UNCLASSIFIED - Carnegie Mellon University


UNCLASSIFIED


INTELLIGENCE OVERSIGHT IN A NUTSHELL

Background

The term “Intelligence Oversight” came about as a result of a government review involving congressional hearings in the early 1970s of alleged constitutional abuses by DoD intelligence components. The abuses concerned compilation of information on civilians at college campuses who were protesting the Vietnam War and alleged constitutional abuses by the Nixon administration. As a result of these reviews, Presidents Ford and Carter issued Executive Orders (E.O.) 11095 and 12036, respectively, regarding intelligence activities and constitutional rights. President Reagan’s version of this Order (E.O. 12333) was affirmed by Presidents Bush, Clinton, and Bush, and remains in effect today.

EO 12333, “United States Intelligence Activities,” describes the U.S. intelligence community (IC) and provides guidance on the roles and missions of organizations within the IC. EO 12333 also provides general guidance regarding the conduct of intelligence activities and the protection of the rights of the American people.

Recent guidance from DoD, DoD Manual 5240.01, issued August 8, 2016, updates the existing guidance in DoD 5240.1-R in implementing the requirement in Executive Order 12333 that IC elements establish procedures governing the collection, retention, and dissemination of information concerning U.S. persons. The procedures in DoDM 5240.01 have been approved by the U.S. Attorney General, after consultation with the Director of National Intelligence, as required by EO 12333. DoDM 5240.01 thus enables DoD to continue to conduct authorized intelligence activities in a manner that protects the constitutional and legal rights of U.S. persons.

NOTE: DoDM 5240.01 did not entirely cancel and replace DoD 5240.1-R; it only replaced procedures 1 through 10 in DoD 5240.1-R. Procedures 11 through 15 of DoD 5240.1-R will continue to be in effect until superseded. Additionally, the classified annex to DoD 5240.1-R will continue to be used until superseded by issuance of a classified annex to DoDM 5240.01. The DoD Directive 5148.13 (27 Apr 17) incorporates and cancels procedures 14-15 of DoD Directive 5240.1-R. It does not rescind chapters 14-15 of AR 381-10. Those chapters remain in effect to the extent they do not conflict with the DoD Directive 5148.13.

Effective immediately, all Army components performing authorized intelligence functions will comply with DoDM 5240.01 Procedures 1 through 10 and Procedures 11 through 13 in DoD 5240.1-R and Procedures 14 and 15 in AR 381-10. All definitions in DoDM 5240.01 glossary replace the definitions in Army Regulation 381-10 and all related Army Regulations.

REMEMBER: Before you perform an intelligence activity, ask yourself whether you have the Mission and Authority, and for what purpose the information is being collected. DoD authorized intelligence activities are foreign intelligence and counterintelligence (CI) activities unless otherwise specified in DoDM 5240.01.

Major changes to DoD guidance include:

Definition of "collection": One of the key changes to the manual is how we define "collection." "Collection" is defined in the revised procedures as occurring "upon receipt," which differs from the previous version of the manual, which defined "collection" as occurring when the information was "officially accept[ed] ... for use." Because information is deemed collected upon receipt, the information must be promptly evaluated. As of 8 August 2016, information is collected when it is received by a Defense Intelligence Component, whether or not it is retained by the Component for intelligence or other purposes. Collected information includes information obtained or acquired by any means, including information that is volunteered to the Component.
Collected information does not include: Information that only momentarily passes through a computer system of the Component; Information on the Internet or in an electronic forum or repository outside the Component that is simply viewed or accessed by a Component employee but is not copied, saved, supplemented, or used in some manner; Information disseminated by other Components or elements of the Intelligence Community; or Information that is maintained on behalf of another U.S. Government agency and to which the Component does not have access for intelligence purposes.

USPI. Information that is reasonably likely to identify one or more specific U.S. persons. USPI may be either a single item of information or information that, when combined with other information, is reasonably likely to identify one or more specific U.S. persons. Determining whether information is reasonably likely to identify one or more specific U.S. persons in a particular context may require a case-by-case assessment by a trained intelligence professional. USPI is not limited to any single category of information or technology. Depending on the context, examples of USPI may include: names or unique titles; government-associated personal or corporate identification numbers; unique biometric records; financial information; and street address, telephone number, and Internet Protocol address information.

USPI does not include: A reference to a product by brand or manufacturer’s name or the use of a name in a descriptive sense, as, for example, Ford Mustang or Boeing 737; or Imagery from overhead reconnaissance or information about conveyances (e.g., vehicles, aircraft, or vessels) without linkage to additional identifying information that ties the information to a specific U.S. person.

Retention of USPI: The revised procedures make clear that collected information must be promptly evaluated and establish how long DoD can retain USPI for evaluation to assess whether the information meets the permanent retention standard. The fundamental privacy principle embodied in the procedures is that information will be deleted at the end of the appropriate maximum retention period unless it is affirmatively determined to meet the standard for permanent retention. These evaluation periods differ depending on the nature of the collection and the nature of the information collected. For intentionally collected USPI, those records may, if necessary, only be retained for evaluation for up to 5 years. Incidentally collected USPI may be retained for evaluation for up to 5 years if the collection targeted a person or place in the United States or involves "special circumstances," and up to 25 years if the collection targeted a person who is reasonably believed to be outside the United States.
All USPI, including any information that may contain USPI, must be deleted upon expiration of these evaluation periods unless it has been determined to meet the standard for permanent retention. These periods can only be extended based on high-level approval, which requires a written finding of necessity and a finding that the information is likely to contain valuable information. Remember, the standard is that information will be evaluated promptly; a command must be able to articulate a reason for retention when asked.

Publicly available information: Obtaining publicly available information is one of the least intrusive collection methods available to DoD intelligence components. The manual clarifies the definition of "publicly available" and adds context to several of its provisions by providing a more detailed characterization of what "publicly available" means, recognizing the policy issues raised by the Internet and new technology.

