NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE
INSPECTOR GENERAL REPORT

(U) Report on the Special Study of NSA Controls to Comply with the FISA Amendments Act §§704 and 705(b) Targeting and Minimization Procedures

ST-15-0002
7 January 2016

(U) This report might not be releasable under the Freedom of Information Act or other statutes and regulations. Consult the Inspector General Chief of Staff before releasing or posting all or part of this report.

Declassify On: 20410

(U) OFFICE OF THE INSPECTOR GENERAL

(U) Chartered by the NSA Director and by statute, the Office of the Inspector General conducts audits, investigations, inspections, and special studies. Its mission is to ensure the integrity, efficiency, and effectiveness of NSA operations, provide intelligence oversight, protect against fraud, waste, and mismanagement of resources by the Agency and its affiliates, and ensure that NSA activities comply with the law. The OIG also serves as an ombudsman, assisting employees, civilian and military.

(U) AUDITS

(U) The audit function provides independent assessments of programs and organizations. Performance audits evaluate the effectiveness and efficiency of entities and programs and their internal controls. Financial audits determine the accuracy of the Agency's financial statements. All audits are conducted in accordance with standards established by the Comptroller General of the United States.

(U) INVESTIGATIONS

(U) The administers a system for receiving complaints (including anonymous tips) about fraud, waste, and mismanagement. Investigations may be undertaken in response to those complaints, at the request of management, as the result of irregularities that surface during inspections and audits, or at the initiative of the Inspector General.

(U) INTELLIGENCE OVERSIGHT

(U) Intelligence oversight is designed to ensure that Agency intelligence functions comply with federal law, executive orders, and DOD and NSA policies.
The IO mission is grounded in Executive Order 12333, which establishes broad principles under which IC components must accomplish their missions.

(U) FIELD INSPECTIONS

(U) Inspections are organizational reviews that assess the effectiveness and efficiency of Agency components. The Field Inspections Division also partners with Inspectors General of the Service Elements and other entities to jointly inspect consolidated facilities.

NATIONAL SECURITY AGENCY
CENTRAL SECURITY SERVICE
OFFICE OF THE INSPECTOR GENERAL

7 January 2016
ST-15-0002

TO: (U) DISTRIBUTION

SUBJECT: (U) Report on the Special Study of NSA Controls to Comply with the FISA Amendments Act §§704 and 705(b) Targeting and Minimization Procedures

ACTION MEMORANDUM

1. (U) This report summarizes our special study Controls to Comply with the FISA Amendments Act §§704 and 705(b) Targeting and Minimization Procedures and incorporates management's response to the draft report.

2. In accordance with Policy 1-60, Office of the Inspector General, and IG-11731-14, Follow-up Procedures for OIG Report Recommendations, actions on OIG recommendations are subject to monitoring and follow-up until completion. Therefore, we ask that you provide a written status report concerning each planned corrective action categorized as If you propose that a recommendation be considered closed, please provide sufficient information to show that actions have been taken to correct the deficiency. If a planned action will not be completed by the original target completion date, please state the reason for the delay and forward a revised target completion date to Follow-up Program Manager, at DL D1_Followup (ALIAS) D1.

3. (U//FOUO) We appreciate the courtesy and cooperation extended to the evaluators throughout the review. For additional information, please contact on 963-0922(s) or via mail at mnsaicgov.

DR.
GEORGE ELLARD
Inspector General

(U//FOUO) DISTRIBUTION:
DIRNSA
EXDIR
COS
SV

cc:
SIGINT Director: MG Potter
TD Director: G. Smithberger
CLPO: R. Richards
ODOC:
OGC: Morris
RMO:
SV4:
T13
T141
T1411
T1412
CLPO (DL D5 ALL)
ODOC (DL D4_tasker)
OGC Registry (DL d_gc_registry)
RMO (DL Risk)
SID IG POC (DL SIDIGLIAISON)
S02 (DL sOZufrontoffice)
TD Registry (DL TD REGISTRY)
TD Strategic Operations Group (DL
IG D1/Follow-up Program Manager
D1
D12
D13
D14

