Documents
June 2023 NSA Internal Directives for SIGINT
Aug. 24, 2023
UNCLASSIFIED
(U) NSA/CSS POLICY 12-3 ANNEX C
Ps SUPPLEMENTAL PROCEDURES FOR THE Sa
4 ’ h2 COLLECTION, PROCESSING, QUERYING, e- Yi
vd RETENTION, AND DISSEMINATION OF SIGNALS Sh
INTELLIGENCE INFORMATION AND DATA
CONTAINING PERSONAL INFORMATION OF
NON-UNITED STATES PERSONS
DATE: (U) 29 June 2023 (See Document History.)
OFFICE OF PRIMARY (U) Civil Liberties, Privacy, and Transparency (DS), 969-8225 (secure)
INTEREST:
RELEASABILITY (U) No section of this document shall be released without approval from
the Office of Policy (P12). The official document is available on the
Office of Policy website (“go policy”).
AUTHORITY: (U) Paul M. Nakasone, General, U.S. Army; Director, NSA/Chief, CSS
ISSUED: (U) 29 June 2023
(U) PURPOSE AND SCOPE
1. (U) This policy prescribes binding policy guidance for NSA/CSS personnel and other
members of the United States Signals Intelligence (SIGINT) System (USSS) that implements
Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence
Activities” (Reference a), and National Security Memorandum (NSM)-14, “National Security
Memorandum on Partial Revocation of Presidential Policy Directive 28” (Reference b), which
revoked Presidential Policy Directive (PPD) 28, “Signals Intelligence Activities” (Reference ¢),
except for sections 3 and 6 of that directive and the Classified Annex to that directive, which
remain in effect.
2. (U) The Supplemental Procedures included in this policy address the privacy and civil
liberties safeguards required by Executive Order 14086 (Reference a) for U.S. SIGINT activities,
including orders of and procedures approved by the Foreign Intelligence Surveillance Court.
“These Supplemental Procedures must be followed for all SIGINT activities of NSA/CSS or the
USSS authorized under Executive Order 12333, “United States Intelligence Activities”
(Reference d), the Foreign Intelligence Surveillance Act (Reference ¢), or other authorities.
3. (U) This policy applies to all NSA/CSS employees and all elements of the USSS and
shall be applied consistent with the scope of PPD-28"s (Reference ¢) application to such
activities prior to PPD-28's partial revocation by NSM-14 (Reference b).
UNCLASSIFIED
UNCLASSIFIED
(U) NSA/CSS POLICY 12-3 ANNEX C
Ps SUPPLEMENTAL PROCEDURES FOR THE Sa
4 ’ h2 COLLECTION, PROCESSING, QUERYING, e- Yi
vd RETENTION, AND DISSEMINATION OF SIGNALS Sh
INTELLIGENCE INFORMATION AND DATA
CONTAINING PERSONAL INFORMATION OF
NON-UNITED STATES PERSONS
DATE: (U) 29 June 2023 (See Document History.)
OFFICE OF PRIMARY (U) Civil Liberties, Privacy, and Transparency (DS), 969-8225 (secure)
INTEREST:
RELEASABILITY (U) No section of this document shall be released without approval from
the Office of Policy (P12). The official document is available on the
Office of Policy website (“go policy”).
AUTHORITY: (U) Paul M. Nakasone, General, U.S. Army; Director, NSA/Chief, CSS
ISSUED: (U) 29 June 2023
(U) PURPOSE AND SCOPE
1. (U) This policy prescribes binding policy guidance for NSA/CSS personnel and other
members of the United States Signals Intelligence (SIGINT) System (USSS) that implements
Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence
Activities” (Reference a), and National Security Memorandum (NSM)-14, “National Security
Memorandum on Partial Revocation of Presidential Policy Directive 28” (Reference b), which
revoked Presidential Policy Directive (PPD) 28, “Signals Intelligence Activities” (Reference ¢),
except for sections 3 and 6 of that directive and the Classified Annex to that directive, which
remain in effect.
2. (U) The Supplemental Procedures included in this policy address the privacy and civil
liberties safeguards required by Executive Order 14086 (Reference a) for U.S. SIGINT activities,
including orders of and procedures approved by the Foreign Intelligence Surveillance Court.
“These Supplemental Procedures must be followed for all SIGINT activities of NSA/CSS or the
USSS authorized under Executive Order 12333, “United States Intelligence Activities”
(Reference d), the Foreign Intelligence Surveillance Act (Reference ¢), or other authorities.
3. (U) This policy applies to all NSA/CSS employees and all elements of the USSS and
shall be applied consistent with the scope of PPD-28"s (Reference ¢) application to such
activities prior to PPD-28's partial revocation by NSM-14 (Reference b).
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 123 29 June 2023
4. (U) If an NSA/CSS official determines that a departure from these procedures is
necessary because of the immediacy or gravity ofa threat to the safety of persons or property or
to the national security, they may approve an emergency departure from these procedures but
must notify the Director, NSA/Chief, Central Security Service (DIRNSA/CHCSS), the NSA
General Counsel (D2), and the NSA Civil Liberties, Privacy, and Transparency (CLPT, DS)
Director as soon thereafter as possible. The NSA General Counsel will provide prompt written
notice of any departures stating why advance approval was not possible and describing the
actions taken to ensure activities were conducted lawfully to the Office of the Director of
National Intelligence (ODNI) General Counsel and the Assistant Attorney General for National
Security
(U) PoLicY
5..(U) In recognition that SIGINT activities must take into account that all persons should
be treated with dignity and respect, regardless of their nationality or wherever they might reside,
and that all persons have legitimate privacy interests in the handling of their personal information
as required by Executive Order 14086 (Reference a), the USSS shall:
a. (U) Conduct SIGINT collection activities only following a determination that a
specific SIGINT collection activity, based on a reasonable assessment of all relevant
factors, is necessary to advance a validated intelligence priority in the National
Intelligence Priorities Framework (NIPF) or any successor framework (as determined in
accordance with the terms of the National Security Act of 1947, as amended,
(Reference f) and other applicable laws and policy direction), although SIGINT does not
have to be the sole means available or used for advancing aspects of the validated
intelligence priority;
b. (U) Conduct SIGINT activities only to the extent and in a manner that is
proportionate to the validated intelligence priority for which they have been authorized,
with the aim of achieving a proper balance between the importance of the validated
intelligence priority being advanced and the impact on the privacy and civil liberties of
all persons, regardless of their nationality or wherever they might reside;
c. (U) Conduct SIGINT collection activities only in pursuit of one or more of the
legitimate objectives listed in section 2(b)() of Executive Order 14086 (Reference a);
d. (U) Conduct SIGINT collection activities only as validated in accordance with
the process identified in section 2(b)ii) of Executive Order 14086 (Reference a); and
e. (U) Not conduct SIGINT collection activities for the purposes of prohibited
objectives listed in section 2 of Executive Order 14086 (Reference a). including for the
purposes of:
1) (U) suppressing or burdening criticism or dissent, or the free expression
of ideas or political opinions by individuals or the press;
c2
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 123 29 June 2023
4. (U) If an NSA/CSS official determines that a departure from these procedures is
necessary because of the immediacy or gravity ofa threat to the safety of persons or property or
to the national security, they may approve an emergency departure from these procedures but
must notify the Director, NSA/Chief, Central Security Service (DIRNSA/CHCSS), the NSA
General Counsel (D2), and the NSA Civil Liberties, Privacy, and Transparency (CLPT, DS)
Director as soon thereafter as possible. The NSA General Counsel will provide prompt written
notice of any departures stating why advance approval was not possible and describing the
actions taken to ensure activities were conducted lawfully to the Office of the Director of
National Intelligence (ODNI) General Counsel and the Assistant Attorney General for National
Security
(U) PoLicY
5..(U) In recognition that SIGINT activities must take into account that all persons should
be treated with dignity and respect, regardless of their nationality or wherever they might reside,
and that all persons have legitimate privacy interests in the handling of their personal information
as required by Executive Order 14086 (Reference a), the USSS shall:
a. (U) Conduct SIGINT collection activities only following a determination that a
specific SIGINT collection activity, based on a reasonable assessment of all relevant
factors, is necessary to advance a validated intelligence priority in the National
Intelligence Priorities Framework (NIPF) or any successor framework (as determined in
accordance with the terms of the National Security Act of 1947, as amended,
(Reference f) and other applicable laws and policy direction), although SIGINT does not
have to be the sole means available or used for advancing aspects of the validated
intelligence priority;
b. (U) Conduct SIGINT activities only to the extent and in a manner that is
proportionate to the validated intelligence priority for which they have been authorized,
with the aim of achieving a proper balance between the importance of the validated
intelligence priority being advanced and the impact on the privacy and civil liberties of
all persons, regardless of their nationality or wherever they might reside;
c. (U) Conduct SIGINT collection activities only in pursuit of one or more of the
legitimate objectives listed in section 2(b)() of Executive Order 14086 (Reference a);
d. (U) Conduct SIGINT collection activities only as validated in accordance with
the process identified in section 2(b)ii) of Executive Order 14086 (Reference a); and
e. (U) Not conduct SIGINT collection activities for the purposes of prohibited
objectives listed in section 2 of Executive Order 14086 (Reference a). including for the
purposes of:
1) (U) suppressing or burdening criticism or dissent, or the free expression
of ideas or political opinions by individuals or the press;
c2
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
2) (U) suppressing or restricting legitimate privacy interests;
3) (U) suppressing or restricting a right to legal counsel;
4) (U) disadvantaging persons based on their ethnicity, race, color, gender,
‘gender identity, sexual orientation, or religion; or
5) (U) affording a competitive advantage to United States companies or
United States business sectors commercially.