Internet Considerations: Internet Protocol information that is "not self-evidently associated with a U.S. person" may, depending upon the circumstances, meet the DoDM 5240.01's definition of U.S. Person Information (USPI). The standard set forth in the DoDM 5240.01's definition of USPI and the provisions addressing intentional and incidental collection and retention of USPI will be applied to the collection, retention, and dissemination of Internet Protocol information.

Effect of DoDM 5240.01 on Army intelligence guidance generally: Revisions to DoDM 5240.01 replaced procedures 1 through 10 in DoD 5240.1-R and thus substantially altered the discussion of procedures 1 through 10 in AR 381-10. Army personnel carrying out intelligence functions must understand how AR 381-10 has been modified, pending formal revision of AR 381-10.
DoDM 5240.01 does not displace all of the Army's regulatory guidance for intelligence activities currently set forth in AR 381-10; only those portions of AR 381-10 that are inconsistent with DoDM 5240.01 are rescinded. Portions of AR 381-10 that are additional or unique for the Army and do not conflict with DoDM 5240.01 are still in effect. AR 381-10 Chapters 11 through 17 remain in effect without modification until further notice.

Explanation of DoDM 5240.01 sections and effect on specific chapters of AR 381-10: Section 3 of DoDM 5240.01 contains the new procedures 1 through 10.

Section 3.1, Procedure 1, establishes the scope and administrative provisions for implementing DoDM 5240.01. Procedures 2 through 4 articulate the procedures through which the Defense Intelligence Components and those personnel within the scope of Paragraph 3.1.a.(1) are authorized to collect, retain, and disseminate U.S. person information (USPI). Procedures 5 through 10 govern the use of certain collection techniques to obtain information for foreign intelligence and CI purposes. The existing classified annex to 5240.1-R supplements Procedure 5. Defense Intelligence Components will employ the techniques governed by Procedures 5 through 10 only as necessary to perform missions or functions assigned to the Component. Enables DoD intelligence components to carry out their functions while ensuring the rights of US Persons are protected. Bottom Line: A member of an intelligence component MAY NOT conduct an intelligence mission unless he/she has been lawfully assigned that function. DoDM 5240.01 supersedes only paragraphs 1-8 and 1-9.c in Chapter 1 of AR 381-10; the remaining portions of Chapter 1 remain in effect.

-- Presumptions: Guidance on presumptions is incorporated into the DoDM 5240.01 definition of U.S. person.

-- Internet Considerations: Internet Protocol information may, depending upon the circumstances, meet the DoDM 5240.01's definition of U.S. Person Information (USPI). The standard set forth in the DoDM 5240.01's definition of USPI and the provisions addressing intentional and incidental collection and retention of USPI will be applied to the collection, retention, and dissemination of Internet Protocol information.

-- Shared Repositories (databases): All Army entities subject to AR 381-10 will immediately take steps to comply with the DoDM 5240.01's requirements regarding being a Host of a shared repository and being a Participant in a shared repository.

-- Army Hosts of Shared Repositories will develop a capability to enable auditing of access to USPI. Army Participants in Shared Repositories will ensure that their access to and use of the repository complies with all applicable laws and policies, including the DoDM 5240.01 and ARs. This includes all rules regarding collection, retention and dissemination.

Section 3.2, Procedure 2: Collection of USPI. This procedure specifies the general criteria governing the collection of USPI. A Defense Intelligence Component may intentionally collect USPI only if the information sought is reasonably believed to be necessary for the performance of an authorized intelligence mission or function assigned to the Component, and if the USPI falls within one of the following categories (refer to DoDM 5240.01 for details):

(1) Publicly Available.

(2) Consent.

(3) Foreign Intelligence.

(4) CI.

(5) Threats to Safety.

(6) Protection of Intelligence Sources, Methods, and Activities.

(7) Current, Former, or Potential Sources of Assistance to Intelligence Activities.

(8) Persons in Contact With Sources or Potential Sources.

(9) Personnel Security.

(10) Physical Security.

(11) Communications Security Investigation.

(12) Overhead and Airborne Reconnaissance.

(13) Administrative Purposes.

NOTE: DoDM 5240.01 specifies the circumstances under which USPI may be collected under the foreign intelligence category. The information must be reasonably believed to constitute foreign intelligence and the U.S. person is:

(a) An individual reasonably believed to be an officer or employee of, or otherwise acting on behalf of, a foreign power;

(b) An organization or group reasonably believed to be directly or indirectly owned or controlled by, or acting on behalf of, a foreign power;

(c) An individual, organization, or group reasonably believed to be engaged in or preparing to engage in international terrorist or international narcotics activities;

(d) A corporation or other commercial organization reasonably believed to have some relationship with a foreign power, organization, or person;

(e) An individual reasonably believed to be a prisoner of war or missing in action; or

(f) An individual, organization, or group who is a target, hostage, or victim of an international terrorist or international narcotics organization.

Procedure 2 of DoDM 5240.01 replaces Procedure 2 of AR 381-10 in its entirety.

Section 3.3 Procedure 3: Retention of USPI. This procedure governs the retention of USPI collected by Defense Intelligence Components in accordance with Procedure 2. Paragraphs 3.3.d. through 3.3.h. govern information that does not fall within the definition of collection because it was disseminated by another Component or element of the IC. This procedure does not apply to the retention of information obtained under FISA, which has its own provisions. If an Intelligence Component collects USPI, the Component will evaluate the information promptly. If necessary, the Component may retain the information for evaluation for up to 5 years. The Defense Intelligence Component head or a single delegee may approve an extended period in accordance with Paragraph 3.3.c.(5).

Army approval authorities for extended retention of USPI (see para 3.3. of DoDM 5240.01) are the Deputy Chief of Staff (DCS), G-2 and the Commander of the U.S. Army Intelligence and Security Command (INSCOM).

