required to enhance this capability per the implementation plan. Completion Date: [redacted].
Phase 3, Development/Implementation: Work with [redacted] to develop the new capability per Phases 1 and 2. Phase 3 Deliverable: Complete the development and provide a final report to [redacted] defining results. Completion Date: [redacted]. (U) POC: 963-0561.

Recommendation 9: Agree. [Redacted] manages the access controls through [...] repositories. Eligibility to access FAA §702 data is [...] and reflected in a user's eligibility status. This control was previously handled at a system level but is now managed by [redacted]. (U) POC: 963-0561. Update: [Redacted] manages the [...] of access controls through repositories. Eligibility to FAA §702 data is [...]; [...] are able to restrict access according to a user's eligibility status. This control was previously handled at a system level but is now managed [...]. SID requests closure of the recommendation. Deliverable Update: The SID Data Manager can provide documentation to enable closure of this recommendation. Request Closure.

Recommendation 10 ([redacted], 963-3004): Sub-bullet [...]: DTR guidelines, the requirement [...] nominated. The analyst must assess traffic and respond to three supporting questions [redacted]. Sub-bullet [...]. Sub-bullet 1 is deferred to SV. SV will work with ADET to update the following course: FISA Amendments Act (FAA) Section 702 (OVSC1203), to reflect modified Targeting and Minimization Procedures that are currently pending the Foreign Intelligence Surveillance Court ruling.

Recommendation 11 (OGC, ADET, [redacted]): [Redacted] will publish training slides onto the S2 FAA §702 Targeting Review Guidance webpage and will work with ADET to develop a course to replace briefings and informal training sessions. POC: [redacted], 963-4109, and SV, 963-2479. (U//FOUO) OVSC1203: SV will work with ADET to update the FAA §702 course to reflect the amended Targeting and Minimization Procedures that the Foreign Intelligence Surveillance Court approved in September 2012. S2 will publish training slides onto the S2 FAA §702 Targeting Review Guidance webpage and work with ADET to update OVSC1203. CRSK 1304 and 1305: Updates to FAA §702 Practical Applications (CRSK 1304) and FAA §702 Targeting Adjudication (CRSK 1305) were completed in December 2012. In addition, enforced registration in the ELM program and targeting proficiency statistics to the individual level, as well as completion rate of any required [...]. Structured OJT training will be phased in.

NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE
(U//FOUO) Implementation of §215 of the USA PATRIOT Act and §702 of the FISA Amendments Act of 2008
ST-14-0002
20 February 2015
(U) This report might not be releasable under the Freedom of Information Act or other statutes and regulations. Consult the Inspector General Chief of Staff before releasing or posting all or part of this report.
Derived From: Manual 1-52, Dated: 30 September 2013. Approved for Release by NSA on 02-11-2015. FOIA Case 80120 (litigation).

(U) OFFICE OF THE INSPECTOR GENERAL
(U) Chartered by the NSA Director and by statute, the Office of the Inspector General conducts audits, investigations, inspections, and special studies.
Its mission is to ensure the integrity, efficiency, and effectiveness of NSA operations, provide intelligence oversight, protect against fraud, waste, and mismanagement of resources by the Agency and its affiliates, and ensure that NSA activities comply with the law. The OIG also serves as an ombudsman, assisting employees, civilian and military.

(U) AUDITS
(U) The audit function provides independent assessments of programs and organizations. Performance audits evaluate the effectiveness and efficiency of entities and programs and their internal controls. Financial audits determine the accuracy of the Agency's financial statements. All audits are conducted in accordance with standards established by the Comptroller General of the United States.

(U) INVESTIGATIONS
(U) The OIG administers a system for receiving complaints (including anonymous tips) about fraud, waste, and mismanagement. Investigations may be undertaken in response to those complaints, at the request of management, as the result of irregularities that surface during inspections and audits, or at the initiative of the Inspector General.

(U) INTELLIGENCE OVERSIGHT
(U) Intelligence oversight is designed to ensure that Agency intelligence functions comply with federal law, executive orders, and DOD and NSA policies. The IO mission is grounded in Executive Order 12333, which establishes broad principles under which IC components must accomplish their missions.

(U) FIELD INSPECTIONS
(U) Inspections are organizational reviews that assess the effectiveness and efficiency of Agency components. The Field Inspections Division also partners with Inspectors General of the Service Elements and other IC entities to jointly inspect consolidated facilities.
NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE
OFFICE OF THE INSPECTOR GENERAL
20 February 2015
IG-11763-15 (Re-Issued)
TO: DISTRIBUTION
SUBJECT: (U) Report on the Implementation of §215 of the USA PATRIOT Act and §702 of the FISA Amendments Act of 2008

1. (U) Attached please find the report on Implementation of §215 of the USA PATRIOT Act and §702 of the FISA Amendments Act of 2008, as requested by members of the Senate Committee on the Judiciary.

2. (U) In September 2013, ten members of the Senate Committee on the Judiciary requested a comprehensive, independent review of the implementation of §215 of the USA PATRIOT Act and §702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act (FAA) of 2008 (FAA §702) for calendar years 2010 through 2013. In January 2014, the NSA Office of the Inspector General (OIG) and staff members of the Senate Committee on the Judiciary agreed on the scope of a review the OIG would conduct on NSA's use of both authorities.

3. (U) The following is the NSA report on both authorities, which will be sent to the ten members of the Senate Committee on the Judiciary who requested the review, the Chairman and Ranking Member of the House Committee on the Judiciary, the Chairman and Vice Chairman of the Senate Select Committee on Intelligence, and the Chairman and Ranking Member of the House Permanent Select Committee on Intelligence.

4. (U) We appreciate the cooperation and courtesies extended to our personnel throughout the review.

DR. GEORGE ELLARD
Inspector General

DISTRIBUTION: SID DIR (Ron Moultrie), TD, OGC (Raj De), [...] (Catherine Aucella), [...], S1, S2, S3, ST, SV, T1, TE, TS, TV, [...], DL SIDIGLIAISON, DL TD_Strat_Ops_Grp, DL d_gc_registry, DL d_iao_tasker, D13, D14

ST-14-0002

(U) TABLE OF CONTENTS
I. (U) INTRODUCTION .. ii
  (U) REASON FOR REVIEW .. ii
  (U) OBJECTIVES .. ii
II. (U) SECTION 215 OF THE USA PATRIOT ACT .. 1
  (U) BACKGROUND .. 1
  (U) METHODOLOGY AND SCOPE .. 2
  (U) BR FISA PROGRAM CONTROL FRAMEWORK .. 3
  (U) BR FISA PROGRAM INCIDENTS OF NON-COMPLIANCE .. [...]
  (U) NSA USE OF THE BR FISA AUTHORITY .. 63
III. (U) FAA §702 .. 70
  (U) BACKGROUND .. 70
  (U) METHODOLOGY AND SCOPE .. 71
  (U) FAA §702 PROGRAM CONTROL FRAMEWORK .. 72
  (U) FAA §702 INCIDENTS OF NON-COMPLIANCE .. 136
  (U) NSA USE OF THE FAA §702 AUTHORITY .. 143
IV. (U) ABBREVIATIONS AND ORGANIZATIONS .. 150
(U) APPENDIX A: ABOUT THE §215 AND FAA §702 REVIEW .. 153
(U) APPENDIX B: BR FISA PROGRAM CHANGES 2010-2012 .. 157
(U) APPENDIX C: BR FISA PROGRAM INCIDENTS OF NON-COMPLIANCE 2010 THROUGH 2012 .. 159
(U) APPENDIX D: FAA §702 PROGRAM CHANGES .. 160

I. (U) INTRODUCTION

(U) Reason for Review
(U) In September 2013, ten members of the Senate Committee on the Judiciary requested a comprehensive, independent review of the implementation of §215 of the USA PATRIOT Act and §702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act (FAA) of 2008 for calendar years 2010 through 2013.

(U) Objectives
(U) In January 2014, the National Security Agency/Central Security Service's (NSA) Office of the Inspector General (OIG) and Committee staff agreed that the NSA OIG would review implementation of both authorities for calendar year 2013. The study has three objectives:

(U) Objective I
(U) Describe how data was collected, stored, analyzed, disseminated, and retained under the procedures for §215 and FAA §702 authorities in effect in 2013 and the steps taken to protect U.S. person information.
(U) Describe the restrictions on using the data and how the restrictions have been implemented, including a description of the data repositories and the controls for accessing data.
(U) Describe oversight and compliance activities performed by internal and external organizations in support of §215 Foreign Intelligence Surveillance Court (FISC) Orders and FAA §702 minimization procedures.

(U) Objective II

(U) Describe incidents of non-compliance with §215 FISC Orders and FAA §702 Certifications and what NSA has done to minimize recurrence.

(U) Objective III

(U) Describe how [...] used the data to support their intelligence missions.

Our study of the implementation of §215 and FAA §702 authorities was based largely on program stakeholder interviews and reviews of policies and procedures and other program documentation. For this review, the NSA OIG documented the controls implemented to address the requirements of each authority; however, we did not verify through testing whether the controls were operating as described by program stakeholders.

II. (U) SECTION 215 OF THE USA PATRIOT ACT

(U) Background

(U) Business Records Order

(U) Since May 2006, the Foreign Intelligence Surveillance Court (FISC) has authorized the National Security Agency/Central Security Service's (NSA) bulk collection program under the "business records" provision of the Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. §1861, as amended by §215 of the USA PATRIOT Act, legislation enacted by the U.S. Congress and signed into law by the President. From its first authorization in May 2006 through December 2014, the program has been approved 40 times under Business Records (BR) Orders issued by 18 FISC judges. [Under the] series of BR Orders issued by the FISC, NSA receives certain call detail records (or BR metadata) from [redacted] U.S. telecommunication providers. NSA refers to the series of BR Orders approved by the FISC as the "BR Order" and the control framework NSA has implemented as the "BR FISA program."
(U) The BR Order requires that providers produce to NSA certain information about telephone calls, principally those made within the United States and between the United States and foreign countries. This information is limited to BR metadata, which includes information concerning telephone numbers used to make and receive calls, when the calls took place, and how long the calls lasted, but does not include information about the content of calls, the names of the participants, or cell site location information (CSLI).

(U) The BR FISA program was developed to assist the U.S. government in detecting communications between known or suspected terrorists who are operating outside the United States and communicating with others inside the United States, as well as communications between operatives within the United States. The BR Order authorizes NSA to query BR metadata only for identified counterterrorism purposes. The BR FISA program includes oversight mechanisms to maintain compliance with the BR Order and external reporting requirements to the [FISC] and Congress.

(U) BR renewal process

(U) Approximately every 90 days, the Department of Justice (DOJ), on behalf of the Federal Bureau of Investigation (FBI) and NSA, files an application with the FISC requesting that certain providers continue to provide calling records to NSA for another 90 days. If the FISC approves the government's application to renew the program, the Court issues a "primary order" delineating the scope of what the providers must furnish to NSA and the provisions for handling of BR metadata. The FISC issues "secondary orders" separately to each provider, directing them to deliver an electronic copy of certain calling records to NSA daily until the expiration of the BR Order.
(U) Methodology and Scope

(U) Our review of the BR FISA program control framework, incidents of non-compliance, and use of the authority to support its counterterrorism (CT) mission was based largely on BR program stakeholder interviews and reviews of policies and procedures and other program documentation. For this review, we did not verify through testing whether the controls were operating as described by BR program stakeholders. However, we tested controls of the BR program during previous NSA Office of the Inspector General (OIG) reviews (see the Oversight section for a list of those reviews). [...] the processes and controls in place in 2013. We used BR Order 13-158 and compared the requirements listed in that Order with the processes and controls NSA used to maintain compliance with that Order. In addition, we documented the changes implemented in the BR FISA program following the President's directives in 2014.

(U) Presidential directives affecting querying controls in 2014

(U) On 17 January and 27 March 2014, the President of the United States directed that NSA implement the following changes to the BR program:

1. (U//FOUO) Submit selection terms to the FISC for reasonable articulable suspicion (RAS) approval (see Querying section for RAS discussion). Before 17 January 2014, RAS selection terms were approved by the Chief or Deputy Chief of the Homeland Security Analysis Center (S214) or one of the twenty specially authorized Homeland Mission Coordinators (HMCs), as the BR Order required, and the Office of General Counsel (OGC) performed First Amendment reviews for selection terms associated with U.S. persons (USPs).

2. Restrict contact chaining to two hops from seed selection terms (see Querying section for contact chaining discussion). Before 17 January 2014, the BR Order authorized appropriately trained and authorized NSA [personnel] to query to three hops; however, NSA guidance restricted those [personnel] to querying BR FISA repositories two hops from seed selection terms, with one additional hop (three hops from seed selection terms) permitted only with Analysis and Production (S2) management approval.

3. (U) Store BR metadata in provider-controlled repositories and not in NSA repositories. Once implemented, NSA will submit FISC-approved RAS selection terms to providers for them to query their repositories. Providers will provide to NSA only the results of those queries.

(U//FOUO) NSA implemented the first two directives by February 2014. The third directive, storing BR metadata in provider repositories and obtaining only those query results from providers, will require Congressional approval of a new statute for the production of business records, which had not been implemented before this report was issued. The following sections describe how the BR FISA program control framework complies with BR Order 13-158 (including the changes implemented following the President's directives in 2014), the 2013 BR FISA program incidents of non-compliance, and use of the BR FISA authority.

(U) BR FISA Program Control Framework

(U//FOUO) The BR program control framework describes how NSA collects, samples, stores, accesses, queries, disseminates, and retains BR metadata and the oversight mechanisms to comply with the BR Order. This section summarizes the provisions of the BR Order and the controls implemented for each phase of the BR FISA production cycle.

(U) Collection

(U) Provisions of BR Order 13-158

The BR Order requires [redacted] telecommunication providers to provide an electronic copy of certain call detail records (hereinafter referred to as "BR metadata").
The BR Order defines BR metadata as comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, and International Mobile Station Equipment Identity (IMEI) number), trunk identifier, telephone calling card numbers, and time and duration of call.1 BR metadata does not include the substantive content of communications; the name, address, or financial information of a subscriber or customer; or CSLI.

(U) Data received from providers

[Redacted]

1 (U) The IMEI number is a type of metadata related to mobile telephony. It is permanently embedded in a mobile telephone handset by the manufacturer and generally is not changeable by the user. In most instances, the IMEI does not travel with the Subscriber Identity Module (SIM) card, in contrast to the IMSI number, which does. The IMSI number is another type of metadata related to mobile telephony. It is a 15-digit number used to identify a customer. IMSI numbers are permanently stored on SIM cards, allowing a user to plug a card into any mobile telephone and be billed correctly. Calling card numbers are numbers used for billing telephone calls. A calling card number may be a telephone number, as the phrase is commonly understood and used, plus a personal identification number, or may be another unique set of numbers not including a telephone number.

2 (U//FOUO) A [SCIF] is an accredited area, room, or installation, incorporating physical control measures (e.g., barriers, locks, alarm systems, armed guards), to which no person has authorized access unless approved to receive the particular category of sensitive compartmented information and has a need to know the sensitive compartmented information activity conducted therein.

3 [...] A contact chain shows that selection term A communicated with selection term B, their first and last contact dates, telephony type, and the total number of communications between selection terms A and B.

Figure 1 illustrates the BR metadata dataflow from the providers to NSA and the various BR metadata repositories in 2013.

(U) Figure 1. BR Metadata Dataflow and Repositories [figure not reproduced]

The BR Order requires that [redacted] provide all BR metadata [redacted] for communications between the United States and abroad or wholly within the United States, including local telephone calls. The BR Order does not require [redacted]. As of 31 December 2013, NSA received BR metadata from [redacted] providers [redacted].

(U) Table 1. BR FISA [...] [table not reproduced]

(U) Metadata Sampling

(U) Sampling to verify BR metadata integrity

Data Integrity Analysts (DIAs) [redacted] dedicated to the BR FISA program.5 DIA responsibilities include:

- Verifying that BR metadata is correctly ingested, processed, and formatted into chains;
- [redacted]

NSA has two types of controls to monitor data [...] by the DIAs using data sampling techniques [redacted]. The DIAs maintain the [redacted], but changes are implemented by the [redacted] team. The [redacted] are updated and reviewed at least quarterly. The DIA team reviews proposed changes and decides which [...]; the [redacted] project team runs tests to verify that changes have been implemented and provides the test results to the DIA team to [...] changes.

5 (U//FOUO) The BR FISA Authority Lead is responsible to the NSA Director and the Director of the Signals Intelligence Directorate for implementation of BR authorizations by the NSA organizations responsible for the collection, processing, and analysis of BR metadata under the BR Order.

7 The standard format is [redacted].

(U//FOUO) Sampling

DIAs [...] answer five questions as part of the sampling process [for compliance] with the BR Order:7

Did the BR metadata contain credit card numbers?
Did NSA detect CSLI in the [redacted] identification field?

(U) Did the BR metadata record structure adhere to expectations?

(U) Did the BR metadata record content adhere to expectations?

Did [...]?

(U) The sampling results are submitted to the Office of the Director of Compliance (ODOC) in weekly BR FISA compliance [reports]. ODOC compiles the information with other compliance reports and provides it to the Director of Compliance for review. The BR FISA Authority Lead summarizes the weekly BR FISA compliance reports for the DOJ National Security Division's (NSD) review before quarterly compliance review meetings (see Oversight section).

Credit card numbers

[Redacted] credit card numbers used as part of calling card personal identification numbers. [...] known to have contained [redacted]. DIAs sample all BR [redacted] that could contain credit card numbers. The sampling of BR metadata is performed to identify [redacted] to screen for credit card numbers. [If such numbers] are identified, DIAs test to determine whether they pass [redacted], identify them as credit card numbers, and forward them to [redacted]. [...] whether the credit card numbers were ingested into [redacted] [...], including NSD.

To demonstrate the number of files and BR metadata records that are sampled daily for credit cards, the OIG randomly selected [redacted] for review (Table 2).

(U) Table 2. Sampling Metrics for Credit Cards [table not reproduced]

To demonstrate the number of files and BR metadata records sampled [...] performed on [redacted] [...].

(U) Table 3. [...] for Credit Cards [table not reproduced]

CSLI

DIAs [review] the [redacted] to verify that it [does not contain] CSLI because the BR Order prohibits NSA from receiving this data. The DIAs have identified no CSLI data in the [redacted] since it became operational.

BR metadata record structure

[Redacted] sample BR metadata records for each feed to test whether the BR metadata record structure has changed.9 If tests show differences, a warning message is generated for the DIAs to address.
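The five sampling questions above, worked as an added example that is not part of the report and not the DIAs' tooling: it runs the checks over constructed BR-style records with an assumed field layout and flags a payment-card-like calling-card value, a populated cell-site field, a record-structure deviation, a record-content deviation, and a feed-volume anomaly against a constructed baseline. The field names, the schema, the Luhn screen (the test the DIAs actually apply is redacted above), the 3-sigma volume threshold, and every record are this example's assumptions.

```python
"""Sampling checks over constructed BR-style metadata records.

Added illustration of the five DIA sampling questions; not NSA code.
Field names, the record schema, the feed baseline and the sample records
are all constructed for the example.
"""
import re
from statistics import mean, pstdev

# Assumed record layout.  A validator of None means the field is handled
# by a dedicated presence test (the CSLI field must always be empty).
EXPECTED_SCHEMA = {
    "originating":  re.compile(r"^\d{10,15}$"),
    "terminating":  re.compile(r"^\d{10,15}$"),
    "start_time":   re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"),
    "duration_s":   re.compile(r"^\d+$"),
    "calling_card": re.compile(r"^\d*$"),        # digits or empty
    "imsi":         re.compile(r"^(\d{15})?$"),
    "cell_site":    None,                         # see has_csli()
}


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check: a cheap screen for payment-card-like numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_credit_card(record: dict) -> bool:
    """Question 1: calling-card field holding a 13-19 digit Luhn-valid number."""
    value = record.get("calling_card", "")
    return 13 <= len(value) <= 19 and value.isdigit() and luhn_ok(value)


def has_csli(record: dict) -> bool:
    """Question 2: any populated cell-site field is data the Order prohibits."""
    return bool(record.get("cell_site", "").strip())


def structure_issues(record: dict) -> list:
    """Question 3: does the record carry exactly the expected fields?"""
    missing = sorted(set(EXPECTED_SCHEMA) - set(record))
    extra = sorted(set(record) - set(EXPECTED_SCHEMA))
    return [f"missing:{f}" for f in missing] + [f"extra:{f}" for f in extra]


def content_issues(record: dict) -> list:
    """Question 4: do the known fields that are present match the expected format?"""
    issues = []
    for field, validator in EXPECTED_SCHEMA.items():
        if validator is None or field not in record:
            continue
        if not validator.match(record[field]):
            issues.append(f"format:{field}")
    return issues


def volume_anomalous(history: list, today: int, sigma: float = 3.0) -> bool:
    """Question 5: today's record count against recent daily counts."""
    baseline = mean(history)
    # floor of 5% of the mean so a flat baseline does not flag tiny jitter
    threshold = max(sigma * pstdev(history), 0.05 * baseline)
    return abs(today - baseline) > threshold


def sample_feed(records: list, history: list, today: int) -> dict:
    """Tally findings the way a daily sampling summary would report them."""
    return {
        "credit_card": sum(looks_like_credit_card(r) for r in records),
        "csli": sum(has_csli(r) for r in records),
        "structure": sum(bool(structure_issues(r)) for r in records),
        "content": sum(bool(content_issues(r)) for r in records),
        "volume_anomaly": volume_anomalous(history, today),
    }


def _rec(**overrides) -> dict:
    """Constructed clean record with optional field overrides."""
    base = {"originating": "2025550143", "terminating": "4415550199",
            "start_time": "2013-06-01T12:00:00Z", "duration_s": "120",
            "calling_card": "", "imsi": "", "cell_site": ""}
    base.update(overrides)
    return base


STRUCT_BAD = _rec(subscriber_name="J. Doe")   # extra field the Order excludes
del STRUCT_BAD["duration_s"]                  # and a required field missing

# Constructed sample: one clean record and one record per failure mode.
SAMPLE_RECORDS = [
    _rec(),
    _rec(calling_card="4111111111111111"),    # 16 digits, Luhn-valid
    _rec(cell_site="310-260-0042-1234"),      # CSLI present
    STRUCT_BAD,
    _rec(start_time="06/01/2013 12:00"),      # wrong timestamp format
]
FEED_HISTORY = [1000, 1020, 990, 1010, 1005]  # constructed daily record counts

if __name__ == "__main__":
    print(sample_feed(SAMPLE_RECORDS, FEED_HISTORY, today=400))
```

The Luhn test is only a screen: a calling-card number built from a telephone number plus a PIN can pass it by chance, which is why the procedure above forwards hits for further determination rather than treating a pass as proof. The volume check uses a floor as well as a sigma multiple so that a feed whose history is nearly constant does not raise warnings on a one-record difference.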
Changes in BR metadata record structure are very rare, but, if identified, the provider is contacted to determine whether the change is permanent or a one-time processing anomaly.

BR metadata record content

DIAs review the BR metadata record content for each feed [redacted].10 Table 4 shows the percentage of the [redacted] BR metadata record structure and content [tested] during 2013.

(U) Table 4. Percentages for BR Metadata Record Structure and Content Testing [table not reproduced]

Data feed volumes

DIAs monitor data feed volumes for anomalies by [reviewing the redacted] Report, which lists for each [feed] the records received and the records [redacted]. Table 5 shows the number of BR [redacted].

10 (U//FOUO) BR metadata record content is distinct from the content of communications: BR metadata record content does not contain the content defined in 18 U.S.C. §2510 as the substance, purport, or meaning of a communication.

(U) Table 5. Total Number [...] [table not reproduced]

(U) Table 6 summarizes the provisions of BR Order 13-158 for collection and the controls NSA implemented to maintain compliance.

(U) Table 6. Collection Provisions and Controls

Provision: Provide daily BR metadata records.
Control: [Redacted] for data flow problems. DIAs monitor data feed volumes for anomalies.

Provision: (U) NSA only receives authorized data.
Control: Parser rules [...] designed to prevent unauthorized data from being ingested into operational systems. DIAs sample data.

(U) Repositories

(U) Provisions of BR Order 13-158

(U) NSA will store and process BR metadata in repositories within secure networks under NSA control.

(U) NSA repositories that store BR metadata

All NSA systems that store and process BR metadata are certified as secure through an accreditation and certification process and are in NSA-controlled SCIFs. During 2013, the following systems stored and processed BR metadata:

- [redacted], the corporate contact chaining database;
- [redacted], a repository that stores BR metadata [redacted]. Backup tapes are [redacted]. The BR [redacted] are saved to tape backup [redacted];
- [redacted], designed for the BR FISA program, is software [redacted] System;
- [redacted] data distribution systems move BR metadata between NSA systems.

[Redacted] are the only operational databases used to store BR metadata for intelligence analysis.17 As previously mentioned, [redacted].

17 (U) A relational database stores data in tables using a standardized data format. This allows similar information to be organized and queried on the basis of specific data fields.

(U) NSA system accreditation and certification processes

(U//FOUO) Accreditation

[...] (TS) is responsible for managing the risk on all NSA networks and the computer systems and devices connected to those networks. TS responsibilities include:

- Guiding, prioritizing, and overseeing the development of information assurance programs necessary to ensure protection of information systems and networks by managing the NSA Information Security Program;
- Serving as the NSA Director's Authorizing Official to accredit all NSA information systems;
- (U//FOUO) Conducting information systems security and accreditation and risk management programs; and
- Establishing, maintaining, and enforcing information systems security policies and implementation guidelines for NSA.

Accreditation is the official management decision to permit operation of an information system in a specific environment at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.

(U//FOUO) When accrediting systems, TS uses a risk management framework to determine the appropriate level of risk mitigation needed to protect systems, information, and infrastructure. The framework comprises six steps:

- (U) Categorize the information and information system;
- (U) Select an initial baseline of security controls and tailor as appropriate for the system, data, and environment;
- (U) Implement and build the security controls in the information system;
- (U) Authorize the operation of the information system (accept the risk); and
- (U) Monitor continually and assess the effectiveness of the security controls.

Before a system is authorized to be put on a network, it must go through the accreditation process and be approved by TS. Table 7 lists the dates through which the BR repositories are accredited.

(U) Table 7. Dates through which BR Repositories Are Accredited [table not reproduced]

Certification

In addition to the TS system accreditation requirement, all systems containing FISA data must be certified by [...] (TV). TV4 is the NSA authority for certification of systems to ensure they [comply with] the legal and policy regulations protecting USP privacy. [In redacted], TV began certifying FISA systems, including the repositories that contain BR metadata, to ensure that they comply with USP privacy protection. [Redacted] is the NSA corporate database for registration of [systems] and their compliance certification and data flows. It is the authoritative source for all compliance certifications. [The] certification process evaluates system controls for maintaining compliance in the following areas: purge, data retention and aging off, data access, querying, dissemination, data tagging, targeting, and analytical processes.

(U//FOUO) To be certified to handle FISA data, systems must be certified by TV as part of the Compliance Certification process. Table 8 shows the TV4 certification dates for repositories that contain BR metadata.

(U) Table 8. Certification Dates for Repositories Containing BR Metadata [table not reproduced]

(U) Table 9 summarizes the provision of BR Order 13-158 for repositories and the control NSA implemented to maintain compliance.

(U) Table 9.
BR Repository Provision and Control

Provision: (U) NSA will store and process BR metadata in repositories within secure networks under NSA control.
Control: (U//FOUO) All BR systems are certified as secure through the system accreditation (TS) and certification (TV4) processes and are located in NSA-controlled SCIFs.

(U) Access and Training

(U) Provisions of BR Order 13-158

(U) BR metadata shall carry unique markings such that software and other controls (including user authentication services) can restrict access to authorized personnel who have received appropriate and adequate training with regard to this authority. NSA shall restrict access to BR metadata to authorized personnel who have received appropriate and adequate training.

(U) Appropriately trained and authorized technical personnel may access the BR metadata to perform those processes needed to make it usable for intelligence analysis. The Court understands that the technical personnel responsible for underlying corporate infrastructure and the transmission of the BR metadata from the specified persons to NSA will not receive special training regarding the authority granted herein.

(U) OGC and ODOC will further ensure that all NSA personnel who receive query results in any form first receive appropriate and adequate training and guidance regarding the procedures and restrictions for the handling and dissemination of such information. NSA will maintain records of all such training.

(U) OGC will provide DOJ NSD with copies of all formal briefing and/or training materials (including all revisions) used to brief or train NSA personnel concerning this authority.

(U) Restricting access to BR metadata to authorized personnel

The Signals Intelligence Directorate's (SID) Office of Oversight and Compliance (SV) verifies semi-weekly that persons authorized access to BR metadata [redacted] maintain the required credentials [...] listed under the "Appropriate and Adequate Training" heading of this section.
The [redacted] credential signifies that an individual has been adequately and appropriately trained (discussed below) with regard to the program and provides the authorization to view the results of BR metadata queries, in any form, including written and oral summaries of results. [It] does not provide access to the BR metadata in the bulk metadata (BMD) repositories or authorization to query the data. Table 10 shows a breakdown of the number of personnel with [redacted] as of 31 December 2013 by affiliation.

Table 10. Number of Personnel with [redacted] by Affiliation: NSA Civilians; NSA Military; Non-Agency Civilians; Contractors; Total [values redacted]

Table 11 shows a breakdown of the number of personnel with [redacted] as of 31 December 2013 by work role.

Table 11. Number of Personnel with [redacted] by Work Role: Analyst; Oversight; Leadership; Staff; Technical; Contractor; Total [values redacted]

The [redacted] credential signifies [redacted] access and is the first step in obtaining the ability to use [redacted] to perform [...] working CT targets described in the BR Order and technical personnel who maintain the systems that process and store BR metadata. The BR FISA Authority Lead is the ultimate authority for deciding which organizations are authorized to access BR metadata repositories. Table 12 shows a breakdown of the number of personnel with [redacted] as of 31 December 2013, by affiliation and work role.

Table 12. Number of Personnel with [redacted] by Affiliation and Work Role: NSA Civilians (Analyst, Oversight, Technical, Total); NSA Military (Analyst, Oversight, Technical, Total); Contractors (Technical, Total) [values redacted]

In addition to [redacted], if an individual needs to [use the] intelligence analyst contact chaining tool, a Division Chief, Deputy Division Chief, Branch Chief, or Deputy Branch Chief must submit to SV a written request that the individual be given query access. If the individual [holds the required] credentials, SV sends an e-mail to the [redacted] team and requests that the person be added to the user [group for] the interface [redacted] use to query data, including BR metadata.12 [...] as of 31 December 2013. [...] information without notice to the Court.

The [redacted] administrator verifies the [request], adds the person to the user group, and notifies SV when complete. Upon completion, [redacted] automatically sends an e-mail to SV indicating that the person has been added to the user group. [This] management control helps ensure that only appropriately trained and authorized personnel are able to execute queries. Table 13 shows [redacted].

(U) Table 13. Number of Personnel with Querying Capability as of 31 December 2013: [...]; Technical; Total [values redacted]

Receiving query results

NSA personnel who receive query results are required to receive training and guidance regarding the procedures and restrictions for handling and disseminating such information. Before [redacted] send BR-unique query results containing USP information to another individual, they must first confirm that the [recipient holds the redacted] credential.13 Sharing BR-unique query results [...] credential would [...].

(U) Training records

The BR Order requires that NSA maintain records of BR training. The Associate Directorate for Education and Training (ADET) Enterprise Learning Management database is the source system of record (SSR) for maintaining training completion records for all required training.

(U) Figure 3 shows the categories of individuals authorized access to BR data.

12 [Redacted] is NSA's Corporate Authorization Service Portal, [providing] attributes and access control services to NSA programs and projects.

13 (U//FOUO) [Redacted]

(U//FOUO) Figure 3. Access to BR Information Determined by Credentials Maintained by BR Stakeholders [figure not reproduced]

Obtaining the credential

To [obtain the redacted] credential, a request must be [submitted in the redacted] system. The [request requires] a valid sponsor who currently holds the requested credential. [The] Associate Directorate for Security and Counterintelligence (Q) reviews requests [for] security concerns.
If approved, the request is forwarded [to SV]. SV verifies that the individual is current on the required training (explained below) and that the request includes a valid mission justification. If all requirements are met, SV approves the credential.

Maintaining the credential

To ensure that personnel remain current on training, SV runs a [redacted] report several times a week that lists all the personnel with the [redacted] credential; their training is color coded (green = current, red = expired). If someone's [...] or OVSC1100 training has expired, SV notifies that person by e-mail that training must be completed. If OVSC1800 or [...] [has expired], access is revoked immediately. Access is not restored until a new request is submitted and all training is current. If an individual's training expires and the credential has been revoked, this would not violate the BR Order. However, if someone accesses BR metadata but has not completed the required training, this would violate the BR Order because the person has not been appropriately and adequately trained. The violation requires notice to the Court.14

14 (U) The Court understands that the technical personnel responsible for underlying corporate infrastructure and the transmission of the BR metadata from the specified persons to NSA will not receive special training regarding the authority granted herein.

Appropriate and adequate training

Policy 1-23, Procedures Governing [...] Activities That Affect U.S. Persons, 30 July 2013, requires that Agency personnel (civilians, military, military reservists, integrees, and most contractors) complete intelligence oversight (IO) training annually. [To obtain the redacted] credential and comply with the requirements of the BR Order, persons must have completed specific training courses within the last 12 months. All courses are developed by ADET in conjunction with the OGC, mission subject matter experts, and mission compliance professionals.
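The credential-maintenance report described above, as an added example that is not NSA's or SV's tooling: each holder's required courses are colour-coded current or expired against a 12-month window, an expired core course produces a reminder, and an expired advanced course revokes access immediately. The text names OVSC1100 on the reminder side and OVSC1800 on the revocation side; which other courses belong to which tier, the treatment of alternative course pairs, the holder records and the report date are this example's assumptions.

```python
"""Training-currency evaluation behind the SV credential report.

Added example, not NSA tooling. Every required course (or either member
of an alternative pair) must have been completed within the last 12 months.
Expiry of a core IO course yields a reminder; expiry of an advanced course
revokes access immediately. The tier assignments, holder records and the
report date are constructed assumptions.
"""
from datetime import date, timedelta

VALIDITY = timedelta(days=365)        # "within the last 12 months"

# Assumed tiers: the text names OVSC1100 (reminder) and OVSC1800 (revoke);
# the remaining members of each tier are this example's choice.
REQUIRED_GROUPS = [("OVSC1000",), ("OVSC1100",),
                   ("OVSC1800", "OVSC1806"), ("OVSC1205", "OVSC1206")]
REVOKE_ON_EXPIRY = {"OVSC1800", "OVSC1806", "OVSC1205", "OVSC1206"}


def group_status(completed: dict, group: tuple, today: date) -> str:
    """'green' if any course in the group was completed within VALIDITY."""
    for course in group:
        done = completed.get(course)
        if done is not None and today - done < VALIDITY:
            return "green"
    return "red"


def evaluate_holder(completed: dict, today: date) -> dict:
    """Colour-code every required group and decide the SV action."""
    statuses = {"/".join(g): group_status(completed, g, today)
                for g in REQUIRED_GROUPS}
    expired = {c for g in REQUIRED_GROUPS
               if statuses["/".join(g)] == "red" for c in g}
    if expired & REVOKE_ON_EXPIRY:
        action = "revoke"      # access removed immediately
    elif expired:
        action = "remind"      # e-mail: training must be completed
    else:
        action = "none"
    return {"statuses": statuses, "action": action}


def credential_report(holders: dict, today: date) -> dict:
    """The report SV runs several times a week: holder name -> evaluation."""
    return {name: evaluate_holder(courses, today)
            for name, courses in holders.items()}


# Constructed holder records (course -> completion date) and report date.
REPORT_DATE = date(2014, 3, 1)
HOLDERS = {
    "current": {"OVSC1000": date(2013, 9, 1), "OVSC1100": date(2013, 10, 1),
                "OVSC1806": date(2013, 11, 1), "OVSC1206": date(2013, 11, 2)},
    "lapsed_core": {"OVSC1000": date(2013, 2, 1), "OVSC1100": date(2013, 10, 1),
                    "OVSC1800": date(2013, 11, 1), "OVSC1205": date(2013, 11, 2)},
    "lapsed_advanced": {"OVSC1000": date(2013, 9, 1), "OVSC1100": date(2013, 10, 1),
                        "OVSC1800": date(2013, 1, 15), "OVSC1205": date(2013, 11, 2)},
    # completed exactly 365 days before the report: no longer "within" 12 months
    "boundary": {"OVSC1000": date(2013, 3, 1), "OVSC1100": date(2013, 10, 1),
                 "OVSC1806": date(2013, 11, 1), "OVSC1206": date(2013, 11, 2)},
}

if __name__ == "__main__":
    for name, result in credential_report(HOLDERS, REPORT_DATE).items():
        print(name, result["action"], result["statuses"])
```

The alternative-pair handling matters in practice: a holder who completed the technical variant (OVSC1806) must not be flagged for the missing analytic variant (OVSC1800), and vice versa, so the check is done per group rather than per course.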
(U//FOUO) OVSC1000, Intelligence Oversight Training, the Agency's core IO course, is provided to the workforce to maintain a high degree of sensitivity to and understanding of intelligence laws, regulations, and policies associated with the protection of USP privacy rights during mission operations. Personnel are familiarized with the major tenets of the four core IO documents: Executive Order (E.O.) 12333, as amended; Department of Defense (DOD) Regulation 5240.1-R; Directive Type Memorandum (DTM) 08-052; and Policy 1-23.15 OVSC1000 is web based and includes knowledge checks for proficiency.

(U//FOUO) OVSC1100, Overview of Signals Intelligence Authorities, the core SIGINT IO course, provides an introduction to the various legal authorities that NSA uses to conduct its operations. Upon completion, personnel should be able to identify applicable surveillance authorities at a high level, define the basic provisions of the authorities, and identify situations and circumstances requiring additional authority. OVSC1100 is web based and includes knowledge checks for proficiency. All personnel in the U.S. SIGINT System working under the NSA Director's SIGINT authority with access to raw SIGINT are required to complete OVSC1100 every 12 months.

(U//FOUO) OVSC1800 (Analytic) and OVSC1806 (Technical), Legal Compliance and Minimization Procedures, are advanced SIGINT IO courses that explain policies, procedures, and responsibilities within the missions and functions of the [...] to enable the protection of USP and foreign partner privacy rights. Upon successful completion, NSA [personnel] with mission requirements to access raw SIGINT databases will have met the additional training requirement imposed by SID. OVSC1800 and OVSC1806 are web based [...]. Personnel who do not pass the test after [redacted] attempts must complete remedial training. All personnel in the [...] working under the NSA Director's SIGINT authority with access to raw SIGINT are required to complete OVSC1800 or OVSC1806 every 12 months.

15 E.O. 12333, United States Intelligence Activities; DOD Regulation 5240.1-R, Procedures Governing the Activities of DOD Intelligence Components That Affect U.S. Persons; DOD Guidance for Reporting Intelligence Activities and Significant or Highly Sensitive Matters.

(U//FOUO) OVSC1205 (Analytic) and OVSC1206 (Technical), Special Training on FISA, are advanced IO courses that present the legal policies surrounding the FISC Orders and RAS standards pertaining to specific CT-focused programs. OVSC1205 and OVSC1206 are web based and include competency exams with a minimum passing score of 90 percent for OVSC1205 and 89 percent for OVSC1206, a higher proficiency threshold than other courses because BR FISA data has a greater probability of containing USP information. Personnel who do not pass the test after one attempt must complete remedial training. All personnel with access to the BR FISA program are required to complete OVSC1205 or OVSC1206 every 12 months.

(U//FOUO) NSD review of training material

As the BR Order requires, OGC provides NSD copies of the material (e.g., [redacted] and OVSC1206 training courses) used to train NSA personnel on the authority. OGC most recently provided NSD copies of revisions to the training materials in February 2014. NSA had revised the training materials because of the 17 January 2014 program changes, which included the two-hop limitation and the RAS-approval process.

(U) Access requirements for technical personnel to BR repositories

The BR Order states that appropriately trained and authorized technical personnel may access the BR metadata to perform those processes needed to make the data usable for intelligence analysis. The following describes the repositories and systems and the access requirements for technical personnel.

16 Backup tapes are securely stored in a locked cabinet inside a restricted-access room at a secure facility and are only accessible to [redacted] personnel.
- Corporate infrastructure

Technical personnel responsible for maintaining underlying corporate infrastructure and transmission of BR metadata to NSA corporate [systems] ([redacted] personnel and SharePoint system administrators) are not required to receive special IO [training] regarding the BR program.

(U) Access requirements for [redacted] to query BR repositories

To query the [redacted] using [redacted], [redacted], including DIAs, must be listed on the [redacted] User Group in [redacted]. The [redacted authenticate] using their public key infrastructure (PKI) [certificates];18 [redacted] verifies that the [redacted] are listed on the user group [and hold the required] credentials. If all three requirements are met, the [redacted] are able to select the [redacted] mode in [redacted] and query BR metadata. As of 31 December [2013], [redacted] had the ability to run queries on BR data using [redacted]. [...] system accesses to [redacted] [are] terminated [...].

(U//FOUO) Table 14 summarizes the provisions of BR Order 13-158 for access and training and the controls implemented by [NSA to maintain] compliance.

18 (U//FOUO) PKI is used to authenticate users on NSA networks. [It] binds public keys with [...] certificate authority.

(U) Table 14. Access and Training Provisions and Controls

Provision: (U) Access to BR metadata shall be restricted to authorized personnel who have received appropriate and adequate training.
Control: All personnel with access to BR metadata must have the [redacted] credential. All personnel with [access to] BMD repositories must have the [redacted] credential. All personnel who query the data in the BMD must have the [redacted] credential and be on the [redacted user group]. All personnel with the [redacted] credential must complete [required] training, verified and monitored by SV.

Provision: (U) Appropriately trained and authorized technical personnel may access the BR metadata to perform those processes needed to make it usable for intelligence analysis.
Control: (U//FOUO) Technical [personnel with access to] the BR metadata must have the [redacted] credential and must have completed appropriate and adequate training, verified and monitored by SV.

Provision: (U) Technical personnel responsible for underlying corporate infrastructure and the transmission of the BR metadata from the specified persons to NSA will not receive special training regarding the authority granted herein.
Control: (U) Technical personnel responsible for underlying corporate infrastructure do not receive special training regarding the BR program.

Provision: (U) OGC and ODOC will further ensure that NSA personnel who receive query results in any form first receive appropriate and adequate training and guidance regarding the procedures and restrictions for the handling and dissemination of such information.
Control: Before [sending] BR-unique query results containing USP information to another individual, the [sender] must first confirm that the recipient has the [redacted] credential. An individual with the [redacted] credential must complete and remain current on required training, which includes training and guidance on handling and disseminating such data.

Provision: (U) NSA will maintain records of all such training.
Control: (U//FOUO) The ADET Enterprise Learning Management database is the SSR for maintaining training completion records.

Provision: (U) OGC will provide NSD with copies of all formal briefing and/or training materials (including all revisions) used to brief/train NSA personnel concerning this authority.
Control: (U//FOUO) OGC provides BR FISA training material to NSD for review before modifying material in the OVSC1205 and OVSC1206 training courses.

(U) Querying

(U) Provisions of BR Order 13-158

NSA may access BR metadata for purposes of obtaining foreign intelligence information only through queries of the BR metadata to obtain contact chaining information using selection terms approved as "seeds."19 A seed is a selection term approved for querying BR metadata. All selection terms to be used as seeds with which to query the BR metadata must first be approved by the S214 Chief or Deputy Chief or one of the twenty specially authorized HMCs in the SID Analysis and Production Directorate.20
(U//FOUO) Approval shall be given only after the designated approving official has determined that, based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts giving rise to a RAS that the selection term to be queried is associated with [redacted] (hereafter the Foreign Powers). If the selection term is reasonably believed to be used by a USP, the OGC must first determine that [redacted] is not regarded as associated with [redacted] solely on the basis of activities that are protected by the First Amendment to the Constitution.21 RAS approvals shall be effective for 180 days for any selection term reasonably believed to be used by a USP and one year for all other selection terms.

(U//FOUO) Furthermore, queries of the BR metadata using RAS-approved selection terms may occur either by manual analyst query or through the automated query process.22 Contact chaining queries of BR metadata will begin with a RAS-approved seed and will return only that metadata within three "hops" of the seed.23

19 (U//FOUO) The term [redacted] is not limited to [redacted] "identifiers." The term "identifiers" means [redacted].

20 (U//FOUO) Selection terms that are the subject of electronic surveillance authorized by the FISC, based on the finding of probable cause to believe that they are used by [redacted], including those used by USPs, may be deemed approved for querying for the period of FISC-authorized electronic surveillance without review and approval by a designated approving official. On 26 February 2014, NSA began sending selection terms to the FISC for RAS approval to comply with the President's directive of 17 January 2014. On 28 February 2014, the FISC approved RAS for the first two selection terms under this new process.

21 (U) The First Amendment to the U.S. Constitution prohibits making any law abridging the freedom of speech, infringing on the freedom of the press, interfering with the right to peaceably assemble, or prohibiting the petitioning for a government redress of grievances. The BR Order no longer requires that OGC perform a First Amendment review of selection terms used by USPs for non-emergency RAS requests; the FISC performs those reviews. This change was made following the President's directive on 17 January 2014, which requires that NSA submit selection terms to the FISC for RAS approval.

22 (U//FOUO) The automated query process was initially approved by the FISC in the 7 November 2012 Order that amended docket number BR 12-178. Although approved, NSA never implemented the automated query process and is no longer authorized to use it, since it withdrew its request to do so in the renewal applications and declarations that support the BR Orders approved by the FISC (beginning with BR Order 14-67, dated 28 March 2014).

23 (U//FOUO) The first hop from a seed returns results including all selection terms (and their associated metadata) with a contact and/or connection with the seed. The second hop returns results that include all selection terms (and their associated metadata) with a contact and/or connection with a selection term revealed by the first hop. The third hop returns results that include all selection terms (and their associated metadata) with a contact and/or connection with a selection term revealed by the second hop. On 29 January 2014, software system controls were modified to limit the number of hops from seed selection terms to two to comply with the President's directive of 17 January 2014.

(U//FOUO) Appropriately trained and authorized technical personnel may query BR metadata using selection terms that have not been RAS approved to perform processes needed to make the BR metadata usable for intelligence analysis, and may share the results of those queries with other authorized personnel responsible for these purposes. However, the results of such queries may not be used for intelligence analysis purposes.
(U//FOUO) NSA must ensure, through adequate and appropriate technical and management controls, that queries of BR metadata for intelligence analysis purposes will be initiated using only selection terms that have been RAS approved.

(U) Presidential directives affecting querying controls in 2014

(U) On 17 January 2014 and 27 March 2014, the President of the United States directed that NSA implement the following changes to the BR FISA program:

1. Submit selection terms to the FISC for RAS approval. Before 17 January 2014, selection terms were RAS approved by the S2I4 Chief or Deputy Chief or one of the twenty specially authorized HMCs, as the BR Order required, and OGC performed First Amendment reviews for selection terms associated with U.S. persons.
2. Restrict contact chaining to two hops from seed selection terms. Before 17 January 2014, appropriately trained and authorized NSA [redacted] were authorized to query to three hops; however, NSA guidance restricted them to querying BR FISA repositories two hops from seed selection terms, with one additional hop (three hops from seed selection terms) permitted only with S2 division management approval.
3. Store BR metadata in provider-controlled repositories and not in NSA repositories. Once implemented, NSA will submit FISC-approved RAS selection terms to providers for them to query their repositories. Providers will provide to NSA only the results of those queries.

(U//FOUO) NSA implemented the first two directives by February 2014. The third directive, storing BR metadata in provider repositories and obtaining only query results from providers, will require passage of a new statute for the production of business records, which had not been enacted when this report was issued.

(U//FOUO) The remainder of this section documents the control framework in place for querying BR metadata in 2013, including the changes implemented by the President's directives in 2014.
(U) Determining seed selection terms for requesting RAS approval

(U//FOUO) [redacted] working CT missions focus on lead selection terms, which can be derived from multiple sources, [redacted]. [redacted] use a wide range of tradecraft in determining which selection terms to pursue RAS approval for.

(U//FOUO) Analysts making determinations whether selection terms are eligible to be used as seeds under the BR FISA authority must consider all the facts they know or reasonably can know before submitting requests for RAS approval. Looking at the totality of the circumstances, they evaluate whether there is a RAS that the selection terms are used by persons associated with one of the terrorist organizations in the BR Order. The level of proof demanded by the RAS standard is less than a preponderance of the evidence or probable cause. However, the RAS standard requires more than a mere hunch or uninformed guesswork. [redacted] must have an "articulable reason," supported by at least one source, for suspecting that the person using the selection term is associated with one of the terrorist organizations identified in the BR Order. Sources used to justify RAS requests include, but are not limited to, [redacted].24 The RAS standard is the same for selection terms associated with USPs and foreign persons.

(U//FOUO) [redacted] electronically submit RAS requests in [redacted]. [redacted] has required fields for RAS requests, user nationalities, and user ties to at least one of the terrorist organizations in the BR Order, and saves the supporting documentation for review by designated officials. If selection terms are subject to ongoing FISC-authorized electronic surveillance based on a finding of probable cause that the selection terms are used or about to be used by persons associated with one of the identified foreign powers, [redacted] may use the selection terms to query the BR metadata without obtaining RAS approval, because the standard has already been met. In these cases, entries are still submitted through [redacted] along with supporting documentation, and HMC review and possible OGC review (if a [redacted]) would also be required.

(U//FOUO) According to [redacted], a majority of the selection terms submitted [redacted].

24 (U//FOUO) If RAS requests are based in part or in whole on NSA SIGINT, NSA performs a purge verification check for the selection term when the request is submitted to ensure that the selection term had not been submitted for on-demand, retroactive, or reactionary removal of data from NSA SIGINT system repositories. The "purge verification" field must be filled out when creating a RAS request, and the check must be conducted no more than 24 hours before submission.

(U//FOUO) [redacted] RAS selection terms associated with the terrorist organizations [redacted]. Those would include organizations listed in the BR Order or organizations based on IC reporting and determined by OGC to be a terrorist organization in the FISC-approved [redacted].25 Only personnel with the [redacted] role can maintain the terrorist organization list in [redacted]; [redacted] were assigned this role.

(U//FOUO) [redacted], which NSA implemented in June 2010, provides the system-control framework for nominating, justifying, reviewing, approving, and disapproving RAS for selection terms. [redacted] has built-in safeguards to ensure RAS-approved selection terms comply with requirements of the BR Order (e.g., required RAS approvals documented, only approved terrorist organizations used, time limits not exceeded). [redacted] also serves as the repository of RAS-approved selection terms and exports the terms to other systems in the BR control framework.

(U) RAS approval process in 2013

(U//FOUO) In 2013, the RAS approval process included certain mechanisms NSA used to determine whether selection terms were associated with one of the terrorist organizations in the BR Order before BR-authorized [redacted] could use the selection terms as seeds to query BR metadata. Consistent with the BR Order, all selection terms used as seeds for querying BR metadata were first approved by the S2I4 Chief or Deputy Chief or one of the 20 specially authorized HMCs. If selection terms were reasonably believed to be used by USPs, OGC determined whether the USPs were regarded as associated with one of the terrorist organizations named in the BR Order solely on the basis of activities protected by the First Amendment. Figure 4 illustrates the RAS approval process in place during 2013.

25 (U//FOUO) In May 2012, DoJ NSD stated that it was generally acceptable for [redacted] to determine, based [redacted]. In addition, with the condition being met, NSA can include [redacted]. NSD further stated that OGC must revisit those determinations every six months.

(U) Figure 4. RAS Approvals Needed Before Querying BR Metadata in 2013 [figure not reproduced]

(U//FOUO) Table 15 summarizes the RAS selection terms approved in 2013.

(U) Table 15. 2013 RAS Approvals [table values redacted]
Note: The first count includes RAS selection terms that were approved more than once in 2013. The second count includes only unique selection terms approved during 2013; it excludes multiple RAS approvals for the same selection terms in 2013.

(U) HMC review process in 2013

(U//FOUO) After RAS approval requests are submitted in [redacted], automatic e-mail notifications are sent to HMCs alerting them that requests are pending review. Depending on the ranking assigned to RAS approval requests in [redacted], reminder e-mails are sent after [redacted] for emergency requests, [redacted] for urgent requests, [redacted] for priority requests, and [redacted] for routine requests. For oversight purposes, HMCs verify that:

- [redacted] sufficiently and accurately document user ties to the terms submitted for RAS approval;
- Justifications support user ties to one of the terrorist organizations in the BR Order;
- RAS requests are supported by credible source documentation;
- Source documentation is current and has not been superseded by other intelligence;
- RAS requests contain time restrictions, if selection terms are or were associated with users for only a specific and limited time; and
- If SIGINT is used as justification for RAS approval requests, [redacted] performed purge verifications when requests were submitted.

(U//FOUO) If HMCs determine that the documentation requirements have not been met and the RAS standard has not been satisfied, [redacted] are notified of deficiencies and asked to provide additional information. HMCs denote denied RAS requests as "Pending" until adequately documented. If the documentation standard has been satisfied, HMCs change the status from [redacted]. [redacted] records status changes and edits of the original RAS request.26 [redacted] system controls require that OGC approve selection terms used by USPs before completing the RAS approval process. Figure 5 illustrates the RAS standard.

(U) Figure 5. RAS Standard [figure not reproduced]

26 (U//FOUO) [redacted] trained and authorized [redacted] can approve RAS requests and query BR metadata. However, system controls prevent persons from submitting and approving their own RAS requests.

(U) OGC First Amendment review of seed selection terms associated with USPs

(U//FOUO) NSA is prohibited from establishing RAS on a USP selection term based solely on activities protected by the First Amendment. In 2013, RAS requests containing selection terms used by USPs were forwarded to the NSA OGC for a First Amendment review. [redacted] sent automated e-mail notifications to designated OGC attorneys until a First Amendment review was completed. OGC reviewed the RAS requests and source documentation, as well as the RAS decisions made by HMCs, and determined whether NSA intended to target the individual based solely on activities protected by the First Amendment.
(U//FOUO) If there were indications that RAS was based solely on such activities, OGC would deny the RAS request. Once OGC has approved RAS requests in [redacted], the selection terms are authorized for use as seeds for querying. However, a series of system updates must be completed before [redacted] can query BR metadata.

(U) Controls for querying BR metadata using only RAS-approved seed selection terms within the authorized number of hops

(U//FOUO) [redacted] tracks the status of selection terms and, for an "Approved" status, the expiration of the RAS approval. The BR Order specifies that RAS shall be effective for 180 days for selection terms reasonably believed to be used by USPs and one year for all other selection terms. However, NSA, out of an abundance of caution, used a more restrictive RAS expiration policy in 2013: 90 days for selection terms used by USPs and 180 days for selection terms used by all others.27 [redacted] is configured to automatically change the status of RAS selection terms from "Approved" to "Expired" when the expiration dates NSA set are exceeded.

(U//FOUO) [redacted] is the graphical user interface that [redacted] use to query data in [redacted], including BR metadata. When launching [redacted], [redacted] with appropriate credentials have the option to include BR metadata in their queries. If they do, they may only use approved selection terms as seeds. The term used to initiate a query of BR metadata is referred to as a seed because it is used to produce a "chain" of metadata contacts, a process called contact chaining. When a seed selection term is submitted, [redacted] middleware called Access Restriction (EAR) checks whether the selection term appears as "Approved" in [redacted] tables.28 The EAR, through internal software controls, restricts contact chaining to seeds that are RAS approved by preventing non-RAS-approved terms (expired, decommissioned, or disapproved selection terms, and terms that have never been entered into [redacted]) from being used as seeds for conducting contact chaining analysis of BR metadata. If selection terms submitted by [redacted] for querying of BR metadata appear as "Approved" in [redacted] tables, the EAR allows the queries to perform. The EAR prevents queries from performing when the selection terms do not appear as "Approved." In 2013, the EAR software system controls also restricted the number of hops to three from the seed for contact chaining, as the BR Order authorized.29 However, if after reviewing the first two hops' results [redacted] wanted to perform contact chaining out to a third hop from the seed selection term, SID policy required that they first obtain S2 division management approval. NSA relied on [redacted] to comply with SID policy; no system control was in place to prevent [redacted] from querying out to three hops without S2 division management approval.

27 (U//FOUO) [redacted] was reconfigured so that selection terms used by USPs expired in 173 days and 358 days for all others. NSA made this change to avoid burdening the FISC, which began approving RAS for selection terms as the President had directed, with more frequent reauthorizations than the BR Order requires.

(U//FOUO) To understand how contact chaining was performed and the system controls implemented by the EAR to allow querying only with RAS-approved seeds and within three hops of the seed selection term in 2013, it is helpful to review an example.

(U//FOUO) Seed selection term A, reasonably believed to be used by a [redacted], was RAS approved by an HMC. No First Amendment review was required because selection term A (the seed) was not used by a U.S. person. The analyst entered selection term A into [redacted] to perform contact chaining analysis one hop from the seed. The EAR checked the [redacted] tables to determine whether selection term A was RAS approved. Because the term appeared as RAS approved, the EAR allowed the query of BR metadata in [redacted]. First-hop queries returned all [redacted] in the BR repository (and associated metadata) that had a contact or connection with the seed. [redacted] If the analyst tried to query beyond the third hop or query using a selection term that had not been RAS approved, the EAR would have prevented the action.

28 (U//FOUO) [redacted] In June 2010, the EAR was reconfigured to use data from [redacted] to prevent queries in [redacted] using selection terms that were not RAS approved, including USP selection terms that OGC had not reviewed.

29 (U//FOUO) On 29 January 2014, NSA modified the EAR software system controls to reduce the number of hops from the seed to two to comply with the President's directive of 17 January 2014.

(U) EAR bypass

(U//FOUO) Because [redacted] is needed for system updates to complete before a RAS-approved selection term can be used for querying BR metadata, an EAR bypass was implemented for emergency situations. If an analyst with a RAS-approved seed selection term and S2I4 management approval determines that immediate querying of BR metadata using the RAS-approved seed selection term is necessary to obtain time-sensitive results to respond to an emergency, S2I4 informs designated OGC, SV, and ODOC personnel of its intention to bypass the EAR software system controls. After this notification, S2I4 management contacts the [redacted] team, requesting that designated [redacted] be temporarily added to the [redacted] user group. This allows the [redacted] to select the [redacted], thereby bypassing the EAR software system controls for [redacted]. Direct on-site supervisor oversight ensures that queries stay within three hops (before 17 January 2014) [redacted]. The [redacted] team is notified when the [redacted] are removed from the [redacted] user group after an emergency situation ends or after normal system updates have completed to allow querying using the RAS-approved selection terms. No NSA personnel were included in the [redacted] user group [redacted].

(U) Querying by trained and authorized technical personnel for testing purposes only

(U//FOUO) The BR Order allows authorized NSA technical personnel to access the BR metadata, including through queries, to make it usable for intelligence analysis. This includes performing [redacted] and maintaining records to demonstrate compliance with the BR Order. However, technical personnel do not share the results of these queries with [redacted]. Tests of BR metadata are performed [redacted], as the Order allows. Only a limited number of technical personnel, who appear in the [redacted] user group, may query [redacted] using non-RAS-approved selection terms. The [redacted] operational user group is used only by [redacted]. SV audits all queries performed using [redacted] query tools by technical and mission personnel to ensure compliance with the BR Order. [redacted] authorized [redacted] user group.

(U) RAS approval process in 2014

(U//FOUO) On 17 January 2014, the President directed that NSA implement changes in how it operates the BR FISA program: NSA must submit selection terms to the FISC for RAS approval and limit contact chaining to two hops from the seed selection terms. Before 17 January 2014, RAS selection terms were approved by the S2I4 Chief or Deputy Chief or one of the twenty authorized HMCs, as the BR Order required. [redacted] As an added measure, terms in an "Approved" status were changed to "Revalidate" in [redacted].30 In the weeks following the President's directives, through a motion to amend BR Order 14-01 that the FISC approved on 5 February 2014, the FISC approved the following:

(U) The government may request, by motion and on a case-by-case basis, permission from the Court for NSA to use specific selection terms that satisfy the RAS standard as "seeds" to query the BR metadata to obtain contact chaining information, within two hops of an approved "seed," for purposes of obtaining foreign intelligence information. In addition, the Director or Acting Director of NSA may authorize the emergency querying of the BR metadata with a selection term for purposes of obtaining foreign intelligence information, within two hops of a "seed," if: (1) the Director or Acting Director reasonably determines that an emergency situation exists with respect to the conduct of such querying before an order authorizing such use of a selection term can with due diligence be obtained; and (2) the Director or Acting Director of NSA reasonably determines that the RAS standard has been met with respect to the selection term. In any case in which this emergency authority is exercised, the government shall make a motion in accordance with this amendment to the BR Primary Order to the Court as soon as practicable, but not later than seven days after the Director or Acting Director of NSA authorizes such query.

(U//FOUO) In response to these new requirements, the NSA BR control framework changed:

- (U//FOUO) RAS approvals submitted to the FISC. NSA no longer approves RAS for selection terms, except in emergency situations. HMCs or the S2I4 Chief or Deputy Chief previously approved RAS. They now perform only first-level reviews to determine whether RAS requests are adequately documented and supported by credible source documentation in [redacted]. [redacted] follow the same preliminary procedures as before for determining whether selection terms are used by persons who are reasonably believed to be associated with one of the terrorist organizations listed in the BR Order and for documenting RAS requests in [redacted]. After reviewing the supporting documentation, HMCs send RAS requests back to [redacted] to make corrections (as needed), deny RAS requests, or forward RAS requests endorsed for FISC submission to OGC (regardless of whether selection terms are used by USPs or foreign persons). OGC no longer officially performs First Amendment reviews of selection terms used by USPs for non-emergency RAS requests; the FISC performs those reviews.
- (U//FOUO) OGC second-level review. OGC now performs second-level reviews of RAS requests, source documentation, and endorsement decisions by HMCs to provide greater assurance that the FISC will not reject RAS requests because of insufficient documentation or First Amendment concerns (for selection terms used by USPs). OGC reviews HMC endorsements during RAS verification meetings, at which HMCs present evidence supporting the RAS justifications for review by SV, OGC, and the S2 Declarant (usually the S2I4 Chief or Deputy Chief) who signs the eventual motions seeking FISC approval of the selection terms. This group (known as the "RAS verification panel"), chaired by SV, confirms that representations in RAS requests are accurate. If the RAS verification panel endorses the RAS requests, OGC submits them to NSD for review and submission to the FISC for approval. At each level of review by HMCs, OGC, the RAS verification panel, and DoJ NSD, all questions, concerns, and requests for additional information must be satisfied before NSD submits the requests to the FISC. The FISC makes the final determination of whether the RAS standard has been met for each request and notifies NSD of its decision to approve or disapprove requests. After OGC has been notified by DoJ NSD of the FISC decision, OGC enters the date of the decision, saves the supporting court documentation in [redacted],31 and updates the dispositions of RAS requests in [redacted] as "Approved" or "Disapproved." FISC approvals are effective for 180 days for selection terms used by USPs and one year for all others. However, NSA established more conservative expirations in [redacted]: 173 days for selection terms used by USPs and 358 days for all others. Figure 6 illustrates the non-emergency RAS approval process.

30 (U//FOUO) On 17 January 2014, [redacted] selection terms were in an "Approved" status in [redacted]. RAS approvals for [redacted] selection terms had expired, and [redacted] automatically changed the status from "Approved" to "Revalidate" for the [redacted] remaining in an "Approved" status.

31 (U//FOUO) [redacted] is the system of record for storing documents relating to NSA authorities, including BR Orders for the BR FISA authority.

(U) Figure 6. Non-Emergency RAS Approval Process [figure not reproduced]
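The querying controls described above (a RAS status that expires on a fixed schedule, an EAR gate that refuses any seed not in "Approved" status, a hop ceiling, the rule that nobody approves their own RAS request, and the emergency-bypass user group) together form a small policy-enforcement layer, and it is worth seeing them as code. The block below is an added illustration written for this page; it is not NSA software and is not taken from the report. The class and field names, the breadth-first traversal, the sample contact graph, the ISO-date interface and the bypass-group mechanism are all assumptions; only the numeric policy values (three hops in 2013, two from 29 January 2014; 90/180-day expiry in 2013, 173/358 days afterwards) come from the text.

```python
"""Model of the BR querying controls: RAS status with expiry, the EAR seed gate,
and the hop limit. Added illustration; names and structure are assumptions."""
from collections import deque
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set

# Expiration windows (USP terms, all other terms) stated in the report:
# 90/180 days in 2013, 173/358 days after the 2014 changes.
POLICY_2013 = (90, 180)
POLICY_2014 = (173, 358)


@dataclass
class RasRecord:
    term: str
    usp: bool
    submitter: str
    status: str = "Pending"            # Pending / Approved / Expired
    approved_on: Optional[date] = None
    approver: str = ""


class RasRegistry:
    """Stand-in for the RAS approval system of record (name and fields assumed)."""

    def __init__(self, policy):
        self.usp_days, self.other_days = policy
        self.records: Dict[str, RasRecord] = {}

    def submit(self, term, usp, submitter):
        self.records[term] = RasRecord(term, usp, submitter)

    def approve(self, term, approver, on, first_amendment_reviewed=False):
        rec = self.records[term]
        # Separation of duties: nobody approves their own RAS request.
        if approver == rec.submitter:
            raise PermissionError("submitter cannot approve own RAS request")
        # A USP term cannot complete approval without the First Amendment review.
        if rec.usp and not first_amendment_reviewed:
            raise PermissionError("USP selection term requires First Amendment review")
        rec.status, rec.approver = "Approved", approver
        rec.approved_on = date.fromisoformat(on)

    def refresh(self, today):
        """Flip Approved -> Expired once the policy window has passed (today is ISO)."""
        now = date.fromisoformat(today)
        for rec in self.records.values():
            if rec.status != "Approved":
                continue
            window = self.usp_days if rec.usp else self.other_days
            if now > rec.approved_on + timedelta(days=window):
                rec.status = "Expired"

    def is_approved(self, term):
        rec = self.records.get(term)
        return rec is not None and rec.status == "Approved"


class EAR:
    """Access-restriction middleware: only Approved seeds, hop count capped."""

    def __init__(self, registry, max_hops, bypass_group=frozenset()):
        self.registry = registry
        self.max_hops = max_hops
        self.bypass_group = bypass_group   # emergency-bypass user group (assumed)

    def contact_chain(self, graph, seed, hops, user):
        if hops > self.max_hops:
            raise PermissionError(f"{hops} hops exceeds limit of {self.max_hops}")
        if user not in self.bypass_group and not self.registry.is_approved(seed):
            raise PermissionError(f"seed {seed!r} is not RAS approved")
        # Breadth-first walk; each contact is tagged with the hop at which it is first reached.
        reached = {seed: 0}
        queue = deque([seed])
        while queue:
            term = queue.popleft()
            if reached[term] == hops:
                continue
            for contact in graph.get(term, ()):
                if contact not in reached:
                    reached[contact] = reached[term] + 1
                    queue.append(contact)
        return {t: h for t, h in reached.items() if h > 0}


# Constructed sample contact graph (undirected adjacency); not real data.
SAMPLE_GRAPH: Dict[str, Set[str]] = {
    "A": {"B", "C"}, "B": {"A", "D"}, "C": {"A"},
    "D": {"B", "E"}, "E": {"D", "F"}, "F": {"E"},
}


def demo(policy=POLICY_2013, max_hops=3, hops=2):
    """Approve seed A (non-USP, HMC approval) and chain the requested number of hops."""
    reg = RasRegistry(policy)
    reg.submit("A", usp=False, submitter="analyst1")
    reg.approve("A", approver="hmc1", on="2013-03-01")
    return EAR(reg, max_hops).contact_chain(SAMPLE_GRAPH, "A", hops, user="analyst1")


if __name__ == "__main__":
    print(demo())                                  # {'B': 1, 'C': 1, 'D': 2}
    try:
        demo(POLICY_2014, max_hops=2, hops=3)
    except PermissionError as err:
        print("denied:", err)                      # third hop refused under the 2014 limit
```

The EAR refuses a third hop outright rather than trusting the analyst to have obtained S2 division management approval, which is the gap the report notes for 2013: the three-hop ceiling was enforced by software, but the two-hop-unless-approved policy was not. The bypass group is what the EAR-bypass procedure amounts to technically, so it is worth keeping that set empty by default and logging every membership change, as the report's supervisor-oversight and user-group notification steps do by hand.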
(U//FOUO) Emergency RAS approvals

(U//FOUO) Under the BR Order, the NSA Director (DIRNSA) or Acting DIRNSA can approve RAS for selection terms for querying BR metadata within two hops of the seed selection term only after the RAS standard has been met and only when responding to emergencies. When submitting a RAS request for emergency approval, [redacted] document the request and the justification for emergency approval in [redacted]. An HMC performs a first-level review, requests additional information from the [redacted] (as needed), and denies or endorses the emergency RAS request. If the HMC endorses, the RAS verification panel is immediately convened to review the supporting documentation and justification for requesting emergency approval. If the RAS request contains a selection term used by a USP, OGC performs a First Amendment review to determine that the basis for seeking RAS is not solely based on activities protected by the First Amendment. If the RAS verification panel concurs and there are no First Amendment concerns, the S2 Declarant, BR FISA Authority Lead, SV, and OGC brief the DIRNSA or Acting DIRNSA, who determines whether an emergency situation exists, the RAS standard has been met, and the RAS determination is not based solely on First Amendment protected activities. If the DIRNSA approves the emergency RAS request, OGC saves the approval documentation in [redacted], changes the disposition of the RAS request to "Approved" in [redacted], and notifies DoJ NSD of the emergency RAS approval. If immediate querying is required, S2I4 coordinates adding the designated [redacted] to the [redacted] user group in [redacted] (see the Querying section for EAR bypass procedures). Otherwise, the designated [redacted] must wait [redacted] for a series of system updates to complete before querying BR metadata using the emergency-approved selection term. The BR Order requires that, within seven days of the emergency RAS approval, DoJ NSD file a motion with the FISC on behalf of NSA concerning the emergency authorization.
(U//FOUO) If the FISC grants the motion, OGC enters the date the FISC approved the RAS request and records the supporting documentation in [redacted]. If the FISC denies the motion, NSA will take remedial action, including actions the FISC has directed. Figure 7 illustrates the emergency RAS approval process.

(U) Figure 7. Emergency RAS Approval Process [figure not reproduced]

(U//FOUO) On [redacted], the DIRNSA approved the first emergency querying since receiving this new mandate from the FISC on 5 February 2014. A motion was filed with the FISC within seven days of the approval of the emergency RAS request; on [redacted], the FISC approved RAS for the selection term.

(U//FOUO) Two-hop restriction for contact chaining. On 29 January 2014, NSA modified the EAR software system controls to restrict contact chaining to two hops from seed selection terms, as the President had directed. Before 17 January 2014, authorized NSA [redacted] could query BR FISA repositories two hops from seed selection terms and one additional hop (three hops from seed selection terms) with S2 division management approval.

(U) Table 16 summarizes the provisions of BR Order 13-158 for querying BR metadata and the controls NSA implemented to maintain compliance.

(U) Table 16. Querying Provisions and Controls

Provision: Seed selection terms must be approved by a designated approving official and also reviewed by OGC, if the selection term is used by a USP, before querying BR metadata for intelligence analysis purposes.
Control: In 2013, [redacted] controls ensured that one of the 22 designated approving officials approved RAS for selection terms and, if used by USPs, that OGC performed a First Amendment review. Selection terms were added to the RAS Approved List only after the required approvals were documented in [redacted].1

Provision: Approvals shall be given only after the designated approving official has determined that there are facts giving rise to RAS that the selection term to be queried is associated with a Foreign Power.
Control: [redacted] stores supporting documentation for justifying RAS and the authoritative list of foreign powers.

Provision: NSA shall ensure, through adequate and appropriate technical and management controls, that queries of the BR metadata for intelligence analysis purposes will be initiated using only a selection term that has been RAS approved.
Control: The EAR restricts contact chaining to only those seeds that are RAS approved by preventing all non-RAS-approved selection terms (e.g., expired, disapproved) from being used as seeds for conducting contact chaining.

Provision: RAS approvals must not exceed 180 days for selection terms reasonably believed to be used by a USP and 365 days for all other selection terms.
Control: [redacted] automatically changes the status of RAS-approved selection terms from "Approved" to "Expired" when expiration dates set by NSA are exceeded. In 2013, expiration dates were set at 90 days for selection terms associated with USPs and 180 days for all others.2

Provision: Results of contact chaining queries must not exceed three hops from seed selection terms.
Control: In 2013, the EAR limited the number of hops to three from the seed selection term for contact chaining.3

Provision: Technical personnel may query the BR metadata using selection terms that have not been RAS approved to perform processes needed to make it usable for intelligence analysis.
Control: SV reviews all query records for compliance with the BR Order.

Table notes:
1 (U//FOUO) On 26 February 2014, NSA began sending RAS requests to the FISC for approval to comply with the President's directive of 17 January 2014. On 28 February 2014, the FISC approved RAS for a selection term under this new process, and NSA began the process of manually entering into [redacted] the dates on which the FISC approved RAS for selection terms. [redacted] was updated to require that approval dates be entered into it before selection terms are added to the RAS Approved List. The [redacted] relies on RAS-approved selection terms being accurately entered into [redacted] by hand by authorized personnel. In 2014, NSA discovered instances of RAS-approved selection terms that were inaccurately entered into [redacted] by authorized personnel. In response, NSA implemented a two-person review for accuracy of RAS-approved selection terms manually entered into [redacted].
2 (U//FOUO) On [redacted], the expiration dates in [redacted] were changed to 173 days for selection terms used by USPs and 358 days for all others.
3 (U//FOUO) On 29 January 2014, software system controls were modified to limit the number of hops from seed selection terms to two to comply with the President's directive of 17 January 2014.

(U) Sharing and Dissemination

(U) Provisions of BR Order 13-158

(U//FOUO) Sharing. Results of intelligence analysis queries of BR metadata may be shared, before minimization, for intelligence analysis among NSA [redacted], subject to the requirement that all NSA personnel who receive query results in any form first receive appropriate and adequate training and guidance regarding the procedures for handling and disseminating such information.

(U//FOUO) Dissemination. NSA shall apply the minimization and dissemination requirements and procedures of Section 7 of U.S. Signals Intelligence Directive (USSID) SP0018 to any results from queries of the BR metadata, in any form, before the information is disseminated outside NSA in any form. In addition, before disseminating USP information outside NSA, the DIRNSA, the Deputy Director, or one of the officials listed in Section 7.3(c) of SP0018 (i.e., the Director of SID, the Deputy Director of SID, the Chief of Information Sharing Services (SIS), the Deputy Chief of SIS, and the Senior Operations Officer of the National Security Operations Center) must determine that the information identifying the USP is related to CT information and is necessary to understand the CT information or assess its importance (the "CT nexus"). Approximately every 30 days, NSA shall file with the Court a report that, among other things, includes a statement of the number of instances since the preceding report in which NSA has shared, in any form, results from queries of the BR metadata that contain USP information, in any form, with anyone outside NSA.
(U//FOUO) Sharing BR-unique information with authorized NSA personnel. NSA refers to "sharing" as providing query results internally to [redacted] and authorized NSA personnel. Sharing restrictions in the BR Order apply to query results of a USP. "BR-unique" is a term used by NSA that refers to contacts [redacted] within a chain solely derived from BR metadata. Oral or written depictions, manipulations, and summaries are also query results. Unless included in a disseminated report, BR-unique query results containing USP information are only shared with individuals who have the [redacted] credential. BR stakeholders manually check [redacted] to confirm that recipients have [the credential] before sharing BR-unique USP information, in any form. BR stakeholders also ensure that documents or files containing BR-unique USP information are only stored in access-controlled, personal or shared network locations accessible to cleared personnel and that BR-unique results containing USP information displayed in the workplace are not visible to [redacted] who do not [redacted].

(U) Disseminating BR-unique information

(U) Dissemination is the sharing of information outside NSA. The BR Order includes two provisions for disseminating information: the CT nexus requirement and the dissemination tracking requirement.

(U//FOUO) CT Nexus Requirement. The CT nexus requirement applies only to disseminations of BR query results containing USP information. The dissemination provisions of Section 7.3(c) of USSID SP0018 must be followed. If query results include USP information unique to BR metadata and the analyst needs to disseminate that information to an external customer, such as the FBI, then the CT nexus requirement must be met before disseminating the information in any form. However, if query results contain only foreign person information, the CT nexus requirement does not apply when disseminating BR information. The remainder of this section focuses on disseminating USP information derived from BR-unique metadata.
(U//FOUO) In accordance with USSID SP0018, if unminimized USP information is to be disseminated, one of the designated approval authorities must determine that the information is necessary to understand the foreign intelligence in the report before the information is released. This applies to all disseminations of unminimized USP information under all NSA authorities. The BR Order further requires that one of the approving authorities confirm that the information identifying a USP also relates to CT information and is necessary to understand the CT information or assess its importance. S1S stated that most disseminations of USP information derived from BR metadata [redacted].

[Redacted] There are two categories of BR disseminations: published disseminations [redacted] and other disseminations (e.g., oral briefings) to recipients external to NSA, such as the FISC, who are not receiving the information as part of their lawful executive or legislative oversight function. [Redacted] are used to disseminate SIGINT information that responds to [redacted]. [Redacted] reports are disseminated in a limited distribution to customers empowered to act on the information and to additional customers who have an operational need-to-know (e.g., FBI, NCTC, Central Intelligence Agency (CIA), Office of the Director of National Intelligence (ODNI)).

[Redacted] RFIs are requests by customers (e.g., FBI) for information from NSA. RFIs are usually requests requiring one-time, specific responses [redacted] topic or event [redacted]. [Redacted] variety of collection authorities to a wide [redacted] are not used to disseminate USP information unique to BR.

(U//FOUO) After one of the approving authorities listed in Section 7.3(c) of USSID SP0018 has approved the dissemination of USP information unique to BR, it is usually combined [with information from other] collection authorities to provide a more complete intelligence summary.
Otherwise, NSA masks the identities of [redacted] so that the [report] can be distributed widely and separately sends an Identities Release Memorandum only to those parts of the IC that need to know the person's identity.32 Only those recipients within the IC who receive both the [report] and the Identities Release Memorandum can determine the USP identity, and then only after submitting a formal, justified request that has been approved by one of the officials listed in Section 7.3(c) of USSID SP0018. Dissemination of BR information occurs most often in [redacted] reports. S1S stated that, even when NSA disseminates information using RFIs, [redacted] reports follow to formally document the dissemination.33 This allows the information requested by one IC customer, [redacted] IC customers, to be released through a wider, highly controlled distribution. Table 17 summarizes the BR reports disseminated in 2013.

32 (U//FOUO) Masking is the process of using generic identification terms in place of USP names, titles, or contextual identifiers so that the person's identity is not revealed in written or oral disseminations.

33 (U//FOUO) S214 confirmed that all RFIs containing BR-unique information have been followed up with [redacted] reports.

(U) Table 17. BR Reports Disseminated in 2013

BR Reports Disseminated: [redacted]
Total Selection Terms from BR: [redacted]
Total BR-Unique Selection Terms Reported: [redacted]
Total U.S. Contacts Reported: [redacted]

(U//FOUO) There were [redacted] additional disseminations in oral presentations. The NSA Director briefed the [redacted] and NSA made a presentation to the FISC.

(U//FOUO) The S1S Chief or Deputy Chief, two of the approving authorities designated in USSID SP0018, reviews the majority of the requests for disseminating USP information for all NSA authorities, including those unique to BR. Dissemination requests are usually approved the day they are received.
Senior Operations Officers (SOOs) in the National Security Operations Center (NSOC) are also authorized approvers for disseminating USP information and typically review and approve dissemination requests submitted after hours or in emergency situations. (U//FOUO) [Approval documentation] is stored in an access-controlled S1S network folder.34 Disseminations approved after hours by the SOOs are formally documented, normally the following business day, by S1S.35 The NSOC Senior Reporting Officer notifies [redacted].

(U//FOUO) Oral briefings that include USP information derived from BR-unique metadata to officials outside NSA occur less frequently. Normally, these briefings are provided by [redacted] leadership who are approving authorities for disseminating USP information under USSID SP0018. All other BR stakeholders coordinate approvals with one of the approving authorities before presenting information outside NSA. The CT division tracks oral briefings only, and S1S and S214 track all disseminations of USP information (published and oral), which are included in the 30-day reports filed with the FISC, as the BR Order requires.

34 [Redacted]

35 [Redacted]

(U//FOUO) Dissemination Tracking Requirement. The second provision of the BR Order that applies to USP information is the dissemination tracking requirement regarding BR-unique information. NSA tracks and reports to the FISC every instance in which NSA disseminates USP information derived from BR metadata.36 Approximately every 30 days, OGC requests from S1S and S214 the number of disseminated reports containing USP information from BR-unique metadata for input into the 30-day reports filed with the FISC. Although no longer required to track disseminations of foreign person information, S214 continues to track all disseminations of BR-unique information.
Disseminations were tracked manually until [redacted], NSA's corporate dissemination tracking tool, was implemented [redacted]. Since then, all disseminated reports containing BR-unique [information] have been tracked in [redacted]. [Redacted] completed the upload of [redacted] and past BR disseminations into [redacted].

Table 18 summarizes the provisions of BR Order 13-158 for sharing and disseminating information derived from BR query results and the controls implemented by NSA to maintain compliance.

36 (U//FOUO) Since 3 September 2009 (BR Order 09-13), NSA has been exempt from reporting in the 30-day reports to the FISC BR disseminations to the executive branch for oversight. On 3 January 2014 (the date the FISC approved BR Order 14-01), this reporting exemption was further extended to include BR disseminations to the legislative branch for oversight.

(U) Table 18. Sharing and Dissemination Provisions and Controls

Provision: (U) Results of intelligence analysis queries of the BR metadata may be shared, before minimization, for intelligence analysis purposes among NSA, subject to the requirement that all NSA personnel who receive query results in any form first receive appropriate and adequate training and guidance regarding the procedures and restrictions for handling and disseminating such information.

Control: (U//FOUO) BR stakeholders manually check [redacted], NSA's corporate authorization services tool, to confirm that recipients have [the required credential] before sharing BR-unique query results of a USP, in any form.

Provision: (U) Before disseminating USP information outside NSA, the NSA Director, the Deputy Director, or one of the officials listed in Section 7.3(c) of USSID SP0018 must determine that the information identifying the USP is related to CT information and that it is necessary to understand the CT information or assess its importance.

Control: (U//FOUO) One of the designated approvers (usually the S1S Chief or Deputy Chief) verifies that the CT nexus has been met before disseminating USP information in any form.
The approving documentation is independently maintained by S1S for internal recordkeeping and for external review by overseers.

Provision: (U) Approximately every thirty days, NSA shall file with the Court a report that, among many things, includes a statement of the number of instances since the preceding report in which NSA has shared, in any form, results from queries of BR metadata that contain USP information, in any form, with anyone outside NSA.

Control: (U//FOUO) S1S and S214 independently track the number of disseminations since the preceding report in which NSA has shared, in any form, results from queries of BR metadata that contain USP information, in any form, with anyone outside NSA. The CT division (S2I) tracks oral disseminations only. This data is collectively provided to OGC for input into the 30-day reports filed with the FISC.

(U) Retention

(U) Provisions of BR Order 13-158

(U) The BR Order requires that BR metadata be destroyed no later than five years (60 months) after its initial collection.

(U) BR age-off process

(U//FOUO) To remain compliant with the five-year retention requirement, NSA [redacted] completed its first BR age-off in May 2011. [Redacted]

(U//FOUO) Based on guidance from OGC, BR retention compliance is determined using the date when records are received from providers, not the call communication date. Record receipt date is the date on which providers electronically deliver BR metadata to NSA. Call communication date is the date on which a telephone call is made from one selection term to another.38

(U) Timing differences with call communication dates and record receipt dates

[Redacted] Because of these differences, NSA tracks record receipt dates for BR metadata
to document compliance with [redacted].

(U) Quarantine process

[Redacted]37

37 (U//FOUO) In September 2013, the DoJ Civil Division directed NSA to preserve all records relating to the collection of BR metadata under the BR FISA program as a result of civil lawsuits against NSA. To comply with the preservation order, NSA did not age off data with record receipt dates exceeding 60 months in 2014. This data was saved in partitions within NSA system repositories inaccessible to analysts.

38 (U) Selection terms also refer to identifiers used in dialed number recognition (e.g., telephone numbers).

(U) 2013 age-off

[Redacted]

(U//FOUO) Table 19. 2013 BR Age-Off Procedures

[Table content redacted]

(U) Changes that affected the 2014 age-off

(U//FOUO) In September 2013, DoJ's Civil Division directed NSA to preserve all records relating to the collection of BR metadata under the BR FISA program as a result of civil lawsuits against NSA. This affected the age-off performed during 2014: BR metadata that would have been aged off to comply with the BR Order was retained to comply with the preservation obligation. This data was saved in partitions within NSA system repositories inaccessible to [analysts]. On 12 March 2014, the FISC granted the government's motion for temporary relief from the five-year destruction requirement pending resolution of the preservation litigation filed by plaintiffs.39 As permitted by the BR Order, [redacted] continue to [redacted] purposes the repository that contains BR metadata received on or after the [redacted] retention cutoff date [redacted] RAS-approved selection terms.

39 [Redacted]

Table 21 summarizes the provision of BR Order 13-158 for retention and the control implemented by NSA to maintain compliance.

(U) Table 21. Retention Provision and Control
Provision: (U//FOUO) BR metadata must be destroyed no later than five years after its initial collection.

Control: (U//FOUO) See Table 19 for the procedures performed to age off BR metadata to comply with the BR Order in 2013.

(U) Oversight

(U) Provisions of BR Order 13-158

(U) OGC and ODOC will ensure that personnel with access to BR metadata receive appropriate and adequate training and guidance regarding the procedures and restrictions for collection, storage, analysis, dissemination, and retention of the BR metadata and the results of queries of the BR metadata. OGC and ODOC will further ensure that all NSA personnel who receive query results in any form first receive appropriate and adequate training and guidance regarding the procedures and restrictions for handling and disseminating such information. NSA will maintain records of all such training. OGC will provide DoJ NSD with copies of all formal briefing and/or training materials (including all revisions) used to brief/train NSA personnel concerning this authority.

(U) ODOC will monitor implementation and use of the software and other controls (including user authentication services) and the logging of auditable information referenced in the previous paragraph.

(U) NSA will ensure that an auditable record is generated whenever BR metadata is accessed for foreign intelligence analysis or accessed using foreign intelligence analysis query tools.

(U) OGC will consult with DoJ NSD on all significant opinions that relate to the interpretation, scope, and/or implementation of this authority. When operationally practicable, such consultation will occur in advance; otherwise, DoJ NSD will be notified as soon as practicable.

(U) At least once during the authorization period, OGC, ODOC, DoJ NSD, and any other appropriate NSA representatives will meet for the purpose of assessing compliance with the Court's orders.
Included in this meeting will be a review of monitoring and assessment to ensure that only approved metadata is being acquired. The results of this meeting will be reduced to writing and submitted to the Court as part of any application to renew or reinstate the authority.

(U) At least once during the authorization period, DoJ NSD will meet with the OIG to discuss their oversight responsibilities and assess compliance with the Court's orders.

(U) At least once during the authorization period, OGC and DoJ NSD will review a sample of the justifications for RAS approvals for selection terms used to query the BR metadata.40

(U) NSA oversight

(U//FOUO) In addition to the oversight requirements listed in the BR Order, NSA performs additional oversight, not required in the Order, to ensure compliance. The organizations and the oversight performed are described next.

(U//FOUO) BR FISA Authority Lead. [Redacted] is the focal point for the BR program within SID, reporting to the CT Associate Deputy Director, who reports to the SID Director. The BR FISA Authority Lead's responsibilities include:

- Chairing weekly BMD meetings;
- Ensuring appropriate program direction and proper program functioning;
- Signing declarations to the FISC during renewal; and
- Ensuring that the BR authority is used as described in the BR Order.

(U//FOUO) Weekly BMD meetings are held to discuss BR FISA program activities to ensure compliance with the BR Order. They include representatives from OGC, ODOC, TV, SV, GTO, DIAs, TD, the Counterterrorism Production Center (S2I), OIG, and other organizations involved in the BR FISA program. Agendas and notes are maintained for each meeting.

40 (U//FOUO) As of 28 March 2014 (BR Order 14-67), the FISC no longer required OGC and DoJ NSD to conduct periodic reviews of RAS-approved selection terms. The government sought this change as a result of the President's directive of 17 January 2014 that NSA submit selection terms to the FISC for RAS approval.
(U//FOUO) Authorities Integration Group (AIG). The AIG reports directly to the Deputy DIRNSA. The AIG works directly with SID and Information Assurance Directorate authority leads, including the BR FISA Authority Lead, and holds weekly meetings with the authority leads and corporate process leads (e.g., TD, ODOC, OGC). The AIG focuses on the activities for each authority, both internal and external, to ensure that they are coordinated and integrated across NSA. The AIG acts as a "forcing function" within NSA, facilitating discussion among the Directorates to promote a better understanding of how decisions affect the various authorities. The AIG updates the Deputy DIRNSA quarterly on each authority.

(U) ODOC. In 2009, NSA created the position of Director of Compliance to improve the Agency's ability to keep activities consistent with the laws, policies, and procedures designed to protect USP privacy during SIGINT and information assurance missions. ODOC has specific functions with the BR FISA program outlined in the Order. The Assistant Director for Special Compliance Activities is ODOC's representative to the BR program. Some of the Assistant Director's responsibilities include:

- (U) Involvement in all decisions related to the program,
- (U) Participating in weekly BMD meetings,
- (U) Updating BR FISA program training material,
- (U) Participating in quarterly compliance meetings with DoJ NSD, and
- (U) Leading the verification of accuracy process.

(U//FOUO) The BR FISA program has been designated a special compliance activity (SCA) since 2009, that is, an NSA mission activity determined to require additional tailored compliance safeguards to ensure the protection of USP privacy. When an activity is identified as an SCA, ODOC becomes active in all aspects of implementing the SCA until it is determined that it is sufficiently underpinned by the Comprehensive Mission Compliance Program and significant risks have been mitigated. The Comprehensive Mission Compliance Program provides a
framework and strategy to organize, govern, and resource compliance activities across NSA.

(U//FOUO) An activity may become an SCA when:

- (U//FOUO) external overseers (e.g., DoJ NSD, FISC, Congress) have a heightened sensitivity about an activity or the means by which NSA is executing an activity;
- (U//FOUO) legal, policy, compliance, or oversight elements determine that an activity requires attention to understand the application of compliance measures and potential risks; or
- (U//FOUO) NSA identifies an activity or process that may be out of [compliance] with oversight and compliance regulations and policies, thus making NSA vulnerable to compliance incidents.

(U//FOUO) Recognizing the critical importance of the completeness and accuracy of documentation filed with external entities, ODOC developed line-by-line accuracy procedures, known as verification of accuracy (VoA). These procedures provide greater assurance that the representations NSA makes to external overseers are accurate and based on a shared understanding among operational, technical, legal, policy, and compliance officials. NSA uses the VoA process during the application process to the Court when requesting renewal of the BR Order.

(U//FOUO) OGC. OGC has specific functions with the BR FISA program outlined in the Order. One requirement is that OGC consult with DoJ NSD on all significant opinions that relate to the interpretation, scope, or implementation of the authority. The lead OGC BR attorney, assigned from January 2013 to September 2014, stated that OGC consults with DoJ NSD on all significant opinions. OGC saves all correspondence discussing significant legal opinions with DoJ NSD in an access-controlled network folder.

(U//FOUO) In 2013, NSA OGC met with DoJ NSD at least once during each BR authorization period to review a sample of the justifications for RAS approvals for selection terms used to query BR metadata. However, as of 28 March 2014 (BR Order 14-67), the FISC no longer required OGC and DoJ NSD to conduct periodic reviews of RAS-approved selection terms.
The government sought this change as a result of a January 2014 presidential directive under which NSA began submitting selection terms to the FISC for RAS approval. In addition to the oversight requirements listed in the Order, OGC defined its BR FISA program responsibilities as:

- Addressing all legal questions from BR FISA program stakeholders;
- Coordinating all interaction with DoJ;
- Coordinating the filing of 30-day reports and renewal documents;
- Leading quarterly compliance reviews with DoJ NSD;
- Performing First Amendment reviews for USP RAS approvals (before 17 January 2014);
- (U//FOUO) Coordinating RAS requests and submitting them to DoJ NSD for approval by the FISC (on and after 17 January 2014); and
- [Redacted].

(U//FOUO) SV. SV implements the SIGINT compliance program across NSA, particularly within SID, enabling the mission to operate in compliance with laws, policies, and other guidance. SV provides guidance across the global SIGINT enterprise, manages compliance incidents, monitors compliance in high-risk areas, resolves problems, and verifies compliance through site visits, audits, and management of the SIGINT Intelligence Oversight Officer program. SV performs two main oversight functions for the BR FISA program: (1) managing access by verifying training requirements semi-weekly for persons who have the [redacted] credential and for persons included in the FISABR user group in [redacted], and (2) auditing all BR queries performed using query tools by mission and technical personnel to verify compliance with the requirements of the BR Order. SV's process for verifying training and managing access can be found in the Access and Training section. As the BR Order requires, whenever BR metadata is accessed for foreign intelligence analysis or accessed using foreign intelligence analysis query tools, an auditable record of activity is generated. Although not required by the BR Order, NSA audits all query records.
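As an added illustration of the querying controls described earlier (RAS-approved seeds only, automatic expiry, a hop limit) and of the query-record review that SV performs, the following Python models an EAR-style gate and a point-in-time audit run over constructed query records. This is example code written for this page, not code from the report or from any NSA system; the field names, credential set, tool behaviour and sample records are assumptions, while the 90/180-day expiry settings and the three-hop limit are the 2013 values the report gives.

```python
"""Point-in-time audit of BR contact-chaining query records.

Added illustration; not code from the report or from any NSA system. It models
the two querying controls the report describes: an EAR-style gate (a seed must
hold a non-expired, non-disapproved RAS approval at the moment of the query,
and a chain may not exceed the hop limit) and an SV-style 100 percent review
of query records against the same rules. Field names, the credential set and
the sample records are constructed; the 90/180-day expiry settings and the
three-hop limit are the 2013 values the report gives.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

EXPIRY_DAYS = {True: 90, False: 180}   # keyed by "term believed used by a USP"
HOP_LIMIT_2013 = 3                     # reduced to two after the January 2014 directive


@dataclass(frozen=True)
class RasApproval:
    term: str                      # selection term, e.g. a telephone number
    approved_on: date
    usp: bool                      # reasonably believed to be used by a USP
    disapproved_on: Optional[date] = None

    def expires_on(self) -> date:
        return self.approved_on + timedelta(days=EXPIRY_DAYS[self.usp])

    def status_on(self, when: date) -> str:
        """Status as of `when`, not as of today: an audit must reconstruct the
        state the gate saw when the query actually ran."""
        if self.disapproved_on is not None and when >= self.disapproved_on:
            return "Disapproved"
        if when > self.expires_on():
            return "Expired"
        return "Approved"


class RasList:
    """The RAS Approved List; the latest approval on or before the query date governs."""

    def __init__(self, approvals: Iterable[RasApproval]) -> None:
        self._by_term: Dict[str, List[RasApproval]] = {}
        for a in approvals:
            self._by_term.setdefault(a.term, []).append(a)

    def status_on(self, term: str, when: date) -> str:
        candidates = [a for a in self._by_term.get(term, []) if a.approved_on <= when]
        if not candidates:
            return "Not RAS approved"
        return max(candidates, key=lambda a: a.approved_on).status_on(when)


@dataclass(frozen=True)
class QueryRecord:
    analyst: str
    seed: str
    hops: int
    ran_on: date
    purpose: str                   # "analysis" or "technical"


def ear_gate(rec: QueryRecord, ras: RasList, credentialed: Set[str],
             hop_limit: int = HOP_LIMIT_2013) -> List[str]:
    """Return the reasons a query would be blocked; an empty list means it may run.
    Technical (non-analysis) queries may use non-RAS terms but still need the credential."""
    reasons: List[str] = []
    if rec.analyst not in credentialed:
        reasons.append("querier lacks the BR credential")
    if rec.purpose == "analysis":
        status = ras.status_on(rec.seed, rec.ran_on)
        if status != "Approved":
            reasons.append(f"seed {rec.seed} was {status} on {rec.ran_on}")
        if rec.hops > hop_limit:
            reasons.append(f"{rec.hops} hops exceeds the limit of {hop_limit}")
    return reasons


def audit(records: List[QueryRecord], ras: RasList, credentialed: Set[str],
          hop_limit: int = HOP_LIMIT_2013) -> Dict[int, List[str]]:
    """Review every record; map record index -> findings, for non-compliant records only."""
    findings: Dict[int, List[str]] = {}
    for i, rec in enumerate(records):
        reasons = ear_gate(rec, ras, credentialed, hop_limit)
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample data (not from the report).
RAS = RasList([
    RasApproval("+1-555-0100", date(2013, 1, 10), usp=True),       # expires 2013-04-10
    RasApproval("+44-20-555-0199", date(2013, 3, 1), usp=False),   # expires 2013-08-28
    RasApproval("+1-555-0177", date(2013, 2, 1), usp=True, disapproved_on=date(2013, 2, 20)),
])
CREDENTIALED = {"analyst_a", "analyst_b", "tech_x"}
SAMPLE_RECORDS = [
    QueryRecord("analyst_a", "+1-555-0100", 3, date(2013, 4, 5), "analysis"),      # compliant
    QueryRecord("analyst_a", "+1-555-0100", 2, date(2013, 4, 15), "analysis"),     # seed expired
    QueryRecord("analyst_b", "+44-20-555-0199", 4, date(2013, 5, 1), "analysis"),  # four hops
    QueryRecord("analyst_b", "+1-555-0177", 1, date(2013, 3, 1), "analysis"),      # seed disapproved
    QueryRecord("tech_x", "+1-555-0000", 0, date(2013, 6, 1), "technical"),        # non-RAS term, permitted
    QueryRecord("intern_z", "+1-555-0100", 1, date(2013, 2, 1), "analysis"),       # no credential
]

if __name__ == "__main__":
    for idx, why in sorted(audit(SAMPLE_RECORDS, RAS, CREDENTIALED).items()):
        print(f"record {idx}: " + "; ".join(why))
```

The check that matters for an after-the-fact review is that RAS status is evaluated as of the query date rather than the review date: a seed that has since expired or been disapproved was still valid for queries run inside its window, and a seed approved after a query does not make that query compliant. The hop limit is a parameter so the same review can be run against the two-hop limit adopted in 2014.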
(U//FOUO) SV verifies that only authorized personnel with the required credentials queried BR metadata, that selection terms used to query BR metadata for intelligence analysis were RAS approved at the time of the query, and that queries for intelligence analysis remained within the authorized number of hops from RAS-approved seeds, as the BR Order requires. For the last two checks, SV verifies manually that the EAR software system controls are working as intended. SV stated that it has never found an instance of the EAR allowing a non-compliant query to complete. In 2013, SV audited all [redacted] query records for that year.

(U) Additional SV responsibilities include:

- (U) Ensuring that SID incident reports are entered timely into the corporate incident reporting database;
- (U) Assisting in the development of oversight and compliance courses;
- Providing BR query statistics and [redacted] metrics reports to SID leadership;
- Providing credentialing data for [redacted];
- Maintaining the content of and access to the SV BR SharePoint site for storing BR FISA program documentation;
- (U//FOUO) Performing VoAs for statements assigned to SV in the BR Declarations; and
- Coordinating with OGC on additions of [redacted] to the [redacted] list.

(U//FOUO) In 2013, SV also assisted DoJ NSD in its periodic review of RAS-approved selection terms used for querying BR metadata. SV provided DoJ NSD with RAS justifications and supporting documentation for each review. As previously mentioned in the OGC Oversight section, the periodic reviews of RAS-approved selection terms were discontinued pursuant to BR Order 14-67, 28 March 2014.

(U//FOUO) TV. TV is responsible for identifying, assessing, tracking, and mitigating compliance risks, including USP privacy concerns, in NSA mission systems across the extended enterprise, including systems that hold BR metadata. TV manages the system compliance certification process, continuous compliance monitoring, and technical compliance incident management, and conducts training and awareness for technical personnel.
TV attends the weekly BMD meetings and performs VoAs for areas assigned to it in the BR Declarations.

(U//FOUO) OIG. OIG conducts audits, special studies, inspections, investigations, and other reviews of programs and operations of NSA and its affiliates. OIG oversight includes:

- Performing audits and special studies of the BR FISA program;
- Meeting with DoJ NSD at least once during each BR authorization period to discuss oversight responsibilities, compliance with the BR Order, the status of OIG reviews, and important developments affecting the BR FISA program (notes from these meetings are documented in [redacted]);
- (U//FOUO) Receiving notification of incident reports for all NSA authorities, including BR FISA, saved in the Agency's corporate incident reporting database;
- Reviewing Congressional Notifications and notices filed with the FISC of incidents of non-compliance with the BR Order;
- Preparing Intelligence Oversight Quarterly Reports, in coordination with the DIRNSA and OGC, that summarize compliance incidents for all authorities occurring during quarterly review periods and forwarding the reports to the President's Intelligence Oversight Board through the Assistant to the Secretary of Defense for Intelligence Oversight (ATSD(IO));41
- (U//FOUO) Performing IO reviews during OIG inspections of joint and field sites;
- Attending weekly BMD meetings for situational awareness;
- Maintaining the OIG Hotline and responding to complaints of violations of law, rule, or regulation (the OIG also investigates allegations of misuse by NSA affiliates operating under the SIGINT authority); and
- Reporting immediately to the ATSD(IO) any development or circumstance involving an intelligence activity or intelligence personnel that could impugn the reputation or integrity of the IC or otherwise call into question the propriety of an intelligence activity.
(U//FOUO) The OIG reviews management controls, maintains awareness of compliance incidents, and stays informed of changes affecting NSA authorities, including BR FISA. OIG reviews of the BR FISA program allow it to independently assess compliance with the BR Order. Since 24 May 2006, the date the original BR Order was signed, the OIG has completed five BR FISA program reviews. Table 22 summarizes OIG reviews of the program.

(U) Table 22. OIG Reviews of the BR FISA Program

- Assessment of Management Controls for Implementing the FISC Order: Telephony BR (ST-06-0018), 09/05/[year illegible]: Reviewed collection, processing, analysis, dissemination, and oversight controls.
- NSA Controls for BR Orders (ST-10-0004), 05/21/10: Reviewed querying and dissemination controls; summarized pilot test results for January through March 2010.
- Audit of NSA Controls to Comply with the FISC Order Regarding BR [report number illegible], 05/25/11: Reviewed querying and dissemination controls; summarized the test results for 2010.*
- Audit of NSA Controls to Comply with the FISC Order Regarding BR Retention (ST-11-0011), 10/20/11: Verified age-off of BR metadata in 2011 to maintain compliance with the 60-month retention requirement of the BR Order.
- NSA Controls to Comply with the FISC Order Regarding BR Collection (ST-12-0003), 08/01/12: Reviewed collection and sampling controls for ensuring that NSA receives only the BR metadata authorized by the BR Order.

* (U//FOUO) This report summarized test results of the BR querying and dissemination controls during 2010.

41 (U//FOUO) In 2014, the ATSD(IO) was changed to the Office of the Senior DoD Intelligence Oversight Official.

(U) External oversight

(U) DoJ NSD. DoJ NSD is the liaison between NSA and the FISC for the BR FISA program. DoJ NSD oversight includes the following:

- (U) Coordinating 90-day renewal applications;
- Providing guidance to NSA OGC on all significant legal opinions relating to the interpretation, scope, and implementation of
the BR authority;
- (U//FOUO) Reviewing NSA briefings and training transcripts to ensure that they accurately describe the requirements of the BR Order before NSA incorporates material into its training program (e.g., OVSC1205, OVSC1206);
- (U//FOUO) Meeting with OIG at least once during each BR authorization period to discuss oversight responsibilities and NSA compliance with the BR Order (proposed initiatives and other important developments affecting the BR FISA program are also discussed with the OIG); and
- (U) Meeting with OGC, ODOC, and other NSA stakeholders at least once during BR authorization periods to assess compliance. DoJ NSD meets with OGC, ODOC, and the BR FISA Authority Lead to review the Quarterly Compliance Report that summarizes the results of weekly tests NSA performed to ensure that NSA is receiving only authorized data. DoJ NSD submits summaries of these meetings in writing to the FISC as part of applications to renew the authority.

(U//FOUO) In 2013, DoJ NSD met with NSA OGC and SV at least once each BR authorization period to review a sample of the justifications for RAS approvals for selection terms used to query BR metadata. For RAS selection terms approved in 2013, DoJ NSD sampled 100 percent of the USP RAS selection terms and 20 percent of the foreign RAS selection terms. As mentioned in the OGC Oversight section, DoJ NSD and OGC periodic reviews of RAS selection terms were discontinued pursuant to BR Order 14-67, dated 28 March 2014. NSA now submits selection terms to the FISC for RAS approval to comply with the President's January 2014 directive. Table 23 summarizes DoJ NSD sampling of RAS selection terms approved in 2013.

(U//FOUO) Table 23. DoJ NSD Sample of RAS Selection Terms Approved in 2013

[Table values redacted]

* (U//FOUO) Estimate calculated using DoJ NSD sampling methodology (sample 20 percent of foreign selection terms for review).
** Data includes RAS selection terms that may have been approved more than once in 2013.
(U//FOUO) ODNI. ODNI representatives attend DoJ NSD meetings with OGC, ODOC, and the BR FISA Authority Lead to review the Quarterly Compliance Report. Although ODNI does not have a formal role described in the BR Order, it participates in its general role as an overseer of IC activities.

(U//FOUO) FISC. The FISC is the approving authority for all renewals, amendments, and reinstatements of the BR authority and, starting in February 2014, for RAS for selection terms NSA submits. The FISC approves the BR Primary Orders that authorize NSA to acquire bulk BR FISA metadata and the BR Secondary Orders that compel providers to deliver bulk BR FISA metadata to NSA daily for the duration of the Order. The FISC performs oversight by receiving filings of Rule 13(a) Notices (Correction of Material Facts) and Rule 13(b) Notices (Disclosure of Non-Compliance) submitted by DoJ NSD on behalf of NSA. The FISC also reviews the 90-day renewal applications and the 30-day reports that NSA files. The 30-day reports document NSA's application of the RAS standard (no longer applies after March 2014); the implementation and operation of the automated query process (no longer applies after March 2014; NSA never implemented the process and withdrew its request to do so); a description of significant changes in the way in which the BR metadata is received from providers and significant changes to the controls NSA has in place to receive, store, process, and disseminate BR metadata; and the number of instances since the preceding report in which NSA disseminated, in any form, USP information outside NSA. The 30-day reports also include an attestation that the CT nexus determination was completed and that disseminations were approved by a designated approving authority before USP information derived from BR-unique metadata was disseminated.

(U) Table 24 summarizes the provisions of BR Order 13-158 for oversight and the controls implemented by NSA to maintain compliance.

(U) Table 24.
Oversight Provisions and Controls

Provision (BR Order 13-158): (U//FOUO) OGC and ODOC will ensure that personnel with query access to BR metadata receive appropriate and adequate training and guidance regarding the procedures and restrictions for collection, storage, analysis, dissemination, and retention of the BR metadata and the results of queries of the BR metadata. OGC and ODOC will ensure that all NSA personnel who receive query results in any form first receive appropriate and adequate training and guidance regarding the procedures and restrictions for the handling and dissemination of such information. NSA will maintain records of all such training. OGC will provide NSD copies of all formal briefing and training materials (including all revisions) used to train NSA personnel concerning the authority.
Control implemented by NSA: See Table 14, Access and Training Provisions and Controls.

Provision: ODOC will monitor implementation and use of software and other controls (including user authentication services) and the logging of auditable information referenced above.
Control implemented by NSA: SV performs 100 percent audits of queries performed using query tools by mission and technical personnel to verify that only authorized personnel who have the required credentials queried BR metadata, that selection terms used to query BR metadata for intelligence analysis purposes were RAS approved at the time of the query, and that queries for intelligence analysis purposes remained within the number of authorized hops from RAS-approved seeds.

Provision: NSA's OGC will consult with NSD on all significant opinions that relate to the interpretation, scope, and/or implementation of this authority.
Control implemented by NSA: NSA OGC confirmed that NSA has always consulted with and received advance approval from NSD and the FISC before implementing significant changes to the BR FISA program. NSA OGC saves all correspondence with NSD in an access-controlled network folder.

Provision: At least once during the authorization period, OGC, ODOC, DoJ NSD, and any other appropriate NSA representatives will meet to assess compliance with the Court's orders. Included in this meeting will be a review of monitoring and assessment to ensure that only approved metadata is acquired. The results of this meeting will be reduced to writing and submitted to the Court as part of any application to renew or reinstate the authority.
Control implemented by NSA: NSD meets with OGC, ODOC, and the BR Lead to review the Quarterly Compliance Report, which summarizes the results of weekly tests performed by NSA to ensure that it is receiving only the BR metadata authorized by the Order. NSD submits summaries of these meetings in writing to the FISC as part of the applications to renew the authority.

Provision: At least once during the authorization period, NSD will meet with the NSA's OIG to discuss their respective oversight responsibilities and assess compliance with the Court's orders.
Control implemented by NSA: NSA OIG meets with NSD at least once during BR authorization periods to discuss oversight and compliance with the requirements of the Order. Notes from these meetings are documented in [redacted].

Provision: At least once during the authorization period, OGC and DoJ NSD will review a sample of the justifications for RAS approvals for selection terms used to query the BR metadata.
Control implemented by NSA: In 2013, NSA OGC and SV met with DoJ NSD at least once during BR authorization periods and reviewed a sample of the justifications for RAS approvals for selection terms used to query the BR metadata.*

* As of 28 March 2014 (BR Order 14-67), the FISC no longer required OGC and DoJ NSD to conduct periodic reviews of RAS-approved selection terms. The government sought this change as a result of the President's January 2014 directive, under which NSA began submitting selection terms to the FISC for RAS approval.

(U) BR FISA Program Incidents of Non-Compliance

(U//FOUO) FISC Rules of Procedure require that NSA report "corrections of material facts" and "disclosures of non-compliance" with FISC Orders.
NSA also must determine whether Congressional notifications are required. Our review focused on the process for identifying and reporting incidents of non-compliance, the incidents reported in 2013 to the Court and other external overseers, and the controls NSA has instituted to mitigate recurrence of compliance incidents.

ST-14-0002

(U) FISC Rules of Procedure

(U) The FISC Rules of Procedure, 1 November 2010, adopted pursuant to 50 U.S.C. 1803(g), govern FISC proceedings. Rule 13, Correction of Misstatement or Omission; Disclosure of Non-Compliance, is the procedure that NSA follows when notifying the Court, through DoJ NSD, of BR FISA misstatements and compliance incidents.

(U) Rule 13(a) Correction of Material Facts
(U) If the government discovers that a submission to the Court contained a misstatement or omission of material fact, the government must immediately, in writing, inform the Judge to whom the submission was made of:
(1) (U) the misstatement or omission;
(2) (U) necessary corrections;
(3) (U) the facts and circumstances relevant to the misstatement or omission;
(4) (U) modifications the government has made or proposes to make in how it will implement any authority or approval granted by the Court; and
(5) (U) how the government proposes to dispose of or treat information obtained as a result of the misstatement or omission.
(U) Rule 13(b) Disclosure of Non-Compliance
(U) If the government discovers that any authority or approval granted by the Court has been implemented in a manner that did not comply with the Court's authorization or approval or with applicable law, the government must immediately, in writing, inform the Judge to whom the submission was made of:
(1) (U) the non-compliance;
(2) (U) the facts and circumstances relevant to the non-compliance;
(3) (U) modifications the government has made or proposes to make in how it will implement any authority or approval granted by the Court; and
(4) (U) how the government proposes to dispose of or treat information obtained as a result of the non-compliance.

(U) Identifying and Reporting Incidents of Non-Compliance

(U) Identifying incidents of non-compliance
(U//FOUO) NSA typically discovers incidents of non-compliance with the BR Order during its operation of the BR program. Because of the program's sensitivity, suspected anomalies are reported out of an abundance of caution. Training, a pillar of the compliance framework, provides a heightened sense of awareness for personnel to identify potential violations of the BR Order. A second pillar, monitoring and assessment, includes manual and technical controls to detect abnormalities. A weekly BMD meeting, attended by BR FISA program stakeholders, provides a forum for addressing potential problems. When a possible incident is discovered, it is communicated to the BR FISA Authority Lead, OGC, ODOC, SV, and, if appropriate, TV. [redacted] and BR FISA program stakeholders meet to discuss the facts and determine, with OGC concurrence, whether a potential violation of the Order has occurred. If OGC believes an incident has or may have occurred, even if all the facts have not been gathered, preliminary notification to DoJ NSD is made shortly after notice to the DIRNSA, other NSA leadership, BR FISA program stakeholders, and OIG. Upon receiving initial notification
from OGC, DoJ NSD starts drafting a preliminary notification to the Court.

(U//FOUO) Once the facts have been gathered and OGC has made an initial determination that a violation of the BR Order has occurred, OGC finalizes a notification of non-compliance and forwards it to DoJ NSD, which makes the final determination as to whether there has been an incident of non-compliance that must be reported to the FISC. If DoJ NSD determines that an incident has occurred, it prepares a draft notification to the Court, coordinates the notification with NSA, finalizes the draft, and files the notification with the Court. DoJ NSD often files a preliminary notification with the Court and, if needed, follows up later with additional notifications. In some cases, the preliminary notification of an incident serves as the final notice. More than one notice to the Court to address an incident is typically required when, at the time of the preliminary notification:
- (U//FOUO) NSA does not have all the facts the Court needs to fully understand or address the incident, or
- (U//FOUO) remedial follow-on action may be needed.

(U//FOUO) Of the four incidents of non-compliance first reported to the Court in 2013, two required additional information; therefore, final notices were filed separately. One of the incidents included a notice of material misstatement because NSA had previously filed a declaration to the Court that contained inaccurate information.

(U) Congressional notifications
(U//FOUO) In addition to the requirement to notify the FISC, DIRNSA has a statutory obligation to keep the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence fully and currently informed of all significant intelligence activities.42 NSA resolves doubts about notification in favor of notification. In addition to notifying Congress and the Director of National Intelligence (DNI), DIRNSA must notify the Undersecretary of Defense for Intelligence and other staff, as guidance directs.
For all BR FISA incidents of non-compliance reported by Congressional notification to the intelligence committees, NSA also notifies the Senate and House Committees on the Judiciary.

(U//FOUO) The Legislative Affairs Office (LAO) manages liaison with the Congress and the DNI, the IC, and other U.S. government departments and agencies regarding matters of concern to the Congress. LAO is the focal point for Congressional inquiries, correspondence, questions for the record, and [redacted] directed to NSA. NSA Policy 1-33, Relations with the Congress, 22 July 2005, provides guidelines for identifying matters that OGC and LAO must consider reporting to the Congressional intelligence committees under 50 U.S.C. §§3091 and 3092. The guidelines do not constitute a comprehensive list of what must be reported. Compliance incidents are assessed under a general guideline to consider for reporting matters that the intelligence committees have expressed a continuing interest in or which otherwise qualify as significant intelligence activities or failures. NSA works to keep the Congressional intelligence committees fully and currently informed about the Agency's activities, beyond what is required under the guidelines outlined in Policy 1-33.

Footnote 42: (U) See 50 U.S.C. §3091, as implemented by Intelligence Community Directive 112, Congressional Notification, 16 November 2011.

(U//FOUO) NSA's analysis of the incidents of non-compliance that occurred in the BR FISA program in 2013 resulted in three of the four incidents being reported as Congressional notifications.

(U) 2013 Incidents of Non-Compliance

(U//FOUO) In 2013, NSA reported four incidents of non-compliance to the Court. The following are reports of the incidents and the actions NSA took to mitigate recurrence.

Notice of [redacted]
[redacted] an NSA analyst conducted a query of the BR metadata with an approved U.S. person selection term (the U.S. person is currently subject to Court-authorized electronic surveillance) [redacted] identifiers believed [redacted] tasking, to an e-mail alias that included NSA personnel who had not received the training required to receive query results containing [redacted]. The analyst also entered the identifiers into certain analytic and tasking tools to which NSA personnel without the required BR metadata training have access. The same day, the analyst's NSA supervisor realized that the U.S. person identifiers had been shared, within NSA, with personnel who had not received the training required to receive them. The supervisor took steps to immediately detask the identifiers, delete them from the analytic tools, and recall the e-mail message, processes which had been successfully completed on or about March 22, 2013. The analytic and tasking tools had returned no collection or results, and a follow-up e-mail was sent to all addresses on the e-mail alias instructing that anyone without the required training should destroy all copies of the original e-mail sent to the alias. OGC determined that no Congressional notification was required for this incident.

Controls put in place to mitigate recurrence
(U//FOUO) The BR Order provides that results of queries of BR metadata may be shared among NSA [redacted] for intelligence analysis before minimization, subject to the requirement that all NSA personnel who receive query results in any form first receive appropriate and adequate training and guidance regarding the procedures and restrictions for handling and disseminating such information. [redacted] who run queries and obtain results on BR metadata receive annual OVSC1205 training regarding the rules and restrictions on sharing BR metadata query results. Before [redacted] share BR-derived query results containing USP information, they must confirm that the recipient has the credential to receive BR metadata information.
[redacted] are reminded to [redacted]. To help mitigate recurrence, the analyst's supervisor reiterated to the analyst the requirements for sharing BR metadata query results and the portions of the OVSC1205 training related to sharing.

Notice of [redacted]
[redacted] NSA technical personnel discovered that NSA had inadvertently retained files containing call detail records that were more than five years old [redacted] these call detail records, which had been produced pursuant to the Court's Primary Orders [redacted]. These call detail records were among those used in connection with a migration of call detail records to a new system. See Declaration, Docket Number BR [redacted] at 13 n.8 (describing migration of records to a replacement system). The call detail records could be accessed or used only by technical personnel who had received appropriate and adequate training to access call detail records. NSA technical personnel destroyed the call detail records used in the migration of records that had been inadvertently retained past the retention limit of five years. As a result of the destruction, NSA is unable to provide an estimate regarding the volume of data destroyed. For recovery back-up purposes, NSA has retained those call detail records used in the migration of records that did not exceed the retention limit, and will use those records in accordance with the requirements of the Court's Primary Orders.

(U//FOUO) In May 2013, NSA submitted a Congressional notification of the compliance incident to the House Permanent Select Committee on Intelligence, the Senate Select Committee on Intelligence, and the House and Senate Committees on the Judiciary. Copies were also provided to the Congressional affairs offices at the ODNI, [redacted], and DoJ. On 7 May 2013, the NSA OIG notified the ATSD(IO) of the incident and the Congressional notification.

Controls put in place to mitigate recurrence
(U//FOUO) In response to this incident, [redacted] technical personnel developed a script that searches for ingest and backup files on servers containing BR metadata that are older than four years, 11 months.
Before the preservation order, if such files were identified, the script would send automated reminders weekly for three weeks and then daily until the files had been manually deleted.43 No files matching the criteria have been identified since [redacted]. [redacted], the database, which [redacted] servers, automatically deleted files before they reached the five-year mark. NSA maintains location restrictions for machines and directories that [redacted] files.

Notice of Compliance Incident [redacted]
[redacted] NSA informed the [redacted] Office of Intelligence (OI) that, in the course of reviewing its formal reporting [redacted], it had identified products containing U.S. person information that it had not reported in [redacted] reports [redacted]. For each BR metadata product, an authorized official made the required CT determination prior to dissemination. NSA and OI continue to investigate the facts and circumstances concerning this matter, and the [redacted] will provide a thorough explanation of this matter to the Court.

[redacted] a final notice of Compliance Incidents was filed with the Court. The notice indicated that in total [redacted] were not included in the thirty-day [redacted]. NSA relied on a single individual to keep [redacted] reports of disseminations that occurred during each reporting [redacted] provide information about those disseminations for inclusion in the thirty-day reports. [redacted] described above were not recorded and, as a result, information about [redacted] in the thirty-day reports. Currently, as discussed in a notice in this matter filed with the Court [redacted], NSA's Information Sharing Services (ISS) office maintains records of the CT determinations for each disseminated BR metadata product containing U.S. person information. NSA's [redacted] now also verifies the accuracy of statements regarding disseminations that are included in each thirty-day report by confirming that its records reflect the number of disseminations described in each report. Along with the final notice, a supplemental report to the Court provided additional details and attestation that, before dissemination, the USP information was determined to be related to CT information and necessary to understand the CT information or to assess its importance.

(U//FOUO) On 20 September 2013, NSA submitted a Congressional notification of the compliance incident to the House Permanent Select Committee on Intelligence, the Senate Select Committee on Intelligence, and the House and Senate Committees on the Judiciary. Copies were also provided to the Congressional affairs offices at ODNI, USD(I), and [redacted]. On 12 September 2013, the NSA OIG notified the ATSD(IO) about the incident and the pending Congressional notification.

Footnote 43: (U//FOUO) On 21 March 2014, the U.S. District Court for the Northern District of California issued a preservation order against the destruction of BR metadata [redacted].

Controls put in place to mitigate recurrence
(U//FOUO) In response to this incident, NSA issued the FISA Reporting Process [redacted], which [redacted] external reporting requirements and organizational responsibilities and defines a standardized, repeatable process for the creation, coordination, and release of mandatory FISC reports for the BR FISA program. The SOP states that, as [redacted] process and create a software tool; [redacted] committed to refine the manual report [redacted] 2013. Before this, disseminations were tracked manually. Since [redacted], all disseminated reports derived from BR metadata have been tracked in [redacted].

Notice of [redacted]
(U//FOUO) Preliminary [redacted] records for [redacted] was stored at all times on servers accessible only to technical personnel and was not available for intelligence analysis. NSA and OI continue to investigate the facts and circumstances concerning this matter. [redacted] DoJ will provide a thorough explanation of the matter to the Court upon completion of the investigation.
[redacted] the sample [call detail records] [redacted].

(U//FOUO) On 17 December 2013, NSA submitted a Congressional notification of the compliance incident to the House Permanent Select Committee on Intelligence, the Senate Select Committee on Intelligence, and the House and Senate Committees on the Judiciary. Copies were also provided to the Congressional affairs offices at the ODNI and [redacted]. On 2 December 2013, the NSA OIG notified the ATSD(IO) of the incident and the pending Congressional notification.

Controls put in place to mitigate recurrence
(U//FOUO) NSA filed a "Notice of Material Misstatement" because, in a previous declaration to the Court, NSA stated that it had [redacted] sample records [redacted] and that [redacted] notified the providers that it did not want CSLI [redacted]. As an implementing control, NSA modified the way it performs the VOA on the [redacted] to the Court so that all organizations associated with the BR FISA program participate in the process and review the entire document. The BR Authority Lead initiated quarterly meetings with stakeholders to compare the previous final BR Order with the new declaration to identify changes and ensure that the new [redacted]. [redacted] the incident, NSA has not received sample [redacted]. As in the Sampling section, [redacted] the feed daily and weekly to verify that [redacted] CSLI [redacted] and has identified no CSLI data since the feed became operational.

(U//FOUO) The four incidents of non-compliance were included in the first, third, and fourth quarters 2013 Reports to the Intelligence Oversight Board on NSA Activities. For a list of the incidents of non-compliance from 2010 through 2012, see Appendix [redacted].

(U) BR FISA Authority

(U//FOUO) Although no formal process has been implemented to assess the effectiveness of the BR FISA authority, NSA asserts that the authority has made valuable contributions to the CT intelligence mission and that it plays an important role for NSA intelligence [redacted] tasked with identifying potential terrorist threats to the U.S. homeland and U.S. interests abroad.
(U) Methods Used to Assess Effectiveness

(U) The BR FISA program was developed to assist the U.S. government in detecting communications between known or suspected terrorists operating outside the United States and others inside the United States, as well as communications among operatives within the United States. The 9/11 Commission identified detecting and linking such communications as a critical intelligence gap in the aftermath of the attacks on 11 September 2001.

(U//FOUO) Based on requests from the Senate Select Committee on Intelligence to determine the "value of the program," NSA and FBI personnel developed in February 2014 the FISA Bulk Metadata Process for FBI Feedback plan, which describes [redacted] responsibility to deliver to the FBI a spreadsheet with BR information and [redacted] responsibility to summarize use for NSA. The plan called for [redacted] to categorize selection terms in the BR FISA report as follows:
- Not of Interest: the selection term is technically flawed or its characteristics make it worthless for research.
- Known to the FBI: the FBI is aware of the selection term independently.
- Known to the FBI with additional information: the FBI is aware of the selection term independently, but NSA reporting provides amplifying information to aid FBI investigations.
- Unknown to the FBI: the FBI was not aware of the selection term.

[redacted] send BR-unique leads to FBI field [redacted].

(U//FOUO) BR FISA program leadership recognizes that there is no process to track program effectiveness. They agreed on the need to track effectiveness but were unable to determine how to do so. Feedback is difficult to obtain. One former BR FISA program leader asked, "How do you assess the effectiveness of an authority when we don't get feedback from the customer?" Another limitation on [redacted] ability to determine the effectiveness of the BR FISA program [redacted].

(U) Table 25.
Selection Terms in Approved Status as of 31 December 2013 by Target Office of Primary Interest
[Table body not recovered in this copy.]

(U//FOUO) [redacted] NSA implemented the FISA Bulk Metadata Internal Report for [redacted]. The report includes:
- (U//FOUO) Program highlights,
- (U//FOUO) Number of disseminations,
- Number of approved RAS selection terms,
- Number of queries,
- BMD volume, and
- Number of personnel by organization and work role with program access, approved to disseminate USP information, and approved as HMCs.

(U) Contributions from the BR FISA Authority that Support the Mission

(U) 2013 highlights
(U//FOUO) NSA does not assert that information from the BR FISA program does, by itself, identify or thwart plots. Instead, information obtained through the program plays a complementary role within a larger body of intelligence and CT investigations. It is important to note that BR metadata may sometimes be the single source of intelligence. However, typically, acquisition and analysis of BR metadata are designed to fill gaps in information gathered under other collection authorities. By helping close those gaps, NSA personnel report that BR data contributes to comprehensive efforts to identify and address threats to the homeland. The following are highlights from the BR FISA program in 2013.
[redacted]

(U) On 21 June 2013, in response to a request from the House Permanent Select Committee on Intelligence after unauthorized public disclosures, NSA provided to that committee and the Senate Select Committee on Intelligence, the House and Senate Committees on the Judiciary, and the Defense subcommittees of the House and Senate Appropriations Committees a list of 54 events in which the BR FISA or FAA §702 authorities, or both, contributed to the production of SIGINT and to the understanding of terrorism activities.

(U) Analyst Use of the Authority
(U//FOUO) NSA senior management believe that the BR FISA program is important to intelligence [redacted] tasked with identifying potential terrorist threats to the U.S. homeland, primarily in support of the FBI, by enhancing their ability to detect, prioritize, and track terrorist operatives and their support networks in the United States and abroad. By querying BR metadata, intelligence [redacted] are said to:
- (U//FOUO) Detect domestic and foreign selection terms in contact with domestic and foreign selection terms associated with foreign terrorist organizations,
- (U//FOUO) Discover selection terms with which the foreign and domestic selection terms associated with foreign terrorist organizations are in contact, and
- (U//FOUO) Detect possible terrorist-related communications between communicants inside the United States.

(U) Identifying threats
(U//FOUO) NSA has many sources of information that provide indications of potential terrorist activity against the United States and its interests abroad. The best analysis typically occurs when [redacted] evaluate information obtained from all those sources to disseminate as complete a picture as possible of potential terrorist threats. Although BR metadata is not the sole source of information available to NSA CT personnel, it is a component of the information that [redacted] rely on to execute threat identification and characterization. BR metadata can add to the [redacted] and law enforcement community's understanding and evaluation of threat information and the need to take investigative action.

(U) Agility
(U) BMD, NSA personnel assert, enables the Agency to quickly analyze communications and contact chains. Unless the data is aggregated, it may not be feasible to detect communication chains that cross communication networks and authorities. The ability to query accumulated metadata from multiple authorities significantly increases [redacted] ability to rapidly detect persons who are affiliated with foreign terrorist organizations and might otherwise go undetected.
(U) Hops
(U//FOUO) When NSA performs a contact-chaining query on a terrorist-associated selection term, [redacted] are able to detect not only the direct contacts made by that first tier of contacts but also the additional tiers of contacts, out to the maximum number of permitted hops from the seed selection term. [redacted] provides a more complete picture of those who associate with terrorists or are engaged in terrorist activities. The ability to look at a network beyond the first hop enables [redacted] to potentially identify the core of a network, focusing and prioritizing resources efficiently against threats.

(U) Historical data
(U//FOUO) Another advantage that SID leadership ascribes to the BR FISA program is that the BR metadata is historical. [redacted] historical connections are critical to understanding newly identified targets, and links that are unique, pointing to potential targets of interest that may otherwise be missed. [redacted]

(U) Tradecraft
(U//FOUO) [redacted] report that BR metadata analysis enriches their understanding of the communications tradecraft of terrorist operatives who may be preparing to conduct attacks against the United States [redacted].

(U) Complementary
(U//FOUO) The BR FISA program, SID leadership asserts, complements information that NSA collects by other means, increasing the value to the Agency and linking possible terrorist-related telephone communications between communicants based solely inside the United States. As a complementary tool to other intelligence authorities, access to BR metadata increases the likelihood of detecting terrorist cell contacts within the United States. The BR FISA program provides NSA the information necessary to perform call chaining that can enable [redacted] to obtain a much broader understanding of the target and, as a result, allow NSA to provide a more complete picture of possible terrorist-related activity inside the United States.
(U) Prioritizing
(U//FOUO) The BR FISA program assists with applying the limited analytic and linguistic resources available to the CT mission to [redacted] that have the highest probability of connection to terrorist targets. Analysis of BR metadata can help prioritize communications of non-USPs that NSA acquires under other authorities because such persons are of heightened interest if they are in a communication network with persons in the United States.

(U//FOUO) SID leadership asserts that, without the ability to obtain and analyze BR metadata, NSA would lose a tool for detecting communication chains that link to selection terms associated with known and suspected terrorist operatives, which can lead to the identification of previously unknown persons of interest. The BR FISA [redacted] potential terrorist activities. Any other means that might be used to conduct similar analyses would require multiple, time-consuming steps that would frustrate rapid [redacted] situations and could fail to capture some information available [redacted]. If BR metadata is not aggregated and retained for a time, NSA could not detect [redacted].

(U) Former DIRNSA General Alexander testified to the Senate Committee on the Judiciary in December 2013:

(U) "Measuring the value of the BR authority by the number of plots exposed to date misses the point and presents us with a false choice. The BR FISA authority is similar to an insurance policy, designed to make sure that the gap exposed after 9/11 doesn't happen again, with perhaps even more catastrophic consequences. As with an insurance policy on your house, you don't determine its value by asking how many times you've collected on the policy to date; you want to have it for the possible fire, or flood, or theft in the future. Combined with the limitations on the program, the potential benefit in allowing us to uncover the hidden terrorist in the U.S. still provides a unique value consistent with the protection of privacy rights."

III.
(U) FAA §702

(U) Background

(U) The FAA §702 certifications
(U) Section 702 of the FAA, Procedures for Targeting Certain Persons Outside the United States other than United States Persons, states that the Attorney General and the DNI may jointly authorize, for a period of up to one year, the targeting of persons who are not USPs and who are reasonably believed to be located outside the United States to acquire foreign intelligence information. This authority is granted on the basis of annual certifications made by the Attorney General and the DNI to the [redacted]. The certifications identify categories of foreign intelligence information [redacted] through this acquisition: [redacted]

(U//FOUO) The NSA targeting and minimization procedures establish the processes that the Agency must follow and the requirements that it must satisfy to comply with the limits the statute and the Constitution impose on the use of this surveillance. The targeting procedures must be "reasonably designed" to limit acquisition under the FAA §702 certifications to [redacted] reasonably believed to be located outside the United States to acquire foreign intelligence information and to prevent intentional acquisition of communications in which the sender and all intended recipients are known at the time of acquisition to be in the United States.45 The purpose of the minimization procedures is to establish controls over the acquisition, retention, and dissemination of non-publicly available USP information. In addition to targeting and minimization procedures, FAA §702 requires the Attorney General, in consultation with the DNI, to adopt guidelines to ensure compliance with the limitations in the Act on acquisition of communications. These are documented in Guidelines for the Acquisition of Foreign Intelligence Information Pursuant to the Foreign Intelligence Surveillance Act of 1978. Approved by the Attorney General in 2008, the guidelines reinforce the targeting procedures, establish requirements for application of the targeting procedures, and establish requirements for obtaining court orders. The government's FAA §702 certifications, targeting procedures, and minimization procedures (but not the Attorney General Guidelines) require FISC approval. The FAA §702 certifications are accompanied by affidavits from the heads of elements of the IC, such as the DIRNSA, that describe the Agency's basis for assessing that acquisition will be consistent with statutory authorization and limits.

Footnote 45: (U) Acquisition is the collection by NSA or the FBI through electronic means of non-public communications to which they are not intended parties.

(U) Methodology and Scope
(U//FOUO) Our review of the FAA §702 control framework, incidents of non-compliance, and use of the authority to support [redacted] mission was based largely on FAA §702 stakeholder interviews and reviews of policies, procedures, and other program documentation. The Special Study: Assessment of Management Controls Over FAA §702, revised and reissued 29 March 2013, was also used as a resource. That study examined the controls designed to ensure compliance with FAA §702 and the targeting and minimization procedures associated with the 2011 certifications. Given the time constraints for the current review and the agreement with staff of the Senate Committee on the Judiciary, we did not verify through testing that all controls were operating as described by FAA §702 program stakeholders.46 Our review focused on the processes and controls in place in 2013.
Two documents ?led annually with each FAA ?702 certification delineate procedures for complying with the FISA Amendments Act of 2008: - Procedures Used by the National Security Agency for Targeting Non- United States Persons Reasonably Believed to be Located Outside the United States to Acquire Foreign Intelligence Information Pursuant to Section 702 of the Foreign Ii-irelligence Surveillance Aci ofl978, as Amended (FAA ?702 Targeting Procedures) and (U) Minimization Procedures Used by the National Security Agency in Connection with Acquisitions ofPoreign Intelligence Information Pursuant to Section 702 oftlze Foreign Intelligence Surveillance Act of I978, as Amended (the FAA ?702 Minimization Procedures). For calendar year 2013, the period under review, different versions of these documents were in effect because of changes made at the annual certi?cation renewal and special amendments to the procedures. - (U) Targeting Procedures 0 Procedures approved with the 2012 renewal of the authority, effective 24 September 2012 through 10 September 2013. 46 (Ur/#118667 The NSA 01G has conducted several audits and special studies on the effectiveness of certain FAA ?702 program controls. ZD-?t?il?: $2 0 These procedures were not changed for the 2013 certification renewal and remained effective 10 September 2013 through 28 August 2014. (U) Minimization Procedures 1 Procedures approved for the 2012 certi?cation I I renewal, approved by the FISC 24 August 2012, were effective 24 1 i5in[M (UHF-669) An amended version of the 2013 minimization procedures 86-36 tasking checks were not functioning properly and procedures for handling data collected during a period in 2013 when these checks were not performing as intended. (U) We also examined implementing procedures and controls for the Attorney General?s targeting guidelines. 
(U) FAA ?702 Program Control Framework The FAA ?702 control framework describes how NSA targets, collects, retains, accesses, queries, disseminates, and purges FAA ?702 data and the oversight mechanisms to comply with FAA ?702 certi?cations, including FISC-approved targeting and minimization procedures. This section summarizes the provisions of the targeting and minimization procedures and the controls implemented for each phase of the FAA ?702 production cycle. (U) Targeting (U) Provisions of FAA ?702 certifications WThe FAA ?702 targeting procedures set forth the measures that NSA uses to determine whether aprospective target is eligible for targeting under this authority. Each prospective target must meet three criteria. The individual must be a non? USP, reasonably believed to be located outside the United States, who possesses or is likely (U) A target is a person or entity against which intelligence operations are conducted. Foreign inteliigence is obtained by tasking the target?s selectors e-mail addresses) to acquire information pursuant to one of authorities. WW 72 $2 ti ST-14-0002 to communicate foreign intelligence information consistent with one?gf?the. FAA ?702 certi?cations. 48 The targeting procedures state-t-lrat'Qwhen NSA proposes to direct surveillance at aprospective after it has learned something about the facilities the individual uses to communicate. For example, may examine lead information, obtained from a. non-NSA element, such as tips - 9 I I 3' 86-36 . personnel must also assess whether the prospective target possesses or is likely to communicate foreign intelligence information concerning a. 
foreign power the proposed target is appropriate under one of the ?702 86-36 (U) Targeting process overview To initiate targeting under FAA ?702 authority, NSA personnel must research the prospective target to determine whether it meets the requirements of this authority and to identify selectors that will yield communications from the prospective target. 50 Mission operate within an assigned mission team (see and Training section) and follow targeting guidance established by SID Targeting Procedures to complete the analysis that Iis the vehicle for development and submissionof'TRs; lThe TR documents information supporting the targeting decision and is so Ject to at least two levels of review before targeting Additional reviews may be performed by the SID Data Acquisition (SB) office of Targeting Strategy and Mission Integration (TSMI) and SV. Mission are responsible for the initial research and identi?cation of potential targets within their organization?s assigned missions. must complete a training regimen involving general courses on legal authorities and annual courses on FAA ?702 procedures to be eligible to submit TRs under this authority and access and handle FAA ?702 data. (see the Access and Training section). (U) Provisions of FAA ?702 certifications?eligibility for targeting Foreignness determination The targeting procedures require that NSA personnel examine, as appropriate under the circumstances, three categories of information to determine whether the intended target is a non-USP reasonably believed to be outside the United States (the foreignness determination). The ?3 (U) FAA doesnot de?ne the term ?reasonable belief,? but the Act requires that NSA adopt targeting procedures to ensure that FAA ?702 acquisition is limited to targets reasonabiy believed to be outside the United States. Facilities are communication vehicles used by targets, including teiephonc numbers and email addresses. NSA tasks these facilities or ?selectors? 
to obtain foreign from approved targets. 50 (U) Selectors are unique identi?ers of targets (entities against which intelligence operations are conducted), such as teiephone numbers and e-mail addresses, used for tasking (initiating SIGINT coliection for the target?s seiectors). MW 73 nocrn: determination is based on the totality of information available about the prospective target?s location and status as a USP and may be obtained from any one or a. combination ofthese sources: intelligence purpose fortargeting In addition to the foreignness determination, NSA personnel must assess whether the prospective target possesses, is expected to receive, and/or is likely to communicate foreign intelligence pursuant to one of the FAA ?702 certi?cations. categories of foreign intelligence (see Background at the beginning of FAA ?702 section) and speci?es activities for which foreign intelligence collection is approved. 51 Each certi?cation identi?es Targeting must also comply with the Attorney General?s Guidelines for the Acquisition ofForeign Intelligence Information Pursuant to the Foreign Intelligence Surveillance Act of 1978, which reiterates the ?ve targeting activities prohibited by FAA ?7022 (U) Intentionally targeting a person known at the time of acquisition to be in the United States; . (U) Reverse targeting, that is, targeting anon? USP outside the United States for the purpose of targeting a particular, known person reasonably believed to be in. the United States; Wintentionally targeting a USP reasonably believed to be outside the United States; (U) Intentionally acquiring communications as to which the sender and all intended recipients are known at the time of acquisition to be in the United States; and (U) Targeting inconsistent with the Fourth Amendment to the Constitution of the United States. 
51 (U) Foreign intelligence information is de?ned in as (1) information that relates to, and ifconcernin a USP is necessary to, the ability ofthe United States to protect against- (A) actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power; (B) sabotage, international terrorism, or the international proliferation of weapons of mass. destruction by a foreign power or an agent of a foreign power; or (C) ciandestine intelligence activities by an intelligence service or network ofa foreign power or by an agent of a foreign power; or (2) information with respect to a foreign power or foreign territory that relates to, and if concerning a US. person, is necessary to (A) the national defense or the security of the United States or; (B) the conduct of the foreign affairs of the United States. 74 DQCIEJ: s22 (U) Targeting control procedures Target research ?foreignness_. i?itil- (Wt-1:666) Target research?w-forein intettience determination NSA mission task targets that are aligned with the National Intelligence Priorities Framework, can be linked to one of the foreign intelligence purposes specified in the appropriate,__fAA 5702 certi?cation and, generally. are within the assigned mission area'?" Targeting request Once mission complete the research for the Proposed I the prospective targets meet the standards in the targeting procedures. Once the TR has been reviewed and approved (see Targeting Authorization), the selector identi?ed in the TR is used to initiate collection. To complete avalid TR, mission must compile speci?c information to demonstrate that, based on the totality of the circumstances determined from the research performed, there is a reasonable belief that the proposed target is foreign (not and not within the United States) and is likely to produce foreign intelligence consistent with one of the FAA ?7 02 certi?cations. 
The TR must include: 52 Raw data is data that has not been evaluated for foreign intelligence-or procassed to handie USP identities pursuant to the minimization procedures. Mctadata is dialing, routing, addressing, or signaiing information associated with a connmmication but does not include information concerning the substance of the communication. 53 (U) The National intelligence Priorities Framework translates national foreign inteiligence objectives and priorities approved by the President into speci?c prioritization guidance for the 1C. it serves as guidance for U.S. foreign intelligence analysis and collection. mm 75 4?0002 66-36 . (U) Sources supporting the determination of foreignness. 54 Mission must create permanent documentation of the information sources used to establish foreignness. Copies of the source information are saved in a restricted access SharePoint site SV maintains. This repository facilitates approval of the TR, as well as internal and external oversight. UHEQ??jtT-h-system supports targeting compliance as the mission analyst the TR. The system requires: WWDetailed information establishing the I 3 -P.L. 86-36 . . . . 33:3}60 USC 3024") Target information, includlng the TAR, Completion of key ?elds to document information about the prospective target authorized targeting purpose, how the individual was determined to be outside the United States, basis for expectation that targeting the individual wiil produce foreign intelligence), and 86-36 (U) Identi?cation of the apprOpriate FAA ?702 certi?cation. also: L. '3 6-36 (mg) - (U) Identifies con?icting data within the TR, (bum-{L 35-35 (U) Captures references to supporting documentation, 54 (U) Targeting Rationale is a brief justi?cation for targeting a selector, intended to explain the connection between the proposed target and a foreign intciligence purpose. 
55% -- 49W 35-35 76 $3 ST-14-0002 86-36 86-36 (wry-50339 3024(i) mam-~- 77 I I I 3024?; :Smm I - (WW-8899 86-36 1 a I I Easel I (hm-L- 86-36 (U) Provisions of FAA ?702 certifications?authorization to target (UHF-GHQ) Approval to task aprospective target?s selectors requires that the TR entry for that tasking be reviewed to verify that it contains the necessary citations to source information that led the analyst to reasonably believe that the individual is a 5? I I 86-36 use 3024(i) :necrn d273?7? ST-14-0002 non-USP outside the United States and is linked to the appropriate FAA ?702 certification. (U) Targeting authorization-4;: ontrols NSA has implemented a multi? level review process to approve all proposed targeting. Releaser review submitted TRs are first reviewed by the mission releaser. Normally, the releaser is in the same organization as the mission analyst. Releasers must complete the same training courses as mission They examine the TRs for completeness and compliance with the FAA ?702 Targeting Review Guidance developed and maintained by the Mission and Compliance staff, part of the Directorate for Analysis and Production, within Signals Intelligence Directorate. 58 (outsell-reg Adjudtgatton-- I the ?nal approval-"ofthe TR, known as adjudication, is a. critical control point in tasking nun-selectors under FAA ?702 authority and is performed by personnel designated as Ithe responsibility was moved to the mission groups within the SIGINT Analysis and Production organization, where specially trained and experienced usually from the same organization as the targeting analyst, perform adjudication. 59 Adjudicators must complete the same courses as other mission personnel as a prerequisite for access to FAA ?702 data (see the Access and Training section). They must also complete a speci?c course on adjudication and receive on-the-job training in their mission of?ce before they are permitted to adjudicate independently. 
Adjudicators receive advice and updated information from the staff of the Analysis and Production organization, SV, and OGC on developments affecting the application of the FAA ?702 authority. The majority of adjudicators have two or more years experience in adjudication. Adjudicator performance is monitored by the Mission and Compliance staff in SlD?s Directorate for Analysis and Production. WAdjudicators review TRs for accuracy, evaluate the evidence in the TR supporting the foreignness of the proposed target, examine the TAR statement for the individual?s foreign intelligence value, and verify that the TR supports eligibility for targeting under the speci?ed FAA ?702 certification. As part of their TR reviews, adjudicators recreate the steps taken by the mission analyst to independently con?rm that the supporting data. is accurate and that the most current information available is used to support a. reasonable belief that the prospective target 53 (UHF-6667 As part of the Opera i if 2 11 ff includes teams who provide support and oversight of SlD?s use of FAA ?702, sucha.s I 59 (WW Missierioum are I 86-36 SV, and the NSA OGC. 79 ST-14-0002 is foreign. Following the same procedure as mission adjudicator-s] I I to determine 86-36 whether there is supporting or contrary information regarding the foreignness of the individual. Adjudicators must complete a series of checks manually or assisted by technoiogy: for an initial foreignness determination. 60 Reviewing the database of selectors whether there was information indicating that the 86"? individual. was not foreign. 
Accessing the 8V4 SharePoint Site to determine whether there is information that would preclude the current tasking request from being approved-I I If adjudicators are able to meets the FAA ?702 requirements for tasking, they approve the target?s se1ectoifdf't'iisking-EI However, if there is an error or required information is absent in the TR, adj udicators must ensure that corrective action is taken before approving the TR. Win most instances, if adjudicators identify updated foreignness information, they substitute that information in the TR to ensure that the TR is current. if adjudicators ?nd an error, such as inaccurate foreignness information, insuf?cient evidence to support foreignness, or an incomplete TAR statement, adjudicators may deny the TR and return it to mission for correction. When the TR is corrected, the TR goes back to the mission releaser and the mission I adjudicator. As part of the approval process, adjudicators upload documentation of the sources supporting the targeting decision to the SharePoint site that SV maintains. 131:? trawl 80 ZEJCIEIEJ: 86?36 The targeting review process is summarized in Figure 8. (U) Figure 8. FAA ?702 Tareting Review Process 32 FAA 7?32 Targeting Review 86-36 Analyst Ramon-r Approve; momma: mnnunlsm'?n mini-gm. -I- i hgmuu?ymly?n?ln. ama? . . . ahtyieulhe; - "ammonia m. were: tea-anal; at amount? amoral. im- must! with}? manilrninarul? . . . gamma usuanwemrm tL Deejays; iaqu . . newer (U) Provisions of FAA ?702 certifications?approval of TRs from other agencies The FAA ?702 minimization procedures set forth processes NSA uses for the acquisition, retention, use, and dissemination of information acquired under FAA 6702. In accordance with Section 6(0) of the minimization procedures, SA provides the CIA and the FBI unminimized communications acquired pursuant to FAA ?702 for targets nominated by the respective agencies and approved for tasking in accordance with targeting procedures. 
I the CIA and the FBI must handle unnainimized communications receivedi?ljrom NSA in accordance with their NSC-approved minimization procedures?fadopted by the Attorney General in consultation with the ODNI. (Slim-AL. 86-36 (Dh1) 86-36 not: In thin};I: d2?3%?a? Controls over approval of CIA and TRs The CIA and the FBI submit requests for tasking selectors of prospective targets to NSA, which reviews the foreignness information and the foreignness justi?cation for the prospective target and approves the selectors for tasking upon an assessment that there is a reasonable belief that the pro Spective target is a noanSP outside the United States and that collection will produce intelligence information pursuant to one of the Targets proposed by the ClAib'r'FBIuthat are not currently tasked by NSA are vetted through reviews performed by NSA personnel-I I Table 26 summarizes the targeting provisions of the FAA ?702 targeting procedures and the controls NSA has implemented to maintain compliance. (U) Table 26. Targeting Provisions and Controls imam?) (U) Foreignness - Acquisition targets only reasonably believed to be outside the United States (UliFeth) The TR documents the support for determination of the prospective target?s foreignness. The targeting system enforces completion of required ?elds (including foreignness information), identifies con?icting data, ?ags selectors ineligible for - 86-36 land captures source information supporting targeting. (UliFGU'e-i All TRs are subject to at least two levels of review prior to targeting. Additional reviews may be performed by or 8V. Reviewers examine available information to validate accuracy of the foreignness determination and that con?icting information has been resolvedInternet ?transaction? that contains more than one discrete communication within it. 
If one of the communications within an MCT references a tasked selector and one end of the transaction is foreign, the entire MCT transaction will be acquired through upstream internet collection techniques, Since this can include discrete communications that do not contain the tasked selector, use of such information must meet specific requirements. 82 LB-GCSID: 42 ST-14-9002 wa?iB-l-H-H-F) NSA will maintain NSA maintains these records in a database of seiectors-I (suspect-sags - {to support compian as ing. New TRs will be compared with these records before targeting. This tool is used in target research by and interfaces with Ito identity ineligibie selectors proposed fortargeting. The in ormation generated is reviewed by the adjudicators and any con?icts should be resolved before the TRs are a roved. pp ss- (U) Foreign Intelligence Purpose of Targeting - NSA will assess whether the target possesses or is liker to communicate foreign intelligence pursuant to one of the approved certifications. (Uii?Fth-e-j The TAR Statement documents why targeting is requested and indicates the tie to a foreign intelligence purpose specific to the FAA Certification under which targeting is requested. This is subject to adjudication. (U) NSA may provide unminimized communications acquired pursuant to FAA ?702 to the CIA and FBI. ?ames?Few The and FBI may nominate targets and selectors for acquisition. subject to targeting procedures. I [The CIA and FBI have their own minimization procedures for processing the unminimized data that they receive. 1) 86-36 (unease-j Tasking requests must he supported by citations to the information that led to the analyst?s reasonable belief of the foreignness of the target. Approval of the TR will include review of the citation. The adjudication review includes examination of the citations supporting the foreignness determination maintained in the SV SharePoint site. 
(U) Provisions of FAA ?702 Certifications and other Guidance?uPost- Targeting Review In accordance with the targeting procedures set forth in each FAA ?702 certi?cation, NSA are required to conduct post-targeting reviews of all selectors tasked under FAA ?702 authority. The targeting procedures state that ?Such analysis is designed to detect these occasions when a person who when targeted, was reasonably believed to be located outside the United States has since entered the United States, and will enable NSA to take steps to prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States, or the intentional targeting of a person who is inside the United States.? 83 ID (mitt.-- (U) Post-targeting WNSA has implemented four procedures to ensure that targeted persons continue to meet the criteria. speci?ed in the FAA ?702 targeting procedures. a. process called Obligation to Review that has two provisions. implemented The ?rst requires that, upon tasking a selector, the mission team that initiated tasking must review collection from that tasking within 5 business days of the receipt of the initial piece oftraf?c from FAA ?702 collection. An e-mail noti?cation is sent to mission team members notifying them of the receipt and the 5 day review requirement. The mission. analyst must review a sample of the content of the to determine that: (UTTi?ieuselector is being used by the intended target, (U) The target'i's-valid under the requested FAA ?702 certi?cation, and If the reviewing analyst determines that all three requirements have been satisfied, thus making the tasking valid under FAA ?702 authority, no further action is required. If any of the three requirements is not satis?ed, the selector must be system (removed from collection). The selector cannot be resubmitted for tasking until all requirements have been satis?ed. 
(Detasking is discussed further in Monitoring Collection section.) 86-36 {Unease} The second provision of the process requires the to conduct an ongoing review of at least a sample of the content from to ensure that the target continues to meet the criteria for targeting under After the initial review has been completed, a sample of collection is reviewed" lieu) 86-36 34 not: In {Minuet Post-targeting controlsmmonitoring collection Mission must monitor collection for indications that the target no longer meets the foreignness requirements, is not associated with the tasked selector, or is not linked to a valid foreign intelligence purpose tied to an FAA ?702 certi?cation. If it is determined that the target or the selector is no longer appropriate for tasking under this authority, NSA will have to take actions that might include detasking the selector, reporting a. compliance incident, recalling intelligence reports, and purging collected communications. (wane?no) lf user of a tasked selector is an not the intended target and is not of foreign intelligence value or is or is in the United States, the mission of?ce must immediately remove from coll'ection'all'selectors-I land identify collection ineligible for retention. Additional research may be performed before detasking, if there is evidence that the information on the user?s USP status or location is not correct. Unless there is a strong reason to doubt this information from collection, it is presumed valid and detasking should occur immediately. if review of collection identi?es communications in which the sender and all intended recipients are determined to have been within the United States at the time of collection (domestic communications), those communications must be destroyed with limited exceptions. 64 (U) If analysis ot?the collection ?nds that the selector is no longer used by the target, the selector must be removed from tasking. 
65 Attorney-client privileged communications are subject to special procedures designed to prevent privileged information ?om being used in prosecution. Should review of collection identify communications between persons known to be under criminal indictment in the United States and their attorneys, review of the communication must be discontinued and OGC noti?ed for guidance on handling the communication. 66 64 (UHW lf the domestic communication collected is not related to an incident (see incident Reporting), DIRNSA may approve a destruction waiver to allow retention ofthe collection. 65 Esn?in??f i, F: :Elzil 66 (WW Monitoring"conmtunications between a person known to be under criminal indictment in therti?ited States and an attorney representing tliat?in-dividuai in the matter under indictment must cease once thelrelationship has been identi?ed. The acquired and NSD noti?ed so that measuresinay be taken to protect such communications from review or use in criminal"prosecutions. 35 86-36 (mm-50 use 3024p) not: In (51(3) detasks the roaming selector, and I (UMP-868) If authorized collection incidentally acquires aforeign communication of or concerning a USP (cg, an FAA ?702 target is communicating with a. USP or about a USP), the communication may in general only be retained if the USP information quali?es as foreign intelligence or the information is evidence of a crime and is provided to appropriate federal law enforcement authorities. Domestic communications, including communications of a target who has entered the United States, must in general, be destroyed upon recognition, unless DIRNSA or the Acting DIRNSA approves retention of the communication for one of the limited reasons listed 11] Section 5 of. NSA FAA ?702 minimization procedures. .(bmrP-L? 86_36 For intelligence collected ??om upstream Internet collectioti?ljsubject to MCTs, NSA mission must identify and carefully review collection containing MCTs made available for analytic review. 
While NSA automatically segregates certain MCTs and does not pass them to repositories accessible to there may still be information in some MCTS that is not eligible for retention. If a discrete communication within an MCT is not to, from, or about a. tasked selector but othervvise contains foreign intelligence information and the discrete communication is not to or ?om an identi?able USP or a person reasonably believed to be in the .United States, the MCT may be retained to the same degree that a discrete communication could be retained. If any portion of the MCT contains a domestic communication, the entire MCT must be purged, unless there is no underlying compliance incident and DIRNSA approves a. destruction waiver. (U) For selectors removed from tasking, all communications collected after the target no longer meets the requirements of FAA ?702 must be identi?ed for purging through incident reporting and the purge adjudication process (see the Purge section). Post~targetinf controls?detection of targets that may have In addition to analyst review of for indications that the user of a tasked selector has entered the United State-5:1 8?6 notifying them that the selector has been detasked. It is the responsibility to identify and detask additional selectors for the target and develop the informationnecessaiy to produce an incident report. Though NSA may not have had prior notice of the target?s intention to travel, FAA ?702 may not be used to target individuals in thei'United States (see the Incident Reporting section). ST-14-0002 86.33 (bun-so use 3024" (bil?I 86-36 Post-targeting controls?periodic selector review As discussed earlier, NSA is required to regularly con?rm that all selectors tasked under FAA ?702 continue to meet targeting requirements. In addition to these ongoing reviewsz? defaults all ?702 targeting to a one year review. To maintain acquisition? 
for the target, mission must con?rm that continued tasking of the selector ist expected to acquire foreign intelligence relevant to the FAA ?702 certi?cation under which the targeting was executed. 86_36 Table 27 summarizes the post- targeting provisions of the FAA ?702 targeting procedures and the controls implemented by NSA to maintain compliance. (U) Table 27. Post-Targeting Provisions and Controls (U) are requrred to monitor collectton to determlne whether the target continues to meet targeting criteria, including foreignness. (U) receive "obligation to review" notices upon ?rst receipt of collection for newty tasked Internet selectors and every thirty days commencing with the date of first coliection after the last review. The notice is repeated until collection has been reviewed. (U) Annual reviews confirm that a target remains eligible for targeting and continues to be expected to produce foreign tntetligence relevant to the FAA ?702 certi?cation under which it was approved. Post?targeting analysis is performed to detect when a person, reasonably believed to be outside the United States when targeted, has since entered the United States. This allow NSA to take steps designed to prevent acquisition ofdomestic communications orthe targeting ofa USP. NSA will routinely compare - tasked selectors with information collected from 67 susw?a $6 FHEBI . inn) 87 86-36 USC 3024(i) DEBS ID 86-36 3024(i) d.2?3d?d ST-M-GOOZ -- cr detasking of the selector and purge of any non-compliant communications. WP) NSA witl routinely compare selectors tasked - See Table 26 second control. NSA will foreign target has entered or intends to enter the United States. - Internet selecto'r?s'a'nd everythirty days commencing with the date of first collection after the last review. The notice is repeated untii collection has been reviewed. 
Provision: (U) If NSA determines that a target has entered the United States, it will take the necessary steps to assess whether the incident represents non-compliance with the targeting procedures, report such occurrences to DoJ and ODNI, and purge related communications from NSA databases as required. (U) See the Incident Recognition and Reporting section.
Control: (U) If NSA determines that a target has entered the United States and the target's selectors were not detasked before entry, it is reported to DoJ and ODNI as an incident. [redacted] assesses which incidents represent non-compliance with the targeting procedures and reports such occurrences to the [redacted]. NSA purges related communications from NSA databases as required. In some cases, DIRNSA may grant a destruction waiver so NSA can retain collection that is otherwise subject to purge.

Provision: (U) If NSA determines that a target who, at the time of targeting, was believed to be a non-USP is in fact a USP, it will terminate collection without delay, report the incident to DoJ and ODNI, and purge such collection from its databases. (U) See the Incident Recognition and Reporting section.

Provision: (U//FOUO) As soon as it becomes apparent that a communication is between a person who is known to be under criminal indictment in the United States and an attorney who represents that individual in the matter under indictment, monitoring of that communication will cease and the communication will be identified as an attorney-client communication in a log maintained for that purpose.
Control: Annual FAA training requires that such communications be brought immediately to [redacted] attention for further instruction. OGC maintains e-mail records [redacted] communications, [redacted] that the process used to quarantine these communications is a sufficient process for documenting the information.

(U) Incident Recognition and Reporting

(U) Provisions of FAA §702 certifications: incident reporting

The targeting procedures state that NSA will conduct ongoing oversight and report incidents of non-compliance to the NSA OIG and OGC and ensure that corrective actions are taken to address deficiencies. Reporting is required for incidents of non-compliance "that result in the intentional targeting of a person reasonably believed to be located in the United States, the intentional targeting of a USP, or the intentional acquisition of any communication in which the sender and all intended recipients are known at the time of acquisition to be located within the United States." NSA must report these incidents within five business days of learning about them. The Agency must purge from its databases information acquired by intentionally targeting a USP or a person not reasonably believed to be outside the United States at the time of targeting. If post-targeting analysis shows that the target is inside the United States or a USP, acquisition must be terminated without delay. Inadvertent acquisition of domestic communications is addressed in the minimization procedures (see the Purge section). NSA also reports incidents of non-compliance with the FAA §702 minimization procedures. Some examples include incomplete minimization of USP information, improper queries of raw data, and technical errors that affect system controls over the data, such as retention beyond the required destruction date.

(U) Incident reporting controls

Training and management communications emphasize the fact that incidents can occur at any point in the collection, targeting, dissemination, access, and retention of communications and stress the importance of immediate reporting of instances of non-compliance. Individuals do not have to prove that the activity is noncompliant to report an incident. SV works with the mission team that reports the matter to develop an incident report with complete and accurate information.
If the incident involves a system or a system's performance, TV involves all appropriate subject matter experts (including SID, SV, TD, and OGC) to assess the situation and evaluate its effect on compliance under the authority. OGC informs DoJ and ODNI of incidents that may indicate non-compliance with FAA §702. DoJ, in coordination with ODNI, makes the final determination whether an incident is reportable to the FISC.

(U//FOUO) The OIG receives internal incident reports from SV and TV. Notices of noncompliance (13b notices) that DoJ files with the FISC are made available to the OIG. The OIG uses this information to develop the Intelligence Oversight Quarterly Report, which is prepared with OGC and sent to the President's Intelligence Oversight Board through DoD. The incidents and notices of non-compliance are also used as input to OIG inspections and intelligence oversight reviews.

The annual FAA §702 training required of all individuals handling information obtained under this authority addresses incident recognition, reporting, and processing. It defines two types of reportable events: incidents of non-compliance and changes in the target's status.

Reportable compliance incident: An FAA §702 compliance incident occurs when NSA violates FAA §702 statutory requirements or targeting and minimization procedures, has made materially inaccurate representations to the FISC, or has otherwise not performed in a manner consistent with previous representations to the FISC. For example, if NSA tasked a foreign intelligence target reasonably believed to be outside the United States at the time of tasking and later learned that the target planned to travel to the United States but did not detask the selector before the target's entry into the United States, this would be reported as a compliance incident. Reportable compliance incidents may also result from actions taken by communication service providers.
For example, provider error could cause distribution to NSA of communications for selectors not tasked under FAA §702.

(U//FOUO) Change in target status: After tasking selectors associated with a target that meets all requirements of the targeting procedures, NSA may identify information about the target that was not available when the targeting decision was made. This information may show that the target is a USP or is located in the United States, making the target ineligible for targeting. These changes in target status, though not incidents of non-compliance, must be reported.

Incident reporting and documentation: [redacted] has a significant role in reporting incidents of non-compliance with FAA §702. SV developed an operating procedure that addresses the multiple means of incident discovery and the actions SV personnel follow for each. There are three primary sources from which SV may identify incidents:

- Detask notifications produced [redacted] when personnel remove selectors from collection. A detargeting reason is associated with each notification, some of which may indicate an incident, e.g., the user of the tasked selector has been identified as a USP, [redacted], and targets that appear to have roamed into the United States.
- [redacted]
- Communications of incidents reported by [redacted], query reviewers, and others involved in processing or monitoring collection. This may include errors by communication service providers.

For each incident, SV works with personnel familiar with the occurrence to create a permanent record including significant detail about the incident and its resolution, for example, the detasking information and dates of collection to be purged. SV creates an entry in [redacted], the database of selectors associated with targets that have roamed into the United States or have been identified as USPs, to identify selectors associated with targets identified as meeting [redacted]. [redacted] generates a notice to [illegible].
This entry is required when incidents identify a target located in the United States or a target identified as a USP.

(U//FOUO) TV is responsible for overseeing the reporting and mitigation of incidents that affect TD personnel and systems. For each incident, information regarding the incident's root cause and mitigation is gathered and documented. There are four primary ways in which incidents in TD are discovered:

- (U//FOUO) Technical personnel or [redacted] find data that is not protected, labeled, or transferred as expected,
- Audits of queries submitted by TD personnel are reported when they do not comply with the minimization procedures,
- (U//FOUO) Upon analysis of a system for TV certification, instances of potential non-compliance are reported, and
- Technical personnel self-report incidents.

SV and TV provide the incident reports to OGC to assess whether the incident is a matter of non-compliance with the FAA §702 certifications and targeting and minimization procedures and is reportable to overseers (see the Oversight section).

Incident remediation: Several types of activities may be necessary to resolve compliance incidents or changes in status, for example, detasking selectors, purging communications ineligible for retention, recalling disseminated reports based upon communications subject to purge, correcting system errors, and training. The actions taken are documented in the incident report and, if appropriate, in the notice of non-compliance filed with the FISC. Depending on the magnitude of an incident of non-compliance (e.g., a system error affecting the functioning of targeting controls), the FISC may require supplemental reports on progress in correcting the matter. SV and OGC coordinate such reports with DoJ and ODNI. Table 28 summarizes the incident reporting provisions of the FAA §702 targeting procedures and the controls implemented by NSA to maintain compliance.
The provisions are documented in the oversight and compliance requirements in the targeting procedures.

(U) Table 28. Incident Reporting Provisions and Controls

Provision: (U) NSA will conduct ongoing oversight activities and will make necessary reports, including those relating to incidents of non-compliance, to the NSA OIG and OGC.
Control: (U) FAA §702 training addresses incident identification, documentation, and the process for self-reporting. SV and TV document the incident with the assistance of the individuals who identified the matter and provide the information to OGC for review. OGC, in turn, forwards the incident to DoJ and ODNI.

Provision: (U) NSA will ensure that necessary corrective actions are taken to address identified deficiencies.
Control: (U) The incident report documents measures taken to remediate the incident (e.g., detasking and purge of communications).

Provision: (U//FOUO) NSA will report to NSD and [redacted] incidents of non-compliance (including over-collection) by electronic communications service providers within five business days after determining non-compliance.
Control: (U//FOUO) SV, TV, and OGC manage the incident reporting process to assure that initial reporting is performed within five business days of the identification of non-compliance.

(U) Collection

(U//FOUO) FAA §702 targeting procedures state that [redacted].

(U) FAA §702 minimization procedures require that collection of information by targeting persons reasonably believed to be outside the United States be conducted in a manner designed, to the greatest extent feasible, to minimize the acquisition of information not relevant for the purpose under which the collection was authorized. Steps to assure that acquisition meets this requirement start with target research and approval and the determination that the proposed target meets the criteria for eligibility under FAA §702. NSA has incorporated additional measures in its collection process to comply with this limitation.
(U) Collection mechanisms for FAA §702 communications

(U) NSA has two collection mechanisms for FAA §702. [redacted] communications are obtained by the FBI through compelled collection from ISPs and include only communications to which a tasked selector is a party. For upstream Internet collection and telephony collection, the communication service providers who control the telecommunications infrastructure over which the communications travel are legally compelled to make available to NSA communications related to tasked selectors. Upstream collection of Internet-based selectors may include communications to or from the tasked selector, as well as communications in which the selector is referenced within an Internet transaction. The latter is called "abouts" collection because the communication is neither to nor from the tasked selector, but "about" the selector, i.e., the selector is contained within the communication. Communications acquired from telephony selectors are only to or from the tasked telephone number ("abouts" collection is not a factor).

(U) Provisions of FAA §702 certifications: filters

[redacted] NSA will employ an Internet Protocol filter to ensure that the person from whom it seeks to obtain foreign intelligence information is located in a foreign country, [redacted].

(U) Collection controls for telephony and upstream Internet communications: communications not to or from the target

[redacted] The providers should deliver only communications meeting these criteria to NSA.

(U) Provisions of FAA §702 certifications: analysis of selector targeting status

[redacted] FAA §702 targeting procedures set forth criteria [redacted] collection on a target.
Once a target's selector has been placed on [redacted], the Agency continues to evaluate collection and use other tools to identify changes in the status or location of the target (e.g., a change in USP status, such as information that the individual has been granted permanent resident status in the United States, or information that [redacted] is entering the United States). If these changes occur or it is determined that [redacted] is no longer producing foreign intelligence, the selector is removed from [redacted]. [redacted] in targeting status may be processed immediately upon identification in NSA systems. [redacted] This requires NSA to employ measures [redacted].

(U) Collection controls: verification that collection is for currently tasked targets

[redacted] For each source of collection, NSA employs processes to determine whether [redacted] are sending communications only for selectors currently tasked and authorized for collection. [redacted]

Collection for [redacted]: [redacted]

(U//FOUO) Upstream collection for Internet-based selectors: [redacted] A situation [redacted] can result in the unintended [redacted] communications [redacted]. NSA implemented a verification process to address this situation that is another check performed before upstream communications are forwarded to analyst-accessible repositories for processing. [redacted]

(U) Provisions of FAA §702 certifications: upstream Internet transactions

(U) Background: Upstream Internet collection includes acquisition of two types of communications not present in [redacted] collection: "abouts" communications and "multiple communications transactions" (MCTs). "Abouts" communications are those that are not to or from the target selector but whose contents include the selector. For example, if a target's e-mail address is within the body of an Internet communication between other individuals, the communication is "about" the selector. An MCT is an Internet "transaction" that contains more than one discrete communication.
If one of those discrete communications is to, from, or about a tasked selector and the active end of the transaction is foreign, the entire MCT will be acquired through upstream Internet collection. This can include other discrete communications that do not contain the tasked selector. If the targeted selector is not the active user in the transaction, the MCT can include other discrete communications that do not contain the tasked selector.

(U) Provisions: FAA §702 minimization procedures require NSA to:

[redacted] take reasonable steps post-acquisition to identify and segregate through technical means Internet transactions that cannot be reasonably identified as containing single, discrete communications where: the active user of the transaction (the electronic communications account/address/identifier used to send or receive the Internet transaction to or from a service provider) is reasonably believed to be located in the United States; or the location of the active user is unknown.

(U//FOUO) Internet transactions that cannot be identified as meeting the above definition must be segregated and retained in an access-controlled repository from which transactions may not be moved, except for processing to render them intelligible, unless they are determined not to contain discrete communications for which the sender and all intended recipients are reasonably believed to be in the United States. Any such transactions moved to data repositories accessible by [redacted] are required to be identified as having been previously segregated.[68] FAA §702 minimization procedures also specify that Internet transactions acquired through upstream Internet collection techniques on or before 31 October 2011 be destroyed upon recognition.

(U) Upstream Internet collection controls: multiple communication transactions

Effective January 2012, NSA implemented a process for analyzing and processing upstream Internet collection to ensure that only MCTs devoid of wholly domestic communications will be forwarded for further analysis. This process applied to all upstream data that had been sequestered starting 1 November 2011.[69] Three criteria are used to sort these communications and determine whether they would be withheld from use by [redacted] (sequestered in a collection store) or sent to data stores accessible by [redacted]: the type of communication (discrete or MCT), the active user of the selector, and the location of the active user. The minimization procedures require that sequestered communications be accessible only to specially trained personnel to determine whether they may be [redacted]. As NSA reported to the FISC, all FAA §702 upstream Internet transactions acquired before November 2011, whether or not they were MCTs, were deleted. Additional controls are required when MCTs available to [redacted] are used, for example, to support reporting of foreign intelligence (see the Sharing and Dissemination section). [redacted] Although the minimization procedures permit NSA to pass previously segregated communications to [redacted] repositories, NSA has not done so. [redacted] the only FAA §702 data forwarded to analyst-accessible repositories was data [redacted] or where the target was the active user. The remainder was sequestered pending development of decision logic to assess MCTs. The data was also excluded [redacted].

(U) Table 29 summarizes the collection provisions of the FAA §702 minimization procedures and the controls implemented by NSA to maintain compliance.

(U) Table 29. Collection Provisions and Controls

Provision: (U) Acquisition of information by targeting persons reasonably believed to be outside the United States will be conducted in a manner designed, to the greatest extent feasible, to minimize the acquisition of information not relevant to the purpose for which it was authorized.
Control: Targeting controls (see Table 26) are the first measures employed to limit collection to communications of targets that meet the requirements of the targeting procedures. The foreignness requirements and the post-targeting analysis of communications serve to minimize collection of communications not authorized for acquisition (e.g., domestic communications).

Provision: [redacted] Acquisition of communications not to or from the target will employ an Internet protocol filter [redacted].
Control: (U//FOUO) Internet protocol filtering is performed [redacted] on collection [redacted] to verify that at least one end of each transaction is foreign. Only transactions meeting this criterion should be delivered to NSA.

Provision: (U) NSA will take reasonable steps post-acquisition to identify and segregate through technical means Internet transactions that cannot be reasonably identified as containing single, discrete communications where the active user of the transaction is reasonably believed to be located in the United States or the location of the active user is unknown.
Control: (U//FOUO) NSA has implemented procedures to analyze upstream Internet collection. Only discrete transactions and MCTs meeting certain criteria are made accessible to [redacted].

(U) Repositories

(U) Provisions of FAA §702 certifications: repositories

FAA §702 targeting procedures require that NSA establish processes for ensuring that raw traffic is labeled and stored only in authorized repositories and is accessible only to those who have had proper training (see the Access and Training section). [redacted]

(U) Control framework for access to FAA §702 repositories

(U//FOUO) Several control procedures are employed to ensure that FAA §702 data is stored in repositories that meet standards for security and compliance and that access to the data is properly controlled. From [redacted], the data is processed through interim systems before it reaches the approved source systems for FAA §702 reporting.[70] The remainder of this section addresses the following types of controls, focusing on their application to the [redacted]:

- System security accreditation,
- System certification,
- Data flow management, and
- Data tagging.

Approval for NSA systems to store and process FAA §702 data

Accreditation: TS is responsible for managing the risk on all NSA networks and the computer systems and devices connected to those networks. [redacted] responsibilities include:

- [illegible], prioritizing, and overseeing the development of information assurance programs necessary to ensure protection of information systems and networks by managing the NSA Information Security Program,
- Serving as the Director NSA Authorizing Official to accredit all NSA information systems,
- (U//FOUO) Conducting information systems security and accreditation and risk management programs, and
- Establishing, maintaining, and enforcing NSA information systems security policies and implementation guidelines.

(U) Accreditation is the official management decision to permit operation of information systems in specific environments at acceptable levels of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. In accrediting systems, TS uses the National Institute of Standards and Technology (NIST) Risk Management Framework to determine the appropriate level of risk mitigation to protect systems, information, and infrastructure. NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010, describes the six steps in the framework.[71]
- Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis (risk assessment),
- (U//FOUO) Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions,
- (U//FOUO) Implement the security controls and describe how the controls are employed within the information system and its environment of operation (system developers),
- Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system (independent testing by TS),
- (U//FOUO) Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the nation resulting from the operation of the information system and the decision that this risk is acceptable, and
- (U//FOUO) Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

(U//FOUO) Before a system is authorized to be put on a network, it must go through the accreditation process and be approved by TS. Once implemented, systems are subject to reaccreditation every three years or when significant changes occur that may affect the risk assessment. The dates through which the FAA §702 repositories are accredited are listed in Table 30.

(U//FOUO) Table 30. Accreditation Status of NSA [redacted]

[Table contents redacted]
Certification: In addition to system accreditation, all systems containing FISA data must be certified by TV4, the NSA authority for certifying automated systems to ensure they are compliant with the legal and policy regulations protecting USP privacy. [redacted] and the FISC are notified when NSA designates a new [redacted]. In 2010, NSA began certifying [redacted] as part of an effort to ensure that they comply with the legal and policy regulations protecting USP privacy. This included the FAA §702 metadata [redacted]. Personnel from various SID and TD organizations performed the initial certifications. TV subsequently assumed responsibility for system certification and developed [redacted], the NSA database for registering NSA systems, their compliance certification, and data flows. It is the authoritative source for all compliance certifications. The Agency's certification process currently evaluates system controls for compliance with purge, data retention and age-off, data access, querying, dissemination, data tagging, targeting, and analytical processes. These mission functional areas are defined by the Comprehensive Mission Compliance Program that ODOC administers. Through this program, compliance certification requirements are developed to address required compliance controls. The compliance requirements, administered by the TV2 requirements team, form the basis for the criteria against which systems are certified for compliance.

(U//FOUO) To be certified to handle FISA data, systems must receive TV certification through the [redacted] Compliance Certification process. The TV4 certification dates for the [redacted] that contain FAA §702 data and can be used as sources to support dissemination are listed in Table 31.

(U//FOUO) Table 31. Compliance Certification Status of [redacted]

[Table contents redacted]

TV provided new compliance certification guidance in May 2014. Systems other than those being decommissioned within twelve months, which meet the following criteria, should be recertified by TV:

- Systems with two significant system-related incidents in a twelve-month period or three total,
- FISA systems that have not been certified within two years,
- Systems with a major upgrade affecting compliance functionality, or
- Systems planning to process under a new authority (e.g., addition of FISA data).

Owners of all affected FISA systems were notified in June 2014 that they should complete recertification, if their systems met these guidelines, within six months. [redacted] are scheduled to be decommissioned and were exempted from this requirement.

(U) Data flow management

USSIDs define a set of controls and operating procedures for the United States SIGINT System. USSID DA3511, Data Acquisition Directorate Targeting and Data Flow Management, defines a process intended to assure that only desired [redacted] is delivered to intended users in the time frame and format required. [redacted] governing end-to-end [redacted] houses the access data [redacted] is responsible for managing [redacted] and telephony data collection [redacted] setting up new data flow paths that traverse the [redacted]. The Data Governance Team governs the processing and distribution of data collected within the [redacted] SIGINT system, oversees the documentation and review of all new data flow requests, and implements processes designed to ensure that NSA compliance standards are maintained throughout the development of new data flows.

The Data Governance Team manages the data flow process. Customers must complete Dataflow Management Requests (DMRs) to initiate or modify data flows. DMRs require detailed information, including the status of system certifications, system accreditation plans, types of data to be processed, authorities for collection, and documentation of data flows. DMRs are evaluated and approved by a triage team [redacted]. Upon triage team concurrence, the DMR is given to the Targeting and Tasking and Data Delivery organizations for testing, and [redacted] required approvals are obtained and data flows become [redacted].

(U) Data tagging

Historically, NSA has managed data access by implementing restrictions on data storage, including the use of logical database partitions.
Data flows were designed to place data in these partitions, for example, according to the FAA §702 certification under which the communications were acquired. To access the data, personnel had to have appropriate training and be given access to certain systems and missions matching the data partitions where the data was stored.

(U//FOUO) As NSA [redacted], [redacted] storing and accessing data are being developed. Data tags are created for each [redacted] collection record, identifying the authority under which the [redacted], as well as several other pieces of information used in managing the data over its [redacted]. Thus, to access raw data acquired under the [redacted] certification for FAA §702, [redacted] must be approved for access to such collection as part of an authorized mission and fulfill the training requirements for the authority. Data tags also serve to maintain compliance with limitations on the scope of queries, as well as age-off and purge requirements. Table 32 summarizes the repository provisions of the FAA §702 targeting and minimization procedures and the controls NSA implemented to maintain compliance.

(U) Table 32. FAA §702 Repository Provisions and Controls

Provision: (U//FOUO) NSA has established processes for ensuring that raw traffic is labeled and stored only in authorized repositories.
Controls: (U) All systems processing FAA §702 data must complete a security accreditation process. (U) All FAA §702 repositories are certified compliant with the legal and policy regulations protecting USP privacy. (U//FOUO) Data flows must be approved by [redacted] and SV to ensure compliance. Data tags are applied to identify the authority under which the information was acquired. The tags also serve to manage access to data. [redacted]

(U) Access and Training

(U) Provisions of FAA §702 certifications

(U) The FAA §702 targeting procedures state that NSA will develop and deliver training to ensure that intelligence personnel responsible for approving the targeting of persons under that authority, as well as those with access to the raw data acquired pursuant to FAA §702, understand their responsibilities and the procedures that apply to this acquisition.

[redacted] Standard Minimization Procedures for different versions of [redacted] were established for particular [redacted] acquired before the establishment of the [redacted] credential [redacted].

(U) Control framework for restricting access to FAA §702 collection to authorized personnel

NSA requires that users having access to FAA §702 data have one or more credentials, be current on the required training, and be assigned to approved missions.

Required credential: One of [redacted] credentials is needed to access FAA §702 data: [redacted]. [redacted] is required to [redacted] under the [redacted] §702 [redacted].

Obtaining the credential: To obtain any of the credentials, a request must be [redacted]. Only individuals who [redacted] the requested [redacted] for the credential. The request is first [redacted] by the Directorate for Security and Counterintelligence (Q) to determine whether the applicant has satisfied certain security criteria. If approved by Q, the request is forwarded to SV for final adjudication. SV reviews the request, [redacted] that the individual is current on required training and that the request [redacted] a valid [redacted]. [redacted] are met, SV approves the [redacted] for entry to [redacted]. [redacted] retrieves [redacted] from other corporate authoritative source systems the status of individuals' approved missions, training, and clearances. Using this information, [redacted] calculates the individuals who qualify for FAA §702 access. NSA systems use the information [redacted] to determine what data the individuals are authorized to access. SID maintains authority rules, which determine what [redacted] verifies for individuals to access data.
Obtaining access to mission resources: SID policy designates [redacted] as the tool for the proper administration and implementation of access to SIGINT data in NSA repositories; it facilitates the administrative process of acquiring access to tools and databases. Access sponsors submit individuals for access. The sponsors determine the appropriate authority for users, assigning them to a mission documented in the mission correlation table, a master list of all analytic production elements that have been approved for SIGINT missions. The table facilitates database access by providing a record of the databases needed to perform SIGINT missions. The access sponsor nominates a user for access to raw SIGINT databases, sources, and tools in support of a stipulated mission. The sponsor ensures that auditors are assigned to the mission to review queries of mission [redacted].[72] [redacted] permits access to FAA §702 data [redacted].

(U//FOUO) Maintaining access: Automated and manual procedures provide assurance of continuing eligibility to access FAA §702 data. Users and access sponsors are responsible for removing users' access when they no longer qualify for a mission. Each [redacted] is also required to have an intelligence oversight officer who performs periodic reviews to ensure that individuals assigned to [redacted] are still eligible for access. Enforcement of required training is supported by the production of automated notices to individuals well in advance of their training expiration date. Notices are produced at regular intervals until the training is completed. If training [redacted], the individual is automatically removed from access to FAA §702 data.[73] [redacted] calculates daily a list of individuals who qualify for FAA §702 access; it interfaces with several corporate authoritative source systems that provide the status of individuals' approved missions, training, and clearances. For systems that use data tags, user information in [redacted] is compared with the data tags applied to the communications before giving the individuals access to the data.
If the user does not possess the combination of requirements identified in the data tag, access to that data is denied.

Appropriate and adequate training: Policy 1-23 requires that Agency personnel complete IO training annually. To qualify for access to data acquired under an FAA §702 certification, persons must have completed specific training courses within the last 12 months. All courses are developed by ADET in conjunction with the OGC, mission subject matter experts, and mission compliance professionals. All NSA [redacted] who perform targeting functions must take the first three courses listed next; the last is mandatory only for personnel requiring access to FAA §702 data.

- [redacted], Intelligence Oversight Training, the Agency's core IO course, provided to the workforce to maintain a high degree of sensitivity to and understanding of intelligence laws, regulations, and policies associated with the protection of U.S. person privacy rights. Personnel are familiarized with the major tenets of the four core IO documents: Executive Order 12333, as amended; Department of Defense Regulation 5240.1-R; Directive Type Memorandum 08-052; and Policy 1-23.[74] The course is web-based and includes knowledge checks for proficiency.
- OVSC1100, Overview of Signals Intelligence Authorities, the core IO course, provides an introduction to the various legal authorities governing NSA operations. Upon completion, personnel should be able to identify applicable surveillance authorities at a high level, define the basic provisions of the authorities, and identify situations requiring additional authority. OVSC1100 is web-based and includes knowledge checks for proficiency.

[73] (U//FOUO) [redacted] does not verify the individuals' FAA [redacted].
[74] E.O. 12333, United States Intelligence Activities; DoD Regulation 5240.1-R, Procedures Governing the Activities of DoD Intelligence Components That Affect U.S. Persons; DTM-08-052, DoD Guidance for Reporting Questionable Intelligence Activities and Significant or Highly Sensitive Matters.
- (U//FOUO) OVSC1800 - Legal Compliance and Minimization Procedures - an advanced SIGINT intelligence oversight course which explains policies, procedures, and responsibilities within missions and the obligations of the [workforce] to protect U.S. person and foreign partner privacy rights. OVSC1800 is web-based and includes competency exams; [personnel] who do not pass the test after [redacted] attempts must complete remedial [training]. All personnel in the U.S. SIGINT System working under NSA SIGINT authority with access to raw SIGINT are required to complete OVSC1800 annually.
- OVSC1203 - FISA Amendments Act [redacted] Section 702 - explains the legal policies and targeting and minimization procedures FAA [§702] mandates. The course is web-based and [includes an] exam; [personnel] who do not pass the test after [redacted] attempts must complete remedial training. All [personnel] who require access to FAA §702 data must take this course annually.

(U//FOUO) Other courses are also required before [analysts] can access NSA targeting tools. The first four of these are required for all NSA [personnel] who perform targeting functions, while the last is mandatory only for those targeting under FAA §702.

- (U//FOUO) CRSK1300, Foundations of Smart Targeting, a web-based course that covers targeting policy, processes and concepts, available assistance, targeting tools, research, and collection.
- [redacted], Foundations of Smart Targeting: Research, available in web-based format beginning January 2015; the course focuses on elements of the targeting process requiring research, the research process, and the tools and databases used in research.
- (U//FOUO) CRSK1302, Foundations of Smart Targeting: Targeting, a web-based course that includes collection source considerations, the target workflow process, creating TRs, finding and assessing collection results, and documenting sources.
- CRSK1303, Foundations of Smart Targeting: Targeting Maintenance, a web-based course that focuses on resolving compliance problems, managing traffic, and maximizing the intelligence value of tasked selectors.
- (U//FOUO) CRSK1304, FAA Section 702 Practical Applications, a web-based course required for all NSA [personnel] who conduct targeting under FAA §702. It is scenario-based and addresses compliant TRs, targeting maintenance, and incident reporting.

(U) Adjudicator training

In addition to the above courses, mission personnel who grant final approval of FAA §702 TRs must take a course on the approval process, be approved by their FAA §702 mission lead, receive hands-on training by personnel with adjudication experience, and be approved by S2 Mission and Compliance staff. Upon approval, elements in SID will upgrade the individual's access role [redacted].

- CRSK1305, FAA Section [702] Adjudication, a course that explains NSA resources for validating selectors and foreignness explanations [in] TRs, determining whether submitted TRs should be approved, and follow-up actions after a TR has been approved or denied.

(U) Access requirements for technical personnel to FAA §702 repositories

Technology Directorate personnel who directly support repositories and systems that contain raw SIGINT data or activities that utilize raw SIGINT must complete OVSC1100, [redacted] and OVSC1806 training annually. OVSC1806 is the same course as [redacted] (see above) but has an additional lesson on the system compliance certification process. Technical personnel who support FISA systems and whose responsibilities may include direct access to FISA data are also required to attend a briefing administered by OGC and TV. Upon completion of the briefing, SV [redacted] recording the user's attendance at the briefing and their authorization for access.
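The continuing-eligibility mechanism described under Maintaining access (a daily eligibility list computed from authoritative sources, training-expiry notices, and a data-tag comparison that denies access when the user lacks the full combination of attributes the tag requires) can be modelled in a few functions. The following is an added example written for this page; it is not NSA code and does not represent any real NSA system. The course identifiers are the ones named in this section; the 365-day validity window, the notice schedule, the mission and clearance labels, the "FAA702" authority tag and every user record are constructed assumptions.

```python
"""Continuing-eligibility and data-tag access check (added example, not NSA code)."""
from dataclasses import dataclass
from datetime import date

TRAINING_VALIDITY_DAYS = 365   # courses must have been completed within the last 12 months
NOTICE_LEAD_DAYS = 60          # first expiry notice this far ahead (constructed schedule)
NOTICE_INTERVAL_DAYS = 15      # repeated at this interval until the course is retaken
REQUIRED_COURSES = frozenset({"OVSC1100", "OVSC1800", "OVSC1203"})  # from the page


@dataclass
class User:
    uid: str
    missions: frozenset      # missions the access sponsor assigned the user to
    clearances: frozenset
    training: dict           # course id -> date of last completion


@dataclass(frozen=True)
class DataTag:
    """Attributes stamped on a record; a user must hold the whole combination."""
    authority: str           # constructed label, e.g. "FAA702"
    missions: frozenset      # any one of these missions satisfies the tag
    clearances: frozenset    # every one of these clearances is required


def training_current(user: User, course: str, today: date) -> bool:
    done = user.training.get(course)
    return done is not None and (today - done).days <= TRAINING_VALIDITY_DAYS


def eligible_for_702(user: User, today: date, authorized_missions: frozenset) -> bool:
    """Every required course current AND at least one assigned mission is
    authorized for FAA 702 in the (constructed) mission correlation table."""
    courses_ok = all(training_current(user, c, today) for c in REQUIRED_COURSES)
    mission_ok = bool(user.missions & authorized_missions)
    return courses_ok and mission_ok


def daily_eligibility_list(users, today: date, authorized_missions: frozenset) -> list:
    """Recalculated daily; a user absent from the list loses FAA 702 access."""
    return sorted(u.uid for u in users if eligible_for_702(u, today, authorized_missions))


def training_notices(user: User, today: date) -> list:
    """(course, days_left) pairs for which a notice is due today: inside the lead
    window on the interval, or already expired (notices repeat until completion)."""
    due = []
    for course in sorted(REQUIRED_COURSES):
        done = user.training.get(course)
        if done is None:
            continue
        days_left = TRAINING_VALIDITY_DAYS - (today - done).days
        on_schedule = days_left <= NOTICE_LEAD_DAYS and (NOTICE_LEAD_DAYS - days_left) % NOTICE_INTERVAL_DAYS == 0
        if days_left < 0 or on_schedule:
            due.append((course, days_left))
    return due


def access_allowed(user: User, tag: DataTag, today: date, authorized_missions: frozenset) -> bool:
    """Data-tag check run before a record is released to the user."""
    if tag.authority == "FAA702" and not eligible_for_702(user, today, authorized_missions):
        return False                      # training lapsed or mission not authorized
    if not (user.missions & tag.missions):
        return False                      # not assigned to a mission the tag permits
    if not tag.clearances <= user.clearances:
        return False                      # missing at least one required clearance
    return True


# Constructed sample data: one snapshot date, one authorized mission, four users.
TODAY = date(2014, 6, 1)
AUTHORIZED_MISSIONS = frozenset({"M1"})
_CURRENT = {c: date(2014, 1, 15) for c in REQUIRED_COURSES}
SAMPLE_USERS = {
    "alice": User("alice", frozenset({"M1"}), frozenset({"TS", "SI"}), dict(_CURRENT)),
    "bob":   User("bob",   frozenset({"M2"}), frozenset({"TS", "SI"}), dict(_CURRENT)),  # mission not authorized
    "carol": User("carol", frozenset({"M1"}), frozenset({"TS", "SI"}), {**_CURRENT, "OVSC1203": date(2013, 3, 1)}),  # expired
    "dave":  User("dave",  frozenset({"M1"}), frozenset({"TS"}),       {**_CURRENT, "OVSC1203": date(2013, 7, 1)}),  # 30 days left
}
SAMPLE_TAG = DataTag("FAA702", frozenset({"M1"}), frozenset({"TS", "SI"}))

if __name__ == "__main__":
    print(daily_eligibility_list(SAMPLE_USERS.values(), TODAY, AUTHORIZED_MISSIONS))
    for name, u in SAMPLE_USERS.items():
        print(name, access_allowed(u, SAMPLE_TAG, TODAY, AUTHORIZED_MISSIONS), training_notices(u, TODAY))
```

The check is deliberately layered: eligibility (mission plus current training) is computed once a day from the authoritative sources, and the per-record tag comparison then adds clearance and mission constraints on top of it, so a lapsed course or a mission not authorized for the authority is denied even where the user's clearances would otherwise match the tag.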
(U) Identification of access vulnerability

[redacted], scheduled to be decommissioned in [redacted], relies on a [redacted] to [redacted].[75] [It] does interface [with redacted]; however, it does not verify that an individual is current on training as [part of] access control.[76] [In redacted], an individual with authorized access to [redacted] data discovered that FAA §702 data had been included in the results of a query of [redacted] data. The individual had received FAA §702 training when she was [redacted] assigned to a different mission, so her access to the data was not in violation of the FAA §702 targeting and minimization procedures. However, the access did violate SID policy because the mission to which the individual was assigned was not authorized for FAA §702.[77] Investigation of the occurrence led to the discovery that [personnel without current FAA §702] training could access FAA §702 data in [redacted] [using the redacted] credential.[78] To date, no incidents have [been identified] [redacted] FAA §702 data.[79] When SV personnel discovered this vulnerability, they worked with TD to initiate measures [redacted]. [redacted] was updated to add new COIs to FAA §702 data collected on or after that date. The new COIs emulate the [controls] required for other FAA §702 systems, including [redacted]. [A] process will be implemented to [redacted] for [redacted] obtained [redacted]. A review regarding action to take [redacted].

[75] See the Obtaining the Credential section for [redacted].
[76] [redacted] if they have the [redacted] of [whether the] individual received FAA §702 training [redacted] querying, controlling access based upon the authority under which it was [redacted].

Table 33 summarizes the access and training provisions of the FAA §702 targeting procedures and the controls implemented by NSA to maintain compliance.

(U) Table 33. Access and Training Provisions and Controls

Provision: (U) NSA will develop and deliver training regarding the applicable procedures to ensure that intelligence personnel responsible for approving the targeting of persons under FAA §702, as well as [analysts] with access to the acquired foreign intelligence information, understand their responsibilities and the procedures that apply to this acquisition.
Controls: (U//FOUO) NSA has a list of courses required annually for analysts to qualify for access to data acquired under FAA §702. This includes a course specific to FAA §702. (U//FOUO) To access NSA targeting tools, all analysts must complete four courses on targeting. [Analysts] targeting under FAA §702 must also take a course on application of the authority. (U//FOUO) Adjudicators (who grant the final approval of TRs under FAA §702) must also complete a course on adjudication specific to the authority. Technology Directorate personnel who support systems must complete OVSC1100 and OVSC1806 annually and attend a briefing administered by OGC and TV.

Provision: (U) NSA has established processes to ensure that raw traffic is accessible in authorized repositories only to those who have had the proper training.
Controls: (U//FOUO) SID Management Directive 421 states that access is based on current mission need and does not follow individuals when they move to new missions or locations unless specified in the document authorizing the assignment. Persons changing missions, jobs, or locations must provide re-justification to [redacted] through their management chains for FISA access or access to unminimized, unevaluated content in the new [mission]. Without a [redacted] credential, analysts cannot access FAA §702 data and most other types of FISA data. The [redacted] credential was originally established for FISA data and requires training in standard minimization procedures for FISA information. [Analysts] authorized for FISA [are] also authorized to access FAA §702 data. (U//FOUO) Access to FAA §702 foreign intelligence and the ability to submit and approve targeting under the authority require certain credentials and access to mission resources (databases, sources and tools). The approval is not granted unless the required training has been completed.
(See above information regarding [redacted].)

(U) Querying Repositories of Collected FAA §702 Data

(U) Provisions of FAA §702 certifications - queries

(U) Minimization procedures permit use of computer selection terms to scan storage media containing communications acquired pursuant to FAA §702 and to select communications for analysis, with certain limitations. Query selection terms (e.g., telephone numbers and key words and phrases) must be formed in a manner reasonably likely to return foreign intelligence information. Collection obtained through NSA upstream Internet collection techniques may not be queried using selection terms of an identifiable USP.

(U) Compliance controls - query compliance

Queries of raw SIGINT databases are subject to USSID CR1610, SIGINT Production and Raw SIGINT Access, revised 12 February 2013, which requires that:

- (U//FOUO) All user organizations designate two auditors to review daily those queries presented for their review,[80]
- (U//FOUO) Auditors be familiar with the targets and types of queries executed within their missions,
- SV provide training for new auditors on their responsibilities and certify them as compliant before conducting audits,[81]
- (U//FOUO) SV conduct periodic super audits of interactive raw SIGINT database queries, verifying that selectors were foreign on the date the super audit is performed and examining the query terms to determine compliance with NSA policy,[82]
- NSA maintain a non-editable file of all such database queries for a minimum of one year,
- All queries be driven by a foreign intelligence purpose, and
- An audit record of the selection terms be created and reviewed per NSA policy by the originating organization.

[80] SV implemented an approach to query review that uses stratified sampling based upon historical rates of queries identified as "reportable" to determine the queries from each database to be presented for auditor review. The [redacted] system passively logs queries, but the queries are not subject to audit. NSA is developing a process to provide additional oversight for queries against this system.
[81] [Auditors] are now required to take NSA Raw Traffic Database Auditor Training every two years and must be cleared to the security level required for the authority under which the analyst performed the [query] to audit.
[82] The system used to test foreignness [redacted] does not maintain an historical record of [redacted] of the tasked [redacted].
[note] The [redacted] system, a legacy system which [redacted] and is scheduled to be decommissioned, does maintain a log of queries for five years. The system has not yet been modified to provide these query logs to the corporate logging and auditing system.

(U//FOUO) Mission auditors are assigned to each mission using the [redacted] tool described in the access [section]; missions [must] have designated auditors before new personnel can be approved for the missions. Auditor [requirements include] target knowledge expertise in the mission area, familiarity with the type of queries to be reviewed, ability to mentor [analysts] to improve query execution, attainment of all credentials required for the data reviewed, and completion of all required training. Queries presented to auditors are required to be audited within 24 hours or on the next normal duty day. SV developed OVSC3101, NSA Raw Traffic Database Auditor Training, to prepare auditors for post-query review. The course provides instruction on use of the corporate query audit system, incident identification, incident reporting, and maintenance of records of audits (to support SV super audits and reviews).

(U//FOUO) Queries not using USP selection terms

[redacted] FAA §702 systems provide records of queries to the corporate logging and auditing system for user-generated queries of raw SIGINT content.[83] These records are the source for daily post-query reviews by auditors and SV query oversight. These systems also maintain records of query reviews.
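The post-query review controls above (an append-only query log retained for at least a year, stratified sampling of logged queries per database driven by historical reportable rates, presentation to a mission's two designated auditors with a 24-hour or next-duty-day deadline, and the prohibition on USP selection terms against upstream Internet collection) are modelled below as an added example. This is illustration written for this page, not NSA code, and it does not reproduce the corporate logging and auditing system. Database names, the historical rates, the sampling multiplier and floor, mission and auditor names, and every log record are constructed assumptions.

```python
"""Post-query review routing for raw SIGINT query logs (added example, not NSA code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=365)           # non-editable query record kept at least one year
# Constructed: fraction of past queries per database that auditors flagged as reportable.
HISTORICAL_REPORTABLE_RATE = {"db_internet": 0.02, "db_upstream": 0.10, "db_telephony": 0.05}
MIN_SAMPLE, SAMPLE_MULTIPLIER = 0.05, 5.0  # constructed sampling parameters


@dataclass(frozen=True)
class QueryRecord:
    ts: datetime
    user: str
    mission: str
    database: str
    term: str
    term_is_usp: bool    # selection term identifies a U.S. person
    upstream: bool       # database holds upstream Internet collection


class QueryLog:
    """Append-only store: records are added and read, never edited; they can be
    dropped only once the retention period has passed."""
    def __init__(self):
        self._records = []

    def append(self, rec: QueryRecord) -> int:
        self._records.append(rec)
        return len(self._records)

    def records(self) -> tuple:
        return tuple(self._records)

    def expire(self, now: datetime) -> int:
        keep = [r for r in self._records if now - r.ts <= RETENTION]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed


def admit_query(rec: QueryRecord) -> bool:
    """Pre-execution gate: USP terms may not be run against upstream collection."""
    return not (rec.upstream and rec.term_is_usp)


def sample_rate(database: str) -> float:
    """Stratified sampling: a database with a higher historical reportable rate has a
    larger share of its queries presented, with a floor so no database is skipped."""
    return min(1.0, max(MIN_SAMPLE, SAMPLE_MULTIPLIER * HISTORICAL_REPORTABLE_RATE[database]))


def select_for_review(log: QueryLog, rng) -> list:
    """rng.random() must return a float in [0, 1); pass random.Random(seed) or a stub."""
    return [r for r in log.records() if rng.random() < sample_rate(r.database)]


def review_deadline(presented_at: datetime) -> datetime:
    """Audit within 24 hours, or on the next normal duty day (Mon-Fri) if that falls on a weekend."""
    due = presented_at + timedelta(hours=24)
    while due.weekday() >= 5:
        due += timedelta(days=1)
    return due


def route_to_auditors(rec: QueryRecord, auditors_by_mission: dict, presented_at: datetime) -> dict:
    """Each organization must have designated two auditors before queries are presented."""
    auditors = tuple(auditors_by_mission.get(rec.mission, ()))
    if len(auditors) < 2:
        raise ValueError(f"mission {rec.mission} has not designated two auditors")
    return {"query": rec, "auditors": auditors, "due": review_deadline(presented_at)}


class SequenceRng:
    """Deterministic stand-in for random.Random used in the demo and test."""
    def __init__(self, values):
        self._values = list(values)

    def random(self) -> float:
        return self._values.pop(0)


# Constructed sample data. 2014-06-06 is a Friday, so the 24-hour deadline rolls to Monday.
PRESENTED_AT = datetime(2014, 6, 6, 10, 0)
AUDITORS = {"M1": ("auditor_a", "auditor_b")}


def sample_log() -> QueryLog:
    log = QueryLog()
    log.append(QueryRecord(datetime(2013, 5, 1, 8, 0), "u1", "M1", "db_internet", "term-old", False, False))
    log.append(QueryRecord(datetime(2014, 6, 6, 9, 0), "u1", "M1", "db_internet", "term-b", False, False))
    log.append(QueryRecord(datetime(2014, 6, 6, 9, 5), "u2", "M1", "db_upstream", "term-c", False, True))
    return log


if __name__ == "__main__":
    log = sample_log()
    for rec in select_for_review(log, SequenceRng([0.0, 0.0, 0.0])):
        print(route_to_auditors(rec, AUDITORS, PRESENTED_AT))
```

The sampling weights come from history rather than from the analyst, so a database whose queries were rarely found reportable still gets a minimum share presented; the `admit_query` gate sits in front of execution, not in the audit path, because the upstream/USP restriction is a prohibition rather than something to review after the fact.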
Auditors examine queries to determine whether they have a valid foreign intelligence purpose. Auditors also evaluate query selection terms to determine whether they were constructed so as to avoid obtaining information on USPs. The review is intended to balance the pursuit of foreign intelligence and protection of Fourth Amendment rights. When a tasked FAA §702 selector is used as a query term and the selector is foreign, the corporate query logging and auditing system does not present the query for review by an auditor because the term has been reviewed by a releaser and an adjudicator as part of the TR approval for tasking during the targeting process.[84] If a tasked selector is used as a query term and the selector is not foreign, it is subject to review by an auditor. Queries using selection terms that are not approved selectors are subject to auditor review.

[83] One of the [redacted] auditing system. This system is scheduled to be decommissioned.
[84] The query auditing and logging system obtains current tasked selectors [and verifies] their foreignness against NSA databases.

(U//FOUO) Provisions of FAA §702 - queries using USP selection terms

A 3 October 2011 FISC Order approved the use of modified minimization procedures that permit queries of data collected under the authority, only for foreign intelligence purposes, using USP query terms subject to specific NSA review procedures and external oversight. Such queries can only be performed using FAA §702 telephony communications and Internet communications obtained from [redacted] collection. Use of USP identifiers to query FAA §702 collection must be approved in accordance with NSA procedures. NSA is required to maintain records of all USP identifiers approved for use as selection terms. These query procedures are subject to oversight by DoJ and ODNI.

(U//FOUO) Compliance controls - queries with USP selection terms

NSA adopted internal procedures governing use of USP identifiers for queries of communications collected under FAA §702.
Upstream Internet collection is not approved for such queries. DoJ and ODNI reviewed and approved these procedures. The Senate and House Intelligence Committees were informed of these changes. There are three sets of procedures for approval of these queries:

- (U//FOUO) Queries of metadata,
- Emergency queries of content, and
- Non-emergency queries of content.

[The] annually required course on FAA §702, OVSC1203, includes training on the use of USP identifiers to query raw data collected under the authority. The NSA FAA web page also contains the documented and approved procedures for these queries. Although metadata queries are not subject to pre-approval, the query and a foreign intelligence justification must be recorded to support external oversight. The justification must document the analytic knowledge linking the selector to a foreign target or foreign intelligence purpose. Content queries using USP identifiers are subject to pre-approval by SV and OGC. SV maintains records of all queries using USP identifiers and includes such queries in its query oversight.

(U) Table 34 summarizes the query provisions of FAA §702 minimization procedures and the controls implemented by NSA to maintain compliance.

(U) Table 34. Query Provisions and Controls

Provision: (U) Storage media (data repositories) containing communications acquired pursuant to FAA §702 may be queried to identify and select communications for analysis. Query terms, such as telephone numbers and key words or phrases, will be limited to those selection terms reasonably likely to return foreign intelligence information.
Controls: (U) Queries of FAA §702 databases may only be conducted for foreign [intelligence] purposes and are subject to review by mission auditors, who must have target knowledge expertise in the mission area and have completed training on raw traffic database auditing. The review evaluates whether the query was for a valid foreign intelligence purpose. SV conducts periodic super audits of these queries. [Records of] all database queries [are kept] for at least one year in the logging and auditing system for user [generated queries] [redacted].

Provision: (U) Identifiers of an identifiable USP may not be used as terms to query any Internet communication acquired through upstream Internet collection. Use of USP terms to query communications must be approved in accordance with NSA procedures. NSA will maintain records of all USP identifiers approved for use as selection terms.
Controls: All personnel receive annual training on query procedures, which can only be performed for foreign intelligence purposes against FAA §702 telephony communications and Internet communications [redacted]. The [redacted] web page provides instructions for requesting approval of such queries, using a process that [DoJ] and ODNI approved. (U//FOUO) Queries of upstream Internet collection using USP terms are prohibited. (U//FOUO) Queries of metadata are not subject to pre-approval, but the query and foreign intelligence justification must be documented. (U//FOUO) Content queries using USP terms follow request and documentation procedures and are subject to pre-approval by SV and OGC. SV maintains records of all queries using USP identifiers and includes these queries in its oversight of query review.

Provision: [DoJ] and ODNI will conduct oversight of NSA's queries using USP identifiers.
Controls: (U) See the Oversight section.

(U) Sharing and Dissemination

(U) Sharing

As stated in the Access and Training section, targeting procedures require that all personnel accessing or otherwise handling raw data acquired pursuant to FAA §702 must be current on training for the authority. This imposes restrictions, even within NSA, on the use of information obtained under this authority.

(U) Unminimized communications acquired pursuant to FAA §702 may be provided to the CIA and FBI for targets each has identified to NSA. Each agency has minimization procedures for handling data collected under this authority and must handle communications provided by NSA in accordance with those procedures.
Currently, unminimized data shared with the CIA and FBI is limited to communications derived from [redacted] collection.

(U) Dissemination

(U) The NSA minimization procedures apply to dissemination of all information acquired under FAA §702, including non-publicly available information concerning USPs acquired by targeting approved under the NSA targeting procedures. There are several restrictions on dissemination of information acquired under this authority.

(U//FOUO) Discrete Communications within an MCT

[Analysts] seeking to disseminate information obtained from a discrete communication within an MCT must assess whether the communication is eligible for dissemination (i.e., not a domestic communication) and document that assessment in the comments field of the reporting tool in a manner that supports internal and external oversight.

(U) Attorney-Client Communications

Dissemination of USP attorney-client privileged communications must be reviewed by the NSA OGC. NSA must cease review of communications between a person known to be under criminal indictment in the United States and an attorney representing that individual in that matter, segregate such communications, maintain a record of the identified attorney-client communications, and notify DoJ so that appropriate procedures may be established to protect such communications from review or use in a criminal prosecution, while preserving foreign intelligence information in the communication.

(U) Domestic Communications

A domestic communication may only be disseminated if DIRNSA has approved a destruction waiver for that communication, documenting its eligibility for retention and dissemination. Such communications must contain information that meets one of four criteria: significant foreign intelligence, technical database information necessary to assess a communication's vulnerability, evidence of a crime, or information concerning a threat of serious harm to life or property.
Communications acquired when there was no reasonable belief at the time of tasking that a target was a non-USP located outside the United States are not eligible for destruction waivers. If a waiver has been obtained, NSA may share domestic communications that do not have foreign intelligence value but are believed to contain evidence of a crime with appropriate federal law enforcement authorities in accordance with applicable laws and regulations.[85] Without a destruction waiver, NSA is authorized to notify the FBI if information in a domestic communication indicates that a target has entered the United States. The Agency may also provide information [to the CIA and] FBI for collection avoidance purposes. NSA may retain domestic communications shared with the CIA and FBI for six months and must restrict further use or dissemination of communications whose destruction has been waived by placing the identifiers for these communications on the MPL.

[85] U.S.C. §§1806(b) and 1825(c) require that the communications be released with a statement that the Attorney General must approve use of the information in a criminal proceeding. U.S.C. §1806(b) is not limited to FAA §702 domestic communications; it applies to all disseminations to law enforcement.

(U) Foreign Communications of or Concerning USPs

These communications may be disseminated if the identity of the USP is deleted and a generic term substituted so that the information cannot reasonably be connected with an identifiable USP. This process is referred to as "masking." Otherwise, dissemination of intelligence based on such communications may only be made to recipients requiring the identity of the USP to perform their official duties and only if at least one of eight additional requirements is met:

- (U) The USP consented to dissemination or the information is publicly available,
- (U) The USP identity is necessary to understand the foreign intelligence information or assess its importance,
- (U) The communication or information indicates that the USP may be a foreign power, an agent of a foreign power, residing outside the United States and holding an official position in the government or military forces of a foreign power, a corporation or other entity owned or controlled directly or indirectly by a foreign power, or acting in collaboration with an intelligence or security service of a foreign power and the USP has or has had access to classified national security information or material,
- (U) [The USP may be] the target of intelligence activities of a foreign power,
- (U) The USP is engaged in unauthorized disclosure of classified national security information (only if the originating agency has verified that the information has been properly classified),
- (U) The USP communication was authorized by a court order and the communication may relate to the foreign intelligence purpose of the surveillance,
- (U) [The USP may be] engaging in international terrorist activities, or
- (U) There is evidence that the USP is engaging in a criminal activity.

(U) Foreign Communication of or Concerning a [Non-USP]

[Such communications] may be disseminated in accordance with other laws, regulations, and policies, provided that the communications are eligible for retention under FAA §702.

(U) Collaboration with Foreign Governments

Consistent with the authority accorded NSA by E.O. 12333, the Agency maintains liaison relationships with certain foreign governments. Information derived from FAA §702 collection that has been evaluated for foreign intelligence and minimized for USP information may be disseminated to these foreign governments.[86] Dissemination of information of or concerning a USP must comply with the restrictions described in Foreign Communications of or Concerning USPs above, as well as with those described for MCTs above.

[note] For approved selectors, Internet communications [redacted] are routed to the requesting agency [redacted].
NSA is permitted to disseminate unminimized communications to foreign partners to obtain technical or linguistic assistance to determine the meaning or significance of the information.[87]

(U) Sharing FAA §702 [data] with authorized [personnel]

NSA personnel authorized to access FAA §702 communications are trained to ensure that individuals [with whom they] wish to discuss such communications have appropriate credentials. [redacted] permits review of an individual's training and clearances. The training also addresses [redacted] and states that e-mailing unminimized and unpublished data to anyone, even [redacted], violates compliance controls, such as effective auditing.

(U) Provision of unminimized communications to CIA and FBI

As described in the Targeting section, NSA must approve selectors nominated by these agencies based upon compliance with NSA targeting procedures. [redacted] states that [analysts] should not share [unminimized] and unevaluated communications received pursuant to this collection [redacted] with the CIA and FBI for selectors tasked on behalf of those agencies; collaboration on such collection is permitted when [personnel] from the CIA or FBI access the unminimized communications from their own agencies' FAA §702 data repositories. The required annual FAA §702 course, OVSC1203, provides training on these restrictions, which are designed to assure accountability of dissemination if recall or purge becomes necessary.

(U) General dissemination requirements

(U//FOUO) Limits on use of reported FAA §702 communications

Analyst training (OVSC1203) instructs that "use or disclosure of information derived from FAA §702 communications in any criminal proceeding, immigration proceeding, or any other legal or administrative proceeding is prohibited without the advance authorization of the Attorney General of the United States." To prevent such use, NSA internal procedures require that disseminations of FAA §702 derived information include the "Intelligence Purposes Only" caveat that prohibits use of the information without approval.
This is included in the FAA §702 training.

[86] (U//FOUO) Collected traffic that has been evaluated to determine whether it contains foreign intelligence and has been subject to minimization to protect USP identities is referred to as evaluated minimized traffic or EMT.
[87] (U) Dissemination for technical or linguistic assistance is subject to specific restrictions limiting the use of the information by the foreign government to translation or analysis of the communications, allowing dissemination only to the individuals performing the analysis or translation, restricting the foreign government from making a permanent record of the information, and requiring destruction or return to NSA of the information disseminated.

(U//FOUO) Reporting documentation

Consistent with the purge requirements in the minimization procedures, NSA is required to account for and must be able to trace its disseminations based on FAA §702 communications. The annual training addresses the documentation that [analysts] must complete to fulfill this requirement:

- The collection authority (specific FAA §702 certification) for each piece of traffic used in the report, and
- (U) A source verification statement documenting an identifier for each piece of traffic and confirming that the source was not ineligible for retention or subject to purge.

A new reporting tool, first introduced in 2013, performs the source verification automatically. Successful completion of this process with no flags confirms the traffic may be used as a source for reporting. [An NSA] reporting document, Sourcing Requirement and Verification Guidance, revised 8 May 2012, provides reporting and dissemination guidance. The policy requires that individuals releasing reports verify that the reports do not contain information that should have been purged from raw SIGINT databases. This must be performed within 24 hours of the report release using the Master Purge List.
SIGINT reporters are also required to include traffic source identifiers for all reports and enter source verification statements in the reporting tool to confirm that this review has been performed. The primary analyst reporting tools used in 2013 performed automated verification of sources against NSA's [purge system] at the time of [release]. If none of the source records for the report matched records in the purge system, the report would be released. If a match to the identifier for a purged record was found, the release would be stopped and the individual releasing the report would be notified. The policy requires that a manual source verification check be performed for reports released through means without automated source verification. In 2014, a new analyst reporting tool was implemented that also includes automated source verification (see the Purge section).

(U) Disseminating communications involving MCTs

(U//FOUO) The FAA §702 annual training course, OVSC1203, addresses procedures that [analysts] must perform for upstream Internet collection containing MCTs to comply with the minimization procedures. The training identifies the requirements for disseminating single discrete communications within MCTs. The course also explains requirements for documenting the analysis that supports the decision that communications are eligible for reporting. An NSA reporting policy document, Source Record Entries for Reporting from FAA 702 Multiple Communications Transaction, ISS-185-1, requires that compliance be documented in NSA reporting tools. SV performs oversight of the documentation supporting use of certain MCTs for reporting (see the Oversight section).

(U) Disseminating attorney-client communications

In OVSC1203, [analysts] are trained on the requirement that NSA OGC personnel pre-approve disseminations of information involving USP attorney-client privileged communications.
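The release-time source verification described under Reporting documentation (every source carries a traffic identifier and its certification; identifiers are checked against the Master Purge List; a match stops the release and notifies the releaser; a clean pass produces the source verification statement; a release path without automation still owes a manual check within 24 hours) is modelled below as an added example. It is illustration written for this page, not NSA's reporting tool; the traffic identifiers, certification labels, report identifiers, releaser names, the contents of the purge list and the release timestamp are all constructed.

```python
"""Automated source verification against a purge list at report release (added example, not NSA code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MANUAL_CHECK_WINDOW = timedelta(hours=24)                  # manual check due within 24 hours of release
MASTER_PURGE_LIST = frozenset({"TRF-0003", "TRF-0099"})    # constructed identifiers of purged records


@dataclass(frozen=True)
class Source:
    traffic_id: str
    certification: str        # authority the traffic was acquired under (constructed label)


@dataclass(frozen=True)
class Report:
    report_id: str
    releaser: str
    sources: tuple
    automated_channel: bool   # False for release paths without automated verification


@dataclass
class ReleaseDecision:
    released: bool
    reason: str
    notify: tuple = ()
    verification_statement: str = ""
    manual_check_due: Optional[datetime] = None


def mpl_hits(report: Report, mpl=MASTER_PURGE_LIST) -> list:
    """Source identifiers in the report that appear on the purge list."""
    return [s.traffic_id for s in report.sources if s.traffic_id in mpl]


def release(report: Report, now: datetime, mpl=MASTER_PURGE_LIST) -> ReleaseDecision:
    """Gate a report: documentation complete, no purged sources, manual follow-up scheduled if needed."""
    if not report.sources:
        return ReleaseDecision(False, "no traffic source identifiers recorded", notify=(report.releaser,))
    missing = [s.traffic_id for s in report.sources if not s.certification]
    if missing:
        return ReleaseDecision(False, f"certification missing for {missing}", notify=(report.releaser,))
    hits = mpl_hits(report, mpl)
    if hits:
        # Stop the release and tell the releaser which sources are on the purge list.
        return ReleaseDecision(False, f"sources on Master Purge List: {hits}", notify=(report.releaser,))
    statement = (f"Source verification: {len(report.sources)} source(s) checked against MPL "
                 f"at {now.isoformat()}; no purged records")
    due = None if report.automated_channel else now + MANUAL_CHECK_WINDOW
    return ReleaseDecision(True, "released", verification_statement=statement, manual_check_due=due)


# Constructed sample release time and reports.
NOW = datetime(2014, 5, 20, 9, 0)
SAMPLE_REPORTS = {
    "clean": Report("R-1", "releaser_a",
                    (Source("TRF-0001", "CERT-A"), Source("TRF-0002", "CERT-A")), True),
    "purged": Report("R-2", "releaser_b",
                     (Source("TRF-0001", "CERT-A"), Source("TRF-0003", "CERT-B")), True),
    "manual": Report("R-3", "releaser_c", (Source("TRF-0010", "CERT-A"),), False),
    "undocumented": Report("R-4", "releaser_d", (Source("TRF-0011", ""),), True),
}

if __name__ == "__main__":
    for name, rep in SAMPLE_REPORTS.items():
        print(name, release(rep, NOW))
```

The check is fail-closed: a report with no sources or with a source lacking its certification is blocked before the purge list is consulted, so incomplete documentation cannot slip through as a clean pass.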
(U//FOUO) Disseminating domestic communications

Dissemination of domestic communications is limited to those communications for which DIRNSA has approved a destruction waiver documenting their eligibility for retention.[88] Such communications must contain information that meets at least one of five criteria: significant foreign intelligence, technical database information, information necessary to assess communications vulnerabilities, evidence of a crime, or information concerning a threat of serious harm to life or property. (Destruction waivers are discussed in the Oversight and Purge sections.) Training on retention and use of domestic communications is included in OVSC1203.

Disseminating foreign communications of or concerning USPs

[OVSC1203] addresses the requirement to exclude information from reporting that would allow a reader to determine a [USP's] identity unless the identity qualifies for dissemination under the terms of the FAA §702 minimization procedures. Information Sharing Services Group (ISS) reviews exceptions to this "masking" requirement. ISS handles requests for release of USP identities.

(U) Disseminating foreign communications of or concerning a non-USP

Foreign communications of [non-USPs] that contain foreign intelligence are eligible for dissemination subject to other applicable laws and policies.

(U) Dissemination to foreign governments

Information obtained under FAA §702 may be disseminated to foreign governments in three ways (addressed in OVSC1203): [redacted] must be performed in accordance with special handling procedures and requires the approval of SV and OGC, who maintain records and report this activity to DoJ and ODNI.

[note] These records are provided to SV and are subject to review by [DoJ] and [ODNI].
[88] A destruction waiver is not required for dissemination of domestic [communications] to notify the FBI of the target's presence in the United States or to notify the FBI or CIA for collection-avoidance purposes.
(U//FOUO) Dissemination of collection acquired when post-tasking technical checks are not functioning properly

In 2013, NSA identified [redacted]. [The] minimization procedures approved in November 2013 required application of procedures that NSA developed in response to the incident. These procedures [require verification] of target location before FAA [§702] communications acquired during a period when post-tasking technical checks are not functioning as intended are used [for analysis] and dissemination. These procedures were the subject of several communications across SID, as well as training sessions, and are documented on [the] FAA §702 web page.

Table 35 summarizes the sharing and dissemination provisions of the FAA §702 targeting and minimization procedures and the controls implemented by NSA to maintain compliance.

(U) Table 35. Sharing and Dissemination Provisions and Controls

Provision: (U) NSA has established processes to ensure that raw traffic is accessible in authorized repositories only to those who have had the proper training.
Controls: (U) Annual FAA §702 training addresses analyst responsibility for ensuring that individuals with whom they wish to discuss FAA §702 communications have the necessary credentials and training.

Provision: (U) NSA may provide to the CIA and FBI unminimized communications acquired [pursuant to FAA §702]. These communications will be based upon targets that each agency identifies to NSA.
Controls: SV adjudicates TRs from CIA and FBI. If approved, the agencies will receive unminimized communications [redacted] pursuant to FAA §702. For requested targets whose selectors are already [tasked], [redacted] personnel will [redacted] to provide Internet communications to the [requesting agency] [redacted].

Provision: (U) Minimization procedures require NSA be able to purge communications that meet specific requirements.
Controls: (U) To account for and trace dissemination based on FAA §702 communications and to comply with purge requirements, [analysts] must document certain information for the data sources in each report, including the certification under which data was collected and a statement verifying that each piece of traffic used was confirmed as eligible for retention. This is addressed in annual analyst training and NSA reporting policy. (U//FOUO) A new reporting tool, first introduced in 2013, performs the source verification automatically. Successful completion of this process with no flags confirms the traffic is not subject to purge and may be used as a source for reporting.

Provision: (U) A dissemination based on communications of or concerning a USP that are eligible for retention may be made if the identity of the USP is deleted and a generic term or symbol is substituted so that the information cannot reasonably be connected with an identifiable USP. Otherwise, dissemination of intelligence based on communications of or concerning a USP may only be made to a recipient requiring the identity of such person for the performance of official duties and only if at least one of eight criteria is met.
Controls: (U) This requirement is consistent with NSA reporting policy for all reporting based on communications of USPs.

Provision: (U) NSA [analysts] seeking to use a discrete communication within an MCT for reporting must document that specified analysis has been performed.
Controls: Annual FAA §702 training includes the requirements for reporting based upon discrete communications within an MCT and the documentation required. SV reviews this documentation for certain MCTs. (See Oversight - SID Oversight and Compliance.)

Provision: (U) All proposed disseminations of information constituting USP attorney-client privileged communications must be reviewed by the NSA OGC before dissemination. (U) Monitoring of attorney-client communications between a person known to be under criminal indictment in the United States and an attorney representing that individual in the matter under indictment must cease once the relationship has been identified. Acquired communications must be logged and the National Security Division of the [DoJ] notified so that appropriate procedures may be established to protect such communications from review or use in criminal prosecutions, while preserving foreign intelligence information contained therein.
Controls: (U) Annual FAA §702 training addresses procedures [analysts] must perform to disseminate this data. OGC notifies NSD of such communications and advises mission personnel on dissemination.

Provision: (U//FOUO) Minimization procedures require that domestic communications be promptly destroyed upon recognition, unless DIRNSA approves the communication for a destruction waiver. Domestic communications for which a destruction waiver is approved may be disseminated. If a waiver has been obtained, NSA may share domestic communications believed to contain evidence of a crime with appropriate federal law enforcement authorities in accordance with applicable laws and regulations. Without a destruction waiver, NSA is authorized to notify the FBI if information in a domestic communication indicates that a target has entered the United States and may provide information to both the CIA and [FBI] for collection avoidance purposes.
Controls: (U) Annual FAA §702 training addresses this requirement.

Provision: [NSA may] disseminate evaluated minimized information to foreign partners.
Controls: [redacted] dissemination of EMT acquired pursuant to FAA §702, other than as serialized product, must be approved by the SIGINT Director and a record of the dissemination provided to SV.

Provision: (U) NSA may disseminate raw data to a foreign government for technical or linguistic assistance.
Controls: (U) Annual FAA §702 training addresses the requirement that such dissemination must be approved by SV and OGC, who will manage the restrictions on this dissemination, keep the required records, and report to DoJ and ODNI.
{85% if NSA seeks to use information WI Procedures addressing the requirements acquired pursuant to FAA ?702 when there is for use of data acquired when post-tasking uncertainty about the location of the target of checks are not functioning as intended the acquisition because post tasking were communicated to mission personnel and are checks described in NS 3 Q2 .5 documented on the FAA ??02 web page. targeting procedures were not functioning properly, NSA will follow internal procedures I for determining whether such information may" be used. 86-36 (U) Purge (U) Background WTM Post-Targeting section documents the requirements for destruction of communications and the processes that may identify a change in the target?s location or USP status. These processes include analyst review of comttiylligationsg-I land receipt of information from other ?agencies. If the circumstances result in unauthorized collection, the non? compliant data will be identi?ed and purged. 39 The period of the unauthorized collection is 86-36 use 30240) included in an incident report documented by SV and is used by the purge adjudicator, who initiates the purge process. Comptiance controls?purge of FAA ?702 communications 9? Manual and automated controls support the purge process. Mission Support- Systems and'Data Compliance Group, within the Directorate for Analysis and Preduction, developed apurge information web page to guide This page includes instructions to purge communications collected under FAA ?702 authority. The directions call for to contact SV, if they believe that purge ?702 data is required, because nearly all. cases requiring purges also require incident reports. The purge web page describes two types of purges: l) incident or parametric purges which are necessary when the-reason for the purge affects all collection for a target or selector over a period of time Mission Support?Systems and Data Compliance Group performs these); and 2) purge upon 89 (U) ?Purge? 
refers to the deletion of communications "from systems that were acquired as a resutt of unauthorized collection or otherwise are not authorized for retention pursuant to the minimization procedures. 90% From the time ofcollectionJ 118 description focuses on 86-36 usc 30240) IE recognition or analyst-driven purges. Aparametric purge is applied, for example, to remove communications collected after a. target is determined to he in the United States. Purge upon recognition for FAA ?702 is, for example, required when: 1) NSA identi?es a discrete domestic communication within requiring the entire MCT to be purged or 2) alegally acquired foreign communication between a foreign target and a USP or a communication in which the subject is a USP found to have no foreign intelligence value. NSA has implemented a mission compliance standard for purges which states that, consistent with FAA ?702 minimization procedures and absent a destruction. waiver, some or all communications data. acquired under the authority must be purged if any of the following criteria are satis?ed: (U) The targeted person is con?rmed or believed to be regardless of location (purge all communications), (U) The targeted person was con?rmed or believed to be in the United States at the time of collection (roamer) (purge collection acquired during period of US travel), (U) A person was incorrectly targeted (purge all collection), (U) The tasked selector is known or suspected to be used by a USP (purge all communications from known date of use by the USP), 91 (U) The tasked selector was known or suspected to be accessed from within the United States (purge communications from date of access), (U) The tasked selector was tasked before being approved for tasking, remained tasked for any reason after collection was no longer authorized, or was tasked under the wrong authority (purge all collection), (U) An incorrect selector was tasked (purge all collection), (U) The communication is one in which the sender 
and all intended recipients were in the United States at the time of acquisition of the communication (purge affected communications), or communication otherwise quali?es as a ?domestic communication? as de?ned in the FAA ?702 minimization procedures and DIRNSA or the Acting DIRNSA has not executed a destruction waiver to authorize continued retention of the communication (purge affected communications). (WW-GHQ) Purge processes Purging involves four processes: nominate data to purge, adjudicate purge nominations, execute purge actions, and verify 111' actions. Other systems are certi?ed to hold certain data copied or derived from data. 86-36 (hm) 86-36 119 DECID $.273wd'Wi ST-14-0002 objects their Own purge focuses on the - 86~36 ("U/moses Nomination for purge Nomination involves identi?cation of the selectors and time period for which communications must be destroyed. For FAA ?702, most are identi?ed in incident reports, and SV determines whether purge is required and documents the date range for purge in the incident report. Purges of speci?c data objects are also initiated by recognizing content that meets minimization criteria, but which is not an indicator of a compliance incident. This process is known as ?purge upon recognition.? For this type of purge, the identi?ers of the affected communications are placed on the MPL in ?discover state? before a. modi?ed version of the process described below is followed. Adjudicating purge nominations Purge adjudication is the process whereby the purge adjudication authority, SlD?s Mission Support-Systems and Data Compliance Group, determines the validity and accuracy of a nominated purge request, locates the data. required for destruction, and places the data objects on the master purge list (MPL). The goal of adjudication is to ensure compliance with purge criteria without over?purging communications at the expense ofmission. 
The adjudicator: Evaluates the nomination against the purge criteria (unless a determination was made during incident processing), (UH-138889 Using logical parameters provided in the nomination, determines and issues search criteria for discovery of potentially affected communications in (WEI-1866) Enters identi?ers of affected data objects in the MPL in ?discover state? to prevent use as a. source for new reporting or other controlled uses and to initiate checks to determine if the objects were used in prior SIGINT reporting, - Manages the impact of pending or approved destruction waivers that may exclude specific objects ?om purge, For data objects requiring purge, changes MPL state of their identi?ers to ?purge? and issues purge execute orders to theijtp delete those objects, and Records the decision. to purge, relese,uarantine the data objects in the corporate purge tracking system, 36-35 92 The a iimited number of individuais with special access for each 120 nocrn: ST-14-0002 submitted data identi?ers with historical records of actions taken and cross- references to original compliance incidents and/or purge nominations that caused them to enter the purge process. (WW) For purges stemming from system or technical errors, collection and/or technical subject matter experts are typically relied upon to conduct or assist with purge discovery. Some aspects of the adjudication process may be modi?ed based on the details of the Specific incident. (U/Fe?ej Executing purge actions The purge executor receives purge decisions from the adjudication authority, issues execute orders to 86-36 containing the unique identi?ers of the data. to be purged, orders, changes the MPL state for those records of the purge action for ?ve years. "'systern owners for processing the orders, rendering the speci?ed data_..unrecoverable, and con?rming completion ofpurgc execute orders. 
Verifying Procedures are performed to provide additional owners have purged required SIGINT data from NSA obtains random samples of data from the master purge list and determines whether the data objects have been removed from the systems selected for revrew. (UM-1939) Automation to support purge processing Much ofthe purge process is performed manually. NSA is developing a system to automate more of the process in phases betweenl 86- Reports affected by purge actions SIGINT reporting procedures require MPL checks to prevent publication of new reports with sources that were subject to purge. Additional measures are taken to detect and adjudicate already- disseminated SIGINT products affected by a compliance incident or speci?c data identi?ed during purge discovery. Incident reports include information SV obtained from the mission team on reports issued related to the target or collection referenced in the incident. Another source of information is a daily query run by management information systems for SIGINT production against the MPL to identify reports sourced from communications listed on the MPL, whether because of an incident or purge?upon?recognition. When products with potentially "tainted" sources are identi?ed, the Reports under Review (RUR) team coordinates with the mission team that issued the report, the purge adjudication authority, SV, and OGC, as necessary, to determine and complete appropriate actions. This may include requesting a destruction waiver to permit retention of the traf?c and allow the report to stand, removing the MPL- listed traf?c completely from the report and revising and reissuing the report, or recalling the report. The RUR team maintains a list of affected reports and their status that is updated when the report analysis is complete. The purge adjudication 121 Eli-Qt: IE1 d2?3?7% ST-14-0092 authority makes necessary changes to the status of the communication identi?ers on the MPL, depending on the action taken. 
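The purge workflow described in this section (parametric nomination from an incident report, adjudication of the affected objects onto the master purge list in "discover" and then "purge" or "release" state, exclusion of objects covered by a destruction waiver, execute orders to the owners of each data store, sample-based verification, and the MPL check that keeps listed traffic out of new reports and flags already-issued reports for the Reports under Review team) can be modelled as a small state machine. The Python below is an added illustration written for this edit; it is not code from the report or from NSA, and every store name, selector, identifier, date and incident number in it is constructed. The class and function names are the author's own.

```python
"""Illustrative model of a master purge list (MPL) workflow: nomination,
adjudication, destruction waivers, execute orders, verification and the
reporting check. All names and data are constructed for this example."""
from dataclasses import dataclass, field
from datetime import date
import random


@dataclass(frozen=True)
class DataObject:
    ident: str       # unique identifier of one acquired communication
    selector: str    # tasked selector it was collected against
    collected: date  # collection date (parametric purges key on this)
    source: str      # constructed label: "upstream", "prism" or "telephony"


@dataclass
class Repository:
    """One certified system holding FAA 702 data (constructed)."""
    name: str
    objects: dict = field(default_factory=dict)      # ident -> DataObject
    acknowledged: list = field(default_factory=list)  # completed execute orders

    def execute_order(self, idents):
        """System owner renders the listed objects unrecoverable and acknowledges."""
        for i in idents:
            self.objects.pop(i, None)
        self.acknowledged.append(tuple(sorted(idents)))


class MasterPurgeList:
    DISCOVER, PURGE, RELEASE, QUARANTINE = "discover", "purge", "release", "quarantine"

    def __init__(self):
        self.state = {}    # ident -> current MPL state
        self.history = {}  # ident -> [(state, incident reference), ...]

    def set(self, ident, state, reference):
        self.state[ident] = state
        self.history.setdefault(ident, []).append((state, reference))

    def blocks_reporting(self, ident):
        # Discover and purge states prevent use as a source for new reporting.
        return self.state.get(ident) in (self.DISCOVER, self.PURGE)


def discover(repos, selector, start, end):
    """Parametric discovery: every object for a selector inside the date range."""
    return sorted(o.ident for r in repos for o in r.objects.values()
                  if o.selector == selector and start <= o.collected <= end)


def adjudicate(mpl, repos, incident_id, selector, start, end, waivers):
    """Place affected objects in discover state, then purge or release them."""
    affected = discover(repos, selector, start, end)
    for i in affected:
        mpl.set(i, mpl.DISCOVER, incident_id)
    to_purge = [i for i in affected if i not in waivers]
    for i in affected:
        mpl.set(i, mpl.PURGE if i in to_purge else mpl.RELEASE, incident_id)
    for r in repos:  # one execute order per store that still holds an object
        order = [i for i in to_purge if i in r.objects]
        if order:
            r.execute_order(order)
    return to_purge


def verify_purge(mpl, repos, sample_size, seed=0):
    """Random-sample MPL 'purge' entries; return any still present in a store."""
    purged = [i for i, s in mpl.state.items() if s == mpl.PURGE]
    sample = random.Random(seed).sample(purged, min(sample_size, len(purged)))
    return [i for i in sample if any(i in r.objects for r in repos)]


def reports_under_review(mpl, issued_reports):
    """Daily MPL query: issued reports whose sources are now MPL-listed."""
    return sorted(rid for rid, sources in issued_reports.items()
                  if any(mpl.blocks_reporting(s) for s in sources))


def can_publish(mpl, sources):
    """Pre-publication MPL check for a new report's source identifiers."""
    return not any(mpl.blocks_reporting(s) for s in sources)


def demo():
    """Constructed roamer scenario: selector sel-1 was used from inside the
    United States between 2014-03-01 and 2014-03-10; c2 has a waiver."""
    d = date
    repo_a = Repository("store-a", {o.ident: o for o in [
        DataObject("c1", "sel-1", d(2014, 3, 2), "prism"),
        DataObject("c2", "sel-1", d(2014, 3, 5), "prism"),
        DataObject("c3", "sel-1", d(2014, 2, 20), "prism")]})
    repo_b = Repository("store-b", {
        "c4": DataObject("c4", "sel-1", d(2014, 3, 8), "upstream")})
    repos = [repo_a, repo_b]
    mpl = MasterPurgeList()
    to_purge = adjudicate(mpl, repos, "INC-0001", "sel-1",
                          d(2014, 3, 1), d(2014, 3, 10), waivers={"c2"})
    issued = {"R1": ["c1"], "R2": ["c3"], "R3": ["c2"]}  # constructed reports
    return {
        "to_purge": to_purge,
        "state_c2": mpl.state["c2"],
        "rur": reports_under_review(mpl, issued),
        "verify": verify_purge(mpl, repos, sample_size=2),
        "publish_c3": can_publish(mpl, ["c3"]),
        "publish_c4": can_publish(mpl, ["c4"]),
        "remaining": sorted(i for r in repos for i in r.objects),
    }
```

Running `demo()` shows the controls working together: only the two in-range objects without a waiver (c1 and c4) reach purge state and are removed from their stores, the waived object c2 is recorded as released and stays usable, the daily MPL query surfaces report R1 as sourced from purged traffic while R2 and R3 are untouched, and the verification sample finds nothing left behind. The separation of the adjudicator (who changes MPL state) from the store owners (who execute and acknowledge orders) mirrors the division of duties the section describes.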
Table 36 summarizes the purge provisions of the FAA ?702 targeting and minimization procedures and the controls NSA has implemented to maintain compliance. (U) Table 36. Purge Provisions and Controls Telephony communications and internet communications acquired with the assistance of the FBI from Internet service providers that are not approved for retention under the standards set forth in the minimization procedures and that are known to contain communications of or concerning USPs will be destroyed upon recognition. Annual FAA ?702 training addresses post-targeting review of target communications and situations requiring destruction of communications, which most often require noti?cation to 8V and an incident report. mime-es) internet transactions acquired through NSA's upstream collection techniques that do not contain information that meets the retention standards set forth in the minimization procedures and that are known to contain communications of or concerning USPS will be destroyed upon recognition. Annuai FAA ??02 training addresses post-targeting review of target communications and situations requiring destruction of communications, which most often require noti?cation to SV and an incident report. (U) Internet transactions that are identi?ed and segregated pursuant to the requirements for processing MCTs and are subsequently determined to contain a discrete communication in which the sender and all intended recipients are reasonably believed to he in'the United States will be handled as domestic communications. (urine-us) Annual FAA ?702 training addresses post-targeting review of target communications and situations requiring destruction of communications, which most often require noti?cation to 8V and an incident report. 
communication identified as a domestic communication (and, if applicable, the internet transaction in which itis contained) will be destroyed upon recognition, unless DIRNSA or the Acting approves a destruction waiver after determining the communication meets one or more of four speci?c conditions. Annual FAA ??02 training addresses post?targeting review of target communications and situations requiring destruction of communications, which most often require noti?cation to 8V and an incident report. (WIFE-HG) Any communications acquired through the targeting ota person who at the time of targeting was reasonably believed to be outside the United States but is in fact inside the United States at the time such communications were acquired and any communications acquired by targeting a person who at the time of targeting was beiieved to be a non-USP but was in fact a USP at the time such communications were acquired will be treated as domestic communications under these procedures. Annual FAA ?702 training addresses post-targeting review of target communications and situations requiring destruction of communications, which most often require noti?cation to 8V and an incident report. Win addition to an review of communications, investigation of notices from others involved in processmg FAA are: information, and receipt ofin'formation from other agencies may identify aux-incident. If the circumstances of the collection require an incident report, and 8V work together to determine the extent ofthe communications affected. This is 122 used to document the purge" parameters in an ?(him 86-36 BEDS ID d273d?7? ST-M-GBOZ incident report, which becomes the source for the purge adjudication process. Communications identi?ed for purge are subject to adjudication to determine whether the nominated data objects are consistent with the purge criteria, communications affected by the incident have been properly identified, destruction waivers (pending or approved) may affect the .. 
..-pu-rae--l I . . The adgudlcator adds the relevant data --to..the_ Master Purge List (MPL) to prevent its use in and issues purge execute orders to appropriate-systems. Owners of the execute the purge orders, remove data the included identifiers, and acknowledge completion of each order. (UHF-6667 management information system for SIGINT reporting queries the MP1. daily to identity data objects added to the list that may be associated with issued reports. The Reports under Review team uses this information and incident report data concerning reporting associated with the affected communications to follow up with mission personnel for recall or reissuance of the reports. SV randomly samples records from the MPL, comparing them to the FAA ?702 repositories to assure completeness of purge. {Saw-F) For information acquires ursuant to WSID guidance, NSA Procedures for the Use FAA ?702 during a period when. of FAA 702, 704 or 705053) Coiiection, last revised post?tasking checks were not functioning I 15 November 2013, was updated to provide properly, resulting in uncertainty about the manual procedures for evaiuating data when location of the target of the acquisition. it NSA NSA's post~taslt?ng checks are not determines that the target is reasonably believed to have been inside the United States at the time the information was acquired, suoi?i? information will not be used and will be (h (1) destroyed. (b 35'36 (U) Retention of Data (U) Provisions of FAA ?702 certifications The retention criteria. in the minimization procedures apply only to communications not subject to purge based upon other minimization requirements (see the Post-Targeting section). 
NSA minimization procedures state that telephony 86- communications will be retained no longer than ?ve years from the expiration re of the certi?cation authorizing collection, unless NSA have determined that the communications meet the retention standards set forth in the minimization procedures, for example, communications necessary to understand foreign intelligence information. Communications for which SIDDIR has approved longer retention and for which. a purge was not otherwise required, may also be retained. 123 310E d2?3tt?d Communications for which DIRNSA has waived destluction may also be retained in accordance with the terms of the destruction waiver. (U) in general, NSA may not retain internet transactions obtained through upstream collection techniques longer than two years from the expiration date of the certi?cation authorizing collection. However, NSA may be able to retain certain Internet transactions longer, if at least one discrete communication within the upstream Internet transaction would otherwise meet the retention standards and each discrete communication within the transaction is to, from, or about a. tasked selector or not to, or about a tasked selector and is also not to or from or person. reasonably believed to be in the United States. The minimization procedures also required destruction of all upstream Internet transactions acquired before November 2011. (U) Retention control procedures System certification The NSA system certi?cation process implemented in 2010 (see the Repositories section) includes the Agency?s requirements for compliance with the FAA ?7 02 retention limits established in the minimization procedures. To be certi?ed, FAA ?702 systems must: 1) limit retention of unminimized data records to the authorization and retention periods of the certi?cation under which they were collected, 2) retain. 
data with an approved age-off waiver beyond the normal age-off period (SID Director waiver), and 3) provide a means to identify data records to be retained beyond the maximum retention period speci?ed by the collection authority under which it was obtained. 93 Data tagging Data tags are now associated with most collection before it is made available to data stores accessible to The tags include the certi?cation. under which the communications were obtained, ?irther supporting ability to identify records that meet the criteria for removal from system repositories based upon age-off requirements associated with each certi?cation. in 2014, new data tags were implemented to distinguish among the retention periods for upstream internet transactions (two years), collection (?ve years) and telephony data (?ve years); (UM-1668) implementation and monitorin of age-off Processes have been implemented to age-off data in FAA ?70 procedures require data be aged?off within two or ?ve years of expiration of the certi?cation, depending upon the source of collection, the processes NSA uses for determining age?off result in earlier removal of data (see Table 37).94 93 FAA ?702 minimization procedures provide no maxinnun retention period for foreign communications determined to contain foreign intelligence information. The age-off requirements apply to communications for which such a determination has not been made. 94 (U/i?Fe?e) The FAA 702 certi?cations are renewed annually. Expiration of the certi?cation in effect for any collection would occur somewhere between 1 and 365 days ofthat collection. NSA applies age-off criteria to time of collection or recording date, not the expiration of. the certification. 124 $2 3% 1% (bilali?f' ?'36 (U) Teete 37. System Age-Off Procedures "(bu-1n usc'sozegi (UHF-980) Enterprise data header (EDH) is a smatl set of metadata tags applied to a piece of 'ss'o a so that it can be identi?ed, protected, tracked, and handted throughout its life cycle. 
ill only accept data with an EDH. Systems scheduled to be decommissioned. (bll3l?P-L- 35-35 (willie-tie) DTOI, date and time of intercept. ?gs-meal 86-36 (UN-13989) Table 38 summarizes the retention provisions of the FAA ?702 targeting and minimization procedures and the controls NSA implemented to maintain compliance. 125 DQEID: d2?3?7$ (U) Table 38. Retention Provisions and Controls (U) Telephony communications and internet (U) System certi?cation, required of atl communications acquired by or with the FAA ?702 systems, includes retention assistance of the FBI from Internet Service standards consistent with minimization Providers may not be retained longer than ?ve procedures. years from the expiration date of the certi?cation (U) Data (395 are now associated with most authorizing the eoilection unless NSA determines couec?on before it is made availabie to data that eaCh communication meets the retention stores accessible to anaiysta Data tags Support standards in these procedures. (U) Internet transactions acquired through NSA's 35-35 upstream collection may not be retained longer SO?ware mm to 593ml) for data than two years from the expiration date of the FeqUire'd age-0f? Procedure. Af?lmii?'i toot iS certification authorizing the unless being for NSA determines that each communication meets the retention standards in these procedures. [Additional requirement regarding MCTs are addressed in the Purge section (U) lnternet transactions that are identi?ed and NSA has impiemented a segregated pursuant to the procedures for MCTs segregation process and sequestered MCT will be retained in an access?controlled data is maintained in a collection store where it repository. is not available for analytic use. 
None of the (U) Any information contained in a segregated data subject to sequestration has been Internet transaction may not be moved or copied transferred to repositories accessible to from the segregated repository orotherwise used for foreign intelligence purposes unless it has (mm) NSA has dereted all identi?ed been determined that the transaction does not upstream Internet collection acquired before contain any distillate communication as to November 2011. If additional data is identi?ed the sender aild 3? intended reelpients are that was subject to this purge requirement, NSA reasonably believed to be located in the United it upon recognition States. (U) These controls are documented in the (U) Any Internet transactions acquired through COiieCtion 590mm- NSA's upstream collection techniques prior to October 2011 will be destroyed upon recognition. (or/Fees) (U) Oversight (U) Provisions of FAA ?702 certifications?internal and external oversight (unease) The FAA ?702 targeting and minimization procedures provide that NSA will conduct the following oversight: (U) Implement a compliance program with ongoing oversight of its exercise of FAA ?702 authority, including the associated targeting and minimization procedures a (U) Develop and deliver training regarding procedures to ensure that intelligence personnel responsible for approving targeting ofpersous under these procedures, as well as with access to the acquired foreign intelligence information, understand their responsibilities and the procedures that apply to this acquisition DOE IE3 L: ST-14-0902 (U) Establish processes for ensuring that raw traf?c is labeled and stored only in authorized repositories and is accessible only to those who have had the proper training Conduct ongoing oversight activities and make necessary reports to the NSA OIG and OGC, including reports of non-compliance (U) Ensure that corrective actions are taken to address identi?ed de?ciencies (U) Conduct periodic spot checks of 
targeting decisions and intelligence disseminations to ensure compliance with established procedures and conduct periodic checks of queries in data repositories WReport incidents of non? compliance with the targeting and minimization procedures within ?ve business days of discovery to the NSD and oversight teamgs (U) NSD and ODNT oversight requirements include: - (U) Oversee exercise of the FAA ?702 authority, including reviews to evaluate the implementation of the procedures (U) Oversee activities with respect to use of USP identi?ers to query communications collected under FAA ?702. (U) NSA oversight (UH-F688) NSA operates acomprehensive oversight framework to maintain compliance with the FAA ?702 targeting and minimization procedures. The NSA organizations that perform oversight are described below. (UM-1666) FAA ?702 Authority Lead is responsible for the implementation and operation of the FAA ?702 authority for NSA. The FAA ?702 Authority Lead serves on corporate Authorities Integration Group and works with other NSA mission Authority Leads and corporate, legal, policy, compliance, and technology personnel to coordinate implementation of NSA mission authorities. The FAA ?702 Authority Lead addresses the tactical and strategic elements of the program; interacts regularly with OGC, ODOC, TD, LAO, and routinely interacts with NSD, FBI, and provides direction regarding daily operational and technical questions; and coordinates input to reports to Congress and the Court. Authorities Integration Group (AIG) is administratively assigned to ODOC and reports to the NSA Deputy Director. The AIG works directly with SID and Information Assurance Directorate authority leads, including the FAA ?702 Authority Lead, and holds weekly meetings with the authority leads and corporate process leads TD, ODOC, OGC) to bring legal, policy, compliance, technology, and mission. 
areas together to provide recommendations on the implementation of the 95 (U) oversight team is comprised of Of?ce ercenetat Counsel, Civii Liberties and Privacy Office, and Of?ce of the Deputy Director of National Intelligence for Intelligence Integration/Mission Integration Division. JOB-SEW 127 IE) ?E'i?BdWi authorities. The focuses on the activities of each authority, internal and external, to ensure that they are coordinated and integrated across NSA. The AIG acts as a ?forcing function? within NSA, facilitating discussion among the Directorates to promote better understanding of how decisions affect the various authorities. The A16 updates the NSA Deputy Director quarterly on each authority. Of?ce of the Director of Compliance (ODOC) is responsible for developing and directing the execution of compliance strategies and activities focused on protecting USP privacy during the conduct of authorized NSA missions. ODOC has the authority to develop, implement, and monitor a Comprehensive Mission Compliance Program for the Agency, which addresses: integration of compliance strategies and activities across NSA mission, technology, and policy organizations; (2) a training and education program for compliance; and (3) maintenance of and reporting on the status of mission compliance. The focus is on mission compliance, particularly in Signals Intelligence and Information Assurance operations, including the technology base on which they function. The key objective of the CMCP is to provide reasonable assurance that the legal authorities and policies affecting USP privacy are reliably and veri?ably followed by NSA. The CMCP includes activities and funding to support compliance with FAA ?702, such as compliance target validation and query tools. monitoring activities provide continuous assessment to determine whether internal controls are operating as intended. Its assessments help management evaluate the effectiveness of the compliance program and its components. 
For example, ODOC reviews compliance activities associated with queries in NSA repositories, including those related to FAA ?702z - ODOC analyzes queries 86-36 forwarded to the query audit database that could indicate aproblem in communicating with the repositories queried, (UH-F696) It veri?es that all queries requiring post- query review are assigned to reviewers, - It monitors the number of queries selected for review and the timeliness of review, and It tracks the super audits performed by SV (see the Oversight section). In addition, ODOC performs Compliance Vulnerability Discovery (CVD) reviews that focus 011 high- risk areas within the CMCP to discover compliance weaknesses. In 2013, ODOC completed two CVDs focused on mission compliance with SIGINT authorities. Table 39 summarizes these CVDs. 128 IDQEIE: (U) Table 39. Compliance Vulnerability Discovery Reviews I Multiple I Renewed Implementation of controls to FAA ?702 Communications segregate unauthorized data from FAA Transactions ?702 Upstream Multipte Communications Transactions 07/17?1?13 All Data Taco rid I Reviewed data from NSA systems for proper .. ta, ding to su aport designation of these systems My?, 86?36 (wiser-set (UH-129883 ODOC has also implemented processes to ensure that NSA representations to external. overseers are accurate and NSA personnel have a consistent understanding of program activities. VOA and veri?cation of implementation reviews are performed on written NSA representations that describe the Agency?s acquisition, processing, retention, analysis, and dissemination and form the basis for legal opinions, FISC Orders, and Executive Branch decisions. In 2013, ODOC conducted VoAs with FAA ?702 stakeholders for the af?davits and targeting and minimization procedures supporting renewals of FAA ?702 certi?cations. One veri?cation of implementation was conducted in June 2013 with NSA external partners NSD and on procedures for implementing the FAA ?702 targeting procedures. 
SV implements the SIGINT compliance program across NSA. SV establishes SIGINT compliance standards and provides guidance across the global SIGINT enterprise, manages incidents of non-compliance, monitors compliance in high-risk areas, resolves problems, and verifies compliance through audits and by managing the SIGINT Intelligence Oversight Officer program. SV manages resources to ensure that NSA corporate systems and capabilities align with CMCP solutions. To maintain compliance with the FAA §702 targeting and minimization procedures, SV:
- Adjudicates TRs for selectors nominated by the CIA and FBI, using the same process used for NSA TRs
- [redacted] tasking requests for completeness
- Performs post-tasking analysis for FAA §702 selectors suspected of being accessed within the United States
- Investigates all incidents of non-compliance with FAA §702 targeting and minimization procedures, coordinating with TV when a potential incident involves a system. SV works with the mission team to document FAA §702 incidents, reports them to OGC, OIG, and ODOC, and maintains a permanent record
- (U//FOUO) Works with mission personnel and OGC to process destruction waivers as needed
- (U//FOUO) Conducts super audits of queries of raw SIGINT databases that provide records of queries to the corporate logging and auditing system to analyze the quality of query reviews by auditors
- Completes Purge Verification Activities quarterly for [redacted] and certain other stores that hold FAA §702 data to assess effectiveness in purging non-compliant SIGINT
- Oversees [redacted] use as a source for reporting and verifies completion of required documentation
- Serves as the FAA §702 tasking liaison for the NSA enterprise, IC customers (FBI and CIA), and overseers from DoJ NSD and ODNI
- (U//FOUO) Provides documentation for review by DoJ NSD and ODNI.
SV reviews [redacted] for each selector tasked and reviews records of information shared with NSA SIGINT partners for compliance with dissemination requirements. Records of database queries using USP query terms and records of USP reporting are also provided to overseers. SV coordinates responses by NSA organizations to questions from NSD and ODNI during their review of information SV made available.
- Pre-approves USP content queries in conjunction with OGC
- (U//FOUO) Participates in the verification of accuracy process for renewals of certifications and targeting and minimization procedures
- Partners with the Associate Directorate for Education and Training to develop and implement oversight and compliance training for the SIGINT workforce. SV co-develops and reviews all updates of the FAA §702 course.

96 Three types [of MCTs] are made available to [redacted]. Two types of transactions made available to [redacted] after the MCT sequestration process are those that contain only discrete communications (no MCTs) and those where the active user of the selector is a targeted individual. SV performs oversight of the third type, where the active user of the selector is a non-targeted individual outside the U.S. (an example of "abouts" collection). SV examines these MCTs for compliance with NSA reporting guidance, which states that [redacted] are "only authorized to use those discrete portions of MCTs containing the targeted selector."

SID Analysis and Production, Mission and Compliance Office

This office supports all areas of SIGINT operations by overseeing:
- FAA §702 adjudication and training (interfacing with [redacted] on how to use the authority, approving new adjudicators who meet training and mission requirements, and reviewing adjudicated TRs for compliance)
- Dual-route adjudication (approving provision of the results of targeting to the CIA or FBI for selectors already on NSA collection)
- [redacted] and production metrics (providing feedback to management on use of the authority and analyst/adjudicator performance)
- The application of the authority ([redacted], targeting and adjudication checklists, and general guidance on the analytic use of the authority).

The TD Office of Compliance (TV) is responsible for identifying, assessing, tracking, and mitigating compliance risks, including USP privacy concerns, in NSA mission systems across the extended enterprise, including systems that hold FAA §702 data. TV manages the system compliance certification process, continuous compliance monitoring, and technical compliance incident reporting, and also trains technical personnel. TV performs VoAs for areas assigned to it in NSA representations. TV began certifying FISA systems, including the FAA §702 systems, to ensure compliance with the law and policies protecting USP privacy (see the Repositories section).

(U) The Office of the General Counsel (OGC) provides legal advice to NSA and is the liaison to DoJ NSD for the FAA §702 program. One of its main oversight responsibilities is independently assessing potential incidents of non-compliance.

(U) OGC receives reports of potential incidents of non-compliance from SV. OGC compiles FAA §702 incidents daily, provides them to DoJ NSD and ODNI, and makes an initial determination whether incidents represent non-compliance with the FAA §702 certifications and targeting and minimization procedures. OGC notifies NSD and the oversight team of potential incidents of non-compliance with the targeting procedures within five business days of discovery, as the FAA §702 targeting procedures require. OGC reviews all proposed disseminations of information constituting USP attorney-client privileged communications before dissemination, as the FAA §702 minimization procedures require. For all violations of FAA §702 targeting and minimization procedures, OGC coordinates input from NSA organizations and edits the content for factual and legal accuracy. DoJ NSD prepares Rule 13 notices, in coordination with ODNI.
ST-14-0002

(U) OGC performs additional oversight responsibilities, including:
- Reviews requests to perform content queries using USP selection terms. Only OGC-approved selection terms can be used to perform content queries of USP information.
- [redacted] tasking requests for completeness [redacted] in the process.
- (U//FOUO) Reviews and makes updates to the FAA §702 course, as necessary.

(U) The Office of the Inspector General (OIG) conducts audits, special studies, inspections, investigations, and other reviews of the programs and operations of NSA and its affiliates. OIG oversight includes:
- (U) Performing audits and special studies of the FAA §702 program
- (U) Receiving notification of incident reports for all NSA authorities, including FAA §702, saved in the Agency's corporate incident reporting database
- Reviewing Congressional notifications and notices filed with the FISC of incidents of non-compliance with FAA §702 targeting and minimization procedures
- (U) Preparing Intelligence Oversight Quarterly Reports, in coordination with the DIRNSA and OGC, that summarize compliance incidents for all authorities occurring during quarterly review periods and forwarding the reports to the President's Intelligence Oversight Board through the ATSD(IO)⁹⁷
- (U) Performing intelligence oversight reviews during OIG inspections of joint and field sites
- (U) Maintaining the OIG Hotline and responding to complaints, including allegations of SIGINT misuse by NSA affiliates operating under [redacted] authority
- (U) Reporting immediately to the ATSD(IO) a development or circumstance involving an intelligence activity or intelligence personnel that could impugn the reputation or integrity of the IC or otherwise call into question the propriety of an intelligence activity.

97 (U//FOUO) In 2014, the ATSD(IO) was changed to the Office of the Senior DoD Intelligence Oversight Official.
The OIG reviews management controls, maintains awareness of compliance incidents, and stays informed of changes affecting NSA authorities, including FAA §702. OIG reviews of the FAA §702 program allow it to independently assess compliance with minimization procedures. Since the Agency obtained FAA §702 authority in January 2008, the OIG has completed annual reviews of reports containing references to USP identities and targets later determined to be in the United States, as the statute requires. The OIG has also completed two special studies of the program (Table 40).

(U) Table 40. OIG Reviews of the FAA §702 Program

Review | Date | Focus
(U//FOUO) Assessment of Management Controls Over FAA §702 (ST-11-0009) | 3/29/13 | [redacted] maintaining compliance with targeting and minimization procedures
[redacted] | [redacted] | [redacted]

(U) External Oversight

(U//FOUO) NSD and ODNI closely coordinate to perform oversight to ensure that the FAA §702 program is compliant with the statute and FISC rulings. NSD is the primary liaison between NSA and the FISC for all matters pertaining to the FAA §702 program. NSD and ODNI oversight includes:
- Reviewing and approving annual certification renewals and updates of the associated targeting and minimization procedures and filing them for FISC approval
- (U) Providing guidance to the NSA OGC on legal opinions relating to the interpretation, scope, and implementation of the FAA §702 authority
- (U//FOUO) Reviewing briefings on NSA proposals to substantially modify systems or processes supporting FAA §702.
This allows NSD to determine that the modifications are lawful and that the Attorney General (AG) and the FISC are aware of the scope and nature of the changes
- (U) Evaluating and investigating potential incidents of non-compliance with the statute or procedures and reporting any matter determined to be a compliance incident to the FISC
- (U) Reviewing NSA briefings and training transcripts to ensure that they accurately describe the requirements of the FAA §702 Orders
- Performing reviews of NSA authorities under the FAA §702 certifications. The reviews include targeting decisions, [redacted], including source documentation supporting these determinations, to assess compliance with NSA targeting procedures and AG Acquisition Guidelines. The reviews also examine database queries using USP query terms and disseminations of serialized reporting and EMT.
- (U) Preparing the periodic reports the statute requires:
  1. [redacted] submits the Semiannual Reports of the AG Concerning Acquisitions under Section 702 of the FISA to Congress and the FISC. Pursuant to FISA §707, the AG reports on the acquisition of foreign [...] FAA §702 certifications by NSA and FBI. While the CIA does not acquire the information, it may receive unminimized data that NSA and FBI acquired. The semiannual reports focus on analysis of incidents of non-compliance with targeting and minimization procedures by NSA and FBI and incidents of non-compliance with minimization procedures by CIA.
  2. [redacted] the AG and the DNI submit the Assessments of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of the FISA to Congress and [...]. These reports summarize the oversight performed on implementation of the FAA §702 authority, trends in targeting and minimization ([...] in the number of selectors under collection and statistics on use of the certifications), and compliance incidents with the FAA §702 authority for NSA, FBI, and the CIA.
- (U) [...] hosts interagency meetings and a weekly phone call to discuss FAA §702 implementation and compliance matters.

The FISC reviews and, when satisfied that the legal requirements have been met, approves all renewals of certifications and targeting and minimization procedures for the FAA §702 authority that have been authorized by the AG and DNI.⁹⁸ In addition, the FISC reviews representations NSA made regarding the operation of the program and Rule 13 notices of incidents of non-compliance filed by NSD on behalf of NSA. If the Court finds that incidents of non-compliance result from processes inconsistent with the targeting and minimization procedures ([...] incomplete identification), NSA will be [...] systems or procedures and report to the Court on the [...] made to achieve compliance. The Court may also determine that additional measures or changes are required to the targeting and minimization procedures ([...] sequestration) if it deems that NSA processes do not adequately protect USPs.

98 (U//FOUO) The AG and DNI authorize the collection of data pursuant to FAA §702 using targeting and minimization procedures adopted by the AG (in consultation with the DNI). The FISC must approve the certifications and associated procedures that the AG and DNI have authorized.

Table 41 summarizes the oversight provisions of the FAA §702 targeting and minimization procedures and the controls NSA implemented to maintain compliance.

(U) Table 41.
Oversight Provisions and Controls

Provision: (U) NSA will implement a compliance program, and will conduct ongoing oversight, with respect to its exercise of the authority under FAA §702, including the associated targeting and minimization procedures.
Controls: (U//FOUO) NSA operates a comprehensive oversight framework to maintain compliance with the FAA §702 targeting and minimization procedures. This compliance framework is collectively managed by the NSA organizations described above.

Provision: (U) NSA will develop and deliver training regarding the applicable procedures to ensure intelligence personnel responsible for approving the targeting of persons under these procedures, as well as those with access to the acquired foreign intelligence information, understand their responsibilities and the procedures that apply to this acquisition.
Controls: SV partners with the Associate Directorate for Education and Training to develop and implement oversight and compliance training for the workforce. SV co-developed and reviewed all updates of the FAA §702 course. OGC also reviews and updates the FAA §702 course.

Provision: (U) NSA will establish processes for ensuring that raw traffic is labeled and stored only in authorized repositories and is accessible only to those who have had the proper training.
Controls: TV certifies FISA systems periodically, including the FAA §702 systems, to ensure that they comply with law and policy protecting USP privacy. The certification process evaluates system controls for maintaining compliance in a number of areas, including data tagging and data access.

Provision: (U) NSA will conduct ongoing oversight activities and make any necessary reports, including those relating to incidents of non-compliance, to the NSA OIG and OGC, in accordance with the NSA charter.
Controls: (U//FOUO) SV and TV investigate incidents of non-compliance with FAA §702 targeting and minimization procedures. SV works with mission teams to document FAA §702 incidents. SV reports potential incidents to OGC and ODOC and maintains a permanent record. When a potential incident involves a system, TV manages the incident investigation. The OIG receives notification of incident reports for all NSA authorities, including FAA §702. The OIG also receives Congressional notifications and notices filed with the FISC of incidents of non-compliance with the FAA §702 targeting and minimization procedures. OGC receives notifications of potential incidents of non-compliance for all NSA authorities. OGC compiles FAA §702 incidents daily (which it provides to DoJ NSD and ODNI) and assesses whether incidents represent possible non-compliance with the FAA certifications and associated targeting and minimization procedures.

Provision: (U) NSA will ensure that necessary corrective actions are taken to address any identified deficiencies.
Controls: SV and TV investigate all incidents of non-compliance with FAA §702 targeting and minimization procedures and monitor corrective actions. (U) OIG performs audits and special studies of the FAA §702 program and tracks recommendations until completion.

Provision: (U) NSA will conduct periodic spot checks of targeting decisions and intelligence disseminations to ensure compliance with established procedures, and conduct periodic spot checks of queries in data repositories.
Controls: (U//FOUO) SV performs oversight of targeting decisions, queries, and dissemination and provides documentation for review by DoJ NSD and ODNI to support their oversight of implementation of FAA §702. SV also conducts super audits of queries of raw SIGINT databases. (U) OGC reviews all proposed disseminations of information constituting USP attorney-client privileged communications before dissemination.

Provision: (U//FOUO) NSA will report incidents of non-compliance with the targeting and minimization procedures within five business days of discovery to the NSD and ODNI OGC, and CLPO.
Controls: OGC notifies external overseers of incidents of possible non-compliance with the targeting procedures within five business days of discovery. OGC coordinates input by NSA organizations for Rule 13 notices prepared by NSD, in coordination with ODNI, for all violations of the FAA §702 targeting and minimization procedures.

Provision: (U//FOUO) NSD and ODNI will oversee exercise of the FAA §702 authority, which will include bi-monthly reviews to evaluate the implementation of the procedures.
Provision: (U//FOUO) NSD and ODNI will oversee NSA's activities with respect to use of USP identifiers to query communications collected under FAA §702.
Controls: NSD and ODNI perform reviews of NSA authorities under the FAA §702 certifications. NSD and ODNI review NSA's targeting decisions, including the source documentation supporting these determinations, to assess compliance with NSA targeting procedures and the Attorney General's (AG) Acquisition Guidelines. NSD and ODNI also review queries, and disseminations of serialized reporting and [redacted].

The FISC Rules of Procedure require NSA to report to the FISC "corrections of material facts" and "disclosures of non-compliance" with FAA §702. In addition, NSA determines whether Congressional notifications are required.

(U) FISC Rules of Procedure

The FISC Rules of Procedure govern all FISC proceedings. Rule 13, Correction of Misstatement or Omission; Disclosure of Non-compliance, is the procedure NSA follows when notifying the Court, through NSD, of incidents of non-compliance with FAA §702.

(U) Rule 13(a) Correction of Material Facts

If the government discovers that a submission to the Court contained a misstatement or omission of material fact, the
government must immediately, in writing, inform the Judge to whom the submission was made of:
(1) (U) the misstatement or omission;
(2) (U) necessary corrections;
(3) (U) the facts and circumstances relevant to the misstatement or omission;
(4) (U) modifications the government has made or proposes to make in how it will implement any authority or approval granted by the Court; and
(5) (U) how the government proposes to dispose of or treat information obtained as a result of the misstatement or omission.

(U) Rule 13(b) Disclosure of Non-compliance

If the government discovers that an authority or approval granted by the Court has been implemented in a manner that did not comply with the Court's authorization or approval or with applicable law, the government must immediately, in writing, inform the Judge to whom the submission was made of:
(1) (U) the non-compliance;
(2) (U) the facts and circumstances relevant to the non-compliance;
(3) (U) modifications the government has made or proposes to make in how it will implement any authority or approval granted by the Court; and
(4) (U) how the government proposes to dispose of or treat information obtained as a result of the non-compliance.

(U) Identifying and Reporting Incidents of Non-compliance

(U) Identifying incidents of non-compliance

All potential incidents of non-compliance with FAA §702 certifications and targeting and minimization procedures are reported to SV or TV upon discovery by [...] and others operating under the authority, as documented in the FAA §702 Program Control Framework section, Incident Recognition and Reporting. Training provides a heightened sense of awareness for personnel to identify potential violations. Incidents may also be discovered through oversight mechanisms addressed in the FAA §702 Program Control Framework section, Post-Targeting and Oversight. Monitoring and oversight include manual and technical controls to detect abnormalities.
After review of the incident, SV or TV forwards documentation to OGC. If OGC believes a violation of the targeting and minimization procedures has or may have occurred, even if all the facts have not been gathered, preliminary notification is sent to DoJ NSD. OGC notifies DIRNSA of instances of non-compliance, as appropriate. Upon receiving initial notification from OGC, NSD drafts, in conjunction with [redacted], a notification to the Court, should one be required under the FISC Rules of Procedure.

Once the facts have been gathered and OGC has made an initial determination that a non-compliant FAA §702 event has occurred, OGC finalizes a notification of non-compliance and forwards it to DoJ NSD and ODNI, which make the final determination as to whether there has been an incident of non-compliance that must be reported to the FISC. If NSD and ODNI determine that an incident of non-compliance has occurred, DoJ drafts a notification, which is coordinated with the IC elements involved, finalizes it, and files the notice with the Court. DoJ NSD often follows up on preliminary notifications with one or more additional notifications. In some cases, the preliminary notification of an incident serves as the final notice of that incident.⁹⁹ [redacted] notices of non-compliance (13(b)s) were filed with the FISC for matters identified in that calendar year. None of these incidents involved inaccurate information in previously filed declarations to the Court, which would have required that a Rule 13(a) notice of correction of material fact be filed.

(U) Congressional notifications

DIRNSA, as head of an IC element, has a statutory obligation to keep the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence fully and currently informed of all significant intelligence activities.¹⁰⁰ NSA resolves doubts about notification in favor of notification.
In addition to notifying Congress and the Director of National Intelligence, [NSA] must notify the [redacted] and other staff, as directed by [redacted] guidance. For all FAA §702 incidents of non-compliance reported to the Congressional intelligence committees, NSA also provides discretionary notifications to the Senate and House Committees on the Judiciary. The Legislative Affairs Office (LAO) manages liaison with the Congress, and with the DOD, the IC, and other U.S. government departments and agencies regarding matters of concern to Congress. LAO is the focal point for Congressional inquiries, correspondence, questions for the record, and [...] directed to NSA. Policy 1-33 provides guidelines for identifying matters that OGC and LAO must consider reporting to the Congressional intelligence committees under 50 U.S.C. §§3091 and 3092. The guidelines do not constitute a comprehensive list of what must be reported. Compliance incidents are assessed under a general guideline to consider reporting matters that the intelligence committees have expressed a continuing interest in or which otherwise qualify as significant intelligence activities or failures.

(U//FOUO) NSA works to keep the Congressional intelligence committees fully and currently informed about the Agency's activities over and above what is strictly required to be reported under the guidelines outlined in Policy 1-33. At a minimum, however, NSA must keep the Congressional intelligence committees timely informed of all major intelligence policies and activities and provide the information those Committees request.

(U//FOUO) Determining whether Congressional notification should be provided is a judgment based on the facts and circumstances and on the nature and extent of previous notifications to Congress on the same matter. Not every intelligence activity warrants Congressional notification. [...] analysis of the FAA §702 incidents of non-compliance filed during 2013 resulted in two incidents reported in Congressional notifications: one related to a 2013 incident, and the other to an incident first reported in 2012. [redacted] reported a retention [redacted] provided [redacted] resolution of a [redacted]. This update reported on the actions taken to resolve the matter, including correction of the affected system component, purge of affected transactions, verification that no disseminated reports had been based upon overcollected data, and implementation of a post-acquisition review of this type of data to identify future overcollection.¹⁰¹

99 DOJ NSD files the "Quarterly Report to the Foreign Intelligence Surveillance Court Concerning Compliance Matters Under Section 702 of the Foreign Intelligence Surveillance Act," which includes incidents DOJ NSD and ODNI determined to be violations of the targeting and minimization procedures (13(b)s) as well as all other incidents determined not to meet the reporting requirements of 13(b). This quarterly report to the FISC also provides supplemental information on previously reported compliance incidents.

100 (U) 50 U.S.C. §3091, as implemented by Intelligence Community Directive 112, Congressional Notification, 16 November 2011, requires the head of each element of the IC to inform Congress on significant intelligence activities.

101 [...] and dissemination compliance incident involving [redacted] NSA corporate database [...] "Congressional Notification," a matter first reported to the Congressional intelligence committees on [redacted].

(U) Incidents of Non-compliance in 2013

In 2013, DoJ reported to the Court [redacted] incidents of non-compliance with FAA §702.
The incidents and rates of occurrence are in Table 42.

(U//FOUO) Table 42. FAA §702 Incidents of Non-Compliance Reported in 2013

Incident Type | Percentage
Tasking Errors* | 12%
Detasking Errors† | 19%
Non-compliance with Notification Requirement‡ | 57%
Non-compliance with Documentation Requirement§ | 5%
Minimization Errors¶ | 6%
Other# | 1%

* (U) Tasking errors: foreignness support was insufficient to support tasking (foreignness was not reestablished following travel to the United States, the foreign intelligence purpose explanation was insufficient, or a typographical error was made).

† (U) Detasking error examples include: (1) delayed detasking, which occurs when NSA has a foreign intelligence target, reasonably believed to be outside the United States at the time of tasking, and later learns that the target plans to travel to the United States, but does not detask the target's selectors before the target arrives in the United States; and (2) incomplete detasking of all tasked selectors when it is determined the target is no longer eligible for tasking.

‡ (U) Notification: NSA's targeting procedures require certain incidents be reported to NSD and ODNI within five business days, even if these incidents do not involve non-compliance with the targeting procedures. Specifically, NSA is required to terminate acquisition and notify NSD and ODNI if it concludes that a person is reasonably believed to be located outside the United States and after targeting this person learns that the person is inside the United States, or if NSA concludes that a person who at the time of targeting was believed to be a non-United States person was in fact a United States person.

§ Documentation errors: The targeting procedures require that NSA provide a citation to the source of information upon which the determination of the target's foreignness was made. These errors, in which the citations were not considered adequate to support the foreignness of the user of the selector tasked, were identified through NSD and ODNI review of NSA tasking.
¶ (U) Minimization errors may include errors in querying, reporting, and retention.

# (U) The "other" incident type often pertains to instances in which systems that support compliance are not operating as intended.

(U//FOUO) Examples of incidents, including actions NSA took to mitigate recurrence, follow. This information is taken from the 13(b) notices DoJ NSD filed with the FISC.

(U//FOUO) Example 1: [redacted] incident as a result of delayed [redacted] (Compliance Incident Regarding Section 702-Tasked [redacted])

NSA reported to the National Security Division (NSD) and the Office of the Director of National Intelligence (ODNI) a delay in the detasking of [redacted]. [redacted] determined that the [redacted] associated with the U.S. travel [redacted] the [selectors] used by the target. NSA discovered this [...] and detasked [redacted] the same day. The continued tasking of the [remaining selector] was not discovered until [redacted], when [the selector] was immediately detasked.

(U//FOUO) Action taken to mitigate recurrence: The target office [was] reminded of the need to identify and immediately detask all facilities used by a target when the target is found to be in the United States. NSA did not issue a Congressional notification about this incident. The incident was included in the Semiannual Report of the Attorney General Concerning Acquisitions under Section 702 of the Foreign Intelligence Surveillance Act, dated March 2014.

Example 2: Other incident (technical error) (Notice of Compliance Incident, [redacted] 2013 (Preliminary))

[redacted] notified the [...] of an incident regarding the checks NSA [performs to] ensure that [redacted] accounts tasked for collection [under] Section 702 are not used from inside the U.S. NSA provided written notice of this incident to NSD and the [...]. [redacted] identified the following compliance incident as a result of its ongoing [...] process. [redacted] post-tasking checks are intended to identify indications that users of Section 702-tasked [selectors] may be inside the U.S.
[redacted] Section 702 [selectors] were not being sent from [redacted] to [redacted], thereby preventing [redacted] checks from being conducted regarding [redacted]. [redacted] and confirmed that there is no [redacted] indicating that any of the users of the [selectors] were located in the U.S. As of [redacted], records with the [redacted] are now sent to [redacted]. NSD and ODNI [at the time] continue[d] to investigate this incident. The Department of Justice [committed] to continue to inform the Court of additional information regarding this incident as it became available.

Supplemental/Final: As detailed in the preliminary [notice], NSA determined that certain Section 702 [selectors] were not being sent [redacted] post-tasking [redacted]. [redacted] revealed no previously unknown indications [redacted]. [redacted] the process of fixing this issue at the time the 13(b) was reported to the FISC.¹⁰⁵ [redacted] [at that time] continued to investigate the alert. To prevent the potential compliance incident, NSA has corrected the error [redacted] Section 702 acquisition. With [respect] to [selectors] [redacted], NSA has identified one confirmed period of roaming in the United States by the intended target, which lasted [redacted] days. [redacted] accounts have been detasked.

Summary of action taken to mitigate recurrence: With respect to [redacted] [selectors] discussed above, NSA advises that the unique identifiers associated with [redacted] communications acquired while users were or may have been in the U.S. were added to the Master Purge List (MPL) in discover status [redacted]. The notice also stated that DoJ would include this issue in its quarterly report to the Court regarding Section 702 compliance occurrences and that the report would confirm that NSA had added the communications to the MPL in purge state. NSA did not issue a Congressional notification about this incident. The preliminary incident of non-compliance was included in the Semiannual Report of the Attorney General Concerning Acquisitions under Section 702 of the Foreign Intelligence Surveillance Act, dated March 2014.

(U) NSA Use of the FAA §702 Authority

NSA asserts that the FAA §702 authority provides significant foreign [redacted] to the foreign intelligence categories specified in the FAA §702 [redacted].

(U) Methods Used to Assess Effectiveness

(U//FOUO) NSA maintains a variety of statistics related to the FAA §702 authority that show the overall contributions to NSA SIGINT reporting, how customers value and use reports, and the unique access to foreign intelligence information FAA §702 provides. Data presented in this report is for calendar year 2013, unless otherwise noted, and statistics are limited to NSA reporting.

(U) FAA §702 contributions to SIGINT reporting

As Figures 9 and 10 show, information obtained [redacted] U.S. [redacted] foreign governments. Of the more than [redacted] SIGINT reports issued in [redacted], [redacted] percent were based in whole or in part on FAA §702 information.¹⁰⁷ ¹⁰⁸

(U) Figure 9. Total SIGINT Reports Issued in CY2013 [figure; data redacted]

(U) Figure 10. SIGINT Reports Based in Whole or in Part on FAA §702 or PAA Collection [figure; years 2008 through 2012 on the horizontal axis; data redacted]

108 When a report is solely sourced to an authority, it indicates that a particular source was used by the analyst but does not mean that the collection was only available from that one source of collection.

During 2013, NSA disseminated an average of over [redacted] serialized SIGINT reports a month that included information collected under the FAA §702 certifications.¹⁰⁹ [redacted] NSA management believes that disseminated reports further the U.S. government's understanding of high priority [redacted] disseminated reports, collection obtained under FAA §702 [redacted] and reports per month concerning international terrorism that include information derived from FAA §702 collection.

(U) Figure 11.
Terrorism -Specific SIGINT Reports Sourced with FAA ?702 Information CY2013 109 The number of iss ucd reports was obtained in November 2014 from management information system for production. The number of reports for any period is net of any reports recailed after they were issued. nun-err: ST-14-0002 average, more thanl [selectors were tasked for acquisition (U) Analyst Use of the Authority under FAA ?702 during 2013. 86-33 W) The FAA ?702 authority is utilized broadly to support NSA usefulness is con?rmed by the above statistics. as well as the fact that the number if selectors tasked to the authority has increased since 2010. Similarly, the increase in the number of reports sourced by FAA ?702 communications has increased] "in the same period. (U) FAA ?702 Contributions to the Intelligence Mission 36.35 use 793 USC 3024(i) (U) In 2013, NSA reported to the Senate Committee on the Judiciary that ?information. gathered from Section 702 of the FISA Amendments Act and Section 215 of the Patriot Act, in complement with other authorities, has contributed to the United States government?s understanding of terrorism activities and, in many cases, has enabled the disruption of potential terrorist events at home and abroad.? (U) On 21 June 2013, NSA provided to several Congressional committees testimony concerning 54 cases in which these programs contributed to the US. government?s understanding and, in many cases, disruption of terrorist plots in the United States and more than 20 countries. (U) The SIGINT Directorate provided to the OIG additional examples of the value of FAA ?702 collection to NSA missions. 1) -F-) U.S. andl - 86156? 86-36 use 793 use 30240) 146 ST-a14u0002 Wsectmn I Based on section 702 Idismpted the potential attack - - - - (bum-songsc (m6 147 13131313: ST-M-OGDZ I I NSA analyzed and disseminamd larger Intelligence pursuant to Executive-Ordef?? information to the based ?analysis of Section 702-acquired communications revealed .. 
[redacted]

IV. (U) ABBREVIATIONS AND ORGANIZATIONS

(U) ADET Associate Directorate for Education and Training
(U) AIG Authorities Integration Group
(U) [redacted]
(U) [abbreviation illegible] Assistant to the Secretary of Defense for Intelligence Oversight
(U) [abbreviation illegible] Bulk metadata
(U) BR Business Records
(U) CDR Call Detail Record
(U) CIA Central Intelligence Agency
(U) CMCP Comprehensive Mission Compliance Program
(U) CSLI Cell site location
(U) CSP Communication Service Provider
(U) CT Counterterrorism
(U) DIA Data Integrity Analyst
(U) DIRNSA Director, NSA
(U) DMR Dataflow Management Request
(U) DNI Director of National Intelligence
(U) DOD Department of Defense
(U) DOJ NSD Department of Justice, National Security Division
(U) DTM Directive Type Memorandum
(U) DTOI Date and Time of Intercept
(U) EAR Emphatic Access Restriction
(U) EDH Enterprise data [illegible]
(U) EO Executive Order
(U) FAA FISA Amendments Act
(U) FBI Federal Bureau of Investigation
(U) FISA Foreign Intelligence Surveillance Act
(U) FISC Foreign Intelligence Surveillance Court
(U) FTP File Transfer Protocol
(U) [redacted]
(U) HMC Homeland Mission Coordinator
(U) IC Intelligence Community
(U) IMEI International Mobile Station Equipment Identity
(U) IMSI International Mobile Subscriber Identity
(U) IO Intelligence Oversight
(U) LAO Legislative Affairs Office
(U) MCT Multiple Communication Transaction
(U) MPL Master Purge List
(U) MRG Math Research Group
(U) NCTC National Counterterrorism Center
(U) NSA National Security Agency/Central Security Service
(U) NSAW NSA Washington
(U) NSD National Security Division
(U) NSOC National Security Operations Center
(U) ODNI Office of the Director of National Intelligence
(U) ODOC Office of the Director of Compliance
(U) OGC Office of General Counsel
(U) OIG Office of the Inspector General
(U) OTR Obligation to Review
(U) PKI Public key infrastructure
(U) [abbreviation illegible] Associate Directorate for Security and Counterintelligence
(U) RAS Reasonable Articulable Suspicion
(U) [abbreviation illegible] Request for information
(U) [redacted]
(U) SIS Information Sharing Services Group
(U) S2 Analysis and Production
(U) S21 Counterterrorism Production Center
(U) S214 Homeland Security Analysis Center
(U) S3 Data Acquisition
(U) S31324 [redacted]
(U) S354 [redacted]
(U) SCA Special compliance [illegible]
(U) SCIF Sensitive Compartmented Information
(U) [redacted]
(U) SID Signals Intelligence Directorate
(U) SIGINT Signals Intelligence
(U) [redacted]
(U) SOO Senior Operations Officer
(U) [abbreviation illegible] Counterterrorism Division
(U) SV SID Oversight and Compliance
(U) T12 [redacted]
(U) T1222 [redacted]
(U) [redacted]
(U) T1323 [redacted]
(U) T16 [redacted]
(U) TD Technology Directorate
(U) TR Targeting request
(U) TS [illegible]
(U) [abbreviation illegible] TD Office of Compliance
(U) USD(I) Undersecretary of [illegible]
(U) USP U.S. person
(U) USSID U.S. Signals Intelligence Directive
(U) [abbreviation illegible] U.S. SIGINT System
(U) VOA Verification of accuracy

(U) APPENDIX A: THE §215 AND FAA §702 REVIEW

(U) Reason for Review

(U) In September 2013, ten members of the Senate Committee on the Judiciary requested a comprehensive, independent review of the implementation of §215 of the USA PATRIOT Act and §702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act (FAA) of 2008 for calendar years 2010 through 2013.

(U) Objectives

(U//FOUO) In January 2014, the National Security Agency/Central Security Service's (NSA) Office of the Inspector General (OIG) and Committee staff agreed that the NSA OIG would review implementation of both authorities for calendar year 2013. The study has three objectives:

(U) Objective I

- (U) Describe how data was collected, stored, analyzed, disseminated, and retained under the procedures for §215 and FAA §702 authorities in effect in 2013 and the steps taken to protect U.S. Person information.
- (U) Describe the restrictions on using the data and how the restrictions have been implemented, including a description of the data repositories and the controls for accessing data.
- (U) Describe oversight and compliance activities performed by internal and external organizations in support of §215 Foreign Intelligence Surveillance Court (FISC) Orders and FAA §702 minimization procedures.

(U) Objective II

- (U) Describe incidents of non-compliance with §215 FISC Orders and FAA §702 Certifications and what NSA has done to minimize recurrence.

(U) Objective III

- (U) Describe how [redacted] used the data to support their intelligence missions.

The report also provides a summary of the changes made in the implementation of both authorities for calendar years 2010 through 2012 and, for §215, a list of incidents of non-compliance for calendar years 2010 through 2012.

(U) Scope and Methodology

(U//FOUO) Our study of implementation of the Section 215 and FAA §702 authorities was based largely on program stakeholder interviews and reviews of policies and procedures and other program documentation. For this review, the NSA OIG documented the controls implemented that address the requirements of each authority. However, we did not verify through testing whether the controls were operating as described by program stakeholders.

(U) Section 215

(U//FOUO) Our §215 review focused on the BR FISA program control framework, incidents of non-compliance, and use of the authority to support its counterterrorism (CT) mission in 2013. To document the BR FISA control framework, we used BR Order 13-158, approved by the FISC on 11 October 2013 effective through 30 January 2014, and compared the requirements listed in that Order with the processes and controls NSA used to maintain compliance with that Order. [redacted] the changes implemented in the BR FISA [redacted] Homeland Security Analysis Center (S214). Data [redacted] following the [redacted] in 2014.
(U) We interviewed personnel in the Signals Intelligence Directorate's (SID) Oversight and Compliance (SV), Information Sharing Services Group (SIS), and Counterterrorism [redacted] division; the Technology Directorate's (TD) Office of Compliance [redacted]; the Office of the Director of Compliance [redacted]; the Authorities Integration Group [redacted]; the Legislative Affairs Office [redacted]; and the Office of General Counsel (OGC).

(U) FAA §702

[redacted] In addition to FAA §702 stakeholder interviews and reviews of policies and procedures and other program documentation, information obtained in the Assessment of Management Controls Over FAA §702, revised and reissued 29 March 2013, was also used as a resource. That review examined the controls that NSA used to maintain compliance with FAA §702 and the targeting and minimization procedures associated with the 2011 certifications. Our FAA §702 review focused on the processes and controls in place in 2013. Two primary documents filed annually with each FAA §702 certification comprise procedures for complying with the FISA Amendments Act of 2008:

- The Procedures Used by the National Security Agency for Targeting Non-United States Persons Reasonably Believed to be Located Outside the United States to Acquire Foreign Intelligence Information Pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, as Amended (FAA §702 Targeting Procedures), and
- The Minimization Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, as Amended (the FAA §702 Minimization Procedures).

[redacted]

For calendar year 2013, the period under review, different versions of these documents were in effect because of changes made with the annual certification renewal and special amendments.

FAA §702 Targeting Procedures

- Procedures approved with the 2012 renewal of the authority, effective 24 September 2012 [redacted]
- These procedures were not changed for the 2013 certification renewal and remained effective 10 September 2013 through 9 September 2014.

FAA §702 Minimization Procedures

- Procedures approved for the 2012 certification renewal, approved by the FISC 24 August 2012, were effective 24 September 2012 through [redacted]
- [redacted]

[redacted] We also examined implementing procedures and controls for the Attorney General's targeting guidelines. We interviewed personnel in SID Policy and Corporate Issues Staff (S02L), SV, Analysis and Production (S2) Staff and Product Lines, Data Acquisition (S3) [redacted], the [redacted].

(U) Prior Coverage

(U//FOUO) Since 24 May 2006, the date the original BR Order was signed, the NSA OIG has completed five BR FISA program reviews. Table A-1 summarizes the reviews the NSA OIG has performed on the BR FISA program.

(U) Table A-1. NSA Reviews of the BR FISA Program

| Date | Report | Scope |
|---|---|---|
| 09/05/06 | Assessment of Management Controls for Implementing the Order: Telephony BR [report number illegible] | Reviewed collection, processing, analysis, dissemination, and oversight controls. |
| 05/12/10 | NSA Controls for FISC BR Orders (ST-10-0004) | Reviewed querying and dissemination controls; summarized pilot test results for the period from January through March 2010. |
| 05/25/11 | Audit of NSA Controls to Comply with the FISC Order Regarding BR [report number illegible] | Reviewed querying and dissemination controls; summarized the test results for 2010. |
| 10/20/11 | Audit of NSA Controls to Comply with the FISC Order Regarding BR Retention (ST-11-0011) | Verified age-off of BR metadata in 2011 to maintain compliance with the 60 month retention requirement of the BR Order. |
| 08/01/12 | NSA Controls to Comply with the FISC Order Regarding BR Collection (ST-12-0003) | Reviewed collection and sampling controls for ensuring that NSA receives only the BR metadata authorized by the BR Order. This report summarized test results of the BR querying and dissemination controls during 2010. |
[redacted] Since the Agency obtained FAA §702 authority in January 2008, the NSA OIG has completed annual reviews of reports containing references to USP identities and targets later determined to be located in the United States, as required by the statute. Table A-2 summarizes the two reviews the NSA OIG has completed of the FAA §702 program.

(U) Table A-2. NSA OIG Reviews of the FAA §702 Program

| Report | Scope |
|---|---|
| (U) Assessment of Management Controls Over FAA §702 (ST-11-0009) | Reviewed management controls for maintaining compliance with the targeting and minimization procedures. |
| [redacted] | [redacted] |

(U) APPENDIX B: BR FISA PROGRAM CHANGES 2010-2012

- 25 June [year illegible]: RAS selection term management [redacted]
- [redacted] the Order requirement restricting the number of [redacted] allowed to access BR metadata was lifted.
- [redacted] the Order requirement for weekly reports of BR-related disseminations was changed to [redacted]
- [redacted] primary repository for detailed records.
- [redacted] the Order requirement for NSA to review a sample of records obtained was changed to a monitoring and assessment [redacted] only approved metadata is being acquired.
- (U//FOUO) NSA notified the Court [redacted]
- (U//FOUO) NSA notified the Court [redacted]
- (U//FOUO) [redacted] the Court authorized NSA to implement an automated querying process [redacted]. (U//FOUO) NSA is no longer authorized to use the automated query process since it withdrew its request to do so in the renewal applications and declarations that support the BR Orders approved by the FISC (beginning with BR Order 14-67, dated 28 March 2014).
- (U//FOUO) On 29 November 2012, the Order requirement to track and report the number of instances, since the preceding report, in which NSA has shared, in any form, results from queries of the BR metadata with anyone outside NSA was changed to apply to only sharing of query results that contain U.S. person information.

(U) APPENDIX C: BR FISA PROGRAM INCIDENTS OF 2010 THROUGH 2012

(U) Table C-1. BR FISA Incidents 2010 through 2012 [table redacted]

(U//FOUO) On 1 November 2010, Rule 10(b) and 10(c) notices were replaced by Rule 13(a) and 13(b) notices respectively.
(U//FOUO) Final Rule 10(c) notice [redacted]
[redacted] Supplemental [redacted] 13(b) [redacted]
[redacted] Final Rule 13(a) and 13(b) notice [redacted]

(U) APPENDIX D: FAA §702 CHANGES

(U) Minimization Procedures

[redacted]

(U) 2011

- Language on upstream data added to Minimization Procedures. The retention period for upstream data is reduced to two years. [redacted]
- Clarified that the five-year retention period for unevaluated data began to run from the date of expiration of the certification under which the data was collected. Prior versions did not specify when the five-year period began.
- (U//FOUO) Permitted queries using USP identifiers to identify and select communications. Requires pre-approval before any queries are made. Specifically excludes queries against upstream data.
- Adds requirement to segregate Internet transactions that cannot be reasonably identified as containing single discrete communications.
- Limited access to metadata from Internet transactions to data acquired on or after October 31, 2011.
- Adds specific requirements for DIRNSA determination that a domestic communication can be retained. This includes a requirement that DIRNSA first determine that the sender or recipient of the domestic communication was properly targeted under FAA §702.

[redacted]

(U) An amendment to the Minimization Procedures was made in late 2013. A section was added precluding NSA from using information acquired pursuant to FAA §702 unless NSA determines, based on the totality of the circumstances, that the target is reasonably believed to be outside the United States at the time the information was acquired. [redacted]

(U) Other Changes

(U) 2012

- Congress notified by NSA [redacted]
- [redacted] NSA begins [redacted]

[redacted]