DOCID: 3892312 UNCLASSIFIED

INFORMATION ASSURANCE DIRECTORATE
IAD MANAGEMENT DIRECTIVE NO. 20
Dated: 31 May 2005
Revised: 16 February 2010

(U) IA OVERSIGHT AND COMPLIANCE PROGRAM

(U) PURPOSE AND SCOPE

(U) This Management Directive prescribes policies and procedures and assigns responsibilities to ensure that activities conducted under the Director, NSA's (DIRNSA) Information Assurance authorities are conducted in a manner that safeguards the information and privacy rights of United States (U.S.) persons; complies with applicable U.S. laws, executive orders, regulations, directives, and policies; and permits fulfilling commitments to customers and partners.

(U) This Directive implements NSA/CSS Policy No. 1-23 (Reference a) by establishing an oversight and compliance (OC) program for persons engaged in activities conducted under NSA IA authorities, especially those activities that affect U.S. persons and including network defense activities. It defines the OC responsibilities of the Information Assurance Directorate (IAD) Director, IAD mission managers, other NSA/CSS organizations conducting activities under NSA's IA authorities, and the IAD Oversight and Compliance Coordinator (IA OCC).

(U) This Directive applies to all persons who, under NSA IA authorities:
- Collect, process, retain, or disseminate information to, from, or about a U.S. person, including any such information that can be retrieved by reference to a U.S. person's name or other personal identifying information;
- Have access to communications or information systems to conduct IA operations, including, but not limited to, such systems involved in penetration testing, readiness testing support, network monitoring, and communications security monitoring; or
- Access and conduct configuration or development activity on communications or information systems that support IA operations.

Approved for Release by NSA on 8-25-2011, FOIA [case number illegible]
(U) Signals Intelligence (SIGINT) communications collected under DIRNSA SIGINT authority to meet foreign intelligence, counterintelligence, and support to military operations requirements are governed by USSID SP0018 (Reference b) and not by this Directive.

RICHARD C. SCHAEFFER JR.
Information Assurance Director

DISTRIBUTION:
DJP1
DJP2 (VR)
DJP2 (Archives)

(U) This Directive supersedes IAD Management Directive 20, dated 31 May 2005.
(U) OPI: IAD Office of Oversight and Compliance (IV)
(U) No section of this document shall be released without prior approval from the IAD Office of Policy and Doctrine (I92).

TABLE OF CONTENTS

PREFACE
(U) POLICY
(U) RESPONSIBILITIES
(U) REFERENCES
(U) DEFINITIONS
ANNEX A (U) PROCEDURES FOR COLLECTION, PROCESSING, RETENTION, AND DISSEMINATION OF INFORMATION TO, FROM, OR ABOUT U.S. PERSONS
ANNEX B (U) OVERSIGHT AND COMPLIANCE TRAINING PROGRAM FOR PERSONS CONDUCTING ACTIVITIES UNDER NSA IA AUTHORITIES
ANNEX C (U) COMPLIANCE VERIFICATION REVIEWS
ANNEX D (U) HANDLING OF REPORTABLE INCIDENTS

PREFACE

(U) IA Mission Authorities

1. (U) Persons carrying out the DIRNSA Information Assurance (IA) activities may rely on multiple IA authorities, including the following:

a. (U) National Security Directive 42 (Reference c) designates the Director, National Security Agency (DIRNSA), as the National Manager for National Security Systems (NSS). Executive Order 12333 (Reference d) reaffirms DIRNSA's National Manager role. In accordance with Policy 1-2, DIRNSA, in approving IAD's Mission and Function Statement, delegated his National Manager authority to the IAD Director. Thus, the IAD Director performs all National Manager functions.

b. (U) Executive Order 12333 authorizes intelligence agencies, including NSA, to provide specialized equipment, technical knowledge,
or assistance of expert personnel for use by any U.S. Government department or agency with NSS, as well as non-NSS. The Executive Order also directs that provision of assistance by expert personnel shall be approved in each case by the general counsel of the providing element or department.2

2. (U) All activities conducted under NSA's IA authorities must comply with the Fourth Amendment to the U.S. Constitution. The Fourth Amendment protects all U.S. persons anywhere in the world and all persons within the United States from unreasonable searches and seizures by any person or agency acting on behalf of the U.S. Government. The Supreme Court has ruled that the collection of U.S. person electronic communications may be a search and seizure within the meaning of the Fourth Amendment. Section 2.3 of Executive Order 12333 requires that collection, retention, or dissemination of information to, from, or about U.S. persons by intelligence agencies be conducted pursuant to procedures approved by the head of the Agency and the Attorney General (AG), to ensure such activities are conducted in accordance with U.S. laws, including the Fourth Amendment, executive orders, regulations, directives, and policies. To this end, Department of Defense Directive 5240.01 (Reference e) and Regulation 5240.1-R (Reference f) were approved by the AG and apply to activities conducted under NSA IA authorities. Additional specific AG-approved procedures for Communications Security (COMSEC) monitoring activities are provided in National Telecommunications and Information Systems Security Directive (NTISSD) 600 (Reference g). Together, these references provide rules to protect the information and privacy rights of U.S. persons, and this Directive implements this set of procedures.

(U) POLICY

Footnote 1: (U) FBI - Operational assistance to the FBI, and other law enforcement entities, is governed by IAD Management Directive 6,
"Information Assurance Procedures Governing the of Technical Assistance to Law Enforcement," as amended 23 December 2008.

Footnote 2: (U) Please contact the office of the Associate General Counsel (Information Assurance) for applicable legal documentation.

1. All persons conducting activities under NSA IA authorities, including those who access or configure information systems that support the IA mission, shall adhere to the requirements of Reference a and this Directive.

2. (U//FOUO) IAD shall implement a robust IA Oversight and Compliance (OC) program permitting the conduct of authorized IA mission functions while safeguarding the information and privacy rights of U.S. persons as afforded by Federal laws, executive orders, regulations, directives, and policies.

3. All organizations conducting activities covered by this Directive shall develop and maintain local procedures detailing their compliance processes. Local procedures shall document, in detail, how each mission element complies with the provisions of this Directive, as follows:

a. Collection, processing, retention, or dissemination of information to, from, or about a U.S. person, as well as access to a communications or information system to conduct IA operations, pursuant to NSA IA authorities shall only be conducted in accordance with ANNEX A of this Directive. Local procedures used shall be documented by the organization conducting these activities. All such documented procedures must be coordinated with and approved by the IA Oversight and Compliance Coordinator (IA OCC) and the office of the Associate General Counsel for Information Assurance prior to implementation. Local procedures shall be established and coordinated within thirty (30) calendar days of the establishment of new organization mission activities not covered by existing local procedures.

b.
The IA OC program shall include comprehensive multi-level training (ANNEX B) for all persons conducting activities under NSA IA authorities in order to sensitize such personnel to their responsibilities to protect the privacy rights of U.S. persons and to other provisions of this Directive. Local procedures shall incorporate these training requirements.

c. (U) NSA/CSS organizations shall include an oversight program in accordance with ANNEX C as part of their local procedures for conducting activities under NSA IA authorities.

4. Questions and comments concerning this Directive should be submitted to the IAD Office of Oversight and Compliance (IV), NSTS 968-4277. Questions concerning the legal requirements associated with this Directive should be addressed to the Office of the (D24), NSTS 966-5574.