6. (U) SIGINT collection activities shall be as tailored as feasible to advance foreign
intelligence requirements that have been approved in the manner prescribed by Executive Order
14086 (Reference a). National Security Act of 1947 (Reference f), and other applicable laws and
policy direction.
(U) SUPPLEMENTAL PROCEDURES
7. (U) The following safeguards, which apply to the collection, processing and querying,
retention, and dissemination of SIGINT by any element of NSA/CSS or the USSS, implement
the principles articulated in sections 2(a)(i) and (ii) of Executive Order 14086 (Reference a).
(U) Collection
8. (U) In determining whether to collect SIGINT, all elements of NSA/CSS and the
USSS shall consider the availability, feasibility, and appropriateness of other less intrusive
Sources and methods for collecting the information necessary to advance a validated intelligence
priority. including from diplomatic and public sources. Such altematives to SIGINT shall be
prioritized
9. (U) Whenever practicable. SIGINT collection will occur through the use of one or
‘more selection terms in order to focus the collection on specific foreign intelligence targets (e.¢.,
a specific, known international terrorist or terrorist group) or specific forcign intelligence topics
(e.2. the proliferation of weapons of mass destruction by a foreign power or ts agents).
10. (U) Application of privacy and civil liberties safeguards to the collection of
SIGINT. Consistent with U.S. SIGINT Directive (USSID) 18, “Protection of Civil Liberties and
Privacy of U.S. Person Information When Conducting SIGINT Missions” (Reference 2), and
section 2 of Department of Defense Manual (DoDM) S-5240.01-A, “Procedures Governing the
Conduct of DoD Intelligence Activities: Annex Governing Signals Intelligence Information and
Data Collected Pursuant to Section 1.7(¢) of E.O. 12333” (Reference h, targeted SIGINT
collection shall be prioritized over bulk SIGINT collection. For example, NSA/CSS will conduct
targeted collection using selection terms whenever practicable. NSA shall only engage in bulk
collection upon a determination that it is necessary to engage in bulk collection in order to
advance a validated intelligence priority. In addition to confirming advancement of a validated
intelligence priority and considering alternatives to SIGINT, when conducting collection or
C3
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
2) (U) suppressing or restricting legitimate privacy interests;
3) (U) suppressing or restricting a right to legal counsel;
4) (U) disadvantaging persons based on their ethnicity, race, color, gender,
‘gender identity, sexual orientation, or religion; or
5) (U) affording a competitive advantage to United States companies or
United States business sectors commercially.
6. (U) SIGINT collection activities shall be as tailored as feasible to advance foreign
intelligence requirements that have been approved in the manner prescribed by Executive Order
14086 (Reference a). National Security Act of 1947 (Reference f), and other applicable laws and
policy direction.
(U) SUPPLEMENTAL PROCEDURES
7. (U) The following safeguards, which apply to the collection, processing and querying,
retention, and dissemination of SIGINT by any element of NSA/CSS or the USSS, implement
the principles articulated in sections 2(a)(i) and (ii) of Executive Order 14086 (Reference a).
(U) Collection
8. (U) In determining whether to collect SIGINT, all elements of NSA/CSS and the
USSS shall consider the availability, feasibility, and appropriateness of other less intrusive
Sources and methods for collecting the information necessary to advance a validated intelligence
priority. including from diplomatic and public sources. Such altematives to SIGINT shall be
prioritized
9. (U) Whenever practicable. SIGINT collection will occur through the use of one or
‘more selection terms in order to focus the collection on specific foreign intelligence targets (e.¢.,
a specific, known international terrorist or terrorist group) or specific forcign intelligence topics
(e.2. the proliferation of weapons of mass destruction by a foreign power or ts agents).
10. (U) Application of privacy and civil liberties safeguards to the collection of
SIGINT. Consistent with U.S. SIGINT Directive (USSID) 18, “Protection of Civil Liberties and
Privacy of U.S. Person Information When Conducting SIGINT Missions” (Reference 2), and
section 2 of Department of Defense Manual (DoDM) S-5240.01-A, “Procedures Governing the
Conduct of DoD Intelligence Activities: Annex Governing Signals Intelligence Information and
Data Collected Pursuant to Section 1.7(¢) of E.O. 12333” (Reference h, targeted SIGINT
collection shall be prioritized over bulk SIGINT collection. For example, NSA/CSS will conduct
targeted collection using selection terms whenever practicable. NSA shall only engage in bulk
collection upon a determination that it is necessary to engage in bulk collection in order to
advance a validated intelligence priority. In addition to confirming advancement of a validated
intelligence priority and considering alternatives to SIGINT, when conducting collection or
C3
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 123 29 June 2023
developing SIGINT collection techniques, NSA/CSS employees and USSS personnel are further
required to consider all of the following:
a. (U) Methods to limit the types and aspects of the information collected to those:
necessary and proportionate to one or more of the legitimate objectives listed in section 2
of Executive Order 14086 (Reference a) (or any authorized updates to the list or new
priorities established consistent with the criteria in section 2 of Executive Order 14086
(Reference a));
b. (U) Whether mission requirements can be met by filtering non-pertinent
information as soon as practicable after collection; and
. (U) Whether additional approvals or civil liberties and privacy protections are
needed to ensure that collection is conducted consistent with the principles listed in
Section 2(a), including that it is necessary and proportionate to one or more of the
legitimate objectives listed in section 2 of Executive Order 14086 (Reference a) (or any
authorized updates to the list or new priorities established consistent with the criteria in
scation 2 of Executive Order 14086 (Reference a)), and, if so, the USSS entities
responsible for implementing those requirements. These requirements apply regardless of
whether a specific SIGINT collection activity will be performed through targeted
collection or bulk collection
11. (U) Bulk collection of SIGINT. Bulk collection may not be undertaken as part of a
SIGINT collection activity authorized pursuant to section 702 of the Foreign Intelligence:
Surveillance Act of 1978 (Reference ¢). Moreover, when SIGINT collection is necessary to
advance a validated intelligence priority, targeted collection shall be prioritized over bulk
collection. If a determination is made that NSA/CSS or another clement of the USSS must
engage in bulk collection in order to advance a validated intelligence priority (e.g. an
intemational terrorist target engages in activities to conceal the target's communications methods
so bulk collection is necessary to discover how the target is communicating), the bulk collection
shall, nevertheless, be as circumscribed as possible, proportionate to the intelligence objective,
and occur only for the minimum period of time the collection element determines is necessary to
satisfy the objective. Unless further authorized by the President in light of new national security
imperatives, such as new or heightened threats to the national security of the United States,
information collected through bulk SIGINT collection may only be used for one or more of the
following objectives consistent with section 2(c)(i)(C) of Executive Order 14086 (Reference a):
a. (U) Counterterrorism —protecting against terrorism conducted by or on
behalf of a foreign government, foreign organization, or foreign person;
b. (U) Rescue and recovery of captives—protecting against the taking of
hostages. and the holding of individuals captive (including the identification, location,
and rescue of hostages and captives) conducted by or on behalf of a foreign government,
foreign organization, or foreign person;
c4
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 123 29 June 2023
developing SIGINT collection techniques, NSA/CSS employees and USSS personnel are further
required to consider all of the following:
a. (U) Methods to limit the types and aspects of the information collected to those:
necessary and proportionate to one or more of the legitimate objectives listed in section 2
