FOIPA adventures
coderman
2015-02-05 10:17:23 UTC
"you want me to consent to make my FBI file public? Are you fucking mad?"
- https://twitter.com/thegrugq/status/563036665837789184

---

i am currently making requests through MuckRock.com which i recommend
for their helpful and dedicated staff, as well as their time devoted
to review and reporting on released information.

i am using the professional service, which lets you set requests
private until reviewed and ready to release publicly. this implies a
bit of trust in MuckRock, and i hope it is not misplaced.

few years back i asked for participants in a similar effort. some
things resulted:

1) this also opens up the requester to risk; that is, whoever is
filing must also potentially show some trust, if a falsified DOJ-361
is sent and used as pretext to "deter" you. i have not heard of this
actually happening, but i was also not willing to push it.

'''beware who you accept, coder,
or they're setting you up for USC 18 fuckery.
sure, it may in the end be ok.
but you're in misery until cleared.'''

2) the information is going to be public; if you've got a file because
you're a privacy enthusiast, then filing to make your file public is
the opposite of enjoying your privacy. there is merit in taking one
for team earth human, however...

---

as a first report, deliveries of USPS forms DOJ-361 to multiple, and a
batch of three sent concurrently. two arrived promptly, but one got
scrutiny before leaving town (forms to FBI, perhaps related to ? :)


a) INTERPOL Washington FOIA Service Center
(202)-616-0201
U.S. Department of Justice
Washington, D.C. 20530
---
Form DOJ-361 sent, currently:
February 4, 2015 , 11:41 pm - Arrived at USPS Facility - WASHINGTON, DC 20066
Tracking Number: 9405510200829494303833


b) U.S. Department of Justice
United States Marshals Service
Office of General Counsel
Washington, DC 20530-1000
---
Form DOJ-361 sent, currently:
February 4, 2015 , 11:40 pm - Arrived at USPS Facility - WASHINGTON, DC 20066
"Your item arrived at our USPS facility in WASHINGTON, DC 20066 on
February 4, 2015 at 11:40 pm. The item is currently in transit to the
destination."
Tracking Number: 9405510200830593742348


c) Record/Information Dissemination Section (RIDS)
FBI-Records Management Division
170 Marcel Drive, Winchester, VA 22602-4843
---
Form DOJ-361 sent, currently:
February 3, 2015 , 6:15 pm - Arrived at USPS Origin Facility -
PORTLAND, OR 97218
"Your item arrived at our USPS origin facility in PORTLAND, OR 97218
on February 3, 2015 at 6:15 pm. The item is currently in transit to
the destination."
Tracking Number: 9405510200828494428195
[ i offered to send via FAX if mail was problematic and excessively latent. ]
coderman
2015-03-08 01:33:34 UTC
first responsive one to complete:

https://www.muckrock.com/foi/united-states-of-america-10/pet-15590/

"A search of the INTERPOL Washington indices produced 87 responsive
pages regarding the Tor Project. We have reviewed the pages and are
releasing 3 pages with partial redactions pursuant to Title 5, United
States Code, Section 552 and of the FOIA."

i'm not going to challenge the exception, but if anyone else cares to,
see the case above.

best regards,


P.S. originally i had included Tor devs on these requests, with an
offer like the one below. it turns out most of them have tried these
FOIPA requests before, and got the run-around or simple Glommar
responses. rather than demonstrate an ability for selective insanity,
i am carrying on with this muckrock experiment solo.

finally, i have come to the position that i like muckrock, and anyone
else who wants embargoes during requests should sign up a professional
account and support their good work!

--

<thanks, and>

I have a HUGE favor to ask of you!
and it involves multiple iterations of annoying paperwork. :/
[there are probably other reasons this is the worst request ever...]

Should you kindly agree to participate, you will mail multiple copies
of identification documents to various agencies. You will _not_ need to
pay any fees. I will reimburse you for shipping with tracking number
(prefer USPS priority with tracking #). Requests are hidden / embargoed
until approved for public release - you will review them before public.

This is in support of a project I describe below, using public records,
and inspired by Aaron's fearless advocacy for transparency.

I hope you consider participating!
- martin
grarpamp
2015-03-08 09:29:05 UTC
Post by coderman
got the run-around or simple Glommar
responses.
Actual spelling: Glomar
coderman
2015-03-08 11:45:16 UTC
Post by grarpamp
Post by coderman
got the run-around or simple Glommar
responses.
Actual spelling: Glomar
i can neither confirm nor deny that is the correct spelling. however,
this piece may be of interest ;)

https://nsarchive.wordpress.com/2014/02/11/neither-confirm-nor-deny-the-history-of-the-glomar-response-and-the-glomar-explorer/
coderman
2015-03-08 01:37:21 UTC
this one to the Office of the Director of National Intelligence (ODNI)
of the United States of America was outright rejected with Glommar
response. not going to push it further, for now.

https://www.muckrock.com/foi/united-states-of-america-10/pet-15591/
coderman
2015-03-08 01:40:18 UTC
also Glommar from the Department of Homeland Security, Office of
Intelligence & Analysis of the United States of America.

https://www.muckrock.com/foi/united-states-of-america-10/pet-15594/
coderman
2015-03-08 01:47:11 UTC
last but not least, some of the posed requests were deemed too broad
or undefined by the subject agency.

i asked for guidance through muckrock's internal forum system, but did
not receive useful replies (this community is pretty minuscule!)

future requests to be more laser targeted, and separate out Privacy
Act for individuals from general requests like Tor Project.

"effective FOIA's - art not science!"

:)
rysiek
2015-03-08 02:18:57 UTC
Post by coderman
last but not least, some of the posed requests were deemed too broad
or undefined by the subject agency.
i asked for guidance through muckrock's internal forum system, but did
not receive useful replies (this community is pretty minuscule!)
future requests to be more laser targeted, and separate out Privacy
Act for individuals from general requests like Tor Project.
"effective FOIA's - art not science!"
/me is lurking, this is relevant to his interests
--
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
Polity News
2015-03-08 20:51:54 UTC
If you receive a Glomar response to a FOIA request, you can use that to
file a Mandatory Declassification Review (MDR). You can request for the
records to be declassified and challenge the classification.

You have to make sure that you follow the correct procedure and appeal
to the ISCAP board in time.


Info on MDR appeals
http://www.archives.gov/declassification/iscap/mdr-appeals.html

Info on MDR
http://www2.gwu.edu/~nsarchiv/nsa/foia/foia_guide/foia_guide_chapter4.pdf

The NSA Archive has experience in filing MDRs
http://www2.gwu.edu/~nsarchiv/


On a side note, the US Navy, for months, lost my FOIA request about Tor
and the Navy finally transferred the request to the correct
department...where it continues to languish.
grarpamp
2015-03-08 21:33:14 UTC
Post by Polity News
file a Mandatory Declassification Review (MDR). You can request for the
It's amazing more people haven't found and used MDR.
There are also regulations / theory that specify things must
be declassified after certain time periods such as 30, 50,
and lifetime years. That's at least 1965 and newer, approaching
the edge of the modern spy, tech, and secrets game.
Also interesting that more people haven't tried pulling the
same inquiry or document a year or more apart to see if
excessive to context or pointless redactions differ (whether
by FOIA or MDR or both).
Polity News
2015-03-08 22:11:59 UTC
There is a public listserve for FOIA/MDR/Privacy Act issues. Just
remember that it is a public list though.

http://www.nfoic.org/foi-listserv
coderman
2015-04-03 23:04:43 UTC
Post by coderman
...
c) Record/Information Dissemination Section (RIDS)
FBI-Records Management Division
170 Marcel Drive, Winchester, VA 22602-4843
---
February 3, 2015 , 6:15 pm - Arrived at USPS Origin Facility -
PORTLAND, OR 97218
"Your item arrived at our USPS origin facility in PORTLAND, OR 97218
on February 3, 2015 at 6:15 pm. The item is currently in transit to
the destination."
Tracking Number: 9405510200828494428195
[ i offered to send via FAX if mail was problematic and excessively latent. ]
oddly enough, it appears this form disappeared?

i have un-embargo'd the request; unlikely to produce sensitive results:
https://www.muckrock.com/foi/united-states-of-america-10/pet-15589/
coderman
2015-04-03 23:25:33 UTC
Post by coderman
...
February 4, 2015 , 11:41 pm - Arrived at USPS Facility - WASHINGTON, DC
Tracking Number: 9405510200829494303833
February 4, 2015 , 11:40 pm - Arrived at USPS Facility - WASHINGTON, DC
Tracking Number: 9405510200830593742348
c) Record/Information Dissemination Section (RIDS)
... [FBI request https://www.muckrock.com/foi/united-states-of-america-10/pet-15589/ ]
February 3, 2015 , 6:15 pm - Arrived at USPS Origin Facility -
PORTLAND, OR 97218
"Your item arrived at our USPS origin facility in PORTLAND, OR 97218
on February 3, 2015 at 6:15 pm. The item is currently in transit to
the destination."
Tracking Number: 9405510200828494428195
[ i offered to send via FAX if mail was problematic and excessively latent. ]
what i meant by this, is that the DOJ form to FBI was mysteriously
delayed leaving Portland, while the others were unobstructed and
reached DC on opposite coast before form to FBI left PDX.

it now appears they "lost" the form and closed a bunch with
"Reasoning: No record letter mailed"

does this happen very frequently, i wonder? (i feel another FOIA coming on... :)
coderman
2015-04-05 02:29:06 UTC
Post by coderman
...
does this happen very frequently, i wonder?
i am content to let PA req stay nonexistent;

even better if i get my hw...

muckrock gets support even if i go on a FOIA vacation :P
coderman
2015-04-10 06:21:31 UTC
Post by coderman
...
i am content to let PA req stay nonexistent;
this was best addressed as a separate, dedicated effort, after all :P
https://www.muckrock.com/foi/united-states-of-america-10/foipa-17315/
[ not even gonna embargo this one ... ]

coordinating DoJ-361 through MuckRock.com this time, and legal muscle
on retainer specialized in FOIA/PA for the next steps... let's
experiment with goal: no redactions; fight all omissions!

.
.
.

game theory says just one a compromise; potential for beneficial
resolution. yet negative sums as counter signal also apply... stay
tuned for onion site additions; SDRs and sensors see as well as thwart
:)
coderman
2015-05-11 05:13:55 UTC
...
coordinating DoJ-361 through MuckRock.com this time, ...
MuckRock doesn't usually handle individual requests (PA w/ DoJ-361).
pursuing alternate tracks...

one of the completed FOIAs generated bemused nostalgia,
https://www.muckrock.com/news/archives/2015/may/06/def-cons-spot-fed-contest-sore-spot-feds/
coderman
2015-06-02 07:07:00 UTC
Post by coderman
...
MuckRock doesn't usually handle individual requests (PA w/ DoJ-361).
pursuing alternate tracks...
the adventure continues!
... signs point to file containing interesting aspects, given the
"soft" pressure to stymie it.


also filed two requests with department of state regarding my
complaint about technical surveillance at the hotel where myself and
others were staying in Paris during Tor dev conference 2014:

https://www.muckrock.com/foi/united-states-of-america-10/independence-embassy-18065/
https://www.muckrock.com/foi/united-states-of-america-10/independence-embassy-18066/


best regards,


P.S. active attacks against cisco VPN clients (for password recovery
targeting those who re-use passwords - which is none of us, right?) as
well as some fun DirtBox middle behavior obtained in trade. go
#FreeRedTeam! [spoiler alert, if you don't have a baseband friendly
to SnoopSnitch, there may be a way to use packet latency and loss to
identify likely Stingray vs. non-Stingray type tower hand-offs...]
coderman
2015-06-12 15:26:38 UTC
Post by coderman
...
also filed two requests with department of state regarding my
complaint about technical surveillance ...
latest requests testing specific device queries vs. general device
requests, and comparison between a few agencies.

specific DRT 1201 to FBI:
https://www.muckrock.com/foi/united-states-of-america-10/drtbox-18541/

generic "KingFish" to FBI, US Marshals, DEA respectively:
https://www.muckrock.com/foi/united-states-of-america-10/kingfishing-18594/
https://www.muckrock.com/foi/united-states-of-america-10/kingfishing-18595/
https://www.muckrock.com/foi/united-states-of-america-10/kingfishing-18596/


calling out aggressive tactics appears to have ceased aggressive tactics.

no update on progress for FBI file on my person.


best regards,
grarpamp
2015-06-12 23:42:33 UTC
Post by coderman
latest requests testing specific device queries vs. general device
requests, and comparison between a few agencies.
Differential analysis of FOI systems and doc probing... ftw.
coderman
2015-06-15 03:45:11 UTC
Post by grarpamp
...
Differential analysis of FOI systems and doc probing... ftw.
*grin*

the Sunday deluge a fun indicator of Monday morning processing delays,
or days? as per queue. sending all in a batch for e-delivery (except
CIA faxes!!) an interesting survey on responsiveness...

today's delivery:
"Any and all SKUs, Contracts, Invoices, Receipts, Billing Numbers,
Agreements, PO Numbers, for any services or goods purchased from
Boeing Corporation, including third party contract hours for training
or related services, regarding hardware to include Digital Signal
Processing (DSP) or Cell-site Simulators or Software Defined Radio
(SDR) base-stations, or Stingray-like pen/trace-trap devices, or other
radio surveillance technology, including technology formerly produced
by Digital Receiver Technology, Inc., also known as DRT Systems, now
part of Boeing, known to include the DRTBox, or DirtBox, or DirtBoxes
surveillance gear. Please include antenna systems and cable hardware,
as part of the radio systems to report on."

@FBI https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18708/
@USMarshals https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18709/
@DEA https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18710/
@ATF https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18711/
@CoastGuard https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18712/
@USSS https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18713/
@DoJ(crim. div.)
https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18714/
@CIA https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18715/
@NSA https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18716/
@StateDept https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18717/
@DoT https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18718/
@FinCen https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18719/
@HomeSec https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18720/
@NCSC https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18721/
@DSS https://www.muckrock.com/foi/united-states-of-america-10/dtbeboeingbox-18722/
@DoJ(natsec div.)
https://www.muckrock.com/foi/united-states-of-america-10/boeingbox-18723/
@INTERPOL https://www.muckrock.com/foi/united-states-of-america-10/boeingbox-18724/
@AirNatnlGuard
https://www.muckrock.com/foi/united-states-of-america-10/boeingbox-18725/
@Treasury-Offc.Intelligence&Analysis,Security
https://www.muckrock.com/foi/united-states-of-america-10/boeingbox-18726/


best regards,
coderman
2015-06-15 05:37:44 UTC
Post by coderman
...
the Sunday deluge a fun indicator of Monday morning processing delays,
or days? as per queue. sending all in a batch for e-delivery (except
CIA faxes!!) an interesting survey on responsiveness...
first to "Processing",
request to U.S. Department of the Treasury, Office of Intelligence
and Analysis, Office of Security Programs of the United States of
America.

... fitting. :)


best regards,
coderman
2015-06-20 06:38:35 UTC
Post by coderman
...
no update on progress for FBI file on my person.
added new language for request:

"Any and all records, including cross-references and indirect
mentions, including records outside the investigation main file. This
is to include a search of each of the following record stores and
interfaces: the Central Records System (CRS), the Automated Case
Support system ("ACS") Investigative Case Management system ("ICM"),
the Automated Case Support system ("ACS") Electronic Case File
("ECF"), and the Automated Case Support system ("ACS") Universal Index
("UNI"). I also request a search of "ELSUR", the database containing
electronic surveillance information, for any and all records or
activities related to my person for any on-line account or address or
associated service. In addition, please extend the search criteria
across any external storage media, including I-Drives, S-Drives, or
related technologies used during the course of investigation. Please
include processing notes, even if request is denied in part. Please
identify individuals responsible for any aspect of FOIA processing in
the processing notes, along with explanation of their involvement if
not typically assigned FOIA responsibilities for the record systems
above. Please include materials responsive to this request from the
San Francisco, California and Oregon field offices if possible, to
reduce overlap with field office requests."

as per https://www.muckrock.com/foi/united-states-of-america-10/foipa-17315/


this language is based on an article regarding an FBI FOIA legal
contest. see https://www.rcfp.org/browse-media-law-resources/news/foia-trial-offers-rare-look-how-fbi-searches-records-responds-reques

note that individual field offices may need to be queried
individually, and directly. currently MuckRock does not support
requests to FBI field offices in this manner.



i have date/times, locations, context for interactions with FBI back
to 2001; these intrusions which are the subject of the FOIA/PA search.
we'll see what it takes to get them... :P


best regards,
coderman
2015-06-25 06:06:36 UTC
...
regarding the shenanigans with post and processing,

https://s3.amazonaws.com/s3.documentcloud.org/documents/2110787/leopold-obrien-foia-lawsuit-jacob-applebaum.pdf

describes some mis-directed replies, and other run around.

see:

Alexa O'Brien @carwinb
***@JasonLeopold) and I (rep'd by atty @_LightLaw) just filed lawsuits
for @ioerror records with 19 federal agencies.
- https://twitter.com/carwinb/status/613889838748708865

Jason Leopold @JasonLeopold
***@carwinb & I just filed a #FOIA lawsuit vs NSA, CIA, et al, for their
files on @ioerror, who signed privacy waiver
- https://twitter.com/JasonLeopold/status/613888586962890753


best regards,
coderman
2015-06-25 06:39:21 UTC
FOIAs to State Dept. about my complaint at Paris Embassy (yes, that
one :) rejected along with a separate FOIA to Bureau of Consular
Affairs within State Dept.

they don't use form DoJ-361 for identity attestation, but their own
things, including a form


https://www.muckrock.com/foi/united-states-of-america-10/independence-embassy-18065/
and second to Consular Affairs:
https://www.muckrock.com/foi/united-states-of-america-10/independence-embassy-18066/



... punctuated joys, many long silences, occasional crushing by bureaucracy.
FOIPA adventures, indeed!



best regards,
coderman
2015-06-25 06:41:14 UTC
FOIAs to State Dept. ... don't use form DoJ-361..., but their own
things, including a form
State Department form DS-4240 -^
coderman
2015-07-08 11:32:09 UTC
for all of you driving vehicles with hundreds of global variables
around weird machines radio linked to strange networks,

the following new FOIAs:

https://www.muckrock.com/foi/united-states-of-america-10/badaccel-19510/
@FBI
Use of Sudden unintended acceleration (SUA) or Unintended acceleration
in the commission of a crime, including premeditated offenses of any
kind. Please include suspicion of Sudden unintended acceleration (SUA)
or suspicion of Unintended acceleration within the scope of this
request, even if alternate cause determined. This search is to include
any and all records, including cross-references and indirect mentions,
including records outside the investigation main file. This is to
include a search of each of the following record stores and
interfaces: the Central Records System (CRS), the Automated Case
Support system ("ACS") Investigative Case Management system ("ICM"),
the Automated Case Support system ("ACS") Electronic Case File
("ECF"), and the Automated Case Support system ("ACS") Universal Index
("UNI"). Please include processing notes, even if request is denied in
part. Please identify individuals responsible for any aspect of FOIA
processing in the processing notes, along with explanation of their
involvement if not typically assigned FOIA responsibilities for the
record systems above.


@DoT
https://www.muckrock.com/foi/united-states-of-america-10/badaccel-19509/


best regards,
John Young
2015-07-08 12:33:53 UTC
Quite nice compilation of sources configured to evade
FOIA. Ever finer feigning requires ever finer seining.