Signals Intelligence (SIGINT). Any retention of USPI obtained from SIGINT is subject to the procedures in the classified annex to DoD 5240.1-R and any applicable Presidential directives.

Procedure 3 of DoDM 5240.01 replaces Procedure 3 of AR 381-10 in its entirety with the exception of Section 3-3, subparagraph c. "Annual Review" which remains in effect.

Chapter 4, Procedure 4: Dissemination of USPI. This procedure governs the dissemination of USPI collected or retained by a Defense Intelligence Component. Information may be disseminated pursuant to this procedure only if it was properly collected or retained in accordance with Procedures 2 or 3. This procedure applies to USPI in any form, including physical and electronic files and information a Component places in databases, on websites, or in shared repositories accessible to other persons or organizations outside the Component. This procedure does not apply to the dissemination of information collected solely for administrative purposes, or disseminated pursuant to other procedures approved by the Attorney General or a court order that otherwise imposes controls on such dissemination.

Minimization of Dissemination Content. To the extent practicable, a Defense Intelligence Component should not include USPI in a dissemination (other than a dissemination pursuant to Paragraph 3.4.c.(1) or (2)) if the pertinent information can be conveyed in an understandable way without including the identifying information. If a dissemination includes USPI, the disseminating Component will notify the recipient so the recipient can protect the USPI appropriately. Procedure 4 of DoDM 5240.01 replaces Procedure 4 of AR 381-10 in its entirety. Bottom Line Chapters 1–4: When in doubt, check the regulation. Still in doubt, ask your supervisor!

Procedures 5 thru 10: Special Collection Techniques:

Procedure 5: Electronic Surveillance. This procedure implements FISA and E.O. 12333. A Defense Intelligence Component may conduct electronic surveillance for an intelligence purpose in accordance with FISA or E.O. 12333 and this procedure. The legal framework for conducting electronic surveillance is dependent upon the Defense Intelligence Component’s mission, the U.S. person status and location of the target, the methods used to conduct the electronic surveillance, and the type of communication sought. All electronic surveillance must also comply with Procedures 1 through 4 of this issuance.

Procedure 5 of DoDM 5240.01 replaces Procedure 5 of AR 381-10 in its entirety. Army approval authorities for computer trespasser intercepts based upon 18 U.S.C. sect 2511(2)(i) are the DCS, G-2; the Commander of INSCOM; and the Commander of 650th Military Intelligence Group.

Procedure 6 Concealed Monitoring: This procedure governs concealed monitoring of any person inside the United States or any U.S. person outside the United States for an authorized foreign intelligence or CI purpose by a Defense Intelligence Component or anyone acting on their behalf.

Procedure 6 of DoDM 5240.01 replaces Procedure 6 of AR 381-10 in its entirety. Army approval authorities for concealed monitoring that occurs in the United States or that is directed against a U.S. person outside the United States are the DCS, G-2 and the Commander, INSCOM.

Procedure 7 Physical Searches: This procedure applies to nonconsensual physical searches for intelligence purposes of any person or property in the United States and of U.S. persons or their property outside the United States that are conducted by Defense Intelligence Components or anyone acting on their behalf.

Procedure 7 of DoDM 5240.01 replaces Procedure 7 of AR 381-10 in its entirety. A Foreign Intelligence Surveillance Act (FISA) court order is mandatory for all physical searches conducted in the United States or of U.S. persons outside the United States.

Procedure 8 Mail Searches and Examination: This procedure governs the physical searches of mail, including the opening or other examination of the content of mail, in the United States and abroad, by a Defense Intelligence Component or anyone acting on its behalf. This procedure also applies to the use of mail covers. A Defense Intelligence Component may only search mail or use a mail cover if such activity is for an authorized foreign intelligence or CI purpose. This procedure does not apply to items transported by a commercial carrier (e.g., Federal Express or the United Parcel Service). Such items are subject to the provisions of Procedure 7.

Procedure 8 of DoDM 5240.01 replaces Procedure 8 of AR 381-10 in its entirety.

Procedure 9 Physical Surveillance: This procedure governs physical surveillance of any person inside the United States or any U.S. person outside the United States by a Defense Intelligence Component or anyone acting on their behalf. If anyone acting on behalf of a Defense Intelligence Component is conducting physical surveillance, this procedure applies to any devices such person is operating to observe the subject of the surveillance, and not the provisions of Procedure 6.

Procedure 9 of DoDM 5240.01 replaces Procedure 9 of AR 381-10 in its entirety with the exception of the approval authority provisions in paragraphs 9-4 (Physical Surveillance of non-U.S. persons) and 9-5a (Approvals) when approving a physical surveillance of non-U.S. persons under paragraph 9-4. The approval authorities are as follows:

Army approval authorities for non-consensual physical surveillance of any person in the United States are the DCS, G-2 and the Commander, INSCOM.

Army approval authorities for non-consensual physical surveillance of a U.S. person outside the United States are those officials listed at current AR 381-10, paragraph 9-5a.

Procedure 10 Undisclosed Participation in Organizations: This procedure governs the participation by Defense Intelligence Components and anyone, including sources, acting on behalf of a Component in any organization in the United States or any organization outside the United States that constitutes a U.S. person.


Procedure 10 of DoDM 5240.01 replaces Procedure 10 of AR 381-10 in its entirety, with the exception of the approval authority provisions in AR 381-10 noted below.

Army approval authorities for UDP described in DoDM 5240.01, section 3.10.f.(2) are the officials listed at the current AR 381-10, paragraph 10-4a.

Army approval authorities for UDP described in DoDM 5240.01, section 3.10.f.(3) are the DCS, G-2 and the Commander, INSCOM or their single delegee.

AR 381-10 Chapters 11 through 17 remain in effect until further notice.

Chapter 11, Contracting for Goods and Services: Bottom Line: Read and understand if involved in contracting.

Chapter 12, Assistance to Civilian Law Enforcement Authorities: Bottom Line: Read and understand if your job may potentially involve you in supporting such authorities.