of Executive Order 14086 (Reference a) (or any authorized updates to the list or new
priorities established consistent with the criteria in section 2 of Executive Order 14086
(Reference a));
b. (U) Whether mission requirements can be met by filtering non-pertinent
information as soon as practicable after collection; and
. (U) Whether additional approvals or civil liberties and privacy protections are
needed to ensure that collection is conducted consistent with the principles listed in
Section 2(a), including that it is necessary and proportionate to one or more of the
legitimate objectives listed in section 2 of Executive Order 14086 (Reference a) (or any
authorized updates to the list or new priorities established consistent with the criteria in
scation 2 of Executive Order 14086 (Reference a)), and, if so, the USSS entities
responsible for implementing those requirements. These requirements apply regardless of
whether a specific SIGINT collection activity will be performed through targeted
collection or bulk collection
11. (U) Bulk collection of SIGINT. Bulk collection may not be undertaken as part of a
SIGINT collection activity authorized pursuant to section 702 of the Foreign Intelligence:
Surveillance Act of 1978 (Reference ¢). Moreover, when SIGINT collection is necessary to
advance a validated intelligence priority, targeted collection shall be prioritized over bulk
collection. If a determination is made that NSA/CSS or another clement of the USSS must
engage in bulk collection in order to advance a validated intelligence priority (e.g. an
intemational terrorist target engages in activities to conceal the target's communications methods
so bulk collection is necessary to discover how the target is communicating), the bulk collection
shall, nevertheless, be as circumscribed as possible, proportionate to the intelligence objective,
and occur only for the minimum period of time the collection element determines is necessary to
satisfy the objective. Unless further authorized by the President in light of new national security
imperatives, such as new or heightened threats to the national security of the United States,
information collected through bulk SIGINT collection may only be used for one or more of the
following objectives consistent with section 2(c)(i)(C) of Executive Order 14086 (Reference a):
a. (U) Counterterrorism —protecting against terrorism conducted by or on
behalf of a foreign government, foreign organization, or foreign person;
b. (U) Rescue and recovery of captives—protecting against the taking of
hostages. and the holding of individuals captive (including the identification, location,
and rescue of hostages and captives) conducted by or on behalf of a foreign government,
foreign organization, or foreign person;
c4
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
c. (U) Hostile foreign or other intelligence activities —protecting against
espionage, sabotage, assassination, or other intelligence activities conducted by, on behalf
of, or with the assistance of, a foreign government, foreign organization, or foreign
person;
d. (U) Counterproliferation of weapons of mass destruction—protecting
‘against threats from the development, possession, or proliferation of weapons of mass
destruction or related technologies and threats conducted by, on behalf of, or with the
assistance of, a foreign government, foreign organization, or foreign person;
e. (U) Cybersecurity threats—protecting against cybersecurity threats created or
exploited by, or malicious cyber activities conducted by or on behalf of a foreign
‘government, foreign organization, or foreign person;
£.(U) Threats of harm—protecting against threats to the personnel of the United
States or of ts allies or partners;
£.(U) Transnational crime —protecting against transnational criminal threats,
including illicit finance and sanction evasion related to one or more of the objectives
listed in section 2 of Executive Order 14086 (Reference a).
12. (U) Bulk SIGINT Collection Considerations. Consistent with the SIGINT
collection considerations included in section 2 of DODM S-5240.01-A (Reference h), in any
circumstance when application of the above procedures results in a determination that it is
necessary for the USS to engage in bulk collection of SIGINT in order to advance a validated
intelligence priority, bulk collection must be limited to circumstances where the NSA Director,
or designees, in consultation with the NSA CLPT Director, determines all of the following:
a. (U) the information cannot reasonably be obtained by targeted collection or
alternatives to SIGINT
b. (U) the information is necessary to advance a validated intelligence priority
identified in section (¢)(i)(B) of Executive Order 14086 (Reference a) or authorized by
the President in light of new national security imperatives, such as new or heightened
threats to the national security of the United States as provided for at section 2(c)i}(C)
in Executive Order 14086 (Reference a); and
. (U) reasonable methods and technical measures to limit the data collected to
only what is necessary to advance a validated intelligence priority, while minimizing the
collection of non-pertinent information, will be applied.
13. (U) Consistent with the SIGINT collection considerations included in section 2 of
DODM $-5240.01-A (Reference h) and section 2(b)(ii)D) of Executive Order 14086
(Reference a), the data acquired as part of a targeted SIGINT collection activity that temporarily
uses data acquired without the use of discriminants (e.g., without specific identifiers or selection
terms) may only be used to support the initial technical phase of the targeted SIGINT collection
cs
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
c. (U) Hostile foreign or other intelligence activities —protecting against
espionage, sabotage, assassination, or other intelligence activities conducted by, on behalf
of, or with the assistance of, a foreign government, foreign organization, or foreign
person;
d. (U) Counterproliferation of weapons of mass destruction—protecting
‘against threats from the development, possession, or proliferation of weapons of mass
destruction or related technologies and threats conducted by, on behalf of, or with the
assistance of, a foreign government, foreign organization, or foreign person;
e. (U) Cybersecurity threats—protecting against cybersecurity threats created or
exploited by, or malicious cyber activities conducted by or on behalf of a foreign
‘government, foreign organization, or foreign person;
£.(U) Threats of harm—protecting against threats to the personnel of the United
States or of ts allies or partners;
£.(U) Transnational crime —protecting against transnational criminal threats,
including illicit finance and sanction evasion related to one or more of the objectives
listed in section 2 of Executive Order 14086 (Reference a).
12. (U) Bulk SIGINT Collection Considerations. Consistent with the SIGINT
collection considerations included in section 2 of DODM S-5240.01-A (Reference h), in any
circumstance when application of the above procedures results in a determination that it is
necessary for the USS to engage in bulk collection of SIGINT in order to advance a validated
intelligence priority, bulk collection must be limited to circumstances where the NSA Director,
or designees, in consultation with the NSA CLPT Director, determines all of the following:
a. (U) the information cannot reasonably be obtained by targeted collection or
alternatives to SIGINT
b. (U) the information is necessary to advance a validated intelligence priority
identified in section (¢)(i)(B) of Executive Order 14086 (Reference a) or authorized by
the President in light of new national security imperatives, such as new or heightened
threats to the national security of the United States as provided for at section 2(c)i}(C)
in Executive Order 14086 (Reference a); and
. (U) reasonable methods and technical measures to limit the data collected to
only what is necessary to advance a validated intelligence priority, while minimizing the
collection of non-pertinent information, will be applied.
13. (U) Consistent with the SIGINT collection considerations included in section 2 of
DODM $-5240.01-A (Reference h) and section 2(b)(ii)D) of Executive Order 14086
(Reference a), the data acquired as part of a targeted SIGINT collection activity that temporarily
uses data acquired without the use of discriminants (e.g., without specific identifiers or selection
terms) may only be used to support the initial technical phase of the targeted SIGINT collection
cs
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
activity and retained for the short period of time required to complete this phase and thereafter
must be deleted.