Footnote 3: (U) Examples of such activities and the organizations that conduct them under NSA IA authorities include, but are not limited to, the National Information Assurance Partnership (NIAP), Technology Directorate, and Network Analysis Center (SNAC); COMSEC monitoring (Joint COMSEC Monitoring Activity (JCMA)); penetration testing and readiness testing support (Red Team and Blue Team); network monitoring (the NSA/CSS Threat Operations Center (NTOC), Advanced Network Operations (ANO), Supervisory Control and Data Acquisition (SCADA)); and their successor organizations.

(U) RESPONSIBILITIES

5. (U) The Information Assurance Director shall:

(U) Establish the position of the IA OCC to support development and maintenance of the IA OC program, consistent with Reference a of this Directive.

6. (U) IA Mission Group Chiefs, Center Chiefs, and Organization Mission Managers shall:

a. (U) Ensure that local procedures for operations within their element covered under, and consistent with, this Directive and Reference a are fully documented and have been approved by the and the IA OCC prior to their implementation.
Knowledge of these documented procedures shall be part of the elements' employee training.

b. (U) Ensure all organization personnel are receiving mandatory OC training in accordance with this Directive and, as outlined in ANNEX B, such training includes local procedures pertinent to the mission and function they are performing.

c. (U) Ensure that operations are compliant with all relevant oversight requirements of this Directive.

d. organizations operating under NSA IA authorities to craft support agreements with their customers that provide maximum flexibility and authorization to share data within and, if possible, within the U.S. Government.

e. (U) Submit organization-level quarterly reports to IV on "Activities Affecting U.S. Persons" and other topics requested by.4

f. (U) Ensure mission compliance officer (MCO) and mission compliance reviewer roles are designated within their mission operations in accordance with requirements of ANNEX C.

g. (U) Ensure that IV has access to organization mission personnel, oversight records, mission data, and other information as necessary for oversight purposes.

h. Unless otherwise authorized by this Directive, ensure collected data containing information to, from, or about U.S. persons is reviewed within ninety (90) calendar days from the date of its collection to determine its value and whether the data must be destroyed or can be retained for longer than ninety (90) days for IA mission purposes.

Footnote 4: (U) Cross-mission organizations outside the IAD shall provide their reports to the IG and provide IV and a copy of their final reports.

i. Ensure all activities performed under authorities that raise questions of law or the proper interpretation of this Directive are reviewed by IV and the prior to initiation.

j. (U//FOUO) Report to IV and the any activities operating under NSA IA authorities that may raise a question of compliance with this Directive.

k.
Ensure all reportable incidents are documented and reported in a timely manner as outlined in ANNEX D of this Directive.

7. The IAD Office of Oversight and Compliance (IV) shall:

a. (U) In support
i. centralized support to the Director for issues of OC associated with the IA mission;
ii. Prepare and issue consolidated quarterly reports to the NSA Inspector General (IG) regarding IAD activities affecting U.S. persons on behalf of the IAD Director. In consultation with the review and comment on quarterly reports that non-IAD NSA elements may submit directly to the
iii. Ensure that local procedures for NSA/CSS IA mission activities conducted under NSA IA authorities provide for timely information and situational awareness of issues of interest to the IAD Director; and
iv. Develop, implement, and maintain IA corporate-level OC policies and procedures in partnership with IA OC stakeholders.

b. (U) Support NSA/CSS organizations conducting activities under NSA IA authorities by:
i. (U) Coordinating with organizations and to ensure that established local procedures meet the necessary standards for OC practices and procedures as required by this Directive. IV must provide documented approval of local procedures prior to their implementation.
ii. (U) Performing independent compliance reviews of local procedures, documentation, and training records within organizations operating under NSA IA authorities. These reviews do not replace the organizations' internal mission compliance reviews performed in accordance with this Directive.
iii. (U) Verifying that all IA mission organization personnel are receiving core and advanced OC training pertinent to the missions and functions they perform for their organization.5
iv. (U) Meeting periodically with the IA mission organizations that implement mission compliance programs documented in their local procedures to provide oversight guidance and determine conformance with this Directive.
v. (U) Reviewing anomalies,
issues, and questionable trends with organization mission managers, MCOs, and to determine necessary corrective action or the reportability of such information to the NSA IG or external overseers.

c. (U) Oversee the IA OC training program by:
i. (U) Coordinating with the and organization mission managers to establish OC training requirements and develop detailed documentation and other working aids for persons subject to this Directive.
ii. (U) Ensuring that IA OC guidelines and working aids are readily available and training is provided, as necessary, for persons subject to this Directive.
iii. Partnering with SID; NTOC Policy, Oversight and Compliance; and on specialized and new training, when required, to enhance IA mission compliance with this Directive.
iv. (U) Establishing routine reviews and updates of IA OC training documentation and materials to reflect changes to the IA mission, technology utilized, or higher-level policy.
v. (U) Ensuring that a notification system is in place and implemented that advises persons conducting activities under NSA IA authorities when core and advanced IA OC training is required.
vi. (U) Advising organization mission managers and group management of any apparent inconsistencies or recommended changes in their local IA OC training activities.

d. (U) Support and the NSA IG by:
i. support as needed to the and the NSA IG in carrying out their oversight responsibilities as they relate to this Directive.
ii. (U) Supporting the in reviewing past or ongoing activities, conducted under NSA IA authorities, for potential inconsistencies with applicable law and policy.
iii. (U) Supporting in reviewing new or amended federal laws, executive orders, and regulations and directives for their OC implications to the IA mission.

Footnote 5: (U) NTOC will maintain internal OC training records and provide compliance data to IV.

e.
(U) Support the IAD Office of Policy by partnering with that office to develop and review necessary IA OC-related policies and directives.

f. (U) Coordinate with the OC elements of other parts of the Agency on policies and directives related to the use of NSA IA information.

g. (U) Support the NSA Director of Compliance by:
i. Assisting, as needed, to resolve corporate OC-related issues involving IA activities.
ii. (U) Notifying the NSA/CSS Director of Compliance about significant reportable incidents, as defined in ANNEX D.

8. (U) The Associate General Counsel for Information Assurance shall:

a. Provide legal advice and assistance pertaining to IA OC issues, including interpretations of this Directive, to all NSA/CSS organizations conducting activities under NSA IA authorities.

b. (U) Advise the NSA IG on its inspections and oversight of IA activities conducted under NSA IA authorities.

c. (U) Advise all persons, except for contractors, conducting activities under NSA IA authorities of new legislation and case law that may affect IA OC of missions, functions, operations, activities, or practices.

d. (U) Report to the Attorney General on IA OC issues, as required, and provide copies of such reports to the NSA/CSS and affected agency organizations.

e. (U) In coordination with IV, review and provide approval for local procedures that meet the necessary standards for OC practices and procedures, as required by this Directive.

(U) REFERENCES

9. (U) References

a. (U) NSA/CSS Policy 1-23, "Procedures Governing NSA/CSS Activities That Affect U.S. Persons," as amended, dated 11 March 2004.

b. (U) USSID SP0018, "Legal Compliance and Minimization Procedures," dated 27 July 1993.

c. (U) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems," dated 5 July 1990.

d. (U) Executive Order 12333, "United States Intelligence Activities," dated 4 December 1981, as amended 30 July 2008.

e.
(U) DOD Directive 5240.01, "Intelligence Activities," dated 27 August 2007.

f. (U) Regulation 5240.1-R, "Procedures Governing the Activities of Intelligence Components that Affect United States Persons," December 1982.

g. (U) National Telecommunications and Information Systems Security Directive (NTISSD) 600, dated 10 April 1990.

h. (U) 18 U.S.C. §2510 et seq. (Federal Wiretap Act).

i. (U) 18 U.S.C. 2510 note; Section 107(b) of the Electronic Communications Privacy Act of 1986, P.L. 99-508.