Chapter 13, Experimentation on Human Subjects for Intelligence Purposes: Bottom Line: DO NOT.

Chapter 14, Employee Conduct: Individuals, supervisors, and Intelligence components must ensure they and their employees are familiar with this and other applicable regulations, and must report questionable intelligence activities and Federal crimes upon discovery. Personnel reporting questionable activities or Federal crimes are protected from reprisal. Bottom Line: You are required to be familiar with oversight regulations and, if a supervisor, to educate your people.

Chapter 15, Questionable Intelligence Activities: Any conduct that constitutes or is related to an intelligence activity that may violate the law, any executive order or Presidential directive, or applicable DoD regulation or policy, must be reported upon discovery. This may be accomplished by reporting through the chain of command, Inspector General (IG), or appropriate intelligence oversight officer. Reports will reach DAIG-IO within 5 days of discovery. Inquiries or investigations are conducted on all reports and appropriate action is taken. Bottom Line: You must report and it must be quick. This has high visibility.

NOTE: DoD 5148.13 incorporates and cancels Directive-type Memorandum 08-052, “DoD Guidance for Reporting Questionable Intelligence Activities and Significant or Highly Sensitive Matters,” June 17, 2009, as amended, and establishes policies, assigns responsibilities, and provides procedures for employee conduct and identifying, investigating, and reporting questionable intelligence activities (QIAs) and significant or highly sensitive matters (S/HSMs). However, it does not rescind chapters 14-15 of AR 381-10, which remain in effect to the extent they do not conflict with the DoD Directive 5148.13. Continue to report QIAs and S/HSMs using Procedure 15 (AR 381-10).

Report questionable intelligence activities of a serious nature and all significant or highly sensitive matters immediately. Such reports may be made by any secure means. Oral reports should be documented with a written report as soon as possible thereafter. Reporting shall not be delayed or postponed pending an investigation, command inquiry, or legal proceeding.

(1) Questionable Intelligence Activity. An intelligence activity, as defined in E.O. 12333 (Reference (f)), that may be unlawful or contrary to executive order, Presidential directive, or applicable DoD policy governing that activity.

(2) Significant or Highly Sensitive Matters. A development or circumstance involving an intelligence activity or intelligence personnel that could impugn the reputation or integrity of the DoD Intelligence Community or otherwise call into question the propriety of an intelligence activity.

Chapter 16, Federal Crimes: Bottom Line: Same as Chapter 15. You are obligated to report federal crimes committed by Intelligence personnel.

Chapter 17, Support to Force Protection, Multinational Intelligence Activities, Joint Intelligence Activities, and Other DoD Investigative Organizations: Bottom Line: If you are a collector in the United States, you must limit your threat collection to that which has a foreign intelligence or international terrorism nexus. If working within a multinational command, you may not conduct activities that violate US laws and oversight regulations, even if legal under the standards of other nations.

CONTACT YOUR INTEL OVERSIGHT OFFICER IF YOU HAVE QUESTIONS OR NEED TO REPORT A QUESTIONABLE INTELLIGENCE ACTIVITY (QIA)

Note: even if Intelligence Oversight does not apply in a situation, Public Law 110-53 (Civil Liberties Program) may apply. In response to the terrorist attacks of September 11, 2001, Congress passed Public Law 110-53, "Implementing Recommendations of the 9/11 Commission Act of 2007." This law codifies many recommendations of the 9/11 Commission, including those that require DoD and other Federal agencies with anti-terrorism and law enforcement functions to safeguard civil liberties when sharing information. The DoD Civil Liberties program assures Department-wide compliance with section 803 of Public Law 110-53 by ensuring DoD appropriately considers privacy and civil liberties in its actions. It does this through advice, monitoring, official reporting, and training. The formal policy for the DoD Civil Liberties Program, DoD Instruction 1000.29, is available online here: http://www.dtic.mil/whs/directives/corres/pdf/100029p.pdf

It is DoD policy to:

a. Protect the privacy and civil liberties of DoD employees, members of the Military Services, and the public to the greatest extent possible, consistent with its operational requirements.

b. Consider appropriately privacy and civil liberties in the review, development, and implementation of new or existing laws, regulations, policies, and initiatives.

c. Not maintain information, as defined in DoD 5400.11-R, “Department of Defense Privacy Program,” May 14, 2007, on how an individual exercises rights protected by the First Amendment to the Constitution of the United States, including the freedoms of speech, assembly, press, and religion, except when: (1) Specifically authorized by statute; (2) Expressly authorized by the individual, group of individuals, or association on whom the record is maintained; or (3) The record is pertinent to and within the scope of an authorized law enforcement, intelligence collection, or counterintelligence activity.

d. Have adequate procedures to receive, investigate, respond to, and redress complaints from individuals who allege that the DoD has violated their privacy or civil liberties.

e. Prohibit reprisals or the threat of reprisals against individuals who make complaints or disclose information that indicates a possible violation of privacy protections or civil liberties in the administration of the programs and operations of the Federal Government.

My Signature indicates I have read and understood the training on Intelligence Oversight.

Signature: __________________________________________ Date: ______________

Name (Printed):______________________ SECTION: ______________

Email: ____________________________________________

Submit the signed and completed form to your IOO as directed by your command. If you have questions, contact your Intelligence Oversight Officer.

Version Date: 23 Jan 18 with OPLAW edits

NOTE: The following pages are useful tools/references and are not required for the training.


UNCLASSIFIED ARCYBER IOPM USPI Handling Guidance, 7 Dec 2017

M Spears, ARCYBER IOPM

A useful tool for Marking Documents containing US Persons Information (based on DIA marking standards).

Many in the community assume or believe that you cannot collect on a US Person; that is not true. DoDM 5240.01, AR 381-10, etc. are permissive documents that establish the how, in other words the rules of the road. Procedures exist with respect to the ability of U.S. intelligence agencies to collect, retain, and disseminate U.S. Person Information (USPI); therefore, consideration and potential legal review of ARCYBER’s handling of such information is necessary to guarantee appropriate use of the USPI for ARCYBER’s Foreign Intelligence (FI) and Counterintelligence (CI) missions.