(U) Processing and Querying
14. (U) Data security and access. Consistent with existing requirements in section 6 of
DoDM §-5240.01-A (Reference h) and pursuant to requirements in section 2(c)(ii)B) of
Executive Order 14086 (Reference a), all personal information collected through SIGINT shall:
a. (U) Be processed and stored under conditions that include auditing and internal
controls to limit access to authorized personnel who have received appropriate training
and have a need to know the information to perform their mission;
b. (U) Be accessed only by individuals who have been approved by supervisory or
other appropriate personnel; and
. (U) When no final retention determination has been made, be accessed only in
order to make or support such a determination or to conduct authorized administrative,
testing, development, security, or oversight functions, including compliance functions.
15. (U) Queries of SIGINT collection. Consistent with the SIGINT processing and
query requirements included in section 3 of DoDM $-5240.01-A (Reference h), queries of
information acquired through SIGINT may be conducted by the USSS for the legitimate
objectives of identifying foreign intelligence, counterintelligence, and support to military
operations purposes and for the purpose of protecting the safety or enabling the recovery of a
person reasonably believed to be held captive outside the United States. Queries of SIGINT
obtained pursuant to authorizations issued under the authority of the Foreign Intelligence
Surveillance Act (Reference ¢) must conform to these procedures and any additional
requirements imposed by applicable procedures adopted and approve in the manner prescribed
by the Foreign Intelligence Surveillance Act (Reference ¢), including the documentation of
justifications, to the extent reasonable, as provided for by this policy.
4. (U) Queries using selection terms that identify any person. Further
consistent with existing requirements in section 3 of DoDM §-5240.01-A (Reference h),
queries using selection terms that identify any person, regardless of nationality or
wherever they might reside, shall be designed to defeat, to the extent practicable under
the circumstances, the retrieval of personal information that is not relevant, necessary,
nor proportionate to advance a validated intelligence priority listed in section 2(a)(i) of
Executive Onder 14086 (Reference a) (or any authorized updates to the list or new
priorities established consistent with the criteria in section 2 of Executive Order 14086
(Reference a).
b. (U) Queries of bulk SIGINT Collection. In addition to the above
requirements, queries of information acquired through bulk SIGINT collection must be
consistent with the permissible uses of SIGINT obtained in bulk as specified in section
2(e)(i) of Executive Order 14086 (Reference a), including taking into account the impact
C6
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
activity and retained for the short period of time required to complete this phase and thereafter
must be deleted.
(U) Processing and Querying
14. (U) Data security and access. Consistent with existing requirements in section 6 of
DoDM §-5240.01-A (Reference h) and pursuant to requirements in section 2(c)(ii)B) of
Executive Order 14086 (Reference a), all personal information collected through SIGINT shall:
a. (U) Be processed and stored under conditions that include auditing and internal
controls to limit access to authorized personnel who have received appropriate training
and have a need to know the information to perform their mission;
b. (U) Be accessed only by individuals who have been approved by supervisory or
other appropriate personnel; and
. (U) When no final retention determination has been made, be accessed only in
order to make or support such a determination or to conduct authorized administrative,
testing, development, security, or oversight functions, including compliance functions.
15. (U) Queries of SIGINT collection. Consistent with the SIGINT processing and
query requirements included in section 3 of DoDM $-5240.01-A (Reference h), queries of
information acquired through SIGINT may be conducted by the USSS for the legitimate
objectives of identifying foreign intelligence, counterintelligence, and support to military
operations purposes and for the purpose of protecting the safety or enabling the recovery of a
person reasonably believed to be held captive outside the United States. Queries of SIGINT
obtained pursuant to authorizations issued under the authority of the Foreign Intelligence
Surveillance Act (Reference ¢) must conform to these procedures and any additional
requirements imposed by applicable procedures adopted and approve in the manner prescribed
by the Foreign Intelligence Surveillance Act (Reference ¢), including the documentation of
justifications, to the extent reasonable, as provided for by this policy.
4. (U) Queries using selection terms that identify any person. Further
consistent with existing requirements in section 3 of DoDM §-5240.01-A (Reference h),
queries using selection terms that identify any person, regardless of nationality or
wherever they might reside, shall be designed to defeat, to the extent practicable under
the circumstances, the retrieval of personal information that is not relevant, necessary,
nor proportionate to advance a validated intelligence priority listed in section 2(a)(i) of
Executive Onder 14086 (Reference a) (or any authorized updates to the list or new
priorities established consistent with the criteria in section 2 of Executive Order 14086
(Reference a).
b. (U) Queries of bulk SIGINT Collection. In addition to the above
requirements, queries of information acquired through bulk SIGINT collection must be
consistent with the permissible uses of SIGINT obtained in bulk as specified in section
2(e)(i) of Executive Order 14086 (Reference a), including taking into account the impact
C6
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
on the privacy and civil liberties of all persons, regardless of nationality or where they
might reside.
(U) Retention
16. (U) Application of privacy and civil liberties safeguards to the retention of non-
USS. persons’ personal information. Non-US. persons’ personal information collected through
SIGINT may be retained only if the retention of comparable U.S. person information is permitted
under section 4 of DODM $-5240.01-A (Reference h), including the retention periods applicable
10 unevaluated SIGINT for which no final retention period has been made. Personal information
of non-US. persons collected through SIGINT that does not meet these requirements shall be
deleted. Personal information of a non-U.S. person retained on the basis that it is foreign
intelligence must relate to an authorized intelligence requirement and cannot be retained solely
because of the non-US. person's foreign status.
(U) Dissemination
17. (U) All SIGINT products and services shall be written 50 as to focus solely on the
provision of foreign intelligence to support national and departmental missions, including
support for the conduct of military operations, hostage recovery effort, or ike purposes.
18. (U) The USSS may not disseminate personal information collected through SIGINT
solely because of the persons’ nationality or country of residence or for the purpose of
circumventing Executive Order 14086 (Reference 2). Disseminations to U.S. Government
personnel must be limited to recipients who are reasonably believed to appropriately protect and
have a need to know the information. Disseminations to recipients outside of the U.S.
‘Government shall only occur after NSA/CSS and USSS personnel take due account of the
purpose of the dissemination, the nature and extent of the personal information being
disseminated, and the potential for harmful impact on the person or persons concemed, before
disseminating personal information collected through SIGINT.
19. (U) Application of privacy and civil liberties safeguards to the dissemination of
non-U.S. persons’ personal information. Non-U.S. persons’ personal information collected
through SIGINT, may only be disseminated in accordance with Executive Order 14086
(Reference a) and consistent with existing requirements in section 5 of DDM S-5240.01-A
(Reference h) and other applicable Intelligence Community (IC) and USSS dissemination
standards and directives.
20. (U) Data quality. Consistent with existing requirements in DoDM S-5240.01-A
(Reference h) and Executive Order 14086 (Reference a), for data quality purposes, the USS
elements that handle personal information collected through SIGINT shall include such personal
information in intelligence products only as consistent with applicable IC standards of analytic
tradecraf, for accuracy and objectivity, as set forth in relevant directives, including IC Directive
203, “Analytic Standards” (Reference 1), with a focus on applying standards relating to the
quality and reliability of the information, consideration of alternative sources of information and
interpretations of data, and objectivity in performing analysis.
7
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
on the privacy and civil liberties of all persons, regardless of nationality or where they
might reside.
(U) Retention
16. (U) Application of privacy and civil liberties safeguards to the retention of non-
USS. persons’ personal information. Non-US. persons’ personal information collected through
SIGINT may be retained only if the retention of comparable U.S. person information is permitted
under section 4 of DODM $-5240.01-A (Reference h), including the retention periods applicable
10 unevaluated SIGINT for which no final retention period has been made. Personal information
of non-US. persons collected through SIGINT that does not meet these requirements shall be
deleted. Personal information of a non-U.S. person retained on the basis that it is foreign
intelligence must relate to an authorized intelligence requirement and cannot be retained solely
because of the non-US. person's foreign status.