(U) DEFINITIONS

10. (U) The following definitions apply only to activities subject to this Directive. Terms that are defined in References and have the same meaning in this Directive.

a. (U) Mission Compliance Officer (MCO): An individual tasked to review the critical process steps performed by others in conducting activities under NSA IA authorities for compliance with this Directive, including, but not limited to, reviewing for proper authorizations and documentation, action plans, procedure documentation, process steps performed, system configurations, and content of reports.

b. (U) Mission Compliance Reviewer: An individual tasked to review the activities of the first-line compliance officers, as needed, providing support and guidance to the compliance officers and assessing thoroughness and consistency in overseeing mission-critical process steps.

c. Compliance verification: An independent review to ensure compliance with applicable laws and policies, including this Directive, of critical actions by all persons conducting activities under, or of system configurations designed pursuant to, NSA IA authorities. Compliance verification is normally conducted within the mission elements.

d. (U) Reportable incident: 1) An unauthorized collection, processing, retention, or dissemination of information that identifies a U.S. person; 2) an unauthorized access to a communications or information system to conduct NSA IA operations;
or 3) events occurring during or resulting from conducting authorized IA activities resulting in consequences described in ANNEX D of this Directive. Reportable incidents include any failure to follow this Directive or applicable Federal laws, executive orders, regulations, directives, and policies that protect the information and privacy rights of U.S. persons, whether or not information was improperly acquired or released.

IAD Management Directive 20
ANNEX A
(U) Procedures for Collection, Processing, Retention, and Dissemination of Information To, From, or About U.S. Persons

1. (U) COLLECTION AND PROCESSING

1.1. Collection and processing of information to, from, or about U.S. persons voluntarily provided by cooperating sources6 shall be governed by Reference as well as other applicable Federal laws, executive orders, regulations, directives, and policies and not by the rest of this section.

1.2. Consistent with Reference a, NSA/CSS activities conducted pursuant to NSA IA authorities shall be conducted in strict compliance with Federal laws, executive orders and implementing procedures, and applicable Presidential directives. Accordingly, activities conducted pursuant to NSA IA authorities shall not be initiated (or, if initiated prior to the date of this Directive and not in compliance with this Directive, shall cease -- except as provided for in section 1.3 -- until brought into compliance) until written documentation is obtained reflecting that:

a. (U) Collection is authorized by References and or applicable Federal laws, executive orders, regulations, directives, and policies; and

b. (U) Collection falls within as many of the following exceptions to Reference as is practical and applicable:

i. (U) A service provider exception exists, as evidenced by a written request made to NSA/CSS for technical assistance under the requester's service provider authority. (Note: For customers,
there must be documentation that the Joint Task Force -- Global Network Operations, or its successor organization, made the request or is aware of the request);

ii. (U) A consent exception exists wherein the system owner certifies in writing that a program is in place to provide the following legally sufficient notification to its system users: use of such systems constitutes implied consent for monitoring for official U.S. Government purposes; or, in the determination of other releasable documentation to that effect exists; or

iii. A COMSEC monitoring exception exists, whereby the U.S. Government department or agency requests COMSEC monitoring of its systems, in writing; provides written evidence of consent as noted in section 1.2.b(ii) above; and ensures the collection is consistent with Reference g.

Footnote 6: (U//FOUO) Information to, from, or about a U.S. person provided by cooperating sources may include the U.S. person, including individuals and corporations, social security numbers, and other information. An example of this would be the collection of information for evaluations of Commercial off-the-shelf (COTS) products or conducted through the National Information Assurance Partnership (NIAP).

c. IA collection activities shall not be initiated until the IA DIR approval (or that of his designee) is granted. Such approval shall be requested in writing on a staff processing form for IA DIR's approval (or that of his designee). The staffing package shall include all written documentation required by this section and shall be vetted through and IV for concurrence.

1.3. All authorized persons may access and report on NSA/CSS IA data and systems containing information potentially collected, processed, retained, or disseminated in violation of applicable law or policy, including this Directive, for the limited purpose of investigating, characterizing, or mitigating those violations.
The affected mission element shall notify IV and the to seek appropriate additional guidance.

1.4. Selection terms used pursuant to NSA's IA authority that are likely to result in the collection of communications to, from, or about a U.S. person must: 1) be within the scope of that requested by the customer, and 2) comply with applicable law and policy, including this Directive. Organizations subject to this Directive shall establish and document local procedures, subject to IV and approval, to ensure these requirements are met. Any selection term discovered to have resulted in the collection of information exceeding the scope of the customer's request or law or policy shall immediately upon discovery be discontinued, and the information shall immediately be destroyed except: 1) as provided for in section ; or 2) evidence of a crime or threat of death or serious bodily harm to any person, which shall be required to be reported to the appropriate authorities. Any collection exceeding the scope of the customer's request shall be considered unauthorized and subsequently documented through an incident report in accordance with ANNEX D.

1.5. Use of selection terms is subject to oversight by IV and the AGC (IA) as follows:

a. IV shall conduct periodic independent compliance reviews of all NSA/CSS IA activities involving selection terms. These reviews shall be performed at least quarterly. These compliance reviews shall ensure that IV- and AGC (IA)-approved local procedures, intended to prevent use of selection terms that would exceed the scope of customer requests or violate applicable law or policy, are in place, implemented, and effective.

b. A copy of the review results will be provided to the organization mission managers and the . When results of the review reveal that information to, from, or about a U.S. person was collected, retained, or disseminated in a manner exceeding that authorized by the customer, or by law or policy,
such information shall be reported in accordance with incident reporting procedures (ANNEX D).

2. (U) RETENTION

2.1. In accordance with Reference f, data recorded or otherwise retained under authorized activities conducted under NSA IA authorities and containing or potentially containing information to, from, or about a U.S. person shall be evaluated within ninety (90) calendar days of collection under local procedures that have been reviewed and approved by IV and to determine if there is a legitimate mission-related reason to retain the information for longer than ninety (90) days. If no legitimate reason for retention is identified under these procedures, the information shall be destroyed. The ninety (90)-day period described above applies unless the data owner has provided for a shorter retention period.

2.2. If data is determined to hold legitimate value for the approved mission activity, it may be retained beyond the ninety (90) calendar day period, up to the time approved in writing by the data owner, in accordance with written documentation approved by . The duration of data retention will comply with records disposition schedules, approved by the National Archives and Records Administration, for the files or records in which the information is retained. However, the duration of data retention shall not exceed: (1) the period of time needed to achieve the mission, (2) the retention duration approved by the data owner, and (3) five (5) years without a review for either destruction or justifiable longer retention by the mission element in consultation with IV.

3. (U) DISSEMINATION

3.1. In accordance with Reference f, dissemination of reports containing information to, from, or about a U.S. person voluntarily provided by cooperating sources shall be governed by this Directive and internal NSA/CSS policies (such as Policy 3-13, "Information Technology Product or System Vulnerabilities," or its successor),
but is not subject to the limitations in subsections 3.2 and 3.3.

3.2. Subject to the limitation in subsection 3.4, dissemination of information collected pursuant to the service provider or consent exceptions in sections 1.2.b(i) and (ii) is governed by Reference f. A dissemination may be made to any NSA employee (including foreign integrees) or NSA contractor affiliate who is authorized to receive it, and who has a need for the information in the course of official duties. Such information also may be released to others in the intelligence and law enforcement communities when such release is authorized and in accordance with written documentation approved by AGC (IA).