(U) TABLE OF CONTENTS

(U) EXECUTIVE SUMMARY
I. (U) INTRODUCTION
II. (U) FINDINGS AND RECOMMENDATIONS
FINDING ONE: Agency Controls for Monitoring Query Compliance Have Not Been Completely Developed
FINDING TWO:
FINDING THREE
III. (U) ABBREVIATIONS AND ORGANIZATIONS
(U) APPENDIX A: ABOUT THE SPECIAL STUDY
(U) APPENDIX B: ADDITIONAL INFORMATION
(U) APPENDIX C: FULL TEXT OF MANAGEMENT RESPONSE

(U) EXECUTIVE SUMMARY

(U) Overview

We conducted this study to determine whether National Security Agency/Central Security Service (NSA) controls are adequate to ensure compliance with the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 (FAA) §§704 and 705(b) targeting and minimization procedures. We found that Agency controls for monitoring query compliance have not been completely developed.

(U) Highlights

(U) Our study of NSA's FAA §§704 and 705(b) controls revealed:

- Agency controls for monitoring query compliance have not been completely developed
  The Agency has no process to reliably identify queries performed using selectors associated with FAA §§704 and 705(b) targets
(U) Management action

(U) Officials from the Signals Intelligence Directorate agreed with the recommendations. The planned actions meet the intent of the recommendations.

I. (U) INTRODUCTION

(U) Background

In July 2008, the President of the United States signed into law the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 (FAA). FAA §§703 through 705 set forth requirements that must be satisfied to target U.S. persons (USPs) outside the United States for foreign intelligence purposes. The National Security Agency/Central Security Service (NSA) has implemented the FAA §§704 and 705(b) authorities, but not the FAA §703 authority.

In July 2008, the Attorney General (AG) approved National Security Agency's Standard Minimization Procedures for Acquisitions Targeting United States Persons Reasonably Believed to be Located Outside the United States Pursuant to Section 704 of the Foreign Intelligence Surveillance Act. These procedures also apply to FAA §705(b). In August 2008, the AG issued a memorandum to the NSA Director (known as the "Mukasey Letter") that required NSA to proceed under §§704 and 705(b) of FISA to conduct foreign intelligence that previously had been authorized by the AG pursuant to §2.5 of Executive Order 12333. The two documents comprise FAA §§704 and 705(b) targeting and minimization procedures.

FAA §704 grants the Foreign Intelligence Surveillance Court (FISC) jurisdiction over certain aspects of targeting USPs reasonably believed to be outside the United States when they have reasonable expectations of privacy and a warrant would be required if the collection were conducted inside the United States for law enforcement purposes.
An application for an order under FAA §704 must include a statement of facts and circumstances sufficient to allow the FISC to find that the USP who is the target of the collection is reasonably believed to be outside the United States and is a foreign power, an agent of a foreign power, or an officer or employee of a foreign power and targeting is for a valid foreign intelligence purpose. The FISC issues orders for 90 days when it finds that the facts support targeting.

FAA §705(b) streamlines the approval process for collection against USPs who are outside the United States and are currently subject to a FISC order authorizing electronic surveillance or physical search under FISA §105 or §304, respectively. In such cases, the FISC has already made a probable cause determination with respect to the target. Accordingly, FAA §705(b) permits the AG to authorize collection against the USP for the effective period of the Order, while the person is reasonably believed to be outside the United States.

(U) Table 1 summarizes the requirements for targeting USPs under FAA §§704 and 705(b).

(U) Table 1. FAA §§704 and 705(b) Targeting Requirements

Requirement | FAA §704 | FAA §705(b)
Targeting | Must satisfy four criteria: (1) Proof that target is a USP; (2) USP is reasonably believed to be outside the United States; (3) USP is a foreign power, an agent of a foreign power, or an officer or employee of a foreign power; (4) Targeting is for a valid foreign intelligence purpose | Same as FAA §704 requirements
Approval | (U) FISC Order | AG authorization; however, must have an existing FISC Order against the target
Duration | 90 days | For the period of the existing FISC order
Targeting and minimization procedures | Mukasey Letter and National Security Agency's Standard Minimization Procedures for Acquisitions Targeting United States Persons Reasonably Believed to be Located Outside the United States Pursuant to Section 704 of the Foreign Intelligence Surveillance Act | (U) Same as FAA §704