Paraphrasing Charles Murray, "US's ever more manipulable
legal system and ever increasing government regulations are
essentially lawless. When governments transgress citizens'
rights, revolution is not treason but the people's duty."
Post by coderman
for all of you driving vehicles with hundreds of global variables
around weird machines radio linked to strange networks,
https://www.muckrock.com/foi/united-states-of-america-10/badaccel-19510/
@FBI
Use of Sudden unintended acceleration (SUA) or Unintended acceleration
in the commission of a crime, including premeditated offenses of any
kind. Please include suspicion of Sudden unintended acceleration (SUA)
or suspicion of Unintended acceleration within the scope of this
request, even if alternate cause determined. This search is to include
any and all records, including cross-references and indirect mentions,
including records outside the investigation main file. This is to
include a search of each of the following record stores and
interfaces: the Central Records System (CRS), the Automated Case
Support system ("ACS") Investigative Case Management system ("ICM"),
the Automated Case Support system ("ACS") Electronic Case File
("ECF"), and the Automated Case Support system ("ACS") Universal Index
("UNI"). Please include processing notes, even if request is denied in
part. Please identify individuals responsible for any aspect of FOIA
processing in the processing notes, along with explanation of their
involvement if not typically assigned FOIA responsibilities for the
record systems above.
@DoT
https://www.muckrock.com/foi/united-states-of-america-10/badaccel-19509/
best regards,
coderman
2015-07-11 01:42:41 UTC
fun friday FOIA denials:

FU from FBI:


Rejected
DRTBox
Martin Peck made this request to Federal Bureau of Investigation of
the United States of America.
- https://www.muckrock.com/foi/united-states-of-america-10/drtbox-18541/


Rejected
DRTBeBoeingBox
Martin Peck made this request to Federal Bureau of Investigation of
the United States of America.
- https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18708/


Rejected
KingFishing
Martin Peck made this request to Federal Bureau of Investigation of
the United States of America.
- https://www.muckrock.com/foi/united-states-of-america-10/kingfishing-18594/


don't think that's the end :P



best regards,
coderman
2015-07-12 07:33:55 UTC
ready to spend a fortune to see this through.

next move FBI?

https://www.muckrock.com/foi/united-states-of-america-10/metadataz-19638/
"""
FOIA processing notes associated with requests #1331086-000,
#1331360-000, #1331082-000. Please include processing notes for this
request, even if request is denied in part. Please identify
individuals responsible for any aspect of FOIA processing in the
processing notes, along with explanation of their involvement if not
typically assigned FOIA responsibilities for the record systems above.
"""
Post by coderman
Rejected
DRTBox
Martin Peck made this request to Federal Bureau of Investigation of
the United States of America.
- https://www.muckrock.com/foi/united-states-of-america-10/drtbox-18541/
Rejected
DRTBeBoeingBox
Martin Peck made this request to Federal Bureau of Investigation of
the United States of America.
-
https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18708/
Rejected
KingFishing
Martin Peck made this request to Federal Bureau of Investigation of
the United States of America.
-
https://www.muckrock.com/foi/united-states-of-america-10/kingfishing-18594/
don't think that's the end :P
best regards,
grarpamp
2015-07-12 22:16:30 UTC
Post by coderman
ready to spend a fortune to see this through.
http://yro.slashdot.org/story/15/07/12/1449252/making-foia-requested-data-public-too-much-transparency-for-journalists
Post by coderman
FOIA processing notes associated with requests #1331086-000,
#1331360-000, #1331082-000. Please include processing notes for this
request, even if request is denied in part. Please identify
individuals responsible for any aspect of FOIA processing in the
processing notes, along with explanation of their involvement if not
typically assigned FOIA responsibilities for the record systems above.
lol.
coderman
2015-07-15 09:10:13 UTC
two new for DOCSIS tech @FBI, @CIA:

"Any and all "DOCSIS" technology records, including cross-references
and indirect mentions, including records outside the investigation
main file. This is to include a search of each of the following record
stores and interfaces: the Central Records System (CRS), the Automated
Case Support system ("ACS") Investigative Case Management system
("ICM"), the Automated Case Support system ("ACS") Electronic Case
File ("ECF"), and the Automated Case Support system ("ACS") Universal
Index ("UNI"). I also request a search of "ELSUR", the database
containing electronic surveillance information, for any and all
records or activities related to "DOCSIS" or "DOCSIS intercept" or
"DOCSIS access" technology. In addition, please extend the search
criteria across any external storage media, including I-Drives,
S-Drives, or related technologies used during the course of
investigation involving Cable internet data services. DITU
experimental technologies or research also within scope of this
request. Please include processing notes, even if request is denied in
part. Please identify individuals responsible for any aspect of FOIA
processing in the processing notes, along with explanation of their
involvement if not typically assigned FOIA responsibilities for the
record systems above."
- https://www.muckrock.com/foi/united-states-of-america-10/indocsis-19725/

"Any and all records, receipts, training, technology transfer
programs, research, evaluation technologies, or other materials
relevant to "DOCIS" cable communication technology. This is to include
"DOCSIS 1.0", "DOCSIS 2.0", "DOCSIS 3.0", and other relevant DOCSIS
protocols."
- https://www.muckrock.com/foi/united-states-of-america-10/indocsisxfer-19726/
Are they giving reasons for the rejections?
"What Is the Big Secret Surrounding Stingray Surveillance?"
-
http://www.scientificamerican.com/article/what-is-the-big-secret-surrounding-stingray-surveillance/
---
What Is the Big Secret Surrounding Stingray Surveillance?
State and local law enforcement agencies across the U.S. are setting
up fake cell towers to gather mobile data, but few will admit it
By Larry Greenemeier | June 25, 2015
Stung: Law enforcement agencies sometimes use a device called a
stingray to simulate a cell phone tower, enabling them to gather
international mobile subscriber identity (IMSI), location and other
data from mobile phones connecting to them. Pictured here is an actual
cell tower in Palatine, Ill.
Given the amount of mobile phone traffic that cell phone towers
transmit, it is no wonder law enforcement agencies target these
devices as a rich source of data to aid their investigations. Standard
procedure involves getting a court order to obtain phone records from
a wireless carrier. When authorities cannot or do not want to go that
route, they can set up a simulated cell phone tower—often called a
stingray—that surreptitiously gathers information from the suspects in
question as well as any other mobile device in the area.
These simulated cell sites—which collect international mobile
subscriber identity (IMSI), location and other data from mobile phones
connecting to them—have become a source of controversy for a number of
reasons. National and local law enforcement agencies closely guard
details about the technology’s use, with much of what is known about
stingrays revealed through court documents and other paperwork made
public via Freedom of Information Act (FOIA) requests.
One such document recently revealed that the Baltimore Police
Department has used a cell site simulator 4,300 times since 2007 and
signed a nondisclosure agreement with the FBI that instructed
prosecutors to drop cases rather than reveal the department’s use of
the stingray. Other records indicate law enforcement agencies have
used the technology hundreds of times without a search warrant,
instead relying on a much more generic court order known as a pen
register and trap and trace order. Last year Harris Corp., the
Melbourne, Fla., company that makes the majority of cell site
simulators, went so far as to petition the Federal Communications
Commission to block a FOIA request for user manuals for some of the
company’s products.
The secretive nature of stingray use has begun to backfire on law
enforcement, however, with states beginning to pass laws that require
police to obtain a warrant before they can set up a fake cell phone
tower for surveillance. Virginia, Minnesota, Utah and Washington State
now have laws regulating stingray use, with California and Texas
considering similar measures. Proposed federal legislation to prevent
the government from tracking people’s cell phone or GPS location
without a warrant could also include stingray technology.
Scientific American recently spoke with Brian Owsley, an assistant
professor of law at the University of North Texas Dallas College of
Law, about the legal issues and privacy implications surrounding the
use of a stingray to indiscriminately collect mobile phone data. Given
the invasive nature of the technology and scarcity of laws governing
its use, Owsley, a former U.S. magistrate judge in Texas, says the
lack of reliable information documenting the technology’s use is
particularly troubling.
[An edited transcript of the interview follows.]
When and why did law enforcement agencies begin using international
cell site simulators to intercept mobile phone traffic and track
movement of mobile phone users?
Initially, intelligence agencies—CIA and the like—couldn’t get local
or national telecommunications companies in other countries to
cooperate with U.S. surveillance operations against nationals in those
countries. To fill that void companies like the Harris Corp. started
creating cell site simulators for these agencies to use. Once Harris
saturated the intelligence and military markets [with] their products,
they turned to federal agencies operating in the U.S. So the [Drug
Enforcement Administration], Homeland Security, FBI and others started
having their own simulated cell sites to use for surveillance.
state and local law enforcement. That’s where we are today in terms of
the proliferation of this technology.

Under what circumstances do U.S. law enforcement agencies use cell
site simulators and related technology?

There are three examples of how law enforcement typically use
stingrays for surveillance: First, law enforcement officials may use
the cell site simulator with the known cell phone number of a targeted
individual in order to determine that individual's location. For
example, officials are searching for a fugitive and have a cell phone
number that they believe the individual is using. They may operate a
stingray near areas where they believe that the individual may be,
such as a relative's home.

Second, law enforcement officials may use the stingray to target a
specific individual who is using a cell phone, but these officials do
not know the cell phone number. They follow the targeted individual
from a site to various other locations over a certain time period. At
each new location, they activate the stingray and capture the cell
phone data for all of the nearby cell phones. After they have captured
the data at a number of sites they can analyze the data to determine
the cell phone or cell phones used by the targeted individual. This
approach captures the data of all nearby cell phones, including
countless cell phones of individuals unrelated to the criminal
investigation.

Third, law enforcement officials have been known to operate stingray
at political rallies and protests. Using the stingray at these types
of events captures the cell phone data of everyone in attendance.

How does law enforcement get permission to perform this type of
surveillance?

Federal law enforcement agencies typically get courts to approve use
of something like stingray through a pen register application [a pen
register is a device that records the numbers called from a particular
phone line]. With that type of application, essentially the government
says, we want this information. We think it’s going to be relevant to
an ongoing criminal investigation. As you can imagine, that’s a pretty
low bar for them to satisfy in the eyes of the court. Just about
anything could fit into that description. You don’t even have to show
that such an investigation would lead to an arrest or prosecution. Law
enforcement is telling the court, look, we’re in the middle of this
investigation. If we get this information, we think it might lead to
some other important information.

Different court orders have different standards for approval. The
highest standard would be for a wiretap. A search warrant likewise has
a much higher standard than a pen register, requiring law enforcement
to prove probable cause before a judge will grant permission to use
additional means of investigation. The problem that I have with a pen
register to justify use of something like a stingray is that the
standard for a pen register is much too low, given the invasive nature
of a pen register. Instead, I think the use of a stingray should be
consistent with the Fourth Amendment of the Constitution and pursuant
to a search warrant.

Why not explicitly state the type of technology being used and its
specific purpose when filing for a court order?

[When] law enforcement agencies seek to obtain judicial authorization
through a pen register, they do not directly indicate that they are
applying for authorization to use a stingray. Doing so might cause
some courts to question whether the pen register statute [as opposed
to some higher standard] is the appropriate basis for authorizing a
stingray. In addition, law enforcement agencies typically have to sign
nondisclosure agreements with Harris Corp. in order to receive the
federal Homeland Security funding needed to purchase the technology.
So there’s this concern, at least at the local law enforcement level,
about revealing any information about it because that would violate
the agreement with Harris and maybe subject them to losing the
equipment or some other consequences.

Why would law enforcement agencies sign a nondisclosure agreement with
a technology company?

I’m not sure whether the agreements are being driven by the FBI or by
Harris, but these agreements seem to be getting less relevant insofar
as [there is less] need to keep the public unaware of the existence of
this technology. In the last three or so years there’s been a lot more
awareness about the technology and its use. When agencies were first
signing these agreements years ago, use of this technology wasn’t
widely known. Now you are getting situations where criminal defense
attorneys learn about stingray and similar technologies and the role
they may be playing in the arrests of some of their clients. Defense
teams are starting to ask questions and require the government to
produce documentation such as court orders, and that’s creating the
confrontation you’re now seeing.

Why have law enforcement agencies kept their use of cell site
simulators so secretive?

Some of it is the cloudy legal issues surrounding the legitimate uses
of this technology. Law enforcement agencies will also argue that the
more information that’s available about this technology, the harder it
is for them to use these devices to fight crime. Yet there’s a growing
knowledge of this technology, and a serious criminal enterprise is
already aware of it. People are already using prepaid disposable
phones [sometimes referred to as “burner phones”] to some extent to
defeat this technology. Sophisticated criminals are aware that there’s
electronic surveillance out there in myriad ways, and so they’re going
to take precautions. From a technology perspective, it’s sort of a
cat-and-mouse game. There’s also a device that locates cell site
simulators, something referred to as an IMSI catcher. There’s an arms
race back and forth to get the best technology and to get the edge.

What does it say to you about the whole process that a prosecutor or a
law enforcement agency is willing to sacrifice a conviction in order
to keep their methods a secret?

I think it’s a very odd approach. You are throwing away some
convictions or potential convictions for the sake of secrecy. But it’s
even harder to understand now that knowledge of the technology is
becoming so common. There have been documented cases in Baltimore and
Saint Louis where stingray has supposedly been used. The use of
stingray and related technologies is a roll of the dice in the sense
that law enforcement is hoping that either the defense attorneys don’t
have enough savvy or wherewithal to find out about the technology and
ask the right questions or, even if that does happen, they’re hoping
that the judge that they have is favorable to their approach and not
going to order them to reveal information about its use. In the rare
occasions when things go against them, they just dismiss it.

You yourself denied a law enforcement application three years ago to
use a stingray. Under what circumstances would you approve its use?

I want to make clear: I don’t have a problem with stingray itself—I
understand that this can be a valuable tool in law enforcement’s
arsenal. My problem is that I want it to be used pursuant to a high
standard of proof that it’s needed, and that I want the approval
process to be more transparent. One of the reasons I’d like to see
some more documentation of stingray applications and orders is because
I have this suspicion—but there’s no way of confirming it one way or
another—that some judges are signing approvals to use this technology
thinking that they’re just signing a pen register. If a judge thinks
it’s [just] another pen register application, they’re just going to
sign it without giving it much pause.

Now that the use of stingrays and related technologies has been
made public, where will this issue be a year or a few years from now?

A year from now I think we’re in the same position. You’re dealing
with outdated statutes concerning new and very different technology.
It’s possible in five years maybe that Congress will step in and do
something. More likely, state legislatures will take most of the
action to monitor this type of surveillance. Washington State,
California [and others] have already acted, and Texas is evaluating
the standards for approving stingray use.
coderman
2015-07-15 09:37:22 UTC
and three appeals of rejected @FBI:
(my first appeal(s)! :)


"The number of Digital Receiver Technology units model DRT 1201 used
by, or owned or leased by the agency."
- https://www.muckrock.com/foi/united-states-of-america-10/drtbox-18541/

"The number of Harris Corporation KingFish systems/devices used by, or
owned or leased by the agency."
- https://www.muckrock.com/foi/united-states-of-america-10/kingfishing-18594/

"Any and all SKUs, Contracts, Invoices, Receipts, Billing Numbers,
Agreements, PO Numbers, for any services or goods purchased from
Boeing Corporation, including third party contract hours for training
or related services, regarding hardware to include Digital Signal
Processing (DSP) or Cell-site Simulators or Software Defined Radio
(SDR) base-stations, or Stingray-like pen/trace-trap devices, or other
radio surveillance technology, including technology formerly produced
by Digital Receiver Technology, Inc., also known as DRT Systems, now
part of Boeing, known to include the DRTBox, or DirtBox, or DirtBoxes
surveillance gear. Please include antenna systems and cable hardware,
as part of the radio systems to report on."
- https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18708/
coderman
2015-07-16 07:45:47 UTC
new reqs:
"Count of "Hardware Security Module", "HSM", "Cryptographic
Accelerator", or "VPN Accelerator" devices or equivalent in use or
purchased by the department. This is to include devices which are
incorporated into larger computing facilities such as databases,
servers, switches, and routers. Please include processing notes for
this request, even if request is denied in part."

@FBI https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-19755/
@CIA https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-19756/
@DoJ https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-19757/
@DoD-OIG https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-19758/
@DoD-SecDef https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-19759/
@DHS https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-19760/
@USSS https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-19761/


best regards,
coderman
2015-07-16 09:33:38 UTC
moar new reqs:
"The number of "HotPlug" forensic power override devices or
equivalent in use or purchased by the Bureau. This is to include
official CRU® WiebeTech® HotPlug™ systems or equivalent forensic power
override systems by other suppliers. Please include processing notes
for this request, even if request is denied in part."

@FBI https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/
@CIA https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19763/
@DEA https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19764/
@DHS https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19765/
@DoD-OIG https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19766/
@DoD-SecDef https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19767/
@USSS https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19768/


best regards,
coderman
2015-07-19 02:26:33 UTC
this new request i vote most likely to take longest time to fulfill :)

"Any and all records, reports, tasking, mitigations, redesigns,
post-mortems, and any other responsive materials related to compromise
of "Tor" and/or "Tor Browser Bundle" and/or "Tor Vidalia Bundle"
leading to breach of NSANet, JWICS, SIPRNet, and also including joint
activities with access to FBINet and SCION where compromise of Tor
resulted in attacker attaining access to, or potentially gaining
access to these networks. Note that Tor may be incorrectly capitalized
as "TOR"; please do a case insensitive search. Specific date of
compromise is between July 30th 2007 and Aug. 2nd 2007; date provided
to aid search efforts. CVE assigned to vulnerability is CVE-2007-4174
and provided to aid search efforts. Subject announcing vulnerability
is "Tor security advisory: cross-protocol http form attack" and
provided to aid search efforts. Please include results spanning the
Cryptologic Services Groups, the National Security Operations Center
(NSOC), the Information Assurance Directorate, the Research Associate
Directorate, the Signals Intelligence Directorate, the Technology
Directorate, the NSA/CSS Threat Operations Center (NTOC), and the
Office of the Director, including Staff. Search of Covert Network
Access technologies employed by Special Intelligence (SI) programs
contained within compartmented access constraints is specifically
requested, including QUANTUMTHEORY and related covert programs
requiring covert Internet access. Please provide processing notes for
this request, even if denied in part. Thank you!"
- https://www.muckrock.com/foi/united-states-of-america-10/backhack-19811/


best regards,
coderman
2015-07-19 02:53:21 UTC
P.S. this just dropped and is awesome :)

https://archive.org/details/COMPLETE_FBI_VAULT_FOIA_PDF_ARCHIVES_07_15_15

54GB FBI VAULT FOIA PDF ARCHIVES V1.0

SOURCE: https://vault.fbi.gov

ABOUT THIS DOWNLOAD SET (4 PARTS):
– four downloadable .zip files uncompress to roughly 54GB total
– complete FBI Vault online archives (up to July 15 2015)
– meticulous folder structure
– all individual PDF files renamed accordingly & logically
– utilizes long file/folder names on Mac OS X 10.10.4
– archive created on Mac OS X 10.10.4 – master folders
compressed to .zip files via standard system compression utility

[SPECIAL NOTE: This version of the archive is much better than the
original FBI downloadable components. This took much time to
methodically download, compile and cleanup.]

FOLDER DIRECTORY: http://pastebin.com/0RcBHjKP
coderman
2015-07-25 12:20:00 UTC
an interesting response on the FOIA stats:
https://www.documentcloud.org/documents/2124204-responsive-documents.html

FOIA totals from 2005 through 2014 for FBI RIDS.

PA req. contention continues...



best regards,
coderman
2015-08-05 05:58:30 UTC
my first payment required:
https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/#file-50509

as i do not qualify for fee waiver in their eyes. :(

this diss hurts most deep, earth humans...



best regards,
acting in selfish self interest FOIA for profitman (?!?)
coderman
2015-08-05 06:02:59 UTC
Post by coderman
...
best regards,
acting in selfish self interest FOIA for profitman (?!?)
i forgot to add, they also checked off:
"You have not demonstrated your expertise in the subject area
[forensic power supply devices for live in-situ and lab equipped
volatile memory and running system analysis], your ability, and/or
your intention to effectively convey the information to the public."

which offends me for MuckRock as their publication platform is excellent! rude.



i suppose if my competence is insulted, there is no alternative but to
reclaim and defend honor so besmirched...
coderman
2015-08-05 06:23:25 UTC
Privacy Act request to FBI is in third attempt, with dual copies of
notarized DoJ-361 to both RIDS and MuckRock:
https://www.muckrock.com/foi/united-states-of-america-10/privacyactdirect-19921/

enabled web tracking for real-time stats on progress of each identical
USPS certified letter.


expect to get next:
0. X records responsive to your request. you must pay for them and it
will take three years to dribble out.
1. upon reading the dribbles, majority is redacted. now starts the
remove-redact fight, more years hence...


best regards,
coderman
2015-08-05 08:32:36 UTC
Post by coderman
...
i suppose if my competence is insulted, there is no alternative but to
reclaim and defend honor so besmirched...
able to pre-pay for the most technical report on FBI procurement of
forensic power overrides:
https://www.pay.gov/public/search/global?formSearchCategory=FOIA%20Request
and FBI specifically at:
https://www.pay.gov/public/form/start/37210538

updated MuckRock accordingly,
https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/
fun to see how pre-payment processed? :)


best regards,
coderman
2015-08-05 10:05:59 UTC
most recent batch:

P25Count

Count of the number of P25 capable radio units or systems in use by,
or owned, or leased, or otherwise utilized by the Bureau. This
includes any of the Motorola ASTRO APX P25 portables, Vertex Standard
P25 portables, ICOM P25 portables, RELM Wireless P25 portables,
Motorola MOTOTRBO DMR radios, and Mobile P25 Radios. This includes any
P25 Phase 1 and Phase 2 capable radios. Please include yearly
break-down by radio model, if available. Please include processing
notes for this request, even if denied in part.

@FBI https://www.muckrock.com/foi/united-states-of-america-10/p25count-20168/
@DEA https://www.muckrock.com/foi/united-states-of-america-10/p25count-20169/
@USMarshals https://www.muckrock.com/foi/united-states-of-america-10/p25count-20170/
@ATF https://www.muckrock.com/foi/united-states-of-america-10/p25count-20171/
@CoastGuard https://www.muckrock.com/foi/united-states-of-america-10/p25count-20172/
@USSS https://www.muckrock.com/foi/united-states-of-america-10/p25count-20173/
@DoJ(crim. div.) https://www.muckrock.com/foi/united-states-of-america-10/p25count-20174/
@CIA https://www.muckrock.com/foi/united-states-of-america-10/p25count-20175/
@NSA https://www.muckrock.com/foi/united-states-of-america-10/p25count-20176/
@StateDept https://www.muckrock.com/foi/united-states-of-america-10/p25count-20177/
@DoT https://www.muckrock.com/foi/united-states-of-america-10/p25count-20178/
@HomeSec https://www.muckrock.com/foi/united-states-of-america-10/p25count-20179/
@NCSC https://www.muckrock.com/foi/united-states-of-america-10/p25count-20180/
@DSS https://www.muckrock.com/foi/united-states-of-america-10/p25count-20181/
@DoJ(natsec div.) https://www.muckrock.com/foi/united-states-of-america-10/p25count-20182/
@INTERPOL https://www.muckrock.com/foi/united-states-of-america-10/p25count-20183/


all reqs:
https://www.muckrock.com/foi/list/?page=1&per_page=104&user=2774


best regards,
coderman
2015-08-05 22:55:58 UTC
Post by coderman
...
https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/
fun to see how pre-payment processed? :)
same day turnaround; that's a record!

"The FBI has received your additional correspondence regarding your
Freedom of Information Act/Privacy (FOIPA) request and it has been
forwarded to the assigned analyst for review. If appropriate, a
response will be forthcoming."


RIDS++
coderman
2015-08-27 04:21:34 UTC
Post by coderman
...
able to pre-pay for the most technical report on FBI procurement of
forensic power overrides...
https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/
as expected, this was just a "go away" tactic, and once paid, they
took their time to tell me they must refund, and i must give them an
amount, and then they search, and then they charge me, and then they
search some more, and then they give me the docs.

fuck that! and happy judicial precedent later, i gave this reply:

---

This is a written response regarding payment for FOIA request 1333239-000.
Please be advised that I am NO LONGER WILLING TO PAY FEES and contest
the notion of my request being "commercial use".

Observe that in August, 2015 D.C. Circuit Judge Merrick Garland
emphasized that web-based publishers are as entitled to waivers as
newspapers, that outlets without a following by a broad swath of the
general public can qualify for waivers and that organizations that
pass analyzed government documents to media outlets can be classified
as members of the news media under the federal public records law.

