The National Security Agency/Central Security Service (NSA) Office of the Inspector General (OIG) conducted this study to determine whether NSA’s implementation of controls for aging-off signals intelligence (SIGINT) data is compliant with law and policy.
Requirements for retention of SIGINT are established by statutes, minimization procedures, national and NSA policies, and court orders; they vary by authority. Together, these requirements establish data retention limits to protect civil liberties and individual privacy. In order to be compliant, NSA must ensure an adequate system of internal compliance controls has been implemented. Conversely, noncompliance could impact civil liberties and privacy protections and lead to constraints from overseers on NSA SIGINT authorities.
In this study, OIG focused on the effectiveness of age-off controls implemented in one of NSA’s largest SIGINT repositories to ensure data is retained only for the period of time authorized under legal and policy requirements.
In summary, OIG found:
- NSA’s primary content repository has retained a small percentage of the large number of SIGINT data objects beyond legal and policy retention limits in the two data stores tested. NSA has not fully implemented age-off calculations that use the most specific retention requirement with which data objects are labeled.
- Planned updates to NSA retention policy and legal and policy working aids have been delayed and do not incorporate all current law and policy.
- Current oversight must be strengthened if it is to ensure compliance with retention requirements.
- Implementation of age-off for some SIGINT collection authorities in some databases was not in compliance with NSA/CSS Policy Instruction 2-0001, Early Age-off Decisions for Unevaluated or Unminimized Signals Intelligence.
The OIG’s findings reflect significant risks of noncompliance with legal and policy requirements for retention of SIGINT data. These requirements include established minimization procedures for NSA SIGINT authorities, meaning that the deficiencies OIG identified have the potential to impact civil liberties and individual privacy. The Agency is making changes to its ingest validation process in an effort to improve its age-off methodology and the accuracy of the information used to determine age-off. The OIG believes implementation of this process for all types of SIGINT data is needed.
Overall, the OIG made 11 recommendations to assist NSA in addressing the risks, and ensuring that data retention is conducted in accordance with all applicable requirements and privacy rights. The Agency agreed with all of the OIG’s recommendations. As of the date of this summary, the Agency has taken action sufficient for the OIG to close four of the recommendations, and the OIG has determined that the actions the Agency plans to take meet the intent of the remaining recommendations.