(U) Study Scope and Methodology

Our study focused on NSA system controls and manual processes designed to ensure that data is collected (tasked and detasked) and queried in compliance with the FAA §§704 and 705(b) targeting and minimization procedures. We reviewed records of taskings and detaskings and queries associated with FAA §§704 and 705(b) targets to determine compliance for January through March 2015 We also reviewed whether selectors had been tasked in the with the correct entered in as the Signals Intelligence Directorate (SID) and requires.1 Last, we determined whether the Agency has implemented controls to

1 The term "selector" includes but is not limited to dialed number recognition (DNR) data (telephone numbers) and digital network intelligence data (e-mail addresses).

is corporate system for managing selector taskings and detaskings.

Table 2 shows the four areas reviewed and the corresponding study results within the report.

(U) Table 2. Study Scope and Results

Areas Reviewed | Results
Tasking and detasking compliance | See Appendix
Selectors entered in | See Appendix
Query compliance | Finding One: Agency Controls for Monitoring Query Compliance Have Not Been Completely Developed; Finding Two:
Controls implemented in response to | See Appendix; Finding Three:

(U) FINDINGS AND RECOMMENDATIONS

FINDING ONE: Agency Controls for Monitoring Query Compliance Have Not Been Completely Developed

(U//FOUO) The Agency has no process to reliably identify queries performed using selectors associated with FAA §§704 and 705(b) targets As a result, the Agency cannot monitor completely query compliance for these authorities.
(U) Criteria

(U) FAA §§704 and 705(b)
National Security Agency's Standard Minimization Procedures for Acquisitions Targeting United States Persons Reasonably Believed to be Located Outside the United States Pursuant to Section 704 of the Foreign Intelligence Surveillance Act, 29 July 2008
(U//FOUO) Mukasey Letter, 18 August 2008

(U) FAA §702
(U) Minimization Procedures Used by NSA in Connection with Acquisitions of Foreign Intelligence Information Pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, as Amended in 2008, 24 July 2014

(U) E.O. 12333
(U) Executive Order 12333, United States Intelligence Activities, as amended (2008)

SID Oversight and Compliance (SV) Controls for Monitoring Query Compliance Are Not Complete

(U//FOUO) The SV internal oversight program for the FAA §§704 and 705(b) authorities is still being developed. The following two activities, although important, do not allow SV to monitor completely query compliance with the FAA §§704 and 705(b) targeting and minimization procedures.

support to external reviews is limited

In October 2014, SV began supporting the Department of Justice National Security Division's (DoJ NSD) semi-annual reviews of NSA FAA §§704 and 705(b) operations. SV provides to DoJ NSD records of queries that NSA performed during the previous six months. These records include only queries of FAA §§704 and 705(b) data in and in certain partitions of The methodology that DoJ NSD and NSA have agreed on does not include providing all records of queries performed using selectors associated with FAA §§704 and 705(b) targets basis compliance risk and NSA system limitations DoJ and NSA agreed that semi-annual reviews would focus on queries of content performed in and in certain partitions of

post-query auditing controls are not designed to verify query compliance with the FAA §§704 and 705(b) authorities

SV oversees the Agency's post-query auditing controls.
SV performs "super audits" that randomly sample query records across all NSA missions and authorities. SID mission auditors review query records (marked for auditor review) for their assigned missions SV requires that auditors have target knowledge and be familiar with the types of queries within their production chain to verify the foreignness of queries and to protect USP privacy

and are mission data repositories approved to retain communications content. Content, as defined in 18 U.S.C. §2510, is the substance, purport or meaning of a communication.

(U//FOUO) NSA System Limitations for Identifying FAA §§704 and 705(b) Queries

(U//FOUO) At the time of our review, the Agency could not reliably identify queries performed using selectors associated with FAA §§704 and 705(b) targets because databases did not uniformly send records in the correct format to (NSA SIGINT auditing and logging system As a result, the Technology Directorate (TD) could not search these records to identify queries performed using selectors associated with FAA §§704 and 705(b) targets.