(U) Dissemination
17. (U) All SIGINT products and services shall be written 50 as to focus solely on the
provision of foreign intelligence to support national and departmental missions, including
support for the conduct of military operations, hostage recovery effort, or ike purposes.
18. (U) The USSS may not disseminate personal information collected through SIGINT
solely because of the persons’ nationality or country of residence or for the purpose of
circumventing Executive Order 14086 (Reference 2). Disseminations to U.S. Government
personnel must be limited to recipients who are reasonably believed to appropriately protect and
have a need to know the information. Disseminations to recipients outside of the U.S.
‘Government shall only occur after NSA/CSS and USSS personnel take due account of the
purpose of the dissemination, the nature and extent of the personal information being
disseminated, and the potential for harmful impact on the person or persons concemed, before
disseminating personal information collected through SIGINT.
19. (U) Application of privacy and civil liberties safeguards to the dissemination of
non-U.S. persons’ personal information. Non-U.S. persons’ personal information collected
through SIGINT, may only be disseminated in accordance with Executive Order 14086
(Reference a) and consistent with existing requirements in section 5 of DDM S-5240.01-A
(Reference h) and other applicable Intelligence Community (IC) and USSS dissemination
standards and directives.
20. (U) Data quality. Consistent with existing requirements in DoDM S-5240.01-A
(Reference h) and Executive Order 14086 (Reference a), for data quality purposes, the USS
elements that handle personal information collected through SIGINT shall include such personal
information in intelligence products only as consistent with applicable IC standards of analytic
tradecraf, for accuracy and objectivity, as set forth in relevant directives, including IC Directive
203, “Analytic Standards” (Reference 1), with a focus on applying standards relating to the
quality and reliability of the information, consideration of alternative sources of information and
interpretations of data, and objectivity in performing analysis.
7
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
(U) Oversight and Training
21. (U) Documentation. In order to facilitate the oversight processes included in
Excutive Order 14086 (Reference a), the USSS shall maintain documentation for each of its
SIGINT collection activities to the extent reasonable in light of the nature and type of collection
at issue and the context in which it is collected. The content of any such documentation may vary
based on the circumstances, but shall, to the extent reasonable, provide the factual basis under
which the USSS has, based on a reasonable assessment of al relevant factors, assessed that the
SIGINT collection activity is necessary to advance a validated intelligence priority. For example,
the content of documentation will likely differ depending upon the specific type of SIGINT
collection activity, the location at which the activity is conducted, and the element of NSA/CSS
or the USSS carrying out the SIGINT collection activity. However, consistent with existing
requirements in section 5 of DoDM $-5240.01-A (Reference h), NSA/CSS and USSS personnel
will document and annually review the use of selection terms as the basis for collection to ensure
‘compliance with applicable authorities, including Executive Order 14086 (Reference a).
22. (U) Legal, oversight, cybersecurity, and compliance officials. NSA has multiple.
senior-level legal, oversight, cybersecurity, and compliance officials, as further addressed in the
responsibilities section of this policy, that meet or exceed all requirements of Executive Order
14086 (Reference a), including ensuring that such officials have access to all information
pertinent to carrying out their compliance and oversight responsibilities, that appropriate actions.
are taken to remediate an incident of non-compliance, and that such officials are free from
actions designed to impede or improperly influence their oversight responsibilities.
23. (U) Noncompliance. As determined by the NSA Director of Compliance, or
designee, after coordination with the NSA CLPT Office (DS) and NSA Office of General
Counsel (OGC, D2), when a significant issue of noncompliance arises involving personal
information of any person, regardless of nationality, collected as a result of SIGINT activities.
the issue shall, in addition to any existing reporting requirements, be reported promptly to
DIRNSA or DIRNSA’s designee, for follow-on reporting to ODN, DoD, the Department of
Justice, and/or the Foreign Intelligence Surveillance Court in accordance with Executive Order
14086 (Reference a), applicable implementing guidance, and other applicable laws, policies, and
procedures
24. (U) Training, Consistent with other existing requirements and section 2(c)i)(B)(2)
of Executive Order 14086 (Reference a), all NSA/CSS employees and USSS personnel with
access to unevaluated SIGINT shall receive training that includes knowing and understanding the
requirements of Executive Order 14086 (Reference 1)). Such training is a prerequisite to initial
and continued access and includes policies and procedures for reporting and remediating
incidents of noncompliance. Existing PPD-28 (Reference o) training will be updated, as
appropriate, to reflect the issuance of Executive Order 14086 and National Security
Memorandum 14 (References a and b), and the Supplemental Procedures included in this policy.
NSA will monitor completion of training requirements to ensure compliance with this provision.
25. (U) Redress. All USSS elements shall provide the ODNI Civil Liberties and Privacy
Office (CLPO) with access to any information necessary to conduct the reviews described in
cs
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
(U) Oversight and Training
21. (U) Documentation. In order to facilitate the oversight processes included in
Excutive Order 14086 (Reference a), the USSS shall maintain documentation for each of its
SIGINT collection activities to the extent reasonable in light of the nature and type of collection
at issue and the context in which it is collected. The content of any such documentation may vary
based on the circumstances, but shall, to the extent reasonable, provide the factual basis under
which the USSS has, based on a reasonable assessment of al relevant factors, assessed that the
SIGINT collection activity is necessary to advance a validated intelligence priority. For example,
the content of documentation will likely differ depending upon the specific type of SIGINT
collection activity, the location at which the activity is conducted, and the element of NSA/CSS
or the USSS carrying out the SIGINT collection activity. However, consistent with existing
requirements in section 5 of DoDM $-5240.01-A (Reference h), NSA/CSS and USSS personnel
will document and annually review the use of selection terms as the basis for collection to ensure
‘compliance with applicable authorities, including Executive Order 14086 (Reference a).
22. (U) Legal, oversight, cybersecurity, and compliance officials. NSA has multiple.
senior-level legal, oversight, cybersecurity, and compliance officials, as further addressed in the
responsibilities section of this policy, that meet or exceed all requirements of Executive Order
14086 (Reference a), including ensuring that such officials have access to all information
pertinent to carrying out their compliance and oversight responsibilities, that appropriate actions.
are taken to remediate an incident of non-compliance, and that such officials are free from
actions designed to impede or improperly influence their oversight responsibilities.
23. (U) Noncompliance. As determined by the NSA Director of Compliance, or
designee, after coordination with the NSA CLPT Office (DS) and NSA Office of General
Counsel (OGC, D2), when a significant issue of noncompliance arises involving personal
information of any person, regardless of nationality, collected as a result of SIGINT activities.
the issue shall, in addition to any existing reporting requirements, be reported promptly to
DIRNSA or DIRNSA’s designee, for follow-on reporting to ODN, DoD, the Department of
Justice, and/or the Foreign Intelligence Surveillance Court in accordance with Executive Order
14086 (Reference a), applicable implementing guidance, and other applicable laws, policies, and
procedures
24. (U) Training, Consistent with other existing requirements and section 2(c)i)(B)(2)
of Executive Order 14086 (Reference a), all NSA/CSS employees and USSS personnel with
access to unevaluated SIGINT shall receive training that includes knowing and understanding the
requirements of Executive Order 14086 (Reference 1)). Such training is a prerequisite to initial
and continued access and includes policies and procedures for reporting and remediating
incidents of noncompliance. Existing PPD-28 (Reference o) training will be updated, as
appropriate, to reflect the issuance of Executive Order 14086 and National Security
Memorandum 14 (References a and b), and the Supplemental Procedures included in this policy.
NSA will monitor completion of training requirements to ensure compliance with this provision.
25. (U) Redress. All USSS elements shall provide the ODNI Civil Liberties and Privacy
Office (CLPO) with access to any information necessary to conduct the reviews described in
cs
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
sections 3(c)(i) and 3(d)() of Executive Order 14086 (Reference a) consistent with the protection
of intelligence sources and methods, and shall not take any actions designed to impede or
improperly influence these reviews. All NSA/CSS and USSS personnel shall comply with any
CLPO determination to undertake appropriate remediation, subject to any contrary determination
of a panel of the U.S. Data Protection Review Court, and, further, shall comply with any
determination by a Data Protection Review Court panel to undertake appropriate remediation.