DoDM 5240.01

• Establishes procedures to enable DoD to conduct authorized intelligence activities in a manner that protects the constitutional and legal rights and the privacy and civil liberties of U.S. persons. DoD authorized intelligence activities are foreign intelligence and counterintelligence (CI) activities unless otherwise specified in DoDM 5240.01.

• Authorizes the Defense Intelligence Components to collect, retain, and disseminate information concerning U.S. persons in compliance with applicable laws, Executive orders, policies, and regulations.

ARCYBER has a responsibility to protect USPI in its possession, in both electronic repositories and hard copies. Appropriate handling is reliant upon accurate markings indicating the presence of USPI, warnings to handle USPI correctly, and limiting retained USPI to only that which is necessary when disseminating material. ARCYBER civilian employees, military service members, and contractors must be sensitive to the possibility of inappropriate access to USPI, and take appropriate precautions to avoid its occurrence.

Applicability: To collected information, regardless of the manner in which it is collected, the source of the information, or the medium by which it was collected. This guidance applies to all intelligence collection activities such as Human Intelligence, Open Source intelligence, and the use of Publicly Available Information (PAI), commercially acquired data, or commercially available imagery. It also applies to intelligence information containing any specifically identifiable USPER data collected by ARCYBER, regardless of how it is collected or by whom, regardless of whether ARCYBER ultimately retains the information.

ARCYBER personnel must take reasonable steps to protect any collected USPI from potential misuse. Materials containing USPI must be handled in a way that limits the exposure of the USPI to only those ARCYBER personnel with an authorized mission and function related to the information. It is incumbent on all ARCYBER personnel reviewing a document containing USPI for use in producing intelligence to ensure they have an authorized function that requires reviewing the document before doing so.

ARCYBER personnel must clearly mark collected material with any known or suspected USPI. The marking must affirm the USPI was collected appropriately, the document contains or may contain USPI, and that the material must be handled in a way that limits the exposure of the USPI.
All ARCYBER personnel collecting USPI must consider minimizing USPI to the extent possible while still providing a full understanding of the reported intelligence information and an assessment of its contents upon review. The specific marking caveats for material that includes minimized USPI will contain a point of contact in case the report consumer needs to unmask the USPI to fully assess the report. Once the collector has evaluated the USPI and determined it meets criteria for permanent retention, the individual must retain the material in a way that protects the USPI while supporting subsequent unmasking requests from consumers.

Purpose of Intelligence Collection: Bottom Line, you must have a valid mission and requirement to collect, and all intelligence collection must have a foreign intelligence or counterintelligence connection (nexus). (Mission, authority and purpose) Remember, information is only collected once. If you are the collector, you must have the mission, authority and purpose to collect.

Intentional Collection of USPI. An Intelligence Component may intentionally collect USPI only if the information sought is reasonably believed to be necessary for the performance of an authorized intelligence mission or function assigned to the Component, and the USPI falls within one of the 13 categories in DoDM 5240.01. If you collect USPI, it must be marked to identify the data and warn others that it is there. Then you must make a retention decision (temporary or permanent).

Dissemination of USPI: Information may be disseminated only if it was properly collected or retained in accordance with DoDM 5240.01 Procedures 2 or 3. This procedure applies to USPI in any form, including physical and electronic files and information a Component places in databases, on websites, or in shared repositories accessible to other persons or organizations outside the Component. If you disseminate, you must ensure any USPI is marked (unmasked USPI) or masked.

As ARCYBER personnel evaluate or review collected material and encounter USPI, they must consider minimizing the USPI when disseminating the material. Minimization is the process of substituting a generic description of a USPER in place of specific USPI. For example, "A named USPER" in lieu of "Robert Smith."
If the material can still be assessed and understood with minimized USPI, the individual must minimize the USPI contained in the material. When minimizing USPI, individuals creating documents will indicate the name, organization, and contact information for a POC for authorized personnel to request and obtain the unminimized information if needed. An authorized requestor must formally request access to the unminimized USPI, describe a valid, clearly defined mission need for the USPI, and must state in writing why the need cannot be met without the unminimized USPI. The release of minimized USPI must be discussed with the SJA and the IOPM/IOO to ensure appropriate civil liberties implications are considered and documented.

Use of unminimized USPI. If the collected information cannot be understood or assessed for intelligence value when the USPI is minimized, ARCYBER personnel may include unminimized USPI in intelligence reporting. This is permissible only to the extent required to understand or assess the information. The material must be marked to indicate the presence of USPI and the specific USPI must have its own marking. Prior to disseminating unmasked USPI, you must make a determination that each receiver of the product has a valid need to know the unmasked USPI. If not, then you must mask for any recipients who do not need to know.


• DoDM 5240.01: To the extent practicable, a Defense Intelligence Component should not include USPI in a dissemination (other than a dissemination pursuant to DoDM 5240.01 Paragraph 3.4.c.(1) or (2)) if the pertinent information can be conveyed in an understandable way without including the identifying information.

• If a dissemination includes USPI, the disseminating Component will notify the recipient so the recipient can protect the USPI appropriately.

Do not confuse dissemination (Procedure 4) with Procedure 2, Collection of USPI: A Defense Intelligence Component may intentionally collect USPI only if the information sought is reasonably believed to be necessary for the performance of an authorized intelligence mission or function assigned to the Component, and the USPI falls within one of the 13 categories.

MARKING USPI: Recommended method for marking USPI (follows DIA procedure).

Marking documents internal to a command with USPI (not disseminated outside the command): Insert this as a header and footer in your document.