(U//FOUO) We worked with TD to identify records of queries using selectors associated with FAA §§704 and 705(b) targets extraction tool and the system script allowed TD, in coordination with the OIG, to identify all query records from January through March 2015 related to our review We then developed our own process that automated the analysis of the query records and flagged potential incidents for further review

(U//FOUO) OIG Test Results: Query Compliance Problems Discovered

We analyzed all query records available for review from January through March 2015. Queries were performed using selectors associated with FAA §§704 and 705(b) targets. We identified queries that were not compliant with the FAA §§704 and 705(b) targeting and minimization procedures
another queries that were performed outside the targeting authorization periods in E.O. 12333 data, which is prohibited by the E.O. 12333 minimization procedures. We also identified queries performed using USP selectors in FAA §702 upstream data, which is prohibited by the FAA §702 minimization procedures.5 Table 3 summarizes our test results.

4 is a mission data repository.

(U) Table 3. Summary of Non-Compliant Queries

Reason for Non-Compliance* | No. | % of total | Authority
 | | 0.7% | FAA §§704 and 705(b)
 | | 1.4% | FAA §§704 and 705(b)
Queries were performed outside targeting authorization periods (dates of queries) in E.O. 12333 data | | 1.3% | E.O. 12333
Queries were performed in FAA §702 upstream data | | 5.2% | FAA §702

* for additional details. Non-compliant queries that had more than one problem are included in the counts in multiple categories. There were a total of non-compliant queries.

We reviewed query records for the targets that had the branch or the TOPIs selected for review. See Finding Two

by SV confirmed that of the non-compliant queries that we identified were newly discovered instances of non-compliance. SV had already discovered two instances of non-compliance and filed incident reports before our review. For the newly discovered incidents, SV ensured that the appropriate filed incident reports and counseled to prevent future non-compliance. Office of General Counsel (OGC) notified NSD of the FISA incidents.6

Factors that caused non-compliant queries

SV explained that NSA query compliance is maintained largely through a series of manual checks that perform before querying data. are relied on to maintain target awareness, track targets' U.S. travel, and perform compliant queries. For queries performed outside the targeting authorization periods and queries performed using SV concluded that had not performed the required checks before querying data.

SV also explained that SIGINT systems automatically
SV also explained that SIGINT systems automatically 5 Upstream Internet collection includes acquisition of two types of communications not present in provider-enabled collection: ?abouts? communications and ?multiple communications transactions.? (MCTs). ?Abouts? communications are those that are not to or from the target selector but whose contents include the selector. An MCT is an Internet ?transaction? that contains more than one discrete communication. If one of those communications is to, from, or about a tasked selector and if the active end of the transaction is foreign, the entire MCT transaction will be acquired through upstream Internet collection. This can include other discrete communications that do not contain the tasked selector. If the targeted selector is not the active user in the transaction, the MCT can include other discrete communications that do not contain the tasked selector. 6 The instances of non?compliance with the E0. 12333 minimization procedures will be reported in first quarter 2016 calendar year Intelligence Oversight Quarterly report. The reports are provided quarterly to the Of?ce of the Department of Defense Senior Intelligence Oversight Official and the President?s Intelligence Oversight Board. 7 IORSECREMSIALNQEORN include all authorities to which are entitled access on the basis of their credentials. For the queries into FAA ?702 upstream data, SV concluded that had not removed the FAA ?702 upstream authority from their search criteria (that automatically defaulted on the basis of their credentials) or had not included the appropriate_ limiters to prevent FAA ?702 upstream data from being queried. (U) New controls to improve future query compliance NSA is in the early stages ofimplementing a new system control, . Until has been implemented- the Agency?s compliance monitoring activities and compliance awareness programs will remain important tools for detecting query compliance problems and preventing future recurrences. 
SV has already agreed to perform compliance verification reviews periodically using the process we developed for this study. This will significantly strengthen the Agency's ability to monitor future compliance with the FAA §§704 and 705(b) and FAA §702 targeting and minimization procedures and implement corrective action as needed.

queries performed using selectors associated with FAA §§704 and 705(b) targets. These reviews must determine whether queries had been performed as the FAA §§704 and 705(b) targeting and minimization procedures require, and whether queries of FAA §702 data excluded upstream data, as the FAA §702 minimization procedures require.