3.3. Subject to the limitation in subsection 3.4, dissemination of information collected pursuant to the COMSEC monitoring exception in section 1.2.b(iii) is governed by Reference g.

3.4. (U) All proposed disseminations of information constituting privileged communications to, from, or about a U.S. person (attorney/client, doctor/patient), and all information concerning criminal activities or criminal or judicial proceedings in the U.S., must be reviewed by the Office of General Counsel prior to dissemination.

IAD Management Directive 20
ANNEX B
(U) Oversight and Compliance Training Program for Persons Conducting Activities under NSA IA Authorities

1. (U) APPLICABILITY

(U) This Annex applies for training purposes to all persons conducting, or who may conduct, activities under NSA IA authorities.

2. (U) POLICY

2.1. IA OC Core Training -- All persons7 conducting activities under NSA authorities shall receive IA OC core training at least annually to familiarize them with the basic Federal laws, executive orders, regulations, directives, and policies that govern NSA IA mission operations. Core training will be in accordance with Reference a and, at a minimum, shall include familiarization with References and d; Reference f, Procedures 1 through 4, 10, 14, and 15; and this Directive.
Testing shall be administered to verify applicable knowledge, as appropriate.

2.2. IA OC Advanced Training -- All persons conducting activities under NSA IA authorities that have the potential for violations of this Directive, as determined by IV, shall have additional advanced IA OC training at least annually. Advanced training shall familiarize such persons with additional applicable legal and policy requirements to further minimize the potential for violations of this Directive. The actual advanced training required for each mission activity shall be determined and agreed upon by mission management, IV, and the . As new missions and/or procedures emerge, training requirements shall be reviewed for adequacy and adjusted as agreed to be appropriate.

2.3. IA OC MCO Training -- All NSA/CSS employees designated to perform as MCOs within mission operations shall first complete and be current (within one year) in the IA OC training required for the mission activity to which they are assigned. Those designated MCO employees must be current in special MCO training as shall be determined by a consensus of mission management, the IA OCC, and .8

2.4. (U) All training requirements and materials, including local procedures and this Directive, shall be reviewed as needed (when a significant change to mission procedure occurs) but no less than bi-annually. The reviews shall be conducted by IV, , and mission operations management to determine whether these materials continue to adequately encompass the latest mission functions, methods, and procedures used by mission operations. Any recommended changes to the training materials shall be submitted to IV and the AGC (IA) for approval prior to implementation.

Footnote 7: For the purpose of this Annex, "persons" includes civilians, contractors, military, military reservists, interns, assignees, and integrees.

Footnote 8: MCOs perform inherently governmental functions and, therefore, contractors shall not be assigned as MCOs.

3.
(U) PROCEDURES

3.1. (U) The training of persons conducting activities under NSA IA authorities shall include guidance concerning the requirements and restrictions of applicable Federal laws, executive orders, regulations, directives, and policies. NSA/CSS employees conducting COMSEC monitoring activities shall be specifically trained on the requirements and restrictions of Reference and successor directives.9

3.2. (U) The use of equipment for training purposes by persons conducting activities under NSA IA authorities is subject to the following limitations:

a. To the maximum extent practical, use of such equipment for training purposes shall be directed against targets that are under current authorization for mission operation.

b. Communications to, from, or about a U.S. person collected during training sessions may not be retained unless such content has been collected within the limitations of an authorized mission operation, in accordance with law and policy, including this Directive.

3.3. (U) The limitations in paragraph 3.2 do not apply in the following instances:

a. Public broadcasts or distress signals; and

b. (U) Minimal acquisition of information as required for calibration purposes.

Footnote 9: (U) Only U.S. Government employees may perform COMSEC monitoring. Section 107(b) of the Electronic Communications Privacy Act of 1986, P.L. 99-508.

IAD Management Directive 20
ANNEX C
(U) Compliance Verification Reviews

1. (U) PURPOSE

1.1. (U) It is essential that every effort be made to safeguard the information and the privacy rights of U.S. persons. It is also essential that NSA/CSS conduct its IA mission activities using procedures that comply with applicable Federal laws, executive orders, regulations, directives, and policies, including this Directive.
Compliance may be verified using a combination of automated mechanisms that prevent or minimize policy violations as well as conducting mission compliance reviews under local procedures to detect any compliance violations that may occur or have occurred. Establishing automated methods to prevent policy violations is preferred to post-operation compliance reviews. However, organizations subject to this Directive shall establish a comprehensive set of automated and manual procedures to ensure policy violations are prevented and detected. Additionally, organizations subject to this Directive shall implement a rigorous compliance verification regime to ensure those assurance procedures are in place, implemented, and effective.

1.2. (U) Compliance verification will be included as an integral part of the documented local procedures for any NSA/CSS mission operation conducted under NSA IA authorities. As part of the organization's mission procedures, compliance verification will provide a process to review accuracy of critical process steps and reduce inadvertent mishandling of information to, from, or about a U.S. person. Assigned mission compliance reviewers shall provide the added benefit of mission expertise to ensure consistency in procedures across multiple mission projects and assist the [illegible] and primary MCOs in resolving issues relative to functions such as sensor programming or monitoring activity decisions.

1.3. (U) Within the IAD, the IV office will perform process compliance reviews and will address the end-to-end processes of mission activities to ensure proper correlation between procedural documentation, actual procedures performed, and NSA IA authorities. Within cross-mission NSA organizations operating under NSA IA authorities, process compliance reviews shall be performed by IV, unless the cross-mission organization can provide alternate methods of compliance review, such as may be performed by their indigenous OC personnel, and on which it has attained IV concurrence.

2. (U) PROCEDURES

2.1. (U) Prior to the initiation of any mission activity that is subject to this Directive and conducted under NSA IA authorities on behalf of any client external to NSA/CSS, a manager responsible for the mission element conducting the activity shall verify and document that the mission element:
a. (U) Has been delegated the authority to conduct the mission and the source of that authority (E.O. 12333, NSD-42);
b. (U) Has been provided authorization from the appropriate Office of Primary Interest (the "data owner") to access data necessary to conduct the mission;
c. (U) Has a written statement from the data owner concerning the purposes for which the data may be used and with whom the data may be shared; and
d. (U) Has a written statement from the data owner that appropriate "notice and consent" procedures are in place.

2.2. (U) The mission manager shall locally maintain records that are related to the requirements set forth in section 2.1. above, and provide copies to IV.

2.3. (U) Compliance with applicable laws and policies, including this Directive, shall be enforced through a combination of system design features, system configuration settings, and manual verification procedures. Taken together, these measures shall either preclude the possibility of violations, or deter them by providing effective detection capabilities.
a. (U) Compliance verification records shall be protected from unauthorized modification during their generation, storage, and retrieval.
b. (U) Actions subject to compliance review shall be described in mission element local procedures. At a minimum, actions or decisions reviewed shall include those with the potential to:
i) Cause the unauthorized collection, retention, or dissemination of information to, from, or about a U.S. person;
ii) Operate outside the boundary of approved procedures pursuant to this Directive; or
iii) Otherwise violate this Directive.
Compliance verification actions include, but are not limited to, the programming of selectors, filters, sensing devices, or other query systems; the creation and dissemination of reports created from collected data containing such information; and population of routing tables or other automated systems that control or direct information subject to this Directive.
c. (U) No compliance verification activity (as described above) shall be initiated until an MCO from within the mission organization has been assigned to that activity. Assigned MCOs shall be senior to (by either position or grade) or be organizationally independent of those performing the actions being monitored and must be current on required oversight training.
d. (U) Each MCO shall be assigned a mission compliance reviewer from within his/her corresponding mission organization. Mission compliance reviewers shall perform quality control checks sufficient to provide assurance that MCOs are correctly performing their intended functions. All mission compliance reviewers shall be senior (by position or grade) to the MCOs they review.