26. (U) Auditing and Internal Controls. Consistent with DoDM -5240.01-A
(Reference h), the USSS will create and maintain sufficient auditing records to verify compliance
with this anne, and protect auditing records against unauthorized access, modification, or
deletion. The USSS will periodically review the effectiveness of its auditing to ensure the key
requirements of Executive Order 14086 (Reference a) remain satisfied.
27. (U) Privacy and Civil Liberties Oversight Board. The NSA shall provide the
ODNI CLPO and the PCLOB with access to information necessary to conduct the annual review
of the redress process described in Excutive Order 14086 (Reference a), consistent with the
protection of sources and methods.
(U) RESPONSIBILITIES
(U) NSA/CSS Office of the Inspector General (OIG, I)
28. (U) The NSA/CSS OIG (1) shall perform the appropriate oversight of NSA/CSS
activities to prevent or detect violations of these Supplemental Procedures consistent with the
Inspector General Act of 1978, as amended (Reference i)
(U) NSA Office of General Counsel (OGC, D2)
29. (U) The NSA OGC (D2) shall provide legal advice and assistance, as appropriate,
regarding the requirements of Executive Order 14086 (Reference a) and the implementation
guidance contained in these Supplemental Procedures, including the development of appropriate
documentation standards in order to facilitate the oversight processes specified by Executive
Order 14086 (Reference a). The OGC, as appropriate, will coordinate closely with the NSA
CLPT (DS) to ensure alignment and coordination for the Agency's implementation of the:
privacy and civil liberties safeguards required by Executive Order 14086 (Reference 1).
(U) NSA/CSS Civil Liberties, Privacy, and Transparency (CLPT, DS)
30. (U) NSA/CSS CLPT (DS) shall
a. (U) Provide civil liberties and privacy advice and assistance regarding the
requirements of Executive Order 14086 (Reference a) and the implementation guidance:
contained in these Supplemental Procedures, including developing appropriate
documentation standards in order to facilitate the oversight process specified in Executive
Order 14086 (Reference a);
co
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
sections 3(c)(i) and 3(d)() of Executive Order 14086 (Reference a) consistent with the protection
of intelligence sources and methods, and shall not take any actions designed to impede or
improperly influence these reviews. All NSA/CSS and USSS personnel shall comply with any
CLPO determination to undertake appropriate remediation, subject to any contrary determination
of a panel of the U.S. Data Protection Review Court, and, further, shall comply with any
determination by a Data Protection Review Court panel to undertake appropriate remediation.
26. (U) Auditing and Internal Controls. Consistent with DoDM -5240.01-A
(Reference h), the USSS will create and maintain sufficient auditing records to verify compliance
with this anne, and protect auditing records against unauthorized access, modification, or
deletion. The USSS will periodically review the effectiveness of its auditing to ensure the key
requirements of Executive Order 14086 (Reference a) remain satisfied.
27. (U) Privacy and Civil Liberties Oversight Board. The NSA shall provide the
ODNI CLPO and the PCLOB with access to information necessary to conduct the annual review
of the redress process described in Excutive Order 14086 (Reference a), consistent with the
protection of sources and methods.
(U) RESPONSIBILITIES
(U) NSA/CSS Office of the Inspector General (OIG, I)
28. (U) The NSA/CSS OIG (1) shall perform the appropriate oversight of NSA/CSS
activities to prevent or detect violations of these Supplemental Procedures consistent with the
Inspector General Act of 1978, as amended (Reference i)
(U) NSA Office of General Counsel (OGC, D2)
29. (U) The NSA OGC (D2) shall provide legal advice and assistance, as appropriate,
regarding the requirements of Executive Order 14086 (Reference a) and the implementation
guidance contained in these Supplemental Procedures, including the development of appropriate
documentation standards in order to facilitate the oversight processes specified by Executive
Order 14086 (Reference a). The OGC, as appropriate, will coordinate closely with the NSA
CLPT (DS) to ensure alignment and coordination for the Agency's implementation of the:
privacy and civil liberties safeguards required by Executive Order 14086 (Reference 1).
(U) NSA/CSS Civil Liberties, Privacy, and Transparency (CLPT, DS)
30. (U) NSA/CSS CLPT (DS) shall
a. (U) Provide civil liberties and privacy advice and assistance regarding the
requirements of Executive Order 14086 (Reference a) and the implementation guidance:
contained in these Supplemental Procedures, including developing appropriate
documentation standards in order to facilitate the oversight process specified in Executive
Order 14086 (Reference a);
co
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
b. (U) Implement the guidance issued by ODNI CLPO for conducting SIGINT
reviews and assessments from a civil liberties and privacy perspective under IC Directive
126, “Implementation Procedures for the Signals Intelligence Redress Mechanism Under
Executive Order 14086” (Reference k), including assessments of the adequacy of
safeguards to protect personal information that are either proposed or in place for new or
unique SIGINT collection programs; and
¢. (U) Receive, review, and respond to redress requests from ODNI CLPO,
including providing ODNI CLPO with access to information necessary to conduct the
reviews described in cither section 3(c)(i) or section 3(d)() of Executive Order 14086
(Reference a) consistent with the protection of intelligence sources and methods.
(U) Risk Management Office (RMO, D9)
31. (U) The RMO (D9) shall provide risk management advice and assistance regarding
the requirements of Executive Order 14086 (Reference a) and the implementation guidance
contained in these procedures consistent with the implementation of risk management efforts
across NSA/CSS.
(U) Director, Operations (X) and Director, Cybersecurity (C)
32. (U) The Director, Operations (X), and, as applicable and relevant, the Director,
Cybersecurity (C) shall
a. (U) Inform and ensure all personnel conducting SIGINT activities under
DIRNSA’s authorities understand their responsibilities and maintain a high degree of
awareness and sensitivity to the requirements of these Supplemental Procedures;
b. (U) Apply the provisions of these Supplemental Procedures to all SIGINT
activities govemed by Executive Order 14086 (Reference a) that are conducted under
DIRNSA’s authorities;
. (U) Conduct necessary reviews of SIGINT production activities and practices,
including development of required assessments, governed by Executive Order 14086
(Reference a) to ensure consistency with these Supplemental Procedures. These reviews
will include periodic auditing against the standards required by these Supplemental
Procedures;
d. Participate in the development of appropriate documentation standards in order
to facilitate the oversight processes specified by Executive Order 14086 (Reference a);
and
e. (U) Ensure that all new major requirements levied on the USSS or internally.
‘generated activities are considered for review by the OGC (D2). All activities that raise
questions of law or the proper interpretation of these Supplemental Procedures must be
reviewed by the OGC prior to acceptance or execution.
cio
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
b. (U) Implement the guidance issued by ODNI CLPO for conducting SIGINT
reviews and assessments from a civil liberties and privacy perspective under IC Directive
126, “Implementation Procedures for the Signals Intelligence Redress Mechanism Under
Executive Order 14086” (Reference k), including assessments of the adequacy of
safeguards to protect personal information that are either proposed or in place for new or
unique SIGINT collection programs; and
¢. (U) Receive, review, and respond to redress requests from ODNI CLPO,
including providing ODNI CLPO with access to information necessary to conduct the
reviews described in cither section 3(c)(i) or section 3(d)() of Executive Order 14086
(Reference a) consistent with the protection of intelligence sources and methods.
(U) Risk Management Office (RMO, D9)
31. (U) The RMO (D9) shall provide risk management advice and assistance regarding
the requirements of Executive Order 14086 (Reference a) and the implementation guidance
contained in these procedures consistent with the implementation of risk management efforts
across NSA/CSS.