(ACTION: Chief, Compliance Verification (SV3) with Analysis and Compliance (S2) Compliance Lead and Office of the Director of Compliance)

(U) Management Response

AGREE SV will develop a standard operating procedure (SOP) to document procedures and processes to periodically monitor for compliance all queries performed using selectors associated with FAA §§704 and 705(b) targets. It is estimated the SOP will be developed by . This SOP will include the procedures for determining whether queries were performed and whether queries of FAA §702 data excluded upstream data. It is estimated that the periodic compliance verification reviews will be implemented by

(U) OIG Comment

(U) The planned action meets the intent of the recommendation.

For the periodic reviews of queries performed using selectors associated with FAA §§704 and 705(b) targets, work with TD to obtain records that also include query records.

(ACTION: Chief, SV3, with Lead, T1412)

(U) Management Response

AGREE SV will develop an SOP to document procedures and processes to periodically monitor for compliance all queries performed using selectors associated with FAA §§704 and 705(b) targets. The SOP will also include the procedures and processes to assess query records. Target completion date is .
(U) OIG Comment

(U) The planned action meets the intent of the recommendation.

Develop a process to send periodic reminders to the SID workforce to specify that queries performed using selectors associated with FAA §§704 and 705(b) targets must be performed must also be reminded periodically that queries of FAA §702 data using USP selectors must exclude upstream data by removing the FAA §702 upstream authority from the search criteria to prevent that data from being queried.

(ACTION: Chief, SV, and S2 Compliance Lead)

(U) Management Response

AGREE SV will develop and post two compliance advisories one for the FAA §§704 and 705(b) queries and one for FAA §702 queries. Based on trend analysis of any non-compliant queries discovered during the planned periodic compliance verification reviews (as agreed in Recommendation 1), SV will issue periodic reminders, as needed, to the SID workforce that references the two compliance advisories to improve awareness. Target completion date is

(U) OIG Comment

(U) The planned action meets the intent of the recommendation.

FINDING TWO: The Agency Has Not Provided Guidance for Documenting

by FAA §§704 and 705(b) targets are not documented consistently and completely and in a manner accessible to all SID who cover the targets As a result, the Agency has an increased risk of non-compliance.

Information Is Not Documented Consistently and Completely

FAA §§704 and 705(b) targeting and minimization procedures prohibit targeting USPs while they are in the United States. Although the Agency is not required to document maintaining these records is important for securing compliance with the targeting and minimization procedures.

We reviewed the processes that TOPIs use to document FAA §§704 and 705(b) targets. Although the Agency uses the processes to maintain compliance with all NSA authorities, we focused our review on how they are used for the FAA §§704 and 705(b) authorities.
We determined that are not documented consistently and completely and in a manner accessible to all SID who cover FAA §§704 and 705(b) targets.

Processes to document are not adequate

Each TOPI has developed its own method for FAA §§704 and 705(b) targets Information is often saved in systems inaccessible by in other who might cover the same targets. However, this information is not consistently documented in

The Staff branch also documents FAA §§704 and 705(b) targets However, branch personnel stated that the records they maintain cannot be relied on They also asserted that the TOPIs are responsible for maintaining the official records. Failure to have documented consistently and completely in a system available to all SID increases the risk that also increases the risk that be performed

are not consistently documented

TOPIs do not consistently document

Develop a process to document consistently and completely all including FAA §§704 and 705(b) targets This process must designate systems for centrally documenting this information, and these systems must be available to all SID Notify the SID workforce of the new process once complete.

(ACTION: Title VII Authority Lead with S2 Compliance Lead)

(U) Management Response

AGREE Management action plan will be implemented in three phases:

a. The Section 704/705(b) authority virtual team will develop and disseminate guidance requiring to It is anticipated that the interim procedures will be completed by .