2.4. (U) Within the IAD, IV will coordinate with mission operations to develop and schedule end-to-end procedure compliance reviews. Reviews may cover any individual portion of or the entire activity process and documentation, and may periodically include review of compliance verification procedures and data. Within cross-mission NSA organizations operating under IA authorities, IV will coordinate procedure compliance reviews, process reviews, or other assurance methods with appropriate authorities within the cross-mission organizations.

ANNEX D (U) Handling of Reportable Incidents

1. (U) SCOPE

This annex addresses the handling and documentation of reportable incidents that occur during activities conducted by NSA/CSS mission organizations under IA authorities.
This annex also provides local mission operations procedures for rapid leadership notification of events of significant interest that may occur during mission operations.

2. (U) PURPOSE

It is essential that all reportable incidents are documented with concise information and appropriately reported, in a timely fashion, to all parties having a stakeholder interest in the incident. All reportable incidents shall be recorded and reported, whether they were the result of intentional actions, human error, or automated system breakdown or malfunction. A reportable incident shall include any situation in which IA authorities were improper or improperly applied, or IA approved procedures were violated, whether or not the violation actually resulted in the collection, retention, dissemination or reporting of U.S. person information.

3. (U) PROCEDURES

3.1. (U) Reporting General Incidents

3.1.1. Incidents involving the violation of IA Operational Authorities or Approved Procedures for the IA mission shall be recorded and reported within one (1) business day (24 hours -- weekends and holidays excluded) of recognition of the event to the following recipients:
a. (U) Immediate Mission Management;
b. (U) IAD Oversight and Compliance (IV); and
c. (U) NTOC shall report incidents to the NTOC Policy, Oversight and Compliance Office (V07), which shall distribute reports as appropriate.

3.1.2. Reportable Incidents include, but are not limited to, the following:
a. Unauthorized collection, retention, or dissemination of U.S. person information;
b. Any provision of monitoring or readiness testing support to a U.S. Government organization outside the bounds of an approved written support agreement;
c. Any provision of COMSEC monitoring or readiness testing support to a U.S. Government organization without all required authorization and agreement documentation in place;
d. Any handling or retention of data collected under IA authorities in such a manner as to permit unauthorized access to that data;
e. Failure to follow a provision of local policy or procedure;
f. Unauthorized use of a real U.S. person name or other identifying information [redacted];
g. Use of sexually suggestive or pornographic material as part of an IA operation;
h. Use of material that is insensitive based on racial, cultural, gender, sexual orientation, disability or religious criteria, age, national origin, or genetics as part of an IA operation;

3.2. Reporting of Items of Significant Interest to Senior Leadership

3.2.1. Even if all IA activities are carried out in accordance with IA authorities and approved procedures, the occurrence of unexpected events that warrant documentation and timely reporting through the chain of command could occur. For example, if an event does not involve a violation of authorities or procedures, but resulted from an activity performed under IA authorities, an incident report shall still be generated. Thus, incident reporting permits trend analysis and helps identify the need for review of policy or procedures for potential improvement.

3.2.2. It is essential that the local mission management understand the types of events that warrant immediate notification to senior leadership. The following list is not all inclusive, but suggests the types of issues that should be considered for priority reporting:
a. Physical damage to U.S. Government or private property;
b. Extensive and irreplaceable destruction of U.S. Government information (destruction of on-line databases that are not otherwise backed up);
c. Damage to mission infrastructure or components that will disable or significantly degrade client mission operations;
d. Compromise of classified material;
e. Events that may trigger media attention or cause significant embarrassment to the Agency or community;
f. Denial of service of mission critical services for large segments of U.S. or foreign users (shut-down of network services for a major command, or a commercial provider);
g. Events compromising national intelligence networks or national intelligence communications;
h. Loss of control or public exposure of personal privileged information (social security numbers, home addresses, phone numbers, medical or [illegible] information, financial information, private correspondence or data) of U.S. persons; or
i. Initiation of criminal investigations by U.S. or foreign law enforcement agencies (possibly due to the breakdown of Trusted Agent networks).

3.2.3. Local mission procedures shall include how to report these events through management in an expedient manner and, as appropriate, include notification to the following:
a. IA Director, IA Deputy Director, or IAD Chief of Staff (reporting after normal operating hours would be through the Senior Information Assurance Officer (SIAO) on duty in the [illegible]);
b. (U) [redacted]; and
c. (U) IAD Oversight and Compliance (IV).

NSA/CSS Policy 1-22 defines "personal information" as: "Information about an individual that is intimate or private to the individual, as distinguished from information related solely to the individual's official functions or public life."

3.3. Group, center, and subordinate levels of management may impose additional reporting requirements beyond those stated in this annex, as long as they do not interfere with meeting the reporting thresholds and timelines described above.

3.4. For all reported incidents, an initial review and analysis will be made by IV,[12] with guidance from [illegible] as needed. Review of the incidents shall permit a determination of the completeness of the report, and permit requests for any needed clarifying information about the incident. IV, in consultation with the [illegible], will make a determination of what, if any, immediate action must be taken.
IV will ensure the incident is properly reported to the NSA Inspector General (IG), including any end-of-quarter IG report.

13 (U) V07 would perform initial [illegible] and [illegible] for [illegible]-based IA related incidents.

SECRET//[redacted]

NATIONAL SECURITY AGENCY / CENTRAL SECURITY SERVICE
NSA/CSS POLICY 1-58
Issue Date: 24 March 2011
Revised:

1. (U//FOUO) This policy governs the Signals Intelligence and Information Assurance missions of NSA/CSS in conducting and supporting integrated U.S. Government [redacted] cyberspace operations (References a, b, c, d, e and f) and in adjudicating mission equities. [redacted]

(U//FOUO) It provides direction for NSA/CSS element support to U.S. Cyber Command to achieve integrated cyberspace operations as envisioned in Secretary of Defense Memorandum, "Establishment of a Subordinate Unified U.S. Cyber Command Under U.S. Strategic Command for Military Cyberspace Operations" (Reference c), and implements portions of National Security Presidential Directive-54/Homeland Security Presidential Directive-23, "Cybersecurity Policy" (Reference d) and related subordinate plans, including the "Deployment of Automated Defense Sensors Across Executive Branch Federal Systems Implementation Plan" (Reference e).

KEITH B. ALEXANDER
General, U.S. Army
Director, NSA/Chief, CSS

Endorsed by Associate Director for Policy

Approved for Release by NSA on 8-26-2011, FOIA Case # 58987

Encls: (U) Annex A - Equities Adjudication [redacted]

DISTRIBUTION: DJP1, DJP6 (VR), DJP6 (Archives)

(U) This Policy supersedes Policy 1-58 dated 24 November 2009.
(U) OPI: Corporate Policy, DJP1, 963-3086s.
(U) No section of this document, regardless of classification, shall be released without approval from the Office of Policy and Records (DJP).

(U) POLICY

2. (U//FOUO) NSA/CSS elements shall, to the maximum extent permissible by law and policy and consistent with NSA/CSS authorities, actively collaborate with elements of the U.S. Government, including the Department of Defense (DoD), the Intelligence Community (IC), and other U.S. Government departments or agencies [redacted].

