(U) This document establishes policy and procedures and assigns responsibilities for identifying unauthorized disclosures of classified NSA/CSS information appearing in the media and for communicating significant disclosures to NSA/CSS organizations, the Department of Defense, the Director of National Intelligence, and the Department of Justice. This policy implements References a-e. (U) This policy addresses only unauthorized disclosures of classified NSA/CSS information that appear in the media. (U) This policy does not address procedures and responsibilities subsequent to the determination that unauthorized media disclosures do not meet the criteria for significant disclosures. In those cases, the evaluating organizations may still have further internal or corporate obligations to pursue that are beyond the scope of this policy. (U) This policy applies to all NSA/CSS elements worldwide.
UNCLASSIFIED // FOR OFFICIAL USE ONLY
NATIONAL SECURITY AGENCY
CENTRAL SECURITY SERVICE
NSA/CSS POLICY 1-27
Issue Date: 20 March 2006
(U) REPORTING UNAUTHORIZED MEDIA DISCLOSURES OF CLASSIFIED NSA/CSS INFORMATION(U) PURPOSE AND SCOPEDEBORAH A. BONANNI___________
Chief of Staff
Director of Policy Encl:
(U) Annex - Questions Related to Potential Unauthorized Media Disclosures
DISTRIBUTION 1(U) This Policy 1-27 supersedes portions of NSA/CSS Regulation 10-2, dated 23 November 1992, that relate to reporting significant unauthorized media disclosures of classified NSA/CSS information. (U) OPI: Information Policy, DC32, 963-4582s. (U) No section of this document shall be released without approval from the Office of Policy and Records, DC3.
DC36 (Archives)1. (U) NSA/CSS shall identify unauthorized media disclosures of classified NSA/CSS information. In accordance with the procedures and responsibilities outlined below, significant media disclosures of NSA/CSS classified information shall be communicated to NSA/CSS organizations, the Department of Defense (DoD), the Director of National Intelligence (DNI), and the Department of Justice (DoJ).
2. (U) The determination that an unauthorized disclosure qualifies as a significant unauthorized disclosure shall be made by the Office of Policy and Records (DC3) and the Office of General Counsel (D2). Organizations with purview over disclosed information shall not make this determination.
3. (U//FOUO) Information associated with an unauthorized media disclosure shall be classified at the level of the disclosure. Until an actual classification level has been determined, references to potential unauthorized disclosures shall be protected as classified.
4. (U//FOUO) Indications or assessments of potential damage resulting from an unauthorized disclosure shall not be releasable to foreign countries or international organizations unless specifically directed otherwise by the Director, NSA/Chief, CSS (DIRNSA/CHCSS) or the Director of Policy and Records. Information regarding unauthorized disclosures of intelligence information shall be marked as NOFORN, and transmittal of any information regarding unauthorized disclosures shall employ special protections (e.g., encryption).
5. (U//FOUO) Upon discovery of a potential unauthorized media disclosure of classified NSA/CSS information, the organization with purview over the information shall notify the Office of Information Policy (DC32) and the OGC Litigation Practice Group (D28) via email with a courtesy copy to the Assistant Director for Security and Counterintelligence (Q07 and Q22). At this time, DC32 will issue a tracking number to the organization with purview over the information. The email shall include:
a. (U) The identification of the media item containing the disclosure (to include the name of the publication in which it appears, date of the publication, and title of the media item); and6. (U) If a potential unauthorized disclosure is discovered by an organization without purview over the information, the discovering organization shall inform DC32. DC32 will then contact the organization with purview over the information, providing a tracking number. That organization shall then be responsible for actions related to the potential unauthorized disclosure as described in this policy.
b. (U) A brief synopsis of the potential disclosed information.