“This report or its enclosure(s) is intended for the internal use of ARCYBER and contains U.S. Person Information that has been deemed necessary for the intended mission need to understand, assess, or act on the information provided, in accordance with (IAW) DoD Manual 5240.01 and Executive Order 12333. Do not disseminate outside of ARCYBER without an intelligence oversight review and application of appropriate minimization procedures.”

Marking disseminated report with USPI: Insert this as a header and footer in your document.

“This product contains U.S. Person Information (USPI) that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided, in accordance with (IAW) the Department of Defense Manual 5240.01 and Executive Order 12333. It should be handled IAW recipient's intelligence oversight and information handling procedures.”

Minimized report (USPI masked): Insert this as a header and footer in your document.

“This product contains US Person Information that has been minimized. Should you require the specific USPI for an authorized mission need, contact [ARCYBER element], Secure [ARCYBER element secure phone number], commercial [ARCYBER element commercial phone number], or DSN [ARCYBER element, DSN phone number], or email [ARCYBER element's email address, if available].”

Unevaluated collection that is likely to contain USPI: Insert this as a header and footer in your document.

“This report, or its enclosure(s), may contain U.S. Person Information collected in accordance with (IAW) DoD Manual 5240.01 and Executive Order 12333. It should be handled IAW the recipient's intelligence oversight or information handling procedures.”

STANDARDIZED REPORTS: When a standardized report format does not include a field to indicate the presence of USPI, the author must indicate the presence of the USPI in both the summary and comments. Include the following in the summary, in bold:

"This report, or its enclosures, contains USPI. See reporter comments."

Include the following in comments section, in bold:

"This report or its enclosure(s) contains U.S. Person Information that has been deemed necessary for the intended mission need to understand, assess, or act on the information provided, in accordance with (IAW) DoD Manual 5240.01 and Executive Order 12333. It should be handled IAW the recipient's intelligence oversight or information handling procedures."

Intelligence Reporting Likely to Contain USPI. Due to the possibility of and evaluation requirements for incidental collection of USPI, ARCYBER personnel must warn readers when it is reasonably believed to be present. When the likelihood of USPI exists, mark the material to indicate the possible presence of USPI.

Other Intelligence Reports. For lengthy written analytical products containing USPI, place a box under the SUBJECT line with the ARCYBER element's name.

"This product contains U.S. Person Information (USPI) that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided, in accordance with (IAW) the Department of Defense Manual 5240.01 and Executive Order 12333. It should be handled IAW recipient's intelligence oversight and information handling procedures."

Slides: When a briefing contains USPI, the title page must include a caveat indicating the presence of USPI in the briefing.

"This briefing contains U.S. Person Information collected in accordance with (IAW) DoD Manual 5240.01 and Executive Order 12333. It should be handled IAW the recipient's intelligence oversight or information handling procedures."

Subsequent individual slides containing USPI will be marked in a manner similar to the title page, but addressing the specific slide. The specific USPER or USPI will be marked.

"This slide contains U.S. Person Information collected in accordance with (IAW) DoD Manual 5240.01 and Executive Order 12333. It should be handled IAW the recipient's intelligence oversight or information handling procedures."

EMAIL Subject LINE: Rovian Nuclear Intentions (Contains USPI)

If disseminating USPI in the body of an email or within an attachment to an email, the email title must indicate USPI is contained.

General: When a USPER is identified in reporting, a caveat must immediately precede the name. If there are multiple USPERs included, the caveats must be numbered. Other USPI associated with these USPERs will be marked immediately prior to the information.

Specific name of USPER. When one specific USPER is named, the author will place a caveat immediately preceding the name, in bold, to indicate the person's status as a USPER.

"... (USPER) Robert R. Smith."

When more than one USPER is named, the caveat will include a number based on when the person appears in the material.

"... (USPER 1) Robert R. Smith met (USPER 2) John A. Doe."

If a specific topic area requires a particular caveat, personnel will follow that guidance, e.g. the use of USPI in intelligence reporting related to hostage and detainee cases.

Specific Article of USPI. Specific articles of USPI, other than the name of the USPER, will be preceded by an annotation, in bold, that the item is USPI.

"... (USPER) Robert R. Smith uses telephone number (USPI) (000) 555-1234."

Overall Document Marking. For documents containing USPI, the overall document will have a short caveat on the front cover or first page notifying prospective recipients of the presence of USPI and advising them to follow their agency's policies and procedures for handling such information. The author must include the date of the collection or acquisition of the information.

Intelligence Documents Containing Minimized USPI. In many cases, intelligence products contain information about specific USPERs that has been minimized to avoid the presence of specific USPI. In those cases, the product will state that information has been minimized and provide a point of contact for formally requesting the USPI when there is an authorized mission need to do so.

"This product contains US Person Information that has been minimized. Should you require the specific USPI for an authorized mission need, contact [ARCYBER element], Secure [ARCYBER element secure phone number], commercial [ARCYBER element commercial phone number], or DSN [ARCYBER element, DSN phone number], or email [ARCYBER element's email address, if available]."

Protections for USPI. Intelligence Components will implement the following measures to protect USPI:

1. Limit access to and use of such information to those employees who have appropriate security clearances, accesses, and a mission requirement.

2. When retrieving information electronically:
a. Only use queries or other techniques that are relevant to the intelligence mission or other authorized purposes.
b. Tailor queries or other techniques to the greatest extent practicable to minimize the amount of USPI returned that is not pertinent to the intelligence mission and purpose for the query.
c. Establish written procedures to document the basis for conducting a query of unevaluated information that is intended to reveal USPI.
d. Take reasonable steps to audit access to information systems containing USPI and to periodically audit queries or other search terms to assess compliance with this issuance.
e. In developing and deploying information systems that are used for intelligence involving USPI, take reasonable steps to ensure effective auditing and reporting as required by this issuance.
f. Establish documented procedures for retaining data containing USPI and recording the reason for retaining the data and the authority approving the retention.
g. In accordance with DoD or Defense Intelligence Component policy, annually train employees who access or use USPI on the civil liberties and privacy protections that apply to such information.


