FAS Note: This NSA policy document was partially released under the Freedom of Information Act.



Issue Date: 20 March 2006



(U) This document establishes policy and procedures and assigns responsibilities for identifying unauthorized disclosures of classified NSA/CSS information appearing in the media and for communicating significant disclosures to NSA/CSS organizations, the Department of Defense, the Director of National Intelligence, and the Department of Justice. This policy implements References a-e.

(U) This policy addresses only unauthorized disclosures of classified NSA/CSS information that appear in the media.

(U) This policy does not address procedures and responsibilities subsequent to the determination that unauthorized media disclosures do not meet the criteria for significant disclosures. In those cases, the evaluating organizations may still have further internal or corporate obligations to pursue that are beyond the scope of this policy.

(U) This policy applies to all NSA/CSS elements worldwide.

Chief of Staff

Endorsed by
Director of Policy

(U) Annex - Questions Related to Potential Unauthorized Media Disclosures

DC36 (Archives)

(U) This Policy 1-27 supersedes portions of NSA/CSS Regulation 10-2, dated 23 November 1992, that relate to reporting significant unauthorized media disclosures of classified NSA/CSS information.

(U) OPI: Information Policy, DC32, 963-4582s.

(U) No section of this document shall be released without approval from the Office of Policy and Records, DC3.


1. (U) NSA/CSS shall identify unauthorized media disclosures of classified NSA/CSS information. In accordance with the procedures and responsibilities outlined below, significant media disclosures of NSA/CSS classified information shall be communicated to NSA/CSS organizations, the Department of Defense (DoD), the Director of National Intelligence (DNI), and the Department of Justice (DoJ).

2. (U) The determination that an unauthorized disclosure qualifies as a significant unauthorized disclosure shall be made by the Office of Policy and Records (DC3) and the Office of General Counsel (D2). Organizations with purview over disclosed information shall not make this determination.

3. (U//FOUO) Information associated with an unauthorized media disclosure shall be classified at the level of the disclosure. Until an actual classification level has been determined, references to potential unauthorized disclosures shall be protected as classified.

4. (U//FOUO) Indications or assessments of potential damage resulting from an unauthorized disclosure shall not be releasable to foreign countries or international organizations unless specifically directed otherwise by the Director, NSA/Chief, CSS (DIRNSA/CHCSS) or the Director of Policy and Records. Information regarding unauthorized disclosures of intelligence information shall be marked as NOFORN, and transmittal of any information regarding unauthorized disclosures shall employ special protections (e.g., encryption).


5. (U//FOUO) Upon discovery of a potential unauthorized media disclosure of classified NSA/CSS information, the organization with purview over the information shall notify the Office of Information Policy (DC32) and the OGC Litigation Practice Group (D28) via email with a courtesy copy to the Assistant Director for Security and Counterintelligence (Q07 and Q22). At this time, DC32 will issue a tracking number to the organization with purview over the information. The email shall include:

6. (U) If a potential unauthorized disclosure is discovered by an organization without purview over the information, the discovering organization shall inform DC32. DC32 will then contact the organization with purview over the information, providing a tracking number. That organization shall then be responsible for actions related to the potential unauthorized disclosure as described in this policy.

7. (U) Within two weeks of receipt of the tracking number, the organization with purview over the information shall provide the following information via Staff Processing Form (SPF) to DC32 and D28 with a courtesy copy to Q07 and Q22 (in cases where the disclosure is not textual or graphic in nature [e.g., videotape, CD, etc.] contact DC32 for format guidance):

8. (U) Upon receipt of the SPF with Tabs, DC32 and D28 shall determine if the disclosure meets the criteria for DoD and/or DNI notification, and/or reporting to DoJ. DC32 shall then inform the organization with purview over the information of the decision. For those disclosures not meeting the criteria, the organization may still have further internal or corporate obligations to pursue that are beyond the scope of this policy.

9. (U) DC32 shall inform the Associate Director for Security and Counterintelligence of the decision.

10. (U) For significant unauthorized media disclosures, DC32 shall prepare an SPF and a package for DIRNSA/CHCSS. For disclosures not in text or graphic format (videotape, CD, etc.), the information shall be conveyed in the SPF as determined by DC32. For significant disclosures in text or graphic format, the following information shall be provided in the SPF and package:

11. (U) Upon receipt of information on a significant unauthorized media disclosure that is determined to be reportable, the OGC (D2) shall prepare correspondence to DoJ and any other appropriate law enforcement organizations.

12. (U) DC3 shall notify the Foreign Affairs Directorate of any significant unauthorized media disclosure that impacts a foreign partner.


13. (U) Mission, Associate, and Principal Directorates shall:

14. (U) All NSA/CSS Components, including Extended Enterprise Organizations, and Service Cryptologic Elements, shall:

15. (U) The Office of Policy and Records (DC3) shall:

16. (U) The Office of General Counsel (D2) shall:

17. (U) The Corporate Communications Strategy Group (DC6), in its role as the media organization for NSA/CSS, shall monitor media for the purpose of identifying potential unauthorized disclosures of classified NSA/CSS information in the media and notify DC32.

18. (U//FOUO) The Foreign Affairs Directorate shall notify an NSA/CSS foreign partner that is impacted by a significant unauthorized disclosure only with DIRNSA/CHCSS or Chief, DC3 approval.


19. (U) References:


20. (U) Classified NSA/CSS Information -- Information that is classified pursuant to the standards of Executive Order 12958, as amended, or any predecessor order. It includes, but is not limited to, intelligence and intelligence-related information, sensitive compartmented information (information concerning or derived from intelligence sources and methods), and cryptologic information (information concerning communications security and signals intelligence, including information which is also sensitive compartmented information) protected by Section 798 of Title 18, United States Code.

21. (U) Media -- Any print, electronic, or broadcast outlet (including blogs) where information is made available to the general public.

22. (U) Need-to-know -- The determination by an authorized holder of classified information that a prospective recipient, with appropriate security clearance, requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.

23. (U) Significant Disclosure -- An unauthorized disclosure that is either extensive in scope, indicates pervasive breach of security procedures, or is otherwise likely to have a serious effect on national security interests. Examples include:

24. (U) Unauthorized Disclosure -- A communication or physical transfer of classified information to one or more persons who do not have the appropriate security clearance, access approval, and need-to-know to receive such information.


(U) Questions Related to Potential Unauthorized Media Disclosures

1. (U) What is the date and identity of the media item that is the subject of the unauthorized disclosure?

2. (U) Is the disclosed information accurate?

3. (U) What are the specific statements that are classified? What is the classification of each of the statements?

4. (U) What is the extent of official dissemination of the information that was disclosed?

5. (U) Has the disclosed information been the subject of a prior authorized official release?

6. (U) Has the disclosed information previously appeared in an open source publication? If yes, identify the publication and date of publication.

7. (U) Have any requests for publication or release (official or unofficial) of the information been made (for example, a FOIA request, a Demarche)? If yes, identify the requestor, date of the request, and disposition of the request.

8. (U) Has the information, portions thereof, or enough background data been published (officially or unofficially) that would allow someone to arrive at the information through speculation?

9. (U) What are the potential short-term and long-term impacts of the unauthorized disclosure?

10. (U) Have any declassification determinations been made regarding the disclosed information? If so, indicate the date, information declassified, and declassification authority.

11. (U) For unauthorized disclosures of Information Assurance-related information, does the unauthorized disclosure potentially put U.S. or allied communications at risk of adversary exploitation? What degree of difficulty could an adversary have in putting countermeasures in place?