As we continue to read through documents released on February 3 that collectively detail the intelligence community's efforts to implement Presidential Policy Directive-28, (PPD-28), we thought it would be helpful to overview briefly, and to compare. implementing documents issued by three agencies in particular: NSA, CIA, and FBI.

Overall, there is a great deal of overlap between the three agencies' implementation policies. But they differ from each other in interesting ways, both with regard to retention and dissemination of information, and with regard to permitted departures from general rules contemplated by the policies themselves.

A quick look at the three agencies' PPD-28 implementation materials follows below.

NSA

NSA's procedures for implementing PPD-28 are contained in USSID SP0018.

First things first. Unsurprisingly, departures from the general procedures set forth elsewhere in the document are authorized. Such deviations are permitted in "unanticipated or extraordinary circumstances" if the NSA Director or a designee, after consultation with ODNI, the National Security Division of the DOJ, and the Office of the Secretary of Defense, approves of the departure; or in emergency situations, at the sole behest of the NSA Director or the Director's senior representative present.

Next, the document describes the regulatory terrain on which it operates. Recognizing that sometimes legitimate intelligence activity may result in the acquisition of communications that contain personal information of non-U.S. persons, the document specifies that such information will either be regulated by FISA or, if FISA doesn't regulate the collection, by procedures described in the document itself.

USSID SP0018 also sets forth limits on bulk collection, consistent with the larger rules handed down in PPD-28. When the NSA collects nonpublic communications without the use of a "selection term"---for example, without a specific email address linked to a terrorist organization targeted for collection---that data may only be used to detect and counter espionage, terrorism, weapons of mass destruction, cybersecurity threats, threats to U.S. or allied armed forces and personnel, and "transnational criminal threats, including illicit finance and sanctions evasion" related to the previous items on the list. Those limits, however, do not apply to signals intelligence data "that is temporarily acquired to facilitate targeted collection."

Next, the NSA guidance discusses parameters for retention of collected data. Consistent with principles announced in the DNI's implementation report, a nonpublic communication that contains personal information about non-U.S. persons can be retained for up to five years, unless the DNI expressly certifies that continued retention is in the national security interests of the United States. There are four exceptions to this. The five year rule may be waived if the information is: (i) publicly available; (ii) related to an authorized foreign intelligence requirement; (iii) related to a crime that has been, is being, or is about to be committed, or (iv) indicates a threat to the safety of any person or organization, it can be retained indefinitely in original or transcribed form. (For analysis of the five year rule, see Carrie's February 4 post.)

Lastly, the document issues guidelines for dissemination of data. If intelligence containing personal information was obtained through the consent of a non-U.S. person, then it can be disseminated in accordance with the terms of their consent. If there is no consent, then signals intelligence containing personal information may be disseminated if it falls into any of the four categories listed in the prior paragraph about retention.

CIA