(U) Director, Operations (X) and Director, Cybersecurity (C)
32. (U) The Director, Operations (X), and, as applicable and relevant, the Director,
Cybersecurity (C) shall
a. (U) Inform and ensure all personnel conducting SIGINT activities under
DIRNSA’s authorities understand their responsibilities and maintain a high degree of
awareness and sensitivity to the requirements of these Supplemental Procedures;
b. (U) Apply the provisions of these Supplemental Procedures to all SIGINT
activities govemed by Executive Order 14086 (Reference a) that are conducted under
DIRNSA’s authorities;
. (U) Conduct necessary reviews of SIGINT production activities and practices,
including development of required assessments, governed by Executive Order 14086
(Reference a) to ensure consistency with these Supplemental Procedures. These reviews
will include periodic auditing against the standards required by these Supplemental
Procedures;
d. Participate in the development of appropriate documentation standards in order
to facilitate the oversight processes specified by Executive Order 14086 (Reference a);
and
e. (U) Ensure that all new major requirements levied on the USSS or internally.
‘generated activities are considered for review by the OGC (D2). All activities that raise
questions of law or the proper interpretation of these Supplemental Procedures must be
reviewed by the OGC prior to acceptance or execution.
cio
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
(U) Chief, Compliance (P7)
33. (U) The Chief, Compliance (P7). shall provide compliance advice, formal and
updated training, and assistance regarding the requirements of Executive Order 14086
(Reference a) and the implementation guidance contained in these procedures, including
developing appropriate documentation standards in order to facilitate the compliance and
oversight process specified in Executive Order 14086 (Reference a).
(U) Chief Information Officer (CIO, Y)
34. (U) The CIO (Y) shall ensure that proper data security, access, and quality is
maintained within all capabilities operated by NSA/CSS.
(U) Directors, NSA/CSS Chief of Staff, Extended Enterprise Commanders/Chiefs
35. (U) Directors, the NSA/CSS Chief of Staff, and extended Enterprise
commanders/chiefs shall:
a. (U) Recognize, understand, and execute NSA/CSS authorities in a compliant
manner;
b. (U) Manage, monitor, and perform mission activities in a manner consistent
with the provisions of law and policy that are designed to protect civil liberties and
privacy in accordance with NSA/CSS Policy 12-2, “NSA/CSS Mission Compliance and
Intelligence Oversight” (Reference 1):
c. (U) Enable training for NSA/CSS employees and USSS personnel who have
access to operations information regarding DoD Directive (DoDD) $148.13, “Intelligence
Oversight” (Reference m), DoDM 5240.01, “Procedures Governing the Conduct of DoD
Intelligence Activities” (Reference n), DoDM $-5240.01-A (Reference h), and this policy
on the requirements for collecting, processing, querying, retaining, and disseminating
SIGINT information;
d. (U) Apply the provisions of this policy to all SIGINT mission activities under
their cognizance and ensure that all publications, directives, and instructions for which
they are responsible are in compliance with this policy:
¢. (U) Conduct a periodic review of the SIGINT mission activites and practices
conducted in or under the cognizance of ther respective organizations to ensure
consistency with the laws and authorities listed in the references section of this policy:
f. (U) Ensure that all new requirements levied on NSA/CSS and the USSS or
internally generated NSA/CSS requirements for mission activities are considered for
review and approval by the NSA OGC (D2) and NSA/CSS CLPT (DS) as required and
comport with Compliance (P7) requirements and controls;
ci
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
(U) Chief, Compliance (P7)
33. (U) The Chief, Compliance (P7). shall provide compliance advice, formal and
updated training, and assistance regarding the requirements of Executive Order 14086
(Reference a) and the implementation guidance contained in these procedures, including
developing appropriate documentation standards in order to facilitate the compliance and
oversight process specified in Executive Order 14086 (Reference a).
(U) Chief Information Officer (CIO, Y)
34. (U) The CIO (Y) shall ensure that proper data security, access, and quality is
maintained within all capabilities operated by NSA/CSS.
(U) Directors, NSA/CSS Chief of Staff, Extended Enterprise Commanders/Chiefs
35. (U) Directors, the NSA/CSS Chief of Staff, and extended Enterprise
commanders/chiefs shall:
a. (U) Recognize, understand, and execute NSA/CSS authorities in a compliant
manner;
b. (U) Manage, monitor, and perform mission activities in a manner consistent
with the provisions of law and policy that are designed to protect civil liberties and
privacy in accordance with NSA/CSS Policy 12-2, “NSA/CSS Mission Compliance and
Intelligence Oversight” (Reference 1):
c. (U) Enable training for NSA/CSS employees and USSS personnel who have
access to operations information regarding DoD Directive (DoDD) $148.13, “Intelligence
Oversight” (Reference m), DoDM 5240.01, “Procedures Governing the Conduct of DoD
Intelligence Activities” (Reference n), DoDM $-5240.01-A (Reference h), and this policy
on the requirements for collecting, processing, querying, retaining, and disseminating
SIGINT information;
d. (U) Apply the provisions of this policy to all SIGINT mission activities under
their cognizance and ensure that all publications, directives, and instructions for which
they are responsible are in compliance with this policy:
¢. (U) Conduct a periodic review of the SIGINT mission activites and practices
conducted in or under the cognizance of ther respective organizations to ensure
consistency with the laws and authorities listed in the references section of this policy:
f. (U) Ensure that all new requirements levied on NSA/CSS and the USSS or
internally generated NSA/CSS requirements for mission activities are considered for
review and approval by the NSA OGC (D2) and NSA/CSS CLPT (DS) as required and
comport with Compliance (P7) requirements and controls;
ci
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
& (U) Ensure that the NSA OGC reviews mission activities that may raise a
question of law or regulation before their acceptance or execution:
h. (U) Ensure that necessary special security clearances and access authorizations
are provided to the NSA OGC, the IG (I), NSA/CSS CLPT, and the Chief of Compliance
in order to enable them to meet their assigned responsibilities; and
i. (U) Report as required in this policy and otherwise assist the NSA/CSS CLPT
and NSA OGC with carrying out their responsibilities.
(U) NSA/CSS Employees and United States Signals Intelligence System (USSS) Personnel:
36. (U) NSA/CSS employees and USS personnel shall:
a. (U) Implement these Supplemental Procedures upon publication;
b. (U) Immediately inform the Director, Operations (X) staff of any tasking or
instructions that appear to require actions at variance with these Supplemental
Procedures;
<. (U) In accordance with existing procedures, report to the OIG (1) and consult
with the OGC on all activities that may raise a question of compliance with these
Supplemental Procedures:
4. (U) If anon-U.S. person's personal information is improperly stored, accessed.
collected, analyzed, queried, retained or disseminated, then the incident must be reported
0 the NSA/CSS Office of Compliance for Cybersecurity and Operations (P75) via
NSA's Incident Reporting Tool (go IRT) (or any successor tool) within 24 hours upon
recognition;
. (U) Comply with the procedures outlined in DoDM 5240.01 (Reference n) and
DoDM §-5240.01-A (Reference h);
1. (U) Complete all required compliance training and ensure that all required
documentation (c.g, precondition agreements for memoranda of understanding/
memoranda of agreement) is approved before data access is granted;
2 (U) Conduct mission activities lawfully and in a manner that protects privacy
and civil liberties in accordance with this policy and USSID 18 (Reference ). including
the compliance and oversight requirements in NSA/CSS Policy 12-2 (Reference I); and
h. (U) Report potential SIGINT mission compliance incidents, Questionable
Intelligence Activities (QIAs), and/or Significant or Highly Sensitive Matters (S/HSMs)
as defined in DoDD $148.13 (Reference m) immediately upon recognition in NSA's IRT
(or any successor tool). Any potential S/HSM that is not mission-related must be reported
10 the NSA Intelligence Oversight Officer (NSA 100) via the alias DL NSA_I00.
ci
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
& (U) Ensure that the NSA OGC reviews mission activities that may raise a
question of law or regulation before their acceptance or execution:
h. (U) Ensure that necessary special security clearances and access authorizations
are provided to the NSA OGC, the IG (I), NSA/CSS CLPT, and the Chief of Compliance
in order to enable them to meet their assigned responsibilities; and
i. (U) Report as required in this policy and otherwise assist the NSA/CSS CLPT
and NSA OGC with carrying out their responsibilities.