3. Marking Electronic and Paper Files. Intelligence Components will use reasonable measures to identify and mark or tag files reasonably believed or known to contain USPI. Marking and tagging will occur regardless of the format or location of the information or the method of storing it. When appropriate and reasonably possible, Components will also mark files and documents containing USPI individually. In the case of certain electronic databases, if it is not reasonably possible to mark individual files containing USPI, Components may use a banner informing users before access that they may encounter USPI.

References:
DoDM 5240.01, Procedures Governing the Conduct of DoD Intelligence Activities, 8 Aug 16
DoDD 5248.13, Intelligence Oversight, 26 Apr 17
DoD Directive 5240.01, “DoD Intelligence Activities,” August 27, 2007, as amended
Executive Order 12333, “United States Intelligence Activities,” December 4, 1981, as amended
AR 381-10, U.S. Army Intelligence Activities, 3 May 2007
Army Directive 2017-037, U.S. Army Open Source Intelligence Activities (U/FOUO)
ARCYBER OPORD 2017-311, Open Source Intelligence Activities (S/NF)
Interim DIA USPI Handling Guidance, Undated.

Minimization - The process of replacing information about a specific United States Person (USPER) with a general descriptor; e.g. replacing "John A. Doe" with "a named U.S. Person."


ARCYBER INTELLIGENCE OVERSIGHT (IO) SMART CARD

JAN 2018

Congressional investigations into questionable activities of government intelligence components carried out in the 1960s and 1970s resulted in calls for increased oversight. The present IO regime enables DoD intelligence personnel to carry out their legitimate intelligence functions while protecting the constitutional rights and privacy of U.S. Persons. IO encompasses the effective implementation of all regulations, guidance, and procedures governing intelligence activities and civil liberties through advice, policy revision, assessments, training, and incident reporting.

Executive Order 12333, United States Intelligence Activities, empowers the intelligence community with the authority to carry out their official duties, limiting their roles and activities to protect the rights of U.S. Persons.

DoD Manual 5240.01, Procedures Governing the Conduct of DoD Intelligence Activities, implements part II of E.O. 12333 and governs the activities of DoD intelligence components as they pertain to the rights and privacy of U.S. Persons (Procedures 1-10).

DoD 5240.1-R, Procedures Governing the Activities of DoD Intelligence Components that Affect U.S. Persons, governs the activities of DoD intelligence components as they pertain to the rights and privacy of U.S. Persons (Procedures 11-15).

AR 381-10, U.S. Army Intelligence Activities, implements E.O. 12333, DoDM 5240.01, DoD 5240.1-R, DoDD 5148.11 and DoDD 5240.01 for the Army and applies to ALL Army military, civilian, and contractor personnel conducting intelligence activities under DoD’s authorities. Current 2007 version (under revision) does not incorporate DoDM 5240.01.

Procedure 1 General Provisions (Refer to DoDM 5240.01)
Procedure 2 Collection of U.S. Person Information (Refer to DoDM 5240.01)
Procedure 3 Retention of USPI (Refer to DoDM 5240.01; AR 381-10 Para 3.3.c remains in effect (Annual Review))
Procedure 4 Dissemination of USPI (Refer to DoDM 5240.01)
Procedure 5 Electronic Surveillance (Refer to DoDM 5240.01)
Procedure 6 Concealed Monitoring (Refer to DoDM 5240.01)
Procedure 7 Physical Searches (Refer to DoDM 5240.01)
Procedure 8 Searches of Mail and the Use of Mail Covers (Refer to DoDM 5240.01)
Procedure 9 Physical Surveillance (Refer to DoDM 5240.01; AR 381-10 Para 9-4 and 9-5.a remain in effect)
Procedure 10 Undisclosed Participation (UDP) in Organizations (Refer to DoDM 5240.01)
Procedure 11 Contracting for Goods and Services (AR 381-10)
Procedure 12 Assistance to Civilian Law Enforcement Authorities (AR 381-10)
Procedure 13 Experimentation on Human Subjects for Intelligence Purposes (AR 381-10)
Procedure 14 Employee Conduct (AR 381-10)
Procedure 15 Questionable Intelligence Activities (AR 381-10)
Chapter 16 Federal Crimes (AR 381-10)
Chapter 17 Force Protection, Multinational Intelligence Activities, Joint Intelligence Activities, and Other DoD Investigative Organizations (AR 381-10)

Guidance on presumptions is incorporated into the DoDM 5240.01 definition of U.S. person.

Procedure 1: General Provisions. Outlines the regulation's purpose, office responsibilities, limitations and restrictions, and administrative guidance.

Procedure 2: Collection of U.S. Person Information. Specifies the general criteria governing the collection of USPI. DoDM 5240.01 paragraphs 3.2.f. and 3.2.g. apply to the acquisition of information in accordance with Chapter 36 of Title 50, U.S.C., also known as the “Foreign Intelligence Surveillance Act (FISA).” “U.S. Persons” are defined as:

a. U.S. Citizens.
b. Permanent resident aliens (Green Card holders).
c. An unincorporated association substantially composed of (a) or (b).
d. A corporation if incorporated in United States and not directed or controlled by a foreign government.

KEY POINT: A person or organization in the United States is presumed to be a U.S. person, unless specific information to the contrary is obtained. Conversely, a person or organization outside the United States, or whose location is not known to be in the United States, is presumed to be a non-U.S. person, unless specific information to the contrary is obtained.

Under Procedure 2, a Defense Intelligence Component may intentionally collect USPI only if: the information is reasonably believed to be necessary to the conduct of an authorized mission or function assigned to the component; AND it falls into an authorized category below (DoDM 5240.01).