"There is nothing in the statute that specifies the number of outlets
a requester must have, and surely a newspaper is not disqualified if
it forsakes newsprint for (or never had anything but) a website,"
Garland wrote in an opinion joined by Judges Janice Rogers Brown and
David Sentelle. "There is no indication that Congress meant to
distinguish between those who reach their ultimate audiences directly
and those who partner with others to do so..."
- http://www.cadc.uscourts.gov/internet/opinions.nsf/EF1DE205B4E1264685257EAC004EF78C/$file/13-5335-1569545.pdf

The results of my FOIA requests have been incorporated into popular
reporting in the technical press and wider media, proving the value of
this information to the public and my ability to ultimately reach the
public audience through partner organizations.
Thank you.
grarpamp
2015-08-27 04:48:12 UTC
Post by coderman
a requester must have, and surely a newspaper is not disqualified if
it forsakes newsprint for (or never had anything but) a website,"
The results of my FOIA requests have been incorporated into popular
reporting in the technical press and wider media, proving the value of
this information to the public and my ability to ultimately reach the
public audience through partner organizations.
The medium or size is no longer relevant in demise of print.
Some FOIA are published discussed here on this list.
Can easily be published ftp, nntp, drone pamphleting,
irc on darknets and down the river.
There are interested readers, at least one, somewhere.
Until all govt docs are published, what better legit use
of taxes is there? Certainly not on murder and secrets.
coderman
2015-09-07 04:24:17 UTC
Post by coderman
...
Post by coderman
https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/
as expected, this was just a "go away" tactic, and once paid, they
took their time to tell me they must refund, and i must give them an
amount, and then they search,,,,
mea culpa; this response about fees was in error, and the FOIA person
apologized. so far as now, zero fees expected...

this other did complete: request to Department of Defense, Office of
the Inspector General of the United States of America.
- https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19766/#file-54038

they have THREE (3) WiebeTech HotPlug systems, and no other brands of
this device type used.


best regards,
coderman
2015-09-17 07:23:14 UTC
another to complete:

at least 10 P25 Motorola radios at Department of State. and some not
so pretty carpet :P

https://www.muckrock.com/foi/united-states-of-america-10/p25count-20177/#file-54797


best regards,
coderman
2015-09-23 04:13:12 UTC
Post by coderman
at least 10 P25 Motorola radios at Department of State. and some not
so pretty carpet :P
https://www.muckrock.com/foi/united-states-of-america-10/p25count-20177/#file-54797
handily beat by the US Marshals, with 21,994 P25 radios!
https://www.muckrock.com/foi/united-states-of-america-10/p25count-20170/#file-56132

i expect the DEA will be another big buyer...


best regards,
coderman
2015-09-23 04:25:52 UTC
most interesting reply:

asked about SCIFs at the DoJ, and they forward only to FBI:
https://www.muckrock.com/foi/united-states-of-america-10/scifcount-21229/#file-55661

surely DoJ has more SCIFs than just those used by FBI investigations?
perhaps FBI is simply SCIF steward for all DoJ components...

sending more FOIAs now, starting with processing notes. will advise,
Ryan Carboni
2015-09-23 06:34:46 UTC
I suppose prosecutors working on the Manning and Snowden cases can't work
out of their offices?
Post by coderman
https://www.muckrock.com/foi/united-states-of-america-10/scifcount-21229/#file-55661
surely DoJ has more SCIFs than just those used by FBI investigations?
perhaps FBI is simply SCIF steward for all DoJ components...
sending more FOIAs now, starting with processing notes. will advise,
coderman
2015-09-27 08:52:56 UTC
most interesting reply ...
less interesting reply, but a more interesting response on my part:

FBI claiming privacy interest to refuse ALL of my FOIA regarding the
Sklyarov / Elcomsoft incident years back:
https://www.muckrock.com/foi/united-states-of-america-10/freedmitry-21209/

this is my first attempt to argue compelling public interest against a
privacy exemption,
it is as follows;


Please recognize the public interest in this request for responsive
records as follows:

First and foremost, extensive media attention during this period was
generated due to the intersection of "hacking" and "reverse
engineering" combined with the DMCA provisions deeming some
technologies illegal at interest to the information technology
industry as a whole. This reason alone is sufficient and compelling
justification for transparency in a watershed case, however, I shall
continue.

Second, this case involved not a US citizen, but a foreign national.
As has recently been scoured in the technical press, Wassenaar with its
incumbent BIS obligations has brought discussion of the risks
foreigners face visiting the EU and US, in addition to US citizens
abroad who now find themselves subject to severe technical controls
due to their industry participation. I feel that surely this must
provide beyond sufficient justification for public interest in
documents responsive to this request, yet I shall continue to exhaust
the relevant perspectives in my quiver of inquiry.

Thus thirdly, the conference venue, DEF CON security conference,
itself of notoriety and high esteem in the technical community, was
the operating domain for the closing moves of this investigation. The
logistics and technical considerations for operating in this domain
thus also compounds the public interest in the activity for which the
records responsive to this request have been requested.

Fourthly, and there is a fourthly for sure, the activities undertaken
by the agency were at risk of alienating a talent pool the Bureau has
increasingly courted and pursued for their invaluable skills in
digital forensic analysis, reverse engineering, and information
security. Balancing actions before a critical group who also interacts
frequently with the agency, and from whom the Bureau itself draws
professional talent, amplifies the interest and relevance of this
inquiry, and the need for unrestrained transparency when identifying
documents responsive to this request.

Lastly and finally, yet not to diminish the inherent privacy rights
afforded to all earth humans, inalienable, with justice for all, the
privacy rights which this agency has cited in justification for
limiting the documents responsive to this request, please note that
the privacy exemptions provided by law are specific and limited to
situations where there is a compelling personal privacy interest. The
agency has not provided any compelling privacy interest on behalf of
the fine Mr. Sklyarov, and his foreign status removes the common
privacy concerns of an individual within a domestic community at issue
in responsive documents. It is fully reasonable, per Department of
Justice v. Reporters Committee for Freedom of the Press, that the FBI
may provide documents detailing "what they were up to" in this
investigation, without undue burden on the privacy rights of a foreign
citizen briefly visiting to attend a public conference in the United
States.

Please do recognize and acquiesce to the public interest so broadly in view.

Best regards,
coderman
2015-09-30 13:58:15 UTC
... less interesting reply, but ...
from the comforting responses dept., a legit Glomar: [it's been a while!]

"The list of origin IPv4 CIDR prefixes or distinct IPv4 addresses
used by the Office of Tailored Access Operations (TAO) within the
QUANTUMSQUIRREL covert access network, which is able to impersonate
any IPv4 address. Note that this program has been widely discussed in
the press thus removing any claims of sensitivity on this subject
matter. C.f. "The NSA and GCHQ’s QUANTUMTHEORY Hacking Tactics".
firstlook.org. 2014-07-16:
https://firstlook.org/theintercept/document/2014/03/12/nsa-gchqs-quantumtheory-hacking-tactics/
. Please break out the list of impersonated endpoints by year, if
possible."

'The request has been rejected, with the agency stating that it can
neither confirm nor deny the existence of the requested documents.'

- https://www.muckrock.com/foi/united-states-of-america-10/deezquantumsquirrelsrnutz-21241/


best regards,
coderman
2015-10-05 16:23:05 UTC
honestly didn't think i'd get a useful reply to this one:
" [regarding SCIFs]
Records associated with self inspection of classified materials
handling pursuant to Executive Order (E.O.) 13526 and E.O. 13587
performed by the agency for the last ten (10) years. Please include
results of inspection and especially guidance resulting from analysis
of reviewed activities and materials. Inspection records associated
with effectiveness of original classification, effectiveness of
derivative classification, safeguarding material, security training,
security violations, and auditing / oversight are specifically
requested. Thank you!
"

and yet!
"Please see the NRO partial response to your recent FOIA request."
https://www.muckrock.com/foi/united-states-of-america-10/eeeieeeohorder-21368/#file-56655

:P

best regards,
coderman
2015-10-05 16:29:36 UTC
Post by coderman
" [regarding SCIFs]
...

https://muckrock.s3.amazonaws.com/foia_files/2015/09/29/F15-0117_Peck.PDF

NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715

28 September 2015
Mr. Martin Peck
MuckRock
DEPT MR 21368
PO Box 55819
Boston, MA 02205-5819
Re: NRO Case #F15-0117
Dear Mr. Peck:
This is in response to your request dated 19 September 2015, received
in the National Reconnaissance Office (NRO) on 21 September 2015. Pursuant
to the Freedom of Information Act, you are requesting "Records associated
with self inspection of classified materials handling pursuant to Executive
Order (E.O.) 13526 and E.O. 13587 for the last ten (10) years."
We have accepted your request, and it is being processed in accordance
with the FOIA, 5 U.S.C. § 552, as amended. As an interim release in
response to your request, we are providing to you thirty-nine pages of
responsive information that has previously been released in part to another
requester. These pages are being released in part to you, as well.
Information that is denied is withheld pursuant to FOIA exemption (b)(3),
which is the basis for withholding information exempt from disclosure by
statute. The relevant withholding statute is 10 U.S.C. § 424, which
provides (except as required by the President or for information provided to
Congress), that no provision of law shall be construed to require the
disclosure of the organization or any function of the NRO; the number of
persons employed by or assigned or detailed to the NRO; or the name or
official title, occupational series, grade, or salary of any such person.
Since it is unlikely we will be able to provide a complete response
within the 20 working days stipulated by the Act, you have the right to
consider this a denial and may appeal on this basis to the NRO Appeal Review
Panel, 14675 Lee Road, Chantilly, VA 20151-1715 after the initial 20 working
day period has elapsed. It would seem more reasonable, however, to allow us
sufficient time to continue processing your request and respond as soon as
we can. Unless we hear from you otherwise, we will assume that you agree
and will continue processing your FOIA request on this basis. You will have
the right to appeal any denial of records after you receive a final response
to your request.
The FOIA authorizes federal agencies to assess fees for record
services. Based upon the information provided, you have been placed in the
"other" category of requesters, which means you are responsible for the cost
of search time exceeding two hours ($44.00/hour) and reproduction fees ($.15
per page) exceeding 100 pages. We will notify you if it appears that we will
meet or exceed our $25.00 minimum billing threshold in processing your
request. Additional information about fees can be found on our website at
www.nro.gov .
If you have any questions, please call the Requester Services Center
at 703-227-9326, and reference the case number F15-0117.

Patricia B. Cameresi
Chief, Information Review
and Release Group
Enclosure: Responsive information for 2012 & 2013

UNCLASSIFIED NRO APPROVED FOR RELEASE

28 August 2014
NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715

MEMORANDUM FOR OFFICE OF THE UNDER SECRETARY OF DEFENSE FOR
INTELLIGENCE SECURITY POLICY AND OVERSIGHT DIRECTORATE
SUBJECT: Annual Self-Inspection Report
REFERENCES: OUSD(I) Memorandum, Annual Senior Agency Official
Self-Inspection Program Report for Classified
National Security Information, 8 July 2013
The National Reconnaissance Office (NRO) is providing the
attached Self-Inspection Report as requested in reference.
Point of contact for questions concerning this submission is

A. Jamieson Burnett
Director, Office of Security
and Counterintelligence
Attachment:
NRO Annual Self-Inspection Report for 2013


Enclosure 2
AGENCY ANNUAL SELF-INSPECTION PROGRAM DATA: FY 2013
(Submissions must be unclassified.)

PART A: Identifying Information

1. Enter the agency name.

National Reconnaissance Office (NRO)

2. Enter the date of this report.

30 September 2013

3. Enter the name, title, address, phone, fax, and e-mail address of the
Senior Agency Official (SAO) (as defined in E.O. 13526, section 5.4(d))
responsible for this report.

Mr. Frank Calvelli
Principal Deputy Director, NRO
Room (b)(3) 10 US(
14675 Lee Road, Chantilly, VA 20151

4. Enter the name, title, phone, fax, and e-mail address of the
individual or office responsible for conducting self-inspections and
reporting findings.

A. Jamieson Burnett
Director, Office of Security and Counterintelligence
(b)(3) 10 USC 44 Finn=
(b)(3) 10 USC 424

5. Enter the name, title, phone, fax, and e-mail address for the
point-of-contact responsible for answering questions regarding this
report.

Chief, Security and Counterintelligence Policy Staff
(b)(3) 10 USC 424
Fax (b)(3) 10 USC 424
(b)(3) 10 USC 424

PART B: Classified National Security Information (CNSI) Program Profile
Information
6. Has your agency been designated/delegated as an original
classification authority (OCA)?
7. Does your agency perform original classification activity?
8. Does your agency perform derivative classification activity?
9. Does your agency have an approved declassification guide and declassify CNSI?

6.

7.
8.
9

■ No
_I Yes ■ No
Yes ■ No
❑ Yes ■ No
❑

Yes

❑

PART C: Description of the Program
A description of the agency's self-inspection program to include
activities assessed, program areas covered, and methodology utilized.
The description must demonstrate how the self-inspection program provides
the SAO with information necessary to assess the effectiveness of the CNSI
program within individual agency activities and the agency as a whole.

Responsibility
10. How is the SAO involved in the self-inspection program? (Describe
his or her involvement with the self-inspection program.)

The Director of Security and Counterintelligence (D/OS&CI) advises the
Senior Agency Official (SAO) when
events warrant. The NRO Integrated Security Assessment Program (ISAP)
results are also reported to the SAO
thru the annual Management Control Plan Statement of Assurance (MCPSOA).
11. How is the self-inspection program structured to provide the SAO
with information necessary to assess the agency's CNSI program in
order to
fulfill his or her responsibilities under section 5.4(d) of E.O. 13526?

The DOS&CI receives periodic reports on the program and advises the
SAO when the DOS&CI believes events
warrant advising the SAO. The NRO ISAP results are also reported to
the SAO thru the annual MCPSOA.
12. Whom has the SAO designated to assist in directing and
administering the self-inspection program? Who conducts the
self-inspections?
(If the SAO conducts the self-inspections, which may be the case in
smaller agencies, indicate this.)

The DOS&CI is provided a Letter of Instruction by the Director, NRO
which assigns his responsibilities.

Approach

(b)(3) 10 USC 424

13. What means and methods are employed in conducting self-inspections?
(For example: interviews, surveys, data calls, checklists, analysis, etc.)

NRO self-inspections are part of the NRO ISAP. Because contractors
make up [illegible] of the total NRO workforce and have the overwhelming
number of Sensitive Compartmented Information Facilities (SCIFs), ISAP
is a collaborative between Government and industry to identify and
address security vulnerabilities, provide
[illegible]
INFORMATION SECURITY OVERSIGHT OFFICE

AUTHORIZED FOR LOCAL REPRODUCTION
32 CFR 2001 E.O. 13526

14. If your agency performs different types of inspections (e.g.,
component self-inspections, command inspections, compliance reviews,
etc.),
describe each of them and explain how they are used. If not, indicate NA.

NA

15. Do your agency's self-inspections evaluate adherence to the
principles and requirements of E.O. 13526 and its implementing
directive and the
effectiveness of agency programs covering the following areas? (Select
all that apply.)
Original classification
Cl Security violations
[ 1 Safeguarding
__I Management and oversight
Derivative classification
■ Declassification
11 Security education and training
16. Do your self-inspections include a review of relevant security
directives and instructions?
16. ■ Yes 7 No
17. Do your self-inspections include interviews with producers (where
applicable) and users of classified information?
17. H Yes ■ No
Approach: Representative Sample
(If your agency does not classify information, indicate NA.)
18. Do your self-inspections include reviews of representative samples
of original and derivative classification actions to evaluate the
appropriateness of classification and the proper application of document
markings?
18. Yes ■ No ■ NA
19. Do these reviews encompass all agency activities that generate
classified information?
19. ■ Yes No ■ NA
❑

20. Describe below how the agency identifies activities and offices
whose documents are to be included in the sample of classification
actions.
(Indicate if NA.)

Based on the 291 site self-assessments submitted, the ISAP Manager,
Program Security Officers (PSOs) and
stakeholders discuss findings and formulate recommendations for a
formal assessment, if required. OS&CI

[illegible]
21. Do the reviews include a sampling of various types of classified
information in document and electronic formats?
21. — Yes ■ No ■ NA

22. How do you ensure that the materials reviewed provide a
representative sample of the agency's classified information?
(Indicate if NA.)

Documents are selected for review in cooperation with site personnel
who are familiar with the type of materials
produced by the site. However, contractors are not required to count
classified pages produced because of the
additional costs that would be incurred by the NRO, so the documents
reviewed may not be a representative
[illegible]

23. How do you determine that the sample is proportionally sufficient
to enable a credible assessment of your agency's classified product?
(Indicate if NA.)

We do not attempt to do this as it would increase costs to the NRO (as
explained in item 22 above).
24. Who conducts the review of the classified product? (Indicate if NA.)

PSOs and Classification Management Officers (CMOs).
25. Are the personnel who conduct the reviews knowledgeable of the
classification and marking requirements of
E.O. 13526 and its implementing directive?
26. Do they have access to pertinent security classification guides?
(Indicate if NA.)
27. Have appropriate personnel been designated to correct
misclassification actions? (Indicate if NA.)
If so, identify below.

■ No ■ NA
❑ Yes ■ No ■ NA

25. D Yes
26.

27. El Yes

■ No ■ NA

Frequency
28. How frequently are self-inspections conducted?

Annually.
29. Describe the factors that were considered in establishing this time period?

The time period is defined in the NRO Security Manual (NSM).


Coverage
30. How do you determine what offices, activities, divisions, etc.,
are covered by your self-inspection program? What agency activities are
assessed?

Self-assessments are to be completed on each contractor SCIF. All
contractor activities are assessed.
31. How is the self-inspection program structured to assess individual
agency activities and the agency as a whole?

Contractor SCIF locations far outnumber government SCIF locations in
the NRO. Government locations are
relatively few in number and have professional government security
officers assigned who can monitor
safeguarding and classified information production and correct errors
as they occur. We chose to concentrate on
[illegible]

Special Access Programs (SAP)
(If your agency does not have the authority to create SAPs, indicate NA.)
32. If your agency has any special access programs, are
self-inspections of the SAP programs conducted annually?
33. Do the self-inspections confirm that the agency head or principal
deputy has reviewed each special access
program annually to determine if it continues to meet the requirements
of E.O. 13526?
34. Do the self-inspections determine if officers and employees are
aware of the prohibitions and sanctions for
creating or continuing a special access program contrary to the
requirements of E.O. 13526?

32.
33.
34•

■ No ■ NA
—I Yes III No ■ NA
Yes III No ■ NA

❑

Yes

❑

Reporting
35. What is the format for documenting self-inspections in your agency?

Self-assessments are documented using the self-assessment review tool
in the NSM, Appendix B. For formal
assessments, an out-briefing is provided to site security staff and
other site senior management identifying
[illegible]

36. Who receives the reports?

The OS&CI ISAP Manager.
37. Who compiles/analyzes the reports?

The ISAP Manager and the responsible PSO analyze the report.
38. How are the findings analyzed to determine if there are problems
of a systemic nature?

The ISAP Manager provides to the sponsoring Government Program
Security Officer (GPSO) for review and
subsequent action.
39. How and when are the results of the self-inspections reported to the SAO?

The DOS&CI determines when results warrant informing the SAO.

40. How is it determined if corrective actions are required?

The Government PSO and security stakeholder(s) reviews determine if
corrective actions are required.
41. Who takes the corrective actions?

The assessed site.
42. How are the findings from your agency's self-inspection program
distilled for the annual report to the Director of ISOO?

The OS&CI Security Policy Staff (SPS) tasks the ISAP Manager to
distill the findings and provide them to SPS
for inclusion in the annual report.
43. Has the SAO formally endorsed this self-inspection report?

43. ■ Yes ❑ No

PART D: A summary of the findings of your agency's self-inspection program
The summary should present specific, concise findings from your
self-inspection program for each of the required program areas below.
It is not a
description of the requirements of the agency's CNSI program. Rather,
the summary outlines the essential self-inspection findings based on
the
compilation and/or distillation of the information contained in the
agency's internal self-inspection reports, checklists, etc. In large
agencies where
findings are drawn from multiple agency offices and activities, the
findings that are reported here may be the most significant or most
frequently
occurring.
44. Original Classification:

OCAs are senior officers and mainly exercise their authority through
the signing of classification guides for
information unique to their activity. While OCA decisions get
implemented through the classification guide,
written documentation of individual OCA decisions is difficult or
impossible to locate. OCA's were not using
the appropriate OCA classification block but a derivative block. OS&CI
Policy Branch will issue clear
instructions for all classification guides to contain the appropriate
OCA classification block.
45. Derivative Classification:

NRO activities result in complicated Power Point slide briefings with
complex tables, diagrams, and text boxes
describing engineering and R&D activities. Under reduced manning from
sequestration and budget cuts which
have resulted in a loss of over 1,000 man-years of experience across
the NRO, derivative classifiers struggle to
get all derivative markings accurate after they have compiled
difficult subject matter on compressed time lines
under stressful conditions. It is admirable that individuals perform
as well as they do.
46. Declassification:

Not included in self-inspection.

47. Safeguarding:

Regular conduct of exercises provides vital feedback to the physical
security program. Exercises identify areas
for corrective measures, enhancements, validates current tactics
techniques and procedures (TTP) and the
adoption/employment of new TTP to meet a dynamic threat environment.
Regular inspections/audits are
essential to ensuring status and validity of issued IC badges and
conformity to physical security requirements.
Risk assessments/physical security assessments provide a helpful
"outside" perspective to site security offices.
48. Security Violations:

The ISAP program is the formal mechanism by which we corroborate
self-inspections. Included in these formal
reviews is an assessment of the respective security violation program
and trends. In addition, each component
Security team evaluates Security incidents and violations by tracking
them according to general broad categories.
During this past FY, the majority (63%) of incidents/violations were
related to categories within personnel
electronic devices in SCIFs. Other categories that have multiple
occurrences indicating potential trends are data
49. Security Education and Training:

100% of personnel assigned to the NRO are required to complete an SCI
indoctrination briefing to include
signing a Non-Disclosure Agreement. E.O. 13526 is called out
specifically so that personnel fully understand
their responsibilities and requirements to protect classified
information. This message is repeated by the release
of awareness videos and reminders throughout the year; to include
presentations, written materials, and training.
Specifically, OS&CI incorporates classification management questions
within the Annual Security Refresher
50. Management and Oversight:

Government oversight of NRO-sponsored SCIFs is achieved in a
multi-faceted manner. Program Security
Officers, Physical/Technical, and Computer Security Officers review
self-assessment results and participate in
on-site reviews. Some program findings for FY 13 were identified in
the following areas:
• Standard Operating Procedures (SOPs) require more detail and more
frequent revision to stay up-to-date with
security requirements.