3. (U//FOUO) As part of Office of the Director of National Intelligence (ODNI)-mandated information sharing efforts and to support the Department of Homeland Security (DHS) mission to protect Federal systems, NSA/CSS elements shall provide threat or vulnerability information to U.S. government [redacted] at the lowest classification level possible to facilitate its use in cyberspace operations [redacted].

4. [redacted]

5. (U//FOUO) In recognition of the threat posed by foreign adversaries to the nation's information systems and critical infrastructure, NSA/CSS elements shall provide information about threats or vulnerabilities [redacted].

6. (U) [redacted]

7. (U) This policy shall be implemented in compliance with public law, policies and other applicable guidance, including those that protect the information rights and privacy of U.S. persons (References y, z, aa and ab).

8. (U//FOUO) Recognizing that the greatest concentration of technical expertise and operational capability for conducting cyberspace operations resides in the USCS, NSA/CSS elements shall, in accordance with their respective authorities and mission:
a. (U//FOUO) Leverage the capabilities of the USCS to provide an integrated response to cyber threats and opportunities when conducting or providing assistance to authorized U.S. Government cyberspace operations (References a, b, c, d, e, and f);
b. [redacted] Provide representation to an NSA/CSS Equities Adjudication Board and Senior Review Board as appropriate. See Annex A for details. Existing equities policies or deconfliction processes (to include those in References r and s) shall be reviewed to ensure compliance with this policy. When an equity is identified for which no adjudication process exists or when parties to an existing equities process are unable to reach consensus on the outcome of an equities decision, the equity shall be adjudicated in accordance with Annex A.
c. (U//[redacted]) In response to validated U.S. Government requirements, develop and provide [redacted] to achieve U.S. objectives in cyberspace, including national objectives set forth in the "Comprehensive National Cybersecurity Initiative" and related subordinate plans. [redacted] include the following specific initiatives:
1) (U//FOUO) Participate in U.S. Government cybersecurity initiatives to [redacted] assist DHS [redacted];
2) (U//FOUO) Enhance the security of U.S. Government National Security Systems;
3) (U//FOUO) [redacted]
d. (U//[redacted]) [redacted] information:
1) [redacted]
2) (U) Threat information from any source, including threats to U.S. critical infrastructure;
e. [redacted]
f. (U//FOUO) In response to validated DoD requirements, [redacted] enable rapid and sustained improvement in the speed, agility and effectiveness of DoD cyberspace operations (References c, g, and ac). These include the following requirements:
1) (U//FOUO) [redacted]
2) (U//FOUO) [redacted]
3) (U//FOUO) [redacted]
4) [redacted]
5) (U//FOUO) Facilitate the training and oversight of, and mission collaboration with, USCYBERCOM personnel.
g. [redacted]
h. (U//FOUO) In accordance with DHS authorities and mission, coordinate with DHS when providing technical assistance to:
1) (U//FOUO) [redacted]
2) (U//FOUO) [redacted]
i. [redacted]
j. (U//FOUO) In recognition of the importance of a comprehensive approach to cybersecurity, as permissible by law and policy, work with the ODNI, DoD, DHS, and other governmental and non-governmental entities to facilitate partnerships to systematically address cyber-related threats that span both government and industry (References d, t, u, v, x, and af);
k. (U//FOUO) To ensure the security of NSA/CSS information systems, [redacted] NSA/CSS elements shall notify the Office of Counterintelligence (Q3) of any indication of foreign cyber operations targeting or successfully exploiting or compromising any NSA/CSS information network or system (Reference ag);
l. [redacted]
m. [redacted]
n. [redacted] are submitted upon identification and when operationally feasible for equities adjudication or deconfliction to expedite, whenever possible, their use in cyberspace operations, to include network defense or inclusion in automated defense sensors (References d, e, f, ae, ah and ai);
o. (U//FOUO) With other NSA/CSS elements, develop automated mechanisms to facilitate equities adjudication and operational deconfliction of threat and vulnerability information;
p. (U//FOUO) Review and develop new or [illegible] technical solutions and operational constructs [redacted];
q. (U//FOUO) Identify and address impediments to the effective implementation of this policy. As required, NSA/CSS elements shall work with OGC and relevant oversight and compliance bodies when existing authorities or procedures may impede effective implementation;[2] and work with DJ to modify existing policies and procedures, and propose and seek approval for new policies and procedures as needed to achieve the objectives stated herein.

2 (U//FOUO) This may include seeking additional authorities or approval of new procedures from the Secretary of Defense, the U.S. Attorney General or the Director of National Intelligence.

9. [redacted]
a. [redacted] Support the Director, NSA (DIRNSA) in his role as the Executive Secretary responsible for deconfliction of U.S. Government CNE and CNA activities (References p and q);
[redacted] Under the guidance of the Secretary of Defense, the Attorney General and the DNI, coordinate requests for and support authorized CNA planning and execution with USCYBERCOM, Combatant Commands and other DoD elements [redacted] (References c, g, and ac);
[redacted] Support authorized CNA activities [redacted];
[redacted] Support authorized [redacted] and targeting efforts [redacted] (References c, g, and ac);
[redacted] technical assistance to U.S. Government [redacted];
(U//FOUO) Provide cryptanalytic services to U.S. Government departments or agencies and other authorized recipients as part of U.S. national cybersecurity initiatives in accordance with Annex B, "Cryptanalytic Services," of this policy (References d and e);
g. [redacted]

10. [redacted]
a. [redacted]
b. [redacted]
c. [redacted]
d. (U//FOUO) In consultation with the Secretary of Defense and the ODNI, work to enhance the security of U.S. Government National Security Systems against cyber intrusion and attack by implementing specific defensive measures to significantly reduce malicious activity and enhance the protection of these networks from the full range of cyber threats (References b and d);
e. (U//FOUO) Develop architectures and capabilities to identify and reduce vulnerabilities of U.S. Government National Security Systems and increase the security of National Security System networks (References b and d);
f. [redacted] Conduct predictive and trend analyses to better understand and anticipate cyber threat and technology developments (Reference d);
g. (U//FOUO) Strengthen enterprise-wide cross-domain capabilities and use strong identity protection to enable greater information sharing among key U.S. Government cyber organizations (Reference d);
h. [redacted]
i. (U//FOUO) Conduct operations to identify and characterize adversarial penetrations of U.S. government National Security System networks (References b, d and ag);
j. (U//FOUO) Provide, upon request, IA technical assistance to U.S. Government departments and agencies (Reference a);
k. (U//FOUO) Provide IA technical assistance to owners or operators of U.S. Government National Security Systems (References a and b);
l. (U//FOUO) Provide IA technical assistance to owners or operators of non-National Security Systems and, where such assistance is not authorized by Reference a, provide it consistent with the Federal Information Security Management Act and procedures agreed to by NSA/CSS and the National Institute of Standards and Technology (References a and ae);
m. (U//[redacted]) [redacted]
n. (U//[redacted]) [redacted]
o. [redacted]
p. (U//FOUO) As the National Manager for IA education and training relating to U.S. Government National Security Systems, partner with the Associate Director for Education and Training, DoD, DHS and other U.S. Government organizations to expand cyber education and training capabilities (References b and d).