7. (U) Within two weeks of receipt of the tracking number, the organization with purview over the information shall provide the following information via Staff Processing Form (SPF) to DC32 and D28 with a courtesy copy to Q07 and Q22 (in cases where the disclosure is not textual or graphic in nature [e.g., videotape, CD, etc.] contact DC32 for format guidance):
a. (U) Answers to the questions included in the Annex. Include each question and the corresponding answer in the Discussion section of the SPF;8. (U) Upon receipt of the SPF with Tabs, DC32 and D28 shall determine if the disclosure meets the criteria for DoD and/or DNI notification, and/or reporting to DoJ. DC32 shall then inform the organization with purview over the information of the decision. For those disclosures not meeting the criteria, the organization may still have further internal or corporate obligations to pursue that are beyond the scope of this policy.
b. (U) A copy of the media item containing the verified unauthorized disclosure. The classified NSA/CSS information in the media item shall be bracketed and the classification of each bracketed passage shall be noted. Each bracketed passage shall be numbered, distinguishing separate items of disclosed information. Include it as Tab A; and
c. (U) A copy of the probable NSA/CSS source(s) of the disclosed information. The information corresponding to the information in the media item shall be bracketed. Numbers corresponding to the bracketed passages in the media item shall be placed next to each bracketed passage, indicating clearly the suspected origin of the information in the media item. Include it/them as Tab B.
9. (U) DC32 shall inform the Associate Director for Security and Counterintelligence of the decision.
10. (U) For significant unauthorized media disclosures, DC32 shall prepare an SPF and a package for DIRNSA/CHCSS. For disclosures not in text or graphic format (videotape, CD, etc.), the information shall be conveyed in the SPF as determined by DC32. For significant disclosures in text or graphic format, the following information shall be provided in the SPF and package:
a. (U) A brief summary of key information related to the disclosure, to include applicable information derived from answers to the questions as provided by the organization with purview over the information (included in the Discussion portion of the SPF);11. (U) Upon receipt of information on a significant unauthorized media disclosure that is determined to be reportable, the OGC (D2) shall prepare correspondence to DoJ and any other appropriate law enforcement organizations.
b. (U) A copy of the media item containing the significant unauthorized disclosure. The NSA/CSS classified information in the media item shall be bracketed and the classification of each bracketed passage shall be noted. Each bracketed passaage shall be numbered, distinguishing separate items of disclosed information (Tab A);
c. (U) A copy of the probable NSA/CSS source(s) of the disclosed information. The information corresponding to the information in the media item shall be bracketed. Numbers corresponding to the bracketed passages in the media item shall be placed next to each bracketed passage, indicating clearly the suspected origin of the information in the media item (Tab B); and
d. (U) Letters for DIRNSA/CHCSS signature informing the DoD and DNI of the significant unauthorized media disclosure (Tabs C and D)l
12. (U) DC3 shall notify the Foreign Affairs Directorate of any significant unauthorized media disclosure that impacts a foreign partner.
13. (U) Mission, Associate, and Principal Directorates shall:
a. (U) Appoint an organization to carry out the responsibilities detailed in this policy;14. (U) All NSA/CSS Components, including Extended Enterprise Organizations, and Service Cryptologic Elements, shall:
b. (U) Maintain official record copies of all supporting information related to potential unauthorized disclosures under their purview; and
c. (U) Provide annual metrics on all potential media disclosures of information under their purview.
a. (U) Ensure their workforce has instructions regarding how and to which organization they should communicate suspected or actual unauthorized media disclosures of classified NSA/CSS information in accordance with this policy;15. (U) The Office of Policy and Records (DC3) shall:
b. (U) Actively monitor media for the purpose of identifying unauthorized disclosures of classified NSA/CSS information. Organizations shall primarily be alert for information under their purview, but shall note any other unauthorized disclosures of classified NSA/CSS information.
a. (U) Assign a tracking number for each potential unauthorized disclosure;16. (U) The Office of General Counsel (D2) shall:
b. (U) Determine, in coordination with D28, whether the unauthorized disclosure meets the criteria to be considered significant and notify the organization with purview of the information and ADS&CI of the determination;
c. (U) Maintain official record copies of all prepared packages; and
d. (U) Notify the Foreign Affairs Directorate of any unauthorized media disclosures that impact a foreign partner.
a. (U) Determine, in coordination with DC32, whether the unauthorized disclosure meets the criteria to be considered significant; and17. (U) The Corporate Communications Strategy Group (DC6), in its role as the media organization for NSA/CSS, shall monitor media for the purpose of identifying potential unauthorized disclosures of classified NSA/CSS information in the media and notify DC32.
b. (U) Prepare and maintain official record copies of correspondence to DoJ or other law enforcement organizations of reportable unauthorized disclosures.