PART E: An assessment of the findings of your agency's self-inspection program
The assessment discerns what the findings mean. The assessment is an
evaluation of the state of each element of your agency's CNSI program
based on an analysis of the specific, concise findings of the
self-inspection program. It reports what you have determined the
findings indicate about the state of your agency's CNSI program.
The assessment should inform the SAO and other decision makers of
significant issues that impact the CNSI program. It should be used to
determine
how security programs can be improved, whether the agency regulation
or other policies and procedures must be updated, and if necessary
resources
are committed to the effective implementation of the CNSI program. The
assessment should report trends that were identified during the
reporting
period across the agency or in particular activities, as well as
trends detected by making comparisons with earlier reporting periods.
It can be used to
support assertions about the successes and strengths of an agency's program.
51. Original Classification:

While OCA's produce timely and sufficient Classification Guides,
decisions are not normally documented
outside the guide by a separate source document. OCAs are not using an
OCA style classification block but this
will be corrected soon when specific detailed policy is issued by
Security Policy.
52. Derivative Classification:

Derivative classifiers are still wrestling with proper portion marking
and classification of complex power point
slide presentations and other documents concerning difficult subject
matter and formats. To try and stem this
tide, we are adding more classification management questions to our
ASR. Dwindling budgets, reduced
manpower, and "greening" (reducing) of salaries has reduced longevity,
increased turnover, and reduced portion
marking proficiency.
53. Declassification:

Not included in self-inspection.

54. Safeguarding:

Awareness and education programs are vital to ensuring the workforce
maintains awareness of security policy
and procedures. Regular and aperiodic exercises, inspections, and
audits provide crucial inputs that are
indispensable to ensuring that the physical security program is
current and effective. Key challenges are
maintaining adequate funding to replace aging, malfunctioning, and
obsolete security equipment and training and
education for new personnel. The NRO has an organization-level process
for the Assessment and Authorization
55. Security Violations:

The NSM details the NRO process for reporting and investigating
security incidents, infractions and violations.
Appropriate and prompt corrective actions were taken to mitigate the
severity of the infraction/violation, and to
sanction the offender via management, counterintelligence, and
personnel security processes. Infractions and
violations are centrally tracked in the Security Log (the NRO
incident/violation database). This database is
managed by the Program Security Officers in each directorate and
office, and enables the PSO to automatically
56. Security Education and Training:

OS&CI works closely with PSOs, Counterintelligence personnel, and the
Integrated Self Assessment Program
to determine any trends or specific areas that need an additional
educational awareness campaign. Security
communications are then targeted, utilizing large scale efforts, per a
topic area and audience for best impact
results. The NRO is adding additional classification management
questions to the Annual Security Refresher to
better satisfy the derivative classification training requirement.
OCAs complete yearly training provided by
57. Management and Oversight:

The NRO has a very mature Security management and oversight program.
Over the past FY, much greater
emphasis has been placed on ensuring all sites and facilities
accomplished the self-assessments and submitted the
findings to the Government within the mandated time requirements. This
improved management oversight has
made an impact. Our self-inspection program coupled with security
officer visits, and formal team assessments
provide managers a report card on the health of our security programs.
When negative trends are identified,
PART F: Focus Questions
Answer the questions below. If the response identifies a deficiency,
it should be explained in Part D, Summary of Findings, under the
relevant
program area, and should be addressed in Part H, Corrective Actions.
Training for Original Classification Authorities
Original classification authorities are required to receive training
in proper classification and declassification each calendar year.
(Section 1.3(d) of
E.O. 13526 and § 2001.70(c) of 32 C.F.R. Part 2001) (Indicate NA
if your agency does not have original classification authority)
58. Does agency policy require training for original classifiers?
58. Yes ■ No ■ NA
59. Has the agency validated that this training has been received?
59. I Yes ■ No ■ NA
❑

100

60. What percentage of the original classification authorities at your
agency has received this training?

60.

61. Have any waivers to this requirement been granted?

61. III Yes

Actual

■ Estimated
No ■ NA

Persons who Apply Derivative Classification Markings
Persons who apply derivative classification markings are required to
receive training in the proper application of the derivative
classification
principles of E.O. 13526, prior to derivatively classifying
information and at least once every two years thereafter. (Section
2.1(d) of E.O. 13526 and
§ 2001.70(d) of 32 C.F.R. Part 2001) (Indicate NA if your agency does
not have any personnel who derivatively classify information)
62. Does agency policy require training for derivative classifiers?
62. • Yes Ill No III NA
63. Has the agency validated that this training has been received?
63. Yes ■ No ■ NA
64. What percentage of the derivative classifiers at your agency has
received this training?

64. ■ 100 Actual Estimated

65. Have any waivers to this requirement been granted?
65. ■ Yes i No

Initial Training
All cleared agency personnel are required to receive initial training
on basic security policies, principles, practices, and criminal,
civil, and administrative penalties. (§ 2001.70(b) of 32 C.F.R. Part 2001)
66. Does agency policy require initial training?
66. ❑ Yes ■ No

67. Has the agency validated that this training has been received?

67.

❑

68. What percentage of cleared personnel at your agency has received
this training?

68.

100

70. Has the agency validated that this training has been received?

70.

71. What percentage of the cleared employees at your agency has
received this training?

71. 100
Actual

Yes

■ NA

■ No

LI Actual • Estimated
Annual Refresher Training
Agencies are required to provide annual refresher training to all
employees who create, process, or handle classified information. (§
2001.70() of
32 C.F.R. Part 2001)
69. Does agency policy require annual refresher training?
69. Yes ■ No
❑

rl Yes ■ No

■ Estimated
Identification of Derivative Classifiers on Derivatively Classified Documents
Derivative classifiers must be identified by name and position, or by
personal identifier on each classified document. (Section 2.1(b)(1) of
E.O.
13526 and § 2001.22(b) of 32 C.F.R. Part 2001) (Indicate NA if your
agency does not derivatively classify information.)
72. Does your agency's review of classification actions evaluate if
this requirement is being met?
72. Yes ■ No ■ NA
73. What percentage of the documents sampled meet this requirement?
73. 87
74. What was the number of documents reviewed for this requirement?
74. 166,130 pages

List of Sources on Documents Derivatively Classified from Multiple Sources
A list of sources must be included on or attached to each derivatively
classified document that is classified based on more than one source
document
or classification guide. (§ 2001.22(c)(1)(ii) of 32 C.F.R. Part 2001)
75. Does your agency's review of classification actions evaluate if
this requirement is being met?
75. • Yes ■ No ■ NA
76. What percentage of the documents sampled meet this requirement?
76. 88
77. What was the number of documents reviewed for this requirement?

77. 166,130 pages

Performance Evaluations
The performance contract or other rating system of original classification
authorities, security managers, and other personnel whose duties
significantly involve the creation or handling of classified
information must include a critical element to be evaluated relating
to designation and management of classified information.
(Section 5.4(d)(7) of E.O. 13526)

78. Does agency policy require this critical element in the
performance evaluations of personnel in the
categories required by E.O. 13526?
79. Has the agency validated that this critical element is included in
the performance evaluations of
personnel in the categories required by E.O. 13526?
80. What percentage of such personnel at your agency has this element
in their performance
evaluations?

78. ■ Yes No
79. ■ Yes 0 No
❑
80. 50% Actual • Estimated

OCA Delegations

OCA delegations shall be reported or made available by name or
position to the Director of the Information Security Oversight Office.
(Section 1.3(c)(5) of E.O. 13526). This can be accomplished by an initial
submission followed by updates on a frequency determined by the SAO,
but at least annually. (§ 2001.11(c) and § 2001.90(a) of 32 C.F.R. Part 2001)

81. Have there been any changes in the delegations, by name and
position, of original classification
authority in your agency since delegations were reported to ISOO in 2010.
82. Have all delegations been limited to the minimum required based on
a demonstrable and
continuing need to exercise this authority?
83. If changes have been made, have they been reported, by name or
position, to ISOO?

81.
82.

83.

■ Yes

No

■

NA

Yes MI No I. NA

■ Yes ■ No

NA

Classification Challenges
An agency head or SAO shall establish procedures under which
authorized holders of information, including authorized holders
outside the classifying agency, are encouraged and expected to challenge
the classification of information that they believe is improperly
classified or unclassified. (Section 1.8(b) of E.O. 13526) Classification
challenges must be covered in the training for original classification
authorities and persons who apply derivative classification markings.
(§ 2001.71 and § 2001.71(d) of 32 C.F.R. Part 2001)

84. Has your agency established procedures under which the
classification of information can be
challenged in accordance with section 1.8(b) of E.O. 13526 and
§2001.14 of 32 C.F.R. Part 2001?
85. Does your agency's training for OCAs and for personnel who apply
derivative classification
markings cover classification challenges?
86. Does your agency's training for all other cleared personnel cover
classification challenges?

84. Yes ■ No ■ NA
85. ■ Yes ❑ No ■ NA
86. III Yes ❑ No

PART G: Findings of the Annual Review of Agency's Original and
Derivative Classification Actions

In this section provide specific information with regard to the
findings of the annual review of the agency's original and derivative
classification
actions to include the volume of classified materials reviewed and the
number and type of discrepancies identified.

87. Indicate the volume of classified materials reviewed during the
annual review of agency's original and derivative classification actions.
(If your agency does not classify information, indicate NA.)
87. 166,130 pages
88. Indicate the number of discrepancies found during the annual
review of classification actions for each category below. For additional
information on marking, consult the ISOO marking guide.
88 (a) Over-classification: Information does not meet the standards
for classification.
88 (a) 28,798
88 (b) Overgraded/Undergraded: Information classified at a
higher/lower level than appropriate.
88 (b) 42,779
88 (c) Declassification: Improper or incomplete declassification
instructions or no declassification instructions.
88 (c) 24,043
88 (d) Duration: a shorter duration of classification would be appropriate.
88 (d) 13,889
88 (e) Unauthorized classifier: A classification action was taken by
someone not authorized to do so.
88 (e) 0
88 (f) "Classified By" line: A document does not identify the OCA or
derivative classifier by name and position or by personal identifier.
88 (f) 22,368
88 (g) "Reason" line: an originally classified document does not cite
a reason from section 1.4 of E.O. 13526.
88 (g) 0
88 (h) "Derived From" line: A document fails to cite, or cites
improperly, the classification source. The line should include type of
document, date of document, subject, and office/agency of origin.
88 (h) 17,096
88 (i) Multiple sources: A document cites "Multiple Sources" as the
basis for classification, but a list of these sources is not included on
or attached to the document.
88 (i) 19,190
88 (j) Marking: A document lacks overall classification markings or has
improper overall classification markings.
88 (j) 34,141
88 (k) Portion Marking: The document lacks some or all of the required
portion markings.
88 (k) 59,937
88 (l) Instructions from a classification guide are not properly applied.
88 (l) 17,070
88 (m) Other:
88 (m) 0

89. Describe actions that have been taken or are
planned to correct identified program deficiencies, marking
discrepancies, or misclassification
actions, and to deter their reoccurrence.

OS&CI Policy Branch will issue written instructions that all
Classification Guides and original classification
decisions will use an OCA style classification block.
We plan to issue NRO-wide, monthly, short written educational
reminders of the most error-prone mistakes
reported in item 88 which will also include the proper way to classify
and mark materials.

PART I: Best Practices
Best practices are those actions or activities that make your
self-inspection program and/or CNSI program more effective or efficient.
They set your program apart through innovation or by exceeding the minimum
program requirements. These are practices that may be utilized or emulated
by other agencies.

90. Describe best practices that were identified during the self-inspection.

One contractor site developed a database that allows self-assessments
to be completed by each program area at
that site. The database can apply filtering and reporting
capabilities, thereby allowing managers to focus
resources on a wide-range of security-related disciplines. This type
of approach and comprehensive tool
development had not been previously seen by the ISAP Program.

PART J: Explanatory Comments
Use this space to elaborate on any section of this form. If more space
is needed, provide as an attachment to this form. Provide explanations
for any significant changes in trends/numbers from the previous year's report.

Item 16. All security directives and instructions are issued by the
DOS&CI and are reviewed and updated
annually but not as part of the self-inspection. All directives and
instructions are maintained on-line and are
accessible to all government employees and contractors.
(b)(3) 10 USC 424
Item 27. All government and contractor PSOs and CMOs (about [redacted]
individuals) are authorized to correct
incorrect classification, incorrect use of SCI control channels, and
incorrect dissemination restrictions.
Item 68. CIA personnel (including CIA contractors with Agency Data
Network or staff-like access) at the NRO
are required to take the CIA "2013 Derivative Classifier Training" by
their parent agency. All other government
and contractors at the NRO take their training through the Annual
Security Refresher briefing.
Item 78. The NRO is comprised of government individuals from various
agencies. Parent agencies set the rules
for their performance contract or rating system which cannot be
altered by the NRO. The percentage given
represents the percentage of individuals from agencies that require a
security performance evaluation statement.

For ISOO Use Only
ISOO Analyst:
Date QC:
Analyst Initials:


UNCLASSIFIED

NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715

12 October 2012
MEMORANDUM FOR OFFICE OF THE UNDER SECRETARY OF DEFENSE FOR
INTELLIGENCE SECURITY DIRECTORATE

SUBJECT: Annual Self-Inspection Report
REFERENCES:

(a) OUSD(I) Memorandum, Annual Senior Agency Official
(SAO) Self-Inspection Program Report for Classified
National Security Information, 2 October 2012
(b) Memorandum of Agreement between the Secretary of
Defense and the Director of National Intelligence
concerning the National Reconnaissance Office,
21 September 2010
(c) DoDI 5200.01, DoD Information Security Program and
Protection of Sensitive Compartmented Information,
9 October 2008

The National Reconnaissance Office (NRO) is providing the
attached Self-Inspection Report as requested in reference (a). In
accordance with Director, National Reconnaissance Office authorities
in reference (b) and (c) it should be noted that the NRO does not
administer a standard DoD Information Security Program based on DoDM
5200.01-V1 thru V3 and, therefore, some of the items in the attached
checklist are not applicable and have been noted as such.
My point of contact for questions concerning this submission is
(b)(3) 10 USC 424

. Jamieson Burnett
Director, Office of Security
and Counterintelligence
Attachment:
NRO Annual Self-Inspection Report for 2012

UNCLASSIFIED

UNCLASSIFIED
INFORMATION SECURITY PROGRAM SELF-INSPECTION CHECKLIST
TITLE/SUBJECT/ACTIVITY/FUNCTIONAL AREA

Information Security Program Self-Inspection Checklist
NO.

ITEM

NRO APPROVED FOR RELEASE
28 August 2014

National Reconnaissance Office
OPR

DATE

Security Manager

11 October 2012

EO 13526 CLASSIFIED NATIONAL SECURITY INFORMATION AND IMPLEMENTING DIRECTIVE

REQUIREMENTS
PART 1. DESCRIPTION OF SELF-INSPECTION PROGRAM: A description of the
DoD Component's self-inspection program should include activities assessed,
program areas covered, and methodology
utilized. The description must demonstrate how the self-inspection
program provides the senior
agency official with the information necessary to assess the
effectiveness of the classified national
security information program within the individual Component
activities and the Component as a
whole. It should include the following:
1. Responsibility for the program:
(1) Whom does the senior agency official designate to assist in
directing and administering the self-inspection
program?
Answer: The Director of Security and Counterintelligence (DOS&CI) is
provided a Letter of Instruction by the
Director, NRO which assigns his responsibilities.
(2) How is the program structured to provide the senior agency
official with the information necessary to assess the
agency's classified national security information program?

Answer: The DOS&CI advises the Senior Agency Official (SAO) when the
DOS&CI believes events warrant
advising the SAO. The NRO Integrated Security Assessment Program
(ISAP) results are also reported to the SAO
thru the annual Management Control Plan Statement of Assurance (MCPSOA).

(b)(3) 10 USC 424

(3) Who conducts the self-inspections?

Answer: NRO self-inspections are part of the NRO ISAP. Because
contractors make up [redacted] of the total NRO
workforce and have the overwhelming number of Sensitive Compartmented
Information Facilities (SCIFs), ISAP is
a collaborative process between Government and industry to identify
and address security vulnerabilities, provide
data for analysis, and identify system security issues and trends. The
findings may lead to identification and
definition of risk mitigation practices, and enable sharing of best
security practices across government and
industry. The primary purpose of the ISAP is to ensure the proper
safeguarding of classified information through a
single comprehensive review by various components of the Office of
Security and Counterintelligence (OS&CI).
ISAP integrates reviews utilizing program security, classification
management, transportation and transmission of
classified information, physical and technical accreditation,
information systems security, personnel security, and
Counterintelligence (CI) perspectives. The integrated assessment
evaluates implementation of and ensures
compliance with, established security policies, procedures, and plans
at all NRO government and contractor
locations.
Site personnel conduct/document security self-assessments per
requirements stated in the NRO Security Manual
(NSM). Security Officers will conduct self-assessments of their SCIFs
at least annually. For the reporting period
there were 343 site self-assessments. The ISAP Manager or designee
reviews the site assessments and enters a
copy into an NRO database listing each NRO sponsored facility.
Based on the self-assessments, the ISAP Manager, Program Security
Officers (PSOs) and stakeholders discuss
findings and formulate recommendations for a formal assessment, if
required. OS&CI stakeholders represent the
major OS&CI divisions and program office security staffs, including,
but not limited to, PSOs, Physical/Technical
Certification Officers, and Security Certification Officers.
Stakeholders will develop and provide ISAP candidates
to the ISAP Selection Board. Each ISAP recommendation shall contain
detailed factors used to formulate the
recommendation. Recommendation for site visits is then provided to the
selection board. Sites are selected based
on ring proximity, resources, budgetary constraints, time since last
assessment, and random sampling. A team
composition is proposed for each site visit and a Lead PSO is selected.
The Assessment Team will, at a minimum,
consist of a Government PSO and an OS&CI/Facilities and Information
Security Division (F&ISD) representative.
Additional team members will be added as needed based on site size,
mission, facility risk, and subject areas being
assessed. An out-briefing is provided to site security staff and
other site senior management identifying security
program successes, observations, and any security "best practices"
discovered during the formal assessment. The
results are then loaded into the facility database that contains
information from all previous visits with any problem
areas or "best practices" noted. A final report requiring corrective
actions to be taken within 90 days of the date of
report is issued by the DOS&CI. The assessed site is required to
provide follow-up reports of corrective action to
the responsible PSO and the ISAP Manager every 90 days until all
corrective actions are complete. The
responsible PSO monitors all mitigation actions. Reports of corrective
action are loaded into the NRO facilities
database for historical purposes. For the reporting period, 16 formal
team assessments were performed. An
additional 9 formal specific-issue reviews were conducted. There were
an additional 1,491 visits by OS&CI
stakeholders to contractor SCIFs.

(4) How is the senior agency official involved in the program?
Answer: The DOS&CI keeps the SAO advised of trends and issues
developed by the ISAP. The NRO ISAP results
are also reported to the SAO thru the annual MCPSOA.
2. Approach:

(1) What means and methods are employed in conducting self-inspections?
Answer: For formal assessments, the Assessment Team evaluates
implementation, and ensures compliance with,
established NRO security policies, procedures, and plans.

(2) Are different types of self-inspections conducted? If so, describe
each of them.
Answer: Formal assessments will vary based on the experience of the
lead PSO and the stakeholders with the
facility and items noted in the self-evaluation report as well as the
areas of responsibility of the attending subject
matter experts. However, the objective for all is to identify and
address security vulnerabilities, provide data for
analysis, and identify system security issues and trends.

(3) Do the self-inspections evaluate adherence to the principles and
requirements of E.O. 13526 and its implementing
directive and the effectiveness of agency programs covering:
• Original classification?
Answer: Since Original Classification items only apply to 13
government employees who are Original
Classification Authorities (OCA) at NRO Headquarters, a formal tasking
is sent to Program Security Officers
supporting the OCA to determine the date the OCA received their annual
briefing and the number of original
classification decisions they made during the reporting period.
Experience has shown that not all of the OCAs
make individual OCA decisions every year but most require their
authority to sign classification guides for
their area of responsibility. For the reporting period there, nine OCA
decisions were made.

• Derivative classification?
Answer: Included. In NRO Implementing Instructions released on 31 May
2011, derivative classifiers were
instructed to include in the classification block a personal
identification number rather than their name to
protect their identity and association with the NRO. This
"Classification ID (CLID)" number exists in the
NRO Access Database so the specific individual with that number can
always be identified. Employees of other
agencies, who already have an ID number assigned by their parent
agency, will use that number instead.
Headquarters NRO derivative classifiers have their PSO available for
questions regarding classification and
marking and to review their derivatively classified documents for
format and accuracy of classification and
marking. Available on the OS&CI website are the Order, Information
Security Oversight Office (ISOO)
Implementing Directive and Marking booklet, videos and documents that
explain the correct way to classify
and mark documents, the Controlled Access Program Coordination Office
(CAPCO) register and manual, over
120 Frequently Asked Questions with answers that are posted about
portion marking, a Security Policy hotline
that will answer their questions in real-time, and numerous other
experts who are available to answer their
questions. Once the document is distributed, they face additional
scrutiny from any security or classification
management officer who reads it or from subject matter experts who
point out classification and marking
errors to security officers.
The ISAP team visiting a site will review a sample of derivatively
classified documents to point out errors in
classification and marking, omissions of required information, and to
make suggestions for improvement.