Intentional Collection of USPI

1. Publicly available - Information that is publicly available

2. Consensual - USPER consents to collection by MI personnel

3. Foreign intelligence - USPER working for a foreign power or engaged in international terrorist or international narcotics activities; USPER believed to be a POW or MIA; USPER who is a target/hostage/victim of an international terrorist or narcotics organization

4. Counterintelligence - USPERs reasonably believed to be engaged in Intel activities on behalf of a foreign power; USPERs reasonably believed to be engaged in international terrorist activities

5. Threats to safety - USPI required to protect the safety of any person or organization, if the threat has a foreign connection OR the DIC head/delegee has determined that a person’s life/physical safety is in imminent danger OR needed for maritime & aeronautical navigation safety

6. Protection of intelligence sources, methods and activities - USPI collection required to protect against unauthorized disclosure of intelligence sources & methods

7. Current, former, or potential source of assistance to intelligence activities - USPI about those who are or have been intelligence sources or sources of assistance

8. Persons in contact with sources or potential sources - USPI for the purpose of assessing suitability or credibility of sources or potential sources

9. Personnel security - USPER information from a lawful personnel security investigation

10. Physical security - Foreign connection AND threat to DoD personnel/installations/operations/visitors

11. Communications security investigation - USPI from a lawful COMSEC investigation

12. Overhead reconnaissance - USPER collection incidental to overhead recon operations

13. Administrative purposes - USPER information necessary for admin purposes

Key Points

Collection of USPI must be done only by persons assigned a lawful intelligence mission carrying out an assigned intelligence function, AND,

Collection must be done by the least intrusive means.

Procedure 3: Retention of USPI. USPI will be evaluated to determine whether it may be permanently retained. Two-part standard for permanent retention. Standards for temporary retention are based on collection type (intentional/incidental/voluntarily provided USPI/special circumstances collection) AND location of intended collection (CONUS vs OCONUS). Refer to DoDM 5240.01.

Procedure 4: Dissemination of USPI. USPI may only be disseminated by personnel trained on Procedure 4 AND if the information falls into one or more of the 9 categories listed in Section 3.4.c of DoDM 5240.01.

Procedures 5-10: Special Collection Techniques (Refer to DoDM 5240.01)

5 - Electronic Surveillance - *NSA/CSS directives take precedence over DoD 5240.1-R and AR 381-10, but not DoDM 5240.01.
6 - Concealed Monitoring
7 - Physical Searches
8 - Searches of Mail and the Use of Mail Covers
9 - Physical Surveillance
10 - Undisclosed Participation (UDP) in Organizations

Special collection techniques are used by operational personnel very familiar with these chapters, and having consulted Legal Counsel and IO personnel accordingly. All techniques must be approved by the appropriate authority BEFORE conducting the mission.

Procedure 11: Contracting for Goods and Services: Applies to MI personnel contracting with USPERs for the procurement of goods/services.

Procedure 12: Assistance to Civilian Law Enforcement Authorities (CLEA). With prior approval, MI may assist CLEA for the purposes of (1) investigating/preventing clandestine Intel activities of foreign powers, international narcotics, or international terrorists; (2) protecting DoD personnel, info, or property; or (3) preventing, detecting, or investigating other violations of law.

Procedure 14: Employee Conduct: You are liable for knowing & following all Intel regulations. All Intel component personnel will receive IO training within 30 days of assignment, and every 365 days thereafter. Report all QIA and Federal crimes to your IOO upon discovery. Personnel may remain anonymous and are protected from reprisal for reporting. Report QIA/SIGINT Incidents through OPCON Channels.

Online Training, tools, reporting, and regulations available at: Intel Oversight Portal at: https://army.deps.mil/Army/CMDS/ARCYBER/External/G2/IO/SitePages/Home.aspx and on the ARCYBER & 2A SIPR G2 Portal IO Page

Report SIGINT Incidents on the JWICS ARCYBER & 2A G2 IO Portal at: http://arcyber.army..ic.gov/G3/G32/IO/SitePages/Home.aspx

Internet Considerations: Internet Protocol information that is "not self-evidently associated with a U.S. person" may, depending upon the circumstances, meet the DoDM 5240.01's definition of U.S. Person Information (USPI). The standard set forth in the DoDM 5240.01's definition of USPI and the provisions addressing intentional and incidental collection and retention of USPI will be applied to the collection, retention, and dissemination of Internet Protocol information.

If you have Foreign Disclosure Questions go to the FDO Portal at: https://army.deps.mil/Army/CMDS/ARCYBER/External/G2/FDO/SitePages/Home.aspx

Procedure 15: Questionable Intelligence Activities. Report any questionable or illegal intelligence or intelligence-related activity upon discovery to the IOPM, unit Intelligence Oversight Officer, IG or chain of command. The report must reach DAIG (SAIG-IO) within 5 days of discovery. Examples include: misuse of CI Badge & Credentials or improperly including USPI in intel products.

Chapter 16: Federal Crimes. Report possible violations of federal law and all reportable federal crimes upon discovery. The report must reach DAIG within 5 days of discovery. Examples: espionage, sabotage, unauthorized disclosure of classified information. Some Federal Crimes are also reportable under Procedure 15; if so, explain why.

Chapter 17: Support to Force Protection. While working in multinational assignments, you may not conduct activities that violate U.S. laws or intelligence regulations, even if legal by the standards of other nations.

DTM 08-52: Significant or Highly Sensitive Matters. Report immediately by fastest means. Any development or circumstance involving Army Intelligence activities/personnel that could impugn the reputation or integrity, or call into question the propriety, of the intelligence community/activity. Example: May result in adverse media coverage; may impact foreign relations/partners, or identifying a sensitive source and method. Do not report routine security violations. Refer to DTM 08-052.

If you suspect a questionable activity or federal crime has been committed, or if you have any questions, contact your unit Intelligence Oversight Officer or Mr. Michael P. Spears, ARCYBER & 2A Intel Oversight Program Manager / Foreign Disclosure Officer (GG14-0132) at Phone: 703-706-2699, NIPR: [email protected]; SIPR: [email protected]

JWICS: [email protected]

Version: 12 Dec 2016