(U) NSA/CSS Employees and United States Signals Intelligence System (USSS) Personnel:
36. (U) NSA/CSS employees and USS personnel shall:
a. (U) Implement these Supplemental Procedures upon publication;
b. (U) Immediately inform the Director, Operations (X) staff of any tasking or
instructions that appear to require actions at variance with these Supplemental
Procedures;
<. (U) In accordance with existing procedures, report to the OIG (1) and consult
with the OGC on all activities that may raise a question of compliance with these
Supplemental Procedures:
4. (U) If anon-U.S. person's personal information is improperly stored, accessed.
collected, analyzed, queried, retained or disseminated, then the incident must be reported
0 the NSA/CSS Office of Compliance for Cybersecurity and Operations (P75) via
NSA's Incident Reporting Tool (go IRT) (or any successor tool) within 24 hours upon
recognition;
. (U) Comply with the procedures outlined in DoDM 5240.01 (Reference n) and
DoDM §-5240.01-A (Reference h);
1. (U) Complete all required compliance training and ensure that all required
documentation (c.g, precondition agreements for memoranda of understanding/
memoranda of agreement) is approved before data access is granted;
2 (U) Conduct mission activities lawfully and in a manner that protects privacy
and civil liberties in accordance with this policy and USSID 18 (Reference ). including
the compliance and oversight requirements in NSA/CSS Policy 12-2 (Reference I); and
h. (U) Report potential SIGINT mission compliance incidents, Questionable
Intelligence Activities (QIAs), and/or Significant or Highly Sensitive Matters (S/HSMs)
as defined in DoDD $148.13 (Reference m) immediately upon recognition in NSA's IRT
(or any successor tool). Any potential S/HSM that is not mission-related must be reported
10 the NSA Intelligence Oversight Officer (NSA 100) via the alias DL NSA_I00.
ci
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
(U) REFERENCES
a. (U) Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence
Activities.” dated 7 October 2022
b. (U) NSM: 14, “Partial Revocation of Presidential Policy Directive 28.” dated 7 October 2022
c. (U) PPD-28, “Signals Intelligence Activities.” with Annex: “Policy Review of Sensitive
Signals Intelligence Collection Activities.” dated 17 January 2014
d.(U) Executive Order 12333, “United States Intelligence Activities.” dated 4 December 1981,
and as amended
e. (U) Foreign Intelligence Surveillance Act of 1978, 50 U.S. Code (U.S.C.) §§1801 et seq., as
amended
1. (U) National Security Act of 1947, 50 U.S.C. §§3001 et seq., as amended
g (U) USSID 18, “Protection of Civil Liberties and Privacy of U.S. Person Information When
Conducting SIGINT Missions,” issued 10 January 2022
h. (U) DoDM $-5240.01-A, “Procedures Governing the Conduct of DoD Intelligence Activities:
Annex Governing Signals Intelligence Information and Data Collected Pursuant to Section 1.7(¢)
of Executive Order 12333,” dated 7 January 2021
i. (U) Intelligence Community Directive 203, “Analytic Standards”, dated 2 January 2015
J. (U) United States Code, Title 5, Section 401-424, “Inspector General Act of 1978", as
‘amended, dated 12 October 1978
k. (U) Intelligence Community Directive 126, “Implementation Procedures for the Signals
Intelligence Redress Mechanism Under Executive Order 14086.” 6 December 2022
1. (U) NSA/CSS Policy 12-2, “NSA/CSS Mission Compliance and Intelligence Oversight,”
dated 16 May 2022
m. (U) DoDD 5148.13, “Intelligence Oversight,” dated 26 April 2017
n. (U) DaDM 5240.01, “Procedures Governing the Conduct of DoD Intelligence Activities.”
dated 8 August 2016
0. (U) NSA/CSS Policy 12-3, “Protection of Civil Liberties and Privacy of U.S. Person
Information When Conducting NSA/CSS Mission and Mission-Related Activities.”
dated 10 January 2022
ci
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
(U) REFERENCES
a. (U) Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence
Activities.” dated 7 October 2022
b. (U) NSM: 14, “Partial Revocation of Presidential Policy Directive 28.” dated 7 October 2022
c. (U) PPD-28, “Signals Intelligence Activities.” with Annex: “Policy Review of Sensitive
Signals Intelligence Collection Activities.” dated 17 January 2014
d.(U) Executive Order 12333, “United States Intelligence Activities.” dated 4 December 1981,
and as amended
e. (U) Foreign Intelligence Surveillance Act of 1978, 50 U.S. Code (U.S.C.) §§1801 et seq., as
amended
1. (U) National Security Act of 1947, 50 U.S.C. §§3001 et seq., as amended
g (U) USSID 18, “Protection of Civil Liberties and Privacy of U.S. Person Information When
Conducting SIGINT Missions,” issued 10 January 2022
h. (U) DoDM $-5240.01-A, “Procedures Governing the Conduct of DoD Intelligence Activities:
Annex Governing Signals Intelligence Information and Data Collected Pursuant to Section 1.7(¢)
of Executive Order 12333,” dated 7 January 2021
i. (U) Intelligence Community Directive 203, “Analytic Standards”, dated 2 January 2015
J. (U) United States Code, Title 5, Section 401-424, “Inspector General Act of 1978", as
‘amended, dated 12 October 1978
k. (U) Intelligence Community Directive 126, “Implementation Procedures for the Signals
Intelligence Redress Mechanism Under Executive Order 14086.” 6 December 2022
1. (U) NSA/CSS Policy 12-2, “NSA/CSS Mission Compliance and Intelligence Oversight,”
dated 16 May 2022
m. (U) DoDD 5148.13, “Intelligence Oversight,” dated 26 April 2017
n. (U) DaDM 5240.01, “Procedures Governing the Conduct of DoD Intelligence Activities.”
dated 8 August 2016
0. (U) NSA/CSS Policy 12-3, “Protection of Civil Liberties and Privacy of U.S. Person
Information When Conducting NSA/CSS Mission and Mission-Related Activities.”
dated 10 January 2022
ci
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
(U) GLOSSARY
(U) This annex carries forward the same definitions provided in NSA/CSS Policy 12-3,
“Protection of Civil Liberties and Privacy of U.S. Person Information When Conducting
NSA/CSS Mission and Mission-Related Activities” (Reference o). Any terms not otherwise:
defined in DoDD 5148.13 (Reference m) that are included in these Supplemental Procedures.
shall have the same definitions contained in Executive Order 14086 (Reference 2), Executive
Order 12333 (Reference d), DoDM 5240.01 (Reference n), and DoDM S-5240.01-A
(Reference h).
(U) DOCUMENT HISTORY
U/FOUO)
owe | swesin [boi |
29 June 2023 Paul M. Nakasone, Policy 12-3 Annex C issuance
General, U.S. Army;
Director, NSA/Chief, CSS
(UIFOUO)
C4
UNCLASSIFIED
UNCLASSIFIED
Annex C to Policy 12-3 29 June 2023
(U) GLOSSARY
(U) This annex carries forward the same definitions provided in NSA/CSS Policy 12-3,
“Protection of Civil Liberties and Privacy of U.S. Person Information When Conducting
NSA/CSS Mission and Mission-Related Activities” (Reference o). Any terms not otherwise:
defined in DoDD 5148.13 (Reference m) that are included in these Supplemental Procedures.
shall have the same definitions contained in Executive Order 14086 (Reference 2), Executive
Order 12333 (Reference d), DoDM 5240.01 (Reference n), and DoDM S-5240.01-A
(Reference h).
(U) DOCUMENT HISTORY
U/FOUO)
owe | swesin [boi |
29 June 2023 Paul M. Nakasone, Policy 12-3 Annex C issuance
General, U.S. Army;
Director, NSA/Chief, CSS
(UIFOUO)
C4
UNCLASSIFIED