• Declassification?
Answer: The NRO has a formal declassification program which restricts
to one office the authority to officially
declassify NRO information and release it to the public, and which is
not included in the self-inspection
program. The results of this program are reported in the SF 311 report
provided to USD(I) in October 2012.
The NRO Declassification Guide (known as the Review and Redaction
Guide) is updated and approved by the

DNRO each year. It is currently undergoing review by the Interagency
Security Classification Appeals Panel
and is expected to be approved by the end of 2012.

• Safeguarding?
Answer: Included

• Security violations?
Answer: Included

• Security education and training?
Answer: Included

• Management and oversight?
Answer: Included
(4) Do the self-inspections include a review of relevant security
directives and instructions, as well as interviews with
producers and users of classified information?
Answer: All directives and instructions are issued by the DOS&CI and
are reviewed and updated annually. All
directives and instructions are maintained on-line and are accessible
to all government employees and contractors.
(5) Do the self-inspections include reviews of representative samples
of your Component's original and derivative
classification actions?
• Do these reviews encompass all Component activities that generate
classified information?
Answer: There are hundreds of individual activities that can generate
classified information. While the annual
self-assessment questionnaire covers 343 of these activities, the ISAP
formal assessment inspects only a small
percentage of these activities yearly. However, the Program Security
Officers, Contractor Program Security
Officers, and Classification Specialists review hundreds of classified
documents yearly and provide direction to
originators to correct those that are improperly marked.
o How do you identify the activities to which this applies?
Answer: Site personnel conduct/document security self-assessments per
requirements stated in the NSM.
• Do the reviews include a sampling of various types of classified
information in document and electronic
formats?
o How do you ensure that the materials reviewed provide a
representative sample of the Component's
classified information?
Answer: Documents are selected for review in cooperation with site
personnel who are familiar with the type
of materials produced by the site. However, contractors are not
required to count classified pages produced
because of the additional costs that would be incurred by the NRO, so
the documents reviewed may not be a
representative sample.
o How do you determine that the sample is proportionally sufficient to
enable a credible assessment of your
Component's classified product?
Answer: We do not attempt to do this as it would increase costs to the
NRO (as explained above).
• Who conducts the review of the classified products?
o Are they knowledgeable of the classification and marking
requirements of E.O. 13526 and its
implementing directive?
Answer: Yes
o Do they have access to pertinent security classification guides?
Answer: Yes
• Have appropriate personnel been designated to correct
misclassification actions? If so, identify.
Answer: All Program Security Officers and Classification Management
Specialists are authorized to correct
misclassification, incorrect use of SCI channels, and incorrect
dissemination restrictions.
3. Frequency:
(1) How frequently are self-inspections conducted?
Answer: Annually.
(2) What factors were considered in establishing this time period?
Answer: Time period is defined in the NSM.
4. Coverage:
(1) How do you determine what program elements and Component
activities are covered by your self-inspection
program?
Answer: Self-assessments are to be completed on each contractor SCIF.

(2) What Component activities are assessed?

Answer: All contractor activities are assessed.

(3) How is the program structured to assess individual Component
activities and the Component as a whole?
Answer: Contractor locations far outnumber government locations in the
NRO. Government locations are
relatively few in number and have professional government security
officers assigned who can monitor
safeguarding and classified information production and correct errors
as they occur. We chose to concentrate on
contractor facilities which are visited relatively infrequently. The
conditions at contractor locations are not directly
applicable to government locations.

(4) If your Component has any special access programs (SAP), are
self-inspections of the SAP programs conducted
annually?
Answer: Most SAPs are reviewed as part of the ISAP program. The ISAP
formal assessment team has PSOs
assigned that are briefed for most SAPs. In addition, the NRO conducts
special annual reviews (in some cases,
semi-annual) of the entire Sensitive Activities portfolio.

o Do the self-inspections confirm that the Component head or principal
deputy has reviewed each special access
program annually to determine if it continues to meet the requirements
of E.O. 13526?
Answer: The NRO's entire Sensitive Activities portfolio is reviewed
and briefed annually to the DNI's Senior
Review Group (SRG) who then reports to Congress.

o Do the self-inspections determine if officers and employees are aware
of the prohibitions and sanctions for
creating or continuing a special access program contrary to the
requirements of E.O. 13526?
Answer: Yes. In keeping with E.O. 13526, all Sensitive Activities'
compartments that are established,
terminated, or transitioned (to another program or lower
classification) require NRO Special Activities
Management Board review and approval, followed by notification to the
DNI's Senior Review
Group/Controlled Access Program Oversight Committee.

5. Reporting:

(1) What format for documenting self-inspections in your Component?
Answer: Self assessments are documented using the self-assessment
review tool in the NSM, Appendix B. For
formal assessments, an out-briefing is provided to site security staff
and other site senior management identifying
security program successes, observations, and any security "best
practices" discovered during the formal
assessment. The results are then loaded into the facility database
that contains information from all previous visits
with any problem areas or "best practices" noted. A final report
requiring corrective actions to be taken within 90
days of the date of report is issued by the DOS&CI. The assessed site
is required to provide follow-up reports of
corrective action to the responsible PSO and the ISAP Manager every 90
days until all corrective actions are
complete. The responsible PSO monitors all mitigation actions. Reports
of corrective action are loaded into the
NRO facilities database for historical purposes.

(2) Who receives the reports?
Answer: The OS&CI ISAP Manager.

(3) Who compiles/analyzes the reports?
Answer: The ISAP Manager and the responsible PSO analyze the report.
(4) How are the findings analyzed to determine if there are problems of a
systemic nature?
Answer: The ISAP Manager provides to the sponsoring Government Program
Security Officer (GPSO) for review
and subsequent action.
(5) How and when are the results of the self-inspections reported to
the senior agency official?
Answer: The DOS&CI determines when results warrant informing the SAO.

(6) How is it determined if corrective actions are required?
Answer: The GPSO and security stakeholder(s) review.

(7) Who takes the corrective actions?
Answer: The assessed site.

(8) How are the findings from your Component's self-inspection program
distilled for the annual report to the Director
of ISOO?
Answer: The OS&CI Security Policy Staff (SPS) tasks the ISAP Manager
to distill the findings and provide them to
SPS for inclusion in the annual report.
Self-Inspection Program Description here: Description included in
italics under questions above.
PART 2. ASSESSMENT & SUMMARY:
ASSESSMENT

The assessment is an evaluation of the state of each element of your component's
classified national security information program based on an analysis
of the findings of the self-inspection program. It should consider if
the program element is being effectively implemented in
accordance with the Order and Directive and DoD 5200.01-M. It should
consider whether the
findings indicate that the regulation or other policies or procedures
may need to be updated, and
it should take into account other program information such as the
Standard Form 311, "Agency
Security Classification Management Program Data." If a particular
element does not apply to a
component (e.g., original classification authority) the report should
explain this.
• Original classification
Rating: Satisfactory
• Derivative classification
Rating: Document creation: Satisfactory Training: Deficient due to cost
• Declassification
Rating: Satisfactory
• Safeguarding
Rating: Satisfactory
• Security violations:
Rating: Satisfactory
• Security education and training
Rating: Satisfactory except for Derivative Classifier training which
is not required due to cost
• Management and oversight
Rating: Satisfactory
SUMMARY: The summary should report the findings from the
self-inspection program within each
of the program areas. This information should support the assessment.
• Original classification
Rating: Satisfactory
• Derivative classification
Rating: Document creation: Satisfactory Training: Deficient due to cost
• Declassification
Rating: Satisfactory
• Safeguarding
Rating: Satisfactory
• Security violations
Rating: Satisfactory
• Security education and training
Rating: Satisfactory except for Derivative Classifier training which
is not required due to cost
• Management and oversight
Rating: Satisfactory
Assessment & Summary here: included in italics under headings above.

PART 3. FOCUS QUESTIONS:
FOCUS QUESTIONS: Answer the following focus questions.
(1) Training for original classification authorities. (This applies
only to Components
with original classification authority).
(1) Original classification authorities are required to receive
training in proper classification and declassification each
calendar year (5200.01-V?). What percentage of the original
classification authorities at your Component has
received this training?

(2) Have any waivers to this requirement been granted?
Answer: 100% of NRO OCAs have received training. No waivers have been granted.
FOCUS QUESTIONS: Answer the following focus questions.

(2) Training for persons who apply derivative classification markings.
(1) Persons who apply derivative classification markings are required
to receive training in the proper application of the
derivative classification principles of the E.O. 13526 prior to
derivatively classifying information and at least once
every two years thereafter. What percentage of the derivative
classifiers at your Component has received this
training?
(2) Have waivers to this requirement been granted?
Answer: Percentage unknown. The DSS and CAPCO Derivative Classifier
training is available through the
NRO computer network; however, NRO has not made this training
mandatory because of the cost of two
hours of direct labor charged by each contractor. No waivers have been granted.
FOCUS QUESTIONS: Answer the following focus questions.

(3) Initial training.
(1) All cleared agency personnel are required to receive initial
training on basic security policies, principles, practices,
and criminal, civil, and administrative penalties. What percentage of
these personnel at your Component has
received this training?
Answer: 100% of new employees have received initial training.
FOCUS QUESTIONS: Answer the following focus questions.

(4) Refresher training.
(1) Components are required to provide annual refresher training to
all employees who create, process, or handle
classified information. What percentage of these employees at your
Component has received this training?
Answer: 100% of employees have received refresher training.
FOCUS QUESTIONS: Answer the following focus questions.

(5) Identity of persons who apply derivative classification markings.
(1) Derivative classifiers must be identified by name and position, or
by personal identifier on each classified
document. What percentage of the documents sampled meet this
requirement? (Also, indicate the number of
documents reviewed for this requirement.)
Answer: NRO personnel are directed to use a personal identifier. 100%
of documents have met this
requirement. The number of documents reviewed is unknown.
FOCUS QUESTIONS: Answer the following focus questions.

(6) List of multiple sources.
(1) A list of sources must be included on or attached to each
derivatively classified document that is classified based on
more than one source document or classification guide. What percentage
of the documents sampled meet this
requirement? (Also, indicate the number of documents reviewed for this
requirement.)
Answer: 100% of documents have met this requirement. The number of
documents reviewed is unknown.

FOCUS QUESTIONS: Answer the following focus questions.

(7) Performance evaluations.
(1) The performance contract or other rating system of original
classification authorities, security managers, and other
personnel whose duties significantly involve the creation or handling
of classified information must include a
critical element to be evaluated relating to designation and
management of classified information. What percentage
of such personnel at your Component has this element in their
performance contracts?

Answer: The NRO is comprised of government individuals from various
agencies. Parent agencies set the
rules for their performance contract or rating system. Based on the
rules for each parent agency,
approximately 40% have this element in their performance contract.
PART 4. DISCREPANCIES: Specific information with regard to the
findings of the annual review of
the Component's original and derivative classification actions to
include the volume of classified
materials reviewed and the number and type of discrepancies identified.
1. "Discrepancies" are instances when the classification and/or
marking requirements of the Order, Directive and Agency
regulation are not met. Among these are:
(1) Overclassification: information does not meet the standards for
classification.
(2) Overgraded/Undergraded: Information classified at a higher/lower
level than appropriate.
(3) Declassification: Improper or incomplete declassification
instructions or no declassification instructions.
(4) Duration: A shorter duration of classification would be appropriate.
(5) Unauthorized classifier: A classification action taken by someone
not authorized to do so.
(6) "Classified By" line: A document does not identify the OCA or
derivative classifier by name and position or by
personal identifier.
(7) "Reason" line: An originally classified document does not cite a
reason from section 1.4 of the Order.
(8) "Derived From" line: A document fails to cite, or cites
improperly, the classification source. The line should
include type of document, date of document, subject, and office/agency
of origin.
(9) Multiple sources: A document cites "Multiple Sources" as the basis
for classification, but list of these sources is
not included on or attached to the document.
(10) Marking: A document lacks overall classification markings or has
improper overall classification markings.
(11) Portion Marking: The document lacks required portion markings.
(12) Instructions from a classification guide are not properly applied.
For additional information on marking, consult the DoDM 5200.01-V2.
List identified program deficiencies here. Also list actions taken or
are planned to correct identified program
deficiencies, marking discrepancies, or misclassification actions, and
to deter their reoccurrence:
Answer: Improper application of portion marking. Individuals will
receive additional training and review of
their documents by security officers.
PART 5. BEST PRACTICES: List best practices that were identified
during self inspections here:
- Comprehensive security database developed which reflects final
adjudication and investigation of security incidents
- SCIF decertification process assembled consisting of:
-- SCIF decertification checklist
-- Sanitization steps for offices
-- SCIF decertification roles and responsibilities
- The self-assessments, methodology, and supporting application is a
model for other industry sites
- Comprehensive Open/Close procedures
- Plexiglas inspection window and inspection ports for checking
penetration of perimeter by HVAC, wiring, etc.

DoD SELF INSPECTION PROGRAM REQUIREMENTS: This portion of the
checklist meets specific
requirements for a standard DoD Information Security Program based on
the DoDM 5200.01-V1 thru
V3. Please answer the following questions below.
NO. | PROGRAM MANAGEMENT (EO 13526 REQUIREMENTS) | YES | NO | N/A

1. Has the head of each activity in the Component appointed a security
manager to manage and implement the activity's information security
program which implements the provisions of DoDM 5200.01-M? (DoDM
5200.01-M, Vol 1, Encl 2, para 8.b & 9.a)
2. Does the Component Head develop and implement, through the security
manager, security instructions necessary for program implementation?
(DoDM 5200.01-M, Vol 1, Encl 2, para 9.d)
3. Are sufficient resources and personnel committed to implement the
classified national security information security program? (DoDM 5200.01-M,
Vol 1, Encl 2, para 6.d)
4. Are OCAs delegated classification authorities in writing? (DoDM 5200.01-M, Vol
1, Encl 4, para 5.c)
5. Has the security manager attended the required training? Note: Training and
education shall be provided before, concurrent with, or not later than six
months following appointment. (DoDM 5200.01-M, Vol 3, Encl 5, paras 4.a and
10)
6. Does the security manager conduct security inspections (self-inspections)?
(DoDM 5200.01-M, Vol 1, Encl 2, para 7.d)
• Is the Component Head informed of the results of such inspection?
7. Does the security manager establish, implement and maintain an effective
security education program as required by DoDM 5200.01-M, Volume 3,
Enclosure 5, to include initial orientation and continuing/refresher training
for assigned members? (DoDM 5200.01-M, Vol 1, Encl 2, para 7.g & 9.f; Vol 1,
Encl 3, para 6.c; and Vol 3, Encl 5, para 7 & 8)
• Do security managers document all security-related training? (DoDM
5200.01-M, Vol 3, Encl 5, para 11)
8. Are procedures established to prevent unauthorized access to classified
information? (DoDM 5200.01-M, Vol 1, Encl 2, para 7.e)
• Note: Examples include implementing visitor controls, restricting
combinations to cleared members, establishing end-of-day security
checks, etc.
9. Are emergency plans developed for the protection, removal, or destruction
of classified material in case of fire, natural disaster, civil disturbance, or
terrorist activities to minimize the risk of compromise? (DoDM 5200.01-M, Vol
1, Encl 2, para 9.d)
10. Are procedures established for ensuring that all persons handling classified
material are properly cleared and have a need-to-know? (DoDM 5200.01-M,
Vol 1, Encl 3, para 11.a)
11. Does the security manager maintain a continuity handbook?

DATE

11 October
2012


ORIGINAL CLASSIFICATION (EO 13526 REQUIREMENTS)

12. Are Original Classification Authorities (OCAs) trained on the
process and requirements for original classification (DoDM 5200.01-M,
Vol 1, Encl 4, para 6), to include?
• Applicable standards and categories for classification? (DoDM
5200.01-M, Vol 1, Encl 4, para 1)
• Levels of classification and damage criteria associated with each one?
(DoDM 5200.01-M, Vol 1, Encl 4, para 3)
• Avoidance of over-classification? (DoDM 5200.01-M, Vol 1, Encl 4,
para 6.f)
• Classification prohibitions and limitations? (DoDM 5200.01-M, Vol 1,
Encl 4, para 2)
• Required markings, including those for dissemination and handling?
(DoDM 5200.01-M, Vol 1, Encl 4, para 6.h; Vol 2, Encls 3 & 4)
• Determination of declassification instructions? (DoDM 5200.01-M,
Vol 1, Encl 4, para 13.a)
• Delegations of OCA responsibilities? (DoDM 5200.01-M, Vol 1, Encl 4,
para 5 & 5.c)
• Classification challenges? (DoDM 5200.01-M, Vol 1, Encl 4, para 22)
13. Have OCAs prepared, as appropriate, classification guides to
facilitate the proper and uniform derivative classification of
information? (DoDM 5200.01, Vol 1, Encl 4, para 6.h; Vol 1, Encl 6,
para 1)
14. Do the guides meet the requirements of section 2.2 of E.O. 13526 and
section 2001.15 of title 32, Code of Federal Regulations (CFR)?

DERIVATIVE CLASSIFICATION (EO 13526 REQUIREMENTS)

15. Are persons who apply derivative classification markings trained on
the process and requirements for derivative classification (DoDM
5200.01-M, Vol 1, Encl 4, para 11 & 12), to include?
• Identity of derivative classifier? (DoDM 5200.01-M, Vol 2, Encl 3,
para 7 & 8.c.(1)(a))
• Use of source documents, including classification guides? (DoDM
5200.01-M, Vol 2, Encl 3, para 8.c.(1)(b), 8.c.(2) & 8.c.(3))
• Declassification instructions? (DoDM 5200.01-M, Vol 2, Encl 3,
para 8.c.(1)(d), 8.c.(4)-(9) & 9)
• Proper application of markings? See Classification Markings/Document
Review section below. (DoDM 5200.01-M, Vol 2, Encl 3 & 4)
• Classification challenges (DoDM 5200.01-M, Vol 1, Encl 4, para 22)

CLASSIFICATION MARKINGS/DOCUMENT REVIEW (EO 13526 REQUIREMENTS)

16. Reviews of original and derivative classification actions shall be
conducted in accordance with section 2001.60(c)(2) of title 32, CFR, and
should evaluate the classification and marking of documents to include:
(DoDM 5200.01-M, Vol 1, Encl 2, para 7.d)
• Have the standards of classification been met? (DoDM 5200.01, Vol 1,
Encl 4, para 1 & 2)
• Could damage to the national security be reasonably expected in the
event of unauthorized disclosure? (DoDM 5200.01, Vol 1, Encl 4, para 3)
• Have the requirements for original classification of Part 1 of
E.O. 13526 or for derivative classification in Part 2 of E.O. 13526 been
met?
• Have the required markings been applied in accordance with E.O. 13526
and Subpart C of title 32, CFR? (DoDM 5200.01-M, Vol 2, para 3)
• Overall classification level (DoDM 5200.01-M, Vol 2, Encl 3, para 5)
• "Reason for Classification" line (originally classified documents
only) (DoDM 5200.01-M, Vol 2, Encl 3, para 3.b.(1)(b) & 3.b.(4))
• The Agency, Office or Origin, and Date (DoDM 5200.01-M, Vol 2, Encl 3,
para 7)
• A "Derived From" line (DoDM 5200.01-M, Vol 2, Encl 3, para 8.c.(1)(b))
• A "Classified By" line (DoDM 5200.01-M, Vol 2, Encl 3, para 8.b.(1)(a)
& 8.c.(1)(a))
• Identification of the sources of classification (DoDM 5200.01-M,
Vol 2, Encl 3, para 8.c.(1)(b), 8.c(2), & 8.c.(3))
• "Declassify On" line (DoDM 5200.01-M, Vol 2, Encl 3, para 8.c.(d))
• Downgrading instructions, if required (DoDM 5200.01-M, Vol 2, Encl 3,
para 8.a.(4))
• Page and Portion Markings (DoDM 5200.01-M, Vol 2, Encl 3, para 5 & 6)
• Have any unauthorized or invalid markings been applied to documents?
17. Are Agency personnel who conduct reviews of the agency's original
and derivative classification actions trained on the classification and
marking requirements of E.O. 13526, part 2001 of title 32, CFR, and DoDM
5200.01; and do they have access to pertinent security classification
guides?
18. Are "subjects" or "titles" of classified documents marked with the
appropriate symbol (TS), (S), (C), or (U) following and to the left of
the title or subject? (DoDM 5200.01-M, Vol 2, Encl 3, para 6.e.(2) & 14)
19. Is each section, part, paragraph, or similar portion of a classified
document marked to show the highest level of classification of
information it contains, or that it is unclassified? Portion of text
shall be marked with the appropriate abbreviations (TS, S, C, or U).
(DoDM 5200.01-M, Vol 2, Encl 3, para 6)
20. Are portions within documents containing Restricted Data and
Formerly Restricted Data marked with the abbreviation "RD" or "FRD"
(e.g. S//RD or TS//FRD)? (DoDM 5200.01-M, Vol 2, Encl 4, para 8.a & 8.b)
21. Are portions within documents containing foreign government or North
Atlantic Treaty Organization (NATO) information marked with the foreign
classification or NATO and the appropriate classification level (e.g.
//GBR S or //NATO C)? (DoDM 5200.01-M, Vol 2, Encl 4, para 4)
22. Is the abbreviation "FOUO" used to designate unclassified portions
that contain information that may be exempt from mandatory release to
the public under the Freedom of Information Act (FOIA)? (DoDM 5200.01-M,
Vol 2, Encl 4, para 10.b & Vol 4, Encl 3, para 2.c)
23. Are charts, graphs, photographs, illustrations, figures, and similar
items within classified documents marked to show their classification?
(DoDM 5200.01-M, Vol 2, Encl 3, para 6.a & 18)
24. Are the markings placed within the chart, graph, photograph,
illustration, figure, etc. or next to the item? (DoDM 5200.01-M, Vol 2,
Encl 3, para 6.e.(3) & 18)

25. Is the highest classification level placed on the top and bottom of
each page containing classified information or marked "unclassified"?
(This is called the "banner line")
• Do the markings stand out from the balance of the information on the
page (must be readily visible)? (DoDM 5200.01-M, Vol 2, Encl 3, para 5)
26. Are TRANSMITTAL documents properly marked to include either its
highest classification or a notation "Unclassified when separated from
classified enclosures"? (DoDM 5200.01-M, Vol 2, Encl 3, para 15)
27. For ELECTRONIC documents:
• Are e-mails, blog entries, bulletin board postings, and other
electronic documents marked as finished documents, not working papers?
(DoDM 5200.01-M, Vol 2, Encl 3, para 17.a.(2))
• Do e-mails include the appropriate banner line, portion markings, and
classification authority block? Is the subject line portion mark the
classification of the subject, not the overall classification of the
e-mail? (DoDM 5200.01-M, Vol 2, Encl 3, para 17.b)
• Do classified URLs contain embedded portion marks? (DoDM 5200.01-M,
Vol 2, Encl 3, para 17.d)
• Are briefing slides, including any speaker notes and hidden slides,
marked as required for text documents? (DoD 5200.01-M, Vol 2, Encl 3,
para 16)
• Are maps, charts, blueprints, photographs, and other special types of
materials marked in the same fashion as for documents, to the extent
feasible? (DoD 5200.01, Vol 2, Encl 3, para 18)
28. Are Files, Folders, and Groups of documents clearly marked on the
outside of the file or folder (attaching a classified document cover
sheet to the front of the folder or holder will satisfy this
requirement)? (DoDM 5200.01-M, Vol 2, Encl 2, para 4.a)
29. Are removable storage media (e.g. magnetic tape reels, disk packs,
diskettes, CD-ROMS, removable hard disks, disk cartridges, tape
cassettes, etc.) marked with the appropriate Standard Form label (SF
706/707/708/710)? (DoDM 5200.01-M, Vol 2, Encl 2, para 4.b)


DECLASSIFICATION (EO 13526 REQUIREMENTS)

30. Is there a records management system to facilitate public release of
declassified documents?
31. Are procedures established for automatic, systematic, discretionary,
and mandatory declassification review?