11. (U) The Director, NSA/CSS Threat Operations Center (NTOC), employing authorities delegated by Directors of SID and IAD, shall:
a. (U//FOUO) Serve as a driver for integrated cyberspace operations, providing a venue for the planning, coordination and synchronization of authorized DoD and U.S. Government cyberspace operations (References c and d);
b. [redacted] In cooperation with DoD and U.S. Government departments and agencies, build and maintain a common cyber operating picture that provides an understanding of the global cyber environment and supports multiple missions, including CNE, CND and support to Network Operations and CNA (References a, b, c and d);
c. [redacted] Serve as a leader for intrusion-detection analysis and response actions, providing direct support, as authorized, to DoD and other U.S. Government departments and agencies at the national level (References a, b, c and d);
d. (U//FOUO) Serve as a national cybersecurity center, in accordance with Reference d;
e. (U//FOUO) Provide indications and warnings of threats to U.S. networks or [redacted];
f. [redacted]
g. [redacted]
h. [redacted]
i. [redacted]
j. [redacted]
k. [redacted]

12. [redacted]
a. (U//FOUO) [redacted] effort;
b. (U//FOUO) In coordination with NTOC, and as authorized, maintain automated defense architectures in support of USCYBERCOM and other NSA/CSS partners and customers (References d, e, ah and ai);
c. (U//FOUO) In accordance with ODNI- and DoD-promulgated standards, provide certification and accreditation of automated defense systems on NSANet and other DoD networks, as required, in support of USCYBERCOM and other NSA/CSS National Security System partners and customers (References d, e, g, am and an); and,
d. [redacted] Provide technical assistance and security certification assistance to DHS in support of DHS cybersecurity efforts using automated defense technologies (References d, e, am and an).

13. (U) The Director, National Security Operations Center (NSOC), shall:
a. [redacted] Maintain CRITIC criteria for cyber events and execute CRITIC reporting upon indication of: [redacted]
b. [redacted]

14. [redacted]

15. [redacted]

16. (U//FOUO) The Associate Directorate for Education and Training shall partner with NSA/CSS mission elements, DoD, DHS and other U.S. Government organizations to expand cyber education and training capabilities (Reference d).

a. (U) Executive Order 12333, as amended, "United States Intelligence Activities," dated July 2008.
b. (U) NSD-42, "National Policy for the Security of National Security Telecommunications and Information Systems," dated 5 July 1990.
c. (U) Secretary of Defense Memorandum, "Establishment of a Subordinate Unified U.S. Cyber Command Under U.S. Strategic Command for Military Cyberspace Operations," dated 23 June 2009.
d. (U) NSPD-54/HSPD-23, "Cybersecurity Policy," dated 8 January 2008.
e. (U) "Deployment of Automated Defense Sensors Across Executive Branch Federal Systems Implementation Plan," dated 22 September 2008.
f. [redacted]
g. (U) CDRUSSTRATCOM CONPLAN 8039, "Cyberspace Operations," dated 3 June 2008.
h. (U) Intelligence Community Directive 501, "Discovery and Dissemination or Retrieval of Information Within the Intelligence Community," dated 21 January 2009.
i. [redacted]
j. [redacted]
k. [redacted]
l. [redacted]
m. [redacted]
n. [redacted]
o. (U) HSPD-7, "Critical Infrastructure Identification, Prioritization and Protection," dated 17 December 2003.
p. [redacted]
q. (U//FOUO) "Trilateral MOA Among DoD, DoJ and the IC Regarding CNA Technology Product or CNE Activities," dated May 2007.
r. (U//FOUO) NSA/CSS Policy 3-13, "Information System Vulnerabilities," dated 1 July 2005.
s. (U) ISS-155-06, "Policy and Guidance for Reporting and Dissemination of SIGINT Technical Information," dated 12 October 2007.
t. [redacted]
u. (U) "Critical Infrastructures Protection Act of 2001," Section 1016(e) of Public Law 107-56, USA PATRIOT Act (42 U.S.C. 5195c(e)), dated 26 October 2001.
v. (U) Executive Order 13388, "Further Strengthening the Sharing of Terrorism Information to Protect Americans," dated 25 October 2005.
w. (U) DCID 7/4, "Critical Information," dated 2 January 2001.
x. (U) Public Law 108-456, "Intelligence Reform and Terrorism Protection Act of 2004," dated 17 December 2004.
y. (U) DoD Regulation 5240.1-R, "Procedures Governing the Activities of DoD Intelligence Components that Affect United States Persons," dated 7 December 1982.
z. [redacted]
aa. (U) NSA/CSS Policy 1-23, "Procedures Governing NSA/CSS Activities that Affect U.S. Persons," 27 December 2007.
ab. (U//FOUO) USSID SP0018, "Legal Compliance and Minimization Procedures," dated 27 July 1993.
ac. (U) "National Military Strategy for Cyberspace Operations," dated December 2006.
ad. (U) "White House Cyberspace Policy Review," dated 29 May 2009.
ae. (U) "Federal Information Security Management Act of 2002," dated 17 December 2002.
af. (U) DoDD 3020.40, "Defense Critical Infrastructure Program," dated 19 August 2005.
ag. (U) NSA/CSS Policy 5-31, "NSA/CSS Counterintelligence Program," dated 27 January 2005.
ah. (U) DoDD O-8530.1, "Computer Network Defense," dated 8 January 2001.
ai. (U) DoDI O-8530.2, "Support to Computer Network Defense," dated 9 March 2001.
aj. [redacted]
ak. (U) Department of Homeland Security, "National Infrastructure Protection Plan," dated January 2009.
al. (U) CJCSM 6510.01, "Information Assurance and Computer Network Defense," dated 18 March 2005.
am. (U) Intelligence Community Directive 503, "Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation," dated 15 September 2008.
an. (U) DoD Directive 8500.01E, "Information Assurance," dated 24 October [illegible].

18. (U) Civil Authorities - Nonmilitary Federal, State, or local government agencies (Source: DoDD 3025.15).

19. (U) Comprehensive National Cybersecurity Initiative - As used in this policy, refers to an integrated and holistic national approach to cybersecurity practices to achieve the goals outlined in NSPD-54/HSPD-23, "Cybersecurity Policy" (Reference d).
Core to this strategy is the "bridging" of historically separate cyber defensive missions with law enforcement, intelligence, counterintelligence, and military capabilities to address the full spectrum of cyber threats from remote network intrusions and insider operations to supply chain vulnerabilities (Reference ad).

20. (U) Computer Network Attack (CNA) - Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves (Source: DoDD 3600.01).

21. (U) Computer Network Defense (CND) - Efforts to defend against the computer network operations of others, especially those directed against U.S. and allied computers and networks (Source: DCID 7/3).

22. [redacted]

23. (U) Computer Network Operations (CNO) - Comprises CNA, CND, and related CNE-enabling operations (Source: DoDD 3600.01).

24. (U) Critical Infrastructure - Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination thereof (Reference u).

25. (U) Cryptologic - Related to the collection and/or exploitation of foreign communications and non-communications emitters, known as SIGINT, and solutions, products, and services to ensure the availability, integrity, authentication, confidentiality, and nonrepudiation of national security telecommunications and information systems, known as IA (Source: NSA/CSS Policy 2-12).

26. (U) Cybersecurity - As used in this policy, refers to the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure (Reference ad).

27. (U) Cyberspace - The interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries (Reference d).

28. [redacted]

29. (U) [redacted]

30. (U) DoD Cyberspace Operations - The employment of cyber capabilities where the primary purpose is to achieve objectives in or through cyberspace. Such operations include computer network operations and activities to operate and defend the Global Information Grid (Source: CJCS Memorandum CM-1050-09).

31. (U) Federal Systems - All Federal Government information systems except for National Security Systems of Federal agencies and Department of Defense information systems (Reference d).

32. (U) Global Information Grid (GIG) - The DoD's globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems. Non-GIG IT includes stand-alone, self-contained, or embedded IT that is not and will not be connected to the enterprise network (Source: DoDD 8100.01).