(U) OIG Comment

(U) The planned actions meet the intent of the recommendation.

(U) OBSERVATION

On Supplemental Procedures Governing Communications Metadata Analysis (SPCMA) web page, the system link that documents the SPCMA enabled metadata repositories does not work. This link should be restored.
FINDING THREE

(U) Criteria

(U) FAA §§704 and 705(b)
National Security Agency's Standard Minimization Procedures for Acquisitions Targeting United States Persons Reasonably Believed to be Located Outside the United States Pursuant to Section 704 of the Foreign Intelligence Surveillance Act, 29 July 2008

(ACTION: Title VII Authority Lead)

(U) Management Response

AGREE Target completion date is

(U) OIG Comment

(U) The planned action meets the intent of the recommendation.

III. (U) ABBREVIATIONS AND ORGANIZATIONS

(U) AG: Attorney General
Counterterrorism
(U) DNI: Digital network intelligence
(U) DNR: Dialed number recognition
(U) DoJ NSD: Department of Justice, National Security Division
(U) FAA: Foreign Intelligence Surveillance Act Amendments Act
(U) E.O.: Executive Order
(U) FISA: Foreign Intelligence Surveillance Act
(U) FISC: Foreign Intelligence Surveillance Court
(U) MCT: Multiple communication transaction
(U) NSA: National Security Agency/Central Security Service
(U) OIG: Office of the Inspector General
(U) OGC: Office of General Counsel
(U) SID: Signals Intelligence Directorate
(U) SIGINT: Signals intelligence
(U) SPCMA: Supplemental Procedures Governing Communications Metadata Analysis
(U) SOP: Standard operating procedure
(U) SSR: Source system of record
SV: Signals Intelligence Directorate Oversight and Compliance
SV3: Compliance Verification
SV4: FISA Authorities
S2: Analysis and Production
(U) TD: Technology Directorate
(U) TOPI: Target office of primary interest
T13
T1412: Compliance Capabilities
(U) USP: U.S. person

(U) APPENDIX A: ABOUT THE SPECIAL STUDY

(U) Objectives

The overall objective of the study is to determine whether National Security Agency/Central Security Service (NSA) controls are adequate to ensure compliance with the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 (FAA) §§704 and 705(b) targeting and minimization procedures.

(U) The focused objectives were as follows:

1.
Determine whether selectors associated with FAA §§704 and 705(b) targets are tasked for collection only within Foreign Intelligence Surveillance Court- or Attorney General-approved targeting authorization periods and while targets are reasonably believed to be outside the United States.

2. Determine whether selectors associated with FAA §§704 and 705(b) targets are tasked in the with the entered in

3. Determine whether queries performed using selectors associated with FAA §§704 and 705(b) targets comply with the targeting and minimization procedures.

4. Determine whether the Agency has implemented controls that

(U) Scope and Methodology

This special study was conducted from March through August 2015. The Office of the Inspector General (OIG) review focused on NSA system controls and manual processes for tasking and detasking selectors and querying data and on controls implemented in response to an FAA §704 purge incident.

We gained an understanding of FAA §§704 and 705(b) controls and corporate controls by interviewing personnel from the Signals Intelligence Directorate's (SID) Oversight and Compliance (SV), SIGINT Policy and Corporate Issues Staff, the Technology Directorate (TD) Office of Compliance, the Research Directorate (RD) Office of Compliance, and the Office of the Director of Compliance. We interviewed personnel from the Office of General Counsel to discuss the FAA §§704 and 705(b) targeting and minimization procedures. We performed procedural reviews of product lines

We conducted this special study using the standards of the Council of the Inspectors General on Integrity and Efficiency, Quality Standards for Inspection and Evaluation, January 2012. Those standards require that we plan and perform the review to obtain sufficient evidence to provide a reasonable basis for our findings and conclusions according to our review objectives.
We believe we have met that standard: we reviewed policies, procedures, and internal controls and interviewed personnel to determine whether taskings and detaskings and queries are being performed compliantly, and interviewed personnel to determine whether additional controls have been implemented to prevent

(U) Standards for Internal Control

(U) Internal controls

(U//FOUO) Policy 7-3, Managers Internal Control Program, 14 February 2012, implements the Government Accountability Office's Standards for Internal Control in the Federal Government, November 1999 (revised September 2014), and assigns managers responsibility to establish internal controls. We focused on internal controls for documentation, record, structure, authorization, and management when assessing processes and procedures for tasking and detasking and query compliance. Table A-1 depicts the categories of internal controls outlined in Policy 7-3.