SAFEGUARDING AND STORAGE (EO 13526 REQUIREMENTS)

32. Is the program designed and maintained to optimize safeguarding of
classified information?
33. Are there control measures to prevent unauthorized access to
classified information?
34. Are personnel aware of procedures for identifying, reporting, and
processing unauthorized disclosures of classified information?
35. Are there procedures to ensure that appropriate management action is
taken to correct identified problems?
36. Are there methods for transmitting classified information, preparing
it correctly for mailing, and for hand carrying or escorting classified
material?
37. Is classified information removed from storage kept under constant
surveillance of authorized persons? (DoDM 5200.01-M, Vol 3, Encl 2,
para 8)
38. Are cover sheets placed on all documents removed from storage? (DoDM
5200.01-M, Vol 3, Encl 2, para 8)
39. Are end-of-day security checks established for areas that process or
store classified information to ensure the area is secure at the close
of each working day? (DoDM 5200.01-M, Vol 3, Encl 2, para 9)
40. Is the SF 701, Activity Security Checklist, used to record
end-of-day checks? (DoDM 5200.01-M, Vol 3, Encl 2, para 9)
41. Is the SF 702, Security Container Check Sheet, used to record the
closing of each vault, secure room, or container used for storage of
classified material? (DoDM 5200.01-M, Vol 3, Encl 2, para 9)
42. Is the SF 700, Security Container Information, properly completed
and posted inside the LOCKING drawer of the security container, or
inside the door of vault and similar facilities? (DoDM 5200.01-M, Vol 3,
Encl 3, para 10)
43. Are storage containers (safes) that may have been used to store
classified information inspected by properly cleared personnel before
removal from protected areas or before unauthorized persons are allowed
access to them? (DoDM 5200.01-M, Vol 3, Encl 3, para 13)
44. Are combinations to security containers changed at the required
intervals? (DoDM 5200.01-M, Vol 3, Encl 3, para 11.b)
45. If written records of the combination are maintained, are they
marked and protected at the highest classification of the material
stored therein? (DoDM 5200.01-M, Vol 3, Encl 3, para 11.a)
• Is the combination stored in a security container other than the one
for which it is being used?
46. Are entrances to secure rooms or areas under visual control at all
times during duty hours to prevent unauthorized access or equipped with
electric, mechanical or electromechanical access control devices to
limit access during duty hours? (DoDM 5200.01-M, Vol 3, Encl 3,
para 12.a)
47. Does each vault or container bear an external marking for
identification purpose? NOTE: The level of classification stored therein
must NOT be marked on the outside of the container(s). (DoDM 5200.01-M,
Vol 3, Encl 3, Para 9)
48. Is Top Secret material stored only in a GSA approved security
container (safe) having one of the following supplemental controls:
(DoDM 5200.01-M, Vol 3, Encl 3, para 3.a)
• Guard or duty personnel cleared to the Secret level inspect the
security container once every two hours
• An Intrusion Detection System (alarm system) meeting requirements of
para 2 of the Appendix to Encl 3 of DoDM 5200.01-M, Vol 3.

• Combination lock meeting Federal Specification FF-L-2740 (X0-7) with
security-in-depth
49. Is Secret material stored in a GSA approved security container
(safe) without supplemental controls or in the same manner as Top
Secret? (NOTE: Approved containers will have a certification label on
the container itself) (DoDM 5200.01-M, Vol 3, Encl 3, para 3.b)
50. Is Confidential material stored in a GSA approved security
container? (DoDM 5200.01-M, Vol 3, Encl 3, para 3.c)
51. Are security container repairs (e.g. drilled because of a forgotten
combination) done in accordance with FED-STD 809? (DoDM 5200.01-M,
Vol 3, Encl 3, para 14)
52. Is equipment (e.g. copiers, facsimile machines, AIS equipment and
peripherals, electronic typewriters and word processing systems) used
for processing classified information protected from unauthorized
access? (DoDM 5200.01-M, Vol 3, Encl 2, para 14.a)
53. Do appropriately cleared and technically knowledgeable personnel
inspect the equipment and media used for processing classified
information before the equipment is removed from the protected areas?
(DoDM 5200.01-M, Vol 3, Encl 2, para 14.d)
54. Are GSA approved field safes and special purpose one and two drawer
lightweight security containers securely fastened to the structure or
under sufficient surveillance to prevent their theft? (DoDM 5200.01-M,
Vol 3, Encl 3, para 6.a)


TELECOMMUNICATIONS, AUTOMATION INFORMATION SYSTEMS, AND NETWORK
SECURITY (EO 13526 REQUIREMENTS)

55. Consistent with section 4.1(f) of E.O. 13526 and section 2001.50 of
title 32, CFR, have uniform procedures been established to ensure that
automated information systems that collect, create, communicate,
compute, disseminate, process or store classified or controlled
unclassified information are protected in accordance with applicable DoD
policy issuances?
56. Have procedures been established and implemented to:
• Prevent access by unauthorized persons;
• Ensure the integrity of the information;
• To the maximum extent practicable, use:
1) Common information technology standards, protocols, and interfaces
that maximize the availability of, and access to, the information in a
form and manner that facilitates its authorized use; and
2) Standardized electronic formats to maximize the accessibility of
information to persons who meet the criteria set forth in section 4.1(a)
of E.O. 13526.

57. Have procedures been established to ensure that unclassified copiers
connected to the Internet are not used for classified reproduction?
(DoDM 5200.01-M, Vol 3, Encl 7, para 10)
• Are modems, telecommunications capabilities and network connections
disabled on copiers approved for classified reproductions? (DoDM
5200.01-M, Vol 3, Encl 7, para 10)
• Are classified hard drives removed from classified reproduction
equipment prior to maintenance? (DoDM 5200.01-M, Vol 3, Encl 7, para 10)
58. Are cameras and microphones disabled on all hardware used for
classified processing, in classified spaces, or connected to networks in
classified spaces? (DoDM 5200.01-M, Vol 3, Encl 7, para 10)


REPRODUCTION OF CLASSIFIED MATERIAL (EO 13526 REQUIREMENTS)

59. Are procedures established to oversee and control the reproduction
of classified material? (DoDM 5200.01-M, Vol 3, Encl 2, para 5.b)
60. Are personnel, who reproduce classified, aware of the risks involved
with the specific reproduction equipment and the appropriate
countermeasures they are required to take? (DoDM 5200.01-M, Vol 3,
Encl 2, para 5.b.(2))
61. Are waste products generated during reproduction properly protected
and disposed of? (DoDM 5200.01-M, Vol 3, Encl 2, para 5.b.(6))
62. Is reproduction equipment specifically designated for the
reproduction of classified material? (DoDM 5200.01-M, Vol 3, Encl 2,
para 5.b.(7))
63. [Optional] Are RULES POSTED on or near the designated equipment
authorized for the reproduction of classified? (DoDM 5200.01-M, Vol 3,
Encl 2, para 15)
64. [Optional] Are NOTICES prohibiting reproduction of classified POSTED
on equipment used only for the reproduction of unclassified material?
(DoDM 5200.01-M, Vol 3, Encl 2, para 15)

DISPOSITION AND DESTRUCTION OF CLASSIFIED MATERIAL (EO 13526
REQUIREMENTS)

65. Has each activity with classified holdings set aside at least one
"Clean-Out" day each year when specific attention and effort is focused
on disposition of unneeded classified material? (DoDM 5200.01-M, Vol 3,
Encl 3, para 17.b)
66. Is classified materials properly destroyed by approved methods?
(DoDM 5200.01-M, Vol 3, Encl 3, para 17 & 18)

TRANSMISSION AND TRANSPORTATION OF CLASSIFIED INFORMATION (EO 13526
REQUIREMENTS)

67. Whenever classified information is transmitted outside of the
activity is it enclosed in two opaque sealed envelopes or similar
wrappings or containers durable enough to properly protect the material
from accidental exposure and facilitate detection of tampering? (DoDM
5200.01-M, Vol 3, Encl 4, para 9)
• NOTE: When classified material is hand-carried outside an activity, a
locked briefcase may serve as the outer wrapper.

68. Is the outer wrapper addressed to an official government activity or
to a DOD contractor with a facility clearance and appropriate storage
capability with a complete return address of the sender? (DoDM
5200.01-M, Vol 3, Encl 4, para 9.a.(1))
69. Is the inner wrapper or container marked with the following
information: sender's and receiving activity's address and highest
classification level of the contents (including where appropriate, any
special markings)? (DoDM 5200.01-M, Vol 3, Encl 4, para 9.a.(2))
• NOTE: The inner envelope may have an "attention line" with a person's
name.
70. Are procedures established to limit the hand carrying of classified
information to only when other means of transmission or transportation
cannot be used? (DoDM 5200.01-M, Vol 3, Encl 4, para 11.a)
71. Are hand-carrying officials briefed on and have they acknowledged
their responsibilities for protecting classified information? (DoDM
5200.01-M, Vol 3, Encl 4, para 11.c)
72. Are courier officials provided a written statement authorizing such
hand carrying transmission? (DoDM 5200.01-M, Vol 3, Encl 4, para 12)
• [Optional] Does the activity list all classified carried or escorted
by traveling personnel? (DoDM 5200.01-M, Vol 3, Encl 4, para 11)
• [Optional] Does the activity keep this list until all material reaches
the recipient's activity? (DoDM 5200.01-M, Vol 3, Encl 4, para 11)
73. When "Confidential" classified information is sent U.S. Postal
Service "First Class" mail between DOD Components within the United
States, is the outer envelope or wrapper endorsed "POSTMASTER: RETURN
SERVICE REQUESTED"? (DoDM 5200.01-M, Vol 3, Encl 4, para 5.d)
74. Do recipients of First Class mail bearing the "Postmaster" notice
protect it as Confidential material?


SECURITY EDUCATION (EO 13526 REQUIREMENTS)

75. Has the Component Senior Agency Official established a Security
Education program? (DoDM 5200.01-M, Vol 1, Encl 2, para 7.g) Has the
activity security manager implemented the security education and
training program within the activity? (DoDM 5200.01, Vol 1, Encl 2,
para 9.f)
76. Have all personnel been trained on policies for classification,
safeguarding and declassification?
77. Do all personnel who perform derivative classification receive
training every 2 years? (DoDM 5200.01-M, Vol 3, Encl 5, para 7.c)
78. All original classification authorities (OCA) must receive training
in proper classification and declassification at least once a calendar
year. (DoDM 5200.01-M, Vol 1, Encl 4, para 5.d and Vol 3, Encl 5, para 5)
79. Does this training program include an "Initial Orientation" for all
assigned personnel who are cleared for access to classified information?
(DoDM 5200.01-M, Vol 3, Encl 5, para 3)
80. Does this orientation include the: (DoDM 5200.01-M, Vol 3, Encl 5,
para 3)

• Roles and responsibilities of assigned members and key personnel?
• Elements of safeguarding classified information?
• Elements of classifying and declassifying information?
81. Is additional training provided for members who: (DoDM 5200.01-M,
Vol 3, Encl 5, para 4.b & c)
• Are members of deployable organizations, to provide enhanced security
training to meet the needs of the operational environment?
• Will be traveling to foreign countries?
• Will be escorting, hand carrying, or serving as a courier for
classified material?
• Will use automated information systems to store, process, or transmit
classified?
• Will have access to information requiring special control or
safeguarding measures?
• Will be using Foreign Government Information or work in coalition or
bilateral environments?
• Submit information to OCAs for original classification decisions?
82. Is Refresher training provided at least annually to assigned
members? (DoDM 5200.01-M, Vol 3, Encl 5, para 7.a)
83. Is Refresher training tailored to the mission needs and address
policies, principles and procedures covered in initial training? (DoDM
5200.01-M, Vol 3, Encl 5, para 7.a)
84. Does Refresher training address concerns identified during Component
Self-Inspections? (DoDM 5200.01-M, Vol 3, Encl 5, para 7.a)
85. Are procedures established to ensure cleared employees who leave the
organization or whose clearance is terminated receives a termination
briefing? (DoDM 5200.01-M, Vol 3, Encl 5, para 9)
86. Are records maintained to show the names of members who participated
in "Initial" and "Refresher" training? (DoDM 5200.01-M, Vol 3, Encl 5,
para 11)
87. Do training programs for "Uncleared" members include: (DoDM
5200.01-M, Vol 3, Encl 5, para 3)
• The nature and importance of classified information?
• Actions to take if they discover classified information unprotected?
• The need to report suspected contact with a foreign intelligence
collector?

SECURITY INCIDENTS AND VIOLATIONS TO INCLUDE COMPROMISES (EO 13526
REQUIREMENTS)

88. Are assigned members trained on their responsibilities to report
security violations concerning classified information? (DoDM 5200.01-M,
Vol 3, Encl 6, para 3.b)
89. Are there procedures to conduct an inquiry/investigation of a loss,
possible compromise, or unauthorized disclosure of classified
information? (DoDM 5200.01-M, Vol 3, Encl 6, para 6)
90. Are appropriate and prompt corrective actions taken when a violation
or infraction occurs? (DoD 5200.01-M, Vol 3, Encl 6)
91. Are inquiries and/or investigations promptly conducted to ascertain
the facts surrounding reported incidents? (DoDM 5200.01-M, Vol 3,
Encl 6, para 6)
92. Are individuals who commit violations or infractions subject to
appropriate sanctions? (DoDM 5200.01-M, Vol 1, Encl 3, para 17 and
Vol 3, Encl 6, para 8.b & 14)


UNCLASSIFIED

NRO APPROVED FOR RELEASE
28 August 2014

NRO Explanation of N/A Responses on 2012 Information Security Program
Self-inspection Checklist

Item   Comment

1. The DNRO appoints the DOS&CI as responsible for NRO security. The
DOS&CI appoints a Government Program Security Officer (GPSO) as the head
of each Directorate or Office activity who implements the provisions of
the NRO Security Program. For each contractor, an NRO Contractor Program
Security Officer (NCPSO) is nominated by the contractor and approved by
the DOS&CI. The NCPSO is a senior Contractor PSO responsible and
accountable for the security oversight of all NRO program activities at
their company or corporation.
2. All security instructions are signed by the DOS&CI
5. Equivalent training is provided
6. Security evaluations and self-inspections are centrally managed under
the DOS&CI. The DOS&CI is informed of the results of such inspections.
7. Security-related training will be documented in the Personnel
Security File or in a listing of all personnel who completed the
training
9. Yes, in areas where political instability, terrorism, host country
attitude, or criminal activity suggests the possibility that a SCIF may
be overrun by hostile forces.
11. If the security manager has a COOP mission, essential materials are
in place at the alternate location.
12. The NRO cannot approve OCAs so we cannot delegate OCA
responsibilities.
16. The NRO does not use Downgrading markings.
21. NRO personnel do not have the authority to create NATO information.
28. Most SCIFs are open storage and do not require the use of cover
sheets.
38. Most SCIFs are open storage and do not require the use of cover
sheets.
40. SF 701 may be used or locally designed forms may be used
41. SF 702 may be used or locally designed forms may be used
45. Yes, at the SCI level, except for SAR where the holder does not have
access to the SAR compartment nor the physical area housing the
container.


UNCLASSIFIED
Please note: The best way to view the report "Agency Annual
Self-Inspection Program Data: FY 2013" (attached to this
explanation) is in softcopy because several of the expandable
fields have text that is hidden when viewed in hardcopy. The
full text of entries that exceed the viewable space of
expandable fields is included below for ease of reading,
however, only the softcopy form will be submitted to OUSD(I).
3. Enter the name, title, address, phone, fax, and e-mail address
of the Senior Agency Official (SAO) (as defined in E.O. 13526,
section 5.4(d)) responsible for this report.
Mr. Frank Calvelli
Principal Deputy Director, NRO
Room
14675 Lee Road, Chantilly, VA 20151
(b)(3) 10 USC 424

FAX

(b)(3) 10 USC 424

(b)(3) 10 USC 424

13. What means and methods are employed in conducting self inspections?
(For example: interviews, surveys, data calls, checklists, analysis, etc.)

NRO self-inspections are part of the NRO ISAP. Because contractors make up
of the total NRO workforce and have the overwhelming number of
Sensitive Compartmented Information
Government and industry to identify and address security
vulnerabilities, provide data for analysis, and identify system
security issues and trends. Site personnel conduct/document
security self-assessments, per requirements stated in the NRO
Security Manual (NSM) at least annually. The ISAP Manager or
designee reviews the site assessments and enters a copy into an
NRO database listing each NRO sponsored facility. Based on the
self-assessments, the ISAP Manager, Program Security Officers
(PSOs) and stakeholders discuss findings and formulate
recommendations for a formal assessment, if required. OS&CI
stakeholders represent the major OS&CI directorates and program
office security staffs, including, but not limited to, PSOs,
Physical/Technical Certification Officers and Security
Certification Officers. Stakeholders develop and provide ISAP
candidates to the ISAP Selection Board. Each ISAP
recommendation shall contain detailed factors used to formulate
the recommendation. Recommendation for site visits is then
provided to the selection board. Sites are selected based on
risk, proximity, resources, budgetary constraints, time since
last assessment, and random sampling. A team composition is
proposed for each site visit and a Lead PSO is selected. The
Assessment Team will, at a minimum, consist of a Government PSO
and an OS&CI/Facilities and Information Security Division
(F&ISD) representative. Additional team members will be added
as needed based on site size, mission, facility risk, and
subject areas being assessed. After the on-site assessment, an
out-briefing is provided to site security staff and other site
senior management identifying security program successes,
observations, and any security "best practices" discovered
during the formal assessment. The results are loaded into the
facility database that contains information from all previous
visits with any problem areas or "best practices" noted. A
final report requiring corrective actions to be taken within 90
days of the date of the report is issued by the D/OS&CI. The
assessed site is required to provide follow-up reports of
corrective action to the responsible PSO and the ISAP Manager
every 90 days until all corrective actions are complete. The
responsible PSO monitors all mitigation actions. Reports of
corrective action are loaded into the NRO facilities database
for historical purposes. For the reporting period, 291 self-assessments
were received and 10 formal team assessments were
performed. No additional formal specific-issue reviews were
conducted. There were an additional 742 visits by OS&CI
stakeholders to contractor SCIFs. In addition, a data call was
conducted with all PSOs and CMOs in NRO Headquarters to answer
items 87 and 88.
20. Describe below how the agency identifies activities and
offices whose documents are to be included in the sample of
classification actions. (Indicate if NA.)
Based on the 291 site self-assessments submitted, the ISAP
Manager, Program Security Officers (PSOs) and stakeholders
discuss findings and formulate recommendations for a formal
UNCLASSIFIED

NRO APPROVED FOR RELEASE
28 August 2014

UNCLASSIFIED
assessment, if required. OS&CI stakeholders represent the major
OS&CI directorates and program office security staffs,
including, but not limited to, PSOs, Physical/Technical
Certification Officers and Security Certification Officers.
Stakeholders develop and provide ISAP candidates to the ISAP
Selection Board. Each ISAP recommendation shall contain
detailed factors used to formulate the recommendation.
Recommendation for site visits is then provided to the selection
board. Sites are selected based on risk, proximity, resources,
budgetary constraints, time since last assessment, and random
sampling. A team composition is proposed for each site visit
and a Lead PSO is selected.
Additionally, several types of documents at NRO headquarters are
reviewed annually by CMOs and PSOs for proper classification and
marking. A data call was conducted with all PSOs and CMOs in
NRO Headquarters to answer items 87 and 88.
22. How do you ensure that the materials reviewed provide a
representative sample of the agency's classified information?
(Indicate if NA.)
Documents are selected for review in cooperation with site
personnel who are familiar with the type of materials produced
by the site. However, contractors are not required to count
classified pages produced because of the additional costs that
would be incurred by the NRO, so the documents reviewed may not
be a representative sample. The data call conducted with NRO
Headquarters PSOs and CMOs for item 87 and 88 represents all
documents they reviewed during FY 2013.
31. How is the self-inspection program structured to assess
individual agency activities and the agency as a whole?
Contractor SCIF locations far outnumber government SCIF
locations in the NRO. Government locations are relatively few
in number and have professional government security officers
assigned who can monitor safeguarding and classified information
production and correct errors as they occur. We chose to
concentrate on contractor facilities which are visited
relatively infrequently. The conditions at contractor locations
are not directly applicable to government locations.