18. (U//FOUO) The Foreign Affairs Directorate shall notify an NSA/CSS foreign partner that is impacted by a significant unauthorized disclosure only with DIRNSA/CHCSS or Chief, DC3 approval.
19. (U) References:
a. (U) DoD Directive 5210.50, "Unauthorized Disclosure of Classified Information to the Public," dated 22 July 2005.
b. (U) DCID 6/8, "Unauthorized Disclosure, Security Violations and Other Compromises to Intelligence Information," dated 2002.
c. (U) DDNI Memorandum, "DNI Special Security Center and Senior Officials of the Intelligence Community Roles and Responsibilities under DCI Directive 6/8," dated 15 November 2005.20. (U) Classified NSA/CSS Information -- Information that is classified pursuant to the standards of Executive Order 12958, as amended, or any predecessor order. It includes, but is not limited to, intelligence and intelligence-related information, sensitive compartmented information (information concerning or derived from intelligence sources and methods), and cryptologic information (information concerning communications security and signals intelligence, including information which is also sensitive compartmented information) protected by Section 798 of Title 18, United States Code.
21. (U) Media -- Any print, electronic, or broadcast outlet (including blogs) where information is made available to the general public.
22. (U) Need-to-know -- The determination by an authorized holder of classified information that a prospective recipient, with appropriate security clearance, requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.
23. (U) Significant Disclosure -- An unauthorized disclosure that is either extensive in scope, indicates pervasive breach of security procedures, or is otherwise likely to have a serious effect on national security interests. Examples include:
a. (U) Loss or compromise of classified intelligence information that could pose a risk to human life;24. (U) Unauthorized Disclosure -- A communication or physical transfer of classified information to one or more persons who do not have the appropriate security clearance, access approval, and need-to-know to receive such information.
b. (U) Loss or compromise of classified intelligence information on a scale or over such an extended period of time as to indicate the possibility of a systemic compromise;
c. (U) Loss or compromise of information storage media or equipment containing intelligence information of such quantity or sensitivity as to potentially jeopardize intelligence activities, sources, or methods;
d. (U) Loss or compromise of information revealing covert or clandestine U.S. or liaison partner's intelligence operations or locations;
e. (U) Loss or compromise of classified intelligence information that could seriously impair foreign relations; or
f. (U) Such other disclosure, release, violation, or compromise of intelligence sources, methods, activities, or information that is determined to have a substantial or otherwise adverse impact on the conduct of activities related to U.S. national security. (Source: DCID 6/8, dated 9 Dec 2002.)
1. (U) What is the date and identity of the media item that is the subject of the unauthorized disclosure?
(U) ANNEX(U) Questions Related to Potential Unauthorized Media Disclosures
2. (U) Is the disclosed information accurate?
3. (U) What are the specific statements that are classified? What is the classification of each of the statements?
4. (U) What is the extent of official dissemination of the information that was disclosed?
5. (U) Has the disclosed information been the subject of a prior authorized official release?
6. (U) Has the disclosed information previously appeared in an open source publication? If yes, identify the publication and date of publication.
7. (U) Have any requests for publication or release (official or unofficial) of the information been made (for example, a FOIA request, a Demarche)? If yes, identify the requestor, date of the request, and disposition of the request.
8. (U) Has the information, portions thereof, or enough background data been published (officially or unofficially) that would allow someone to arrive at the information through speculation?
9. (U) What are the potential short-term and long-term impacts of the unauthorized disclosure?
10. (U) Have any declassification determinations been made regarding the disclosed information? If so, indicate the date, information declassified, and declassification authority.
11. (U) For unauthorized disclosures of Information Assurance-related information, does the unauthorized disclosure potentially put U.S. or allied communications at risk of adversary exploitation? What degree of difficulty could an adversary have in putting countermeasures in place?
UNCLASSIFIED // FOR OFFICIAL USE ONLY