34. (U) Mitigation - As used in this policy, refers to actions taken or activities developed to lessen possible negative outcomes resulting from an equities decision. This may occur when the release of information to support one mission may negatively impact another mission. In this case, actions to lessen the impact must be developed. Alternatively, if release of information is deferred, actions are required to lessen the negative impact that might occur due to the nonrelease of the information.

35. (U) National Security Systems - Any information system used or operated by an agency, an agency contractor, or other organization on behalf of an agency, where the function, operation, or use of that system involves: intelligence activities; cryptologic activities related to national security; command and control of military forces; equipment that is an integral part of a weapon or weapon system; or is critical to the direct fulfillment of military or intelligence missions; or protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy (Source: Title 44).

36. (U) Sector-Specific Agency - A Federal department or agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category (Reference o).

37. (U//FOUO) Technical Assistance - Including, but not limited to, providing technical knowledge [redacted].

38. (U) Threat - An adversary having the intent, capability and opportunity to cause loss or damage (Reference af).

39. (U) United States Cryptologic System - Describes the various U.S.
Government entities tasked with a SIGINT mission, i.e., the collection, processing and dissemination of SIGINT, or with an Information Assurance mission, i.e., preserving the availability, integrity, authentication, confidentiality, and non-repudiation of national security telecommunications and information systems. 40. (U) Vulnerability - A technical design or implementat ion flaw in industrial control systems, government -off-the-shelf: commercial off-the-shelf, or other commercial info rmation 18 SI;CRETf ~···· (b)(1 ) (b)(3)-P.L. 86-36 SE€RET~ I EPIC000042 Dated: 24 March 2011 technology products or systems (hardware or software to include open-source software) that permits exploitation or attack by an unauthorized party. (b)(1 ) (b)(3)-P.L. 86-36 8ECRtJ'ff l u (&)(1) (b)(3)-P.L. 86-36 EPIC000043 DOCID: 3892324 UNCLASSIFIEDIIFOR OFFICIAL USE ONLY (U) ANNEX A (U) Equities Adjudication 1. (U//¥OUOj This Annex outlines a process for adjudicating NSA/CSS corporate equities. An NSA/CSS corporate equity is an equity that is of interest or importance to more than one NSA/CSS element, and that, ifnot addressed at a corporate-level, has the potential to adversely affect NSA/CSS's ability to fulfill its SIGINT or IA missions. 2. (U/I¥OUO) NSA/CSS corporate equities shall be adjudicated in accordance with existing equities policies. 3 Upon identification of a corporate equity that is not addressed by an exi sting policy or when parties to an existing policy are not able to reach consensus on the outcome of an equities decision, 4 NSA/CSS elements shall enter into formal equities adjudication in accordance with this annex . .., (U''''''' " '-''--''-' .). .. " I 4. (U,;..,r.TTr-" . Annex A to Policy 1-58 Dated: 24 March 2011 A-I UNCLASSIFIEDIIFOR OFFICIAL USE ONLY EPIC000044 DOCID: 3892324 UNCLASSIFIEDHFOR OFFICIAL USE ONLY t l(3l-P.L. 86-36 6. (UHfOUO) When adjudicating equities, participants shall: a. (UI/FeUe) I b. (Ui/FOUO) I ---'t 10. 
(Uf4t'OUO) An NSAlCSS Equities Adjudicatio n Board (EAB) shall be established \ to facilitate the adjudication of corporate -level equities and the development of assessment .•.•• criteria and associated operational deconfliction mechanisms. The EAB shall be apprised upon •• identification of an equity that is not addressed by an existing equities policy or when parties to.· an existing equities policy are unable to reach agreement on how to adjudicate a specific instance. of an equity. When unable to reach consensus on an issue, the EAB shall elevate it to an NSAIC SS Senior Review Board (SRB) for consideration. An EAB Executive Secretary, with functions that include those described herein, will be established by the SRB. 11. (D) I Annex A to Policy 1-58 Dated: 24 March 2011 A-2 UNCLASSIFIEDNFOR OFFICIAL USE ONLY EPIC000045 13. (Uh'¥OUO~ I 14. (UHfOUO, NSNCSS equities adjudication deliberations, assessment criteria and associated operational deconfliction mechanisms shall conform to existing laws, policies, and handling procedures, including those governing the information rights and privacy of US. persons (References y, z, aa and ab). 15. (U/,cpOUO~ NSNCSS elements that invoke an equities adjudication process in accordance with this annex shall comply with the following procedures: a. (U/I-fOUO~ Upon identification of a corporate equity for which there is no existing policy, or when parties to an existing equities policy are unable to reach Annex A to Policy 1-58 Dated: 24 March 2011 A-3 UNCLASSIFIEDNFOR OFFICIAL USE ONLY EPIC000046 DOCID: 3892324 UNCLASSIFIEDHFOR OFFICIAL USE ONLY fb)(3)-P.L.86-36 consensus on the outcom e of a specific equities decision. stakeholders shall notify the NSNCSS EAB Executive Secretary of the equity issue and of major stakeholders; ., b. (U'IT""HT""'\I ... .-. --... .... c. (U I d. (U'!T"~TTr-.. I e. 
(UJ,lfOUO, I f (UA'FOUO) The NSNCSS EAB Executive Secretary shall identify and track appropriate metrics related to equities resolution. 5111is requirement applies to initial adjudication deliberations entered into when there is no existing equities policy or when parties to an existing policy are unable to reach agreement equities decisions reached through the application of existing equities policies are not subject to this requirement. Annex A to Policy 1-58 Dated: 24 March 2011 A-4 UNCLASSIFIEDHFOR OFFICIAL USE ONLY EPIC000047 (U) ANNEX B (b)(1 ) (P)(3)-18 use 798 (b)(3)-50 use 403 (b)(3)-P. L. 86-36 (U) Cryptanalytic Services (U/AAOUO) NSA/CSS shall provide cryptanalyticservices in support of US. Government operations in cyberspace as follows (Reference a, b, c, d, e, f and g). -f&'~ 1. a. (U/AAOUO)I _ 1/ /1__ b. (UfA-ouotl""'-- . /1------__ 1 I --------- I (UIII'::U0i! ..c - I ._."'_2_._(U_I~q<_· .•. O_U_b_1_ _ _ / - 1 /.... ·/_/3_···.·_(U_h_q<_ou_9_.:_-.:.:.:.:.:_-.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:_-.:.:_-_1 I .... l_I .., .. :, ,'>.,'I~",:'~';;:;(, , ::::I ._(U_f._A*_OU_O_1_1 .:/;.';:;< t:i:::""·:······m bj(3H'J.,ll!l-36 ••..•..•.....• ..........................................1_ 1 a mmm ..m.ml)(UNFOUO) ....._.....;;;;, ~~~~~~~~~ I Annex B to Policy 1-58 Dated: 24 March 2011 SECRETJ~ __ B_-_J 1································· (b)(1) (b )(3)-P. L. 86-36 ----,. ./ ...•. EPIC000048 (15)(1 ) (b)(3)-P. L. 86-36 // 4) (U//fOU~1 ~~l~······························· .............................................................. ............................. ················1 '--..,;,-.--------------------_ ..', 1--- ••......• b. (UJ.,'fOUOll c. (Uf+F;'f~O.rUff'OH-l.·r------------------, _' _ _ Annex B to Policy 1-58 Dated: 24 March 2011 8I;CRBT4 __ B 2 _- I .... .. ··· {b)(1 ) (b )(3)-P.L. 86-36