35. What is the format for documenting self-inspections in your
agency?
Self-assessments are documented using the self-assessment review
tool in the NSM, Appendix B. For formal assessments, an out-briefing is
provided to site security staff and other site
senior management identifying security program successes,
observations, and any security "best practices" discovered
during the formal assessment. The results are then loaded into
the facility database that contains information from all
previous visits with any problem areas or "best practices"
noted. A final report requiring corrective actions to be taken
within 90 days of the date of report is issued by the D/OS&CI.
The assessed site is required to provide follow-up reports of
corrective action to the responsible PSO and the ISAP Manager
every 90 days until all corrective actions are complete. The
responsible PSO monitors all mitigation actions. Reports of
corrective action are loaded into the NRO facilities database
for historical purposes.
47. Safeguarding:
Regular conduct of exercises provides vital feedback to the
physical security program. Exercises identify areas for
corrective measures, enhancements, validate current tactics,
techniques and procedures (TTP) and the adoption/employment of
new TTP to meet a dynamic threat environment. Regular
inspections/audits are essential to ensuring status and validity
of issued IC badges and conformity to physical security
requirements. Risk assessments/physical security assessments
provide a helpful "outside" perspective to site security
offices. NRO government and contractor personnel work in SCIFs
equipped with secure telephones, FAX, and teleconferencing
equipment, badges and badge readers, guard forces in several
locations, document shredders and other features to ensure
compromises of classified information do not occur. While the
insider threat is always a possibility, we take every precaution
to prevent security incidents from occurring. The NRO applies
uniform procedures established by the Intelligence Community
Directive (ICD)-503 family of policy and guidance for
Information Technology Systems Security Risk Management and
Assessment and Authorization (A&A) activities.
48. Security Violations:
The ISAP program is the formal mechanism by which we corroborate
self-inspections. Included in these formal reviews is an
assessment of the respective security violation program and
trends. In addition, each component Security team evaluates
Security incidents and violations by tracking them according to
general broad categories. During this past FY, the majority
(63%) of incidents/violations were related to categories within
personnel electronic devices in SCIFs. Other categories that
have multiple occurrences indicating potential trends are data
spills (9%) and inadvertent removal of classified information
(12%). Personal cell phones and prohibited electronic devices
are not allowed in SCIFs. While we have installed lockers
outside SCIFs to secure cell phones, entry of prohibited
electronic devices into SCIFs is still a problem. Visitor
attendance to NRO conferences/facilities result in numerous cell
phones being brought into the conference even by individuals
with security duties who should know better.
49. Security Education and Training:
100% of personnel assigned to the NRO are required to complete
an SCI indoctrination briefing to include signing a Non-Disclosure
Agreement. E.O. 13526 is called out specifically so
that personnel fully understand their responsibilities and
requirements to protect classified information. This message is
repeated by the release of awareness videos and reminders
throughout the year; to include presentations, written
materials, and training. Specifically, OS&CI incorporates
classification management questions within the Annual Security
Refresher (ASR) web-based training (WBT). In 2014 ASR will
include additional Derivative Classification questions. With as
many contractors as the NRO employs, training can be a major
expense. Every contractor and government employee with a secure
computer account is required to take the Annual Security
Refresher training otherwise they lose their computer
connection. There are numerous additional courses and
specialized security training available on-line even though
sequestration has reduced training manpower overall to include
elimination of the Information Management Branch which ran the
OS&CI web site and security-specific applications.

50. Management and Oversight:
Government oversight of NRO-sponsored SCIFs is achieved in a
multi-faceted manner. Program Security Officers,
Physical/Technical, and Computer Security Officers review
self-assessment results and participate in on-site reviews. Some
program findings for FY 13 were identified in the following
areas:
• Standard Operating Procedures (SOPs) require more detail and
more frequent revision to stay up-to-date with security
requirements.
• Foreign travel and contact reporting were not always
accomplished using the mandated NRO Counterintelligence Network
(CINet).
• There are undocumented information systems within facilities.
• Not all employees with AIS privileged user type access have
been identified and tracked.
• Facility alarm test records are not always maintained for the
required time period.
• Red/Black cabling is not labeled for identification.
54. Safeguarding:
Awareness and education programs are vital to ensuring the
workforce maintains awareness of security policy and procedures.
Regular and aperiodic exercises, inspections, and audits provide
crucial inputs that are indispensable to ensuring that the
physical security program is current and effective. Key
challenges are maintaining adequate funding to replace aging,
malfunctioning, and obsolete security equipment and training and
education for new personnel. The NRO has an organization-level
process for the Assessment and Authorization (A&A) of
Information Systems and a Directive 51-1, "Information
Technology, Information Assurance, and Information Management
Architecture and Strategy for Certification and Accreditation"
to ensure automated information systems that collect, create,
communicate, compute, disseminate, process or store classified
information are protected in accordance with applicable national
policy issuances.

55. Security Violations:
The NSM details the NRO process for reporting and investigating
security incidents, infractions and violations. Appropriate and
prompt corrective actions were taken to mitigate the severity of
the infraction/violation, and to sanction the offender via
management, counterintelligence, and personnel security
processes. Infractions and violations are centrally tracked in
the Security Log (the NRO incident/violation database). This
database is managed by the Program Security Officers in each
directorate and office, and enables the PSO to automatically
notify Counterintelligence Division and Personnel Security
Division, via a system generated e-mail, of
infractions/violations that require immediate CI and/or
personnel security attention. The database also enables both
OS&CI management as well as individual PSOs to track and analyze
trends linked to the various categories of security
infractions/violations.
56. Security Education and Training:
OS&CI works closely with PSOs, Counterintelligence personnel,
and the Integrated Self Assessment Program to determine any
trends or specific areas that need an additional educational
awareness campaign. Security communications are then targeted,
utilizing large scale efforts, per a topic area and audience for
best impact results. The NRO is adding additional
classification management questions to the Annual Security
Refresher to better satisfy the derivative classification
training requirement. OCAs complete yearly training provided by
NRO/OS&CI/Policy Branch with direct knowledge of current CAPCO
guidelines.
57. Management and Oversight:
The NRO has a very mature Security management and oversight
program. Over the past FY, much greater emphasis has been
placed on ensuring all sites and facilities accomplished the
self-assessments and submitted the findings to the Government
within the mandated time requirements. This improved management
oversight has made an impact. Our self-inspection program
coupled with security officer visits, and formal team
assessments provide managers a report card on the health of our
security programs. When negative trends are identified,
managers from across industry and the Government develop
corrective action plans to reverse the trends and ensure
security requirements are met. Impacts are being felt to
overall security programs due to reductions in security
resources. While security requirements are increasing,
especially in the area of information systems management,
resources are being reduced. Additionally, some sites assessed
have made decisions not to fully comply with a security
requirement because of resource constraints.

coderman
2015-10-10 04:13:15 UTC
Permalink
$115 for responsive docs from FBI regarding FLIR equipment:
https://www.muckrock.com/foi/united-states-of-america-10/flirwhere-18875/

"Any and all SKUs, Contracts, Invoices, Receipts, Billing Numbers,
Agreements, PO Numbers, Billable Hours, Consulting Relationships, for
any services or goods associated with FLIR Corporation (on web as
flir.com), to include technologies such as "Thermal Security Cameras",
"Visible-Light CCTV Cameras", "Lorex", "Airborne Systems", "Maritime
Systems", "Land Systems", "Tactical Vision", and "Unmanned Systems".
Please include processing notes in response to this request, even if
denied in part; thank you!"

might this be the first request with fees required? stay tuned for:
Thread Next >>
coderman
2015-10-13 03:38:36 UTC
Permalink
Post by coderman
https://www.muckrock.com/foi/united-states-of-america-10/flirwhere-18875/
sent $105 through MuckRock itself in response to fee request for PON info:
'''
Any and all records, including cross-references and indirect mentions,
including records outside the investigation main file pertaining to
Passive Optical Network (PON) technical surveillance, including Fiber
To The Premises (FTTP) and Fiber To The Home (FTTH) technologies as
well as "Metro Ethernet" over Optical Fibre. PON types explicitly to
include BPON, or broadband PON; GPON, or gigabit-capable PON; GPON, or
gigabit-capable PON based on IEEE 802.3ah or IEEE 802.3av. Internal
records and research projects are in scope of this request. This is
explicitly to include a count of PON technical surveillance capable
devices owned, leased, or otherwise in use by the Bureau. Requested
search to include each of the following record stores and interfaces:
the Central Records System (CRS), the Automated Case Support system
("ACS") Investigative Case Management system ("ICM"), the Automated
Case Support system ("ACS") Electronic Case File ("ECF"), and the
Automated Case Support system ("ACS") Universal Index ("UNI"). I also
request a search of "ELSUR", the database containing electronic
surveillance information, for any and all records or activities
related to PON surveillance technology. Please include processing
notes, even if request is denied in part.
'''
https://www.muckrock.com/foi/united-states-of-america-10/ponpwn-20309/


still no acceptance of the prior record $115 for FLIR tech @FBI.


the journey continues...
Shelley
2015-10-13 03:46:52 UTC
Permalink
Post by coderman
Post by coderman
https://www.muckrock.com/foi/united-states-of-america-10/flirwhere-18875/
'''
Any and all records, including cross-references and indirect mentions,
including records outside the investigation main file pertaining to
Passive Optical Network (PON) technical surveillance, including Fiber
To The Premises (FTTP) and Fiber To The Home (FTTH) technologies as
well as "Metro Ethernet" over Optical Fibre. PON types explicitly to
include BPON, or broadband PON; GPON, or gigabit-capable PON; GPON, or
gigabit-capable PON based on IEEE 802.3ah or IEEE 802.3av. Internal
records and research projects are in scope of this request. This is
explicitly to include a count of PON technical surveillance capable
devices owned, leased, or otherwise in use by the Bureau. Requested
the Central Records System (CRS), the Automated Case Support system
("ACS") Investigative Case Management system ("ICM"), the Automated
Case Support system ("ACS") Electronic Case File ("ECF"), and the
Automated Case Support system ("ACS") Universal Index ("UNI"). I also
request a search of "ELSUR", the database containing electronic
surveillance information, for any and all records or activities
related to PON surveillance technology. Please include processing
notes, even if request is denied in part.
'''
https://www.muckrock.com/foi/united-states-of-america-10/ponpwn-20309/
the journey continues...
Oh good job coderman, I'll be very interested to see how much of the PON
info is redacted. It's such BS that they can charge that much to get
digital copies of records that we've already paid for with our taxes.

-S
coderman
2015-10-13 20:50:57 UTC
Permalink
NSA sent a Glomar for merely a count of P25 radios:
'''
Count of the number of P25 capable radio units or systems in use by,
or owned, or leased, or otherwise utilized by the agency. This
includes any of the Motorola ASTRO APX P25 portables, Vertex Standard
P25 portables, ICOM P25 portables, RELM Wireless P25 portables,
Motorola MOTOTRBO DMR radios, and Mobile P25 Radios. This includes any
P25 Phase 1 and Phase 2 capable radios. Please include yearly
break-down by radio model, if available. Please include processing
notes for this request, even if denied in part.
'''
https://www.muckrock.com/foi/united-states-of-america-10/p25count-20176/

NSA continues to exhibit oversight avoidance competence beyond most
other agencies. :)


best regards,
grarpamp
2015-10-15 22:12:41 UTC
Permalink
Post by coderman
Passive Optical Network (PON) technical surveillance, including Fiber
PON's are like DOCSIS systems... if the last mile is encrypted, a simple
letter to the patriots at the headend gets you what you want. If not,
a simple tap in the field will do... for which there's no reason for that
laborious expense, see letter above.
Post by coderman
well as "Metro Ethernet" over Optical Fibre.
Similarly open and insecure.
coderman
2015-10-16 03:10:18 UTC
Permalink
Post by grarpamp
...
PON's are like DOCSIS systems... if the last mile is encrypted, a simple
letter to the patriots at the headend gets you what you want. If not,
a simple tap in the field will do... for which there's no reason for that
laborious expense, see letter above.
field taps avoid due process :)

Post by grarpamp
Post by coderman
well as "Metro Ethernet" over Optical Fibre.
Similarly open and insecure.
indeed.

best regards,
coderman
2015-10-18 23:47:51 UTC
Permalink
new one per Twitter censorship drama:
"Legal authorities, processes, procedures for National Security
related activities to suppress, obscure, or remove social media
content posted to Twitter.com as text, image, video, or links to any
of same in a Tweet. This is explicitly to include responsive materials
related to such activities against foreign individuals vs. US citizens
as determined by Internet Protocol (IP) address of request (domestic
vs. foreign IPv4 or IPv6) or by metadata associated with the Twitter
account."

https://www.muckrock.com/foi/united-states-of-america-10/tweetdevnull-21887/
to Department of Justice, National Security Division of the United
States of America.


best regards,
coderman
2015-10-27 22:41:23 UTC
Permalink
the NSA has one FOIA Reading Room,
and it is located at:

National Cryptologic Museum
8290 Colony Seven Road
Annapolis Junction, MD 20701

https://www.muckrock.com/foi/united-states-of-america-10/freelyreadingrainbowed-21893/
coderman
2015-10-29 22:22:25 UTC
Permalink
the Department of Homeland Security operates 163 SCIFs with a total
400,000 sq. feet of work area.

https://www.muckrock.com/foi/united-states-of-america-10/activeareadenied-21346/

(ignore the mis-chan :)
coderman
2015-11-02 07:38:21 UTC
Permalink
new queries regarding classification guides; seeking to collect the whole set!

Count of the number of Classification Guides produced by Original
Classification Authorities (OCAs) on behalf of the Attorney General
within the DoJ per Executive Order 13526- Original Classification
Authority. Please provide a count of classification guides in use by
the Department for the years 2010 through 2015, inclusive, as
available. Thank you!
- https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22194/

Count of the number of Classification Guides produced by Original
Classification Authorities (OCAs) on behalf of the Secretary of
Homeland Security within the Department per Executive Order 13526-
Original Classification Authority. Please provide a count of
classification guides in use by the Department for the years 2010
through 2015, inclusive, as available. Thank you!
- https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22195/

Count of the number of Classification Guides produced by Original
Classification Authorities (OCAs) on behalf of the Director of the
Central Intelligence Agency (CIA) per Executive Order 13526- Original
Classification Authority. Please provide a count of classification
guides in use by the Agency for the years 2010 through 2015,
inclusive, as available. Thank you!
- https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22196/

Count of the number of Classification Guides produced by Original
Classification Authorities (OCAs) on behalf of the Secretary of State
within the Department per Executive Order 13526- Original
Classification Authority. Please provide a count of classification
guides in use by the Department for the years 2010 through 2015,
inclusive, as available. Thank you!
- https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22197/

Count of the number of Classification Guides produced by Original
Classification Authorities (OCAs) on behalf of the Secretary of
Defense per Executive Order 13526- Original Classification Authority.
Please provide a count of classification guides in use by the
Department for the years 2010 through 2015, inclusive, as available.
Thank you!
- https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22198/

Count of the number of Classification Guides produced by Original
Classification Authorities (OCAs) on behalf of the Executive Office of
the President per Executive Order 13526- Original Classification
Authority. Please include Classification Guides produced on behalf of
The Assistant to the President and Chief of Staff, The Assistant to
the President for National Security Affairs (National Security
Advisor), The Assistant to the President for Homeland Security and
Counterterrorism, The Director of National Drug Control Policy, The
Director, Office of Science and Technology Policy, The Chair or
Co-Chairs, President's Intelligence Advisory Board within scope of
this request for count of all Classification Guides produced on behalf
of the Executive Office of the President. Please provide a count of
classification guides in use by the Department for the years 2010
through 2015, inclusive, as available. Thank you!
- https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22199/

Count of the number of Classification Guides produced by Original
Classification Authorities (OCAs) on behalf of the Secretary of Energy
within the Department per Executive Order 13526- Original
Classification Authority. Please provide a count of classification
guides in use by the Department for the years 2010 through 2015,
inclusive, as available. Thank you!
- https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22200/

Count of the number of Classification Guides produced by Original
Classification Authorities (OCAs) on behalf of the Director of
National Intelligence within the Department per Executive Order 13526-
Original Classification Authority. Please provide a count of
classification guides in use by the Department for the years 2010
through 2015, inclusive, as available. Thank you!
- https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22201/


best regards,
coderman
2015-11-02 13:56:45 UTC
Permalink
interesting response,
first time ever a request has been deemed "less complicated" ! :)

"We have a large backlog, our current administrative workload is 1,497
open requests. Included among these open cases are requests which are
less complex than others, such as your request. "
- https://www.muckrock.com/foi/united-states-of-america-10/brightzenith-21350/
coderman
2015-11-04 09:57:23 UTC
Permalink
DoD OIG tried to refuse my request through a creative interpretation.

i have appealed:

'''
I am fascinated and impressed by your interpretation of my request,
such that "Your request does not seek access to records, but FOIA
reading rooms.". Please let me be clear. I am not seeking access to
FOIA reading rooms. I am not seeking activity records regarding FOIA
reading rooms.

In fact, the only information I am requesting is FOIA reading room
metadata - E.g. their number, and their location.

I hereby appeal this refusal to grant my request. Thank you!
'''
- https://www.muckrock.com/foi/united-states-of-america-10/freelyreadingrainbowed-21891/
coderman
2015-11-04 15:22:42 UTC
Permalink
new request regarding declassified information:
'''
A list of sites, repositories, indexes, or other responsive materials
regarding linkage and effective utilization of existing agency
databases of records that have been declassified and publicly
released, as required to be maintained by the Director of the
Information Security Oversight Office. Please also provide a list of
agency heads providing this information to or on behalf of the
Director of the Information Security Oversight Office as required by
Executive Order 13292. Thank you!
'''
- https://www.muckrock.com/foi/united-states-of-america-10/naradumps-22249/
coderman
2015-11-07 00:51:32 UTC
Permalink
DEA responded with the least useful docs first,
https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18710/#file-61105

and wants $240 for the rest.
yet they closed the request to further thwart my ability to pay for it!
:o

'''
Any and all SKUs, Contracts, Invoices, Receipts, Billing Numbers,
Agreements, PO Numbers, for any services or goods purchased from
Boeing Corporation, including third party contract hours for training
or related services, regarding hardware to include Digital Signal
Processing (DSP) or Cell-site Simulators or Software Defined Radio
(SDR) base-stations, or Stingray-like pen/trace-trap devices, or other
radio surveillance technology, including technology formerly produced
by Digital Receiver Technology, Inc., also known as DRT Systems, now
part of Boeing, known to include the DRTBox, or DirtBox, or DirtBoxes
surveillance gear. Please include antenna systems and cable hardware,
as part of the radio systems to report on.
'''
coderman
2015-11-07 02:27:10 UTC
Permalink
Post by coderman
DEA responded with the least useful docs first,
https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-18710/#file-61105
and wants $240 for the rest.
yet they closed the request to further thwart my ability to pay for it!
:o
so,
'''
For the year 2014, either placed or completed, records including any
and all SKUs, Contracts, Invoices, Receipts, Billing Numbers,
Agreements, PO Numbers, for any hardware purchased from Boeing
Corporation technology such as Cell-site Simulators or Software
Defined Radio (SDR) base-stations, or Stingray-like pen/trace-trap
devices, or other radio surveillance technology, including technology
formerly produced by Digital Receiver Technology, Inc., also known as
DRT Systems, now part of Boeing, known to include the DRTBox, or
DirtBox, or DirtBoxes surveillance gear. Please EXCLUDE antenna
systems, software upgrades, or other ancillary components of these
primary systems - only primary technology items / invoices /
technology of interest per this request.
'''
- https://www.muckrock.com/foi/united-states-of-america-10/mindrtbeboeingbox-22286/

2013 - https://www.muckrock.com/foi/united-states-of-america-10/mindrtbeboeingbox-22287/

2012 - https://www.muckrock.com/foi/united-states-of-america-10/mindrtbeboeingbox-22288/
coderman
2015-11-10 11:15:22 UTC
Permalink
new request:
'''
This is a request under the Freedom of Information Act. I hereby
request the following records:

Mission statements, objectives, and staffing counts for each of the
following Naval Research Laboratories in the Information Technology
Division:
• Freespace Communications Testbed
• Mobile Robot Laboratory
• Audio Laboratory
• Mobile Network Modeling Laboratory
• Integrated Communications Technology Test Laboratory
• General Electronics Environmental Test Facility
• Cognitive Radio Test Bed
• Key Management Laboratory
• Cryptographic Technology Laboratory
• Navy Cyber Defense Research Laboratory
• Wireless Security Laboratory
• Navy Shipboard Communications Testbed
• Virtual Reality Laboratory
• Visual Analytics Laboratory
• Immersive Simulation Laboratory
• Warfighter Human-Systems Integration Laboratory
• Motion Imagery Laboratory
• Global Information Grid and Advanced Networking Facility
• Large Data Research Laboratory
• Affiliated Resource Center for High Performance Computing
• Ruth H. Hooker Research Laboratory
'''
- https://www.muckrock.com/foi/united-states-of-america-10/navystockedlabs-22309/
Juan
2015-11-10 21:39:30 UTC
Permalink
On Tue, 10 Nov 2015 03:15:22 -0800
Post by coderman
'''
This is a request under the Freedom of Information Act. I hereby
So coderman, you've been doing this for months. What useful
information have your masters graciously given you so far?
coderman
2015-11-10 22:19:49 UTC
Permalink
Post by Juan
...
So coderman, you've been doing this for months. What useful
information have your masters graciously given you so far?
the full retrospective at 1yr mark in January, however, useful aspects so far:

- wide variety of requests and processing activity, which is useful
for discerning aspects of FOIA processing at agencies of interest.

- learned indicators of obfuscation or delay, which in turn is signal
to dig deeper, aggressively appeal and follow up.

- used specific requests as leverage to open up additional
information. E.g. the laser specific "Count of Kingfish devices" which
returned counts, while purchase orders and other details around
Stingrays and cell site simulators in general get a Glomar.

- other tidbits of varying interest. E.g. the multiple MuckRock
articles making use of my responsive documents.