(U) Table A-1. Categories of Internal Controls

(U) Control | Description
Documentation | Established written procedures that are complete, accurate, and available for examination. Consists of regulations, policies, procedures, and/or standard operating procedures (SOPs).
Record | A written description of what has happened.
Structure | Key duties and responsibilities in authorizing, processing, recording, and reviewing official NSA transactions should be separated among individuals. Managers should exercise appropriate oversight to ensure that individuals do not exceed or abuse their assigned authorities.
Authorization | Procedures are in place to prevent people from exceeding their authority or misusing government resources.
Management | Consists of the assignment, review, and approval of work. This control requires that management provide guidance and training to reduce loss of resources and increase achievement of results.
Security | Any method or device that can be used to restrict access to government resources.
This control may utilize safes, vaults, locked rooms, locked desk drawers, computer log-on identification, and passwords.

(U) Authorities and Restrictions

(U) FAA §§704 and 705(b) Targeting and Minimization Procedures

Mukasey Letter to the Director, 18 August 2008, required NSA to proceed under §704 and §705(b) of FAA to conduct foreign intelligence that previously had been authorized by the AG solely pursuant to §2.5 of E.O. 12333.

National Security Agency's Standard Minimization Procedures for Acquisitions Targeting United States Persons Reasonably Believed to be Located Outside the United States Pursuant to Section 704 of the Foreign Intelligence Surveillance, 28 July 2008, establishes standard minimization procedures for acquisitions targeting U.S. persons (USPs) reasonably believed to be outside the United States pursuant to §704 of FISA. These procedures also apply to FAA §705(b).

(U) National policies and procedures

(U) Executive Order 12333, United States Intelligence Activities, as amended (2008), authorizes to collect, process, analyze, produce, and disseminate SIGINT information and data for foreign intelligence purposes to support national and departmental missions.

(U) Department of Defense Regulation 5240.1-R, Procedures Governing the Activities of DOD Intelligence Components that Affect United States Persons, December 1982, establishes procedures governing the activities of DOD intelligence components that affect USPs.

(U) NSA policy

(U) Policy 7-3, Managers Internal Control Program, 14 February 2012, establishes policy and prescribes procedures and responsibilities for the Internal Control Program.

(U) Policy 1-23, Procedures Governing Activities That Affect U.S. Persons, 30 July 2013, establishes procedures to protect the privacy rights of USPs.

(U) SID policy

USSID SP0018, Legal Compliance and U.S.
Persons Minimization Procedures, 25 January 2011, prescribes policies and procedures and assigns responsibilities to ensure that the missions and functions of the United States System are conducted in a manner that safeguards the constitutional rights of USPs.

USSID SP0019, Signals Intelligence Directorate Oversight and Compliance Policy, 13 November 2012, outlines the oversight and compliance policy and procedures governing activities by elements of the operating under the Director, NSA.

(U) APPENDIX B: ADDITIONAL INFORMATION

(U) Tasking and Detasking Compliance

(U) System controls

systems controls were evaluated in development environment for the following scenarios:

(U) Taskings

(U) Detaskings

(U) Detasking requests

We reviewed analyst requests in to detask selectors associated with the FAA and 705(b) targets who had documented U.S. travel from through . We found that had submitted the detasking requests before targets arrived in the United States to comply with the FAA §§704 and 705(b) targeting and minimization procedures.

Controls Implemented in Response to an

month at a time starting with and will perform reconciliations as new data is received.