[ all this in turn useful for sekrit $full_auto_FOIA project :]



that answer your question?
grarpamp
2015-11-10 22:28:34 UTC
Permalink
Post by coderman
- learned indicators of obfuscation or delay, which in turn is signal
Metadata often more useful than data.... classic.
Post by coderman
[ all this in turn useful for sekrit $full_auto_FOIA project :]
Tensor tentacles reaching out from bigdata to give warm fuzzies.
Juan
2015-11-10 23:42:34 UTC
Permalink
On Tue, 10 Nov 2015 14:19:49 -0800
Post by coderman
Post by Juan
...
So coderman, you've been doing this for months. What useful
information have your masters graciously given you so far?
the full retrospective at 1yr mark in January, however, useful
- wide variety of requests and processing activity, which is useful
for discerning aspects of FOIA processing at agencies of interest.
f1 { so you got information regarding how the
information-denying bureaucracy works? }
Post by coderman
- learned indicators of obfuscation or delay, which in turn is signal
to dig deeper, aggressively appeal and follow up.
f1 ()
Post by coderman
- used specific requests as leverage to open up additional
information. E.g. the laser specific "Count of Kingfish devices" which
returned counts, while purchase orders and other details around
Stingrays and cell site simulators in general get a Glomar.
I can't say if that is surprising or not surprising.
Post by coderman
- other tidbits of varying interest. E.g. the multiple MuckRock
articles making use of my responsive documents.
[ all this in turn useful for sekrit $full_auto_FOIA project :]
that answer your question?
Sort of. Thanks ;)
coderman
2015-11-10 23:47:17 UTC
Permalink
Post by Juan
...
Post by coderman
- wide variety of requests and processing activity, which is useful
for discerning aspects of FOIA processing at agencies of interest.
f1 { so you got information regarding how the
information-denying bureaucracy works? }
exactly. for example, it used to be you could request "Processing
Notes" for a request, and this metadata about processing the request
was handed over as dry and useless.

now they refuse all requests for processing notes, and you must always
appeal. this is done because some of the proc notes showed how
responsive documents were "overlooked" conveniently by special
interpretation of the request. E.g. their bullshit got caught out :)
Post by Juan
Post by coderman
- learned indicators of obfuscation or delay, which in turn is signal
to dig deeper, aggressively appeal and follow up.
f1 ()
this might be delays, making you wait for responsive documents until
after "public interest" has waned. or your interest, for that matter.

or it might be undercover feds in crown vics following you around ridiculously.

or it gets bounced around a few FOIA people inside the agency to find
the best way to provide the least information.

or ...



last but not least, i also learned it is near impossible to use
MuckRock for personal Privacy Act requests about your person. still
need to re-submit with legal counsel...


best regards,
coderman
2015-11-15 19:28:44 UTC
Permalink
this reply from the NRO:
https://www.muckrock.com/foi/united-states-of-america-10/eeeieeeohorder-21368/#file-61919

is probably the most informative read on classification process i've
enjoyed in years!
coderman
2015-11-16 10:13:22 UTC
Permalink
new request:
'''
A list of all "Experimental Radio Licenses" granted for the years 2010
through 2015, inclusive. Please include any "Special Conditions" with
each identified license. Please include "Program Experimental
Licenses" as well as "Conventional Experimental Licenses" when
considering records responsive to this request.
'''
- https://www.muckrock.com/foi/united-states-of-america-10/experimentalwavesradio-22404/
coderman
2015-11-16 10:41:54 UTC
Permalink
last one for this month:
'''
Reports of deployment / use of the US Secret Service Presidential
RF-countermeasures Suburban during escort of POTUS or any other active
use. Maryland License Plate: 05567M6 as example vehicle in class
"RF-countermeasures Suburban". Please include incident reports
utilizing special RF countermeasure technologies in response to
perceived or sensed threats. Please include records for years 2008
through 2015, inclusive. See also
Loading Image...
for additional information relevant to this request.
'''
- https://www.muckrock.com/foi/united-states-of-america-10/radioactivitydenied-22405/
grarpamp
2015-10-19 23:14:14 UTC
Permalink
Cecil D. Andrus, a Democrat, was elected governor of Idaho four
times—in 1970, 1974, 1986, and 1990—and served as US Secretary of the
Interior under President Carter.

I have been involved in government at the state and federal level for
a long time and have had my share of political and legal run-ins with
government agencies, but rarely in more than 50 years in politics have
I encountered a government agency more committed to secrecy—perhaps
even deception—than the US Department of Energy.

Most citizens of my state know that, since last January, former
Republican Governor Phil Batt and I have been raising questions about
a plan by the US Department of Energy to bring additional shipments of
commercial spent nuclear fuel to the Idaho National Laboratory in
eastern Idaho for “research.”

http://thebulletin.org/holding-department-energy-accountable-idaho8807
coderman
2015-10-19 23:42:54 UTC
Permalink
Post by grarpamp
Cecil D. Andrus, a Democrat, was elected governor of Idaho four
times—in 1970, 1974, 1986, and 1990—and served as US Secretary of the
Interior under President Carter.
I have been involved in government at the state and federal level for
a long time and have had my share of political and legal run-ins with
government agencies, but rarely in more than 50 years in politics have
I encountered a government agency more committed to secrecy—perhaps
even deception—than the US Department of Energy.
yup; DoE full of guilty hands. still need to dig into Rocky Flats
plant in Colorado, and the Plutonium catastrophe covered up ever
since...


best regards,
coderman
2015-12-03 01:21:21 UTC
Permalink
remember this one? the four carefully crafted retorts?
Post by coderman
...
FBI claiming privacy interest to refuse ALL of my FOIA regarding the
https://www.muckrock.com/foi/united-states-of-america-10/freedmitry-21209/
this is my first attempt to argue compelling public interest against a
privacy exemption,
it is as follows;
Please recognize the public interest in this request for responsive
First and foremost, extensive media attention during this period was
generated due to the intersection of "hacking" and "reverse
engineering" combined with the DMCA provisions deeming some
technologies illegal at interest to the information technology
industry as a whole. This reason alone is sufficient and compelling
justification for transparency in a watershed case, however, I shall
continue.
Second, this case involved not a US citizen, but a foreign national.
As has recently been scoured in the technical press, Wassenaar with its
incumbent BIS obligations has brought discussion of the risks
foreigners face visiting the EU and US, in addition to US citizens
abroad who now find themselves subject to severe technical controls
due to their industry participation. I feel that surely this must
provide beyond sufficient justification for public interest in
documents responsive to this request, yet I shall continue to exhaust
the relevant perspectives in my quiver of inquiry.
Thus thirdly, the conference venue, DEF CON security conference,
itself of notoriety and high esteem in the technical community, was
the operating domain for the closing moves of this investigation. The
logistics and technical considerations for operating in this domain
thus also compounds the public interest in the activity for which the
records responsive to this request have been requested.
Fourthly, and there is a fourthly for sure, the activities undertaken
by the agency were at risk of alienating a talent pool the Bureau has
increasingly courted and pursued for their invaluable skills in
digital forensic analysis, reverse engineering, and information
security. Balancing actions before a critical group who also interacts
frequently with the agency, and from whom the Bureau itself draws
professional talent, amplifies the interest and relevance of this
inquiry, and the need for unrestrained transparency when identifying
documents responsive to this request.
Lastly and finally, yet not to diminish the inherent privacy rights
afforded to all earth humans, inalienable, with justice for all, the
privacy rights which this agency has cited in justification for
limiting the documents responsive to this request, please note that
the privacy exemptions provided by law are specific and limited to
situations where there is a compelling personal privacy interest. The
agency has not provided any compelling privacy interest on behalf of
the fine Mr. Sklyarov, and his foreign status removes the common
privacy concerns of an individual within a domestic community at issue
in responsive documents. It is fully reasonable, per Department of
Justice v. Reporters Committee for Freedom of the Press, that the FBI
may provide documents detailing "what they were up to" in this
investigation, without undue burden on the privacy rights of a foreign
citizen briefly visiting to attend a public conference in the United
States.
Please do recognize and acquiesce to the public interest so broadly in view.
it worked, flawlessly!

see attached response with minimal redactions:
https://www.muckrock.com/foi/united-states-of-america-10/freedmitry-21209/#comm-204252


best regards,
rysiek
2015-12-05 15:09:17 UTC
Permalink
Post by coderman
remember this one? the four carefully crafted retorts?
(...)
it worked, flawlessly!
Congratulations! :)
--
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
coderman
2015-12-10 07:31:57 UTC
Permalink
a most recent Glomar:

"Disclosure timeline and decision making rationale for disclosure of
vulnerability MS14-066 / CVE-2014-6321 - "Vulnerability in Schannel
Could Allow Remote Code Execution (2992611)" to Microsoft Corporation
as part of the Vulnerabilities Equities Process. Please include
timeline for initial discovery with source of discovery, first
operational use, and finally, date for vendor notification."
- https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustagency-22289/

"The request has been rejected, with the agency stating that it can
neither confirm nor deny the existence of the requested documents."
- https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustagency-22289/#comm-209022


i will discover how they stole this vuln... one day!


best regards,
coderman
2015-12-10 11:54:12 UTC
Permalink
Post by coderman
"Disclosure timeline and decision making rationale for disclosure of
vulnerability MS14-066 / CVE-2014-6321 - "Vulnerability in Schannel
Could Allow Remote Code Execution (2992611)" to Microsoft Corporation
as part of the Vulnerabilities Equities Process. Please include
timeline for initial discovery with source of discovery, first
operational use, and finally, date for vendor notification."
-
https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustagency-22289/
"The request has been rejected, with the agency stating that it can
neither confirm nor deny the existence of the requested documents."
-
https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustagency-22289/#comm-209022
reply(appeal):
'''
I reject and demand appeal of your rejection of this request.

First and foremost, please recognize that the GSF Explorer, formerly
USNS Hughes Glomar Explorer (T-AG-193), for which this Glomar response
is so named, was a purely military operation, using custom-built
military equipment, on an exceptionally sensitive military mission to
recover military equipment. Observe that the "Vulnerabilities Equities
Process" is a public outreach activity communicating with third party
partners, acting in the public interest regarding software used by
public citizens and business alike - a scenario at opposite ends and
means from which this denial blindly overreaches.

Second, observe that existing precedent supports the release of
materials responsive to this request. In American Civil Liberties
Union v. Department of Defense Case No: 04-CV-4151 (ACLU v. DoD) the
courts have affirmed the public interest as compelling argument for
favoring the public interest against clearly military efforts. The
Glomar denial should be well targeted; this targeted falls well
outside of the "Vulnerabilities Equities Process", which is a
public outreach activity communicating with third party partners,
acting in the public interest, regarding software used by public
citizens and business alike.

Third, consider that it is a well established technique in the
information security industry to identify the origin and nature of a
defect discovery and disclosure timeline. This information is used for
myriad of secondary research, analysis, and automation efforts
spanning numerous industries. The utility of disclosure timeline
information and context has decades of rich support and strong
evidence of public interest benefit, particularly regarding long
reported and fixed defects, such as this one, which has patches
available for over a year.

Fourth, observe that every hour of expert opinion coupled with legal
review amounts to a non-trivial expenditure of hours which are a sunk,
throw away cost of FOIA communication. While as a taxpayer I
appreciate the service of FOIA professionals such as those involved in
this request, who provide tireless effort to all the hundreds of millions
of US citizens, my personal cost should be recognized. For this reason
a deference in favor of public interest and disclosure is well
supported for this request regarding the "Vulnerabilities Equities
Process", which is a public outreach activity communicating with third
party partners, acting in the public interest, regarding software used
by public citizens and business alike.

Thank you for your time, and best regards,
'''
- https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustagency-22289/#comm-209748
Ryan Carboni
2015-12-24 22:41:46 UTC
Permalink
https://en.wikipedia.org/wiki/Inslaw#Inslaw_Affair_divides_into_two_separate_issues

Clearly you should make a request for the source code for the Promis
software as used by the FBI. It's public domain.
jim bell
2015-12-24 23:00:48 UTC
Permalink
Make sure you ask for it in computer-readable format. Otherwise, some joker might send it to you on paper.

Jim Bell


Michael Best
2015-12-24 23:04:41 UTC
Permalink
Let me know if you do, I've spent a lotta time with the case. For instance, not many people know there are several versions of the software that might be FOIA-able from different agencies.

coderman
2015-12-28 09:24:27 UTC
Permalink
new requests,
'''
The number (quantity) of documents, guidelines, instructions, manuals,
process documents or related materials regarding activities authorized
by Executive Order 12,333. See
http://www.archives.gov/federal-register/codification/executive-order/12333.html.
If activities are performed under multiple authorities, including E.O.
12333 and Section 215 of the Patriot Act, or Section 702 of the
Foreign Intelligence Surveillance Act Amendments Act (FAA), please
consider them in scope of this request for count of E.O. 12.333
materials. Please note that the documents themselves are not requested
- merely the existence / revision count of unique responsive
documents. If the count of responsive documents is cumbersome to
provide, the first page of each responsive document, redacted as
necessary, is requested instead. This allows equivalent count via ls
piped to wc -l. Thank you!
'''

to FBI:
https://www.muckrock.com/foi/united-states-of-america-10/12threethreethree-23077/

to DoJ : NatSec Div.:
https://www.muckrock.com/foi/united-states-of-america-10/12threethreethree-23079/

to NSA:
https://www.muckrock.com/foi/united-states-of-america-10/12threethreethree-23078/



best regards,
coderman
2015-12-28 09:37:51 UTC
Permalink
even more requests!

'''
The URL or URI or PATH of each source code repository operated,
archived, used by, or accessed on behalf-of the Bureau. This is to
include source code repositories in the RCCS, CVS, Subversion (Svn),
Git, Mercurial (Hg), Bazaar (Bzr), Darcs, BitKeeper, ClearCase, or any
other source code control system. Please provide current revision
count and rough-level storage amount consumed for each responsive
repository above, as available.
'''

to FBI:
https://www.muckrock.com/foi/united-states-of-america-10/codeylala-23080/

to NSA:
https://www.muckrock.com/foi/united-states-of-america-10/codeylala-23081/

to DHS:
https://www.muckrock.com/foi/united-states-of-america-10/codeylala-23082/


:P
coderman
2015-12-28 09:51:34 UTC
Permalink
end of 2015 requests!! :)

'''
Requests, orders, configuration requirements, technical manuals and
any other responsive materials regarding "lawful intercept" of
cellular communications, specifically LTE, CDMA, or GSM
communications, requesting specific service levels during intercept,
including "baud rate match" terminology, "channel rate match",
"CBR-channel", "Fixed-bandwidth channel", and "Constant rate channel"
terms indicating override of default network operator capacity
provisioning during content collection. Specific requested rates or
channel capacities include "0.5G", "1/2G", "half-G", "1.5G", "GPRS",
"1xRTT", or "SMS-Only" service capacities. Records requested under any
authority in scope of this request - focus is on technology rather
than statutory authorization enabling collection.
'''

to DoJ:
https://www.muckrock.com/foi/united-states-of-america-10/degradedowngradedualfade-23083/

to FBI:
https://www.muckrock.com/foi/united-states-of-america-10/degradedowngradedualfade-23084/


until next year, FOIA fans :)
and best regards,
coderman
2015-12-29 10:29:36 UTC
Permalink
Post by coderman
end of 2015 requests!! :)
this makes 254 requests for my first MuckRock year.

another data point, FOIA is a slow burn:
117 requests were updated in December alone!
- https://www.muckrock.com/foi/mylist/?page=1&per_page=100&sort=date_updated&order=desc


longer write up requires code, of course,
till then!
coderman
2015-12-30 15:34:58 UTC
Permalink
interesting rejection technique on this one:
first, reply with status of "Request received and being processed"
one month after submission. Aha! inside is a Glomar rejection.
.
.
.
wait FIVE MONTHS
.
.
'This email pertains to the automated status of case FOIA 81798. Our
records indicate that a final response was mailed to you on 14 August
2015 and the case was then closed. We have no further updates or
information to provide you concerning this case.'


nice trick, NSA!
- https://www.muckrock.com/foi/united-states-of-america-10/backhack-19811/#comm-213773


best regards,


and believe me, i will discover FOIA satisfaction for Any and all
records, reports, tasking, mitigations, redesigns, post-mortems, and
any other responsive materials related to compromise of "Tor" and/or
"Tor Browser Bundle" and/or "Tor Vidalia Bundle" leading to breach of
NSANet, JWICS, SIPRNet, and also including joint activities with
access to FBINet and SCION where compromise of Tor resulted in
attacker attaining access to, or potentially gaining access to these
networks. Note that Tor may be incorrectly capitalized as "TOR";
please do a case insensitive search. Specific date of compromise is
between July 30th 2007 and Aug. 2nd 2007; date provided to aid search
efforts. CVE assigned to vulnerability is CVE-2007-4174 and provided
to aid search efforts. Subject announcing vulnerability is "Tor
security advisory: cross-protocol http form attack" and provided to
aid search efforts. Please include results spanning the Cryptologic
Services Groups, the National Security Operations Center (NSOC), the
Information Assurance Directorate, the Research Associate Directorate,
the Signals Intelligence Directorate, the Technology Directorate, the
NSA/CSS Threat Operations Center (NTOC), and the Office of the
Director, including Staff. Search of Covert Network Access
technologies employed by Special Intelligence (SI) programs contained
within compartmented access constraints is specifically requested,
including QUANTUMTHEORY and related covert programs requiring covert
Internet access. Please provide processing notes for this request,
even if denied in part.

yes, yes i will...
Rayzer
2016-01-05 03:37:06 UTC
Permalink
Twitter: @JasonLeopold
https://twitter.com/JasonLeopold/status/684199158182494214
FBI just sent me its file on Hugo Chavez, which consists of 739 blank
pgs, in response to my 2013 #FOIA. Everything w/h & referred to OGA
w/h, withheld. OGA, 'Other Government Agency' is a euphemism for the
Central Intelligence Agency.


Need another laugh?
"Associated Press reporter Matt Lee laughs at a US State Department
Spokesperson’s contention the U.S. is NOT involved in the recent
Venezuelan coup attempt"
http://auntieimperial.tumblr.com/post/113693156429\
“I’m sorry. Whoah, whoah, whoah. The US has a long-standing practice
of not promoting ... [coups] – how long-standing would you say?”
...is priceless:

RR

grarpamp
2015-12-28 22:01:52 UTC
Permalink
Post by coderman
provide, the first page of each responsive document, redacted as
Provide 12th page of every document containing the words "coderman",
or "I2P", or phrase 'damn these punks'.
Post by coderman
The URL or URI or PATH of each source code repository operated,
Giving them more leftfield wtf's they have to answer every week, love it.
coderman
2015-08-11 23:14:39 UTC
Permalink
the FBI FOIA for "Sudden unintended acceleration (SUA)" was
silent-closed without notice end of July. this is an anomaly, and
indicates worth digging extensively into:
https://www.muckrock.com/foi/united-states-of-america-10/badaccel-19510/

"This request was closed 7-30-2015."


crafting new line of inquiries and extending requests to DoT as well...

best regards,
Post by coderman
for all of you driving vehicles with hundreds of global variables
around weird machines radio linked to strange networks,
https://www.muckrock.com/foi/united-states-of-america-10/badaccel-19510/
@FBI
Use of Sudden unintended acceleration (SUA) or Unintended acceleration
in the commission of a crime, including premeditated offenses of any
kind. Please include suspicion of Sudden unintended acceleration (SUA)
or suspicion of Unintended acceleration within the scope of this
request, even if alternate cause determined. This search is to include
any and all records, including cross-references and indirect mentions,
including records outside the investigation main file. This is to
include a search of each of the following record stores and
interfaces: the Central Records System (CRS), the Automated Case
Support system ("ACS") Investigative Case Management system ("ICM"),
the Automated Case Support system ("ACS") Electronic Case File
("ECF"), and the Automated Case Support system ("ACS") Universal Index
("UNI"). Please include processing notes, even if request is denied in
part. Please identify individuals responsible for any aspect of FOIA
processing in the processing notes, along with explanation of their
involvement if not typically assigned FOIA responsibilities for the
record systems above.
Softy
2015-05-11 17:36:09 UTC
Permalink
"- Sell our culture"
"- autonomy"

haha, that's a good one. Only a job recruiter could smile while spouting
nonsense like that.

-daniel


That already exists (clearancejobs.com and others). There are actually
tons of ads all over DC for these services, most notably the "Life of a
https://www.flickr.com/photos/clearancejobs/8634488049/in/photostream/
DC is a weird place sometimes.
coderman
2015-08-21 14:39:32 UTC
Permalink
Post by coderman
"you want me to consent to make my FBI file public? Are you fucking mad?"
- https://twitter.com/thegrugq/status/563036665837789184
the FBI requests have been informative.

i have observed what i call the "sly close" at work, which i hope to
expand on further.

this involves requesting DoJ-361 documentation for a request,
"A fix is required to perfect the request."

then the request immediately goes into
"A no responsive documents response."
when documents are sent / receipt of delivery confirmation provided.

this is anomalous because a proper request goes into "An
acknowledgement letter, stating the request is being processed."
for some period before reaching a final state.


i will have to sue to get my docs, or force them to bring charges? one
conjecture is that active investigations get sly close, not just past
files with unflattering contents...


best regards,
innocentman who did not participate in the heist crimes with CHAPPiE!
coderman
2015-08-21 14:44:32 UTC
Permalink
Post by coderman
...
then the request immediately goes into
"A no responsive documents response."
when documents are sent / receipt of delivery confirmation provided.
this is anomalous because a proper request goes into "An
acknowledgement letter, stating the request is being processed."
for some period before reaching a final state.
forgot to mention other variant:

no response until you ping them, seeking follow up, then discover:
"This request has been closed <prior date>. A no responsive documents
response."

which is anomalous because in every other instance the state
transitions do not skip to end without notification.


to FOIA more FBI FOIA workflow :P


best regards,
Ryan Carboni
2015-11-08 06:53:25 UTC
Permalink
http://www.dni.gov/files/documents/FOIA/DF-2015-00270.pdf

You're famous!
intelemetry
2015-11-09 05:48:05 UTC
Permalink
Just going to throw this out there for people who don't like dni and
cryptome pdf links:

http://view.samurajdata.se/
Post by Ryan Carboni
http://www.dni.gov/files/documents/FOIA/DF-2015-00270.pdf
You're famous!