(U) APPENDIX C: FULL TEXT OF MANAGEMENT RESPONSE

(U) SID RESPONSE

SIGNALS INTELLIGENCE DIRECTORATE
Memorandum
18 December 2015

FROM: Signals Intelligence Directorate
Office of the Inspector General (OIG)
SID [illegible] Draft Report on the Special Study of NSA Controls to Comply with the FISA Amendments Act 704 and 705(b) Targeting and Minimization Procedures (ST-15-0002)

This memorandum provides the OIG [illegible] the subject draft report. Five [illegible] were identified by the [illegible] for SID remediation: 1 (SV), 2 (SV), 3 (SV), 4 (S02), and 5 (S02).

SID concurs with the OIG's findings and recommendations. Corrective action plans and target completion dates for each of the five are included in the attached matrix.

If you have any questions, please contact [illegible], Deputy Chief of Staff for SIGINT Policy & Corporate Issues (S02) [illegible].

OFFICE OF INSPECTOR GENERAL

(U//FOUO) Management Response to Draft Report on the Special Study of NSA Controls to Comply with the FISA Amendments Act 704 and 705(b) Targeting and Minimization Procedures

SID is required to provide management corrective actions for the subject draft report. In accordance with IG-11357-12, "Coordinating Office of Inspector General Reports," the OIG will evaluate the management response and determine whether changes to a finding, conclusion, or recommendation can be supported.

(U) SID agrees with the OIG's findings and recommendations and the following strategy has been developed for immediate remediation, and offers comments for OIG consideration.

[illegible] | Action Element | Planned Corrective Measure | Target Completion Date

1 | SV3

Comment: Request that S2 Compliance be added to Recommendation 1 as contributor. POC: 969-5369, S2 Compliance Lead.

(U) Recommendation 1: Implement a process to periodically monitor for compliance all queries performed using selectors associated with FAA 704 and 705(b) targets. These reviews must determine whether queries were performed as the FAA 704 and 705(b) targeting and minimization procedures require, and whether queries of FAA 702 data excluded upstream data, as the FAA 702 minimization procedures require.

Action Plan: SV will develop an SOP to document SV's procedures/processes to periodically monitor for compliance all queries performed using selectors associated with FAA 704 and FAA 705(b) targets. It is estimated the SOP will be developed by This SOP will include procedures for determining whether queries were performed and whether queries of FAA 702 data excluded upstream data. It is estimated that the periodic compliance verification reviews will [illegible] by [illegible].

(U//FOUO) Recommendation 2: For reviews of queries using selectors associated with FAA 704 and 705(b) targets, work with [illegible] to obtain [illegible] that also include query records.

(U) Corrective Plan: SV will develop an SOP to document SV's procedures/processes to periodically monitor for compliance all queries using selectors associated with FAA 704 and FAA 705(b) targets. The SOP will also include the to assess query [illegible].

Recommendation 3: Develop a process to send periodic reminders to SID workforce to specify that queries using associated with must also be reminded periodically that queries of FAA 702 data using USP selectors must exclude data by removing the FAA 702 [illegible] authority the search criteria.

(U//FOUO) Corrective Action Plan: SV will develop/post two Compliance advisories: one for the FAA 704/705b queries, and one for FAA 702 queries. Based on trend analysis of any non-compliant queries discovered during the planned periodic compliance verification reviews (as agreed to in Recommendation 1), SV will issue periodic reminders, as needed, to the SID workforce that references back to the two compliance advisories to improve awareness.

4 | S02

S02 Comment: Request that S2 Compliance be added to Recommendation 4 as contributor. [illegible], S2 Compliance Lead.

Recommendation 4: (U) Develop a process to document consistently and completely all including FAA 704 and 705(b) targets This new process must designate systems for centrally documenting this and these systems must be available to all
Notify SID workforce of the new process once complete.

Request: Title Authority Lead with finding.

[illegible] action plan will be in three phases:

a. The Section authority virtual team will develop and disseminate guidance requiring analysts to anticipate procedures will be in place

S02, FAA 704/705b [illegible] Director [illegible] SID

Recommendation 5:

Proposed Change: Renumber Recommendation 5

Rationale: to request to split Recommendation 4 into two separate

Corrective Action Plan: Title VII Authority Lead