Re: [cryptome] Re: FOIPA adventures
two new for DOCSIS tech @FBI, @CIA:

"Any and all "DOCSIS" technology records, including cross-references and indirect mentions, including records outside the investigation main file. This is to include a search of each of the following record stores and interfaces: the Central Records System (CRS), the Automated Case Support system ("ACS") Investigative Case Management system ("ICM"), the Automated Case Support system ("ACS") Electronic Case File ("ECF"), and the Automated Case Support system ("ACS") Universal Index ("UNI"). I also request a search of "ELSUR", the database containing electronic surveillance information, for any and all records or activities related to "DOCSIS" or "DOCSIS intercept" or "DOCSIS access" technology. In addition, please extend the search criteria across any external storage media, including I-Drives, S-Drives, or related technologies used during the course of investigation involving Cable internet data services. DITU experimental technologies or research also within scope of this request. Please include processing notes, even if request is denied in part. Please identify individuals responsible for any aspect of FOIA processing in the processing notes, along with explanation of their involvement if not typically assigned FOIA responsibilities for the record systems above." - https://www.muckrock.com/foi/united-states-of-america-10/indocsis-19725/

"Any and all records, receipts, training, technology transfer programs, research, evaluation technologies, or other materials relevant to "DOCIS" cable communication technology. This is to include "DOCSIS 1.0", "DOCSIS 2.0", "DOCSIS 3.0", and other relevant DOCSIS protocols." - https://www.muckrock.com/foi/united-states-of-america-10/indocsisxfer-19726/

On 7/12/15, coderman <coderman@gmail.com> wrote:
On 7/12/15, Douglas Rankine <douglasrankine2001@yahoo.co.uk> wrote:
Are they giving reasons for the rejections?
Glomar all around. see also:
"What Is the Big Secret Surrounding Stingray Surveillance?" - http://www.scientificamerican.com/article/what-is-the-big-secret-surrounding...
---
What Is the Big Secret Surrounding Stingray Surveillance?
State and local law enforcement agencies across the U.S. are setting up fake cell towers to gather mobile data, but few will admit it.
By Larry Greenemeier | June 25, 2015
Stung: Law enforcement agencies sometimes use a device called a stingray to simulate a cell phone tower, enabling them to gather international mobile subscriber identity (IMSI), location and other data from mobile phones connecting to them. Pictured here is an actual cell tower in Palatine, Ill.
Given the amount of mobile phone traffic that cell phone towers transmit, it is no wonder law enforcement agencies target these devices as a rich source of data to aid their investigations. Standard procedure involves getting a court order to obtain phone records from a wireless carrier. When authorities cannot or do not want to go that route, they can set up a simulated cell phone tower—often called a stingray—that surreptitiously gathers information from the suspects in question as well as any other mobile device in the area.
These simulated cell sites—which collect international mobile subscriber identity (IMSI), location and other data from mobile phones connecting to them—have become a source of controversy for a number of reasons. National and local law enforcement agencies closely guard details about the technology’s use, with much of what is known about stingrays revealed through court documents and other paperwork made public via Freedom of Information Act (FOIA) requests.
One such document recently revealed that the Baltimore Police Department has used a cell site simulator 4,300 times since 2007 and signed a nondisclosure agreement with the FBI that instructed prosecutors to drop cases rather than reveal the department’s use of the stingray. Other records indicate law enforcement agencies have used the technology hundreds of times without a search warrant, instead relying on a much more generic court order known as a pen register and trap and trace order. Last year Harris Corp., the Melbourne, Fla., company that makes the majority of cell site simulators, went so far as to petition the Federal Communications Commission to block a FOIA request for user manuals for some of the company’s products.
The secretive nature of stingray use has begun to backfire on law enforcement, however, with states beginning to pass laws that require police to obtain a warrant before they can set up a fake cell phone tower for surveillance. Virginia, Minnesota, Utah and Washington State now have laws regulating stingray use, with California and Texas considering similar measures. Proposed federal legislation to prevent the government from tracking people’s cell phone or GPS location without a warrant could also include stingray technology.
Scientific American recently spoke with Brian Owsley, an assistant professor of law at the University of North Texas Dallas College of Law, about the legal issues and privacy implications surrounding the use of a stingray to indiscriminately collect mobile phone data. Given the invasive nature of the technology and scarcity of laws governing its use, Owsley, a former U.S. magistrate judge in Texas, says the lack of reliable information documenting the technology’s use is particularly troubling.
[An edited transcript of the interview follows.]
When and why did law enforcement agencies begin using international cell site simulators to intercept mobile phone traffic and track movement of mobile phone users?
Initially, intelligence agencies—CIA and the like—couldn’t get local or national telecommunications companies in other countries to cooperate with U.S. surveillance operations against nationals in those countries. To fill that void companies like the Harris Corp. started creating cell site simulators for these agencies to use. Once Harris saturated the intelligence and military markets [with] their products, they turned to federal agencies operating in the U.S. So the [Drug Enforcement Administration], Homeland Security, FBI and others started having their own simulated cell sites to use for surveillance. Eventually this trickled down further to yet another untapped market: state and local law enforcement. That’s where we are today in terms of the proliferation of this technology.
Under what circumstances do U.S. law enforcement agencies use cell site simulators and related technology?
There are three examples of how law enforcement typically use stingrays for surveillance: First, law enforcement officials may use the cell site simulator with the known cell phone number of a targeted individual in order to determine that individual's location. For example, officials are searching for a fugitive and have a cell phone number that they believe the individual is using. They may operate a stingray near areas where they believe that the individual may be, such as a relative's home.
Second, law enforcement officials may use the stingray to target a specific individual who is using a cell phone, but these officials do not know the cell phone number. They follow the targeted individual from a site to various other locations over a certain time period. At each new location, they activate the stingray and capture the cell phone data for all of the nearby cell phones. After they have captured the data at a number of sites they can analyze the data to determine the cell phone or cell phones used by the targeted individual. This approach captures the data of all nearby cell phones, including countless cell phones of individuals unrelated to the criminal investigation.
Third, law enforcement officials have been known to operate a stingray at political rallies and protests. Using the stingray at these types of events captures the cell phone data of everyone in attendance.
How does law enforcement get permission to perform this type of surveillance?
Federal law enforcement agencies typically get courts to approve use of something like stingray through a pen register application [a pen register is a device that records the numbers called from a particular phone line]. With that type of application, essentially the government says, we want this information. We think it’s going to be relevant to an ongoing criminal investigation. As you can imagine, that’s a pretty low bar for them to satisfy in the eyes of the court. Just about anything could fit into that description. You don’t even have to show that such an investigation would lead to an arrest or prosecution. Law enforcement is telling the court, look, we’re in the middle of this investigation. If we get this information, we think it might lead to some other important information.
Different court orders have different standards for approval. The highest standard would be for a wiretap. A search warrant likewise has a much higher standard than a pen register, requiring law enforcement to prove probable cause before a judge will grant permission to use additional means of investigation. The problem that I have with a pen register to justify use of something like a stingray is that the standard for a pen register is much too low, given the invasive nature of a pen register. Instead, I think the use of a stingray should be consistent with the Fourth Amendment of the Constitution and pursuant to a search warrant.
Why not explicitly state the type of technology being used and its specific purpose when filing for a court order?
[When] law enforcement agencies seek to obtain judicial authorization through a pen register, they do not directly indicate that they are applying for authorization to use a stingray. Doing so might cause some courts to question whether the pen register statute [as opposed to some higher standard] is the appropriate basis for authorizing a stingray. In addition, law enforcement agencies typically have to sign nondisclosure agreements with Harris Corp. in order to receive the federal Homeland Security funding needed to purchase the technology. So there’s this concern, at least at the local law enforcement level, about revealing any information about it because that would violate the agreement with Harris and maybe subject them to losing the equipment or some other consequences.
Why would law enforcement agencies sign a nondisclosure agreement with a technology company?
I’m not sure whether the agreements are being driven by the FBI or by Harris, but these agreements seem to be getting less relevant insofar as [there is less] need to keep the public unaware of the existence of this technology. In the last three or so years there’s been a lot more awareness about the technology and its use. When agencies were first signing these agreements years ago, use of this technology wasn’t widely known. Now you are getting situations where criminal defense attorneys learn about stingray and similar technologies and the role they may be playing in the arrests of some of their clients. Defense teams are starting to ask questions and require the government to produce documentation such as court orders, and that’s creating the confrontation you’re now seeing.
Why have law enforcement agencies kept their use of cell site simulators so secretive?
Some of it is the cloudy legal issues surrounding the legitimate uses of this technology. Law enforcement agencies will also argue that the more information that’s available about this technology, the harder it is for them to use these devices to fight crime. Yet there’s a growing knowledge of this technology, and a serious criminal enterprise is already aware of it. People are already using prepaid disposable phones [sometimes referred to as “burner phones”] to some extent to defeat this technology. Sophisticated criminals are aware that there’s electronic surveillance out there in myriad ways, and so they’re going to take precautions. From a technology perspective, it’s sort of a cat-and-mouse game. There’s also a device that locates cell site simulators, something referred to as an IMSI catcher. There’s an arms race back and forth to get the best technology and to get the edge.
What does it say to you about the whole process that a prosecutor or a law enforcement agency is willing to sacrifice a conviction in order to keep their methods a secret?
I think it’s a very odd approach. You are throwing away some convictions or potential convictions for the sake of secrecy. But it’s even harder to understand now that knowledge of the technology is becoming so common. There have been documented cases in Baltimore and Saint Louis where stingray has supposedly been used. The use of stingray and related technologies is a roll of the dice in the sense that law enforcement is hoping that either the defense attorneys don’t have enough savvy or wherewithal to find out about the technology and ask the right questions or, even if that does happen, they’re hoping that the judge that they have is favorable to their approach and not going to order them to reveal information about its use. In the rare occasions when things go against them, they just dismiss it.
You yourself denied a law enforcement application three years ago to use a stingray. Under what circumstances would you approve its use?
I want to make clear: I don’t have a problem with stingray itself—I understand that this can be a valuable tool in law enforcement’s arsenal. My problem is that I want it to be used pursuant to a high standard of proof that it’s needed, and that I want the approval process to be more transparent. One of the reasons I’d like to see some more documentation of stingray applications and orders is because I have this suspicion—but there’s no way of confirming it one way or another—that some judges are signing approvals to use this technology thinking that they’re just signing a pen register. If a judge thinks it’s [just] another pen register application, they’re just going to sign it without giving it much pause.
Now that the use of these stingrays and related technologies has been made public, where will this issue be a year or a few years from now?
A year from now I think we’re in the same position. You’re dealing with outdated statutes concerning new and very different technology. It’s possible in five years maybe that Congress will step in and do something. More likely, state legislatures will take most of the action to monitor this type of surveillance. Washington State, California [and others] have already acted, and Texas is evaluating the standards for approving stingray use.
and three appeals of rejected @FBI: (my first appeal(s)! :)

"The number of Digital Receiver Technology units model DRT 1201 used by, or owned or leased by the agency." - https://www.muckrock.com/foi/united-states-of-america-10/drtbox-18541/

"The number of Harris Corporation KingFish systems/devices used by, or owned or leased by the agency." - https://www.muckrock.com/foi/united-states-of-america-10/kingfishing-18594/

"Any and all SKUs, Contracts, Invoices, Receipts, Billing Numbers, Agreements, PO Numbers, for any services or goods purchased from Boeing Corporation, including third party contract hours for training or related services, regarding hardware to include Digital Signal Processing (DSP) or Cell-site Simulators or Software Defined Radio (SDR) base-stations, or Stingray-like pen/trace-trap devices, or other radio surveillance technology, including technology formerly produced by Digital Receiver Technology, Inc., also known as DRT Systems, now part of Boeing, known to include the DRTBox, or DirtBox, or DirtBoxes surveillance gear. Please include antenna systems and cable hardware, as part of the radio systems to report on." - https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-1870...
new reqs:

"Count of "Hardware Security Module", "HSM", "Cryptographic Accelerator", or "VPN Accelerator" devices or equivalent in use or purchased by the department. This is to include devices which are incorporated into larger computing facilities such as databases, servers, switches, and routers. Please include processing notes for this request, even if request is denied in part."

@FBI https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-197...
@CIA https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-197...
@DoJ https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-197...
@DoD-OIG https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-197...
@DoD-SecDef https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-197...
@DHS https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-197...
@USSS https://www.muckrock.com/foi/united-states-of-america-10/hardwaresecmods-197...

best regards,
moar new reqs:

"The number of "HotPlug" forensic power override devices or equivalent in use or purchased by the Bureau. This is to include official CRU® WiebeTech® HotPlug™ systems or equivalent forensic power override systems by other suppliers. Please include processing notes for this request, even if request is denied in part."

@FBI https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/
@CIA https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19763/
@DEA https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19764/
@DHS https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19765/
@DoD-OIG https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19766/
@DoD-SecDef https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19767/
@USSS https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19768/

best regards,
this new request i vote most likely to take longest time to fulfill :)

"Any and all records, reports, tasking, mitigations, redesigns, post-mortems, and any other responsive materials related to compromise of "Tor" and/or "Tor Browser Bundle" and/or "Tor Vidalia Bundle" leading to breach of NSANet, JWICS, SIPRNet, and also including joint activities with access to FBINet and SCION where compromise of Tor resulted in attacker attaining access to, or potentially gaining access to these networks. Note that Tor may be incorrectly capitalized as "TOR"; please do a case insensitive search. Specific date of compromise is between July 30th 2007 and Aug. 2nd 2007; date provided to aid search efforts. CVE assigned to vulnerability is CVE-2007-4174 and provided to aid search efforts. Subject announcing vulnerability is "Tor security advisory: cross-protocol http form attack" and provided to aid search efforts. Please include results spanning the Cryptologic Services Groups, the National Security Operations Center (NSOC), the Information Assurance Directorate, the Research Associate Directorate, the Signals Intelligence Directorate, the Technology Directorate, the NSA/CSS Threat Operations Center (NTOC), and the Office of the Director, including Staff. Search of Covert Network Access technologies employed by Special Intelligence (SI) programs contained within compartmented access constraints is specifically requested, including QUANTUMTHEORY and related covert programs requiring covert Internet access. Please provide processing notes for this request, even if denied in part. Thank you!" - https://www.muckrock.com/foi/united-states-of-america-10/backhack-19811/

best regards,
P.S. this just dropped and is awesome :)

https://archive.org/details/COMPLETE_FBI_VAULT_FOIA_PDF_ARCHIVES_07_15_15

54GB FBI VAULT FOIA PDF ARCHIVES V1.0
SOURCE: https://vault.fbi.gov

ABOUT THIS DOWNLOAD SET (4 PARTS):
– four downloadable .zip files uncompress to roughly 54GB total
– complete FBI Vault online archives (up to July 15 2015)
– meticulous folder structure
– all individual PDF files renamed accordingly & logically
– utilizes long file/folder names on Mac OS X 10.10.4
– archive created on Mac OS X 10.10.4
– master folders compressed to .zip files via standard system compression utility

[SPECIAL NOTE: This version of the archive is much better than the original FBI downloadable components. This took much time to methodically download, compile and cleanup.]

FOLDER DIRECTORY: http://pastebin.com/0RcBHjKP
an interesting response on the FOIA stats: https://www.documentcloud.org/documents/2124204-responsive-documents.html FOIA totals from 2005 through 2014 for FBI RIDS. PA req. contention continues... best regards,
my first payment required: https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/... as i do not qualify for fee waiver in their eyes. :(

this diss hurts most deep, earth humans...

best regards,
acting in selfish self interest FOIA for profitman (?!?)
On 8/4/15, coderman <coderman@gmail.com> wrote:
... best regards, acting in selfish self interest FOIA for profitman (?!?)
i forgot to add, they also checked off: "You have not demonstrated your expertise in the subject area [forensic power supply devices for live in-situ and lab equipped volatile memory and running system analysis], your ability, and/or your intention to effectively convey the information to the public." which offends me for MuckRock as their publication platform is excellent! rude. i suppose if my competence is insulted, there is no alternative but to reclaim and defend honor so besmirched...
Privacy Act request to FBI is in third attempt, with dual copies of notarized DoJ-361 to both RIDS and MuckRock: https://www.muckrock.com/foi/united-states-of-america-10/privacyactdirect-19...

enabled web tracking for real-time stats on progress of each identical USPS certified letter.

expect to get next:
0. X records responsive to your request. you must pay for them and it will take three years to dribble out.
1. upon reading the dribbles, majority is redacted. now starts the remove-redact fight, more years hence...

best regards,
On 8/4/15, coderman <coderman@gmail.com> wrote:
... i suppose if my competence is insulted, there is no alternative but to reclaim and defend honor so besmirched...
able to pre-pay for the most technical report on FBI procurement of forensic power overrides:
https://www.pay.gov/public/search/global?formSearchCategory=FOIA%20Request
and FBI specifically at: https://www.pay.gov/public/form/start/37210538

updated MuckRock accordingly, https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/

fun to see how pre-payment processed? :)

best regards,
most recent batch:

P25Count

Count of the number of P25 capable radio units or systems in use by, or owned, or leased, or otherwise utilized by the Bureau. This includes any of the Motorola ASTRO APX P25 portables, Vertex Standard P25 portables, ICOM P25 portables, RELM Wireless P25 portables, Motorola MOTOTRBO DMR radios, and Mobile P25 Radios. This includes any P25 Phase 1 and Phase 2 capable radios. Please include yearly break-down by radio model, if available. Please include processing notes for this request, even if denied in part.

@FBI https://www.muckrock.com/foi/united-states-of-america-10/p25count-20168/
@DEA https://www.muckrock.com/foi/united-states-of-america-10/p25count-20169/
@USMarshals https://www.muckrock.com/foi/united-states-of-america-10/p25count-20170/
@ATF https://www.muckrock.com/foi/united-states-of-america-10/p25count-20171/
@CoastGuard https://www.muckrock.com/foi/united-states-of-america-10/p25count-20172/
@USSS https://www.muckrock.com/foi/united-states-of-america-10/p25count-20173/
@DoJ(crim. div.) https://www.muckrock.com/foi/united-states-of-america-10/p25count-20174/
@CIA https://www.muckrock.com/foi/united-states-of-america-10/p25count-20175/
@NSA https://www.muckrock.com/foi/united-states-of-america-10/p25count-20176/
@StateDept https://www.muckrock.com/foi/united-states-of-america-10/p25count-20177/
@DoT https://www.muckrock.com/foi/united-states-of-america-10/p25count-20178/
@HomeSec https://www.muckrock.com/foi/united-states-of-america-10/p25count-20179/
@NCSC https://www.muckrock.com/foi/united-states-of-america-10/p25count-20180/
@DSS https://www.muckrock.com/foi/united-states-of-america-10/p25count-20181/
@DoJ(natsec div.) https://www.muckrock.com/foi/united-states-of-america-10/p25count-20182/
@INTERPOL https://www.muckrock.com/foi/united-states-of-america-10/p25count-20183/

all reqs: https://www.muckrock.com/foi/list/?page=1&per_page=104&user=2774

best regards,
On 8/5/15, coderman <coderman@gmail.com> wrote:
... https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/ fun to see how pre-payment processed? :)
same day turnaround; that's a record! "The FBI has received your additional correspondence regarding your Freedom of Information Act/Privacy (FOIPA) request and it has been forwarded to the assigned analyst for review. If appropriate, a response will be forthcoming." RIDS++
On 8/5/15, coderman <coderman@gmail.com> wrote:
... able to pre-pay for the most technical report on FBI procurement of forensic power overrides... https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/
as expected, this was just a "go away" tactic, and once paid, they took their time to tell me they must refund, and i must give them an amount, and then they search, and then they charge me, and then they search some more, and then they give me the docs. fuck that!

and happy judicial precedent later, i gave this reply:

---

This is a written response regarding payment for FOIA request 1333239-000.

Please be advised that I am NO LONGER WILLING TO PAY FEES and contest the notion of my request being "commercial use".

Observe that in August, 2015 D.C. Circuit Judge Merrick Garland emphasized that web-based publishers are as entitled to waivers as newspapers, that outlets without a following by a broad swath of the general public can qualify for waivers and that organizations that pass analyzed government documents to media outlets can be classified as members of the news media under the federal public records law.

"There is nothing in the statute that specifies the number of outlets a requester must have, and surely a newspaper is not disqualified if it forsakes newsprint for (or never had anything but) a website," Garland wrote in an opinion joined by Judges Janice Rogers Brown and David Sentelle. "There is no indication that Congress meant to distinguish between those who reach their ultimate audiences directly and those who partner with others to do so..." - http://www.cadc.uscourts.gov/internet/opinions.nsf/EF1DE205B4E1264685257EAC0...

The results of my FOIA requests have been incorporated into popular reporting in the technical press and wider media, proving the value of this information to the public and my ability to ultimately reach the public audience through partner organizations.

Thank you.
On Thu, Aug 27, 2015 at 12:21 AM, coderman <coderman@gmail.com> wrote:
a requester must have, and surely a newspaper is not disqualified if it forsakes newsprint for (or never had anything but) a website,"
The results of my FOIA requests have been incorporated into popular reporting in the technical press and wider media, proving the value of this information to the public and my ability to ultimately reach the public audience through partner organizations.
The medium or size is no longer relevant in demise of print. Some FOIA are published discussed here on this list. Can easily be published ftp, nntp, drone pamphleting, irc on darknets and down the river. There are interested readers, at least one, somewhere. Until all govt docs are published, what better legit use of taxes is there? Certainly not on murder and secrets.
On 8/26/15, coderman <coderman@gmail.com> wrote:
...
https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19762/
as expected, this was just a "go away" tactic, and once paid, they took their time to tell me they must refund, and i must give them an amount, and then they search...
mea culpa; this response about fees was in error, and the FOIA person apologized. so far as now, zero fees expected...

this other did complete: request to Department of Defense, Office of the Inspector General of the United States of America. - https://www.muckrock.com/foi/united-states-of-america-10/hotpluggedin-19766/...

they have THREE (3) WiebeTech HotPlug systems, and no other brands of this device type used.

best regards,
another to complete: at least 10 P25 Motorola radios at Department of State. and some not so pretty carpet :P https://www.muckrock.com/foi/united-states-of-america-10/p25count-20177/#fil... best regards,
On 9/17/15, coderman <coderman@gmail.com> wrote:
another to complete:
at least 10 P25 Motorola radios at Department of State. and some not so pretty carpet :P
https://www.muckrock.com/foi/united-states-of-america-10/p25count-20177/#fil...
handily beat by the US Marshals, with 21,994 P25 radios! https://www.muckrock.com/foi/united-states-of-america-10/p25count-20170/#fil... i expect the DEA will be another big buyer... best regards,
most interesting reply:

asked about SCIFs at the DoJ, and they forward only to FBI:
https://www.muckrock.com/foi/united-states-of-america-10/scifcount-21229/#fi...

surely DoJ has more SCIFs than just those used by FBI investigations? perhaps FBI is simply SCIF steward for all DoJ components...

sending more FOIAs now, starting with processing notes. will advise,
I suppose prosecutors working on the Manning and Snowden cases can't work out of their offices?

On Tue, Sep 22, 2015 at 9:25 PM, coderman <coderman@gmail.com> wrote:
most interesting reply:
asked about SCIFs at the DoJ, and they forward only to FBI:
https://www.muckrock.com/foi/united-states-of-america-10/scifcount-21229/#fi...
surely DoJ has more SCIFs than just those used by FBI investigations? perhaps FBI is simply SCIF steward for all DoJ components...
sending more FOIAs now, starting with processing notes. will advise,
On 9/22/15, coderman <coderman@gmail.com> wrote:
most interesting reply ...
less interesting reply, but a more interesting response on my part: FBI claiming privacy interest to refuse ALL of my FOIA regarding the Sklyarov / Elcomsoft incident years back: https://www.muckrock.com/foi/united-states-of-america-10/freedmitry-21209/

this is my first attempt to argue compelling public interest against a privacy exemption, it is as follows;

Please recognize the public interest in this request for responsive records as follows:

First and foremost, extensive media attention during this period was generated due to the intersection of "hacking" and "reverse engineering" combined with the DMCA provisions deeming some technologies illegal at interest to the information technology industry as a whole. This reason alone is sufficient and compelling justification for transparency in a watershed case, however, I shall continue.

Second, this case involved not a US citizen, but a foreign national. As has recently been scoured in the technical press, Wassenaar with its incumbent BIS obligations has brought discussion of the risks foreigners face visiting the EU and US, in addition to US citizens abroad who now find themselves subject to severe technical controls due to their industry participation. I feel that surely this must provide beyond sufficient justification for public interest in documents responsive to this request, yet I shall continue to exhaust the relevant perspectives in my quiver of inquiry.

Thus thirdly, the conference venue, DEF CON security conference, itself of notoriety and high esteem in the technical community, was the operating domain for the closing moves of this investigation. The logistics and technical considerations for operating in this domain thus also compounds the public interest in the activity for which the records responsive to this request have been requested.

Fourthly, and there is a fourthly for sure, the activities undertaken by the agency were at risk of alienating a talent pool the Bureau has increasingly courted and pursued for their invaluable skills in digital forensic analysis, reverse engineering, and information security. Balancing actions before a critical group who also interacts frequently with the agency, and from whom the Bureau itself draws professional talent, amplifies the interest and relevance of this inquiry, and the need for unrestrained transparency when identifying documents responsive to this request.

Lastly and finally, yet not to diminish the inherent privacy rights afforded to all earth humans, inalienable, with justice for all, the privacy rights which this agency has cited in justification for limiting the documents responsive to this request, please note that the privacy exemptions provided by law are specific and limited to situations where there is a compelling personal privacy interest. The agency has not provided any compelling privacy interest on behalf of the fine Mr. Sklyarov, and his foreign status removes the common privacy concerns of an individual within a domestic community at issue in responsive documents. It is fully reasonable, per Department of Justice v. Reporters Committee for Freedom of the Press, that the FBI may provide documents detailing "what they were up to" in this investigation, without undue burden on the privacy rights of a foreign citizen briefly visiting to attend a public conference in the United States.

Please do recognize and acquiesce to the public interest so broadly in view.

Best regards,
On 9/27/15, coderman <coderman@gmail.com> wrote:
... less interesting reply, but ...
from the comforting responses dept., a legit Glomar: [it's been a while!]

"The list of origin IPv4 CIDR prefixes or distinct IPv4 addresses used by the Office of Tailored Access Operations (TAO) within the QUANTUMSQUIRREL covert access network, which is able to impersonate any IPv4 address. Note that this program has been widely discussed in the press thus removing any claims of sensitivity on this subject matter. Cf. "The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics". firstlook.org. 2014-07-16: https://firstlook.org/theintercept/document/2014/03/12/nsa-gchqs-quantumtheo... . Please break out the list of impersonated endpoints by year, if possible."

'The request has been rejected, with the agency stating that it can neither confirm nor deny the existence of the requested documents.'
- https://www.muckrock.com/foi/united-states-of-america-10/deezquantumsquirrel...

best regards,
honestly didn't think i'd get a useful reply to this one:

" [regarding SCIFs] Records associated with self inspection of classified materials handling pursuant to Executive Order (E.O.) 13526 and E.O. 13587 performed by the agency for the last ten (10) years. Please include results of inspection and especially guidance resulting from analysis of reviewed activities and materials. Inspection records associated with effectiveness of original classification, effectiveness of derivative classification, safeguarding material, security training, security violations, and auditing / oversight are specifically requested. Thank you! "

and yet!

"Please see the NRO partial response to your recent FOIA request."
https://www.muckrock.com/foi/united-states-of-america-10/eeeieeeohorder-2136...

:P

best regards,
On 10/5/15, coderman <coderman@gmail.com> wrote:
honestly didn't think i'd get a useful reply to this one: " [regarding SCIFs]
... https://muckrock.s3.amazonaws.com/foia_files/2015/09/29/F15-0117_Peck.PDF

NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715

28 September 2015

Mr. Martin Peck
MuckRock DEPT MR 21368
PO Box 55819
Boston, MA 02205-5819

Re: NRO Case #F15-0117

Dear Mr. Peck:

This is in response to your request dated 19 September 2015, received in the National Reconnaissance Office (NRO) on 21 September 2015. Pursuant to the Freedom of Information Act, you are requesting "Records associated with self inspection of classified materials handling pursuant to Executive Order (E.O.) 13526 and E.O. 13587 for the last ten (10) years." We have accepted your request, and it is being processed in accordance with the FOIA, 5 U.S.C. § 552, as amended.

As an interim release in response to your request, we are providing to you thirty-nine pages of responsive information that has previously been released in part to another requester. These pages are being released in part to you, as well. Information that is denied is withheld pursuant to FOIA exemption (b)(3), which is the basis for withholding information exempt from disclosure by statute. The relevant withholding statute is 10 U.S.C. § 424, which provides (except as required by the President or for information provided to Congress), that no provision of law shall be construed to require the disclosure of the organization or any function of the NRO; the number of persons employed by or assigned or detailed to the NRO; or the name or official title, occupational series, grade, or salary of any such person.

Since it is unlikely we will be able to provide a complete response within the 20 working days stipulated by the Act, you have the right to consider this a denial and may appeal on this basis to the NRO Appeal Review Panel, 14675 Lee Road, Chantilly, VA 20151-1715 after the initial 20 working day period has elapsed.
It would seem more reasonable, however, to allow us sufficient time to continue processing your request and respond as soon as we can. Unless we hear from you otherwise, we will assume that you agree and will continue processing your FOIA request on this basis. You will have the right to appeal any denial of records after you receive a final response to your request.

The FOIA authorizes federal agencies to assess fees for record services. Based upon the information provided, you have been placed in the "other" category of requesters, which means you are responsible for the cost of search time exceeding two hours ($44.00/hour) and reproduction fees ($.15 per page) exceeding 100 pages. We will notify you if it appears that we will meet or exceed our $25.00 minimum billing threshold in processing your request. Additional information about fees can be found on our website at www.nro.gov.

If you have any questions, please call the Requester Services Center at 703-227-9326, and reference the case number F15-0117.

Patricia B. Cameresi
Chief, Information Review and Release Group

Enclosure: Responsive information for 2012 & 2013

UNCLASSIFIED
NRO APPROVED FOR RELEASE 28 August 2014

NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715

MEMORANDUM FOR OFFICE OF THE UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE SECURITY POLICY AND OVERSIGHT DIRECTORATE

SUBJECT: Annual Self-Inspection Report

REFERENCES: OUSD(I) Memorandum, Annual Senior Agency Official Self-Inspection Program Report for Classified National Security Information, 8 July 2013

The National Reconnaissance Office (NRO) is providing the attached Self-Inspection Report as requested in reference. Point of contact for questions concerning this submission is A.
Jamieson Burnett
Director, Office of Security and Counterintelligence

Attachment: NRO Annual Self-Inspection Report for 2013

UNCLASSIFIED
NRO APPROVED FOR RELEASE 28 August 2014
Enclosure 2

AGENCY ANNUAL SELF-INSPECTION PROGRAM DATA: FY 2013
(Submissions must be unclassified.)

PART A: Identifying Information

1. Enter the agency name.
1. National Reconnaissance Office (NRO)

2. Enter the date of this report.
2. 30 [date garbled in OCR] September 2013

3. Enter the name, title, address, phone, fax, and e-mail address of the Senior Agency Official (SAO) (as defined in E.O. 13526, section 5.4(d)) responsible for this report.
3. Mr. Frank Calvelli, Principal Deputy Director, NRO, Room (b)(3) 10 USC 424, 14675 Lee Road, Chantilly, VA 20151

4. Enter the name, title, phone, fax, and e-mail address of the individual or office responsible for conducting self-inspections and reporting findings.
4. A. Jamieson Burnett, Director, Office of Security and Counterintelligence, (b)(3) 10 USC 424; Phone (b)(3) 10 USC 424

5. Enter the name, title, phone, fax, and e-mail address for the point-of-contact responsible for answering questions regarding this report.
5. Chief, Security and Counterintelligence Policy Staff, (b)(3) 10 USC 424; Fax (b)(3) 10 USC 424; (b)(3) 10 USC 424

PART B: Classified National Security Information (CNSI) Program Profile Information

6. Has your agency been designated/delegated as an original classification authority (OCA)?
7. Does your agency perform original classification activity?
8. Does your agency perform derivative classification activity?
9. Does your agency have an approved declassification guide and declassify CNSI?
6. 7. 8. 9. ■No _I Yes ■No Yes ■No ①Yes ■No ①Yes ①

PART C: Description of the Program

A description of the agency's self-inspection program to include activities assessed, program areas covered, and methodology utilized.
The description must demonstrate how the self-inspection program provides the SAO with information necessary to assess the effectiveness of the CNSI program within individual agency activities and the agency as a whole.

Responsibility

10. How is the SAO involved in the self-inspection program? (Describe his or her involvement with the self-inspection program.)
The Director of Security and Counterintelligence (D/OS&CI) advises the Senior Agency Official (SAO) when events warrant. The NRO Integrated Security Assessment Program (ISAP) results are also reported to the SAO thru the annual Management Control Plan Statement of Assurance (MCPSOA).

11. How is the self-inspection program structured to provide the SAO with information necessary to assess the agency's CNSI program in order to fulfill his or her responsibilities under section 5.4(d) of E.O. 13526?
The DOS&CI receives periodic reports on the program and advises the SAO when the DOS&CI believes events warrant advising the SAO. The NRO ISAP results are also reported to the SAO thru the annual MCPSOA.

12. Whom has the SAO designated to assist in directing and administering the self-inspection program? Who conducts the self-inspections? (If the SAO conducts the self-inspections, which may be the case in smaller agencies, indicate this.)
The DOS&CI is provided a Letter of Instruction by the Director, NRO which assigns his responsibilities.

Approach (b)(3) 10 USC 424

13. What means and methods are employed in conducting self-inspections? (For example: interviews, surveys, data calls, checklists, analysis, etc.)
NRO self-inspections are part of the NRO ISAP. Because contractors make up [illegible in OCR] the total NRO workforce and have the overwhelming number of Sensitive Compartmented Information Facilities (SCIFs), ISAP is a collaborative between Government and industry to identify and address security vulnerabilities, provide [illegible in OCR]
[illegible in OCR] process [illegible in OCR]

INFORMATION SECURITY OVERSIGHT OFFICE
AUTHORIZED FOR LOCAL REPRODUCTION
32 CFR 2001 E.O. 13526
NRO APPROVED FOR RELEASE 28 August 2014

14. If your agency performs different types of inspections (e.g., component self-inspections, command inspections, compliance reviews, etc.), describe each of them and explain how they are used. If not, indicate NA.
NA

15. Do your agency's self-inspections evaluate adherence to the principles and requirements of E.O. 13526 and its implementing directive and the effectiveness of agency programs covering the following areas? (Select all that apply.)
Original classification Cl Security violations [ 1 Safeguarding __I Management and oversight Derivative classification ■Declassification 11 Security education and training

16. Do your self-inspections include a review of relevant security directives and instructions?
16. ■Yes 7 No

17. Do your self-inspections include interviews with producers (where applicable) and users of classified information?
17. H Yes ■No

Approach: Representative Sample (If your agency does not classify information, indicate NA.)

18. Do your self-inspections include reviews of representative samples of original and derivative classification actions to evaluate the appropriateness of classification and the proper application of document markings?
18. Yes ■No ■NA

19. Do these reviews encompass all agency activities that generate classified information?
19. ■Yes No ■NA ①

20. Describe below how the agency identifies activities and offices whose documents are to be included in the sample of classification actions. (Indicate if NA.)
Based on the 291 site self-assessments submitted, the ISAP Manager, Program Security Officers (PSOs) and stakeholders discuss findings and formulate recommendations for a formal assessment, if required. OS&CI [remainder illegible in OCR]

21.
Do the reviews include a sampling of various types of classified information in document and electronic formats?
21. — Yes ■No ■NA

22. How do you ensure that the materials reviewed provide a representative sample of the agency's classified information? (Indicate if NA.)
Documents are selected for review in cooperation with site personnel who are familiar with the type of materials produced by the site. However, contractors are not required to count classified pages produced because of the additional costs that would be incurred by the NRO, so the documents reviewed may not be a representative [remainder illegible in OCR]

23. How do you determine that the sample is proportionally sufficient to enable a credible assessment of your agency's classified product? (Indicate if NA.)
We do not attempt to do this as it would increase costs to the NRO (as explained in item 22 above).

24. Who conducts the review of the classified product? (Indicate if NA.)
PSOs and Classification Management Officers (CMOs).

25. Are the personnel who conduct the reviews knowledgeable of the classification and marking requirements of E.O. 13526 and its implementing directive?
26. Do they have access to pertinent security classification guides? (Indicate if NA.)
27. Have appropriate personnel been designated to correct misclassification actions? (Indicate if NA.) If so, identify below.
25. D Yes ■No ■NA 26. ①Yes ■No ■NA 27. El Yes ■No ■NA

Frequency

28. How frequently are self-inspections conducted?
Annually.

29. Describe the factors that were considered in establishing this time period?
The time period is defined in the NRO Security Manual (NSM).

Coverage

30. How do you determine what offices, activities, divisions, etc., are covered by your self-inspection program? What agency activities are assessed?
Self-assessments are to be completed on each contractor SCIF. All contractor activities are assessed.

31. How is the self-inspection program structured to assess individual agency activities and the agency as a whole?
Contractor SCIF locations far outnumber government SCIF locations in the NRO. Government locations are relatively few in number and have professional government security officers assigned who can monitor safeguarding and classified information production and correct errors as they occur. We chose to concentrate on [remainder illegible in OCR]

Special Access Programs (SAP) (If your agency does not have the authority to create SAPs, indicate NA.)

32. If your agency has any special access programs, are self-inspections of the SAP programs conducted annually?
33. Do the self-inspections confirm that the agency head or principal deputy has reviewed each special access program annually to determine if it continues to meet the requirements of E.O. 13526?
34. Do the self-inspections determine if officers and employees are aware of the prohibitions and sanctions for creating or continuing a special access program contrary to the requirements of E.O. 13526?
32. 33. 34. ■No ■NA —I Yes III No ■NA Yes III No ■NA ①Yes ①

Reporting

35. What is the format for documenting self-inspections in your agency?
Self-assessments are documented using the self-assessment review tool in the NSM, Appendix B. For formal assessments, an out-briefing is provided to site security staff and other site senior management identifying [remainder illegible in OCR]

36. Who receives the reports?
The OS&CI ISAP Manager.

37. Who compiles/analyzes the reports?
The ISAP Manager and the responsible PSO analyze the report.

38. How are the findings analyzed to determine if there are problems of a systemic nature?
The ISAP Manager provides to the sponsoring Government Program Security Officer (GPSO) for review and subsequent action.

39. How and when are the results of the self-inspections reported to the SAO?
The DOS&CI determines when results warrant informing the SAO.

40. How is it determined if corrective actions are required?
The Government PSO and security stakeholder(s) reviews determine if corrective actions are required.

41. Who takes the corrective actions?
The assessed site.

42. How are the findings from your agency's self-inspection program distilled for the annual report to the Director of ISOO?
The OS&CI Security Policy Staff (SPS) tasks the ISAP Manager to distill the findings and provide them to SPS for inclusion in the annual report.

43. Has the SAO formally endorsed this self-inspection report?
43. ■Yes ①No

PART D: A summary of the findings of your agency's self-inspection program

The summary should present specific, concise findings from your self-inspection program for each of the required program areas below. It is not a description of the requirements of the agency's CNSI program. Rather, the summary outlines the essential self-inspection findings based on the compilation and/or distillation of the information contained in the agency's internal self-inspection reports, checklists, etc. In large agencies where findings are drawn from multiple agency offices and activities, the findings that are reported here may be the most significant or most frequently occurring.

44. Original Classification: OCAs are senior officers and mainly exercise their authority through the signing of classification guides for information unique to their activity. While OCA decisions get implemented through the classification guide, written documentation of individual OCA decisions is difficult or impossible to locate.
OCAs were not using the appropriate OCA classification block but a derivative block. OS&CI Policy Branch will issue clear instructions for all classification guides to contain the appropriate OCA classification block.

45. Derivative Classification: NRO activities result in complicated Power Point slide briefings with complex tables, diagrams, and text boxes describing engineering and R&D activities. Under reduced manning from sequestration and budget cuts which have resulted in a loss of over 1,000 man-years of experience across the NRO, derivative classifiers struggle to get all derivative markings accurate after they have compiled difficult subject matter on compressed time lines under stressful conditions. It is admirable that individuals perform as well as they do.

46. Declassification: Not included in self-inspection.

47. Safeguarding: Regular conduct of exercises provides vital feedback to the physical security program. Exercises identify areas for corrective measures, enhancements, validates current tactics techniques and procedures (TTP) and the adoption/employment of new TTP to meet a dynamic threat environment. Regular inspections/audits are essential to ensuring status and validity of issued IC badges and conformity to physical security requirements. Risk assessments/physical security assessments provide a helpful "outside" perspective to site security offices.

48. Security Violations: The ISAP program is the formal mechanism by which we corroborate self-inspections. Included in these formal reviews is an assessment of the respective security violation program and trends. In addition, each component Security team evaluates Security incidents and violations by tracking them according to general broad categories. During this past FY, the majority (63%) of incidents/violations were related to categories within personnel electronic devices in SCIFs. Other categories that have multiple occurrences indicating potential trends are data

49.
Security Education and Training: 100% of personnel assigned to the NRO are required to complete an SCI indoctrination briefing to include signing a Non-Disclosure Agreement. E.O. 13526 is called out specifically so that personnel fully understand their responsibilities and requirements to protect classified information. This message is repeated by the release of awareness videos and reminders throughout the year; to include presentations, written materials, and training. Specifically, OS&CI incorporates classification management questions within the Annual Security Refresher

50. Management and Oversight: Government oversight of NRO-sponsored SCIFs is achieved in a multi faceted manner. Program Security Officers, Physical/Technical, and Computer Security Officers review self-assessment results and participate in on-site reviews. Some program findings for FY 13 were identified in the following areas:
• Standard Operating Procedures (SOPs) require more detail and more frequent revision to stay up-to-date with security requirements.

PART E: An assessment of the findings of your agency's self-inspection program

The assessment discerns what the findings mean. The assessment is an evaluation of the state of each element of your agency's CNSI program based on an analysis of the specific, concise findings of the self-inspection program. It reports what you have determined the findings indicate about the state of your agency's CNSI program. The assessment should inform the SAO and other decision makers of significant issues that impact the CNSI program. It should be used to determine how security programs can be improved, whether the agency regulation or other policies and procedures must be updated, and if necessary resources are committed to the effective implementation of the CNSI program.
The assessment should report trends that were identified during the reporting period across the agency or in particular activities, as well as trends detected by making comparisons with earlier reporting periods. It can be used to support assertions about the successes and strengths of an agency's program.

51. Original Classification: While OCAs produce timely and sufficient Classification Guides, decisions are not normally documented outside the guide by a separate source document. OCAs are not using an OCA style classification block but this will be corrected soon when specific detailed policy is issued by Security Policy.

52. Derivative Classification: Derivative classifiers are still wrestling with proper portion marking and classification of complex power point slide presentations and other documents concerning difficult subject matter and formats. To try and stem this tide, we are adding more classification management questions to our ASR. Dwindling budgets, reduced manpower, and "greening" (reducing) of salaries has reduced longevity, increased turnover, and reduced portion marking proficiency.

53. Declassification: Not included in self-inspection.

54. Safeguarding: Awareness and education programs are vital to ensuring the workforce maintains awareness of security policy and procedures. Regular and aperiodic exercises, inspections, and audits provide crucial inputs that are indispensable to ensuring that the physical security program is current and effective. Key challenges are maintaining adequate funding to replace aging, malfunctioning, and obsolete security equipment and training and education for new personnel. The NRO has an organization-level process for the Assessment and Authorization

55. Security Violations: The NSM detail the NRO process for reporting and investigating security incidents, infractions and violations.
Appropriate and prompt corrective actions were taken to mitigate the severity of the infraction/violation, and to sanction the offender via management, counterintelligence, and personnel security processes. Infractions and violations are centrally tracked in the Security Log (the NRO incident/violation database). This database is managed by the Program Security Officers in each directorate and office, and enables the PSO to automatically

56. Security Education and Training: OS&CI works closely with PSOs, Counterintelligence personnel, and the Integrated Self Assessment Program to determine any trends or specific areas that need an additional educational awareness campaign. Security communications are then targeted, utilizing large scale efforts, per a topic area and audience for best impact results. The NRO is adding additional classification management questions to the Annual Security Refresher to better satisfy the derivative classification training requirement. OCAs complete yearly training provided by

57. Management and Oversight: The NRO has a very mature Security management and oversight program. Over the past FY, much greater emphasis has been placed on ensuring all sites and facilities accomplished the self-assessments and submitted the findings to the Government within the mandated time requirements. This improved management oversight has made an impact. Our self-inspection program coupled with security officer visits, and formal team assessments provide managers a report card on the health of our security programs. When negative trends are identified,

PART F: Focus Questions

Answer the questions below. If the response identifies a deficiency, it should be explained in Part D, Summary of Findings, under the relevant program area, and should be addressed in Part H, Corrective Actions.
Training for Original Classification Authorities

Original classification authorities are required to receive training in proper classification and declassification each calendar year. (Section 1.3(d) of E.O. 13526 and § 2001.70(c) of 32 C.F.R. Part 2001) (Indicate NA if your agency does not have original classification authority)

58. Does agency policy require training for original classifiers?
58. Yes ■No ■NA
59. Has the agency validated that this training has been received?
59. I Yes ■No ■NA
60. What percentage of the original classification authorities at your agency has received this training?
60. ①100 Actual ■Estimated
61. Have any waivers to this requirement been granted?
61. III Yes No ■NA

Persons who Apply Derivative Classification Markings

Persons who apply derivative classification markings are required to receive training in the proper application of the derivative classification principles of E.O. 13526, prior to derivatively classifying information and at least once every two years thereafter. (Section 2.1(d) of E.O. 13526 and § 2001.70(d) of 32 C.F.R. Part 2001) (Indicate NA if your agency does not have any personnel who derivatively classify information)

62. Does agency policy require training for derivative classifiers?
62. • Yes Ill No III NA
63. Has the agency validated that this training has been received?
63. Yes ■No ■NA
64. What percentage of the derivative classifiers at your agency has received this training?
64. ■100 Actual Estimated
65. Have any waivers to this requirement been granted?
65. ■Yes i No

Initial Training

All cleared agency personnel are required to receive initial training on basic security policies, principles, practices, and criminal, civil, and administrative penalties. (§ 2001.70(6) of 32 C.F.R. Part 2001)

66. Does agency policy require initial training?
66. ①Yes ■No
67. Has the agency validated that this training has been received?
67. ①
68. What percentage of cleared personnel at your agency has received this training?
68.
100 Actual • Estimated

Annual Refresher Training

Agencies are required to provide annual refresher training to all employees who create, process, or handle classified information. (§ 2001.70() of 32 C.F.R. Part 2001)

69. Does agency policy require annual refresher training?
69. Yes ■No
70. Has the agency validated that this training has been received?
70. ①rl Yes ■No
71. What percentage of the cleared employees at your agency has received this training?
71. 100 Actual ■Estimated

Identification of Derivative Classifiers on Derivatively Classified Documents

Derivative classifiers must be identified by name and position, or by personal identifier on each classified document. (Section 2.1(b)(1) of E.O. 13526 and § 2001.22(b) of 32 C.F.R. Part 2001) (Indicate NA if your agency does not derivatively classify information.)

72. Does your agency's review of classification actions evaluate if this requirement is being met?
72. Yes ■No ■NA
73. What percentage of the documents sampled meet this requirement?
73. 87
74. What was the number of documents reviewed for this requirement?
74. 166,130 pages

List of Sources on Documents Derivatively Classified from Multiple Sources

A list of sources must be included on or attached to each derivatively classified document that is classified based on more than one source document or classification guide. (§ 2001.22(c)(1)(ii) of 32 C.F.R. Part 2001)

75. Does your agency's review of classification actions evaluate if this requirement is being met?
75. • Yes ■No ■NA
76. What percentage of the documents sampled meet this requirement?
76. 88
77. What was the number of documents reviewed for this requirement?
77. 166,130 pages
Performance Evaluations

The performance contract or other rating system of original classification authorities, security managers, and other personnel whose duties significantly involve the creation or handling of classified information must include a critical element to be evaluated relating to designation and management of classified information. (Section 5.4(d)(7) of E.O. 13526)

78. Does agency policy require this critical element in the performance evaluations of personnel in the categories required by E.O. 13526?
79. Has the agency validated that this critical element is included in the performance evaluations of personnel in the categories required by E.O. 13526?
80. What percentage of such personnel at your agency has this element in their performance evaluations?
78. 79. 80. ■Yes No 79. ■Yes 0 No 78. ① 80. 50% Actual • Estimated

OCA Delegations

OCA delegations shall be reported or made available by name or position to the Director of the Information Security Oversight Office. (Section 1.3(c)(5) of E.O. 13526). This can be accomplished by an initial submission followed by updates on a frequency determined by the SAO, but at least annually. (§ 2001.11(c) and § 2001.90(a) of 32 C.F.R. Part 2001)

81. Have there been any changes in the delegations, by name and position, of original classification authority in your agency since delegations were reported to ISOO in 2010?
82. Have all delegations been limited to the minimum required based on a demonstrable and continuing need to exercise this authority?
83. If changes have been made, have they been reported, by name or position, to ISOO?
81. 82. 83. ■Yes No ■NA Yes MI No I. NA ■Yes ■No NA

Classification Challenges

An agency head or SAO shall establish procedures under which authorized holders of information,
including authorized holders outside the classifying agency, are encouraged and expected to challenge the classification of information that they believe is improperly classified or unclassified. (Section 1.8(b) of E.O. 13526) Classification challenges must be covered in the training for original classification authorities and persons who apply derivative classification markings. (§ 2001.71 and § 2001.71(d) of 32 C.F.R. Part 2001)

84. Has your agency established procedures under which the classification of information can be challenged in accordance with section 1.8(b) of E.O. 13526 and § 2001.14 of 32 C.F.R. Part 2001?
85. Does your agency's training for OCAs and for personnel who apply derivative classification markings cover classification challenges?
86. Does your agency's training for all other cleared personnel cover classification challenges?
84. Yes 85. ■Yes 86. III Yes ■No ■NA ①①No ■NA No

PART G: Findings of the Annual Review of Agency's Original and Derivative Classification Actions

In this section provide specific information with regard to the findings of the annual review of the agency's original and derivative classification actions to include the volume of classified materials reviewed and the number and type of discrepancies identified.

87. Indicate the volume of classified materials reviewed during the annual review of agency's original and derivative classification actions. (If your agency does not classify information, indicate NA.)
87. 166,130 pages

88. Indicate the number of discrepancies found during the annual review of classification actions for each category below. For additional information on marking, consult the ISOO marking guide.

88 (a) Over-classification: Information does not meet the standards for classification.
88 (a) 28,798
88 (b) Overgraded/Undergraded: Information classified at a higher/lower level than appropriate.
88 (b) 42,779 88 (c) Declassification: Improper or incomplete declassification instructions or no declassification instructions. 88 (c) 24,043 88 (d) Duration: a shorter duration of classification would be appropriate. 88 (d) 13,889 88(e) Unauthorized classifier: A classification action was taken by someone not authorized to do so. 88(e) 0 88 (f) "Classified By" line: A document does not identify the OCA or derivative classifier by name and position or by personal identifier. 88 (f) 22,368 88 (g) "Reason" line: an originally classified document does not cite a reason from section 1.4 of E.O. 13526. 88 (g) 0 88 (h) "Derived From" line: A document fails to cite, or cites improperly, the classification source. The line should include type of document, date of document, subject, and office/agency of origin. 88 017,096 88 (i) Multiple sources: A document cites "Multiple Sources" as the basis for classification, but a list of these sources is not included on or attached to the document. 88 (i) 19,190 88(j) Marking: A document lacks overall classification markings or has improper overall classification markings. 88 (j) 34,141 88 (k) Portion Marking: The document lacks some or all of the required portion markings. 88 (k) 59,937 88(1) Instructions from a classification guide are not properly applied. 88 (1) 17,070 88 (m) Other: . 88 (m) 0 INFORMATION SECURITY OVERSIGHT OFFICE AUTHORIZED FOR LOCAL REPRODUCTION 32 CFR 2001 E.O. 13526 Enclosure 2 NRO APPROVED FOR RELEASE 28 August 2014 • __ __..._ ..-..-... 89. Describe actions that have been taken or are planned to correct identified program deficiencies, marking discrepancies, or misclassification actions, and to deter their reoccurrence. OS&CI Policy Branch will issue written instructions that all Classification Guides and original classification decisions will use an OCA style classification block. 
We plan to issue NRO-wide, monthly, short written educational reminders of the most error-prone mistakes reported in item 88, which will also include the proper way to classify and mark materials.

PART I: Best Practices

Best practices are those actions or activities that make your self-inspection program and/or CNSI program more effective or efficient. They set your program apart through innovation or by exceeding the minimum program requirements. These are practices that may be utilized or emulated by other agencies.

90. Describe best practices that were identified during the self-inspection.
One contractor site developed a database that allows self-assessments to be completed by each program area at that site. The database can apply filtering and reporting capabilities, thereby allowing managers to focus resources on a wide range of security-related disciplines. This type of approach and comprehensive tool development had not been previously seen by the ISAP Program.

PART J: Explanatory Comments

Use this space to elaborate on any section of this form. If more space is needed, provide as an attachment to this form. Provide explanations for any significant changes in trends/numbers from the previous year's report.

Item 16. All security directives and instructions are issued by the DOS&CI and are reviewed and updated annually but not as part of the self-inspection. All directives and instructions are maintained on-line and are accessible to all government employees and contractors.

Item 27. All government and contractor PSOs and CMOs (about [redacted, (b)(3) 10 USC 424] individuals) are authorized to correct incorrect classification, incorrect use of SCI control channels, and incorrect dissemination restrictions.

Item 68. CIA personnel (including CIA contractors with Agency Data Network or staff-like access) at the NRO are required to take the CIA "2013 Derivative Classifier Training" by their parent agency. All other government and contractors at the NRO take their training through the Annual Security Refresher briefing.

Item 78. The NRO is comprised of government individuals from various agencies. Parent agencies set the rules for their performance contract or rating system, which cannot be altered by the NRO. The percentage given represents the percentage of individuals from agencies that require a security performance evaluation statement.

For ISOO Use Only:  ISOO Analyst:   Date:   QC:   Analyst Initials:

UNCLASSIFIED

NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715

12 October 2012

MEMORANDUM FOR OFFICE OF THE UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE, SECURITY DIRECTORATE

SUBJECT: Annual Self-Inspection Report

REFERENCES:
(a) OUSD(I) Memorandum, Annual Senior Agency Official (SAO) Self-Inspection Program Report for Classified National Security Information, 2 October 2012
(b) Memorandum of Agreement between the Secretary of Defense and the Director of National Intelligence concerning the National Reconnaissance Office, 21 September 2010
(c) DoDI 5200.01, DoD Information Security Program and Protection of Sensitive Compartmented Information, 9 October 2008

The National Reconnaissance Office (NRO) is providing the attached Self-Inspection Report as requested in reference (a). In accordance with Director, National Reconnaissance Office authorities in references (b) and (c), it should be noted that the NRO does not administer a standard DoD Information Security Program based on DoDM 5200.01-V1 thru V3 and, therefore, some of the items in the attached checklist are not applicable and have been noted as such. My point of contact for questions concerning this submission is [redacted, (b)(3) 10 USC 424].
Jamieson Burnett
Director, Office of Security and Counterintelligence

Attachment: NRO Annual Self-Inspection Report for 2012

UNCLASSIFIED

INFORMATION SECURITY PROGRAM SELF-INSPECTION CHECKLIST
TITLE/SUBJECT/ACTIVITY/FUNCTIONAL AREA: Information Security Program Self-Inspection Checklist
National Reconnaissance Office
OPR: Security Manager   DATE: 11 October 2012

EO 13526 CLASSIFIED NATIONAL SECURITY INFORMATION AND IMPLEMENTING DIRECTIVE REQUIREMENTS

PART 1. DESCRIPTION OF SELF-INSPECTION PROGRAM: A description of the DoD Component's self-inspection program should include activities assessed, program areas covered, and methodology utilized. The description must demonstrate how the self-inspection program provides the senior agency official with the information necessary to assess the effectiveness of the classified national security information program within the individual Component activities and the Component as a whole. It should include the following:

1. Responsibility for the program:

(1) Whom does the senior agency official designate to assist in directing and administering the self-inspection program?
Answer: The Director of Security and Counterintelligence (DOS&CI) is provided a Letter of Instruction by the Director, NRO which assigns his responsibilities.

(2) How is the program structured to provide the senior agency official with the information necessary to assess the agency's classified national security information program?
Answer: The DOS&CI advises the Senior Agency Official (SAO) when the DOS&CI believes events warrant advising the SAO. The NRO Integrated Security Assessment Program (ISAP) results are also reported to the SAO thru the annual Management Control Plan Statement of Assurance (MCPSOA). (b)(3) 10 USC 424

(3) Who conducts the self-inspections?
Answer: NRO self-inspections are part of the NRO ISAP. Because contractors make up [illegible] of the total NRO workforce and have the overwhelming number of Sensitive Compartmented Information Facilities (SCIFs), ISAP is a collaborative process between Government and industry to identify and address security vulnerabilities, provide data for analysis, and identify system security issues and trends. This may lead to identification and definition of risk mitigation practices, and enable sharing of best security practices across government and industry. The primary purpose of the ISAP is to ensure the proper safeguarding of classified information through a single comprehensive review by various components of the Office of Security and Counterintelligence (OS&CI). ISAP integrates reviews utilizing program security, classification management, transportation and transmission of classified information, physical and technical accreditation, information systems security, personnel security, and Counterintelligence (CI) perspectives. The integrated assessment evaluates implementation of, and ensures compliance with, established security policies, procedures, and plans at all NRO government and contractor locations.

Site personnel conduct/document security self-assessments per requirements stated in the NRO Security Manual (NSM). Security Officers will conduct self-assessments of their SCIFs at least annually. For the reporting period there were 343 site self-assessments. The ISAP Manager or designee reviews the site assessments and enters a copy into an NRO database listing each NRO sponsored facility. Based on the self-assessments, the ISAP Manager, Program Security Officers (PSOs) and stakeholders discuss findings and formulate recommendations for a formal assessment, if required. OS&CI stakeholders represent the major OS&CI divisions and program office security staffs, including, but not limited to, PSOs, Physical/Technical Certification Officers, and Security Certification Officers. Stakeholders will develop and provide ISAP candidates to the ISAP Selection Board. Each ISAP recommendation shall contain detailed factors used to formulate the recommendation. Recommendation for site visits is then provided to the selection board. Sites are selected based on proximity, resources, budgetary constraints, time since last assessment, and random sampling.

A team composition is proposed for each site visit and a Lead PSO is selected. The Assessment Team will, at a minimum, consist of a Government PSO and an OS&CI/Facilities and Information Security Division (F&ISD) representative. Additional team members will be added as needed based on site size, mission, facility risk, and subject areas being assessed. An out-briefing is provided to site security staff and other site senior management identifying security program successes, observations, and any security "best practices" discovered during the formal assessment. The results are then loaded into the facility database that contains information from all previous visits with any problem areas or "best practices" noted. A final report requiring corrective actions to be taken within 90 days of the date of report is issued by the DOS&CI. The assessed site is required to provide follow-up reports of corrective action to the responsible PSO and the ISAP Manager every 90 days until all corrective actions are complete. The responsible PSO monitors all mitigation actions. Reports of corrective action are loaded into the NRO facilities database for historical purposes. For the reporting period, 16 formal team assessments were performed. An additional 9 formal specific-issue reviews were conducted. There were an additional 1,491 visits by OS&CI stakeholders to contractor SCIFs.
(4) How is the senior agency official involved in the program?
Answer: The DOS&CI keeps the SAO advised of trends and issues developed by the ISAP. The NRO ISAP results are also reported to the SAO thru the annual MCPSOA.

2. Approach:

(1) What means and methods are employed in conducting self-inspections?
Answer: For formal assessments, the Assessment Team evaluates implementation of, and ensures compliance with, established NRO security policies, procedures, and plans.

(2) Are different types of self-inspections conducted? If so, describe each of them.
Answer: Formal assessments will vary based on the experience of the lead PSO and the stakeholders with the facility and items noted in the self-evaluation report as well as the areas of responsibility of the attending subject matter experts. However, the objective for all is to identify and address security vulnerabilities, provide data for analysis, and identify system security issues and trends.

(3) Do the self-inspections evaluate adherence to the principles and requirements of E.O. 13526 and its implementing directive and the effectiveness of agency programs covering:

• Original classification?
Answer: Since Original Classification items only apply to 13 government employees who are Original Classification Authorities (OCA) at NRO Headquarters, a formal tasking is sent to Program Security Officers supporting the OCA to determine the date the OCA received their annual briefing and the number of original classification decisions they made during the reporting period. Experience has shown that not all of the OCAs make individual OCA decisions every year but most require their authority to sign classification guides for their area of responsibility. For the reporting period, nine OCA decisions were made.

• Derivative classification?
Answer: Included. In NRO Implementing Instructions released on 31 May 2011, derivative classifiers were instructed to include in the classification block a personal identification number rather than their name to protect their identity and association with the NRO. This "Classification ID (CLID)" number exists in the NRO Access Database so the specific individual with that number can always be identified. Employees of other agencies, who already have an ID number assigned by their parent agency, will use that number instead. Headquarters NRO derivative classifiers have their PSO available for questions regarding classification and marking and to review their derivatively classified documents for format and accuracy of classification and marking. Available on the OS&CI website are the Order, Information Security Oversight Office (ISOO) Implementing Directive and Marking booklet, videos and documents that explain the correct way to classify and mark documents, the Controlled Access Program Coordination Office (CAPCO) register and manual, over 120 Frequently Asked Questions with answers that are posted about portion marking, a Security Policy hotline that will answer their questions in real time, and numerous other experts who are available to answer their questions. Once the document is distributed, they face additional scrutiny from any security or classification management officer who reads it or from subject matter experts who point out classification and marking errors to security officers. The ISAP team visiting a site will review a sample of derivatively classified documents to point out errors in classification and marking, omissions of required information, and to make suggestions for improvement.

• Declassification?
Answer: The NRO has a formal declassification program which restricts to one office the authority to officially declassify NRO information and release it to the public, and which is not included in the self-inspection program. The results of this program are reported in the SF 311 report provided to USD(I) in October 2012. The NRO Declassification Guide (known as the Review and Redaction Guide) is updated and approved by the DNRO each year. It is currently undergoing review by the Interagency and is expected to be approved by the end of 2012.

• Security Classification Appeals Panel Safeguarding?
Answer: Included

• Security violations?
Answer: Included

• Security education and training?
Answer: Included

• Management and oversight?
Answer: Included

(4) Do the self-inspections include a review of relevant security directives and instructions, as well as interviews with producers and users of classified information?
Answer: All directives and instructions are issued by the DOS&CI and are reviewed and updated annually. All directives and instructions are maintained on-line and are accessible to all government employees and contractors.

(5) Do the self-inspections include reviews of representative samples of your Component's original and derivative classification actions?

• Do these reviews encompass all Component activities that generate classified information?
Answer: There are hundreds of individual activities that can generate classified information. While the annual self-assessment questionnaire covers 343 of these activities, the ISAP formal assessment inspects only a small percentage of these activities yearly. However, the Program Security Officers, Contractor Program Security Officers, and Classification Specialists review hundreds of classified documents yearly and provide direction to originators to correct those that are improperly marked.
o How do you identify the activities to which this applies?
Answer: Site personnel conduct/document security self-assessments per requirements stated in the NSM.

• Do the reviews include a sampling of various types of classified information in document and electronic formats?

o How do you ensure that the materials reviewed provide a representative sample of the Component's classified information?
Answer: Documents are selected for review in cooperation with site personnel who are familiar with the type of materials produced by the site. However, contractors are not required to count classified pages produced because of the additional costs that would be incurred by the NRO, so the documents reviewed may not be a representative sample.

o How do you determine that the sample is proportionally sufficient to enable a credible assessment of your Component's classified product?
Answer: We do not attempt to do this as it would increase costs to the NRO (as explained above).

• Who conducts the review of the classified products?

o Are they knowledgeable of the classification and marking requirements of E.O. 13526 and its implementing directive?
Answer: Yes

o Do they have access to pertinent security classification guides?
Answer: Yes

• Have appropriate personnel been designated to correct misclassification actions? If so, identify.
Answer: All Program Security Officers and Classification Management Specialists are authorized to correct misclassification, incorrect use of SCI channels, and incorrect dissemination restrictions.

3. Frequency:

(1) How frequently are self-inspections conducted?
Answer: Annually.

(2) What factors were considered in establishing this time period?
Answer: Time period is defined in the NSM.

4. Coverage:

(1) How do you determine what program elements and Component activities are covered by your self-inspection program?
Answer: Self-assessments are to be completed on each contractor SCIF.

(2) What Component activities are assessed?
Answer: All contractor activities are assessed.

(3) How is the program structured to assess individual Component activities and the Component as a whole?
Answer: Contractor locations far outnumber government locations in the NRO. Government locations are relatively few in number and have professional government security officers assigned who can monitor safeguarding and classified information production and correct errors as they occur. We chose to concentrate on contractor facilities, which are visited relatively infrequently. The conditions at contractor locations are not directly applicable to government locations.

(4) If your Component has any special access programs (SAP), are self-inspections of the SAP programs conducted annually?
Answer: Most SAPs are reviewed as part of the ISAP program. The ISAP formal assessment team has PSOs assigned that are briefed for most SAPs. In addition, the NRO conducts special annual reviews (in some cases, semi-annual) of the entire Sensitive Activities portfolio.

o Do the self-inspections confirm that the Component head or principal deputy has reviewed each special access program annually to determine if it continues to meet the requirements of E.O. 13526?
Answer: The NRO's entire Sensitive Activities portfolio is reviewed and briefed annually to the DNI's Senior Review Group (SRG) who then reports to Congress.

o Do the self-inspections determine if officers and employees are aware of the prohibitions and sanctions for creating or continuing a special access program contrary to the requirements of E.O. 13526?
Answer: Yes. In keeping with E.O. 13526, all Sensitive Activities' compartments that are established, terminated, or transitioned (to another program or lower classification) require NRO Special Activities Management Board review and approval, followed by notification to the DNI's Senior Review Group/Controlled Access Program Oversight Committee.

5. Reporting:

(1) What format is used for documenting self-inspections in your Component?
Answer: Self assessments are documented using the self-assessment review tool in the NSM, Appendix B. For formal assessments, an out-briefing is provided to site security staff and other site senior management identifying security program successes, observations, and any security "best practices" discovered during the formal assessment. The results are then loaded into the facility database that contains information from all previous visits with any problem areas or "best practices" noted. A final report requiring corrective actions to be taken within 90 days of the date of report is issued by the DOS&CI. The assessed site is required to provide follow-up reports of corrective action to the responsible PSO and the ISAP Manager every 90 days until all corrective actions are complete. The responsible PSO monitors all mitigation actions. Reports of corrective action are loaded into the NRO facilities database for historical purposes.

(2) Who receives the reports?
Answer: The OS&CI ISAP Manager.

(3) Who compiles/analyzes the reports?
Answer: The ISAP Manager and the responsible PSO analyze the report.

(4) How are the findings analyzed to determine if there are problems of a systemic nature?
Answer: The ISAP Manager provides to the sponsoring Government Program Security Officer (GPSO) for review and subsequent action.

(5) How and when are the results of the self-inspections reported to the senior agency official?
Answer: The DOS&CI determines when results warrant informing the SAO.

(6) How is it determined if corrective actions are required?
Answer: The GPSO and security stakeholder(s) review.

(7) Who takes the corrective actions?
Answer: The assessed site.

(8) How are the findings from your Component's self-inspection program distilled for the annual report to the Director of ISOO?
Answer: The OS&CI Security Policy Staff (SPS) tasks the ISAP Manager to distill the findings and provide them to SPS for inclusion in the annual report.

Self-Inspection Program Description here: Description included in italics under questions above.

PART 2. ASSESSMENT & SUMMARY:

ASSESSMENT: The assessment is an evaluation of the state of each element of your Component's classified national security information program based on an analysis of the findings of the self-inspection program. It should consider if the program element is being effectively implemented in accordance with the Order and Directive and DoD 5200.01-M. It should consider whether the findings indicate that the regulation or other policies or procedures may need to be updated, and it should take into account other program information such as the Standard Form 311, "Agency Security Classification Management Program Data." If a particular element does not apply to a component (e.g., original classification authority) the report should explain this.
• Original classification. Rating: Satisfactory
• Derivative classification. Rating: Document creation: Satisfactory. Training: Deficient due to cost
• Declassification. Rating: Satisfactory
• Safeguarding. Rating: Satisfactory
• Security violations. Rating: Satisfactory
• Security education and training. Rating: Satisfactory except for Derivative Classifier training, which is not required due to cost
• Management and oversight. Rating: Satisfactory

SUMMARY: The summary should report the findings from the self-inspection program within each of the program areas. This information should support the assessment.

• Original classification. Rating: Satisfactory
• Derivative classification. Rating: Document creation: Satisfactory. Training: Deficient due to cost
• Declassification. Rating: Satisfactory
• Safeguarding. Rating: Satisfactory
• Security violations. Rating: Satisfactory
• Security education and training. Rating: Satisfactory except for Derivative Classifier training, which is not required due to cost
• Management and oversight. Rating: Satisfactory

Assessment & Summary here: included in italics under headings above.

PART 3. FOCUS QUESTIONS:

FOCUS QUESTIONS: Answer the following focus questions.
(1) Training for original classification authorities. (This applies only to Components with original classification authority).
(1) Original classification authorities are required to receive training in proper classification and declassification each calendar year (5200.01-V?). What percentage of the original classification authorities at your Component has received this training?
(2) Have any waivers to this requirement been granted?
Answer: 100% of NRO OCAs have received training. No waivers have been granted.

FOCUS QUESTIONS: Answer the following focus questions.
(2) Training for persons who apply derivative classification markings.
(1) Persons who apply derivative classification markings are required to receive training in the proper application of the derivative classification principles of E.O. 13526 prior to derivatively classifying information and at least once every two years thereafter. What percentage of the derivative classifiers at your Component has received this training?
(2) Have waivers to this requirement been granted?
Answer: Percentage unknown. The DSS and CAPCO Derivative Classifier training is available through the NRO computer network; however, NRO has not made this training mandatory because of the cost of two hours of direct labor charged by each contractor. No waivers have been granted.

FOCUS QUESTIONS: Answer the following focus questions.
(3) Initial training.
(1) All cleared agency personnel are required to receive initial training on basic security policies, principles, practices, and criminal, civil, and administrative penalties. What percentage of these personnel at your Component has received this training?
Answer: 100% of new employees have received initial training.

FOCUS QUESTIONS: Answer the following focus questions.
(4) Refresher training.
(1) Components are required to provide annual refresher training to all employees who create, process, or handle classified information. What percentage of these employees at your Component has received this training?
Answer: 100% of employees have received refresher training.

FOCUS QUESTIONS: Answer the following focus questions.
(5) Identity of persons who apply derivative classification markings.
(1) Derivative classifiers must be identified by name and position, or by personal identifier on each classified document. What percentage of the documents sampled meet this requirement? (Also, indicate the number of documents reviewed for this requirement.)
Answer: NRO personnel are directed to use a personal identifier. 100% of documents have met this requirement. The number of documents reviewed is unknown.

FOCUS QUESTIONS: Answer the following focus questions.
(6) List of multiple sources.
(1) A list of sources must be included on or attached to each derivatively classified document that is classified based on more than one source document or classification guide. What percentage of the documents sampled meet this requirement? (Also, indicate the number of documents reviewed for this requirement.)
Answer: 100% of documents have met this requirement. The number of documents reviewed is unknown.

FOCUS QUESTIONS: Answer the following focus questions.
(7) Performance evaluations.
(1) The performance contract or other rating system of original classification authorities, security managers, and other personnel whose duties significantly involve the creation or handling of classified information must include a critical element to be evaluated relating to designation and management of classified information. What percentage of such personnel at your Component has this element in their performance contracts?
Answer: The NRO is comprised of government individuals from various agencies. Parent agencies set the rules for their performance contract or rating system. Based on the rules for each parent agency, approximately 40% have this element in their performance contract.

PART 4.
DISCREPANCIES: Specific information with regard to the findings of the annual review of the Component's original and derivative classification actions to include the volume of classified materials reviewed and the number and type of discrepancies identified. 1. "Discrepancies" are instances when the classification and/or marking requirements of the Order, Directive and Agency regulation are not met. Among these are: (1) Overclassification: information does not meet the standards for classification. (2) Overgraded/Undergraded: Information classified at a higher/lower level than appropriate. (3) Declassification: Improper or incomplete declassification instructions or no declassification instructions. (4) Duration: A shorter duration of classification would be appropriate. (5) Unauthorized classifier: A classification action taken by someone not authorized to do so. (6) "Classified By" line: A document does not identify the OCA or derivative classifier by name and position or by personal identifier. (7) "Reason" line: An originally classified document does not cite a reason from section 1.4 of the Order. (8) "Derived From" line: A document fails to cite, or cites improperly, the classification source. The line should include type of document, date of document, subject, and office/agency of origin. (9) Multiple sources: A document cites "Multiple Sources" as the basis for classification, but list of these sources is not included on or attached to the document. (l0)Marking: A document lacks overall classification markings or has improper overall classification markings. (I 1 ) Portion Marking: The document lacks required portion markings. (12) Instructions from a classification guide are not properly applied. For additional information on marking, consult the l)oDM 5200.01-V2. List identified program deficiencies here. 
Also list actions taken or planned to correct identified program deficiencies, marking discrepancies, or misclassification actions, and to deter their reoccurrence:

Answer: Improper application of portion marking. Individuals will receive additional training and review of their documents by security officers.

PART 5. BEST PRACTICES: List best practices that were identified during self inspections here:
- Comprehensive security database developed which reflects final adjudication and investigation of security incidents
- SCIF decertification process assembled consisting of:
  -- SCIF decertification checklist
  -- Sanitization steps for offices
  -- SCIF decertification roles and responsibilities
- The self-assessments, methodology, and supporting application are a model for other industry sites
- Comprehensive Open/Close procedures
- Plexiglas inspection window and inspection ports for checking penetration of perimeter by HVAC, wiring, etc.

DoD SELF INSPECTION PROGRAM REQUIREMENTS: This portion of the checklist meets specific requirements for a standard DoD Information Security Program based on the DoDM 5200.01-V1 thru V3. Please answer the following questions below.
[Checklist columns: NO. | ITEM | YES | NO | N/A]

PROGRAM MANAGEMENT (EO 13526 REQUIREMENTS)
1. Has the head of each activity in the Component appointed a security manager to manage and implement the activity's information security program which implements the provisions of DoDM 5200.01-M? (DoDM 5200.01-M, Vol 1, Encl 2, para 8.b & 9.a)
2. Does the Component Head develop and implement, through the security manager, security instructions necessary for program implementation? (DoDM 5200.01-M, Vol 1, Encl 2, para 9.d)
3. Are sufficient resources and personnel committed to implement the classified national security information security program? (DoDM 5200.01-M, Vol 1, Encl 2, para 6.d)
4. Are OCAs delegated classification authorities in writing? (DoDM 5200.01-M, Vol 1, Encl 4, para 5.c)
5. Has the security manager attended the required training? Note: Training and education shall be provided before, concurrent with, or not later than six months following appointment. (DoDM 5200.01-M, Vol 3, Encl 5, paras 4.a and 10)
6. Does the security manager conduct security inspections (self-inspections)? (DoDM 5200.01-M, Vol 1, Encl 2, para 7.d)
• Is the Component Head informed of the results of such inspections?
7. Does the security manager establish, implement and maintain an effective security education program as required by DoDM 5200.01-M, Volume 3, Enclosure 5, to include initial orientation and continuing/refresher training for assigned members? (DoDM 5200.01-M, Vol 1, Encl 2, para 7.g & 9.f; Vol 1, Encl 3, para 6.c; and Vol 3, Encl 5, para 7 & 8)
• Do security managers document all security-related training? (DoDM 5200.01-M, Vol 3, Encl 5, para 11)
8. Are procedures established to prevent unauthorized access to classified information? (DoDM 5200.01-M, Vol 1, Encl 2, para 7.e)
• Note: Examples include implementing visitor controls, restricting combinations to cleared members, establishing end-of-day security checks, etc.
9. Are emergency plans developed for the protection, removal, or destruction of classified material in case of fire, natural disaster, civil disturbance, or terrorist activities to minimize the risk of compromise? (DoDM 5200.01-M, Vol 1, Encl 2, para 9.d)
10. Are procedures established for ensuring that all persons handling classified material are properly cleared and have a need-to-know? (DoDM 5200.01-M, Vol 1, Encl 3, para 11.a)
11. Does the security manager maintain a continuity handbook?
ORIGINAL CLASSIFICATION (EO 13526 REQUIREMENTS)
12. Are Original Classification Authorities (OCAs) trained on the process and requirements for original classification (DoDM 5200.01-M, Vol 1, Encl 4, para 6), to include:
• Applicable standards and categories for classification? (DoDM 5200.01-M, Vol 1, Encl 4, para 1)
• Levels of classification and damage criteria associated with each one? (DoDM 5200.01-M, Vol 1, Encl 4, para 3)
• Avoidance of over-classification? (DoDM 5200.01-M, Vol 1, Encl 4, para 6.f)
• Classification prohibitions and limitations? (DoDM 5200.01-M, Vol 1, Encl 4, para 2)
• Required markings, including those for dissemination and handling? (DoDM 5200.01-M, Vol 1, Encl 4, para 6.h; Vol 2, Encls 3 & 4)
• Determination of declassification instructions? (DoDM 5200.01-M, Vol 1, Encl 4, para 13.a)
• Delegations of OCA responsibilities? (DoDM 5200.01-M, Vol 1, Encl 4, para 5 & 5.c)
• Classification challenges? (DoDM 5200.01-M, Vol 1, Encl 4, para 22)
13. Have OCAs prepared, as appropriate, classification guides to facilitate the proper and uniform derivative classification of information? (DoDM 5200.01, Vol 1, Encl 4, para 6.h; Vol 1, Encl 6, para 1)
14. Do the guides meet the requirements of section 2.2 of E.O. 13526 and section 2001.15 of title 32, Code of Federal Regulations (CFR)?

DERIVATIVE CLASSIFICATION (EO 13526 REQUIREMENTS)
15. Are persons who apply derivative classification markings trained on the process and requirements for derivative classification (DoDM 5200.01-M, Vol 1, Encl 4, para 11 & 12), to include:
• Identity of derivative classifier? (DoDM 5200.01-M, Vol 2, Encl 3, para 7 & 8.c.(1)(a))
• Use of source documents, including classification guides? (DoDM 5200.01-M, Vol 2, Encl 3, para 8.c.(1)(b), 8.c.(2) & 8.c.(3))
• Declassification instructions? (DoDM 5200.01-M, Vol 2, Encl 3, para 8.c.(1)(d), 8.c.(4)-(9) & 9)
• Proper application of markings? See Classification Markings/Document Review section below. (DoDM 5200.01-M, Vol 2, Encl 3 & 4)
• Classification challenges? (DoDM 5200.01-M, Vol 1, Encl 4, para 22)

CLASSIFICATION MARKINGS/DOCUMENT REVIEW (EO 13526 REQUIREMENTS)
16. Reviews of original and derivative classification actions shall be conducted in accordance with section 2001.60(c)(2) of title 32, CFR, and should evaluate the classification and marking of documents to include: (DoDM 5200.01-M, Vol 1, Encl 2, para 7.d)
• Have the standards of classification been met? (DoDM 5200.01, Vol 1, Encl 4, para 1 & 2)
• Could damage to the national security be reasonably expected in the event of unauthorized disclosure? (DoDM 5200.01, Vol 1, Encl 4, para 3)
• Have the requirements for original classification of Part 1 of E.O. 13526 or for derivative classification in Part 2 of E.O. 13526 been met?
• Have the required markings been applied in accordance with E.O. 13526 and Subpart C of title 32, CFR? (DoDM 5200.01-M, Vol 2, para 3)
• Overall classification level (DoDM 5200.01-M, Vol 2, Encl 3, para 5)
• "Reason for Classification" line (originally classified documents only) (DoDM 5200.01-M, Vol 2, Encl 3, para 3.b.(1)(b) & 3.b.(4))
• The Agency, Office of Origin, and Date (DoDM 5200.01-M, Vol 2, Encl 3, para 7)
• A "Derived From" line (DoDM 5200.01-M, Vol 2, Encl 3, para 8.c.(1)(b))
• A "Classified By" line (DoDM 5200.01-M, Vol 2, Encl 3, para 8.b.(1)(a) & 8.c.(1)(a))
• Identification of the sources of classification (DoDM 5200.01-M, Vol 2, Encl 3, para 8.c.(1)(b), 8.c.(2), & 8.c.(3))
• "Declassify On" line (DoDM 5200.01-M, Vol 2, Encl 3, para 8.c.(d))
• Downgrading instructions, if required (DoDM 5200.01-M, Vol 2, Encl 3, para 8.a.(4))
• Page and Portion Markings (DoDM 5200.01-M, Vol 2, Encl 3, para 5 & 6)
• Have any unauthorized or invalid markings been applied to documents?
17. Are Agency personnel who conduct reviews of the agency's original and derivative classification actions trained on the classification and marking requirements of E.O. 13526, part 2001 of title 32, CFR, and DoDM 5200.01; and do they have access to pertinent security classification guides?
18. Are "subjects" or "titles" of classified documents marked with the appropriate symbol (TS), (S), (C), or (U) following and to the left of the title or subject? (DoDM 5200.01-M, Vol 2, Encl 3, para 6.e.(2) & 14)
19. Is each section, part, paragraph, or similar portion of a classified document marked to show the highest level of classification of information it contains, or that it is unclassified? Portions of text shall be marked with the appropriate abbreviations (TS, S, C, or U). (DoDM 5200.01-M, Vol 2, Encl 3, para 6)
20. Are portions within documents containing Restricted Data and Formerly Restricted Data marked with the abbreviation "RD" or "FRD" (e.g. S//RD or TS//FRD)? (DoDM 5200.01-M, Vol 2, Encl 4, para 8.a & 8.b)
21. Are portions within documents containing foreign government or North Atlantic Treaty Organization (NATO) information marked with the foreign classification or NATO and the appropriate classification level (e.g. //GBR S or //NATO C)? (DoDM 5200.01-M, Vol 2, Encl 4, para 4)
22. Is the abbreviation "FOUO" used to designate unclassified portions that contain information that may be exempt from mandatory release to the public under the Freedom of Information Act (FOIA)? (DoDM 5200.01-M, Vol 2, Encl 4, para 10.b & Vol 4, Encl 3, para 2.c)
23. Are charts, graphs, photographs, illustrations, figures, and similar items within classified documents marked to show their classification? (DoDM 5200.01-M, Vol 2, Encl 3, para 6.a & 18)
24. Are the markings placed within the chart, graph, photograph, illustration, figure, etc. or next to the item? (DoDM 5200.01-M, Vol 2, Encl 3, para 6.e.(3) & 18)
25. Is the highest classification level placed on the top and bottom of each page containing classified information or marked "unclassified"? (This is called the "banner line".)
• Do the markings stand out from the balance of the information on the page (must be readily visible)? (DoDM 5200.01-M, Vol 2, Encl 3, para 5)
26. Are TRANSMITTAL documents properly marked to include either their highest classification or a notation "Unclassified when separated from classified enclosures"? (DoDM 5200.01-M, Vol 2, Encl 3, para 15)
27. For ELECTRONIC documents:
• Are e-mails, blog entries, bulletin board postings, and other electronic documents marked as finished documents, not working papers? (DoDM 5200.01-M, Vol 2, Encl 3, para 17.a.(2))
• Do e-mails include the appropriate banner line, portion markings, and classification authority block? Is the subject line portion mark the classification of the subject, not the overall classification of the e-mail? (DoDM 5200.01-M, Vol 2, Encl 3, para 17.b)
• Do classified URLs contain embedded portion marks? (DoDM 5200.01-M, Vol 2, Encl 3, para 17.d)
• Are briefing slides, including any speaker notes and hidden slides, marked as required for text documents? (DoD 5200.01-M, Vol 2, Encl 3, para 16)
• Are maps, charts, blueprints, photographs, and other special types of materials marked in the same fashion as for documents, to the extent feasible? (DoD 5200.01, Vol 2, Encl 3, para 18)
28. Are files, folders, and groups of documents clearly marked on the outside of the file or folder (attaching a classified document cover sheet to the front of the folder or holder will satisfy this requirement)? (DoDM 5200.01-M, Vol 2, Encl 2, para 4.a)
29. Are removable storage media (e.g. magnetic tape reels, disk packs, diskettes, CD-ROMs, removable hard disks, disk cartridges, tape cassettes, etc.) marked with the appropriate Standard Form label (SF 706/707/708/710)? (DoDM 5200.01-M, Vol 2, Encl 2, para 4.b)

DECLASSIFICATION (EO 13526 REQUIREMENTS)
30. Is there a records management system to facilitate public release of declassified documents?
31. Are procedures established for automatic, systematic, discretionary, and mandatory declassification review?

SAFEGUARDING AND STORAGE (EO 13526 REQUIREMENTS)
32. Is the program designed and maintained to optimize safeguarding of classified information?
33. Are there control measures to prevent unauthorized access to classified information?
34. Are personnel aware of procedures for identifying, reporting, and processing unauthorized disclosures of classified information?
35. Are there procedures to ensure that appropriate management action is
taken to correct identified problems?
36. Are there methods for transmitting classified information, preparing it correctly for mailing, and for hand carrying or escorting classified material?
37. Is classified information removed from storage kept under constant surveillance of authorized persons? (DoDM 5200.01-M, Vol 3, Encl 2, para 8)
38. Are cover sheets placed on all documents removed from storage? (DoDM 5200.01-M, Vol 3, Encl 2, para 8)
39. Are end-of-day security checks established for areas that process or store classified information to ensure the area is secure at the close of each working day? (DoDM 5200.01-M, Vol 3, Encl 2, para 9)
40. Is the SF 701, Activity Security Checklist, used to record end-of-day checks? (DoDM 5200.01-M, Vol 3, Encl 2, para 9)
41. Is the SF 702, Security Container Check Sheet, used to record the closing of each vault, secure room, or container used for storage of classified material? (DoDM 5200.01-M, Vol 3, Encl 2, para 9)
42. Is the SF 700, Security Container Information, properly completed and posted inside the LOCKING drawer of the security container, or inside the door of vault and similar facilities? (DoDM 5200.01-M, Vol 3, Encl 3, para 10)
43. Are storage containers (safes) that may have been used to store classified information inspected by properly cleared personnel before removal from protected areas or before unauthorized persons are allowed access to them? (DoDM 5200.01-M, Vol 3, Encl 3, para 13)
44. Are combinations to security containers changed at the required intervals? (DoDM 5200.01-M, Vol 3, Encl 3, para 11.b)
45. If written records of the combination are maintained, are they marked and protected at the highest classification of the material stored therein? (DoDM 5200.01-M, Vol 3, Encl 3, para 11.a)
• Is the combination stored in a security container other than the one for which it is being used?
46. Are entrances to secure rooms or areas under visual control at all times during duty hours to prevent unauthorized access, or equipped with electric, mechanical or electromechanical access control devices to limit access during duty hours? (DoDM 5200.01-M, Vol 3, Encl 3, para 12.a)
47. Does each vault or container bear an external marking for identification purposes? NOTE: The level of classification stored therein must NOT be marked on the outside of the container(s). (DoDM 5200.01-M, Vol 3, Encl 3, para 9)
48. Is Top Secret material stored only in a GSA approved security container (safe) having one of the following supplemental controls: (DoDM 5200.01-M, Vol 3, Encl 3, para 3.a)
• Guard or duty personnel cleared to the Secret level inspect the security container once every two hours
• An Intrusion Detection System (alarm system) meeting requirements of para 2 of the Appendix to Encl 3 of DoDM 5200.01-M, Vol 3
• Combination lock meeting Federal Specification FF-L-2740 (X0-7) with security-in-depth
49. Is Secret material stored in a GSA approved security container (safe) without supplemental controls or in the same manner as Top Secret? (NOTE: Approved containers will have a certification label on the container itself.) (DoDM 5200.01-M, Vol 3, Encl 3, para 3.b)
50. Is Confidential material stored in a GSA approved security container? (DoDM 5200.01-M, Vol 3, Encl 3, para 3.c)
51. Are security container repairs (e.g. drilled because of a forgotten combination) done in accordance with FED-STD 809? (DoDM 5200.01-M, Vol 3, Encl 3, para 14)
52. Is equipment (e.g. copiers, facsimile machines, AIS equipment and peripherals, electronic typewriters and word processing systems) used for processing classified information protected from unauthorized access? (DoDM 5200.01-M, Vol 3, Encl 2, para 14.a)
53. Do appropriately cleared and technically knowledgeable personnel inspect the equipment and media used for processing classified information before the equipment is removed from the protected areas? (DoDM 5200.01-M, Vol Encl 2, para 14.d)
54. Are GSA approved field safes and special purpose one and two drawer lightweight security containers securely fastened to the structure or under sufficient surveillance to prevent their theft? (DoDM 5200.01-M, Vol 3, Encl 3, para 6.a)

TELECOMMUNICATIONS, AUTOMATION INFORMATION SYSTEMS, AND NETWORK SECURITY (EO 13526 REQUIREMENTS)
55. Consistent with section 4.1(f) of E.O. 13526 and section 2001.50 of title 32, CFR, have uniform procedures been established to ensure that automated information systems that collect, create, communicate, compute, disseminate, process or store classified or controlled unclassified information are protected in accordance with applicable DoD policy issuances?
56. Have procedures been established and implemented to:
• Prevent access by unauthorized persons;
• Ensure the integrity of the information;
• To the maximum extent practicable, use: 1) common information technology standards, protocols, and interfaces that maximize the availability of, and access to, the information in a form and manner that facilitates its authorized use; and 2) standardized electronic formats to maximize the accessibility of information to persons who meet the criteria set forth in section 4.1(a) of E.O. 13526.
57. Have procedures been established to ensure that unclassified copiers connected to the Internet are not used for classified reproduction? (DoDM 5200.01-M, Vol 3, Encl 7, para 10)
• Are modems, telecommunications capabilities and network connections disabled on copiers approved for classified reproductions? (DoDM 5200.01-M, Vol 3, Encl 7, para 10)
• Are classified hard drives removed from classified reproduction equipment prior to maintenance? (DoDM 5200.01-M, Vol 3, Encl 7, para 10)
58. Are cameras and microphones disabled on all hardware used for classified processing, in classified spaces, or connected to networks in classified spaces? (DoDM 5200.01-M, Vol 3, Encl 7, para 10)

REPRODUCTION OF CLASSIFIED MATERIAL (EO 13526 REQUIREMENTS)
59. Are procedures established to oversee and control the reproduction of classified material? (DoDM 5200.01-M, Vol 3, Encl 2, para 5.b)
60. Are personnel, who reproduce classified, aware of the risks involved with the specific reproduction equipment and the appropriate countermeasures they are required to take? (DoDM 5200.01-M, Vol 3, Encl 2, para 5.b.(2))
61. Are waste products generated during reproduction properly protected and disposed of? (DoDM 5200.01-M, Vol 3, Encl 2, para 5.b.(6))
62. Is reproduction equipment specifically designated for the reproduction of classified material? (DoDM 5200.01-M, Vol 3, Encl 2, para 5.b.(7))
63. [Optional] Are RULES POSTED on or near the designated equipment authorized for the reproduction of classified? (DoDM 5200.01-M, Vol 3, Encl 2, para 15)
64. [Optional] Are NOTICES prohibiting reproduction of classified POSTED on equipment used only for the reproduction of unclassified material? (DoDM 5200.01-M, Vol 3, Encl 2, para 15)

DISPOSITION AND DESTRUCTION OF CLASSIFIED MATERIAL (EO 13526 REQUIREMENTS)
65. Has each activity with classified holdings set aside at least one "Clean-Out" day each year when specific attention and effort is focused on disposition of unneeded classified material? (DoDM 5200.01-M, Vol 3, Encl 3, para 17.b)
66. Is classified material properly destroyed by approved methods? (DoDM 5200.01-M, Vol 3, Encl 3, para 17 & 18)

TRANSMISSION AND TRANSPORTATION OF CLASSIFIED INFORMATION (EO 13526 REQUIREMENTS)
67. Whenever classified information is transmitted outside of the activity, is it enclosed in two opaque sealed envelopes or similar wrappings or containers durable enough to properly protect the material from accidental exposure and facilitate detection of tampering? (DoDM 5200.01-M, Vol 3, Encl 4, para 9)
• NOTE: When classified material is hand-carried outside an activity, a locked briefcase may serve as the outer wrapper.
68. Is the outer wrapper addressed to an official government activity or to a DoD contractor with a facility clearance and appropriate storage capability, with a complete return address of the sender? (DoDM 5200.01-M, Vol 3, Encl 4, para 9.a.(1))
69. Is the inner wrapper or container marked with the following information: sender's and receiving activity's address and highest classification level of the contents (including, where appropriate, any special markings)? (DoDM 5200.01-M, Vol 3, Encl 4, para 9.a.(2))
• NOTE: The inner envelope may have an "attention line" with a person's name.
70. Are procedures established to limit the hand carrying of classified information to only when other means of transmission or transportation cannot be used? (DoDM 5200.01-M, Vol 3, Encl 4, para 11.a)
71. Are hand-carrying officials briefed on, and have they acknowledged, their responsibilities for protecting classified information? (DoDM 5200.01-M, Vol 3, Encl 4, para 11.c)
72. Are courier officials provided a written statement authorizing such hand carrying transmission? (DoDM 5200.01-M, Vol 3, Encl 4, para 12)
• [Optional] Does the activity list all classified carried or escorted by traveling personnel? (DoDM 5200.01-M, Vol 3, Encl 4, para 11)
• [Optional] Does the activity keep this list until all material reaches the recipient's activity? (DoDM 5200.01-M, Vol 3, Encl 4, para 11)
73. When "Confidential" classified information is sent by U.S. Postal Service "First Class" mail between DoD Components within the United States, is the outer envelope or wrapper endorsed "POSTMASTER: RETURN SERVICE REQUESTED"? (DoDM 5200.01-M, Vol 3, Encl 4, para 5.d)
74. Do recipients of First Class mail bearing the "Postmaster" notice protect it as Confidential material?

SECURITY EDUCATION (EO 13526 REQUIREMENTS)
75. Has the Component Senior Agency Official established a Security Education program? (DoDM 5200.01-M, Vol 1, Encl 2, para 7.g)
76. Has the activity security manager implemented the security education and training program within the activity? (DoDM 5200.01, Vol 1, Encl 2, para 9.f)
77. Have all personnel been trained on policies for classification, safeguarding and declassification?
78. Do all personnel who perform derivative classification receive training every 2 years? (DoDM 5200.01-M, Vol 3, Encl 5, para 7.c)
79. All original classification authorities (OCA) must receive training in proper classification and declassification at least once a calendar year. (DoDM 5200.01-M, Vol 1, Encl 4, para 5.d and Vol 3, Encl 5, para 5)
80. Does this training program include an "Initial Orientation" for all assigned personnel who are cleared for access to classified information?
(DoDM 5200.01-M, Vol 3, Encl 5, para 3) Does this orientation include the: (DoDM 5200.01-M, Vol 3, Encl 5, para 3)
• Roles and responsibilities of assigned members and key personnel?
• Elements of safeguarding classified information?
• Elements of classifying and declassifying information?
81. Is additional training provided for members who: (DoDM 5200.01-M, Vol 3, Encl 5, para 4.b & c)
• Are members of deployable organizations, to provide enhanced security training to meet the needs of the operational environment?
• Will be traveling to foreign countries?
• Will be escorting, hand carrying, or serving as a courier for classified material?
• Will use automated information systems to store, process, or transmit classified?
• Will have access to information requiring special control or safeguarding measures?
• Will be using Foreign Government Information or work in coalition or bilateral environments?
• Submit information to OCAs for original classification decisions?
82. Is Refresher training provided at least annually to assigned members? (DoDM 5200.01-M, Vol 3, Encl 5, para 7.a)
83. Is Refresher training tailored to the mission needs, and does it address policies, principles and procedures covered in initial training? (DoDM 5200.01-M, Vol 3, Encl 5, para 7.a)
84. Does Refresher training address concerns identified during Component Self-Inspections? (DoDM 5200.01-M, Vol 3, Encl 5, para 7.a)
85. Are procedures established to ensure cleared employees who leave the organization or whose clearance is terminated receive a termination briefing? (DoDM 5200.01-M, Vol 3, Encl 5, para 9)
86. Are records maintained to show the names of members who participated in "Initial" and "Refresher" training? (DoDM 5200.01-M, Vol 3, Encl 5, para 11)
87. Do training programs for "Uncleared" members include: (DoDM 5200.01-M, Vol 3, Encl 5, para 3)
• The nature and importance of classified information?
• Actions to take if they discover classified information unprotected?
• The need to report suspected contact with a foreign intelligence collector?

SECURITY INCIDENTS AND VIOLATIONS TO INCLUDE COMPROMISES (EO 13526 REQUIREMENTS)
88. Are assigned members trained on their responsibilities to report security violations concerning classified information? (DoDM 5200.01-M, Vol 3, Encl 6, para 3.b)
89. Are there procedures to conduct an inquiry/investigation of a loss, possible compromise, or unauthorized disclosure of classified information? (DoDM 5200.01-M, Vol 3, Encl 6, para 6)
90. Are appropriate and prompt corrective actions taken when a violation or infraction occurs? (DoD 5200.01-M, Vol 3, Encl 6)
91. Are inquiries and/or investigations promptly conducted to ascertain the facts surrounding reported incidents? (DoDM 5200.01-M, Vol 3, Encl 6, para 6)
92. Are individuals who commit violations or infractions subject to appropriate sanctions? (DoDM 5200.01-M, Vol 1, Encl 3, para 17 and Vol 3, Encl 6, para 8.b & 14)

NRO Explanation of N/A Responses on 2012 Information Security Program Self-Inspection Checklist
(Item / Comment)
1. The DNRO appoints the DOS&CI as responsible for NRO security.
The DOS&CI appoints a Government Program Security Officer (GPSO) as the head of each Directorate or Office activity who implements the provisions of the NRO Security Program. For each contractor, an NRO Contractor Program Security Officer (NCPSO) is nominated by the contractor and approved by the DOS&CI. The NCPSO is a senior Contractor PSO responsible and accountable for the security oversight of all NRO program activities at their company or corporation.
2. All security instructions are signed by the DOS&CI.
5. Equivalent training is provided.
6. Security evaluations and self-inspections are centrally managed under the DOS&CI. The DOS&CI is informed of the results of such inspections.
7. Security-related training will be documented in the Personnel Security File or in a listing of all personnel who completed the training.
9. Yes, in areas where political instability, terrorism, host country attitude, or criminal activity suggests the possibility that a SCIF may be overrun by hostile forces.
11. If the security manager has a COOP mission, essential materials are in place at the alternate location.
12. The NRO cannot approve OCAs, so we cannot delegate OCA responsibilities.
16. The NRO does not use Downgrading markings.
21. NRO personnel do not have the authority to create NATO information.
28. Most SCIFs are open storage and do not require the use of cover sheets.
38. Most SCIFs are open storage and do not require the use of cover sheets.
40. SF 701 may be used, or locally designed forms may be used.
41. SF 702 may be used, or locally designed forms may be used.
45. Yes, at the SCI level, except for SAR where the holder does not have access to the SAR compartment nor the physical area housing the container.
Please note: The best way to view the report "Agency Annual Self-Inspection Program Data: FY 2013" (attached to this explanation) is in softcopy, because several of the expandable fields have text that is hidden when viewed in hardcopy. The full text of entries that exceed the viewable space of expandable fields is included below for ease of reading; however, only the softcopy form will be submitted to OUSD(I).

3. Enter the name, title, address, phone, fax, and e-mail address of the Senior Agency Official (SAO) (as defined in E.O. 13526, section 5.4(d)) responsible for this report.
Mr. Frank Calvelli, Principal Deputy Director, NRO
Room 14675 Lee Road, Chantilly, VA 20151
Phone: (b)(3) 10 USC 424; FAX: (b)(3) 10 USC 424; E-mail: (b)(3) 10 USC 424

13. What means and methods are employed in conducting self inspections? (For example: interviews, surveys, data calls, checklists, analysis, etc.)
NRO self-inspections are part of the NRO ISAP. Because of the size of the total NRO workforce, and because contractors make up the overwhelming number of Sensitive Compartmented Information Facilities (SCIFs), ISAP is a collaborative process between Government and industry to identify and address security vulnerabilities, provide data for analysis, and identify system security issues and trends. Site personnel conduct and document security self-assessments, per requirements stated in the NRO Security Manual (NSM), at least annually. The ISAP Manager or designee reviews the site assessments and enters a copy into an NRO database listing each NRO sponsored facility. Based on the self-assessments, the ISAP Manager, Program Security Officers (PSOs) and stakeholders discuss findings and formulate recommendations for a formal assessment, if required.
OS&CI stakeholders represent the major OS&CI directorates and program office security staffs, including, but not limited to, PSOs, 1 UNCLASSIFIED NRO APPROVED FOR RELEASE 28 August 2014 UNCLASSIFIED Physical/Technical Certification Officers and Security Certification Officers. Stakeholders develop and provide ISAP candidates to the ISAP Selection Board. Each ISAP recommendation shall contain detailed factors used to formulate the recommendation. Recommendation for site visits is then provided to the selection board. Sites are selected based on risk, proximity, resources, budgetary constraints, time since last assessment, and random sampling. A team composition is proposed for each site visit and a Lead PSO is selected. The Assessment Team will, at a minimum, consist of a Government PSO and an OS&Cl/Facilities and Information Security Division (F&ISD) representative. Additional team members will be added as needed based on site size, mission, facility risk, and subject areas being assessed. After the on-site assessment, an out-briefing is provided to site security staff and other site senior management identifying security program successes, observations, and any security "best practices" discovered during the formal assessment. The results are loaded into the facility database that contains information from all previous visits with any problem areas or "best practices" noted. A final report requiring corrective actions to be taken within 90 days of the date of the report is issued by the D/OS&CI. The assessed site is required to provide follow-up reports of corrective action to the responsible PSO and the ISAP Manager every 90 days until all corrective actions are complete. The responsible PSO monitors all mitigation actions. Reports of corrective action are loaded into the NRO facilities database for historical purposes. For the reporting period, 291 selfassessments were received and 10 formal team assessments were performed. 
No additional formal specific-issue reviews were conducted. There were an additional 742 visits by OS&CI stakeholders to contractor SCIFs. In addition, a data call was conducted with all PSOs and CMOs in NRO Headquarters to answer items 87 and 88. 20. Describe below how the agency identifies activities and offices whose documents are to be included in the sample of classification actions. (Indicate if NA.) Based on the 291 site self-assessments submitted, the ISAP Manager, Program Security Officers (PSOs) and stakeholders discuss findings and formulate recommendations for a formal 2 UNCLASSIFIED NRO APPROVED FOR RELEASE 28 August 2014 UNCLASSIFIED assessment, if required. OS&CI stakeholders represent the major OS&CI directorates and program office security staffs, including, but not limited to, PSOs, Physical/Technical Certification Officers and Security Certification Officers. Stakeholders develop and provide ISAP candidates to the ISAP Selection Board. Each ISAP recommendation shall contain detailed factors used to formulate the recommendation. Recommendation for site visits is then provided to the selection board. Sites are selected based on risk, proximity, resources, budgetary constraints, time since last assessment, and random sampling. A team composition is proposed for each site visit and a Lead PSO is selected. Additionally, several types of documents at NRO headquarters are reviewed annually by CMOs and PSOs for proper classification and marking. A data call was conducted with all PSOs and CMOs in NRO Headquarters to answer items 87 and 88. 22. How do you ensure that the materials reviewed provide a representative sample of the agency's classified information? (Indicate if NA.) Documents are selected for review in cooperation with site personnel who are familiar with the type of materials produced by the site. 
However, contractors are not required to count classified pages produced because of the additional costs that would be incurred by the NRO, so the documents reviewed may not be a representative sample. The data call conducted with NRO Headquarters PSOs and CMOs for item 87 and 88 represents all documents they reviewed during FY 2013. 31. How is the self-inspection program structured to assess individual agency activities and the agency as a whole? Contractor SCIF locations far outnumber government SCIF locations in the NRO. Government locations are relatively few in number and have professional government security officers assigned who can monitor safeguarding and classified information production and correct errors as they occur. We chose to concentrate on contractor facilities which are visited relatively infrequently. The conditions at contractor locations are not directly applicable to government locations. 3 UNCLASSIFIED NRO APPROVED FOR RELEASE 28 August 2014 UNCLASSIFIED 35. What is the format for documenting self-inspections in your agency? Self-assessments are documented using the self-assessment review tool in the NSM, Appendix B. For formal assessments, an outbriefing is provided to site security staff and other site senior management identifying security program successes, observations, and any security "best practices" discovered during the formal assessment. The results are then loaded into the facility database that contains information from all previous visits with any problem areas or "best practices" noted. A final report requiring corrective actions to be taken within 90 days of the date of report is issued by the D/OS&CI. The assessed site is required to provide follow-up reports of corrective action to the responsible PSO and the ISAP Manager every 90 days until all corrective actions are complete. The responsible PSO monitors all mitigation actions. 
Reports of corrective action are loaded into the NRO facilities database for historical purposes. 47. Safeguarding: Regular conduct of exercises provides vital feedback to the physical security program. Exercises identify areas for corrective measures, enhancements, validate current tactics, techniques and procedures (TTP) and the adoption/employment of new TTP to meet a dynamic threat environment. Regular inspections/audits are essential to ensuring status and validity of issued IC badges and conformity to physical security requirements. Risk assessments/physical security assessments provide a helpful "outside" perspective to site security offices. NRO government and contractor personnel work in SCIFs equipped with secure telephones, FAX, and teleconferencing equipment, badges and badge readers, guard forces in several locations, document shredders and other features to ensure compromises of classified information do not occur. While the insider threat is always a possibility, we take every precaution to prevent security incidents from occurring. The NRO applies uniform procedures established by the Intelligence Community Directive (ICD)-503 family of policy and guidance for Information Technology Systems Security Risk Management and Assessment and Authorization (A&A) activities. 4 UNCLASSIFIED NRO APPROVED FOR RELEASE 28 August 2014 UNCLASSIFIED 48. Security Violations: The ISAP program is the formal mechanism by which we corroborate self - inspections. Included in these formal reviews is an assessment of the respective security violation program and trends. In addition, each component Security team evaluates Security incidents and violations by tracking them according to general broad categories. During this past FY, the majority (63%) of incidents/violations were related to categories within personnel electronic devices in SCIFs. 
Other categories that have multiple occurrences indicating potential trends are data spills (9%) and inadvertent removal of classified information (12%). Personal cell phones and prohibited electronic devices are not allowed in SCIFs. While we have installed lockers outside SCIFs to secure cell phones, entry of prohibited electronic devices into SCIFs is still a problem. Visitor attendance to NRO conferences/facilities result in numerous cell phones being brought into the conference even by individuals with security duties who should know better. 49. Security Education and Training: 100% of personnel assigned to the NRO are required to complete an SCI indoctrination briefing to include signing a NonDisclosure Agreement. E.O. 13526 is called out specifically so that personnel fully understand their responsibilities and requirements to protect classified information. This message is repeated by the release of awareness videos and reminders throughout the year; to include presentations, written materials, and training. Specifically, OS&CI incorporates classification management questions within the Annual Security Refresher (ASR) web-based training (WBT). In 2014 ASR will include additional Derivative Classification questions. With as many contractors as the NRO employs, training can be a major expense. Every contractor and government employee with a secure computer account is required to take the Annual Security Refresher training otherwise they lose their computer connection. There are numerous additional courses and specialized security training available on-line even though sequestration has reduced training manpower overall to include elimination of the Information Management Branch which ran the OS&CI web site and security-specific applications. 5 UNCLASSIFIED NRO APPROVED FOR RELEASE 28 August 2014 UNCLASSIFIED 50. Management and Oversight: Government oversight of NRO-sponsored SCIFs is achieved in a multi-faceted manner. 
Program Security Officers, Physical/Technical, and Computer Security Officers review selfassessment results and participate in on-site reviews. Some program findings for FY 13 were identified in the following areas: • Standard Operating Procedures (SOPs) require more detail and more frequent revision to stay up-to-date with security requirements. • Foreign travel and contact reporting were not always accomplished using the mandated NRO Counterintelligence Network (CINet). • There are undocumented information systems within facilities. • Not all employees with AIS privileged user type access have been identified and tracked. • Facility alarm test records are not always maintained for the required time period. • Red/Black cabling is not labeled for identification. 54. Safeguarding: Awareness and education programs are vital to ensuring the workforce maintains awareness of security policy and procedures. Regular and aperiodic exercises, inspections, and audits provide crucial inputs that are indispensable to ensuring that the physical security program is current and effective. Key challenges are maintaining adequate funding to replace aging, malfunctioning, and obsolete security equipment and training and education for new personnel. The NRO has an organization-level process for the Assessment and Authorization (A&A) of Information Systems and a Directive 51-1, "Information Technology, Information Assurance, and Information Management Architecture and Strategy for Certification and Accreditation" to ensure automated information systems that collect, create, communicate, compute, disseminate, process or store classified information are protected in accordance with applicable national policy issuances. 6 UNCLASSIFIED NRO APPROVED FOR RELEASE 28 August 2014 UNCLASSIFIED 55. Security Violations: The NSM details the NRO process for reporting and investigating security incidents, infractions and violations. 
Appropriate and prompt corrective actions were taken to.mitigate the severity of the infraction/violation, and to sanction the offender via management, counterintelligence, and personnel security processes. Infractions and violations are centrally tracked in the Security Log (the NRO incident/violation database). This database is managed by the Program Security Officers in each directorate and office, and enables the PSO to automatically notify Counterintelligence Division and Personnel Security Division, via a system generated e-mail, of infractions/violations that require immediate CI and/or personnel security attention. The database also enables both OS&CI management as well as individual PSOs to track and analyze trends linked to the various categories of security infractions/violations. 56. Security Education and Training: OS&CI works closely with PSOs, Counterintelligence personnel, and the Integrated Self Assessment Program to determine any trends or specific areas that need an additional educational awareness campaign. Security communications are then targeted, utilizing large scale efforts, per a topic area and audience for best impact results. The NRO is adding additional classification management questions to the Annual Security Refresher to better satisfy the derivative classification training requirement. OCAs complete yearly training provided by NRO/OS&Cl/Policy Branch with direct knowledge of current CAPCO guidelines. 57. Management and Oversight: The NRO has a very mature Security management and oversight program. Over the past FY, much greater emphasis has been placed on ensuring all sites and facilities accomplished the self-assessments and submited the findings to the Government within the mandated time requirements. This improved management oversight has made an impact. 
Our self-inspection program coupled with security officer visits, and formal team 7 UNCLASSIFIED NRO APPROVED FOR RELEASE 28 August 2014 UNCLASSIFIED assessments provide managers a report card on the health of our security programs. When negative trends are identified, managers from across industry and the Government develop corrective action plans to reverse the trends and ensure security requirements are met. Impacts are being felt to overall security programs due to reductions in security resources. While security requirements are increasing, especially in the area of information systems management, resources are being reduced. Additionally, some sites assessed have made decisions not to fully comply with a security requirement because of resource constraints. 8 UNCLASSIFIED
$115 for responsive docs from FBI regarding FLIR equipment: https://www.muckrock.com/foi/united-states-of-america-10/flirwhere-18875/ "Any and all SKUs, Contracts, Invoices, Receipts, Billing Numbers, Agreements, PO Numbers, Billable Hours, Consulting Relationships, for any services or goods associated with FLIR Corporation (on web as flir.com), to include technologies such as "Thermal Security Cameras", "Visible-Light CCTV Cameras", "Lorex", "Airborne Systems", "Maritime Systems", "Land Systems", "Tactical Vision", and "Unmanned Systems". Please include processing notes in response to this request, even if denied in part; thank you!" might this be the first request with fees required? stay tuned for:
On 10/9/15, coderman <coderman@gmail.com> wrote:
$115 for responsive docs from FBI regarding FLIR equipment: https://www.muckrock.com/foi/united-states-of-america-10/flirwhere-18875/
sent $105 through MuckRock itself in response to fee request for PON info: ''' Any and all records, including cross-references and indirect mentions, including records outside the investigation main file pertaining to Passive Optical Network (PON) technical surveillance, including Fiber To The Premises (FTTP) and Fiber To The Home (FTTH) technologies as well as "Metro Ethernet" over Optical Fibre. PON types explicitly to include BPON, or broadband PON; GPON, or gigabit-capable PON; GPON, or gigabit-capable PON based on IEEE 802.3ah or IEEE 802.3av. Internal records and research projects are in scope of this request. This is explicitly to include a count of PON technical surveillance capable devices owned, leased, or otherwise in use by the Bureau. Requested search to include each of the following record stores and interfaces: the Central Records System (CRS), the Automated Case Support system ("ACS") Investigative Case Management system ("ICM"), the Automated Case Support system ("ACS") Electronic Case File ("ECF"), and the Automated Case Support system ("ACS") Universal Index ("UNI"). I also request a search of "ELSUR", the database containing electronic surveillance information, for any and all records or activities related to PON surveillance technology. Please include processing notes, even if request is denied in part. ''' https://www.muckrock.com/foi/united-states-of-america-10/ponpwn-20309/ still no acceptance of the prior record $115 for FLIR tech @FBI. the journey continues...
On October 12, 2015 8:39:00 PM coderman <coderman@gmail.com> wrote:
On 10/9/15, coderman <coderman@gmail.com> wrote:
$115 for responsive docs from FBI regarding FLIR equipment: https://www.muckrock.com/foi/united-states-of-america-10/flirwhere-18875/
sent $105 through MuckRock itself in response to fee request for PON info: ''' Any and all records, including cross-references and indirect mentions, including records outside the investigation main file pertaining to Passive Optical Network (PON) technical surveillance, including Fiber To The Premises (FTTP) and Fiber To The Home (FTTH) technologies as well as "Metro Ethernet" over Optical Fibre. PON types explicitly to include BPON, or broadband PON; GPON, or gigabit-capable PON; GPON, or gigabit-capable PON based on IEEE 802.3ah or IEEE 802.3av. Internal records and research projects are in scope of this request. This is explicitly to include a count of PON technical surveillance capable devices owned, leased, or otherwise in use by the Bureau. Requested search to include each of the following record stores and interfaces: the Central Records System (CRS), the Automated Case Support system ("ACS") Investigative Case Management system ("ICM"), the Automated Case Support system ("ACS") Electronic Case File ("ECF"), and the Automated Case Support system ("ACS") Universal Index ("UNI"). I also request a search of "ELSUR", the database containing electronic surveillance information, for any and all records or activities related to PON surveillance technology. Please include processing notes, even if request is denied in part. ''' https://www.muckrock.com/foi/united-states-of-america-10/ponpwn-20309/
still no acceptance of the prior record $115 for FLIR tech @FBI.
the journey continues...
Oh good job coderman, I'll be very interested to see how much of the PON info is redacted. It's such BS that they can charge that much to get digital copies of records that we've already paid for for with our taxes. -S
NSA sent a Glomar for merely a count of P25 radios: ''' Count of the number of P25 capable radio units or systems in use by, or owned, or leased, or otherwise utilized by the agency. This includes any of the Motorola ASTRO APX P25 portables, Vertex Standard P25 portables, ICOM P25 portables, RELM Wireless P25 portables, Motorola MOTOTRBO DMR radios, and Mobile P25 Radios. This includes any P25 Phase 1 and Phase 2 capable radios. Please include yearly break-down by radio model, if available. Please include processing notes for this request, even if denied in part. ''' https://www.muckrock.com/foi/united-states-of-america-10/p25count-20176/ NSA continues to exhibit oversight avoidance competence beyond most other agencies. :) best regards,
On Mon, Oct 12, 2015 at 11:38 PM, coderman <coderman@gmail.com> wrote:
Passive Optical Network (PON) technical surveillance, including Fiber
PONs are like DOCSIS systems... if the last mile is encrypted, a simple letter to the patriots at the headend gets you what you want. If not, a simple tap in the field will do... for which there's no reason for that laborious expense, see letter above.
well as "Metro Ethernet" over Optical Fibre.
Similarly open and insecure.
On 10/15/15, grarpamp <grarpamp@gmail.com> wrote:
... PONs are like DOCSIS systems... if the last mile is encrypted, a simple letter to the patriots at the headend gets you what you want. If not, a simple tap in the field will do... for which there's no reason for that laborious expense, see letter above.
field taps avoid due process :) https://peertech.org/files/docsis-mitm.jpg
well as "Metro Ethernet" over Optical Fibre.
Similarly open and insecure.
indeed. best regards,
new one per Twitter censorship drama: "Legal authorities, processes, procedures for National Security related activities to suppress, obscure, or remove social media content posted to Twitter.com as text, image, video, or links to any of same in a Tweet. This is explicitly to include responsive materials related to such activities against foreign individuals vs. US citizens as determined by Internet Protocol (IP) address of request (domestic vs. foreign IPv4 or IPv6) or by metadata associated with the Twitter account." https://www.muckrock.com/foi/united-states-of-america-10/tweetdevnull-21887/ to Department of Justice, National Security Division of the United States of America. best regards,
the NSA has one FOIA Reading Room, and it is located at: National Cryptologic Museum, 8290 Colony Seven Road, Annapolis Junction, MD 20701 https://www.muckrock.com/foi/united-states-of-america-10/freelyreadingrainbo...
the Department of Homeland Security operates 163 SCIFs with a total 400,000 sq. feet of work area. https://www.muckrock.com/foi/united-states-of-america-10/activeareadenied-21... (ignore the mis-chan :)
new queries regarding classification guides; seeking to collect the whole set! Count of the number of Classification Guides produced by Original Classification Authorities (OCAs) on behalf of the Attorney General within the DoJ per Executive Order 13526- Original Classification Authority. Please provide a count of classification guides in use by the Department for the years 2010 through 2015, inclusive, as available. Thank you! - https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22... Count of the number of Classification Guides produced by Original Classification Authorities (OCAs) on behalf of the Secretary of Homeland Security within the Department per Executive Order 13526- Original Classification Authority. Please provide a count of classification guides in use by the Department for the years 2010 through 2015, inclusive, as available. Thank you! - https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22... Count of the number of Classification Guides produced by Original Classification Authorities (OCAs) on behalf of the Director of the Central Intelligence Agency (CIA) per Executive Order 13526- Original Classification Authority. Please provide a count of classification guides in use by the Agency for the years 2010 through 2015, inclusive, as available. Thank you! - https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22... Count of the number of Classification Guides produced by Original Classification Authorities (OCAs) on behalf of the Secretary of State within the Department per Executive Order 13526- Original Classification Authority. Please provide a count of classification guides in use by the Department for the years 2010 through 2015, inclusive, as available. Thank you! - https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22... 
Count of the number of Classification Guides produced by Original Classification Authorities (OCAs) on behalf of the Secretary of Defense per Executive Order 13526- Original Classification Authority. Please provide a count of classification guides in use by the Department for the years 2010 through 2015, inclusive, as available. Thank you! - https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22... Count of the number of Classification Guides produced by Original Classification Authorities (OCAs) on behalf of the Executive Office of the President per Executive Order 13526- Original Classification Authority. Please include Classification Guides produced on behalf of The Assistant to the President and Chief of Staff, The Assistant to the President for National Security Affairs (National Security Advisor), The Assistant to the President for Homeland Security and Counterterrorism, The Director of National Drug Control Policy, The Director, Office of Science and Technology Policy, The Chair or Co-Chairs, President's Intelligence Advisory Board within scope of this request for count of all Classification Guides produced on behalf of the Executive Office of the President. Please provide a count of classification guides in use by the Department for the years 2010 through 2015, inclusive, as available. Thank you! - https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22... Count of the number of Classification Guides produced by Original Classification Authorities (OCAs) on behalf of the Secretary of Energy within the Department per Executive Order 13526- Original Classification Authority. Please provide a count of classification guides in use by the Department for the years 2010 through 2015, inclusive, as available. Thank you! - https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22... 
Count of the number of Classification Guides produced by Original Classification Authorities (OCAs) on behalf of the Director of National Intelligence within the Department per Executive Order 13526- Original Classification Authority. Please provide a count of classification guides in use by the Department for the years 2010 through 2015, inclusive, as available. Thank you! - https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22... best regards,
interesting response, first time ever a request has been deemed "less complicated" ! :) "We have a large backlog, our current administrative workload is 1,497 open requests. Included among these open cases are requests which are less complex than others, such as your request. " - https://www.muckrock.com/foi/united-states-of-america-10/brightzenith-21350/
DoD OIG tried to refuse my request through a creative interpretation. i have appealed: ''' I am fascinated and impressed by your interpretation of my request, such that "Your request does not seek access to records, but FOIA reading rooms.". Please let me be clear. I am not seeking access to FOIA reading rooms. I am not seeking activity records regarding FOIA reading rooms. In fact, the only information I am requesting is FOIA reading room metadata - E.g. their number, and their location. I hereby appeal this refusal to grant my request. Thank you! ''' - https://www.muckrock.com/foi/united-states-of-america-10/freelyreadingrainbo...
new request regarding declassified information: ''' A list of sites, repositories, indexes, or other responsive materials regarding linkage and effective utilization of existing agency databases of records that have been declassified and publicly released, as required to be maintained by the Director of the Information Security Oversight Office. Please also provide a list of agency heads providing this information to or on behalf of the Director of the Information Security Oversight Office as required by Executive Order 13292. Thank you! ''' - https://www.muckrock.com/foi/united-states-of-america-10/naradumps-22249/
DEA responded with the least useful docs first, https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-1871... and wants $240 for the rest. yet they closed the request to further thwart my ability to pay for it! :o ''' Any and all SKUs, Contracts, Invoices, Receipts, Billing Numbers, Agreements, PO Numbers, for any services or goods purchased from Boeing Corporation, including third party contract hours for training or related services, regarding hardware to include Digital Signal Processing (DSP) or Cell-site Simulators or Software Defined Radio (SDR) base-stations, or Stingray-like pen/trace-trap devices, or other radio surveillance technology, including technology formerly produced by Digital Receiver Technology, Inc., also known as DRT Systems, now part of Boeing, known to include the DRTBox, or DirtBox, or DirtBoxes surveillance gear. Please include antenna systems and cable hardware, as part of the radio systems to report on. '''
On 11/6/15, coderman <coderman@gmail.com> wrote:
DEA responded with the least useful docs first,
https://www.muckrock.com/foi/united-states-of-america-10/drtbeboeingbox-1871...
and wants $240 for the rest. yet they closed the request to further thwart my ability to pay for it! :o
so, ''' For the year 2014, either placed or completed, records including any and all SKUs, Contracts, Invoices, Receipts, Billing Numbers, Agreements, PO Numbers, for any hardware purchased from Boeing Corporation technology such as Cell-site Simulators or Software Defined Radio (SDR) base-stations, or Stingray-like pen/trace-trap devices, or other radio surveillance technology, including technology formerly produced by Digital Receiver Technology, Inc., also known as DRT Systems, now part of Boeing, known to include the DRTBox, or DirtBox, or DirtBoxes surveillance gear. Please EXCLUDE antenna systems, software upgrades, or other ancillary components of these primary systems - only primary technology items / invoices / technology of interest per this request. ''' - https://www.muckrock.com/foi/united-states-of-america-10/mindrtbeboeingbox-2... 2013 - https://www.muckrock.com/foi/united-states-of-america-10/mindrtbeboeingbox-2... 2012 - https://www.muckrock.com/foi/united-states-of-america-10/mindrtbeboeingbox-2...
new request: ''' This is a request under the Freedom of Information Act. I hereby request the following records: Mission statements, objectives, and staffing counts for each of the following Naval Research Laboratories in the Information Technology Division: • Freespace Communications Testbed • Mobile Robot Laboratory • Audio Laboratory • Mobile Network Modeling Laboratory • Integrated Communications Technology Test Laboratory • General Electronics Environmental Test Facility • Cognitive Radio Test Bed • Key Management Laboratory • Cryptographic Technology Laboratory • Navy Cyber Defense Research Laboratory • Wireless Security Laboratory • Navy Shipboard Communications Testbed • Virtual Reality Laboratory • Visual Analytics Laboratory • Immersive Simulation Laboratory • Warfighter Human-Systems Integration Laboratory • Motion Imagery Laboratory • Global Information Grid and Advanced Networking Facility • Large Data Research Laboratory • Affiliated Resource Center for High Performance Computing • Ruth H. Hooker Research Laboratory ''' - https://www.muckrock.com/foi/united-states-of-america-10/navystockedlabs-223...
On Tue, 10 Nov 2015 03:15:22 -0800 coderman <coderman@gmail.com> wrote:
new request: ''' This is a request under the Freedom of Information Act. I hereby request the following records:
So coderman, you've been doing this for months. What useful information have your masters graciously given you so far?
On 11/10/15, Juan <juan.g71@gmail.com> wrote:
... So coderman, you've been doing this for months. What useful information have your masters graciously given you so far?
the full retrospective at 1yr mark in January, however, useful aspects so far: - wide variety of requests and processing activity, which is useful for discerning aspects of FOIA processing at agencies of interest. - learned indicators of obfuscation or delay, which in turn is signal to dig deeper, aggressively appeal and follow up. - used specific requests as leverage to open up additional information. E.g. the laser specific "Count of Kingfish devices" which returned counts, while purchase orders and other details around Stingrays and cell site simulators in general get a Glomar. - other tidbits of varying interest. E.g. the multiple MuckRock articles making use of my responsive documents. [ all this in turn useful for sekrit $full_auto_FOIA project :] that answer your question?
On Tue, Nov 10, 2015 at 5:19 PM, coderman <coderman@gmail.com> wrote:
- learned indicators of obfuscation or delay, which in turn is signal
Metadata often more useful than data.... classic.
[ all this in turn useful for sekrit $full_auto_FOIA project :]
Tensor tentacles reaching out from bigdata to give warm fuzzies.
On Tue, 10 Nov 2015 14:19:49 -0800 coderman <coderman@gmail.com> wrote:
On 11/10/15, Juan <juan.g71@gmail.com> wrote:
... So coderman, you've been doing this for months. What useful information have your masters graciously given you so far?
the full retrospective at 1yr mark in January, however, useful aspects so far:
- wide variety of requests and processing activity, which is useful for discerning aspects of FOIA processing at agencies of interest.
f1 { so you got information regarding how the information-denying bureaucracy works? }
- learned indicators of obfuscation or delay, which in turn is signal to dig deeper, aggressively appeal and follow up.
f1 ()
- used specific requests as leverage to open up additional information. E.g. the laser specific "Count of Kingfish devices" which returned counts, while purchase orders and other details around Stingrays and cell site simulators in general get a Glomar.
I can't say if that is surprising or not surprising.
- other tidbits of varying interest. E.g. the multiple MuckRock articles making use of my responsive documents.
[ all this in turn useful for sekrit $full_auto_FOIA project :]
that answer your question?
Sort of. Thanks ;)
On 11/10/15, Juan <juan.g71@gmail.com> wrote:
...
- wide variety of requests and processing activity, which is useful for discerning aspects of FOIA processing at agencies of interest.
f1 { so you got information regarding how the information-denying bureaucracy works? }
exactly. for example, it used to be you could request "Processing Notes" for a request, and this metadata about processing the request was handed over as dry and useless. now they refuse all requests for processing notes, and you must always appeal. this is done because some of the proc notes showed how responsive documents were "overlooked" conveniently by special interpretation of the request. E.g. their bullshit got caught out :)
- learned indicators of obfuscation or delay, which in turn is signal to dig deeper, aggressively appeal and follow up.
f1 ()
this might be delays, making you wait for responsive documents until after "public interest" has waned. or your interest, for that matter. or it might be undercover feds in crown vics following you around ridiculously. or it gets bounced around a few FOIA people inside the agency to find the best way to provide the least information. or ... last but not least, i also learned it is near impossible to use MuckRock for personal Privacy Act requests about your person. still need to re-submit with legal counsel... best regards,
got a no responsive documents reply to this FOIA: https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22... wherein they stated, "There were no responsive records with a count of the classification guides" no kidding! you literal asshats :) thus follows: ''' First page (redacted if necessary) of each and every Classification Guide produced by Original Classification Authorities (OCAs) on behalf of the Secretary of Homeland Security within the Department per Executive Order 13526- Original Classification Authority. Please provide the first page of each responsive document for all years available. Note that a count of these is not necessary, as was requested in closed request DHS/OS/PRIV 2016-HQFO-00048. I will pipe a ls into wc to count them myself. Thank you! ''' - https://www.muckrock.com/foi/united-states-of-america-10/incrementbypage-223... best regards,
this reply from the NRO: https://www.muckrock.com/foi/united-states-of-america-10/eeeieeeohorder-2136... is probably the most informative read on classification process i've enjoyed in years!
new request: ''' A list of all "Experimental Radio Licenses" granted for the years 2010 through 2015, inclusive. Please include any "Special Conditions" with each identified license. Please include "Program Experimental Licenses" as well as "Conventional Experimental Licenses" when considering records responsive to this request. ''' - https://www.muckrock.com/foi/united-states-of-america-10/experimentalwavesra...
last one for this month: ''' Reports of deployment / use of the US Secret Service Presidential RF-countermeasures Suburban during escort of POTUS or any other active use. Maryland License Plate: 05567M6 as example vehicle in class "RF-countermeasures Suburban". Please include incident reports utilizing special RF countermeasure technologies in response to perceived or sensed threats. Please include records for years 2008 through 2015, inclusive. See also https://upload.wikimedia.org/wikipedia/commons/b/b4/President%27s_motorcade_... for additional information relevant to this request. ''' - https://www.muckrock.com/foi/united-states-of-america-10/radioactivitydenied...
Cecil D. Andrus, a Democrat, was elected governor of Idaho four times—in 1970, 1974, 1986, and 1990—and served as US Secretary of the Interior under President Carter. I have been involved in government at the state and federal level for a long time and have had my share of political and legal run-ins with government agencies, but rarely in more than 50 years in politics have I encountered a government agency more committed to secrecy—perhaps even deception—than the US Department of Energy. Most citizens of my state know that, since last January, former Republican Governor Phil Batt and I have been raising questions about a plan by the US Department of Energy to bring additional shipments of commercial spent nuclear fuel to the Idaho National Laboratory in eastern Idaho for “research.” http://thebulletin.org/holding-department-energy-accountable-idaho8807
On 10/19/15, grarpamp <grarpamp@gmail.com> wrote:
Cecil D. Andrus, a Democrat, was elected governor of Idaho four times—in 1970, 1974, 1986, and 1990—and served as US Secretary of the Interior under President Carter.
I have been involved in government at the state and federal level for a long time and have had my share of political and legal run-ins with government agencies, but rarely in more than 50 years in politics have I encountered a government agency more committed to secrecy—perhaps even deception—than the US Department of Energy.
yup; DoE full of guilty hands. still need to dig into Rocky Flats plant in Colorado, and the Plutonium catastrophe covered up ever since... best regards,
remember this one? the four carefully crafted retorts? On Sun, Sep 27, 2015 at 1:52 AM, coderman <coderman@gmail.com> wrote:
... less interesting reply, but a more interesting response on my part:
FBI claiming privacy interest to refuse ALL of my FOIA regarding the Sklyarov / Elcomsoft incident years back: https://www.muckrock.com/foi/united-states-of-america-10/freedmitry-21209/
this is my first attempt to argue compelling public interest against a privacy exemption, it is as follows;
Please recognize the public interest in this request for responsive records as follows:
First and foremost, extensive media attention during this period was generated due to the intersection of "hacking" and "reverse engineering" combined with the DMCA provisions deeming some technologies illegal at interest to the information technology industry as a whole. This reason alone is sufficient and compelling justification for transparency in a watershed case, however, I shall continue.
Second, this case involved not a US citizen, but a foreign national. As has recently been scoured in the technical press, Wassenaar with its incumbent BIS obligations has brought discussion of the risks foreigners face visiting the EU and US, in addition to US citizens abroad who now find themselves subject to severe technical controls due to their industry participation. I feel that surely this must provide beyond sufficient justification for public interest in documents responsive to this request, yet I shall continue to exhaust the relevant perspectives in my quiver of inquiry.
Thus thirdly, the conference venue, DEF CON security conference, itself of notoriety and high esteem in the technical community, was the operating domain for the closing moves of this investigation. The logistics and technical considerations for operating in this domain thus also compounds the public interest in the activity for which the records responsive to this request have been requested.
Fourthly, and there is a fourthly for sure, the activities undertaken by the agency were at risk of alienating a talent pool the Bureau has increasingly courted and pursued for their invaluable skills in digital forensic analysis, reverse engineering, and information security. Balancing actions before a critical group who also interacts frequently with the agency, and from whom the Bureau itself draws professional talent, amplifies the interest and relevance of this inquiry, and the need for unrestrained transparency when identifying documents responsive to this request.
Lastly and finally, yet not to diminish the inherent privacy rights afforded to all earth humans, inalienable, with justice for all, the privacy rights which this agency has cited in justification for limiting the documents responsive to this request, please note that the privacy exemptions provided by law are specific and limited to situations where there is a compelling personal privacy interest. The agency has not provided any compelling privacy interest on behalf of the fine Mr. Sklyarov, and his foreign status removes the common privacy concerns of an individual within a domestic community at issue in responsive documents. It is fully reasonable, per Department of Justice v. Reporters Committee for Freedom of the Press, that the FBI may provide documents detailing "what they were up to" in this investigation, without undue burden on the privacy rights of a foreign citizen briefly visiting to attend a public conference in the United States.
Please do recognize and acquiesce to the public interest so broadly in view.
it worked, flawlessly! see attached response with minimal redactions: https://www.muckrock.com/foi/united-states-of-america-10/freedmitry-21209/#c... best regards,
On Wednesday, 2 December 2015 17:21:21 coderman wrote:
remember this one? the four carefully crafted retorts? (...) it worked, flawlessly!
Congratulations! :) -- Regards, Michał "rysiek" Woźniak I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
a most recent Glomar:
"Disclosure timeline and decision making rationale for disclosure of vulnerability MS14-066 / CVE-2014-6321 - "Vulnerability in Schannel Could Allow Remote Code Execution (2992611)" to Microsoft Corporation as part of the Vulnerabilities Equities Process. Please include timeline for initial discovery with source of discovery, first operational use, and finally, date for vendor notification." - https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustage...
"The request has been rejected, with the agency stating that it can neither confirm nor deny the existence of the requested documents." - https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustage...
i will discover how they stole this vuln... one day! best regards,
On 12/9/15, coderman <coderman@gmail.com> wrote:
a most recent Glomar:
"Disclosure timeline and decision making rationale for disclosure of vulnerability MS14-066 / CVE-2014-6321 - "Vulnerability in Schannel Could Allow Remote Code Execution (2992611)" to Microsoft Corporation as part of the Vulnerabilities Equities Process. Please include timeline for initial discovery with source of discovery, first operational use, and finally, date for vendor notification." - https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustage...
"The request has been rejected, with the agency stating that it can neither confirm nor deny the existence of the requested documents." - https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustage...
reply(appeal): ''' I reject and demand appeal of your rejection of this request.
First and foremost, please recognize that the GSF Explorer, formerly USNS Hughes Glomar Explorer (T-AG-193), for which this Glomar response is so named, was a purely military operation, using custom-built military equipment, on an exceptionally sensitive military mission to recover military equipment. Observe that the "Vulnerabilities Equities Process" is a public outreach activity communicating with third party partners, acting in the public interest regarding software used by public citizens and business alike - a scenario at opposite ends and means from which this denial blindly overreaches.
Second, observe that existing precedent supports the release of materials responsive to this request. In American Civil Liberties Union v. Department of Defense Case No: 04-CV-4151 (ACLU v. DoD) the courts have affirmed the public interest as compelling argument for favoring the public interest against clearly military efforts. The Glomar denial should be well targeted; this target falls well outside of the "Vulnerabilities Equities Process", which is a public outreach activity communicating with third party partners, acting in the public interest, regarding software used by public citizens and business alike.
Third, consider that it is a well established technique in the information security industry to identify the origin and nature of a defect discovery and disclosure timeline. This information is used for a myriad of secondary research, analysis, and automation efforts spanning numerous industries. The utility of disclosure timeline information and context has decades of rich support and strong evidence of public interest benefit, particularly regarding long reported and fixed defects, such as this one, which has patches available for over a year.
Fourth, observe that every hour of expert opinion coupled with legal review amounts to a non-trivial expenditure of hours which are a sunk, throw-away cost of FOIA communication. While as a taxpayer I appreciate the service of FOIA professionals such as those involved in this request, who provide tireless effort for all hundreds of millions of US citizens, my personal cost should be recognized. For this reason a deference in favor of public interest and disclosure is well supported for this request regarding the "Vulnerabilities Equities Process", which is a public outreach activity communicating with third party partners, acting in the public interest, regarding software used by public citizens and business alike.
Thank you for your time, and best regards, ''' - https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustage...
https://en.wikipedia.org/wiki/Inslaw#Inslaw_Affair_divides_into_two_separate...
Clearly you should make a request for the source code for the Promis software as used by the FBI. It's public domain.
On Thu, Dec 10, 2015 at 3:54 AM, coderman <coderman@gmail.com> wrote:
On 12/9/15, coderman <coderman@gmail.com> wrote:
Make sure you ask for it in computer-readable format. Otherwise, some joker might send it to you on paper. Jim Bell
From: Ryan Carboni <ryacko@gmail.com> To: cryptome@freelists.org Cc: cpunks <cypherpunks@cpunks.org> Sent: Thursday, December 24, 2015 2:41 PM Subject: Re: [cryptome] Re: FOIPA adventures
https://en.wikipedia.org/wiki/Inslaw#Inslaw_Affair_divides_into_two_separate...
Clearly you should make a request for the source code for the Promis software as used by the FBI. It's public domain.
On Thu, Dec 10, 2015 at 3:54 AM, coderman <coderman@gmail.com> wrote: On 12/9/15, coderman <coderman@gmail.com> wrote:
Let me know if you do, I've spent a lotta time with the case. For instance, not many people know there are several versions of the software that might be FOIA-able from different agencies. Sent from my iPhone
On Dec 24, 2015, at 5:41 PM, Ryan Carboni <ryacko@gmail.com> wrote:
https://en.wikipedia.org/wiki/Inslaw#Inslaw_Affair_divides_into_two_separate...
Clearly you should make a request for the source code for the Promis software as used by the FBI. It's public domain.
On Thu, Dec 10, 2015 at 3:54 AM, coderman <coderman@gmail.com> wrote: On 12/9/15, coderman <coderman@gmail.com> wrote:
new requests, ''' The number (quantity) of documents, guidelines, instructions, manuals, process documents or related materials regarding activities authorized by Executive Order 12,333. See http://www.archives.gov/federal-register/codification/executive-order/12333..... If activities are performed under multiple authorities, including E.O. 12333 and Section 215 of the Patriot Act, or Section 702 of the Foreign Intelligence Surveillance Act Amendments Act (FAA), please consider them in scope of this request for count of E.O. 12.333 materials. Please note that the documents themselves are not requested - merely the existence / revision count of unique responsive documents. If the count of responsive documents is cumbersome to provide, the first page of each responsive document, redacted as necessary, is requested instead. This allows equivalent count via ls piped to wc -l. Thank you! '''
to FBI: https://www.muckrock.com/foi/united-states-of-america-10/12threethreethree-2...
to DoJ : NatSec Div.: https://www.muckrock.com/foi/united-states-of-america-10/12threethreethree-2...
to NSA: https://www.muckrock.com/foi/united-states-of-america-10/12threethreethree-2...
best regards,
even more requests! ''' The URL or URI or PATH of each source code repository operated, archived, used by, or accessed on behalf-of the Bureau. This is to include source code repositories in the RCCS, CVS, Subversion (Svn), Git, Mercurial (Hg), Bazaar (Bzr), Darcs, BitKeeper, ClearCase, or any other source code control system. Please provide current revision count and rough-level storage amount consumed for each responsive repository above, as available. '''
to FBI: https://www.muckrock.com/foi/united-states-of-america-10/codeylala-23080/
to NSA: https://www.muckrock.com/foi/united-states-of-america-10/codeylala-23081/
to DHS: https://www.muckrock.com/foi/united-states-of-america-10/codeylala-23082/
:P
end of 2015 requests!! :) ''' Requests, orders, configuration requirements, technical manuals and any other responsive materials regarding "lawful intercept" of cellular communications, specifically LTE, CDMA, or GSM communications, requesting specific service levels during intercept, including "baud rate match" terminology, "channel rate match", "CBR-channel", "Fixed-bandwidth channel", and "Constant rate channel" terms indicating override of default network operator capacity provisioning during content collection. Specific requested rates or channel capacities include "0.5G", "1/2G", "half-G", "1.5G", "GPRS", "1xRTT", or "SMS-Only" service capacities. Records requested under any authority in scope of this request - focus is on technology rather than statutory authorization enabling collection. '''
to DoJ: https://www.muckrock.com/foi/united-states-of-america-10/degradedowngradedua...
to FBI: https://www.muckrock.com/foi/united-states-of-america-10/degradedowngradedua...
until next year, FOIA fans :) and best regards,
On 12/28/15, coderman <coderman@gmail.com> wrote:
end of 2015 requests!! :)
this makes 254 requests for my first MuckRock year. another data point, FOIA is a slow burn: 117 requests were updated in December alone! - https://www.muckrock.com/foi/mylist/?page=1&per_page=100&sort=date_updated&order=desc longer write up requires code, of course, till then!
interesting rejection technique on this one: first, reply with status of "Request received and being processed" one month after submission. Aha! inside is a Glomar rejection. . . . wait FIVE MONTHS . . 'This email pertains to the automated status of case FOIA 81798. Our records indicate that a final response was mailed to you on 14 August 2015 and the case was then closed. We have no further updates or information to provide you concerning this case.' nice trick, NSA! - https://www.muckrock.com/foi/united-states-of-america-10/backhack-19811/#com...
best regards, and believe me, i will discover FOIA satisfaction for
Any and all records, reports, tasking, mitigations, redesigns, post-mortems, and any other responsive materials related to compromise of "Tor" and/or "Tor Browser Bundle" and/or "Tor Vidalia Bundle" leading to breach of NSANet, JWICS, SIPRNet, and also including joint activities with access to FBINet and SCION where compromise of Tor resulted in attacker attaining access to, or potentially gaining access to these networks. Note that Tor may be incorrectly capitalized as "TOR"; please do a case insensitive search. Specific date of compromise is between July 30th 2007 and Aug. 2nd 2007; date provided to aid search efforts. CVE assigned to vulnerability is CVE-2007-4174 and provided to aid search efforts. Subject announcing vulnerability is "Tor security advisory: cross-protocol http form attack" and provided to aid search efforts. Please include results spanning the Cryptologic Services Groups, the National Security Operations Center (NSOC), the Information Assurance Directorate, the Research Associate Directorate, the Signals Intelligence Directorate, the Technology Directorate, the NSA/CSS Threat Operations Center (NTOC), and the Office of the Director, including Staff.
Search of Covert Network Access technologies employed by Special Intelligence (SI) programs contained within compartmented access constraints is specifically requested, including QUANTUMTHEORY and related covert programs requiring covert Internet access. Please provide processing notes for this request, even if denied in part.
yes, yes i will...
Twitter: @JasonLeopold https://twitter.com/JasonLeopold/status/684199158182494214
FBI just sent me its file on Hugo Chavez, which consists of 739 blank pgs, in response to my 2013 #FOIA. Everything w/h & referred to OGA
w/h, withheld. OGA, 'Other Government Agency' is a euphemism for the Central Intelligence Agency. Need another laugh?
"Associated Press reporter Matt Lee laughs at a US State Department Spokesperson’s contention the U.S. is NOT involved in the recent Venezuelan coup attempt"
http://auntieimperial.tumblr.com/post/113693156429 That smile on Lee's face, as he 'cracks' and says:
“I’m sorry. Whoah, whoah, whoah. The US has a long-standing practice of not promoting ... [coups] – how long-standing would you say?”
...is priceless: RR
usually there is no confirmation regarding active investigations in FOIA replies. unlike this one! :) [[ see attached. ]] "In short, this is a very open and very active criminal investigation and we absolutely cannot release anything, particularly [[ ...REDACTED... ]] and we cannot assist [REDACTED] by releasing anything at this time." - https://www.muckrock.com/foi/united-states-of-america-10/speedyexemptnotes-2... the reason original request was speedily rejected is two fold: 1. a prior request for similar information was made by someone in 2014. 2. in 2015, as in 2014, there was an ongoing investigation regarding the incident. the incident in question resulted from this FOIA request: ''' Reports, analysis, advisories, investigative materials and other responsive documents associated with the attack on PG&E Corporation's Metcalf Transmission Substation located outside of San Jose, California on April 16, 2013. Please include guidance issued to other critical power distribution operators as result of this incident. Please include processing notes for this request, even if denied in part. Thank you! ''' - https://www.muckrock.com/foi/united-states-of-america-10/parastoowho-21164/ now to find out who that first request was from... :P best regards,
first FOIA of the New Year! ''' To Whom It May Concern: This is a request under the Freedom of Information Act. I hereby request the following records: Records associated with the suppression, coordination, or appraisal via third parties of vulnerabilities in Dual_EC and ANSI X9.31 in ScreenOS or Juniper OS, developed by Juniper Corporation in California, and reported to the Bureau as part of the Vulnerabilities Equities Process, or as part of National Security investigations facilitated by the Data Intercept Technology Unit within the Bureau (DITU). Passive decrypt enabling of Juniper ScreenOS may also be referred to as "VPN Decryption (CVE-2015-7756) in ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20". Time frame of responsive records search is during or after 2005, and before 2016. Specific identifying terms for search include changed values for X coordinates for Dual EC curve point Q of: 9585320EEAF81044F20D55030A035B11BECE81C785E6C933E4A8A131F6578107, 2c55e5e45edf713dc43475effe8813a60326a64d9ba3d2e39cb639b0f3b0ad10, or c97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192. Note that proper matching of these cryptographic curve point values may require marshaling to a packed binary representation. A search of primary record repositories as well as cross-references to these data stores is explicitly requested. Cross reference search is demanded for proper scope of responsive materials. Please include timeline for initial discovery with source of discovery, first operational use, and finally, date for vendor notification, if applicable. Please provide emails, memorandums of understanding, agreements, or legal orders directed to Juniper Corporation relevant to this request, if applicable. 
Please also review records associated with activities authorized by Executive Order 12,333, or Section 215 of the Patriot Act, or Section 702 of the Foreign Intelligence Surveillance Act Amendments Act (FAA), or any other applicable authority while processing this request. Records related to coordination with partner agencies, including NSA, and especially programs including MARINA, TRAFFICTHIEF, PINWHALE, BULLRUN, AMBULANT, APERIODIC, AUNTIE, ABEYANT, DICHOTOMY, DILEMMA, FIRSTDOWN, FORBIDDEN, FORBORNE, PAWLEYS, TAREX, PENDLETON, PAINTEDEAGLE, PAWNSHOP, PERKYAUTUMN, PICAROON, PICARESQUE, PIEDMONT, PITCHFORD, PLACEBO, POMPANO, or PRESSURETWIN for explicit search of responsive materials. Note that some of these ECI Coverterms may be germane to NSA or CIA elements only; explicit resolution into current terms, if necessary, is requested. See https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html for additional context regarding bulk decryption activities relevant to records sought in this request. Thank you! ''' - https://www.muckrock.com/foi/united-states-of-america-10/prunedkipperos-2333... :P best regards,
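The request's note that matching the curve point values "may require marshaling to a packed binary representation" is the practical problem anyone checking a record store or a firmware image for them runs into: the same 32-byte coordinate may be written as ASCII hex in upper or lower case, or stored as raw bytes. The scanner below is an added example, not code from the list or from any FOIA filing; it searches a byte blob for the three Q x-coordinates exactly as quoted in the request, in the ASCII form (either case) and in the packed form. The sample blob, the reversed-byte-order check and the function names are my own constructions; the page does not say which of the three values is which, and the scanner does not need to know.

```python
"""Scan a blob for the Dual EC curve point Q x-coordinates quoted in the
FOIA request above, in both ASCII hex and packed 32-byte binary form."""
import re

# The three x-coordinate values exactly as quoted in the request.
QX_VALUES_HEX = (
    "9585320EEAF81044F20D55030A035B11BECE81C785E6C933E4A8A131F6578107",
    "2c55e5e45edf713dc43475effe8813a60326a64d9ba3d2e39cb639b0f3b0ad10",
    "c97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192",
)


def byte_forms(hexstr):
    """Packed forms of a 64-hex-digit coordinate: big-endian (the usual
    P-256 wire/storage order) and, as a heuristic of my own, the reversed
    byte order some firmware uses for its limbs."""
    be = bytes.fromhex(hexstr)
    assert len(be) == 32, "a P-256 coordinate packs to exactly 32 bytes"
    return {"binary": be, "binary_reversed": be[::-1]}


def _find_all(blob, needle):
    """Yield every offset of needle in blob, overlapping matches included."""
    start = 0
    while True:
        i = blob.find(needle, start)
        if i < 0:
            return
        yield i
        start = i + 1


def find_qx(blob):
    """Return a list of (value, encoding, offset) hits, sorted by offset.
    A value that differs in even one hex digit is not a hit."""
    hits = []
    for qx in QX_VALUES_HEX:
        norm = qx.lower()
        # ASCII spelling, case-insensitive: a 64-char contiguous run.
        pattern = re.compile(re.escape(norm.encode("ascii")), re.IGNORECASE)
        for m in pattern.finditer(blob):
            hits.append((norm, "hex", m.start()))
        # Packed forms.
        for encoding, raw in byte_forms(norm).items():
            for i in _find_all(blob, raw):
                hits.append((norm, encoding, i))
    return sorted(hits, key=lambda h: h[2])


def build_sample_blob():
    """Constructed sample input (not real firmware or records): filler, the
    first value as upper-case ASCII hex, a near-miss whose last digit
    differs (the kind of altered value quoted in the reply), and the third
    value as packed big-endian bytes."""
    near_miss = "9585320EEAF81044F20D55030A035B11BECE81C785E6C933E4A8A131F6578109"
    return (
        b"config{ filler }"                       # 16 bytes of filler
        + QX_VALUES_HEX[0].encode("ascii")        # ASCII hex at offset 16
        + b"\x00" * 8
        + near_miss.encode("ascii")               # altered value: no hit
        + b"\x00" * 8
        + bytes.fromhex(QX_VALUES_HEX[2])         # packed bytes at offset 160
        + b"trailer"
    )


if __name__ == "__main__":
    for value, encoding, offset in find_qx(build_sample_blob()):
        print(f"{encoding:16} @ {offset:6}  {value}")
```

Run against real input, read the file with `open(path, "rb").read()` and pass the bytes to `find_qx`; the near-miss in the sample blob shows why a substring or prefix match would be the wrong tool here, since one changed digit is the whole point of the request.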
9585320EEAF81044F20D55030A035B11BECE81C785E6C933E4A8A131F6578107, 2c55e5e45edf713dc43475effe8813a60326a64d9ba3d2e39cb639b0f3b0ad10, or c97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192 but not
9585320EEAF81044F20D55030A035B11BECE81C785E6C933E4A8A131F6578109, 2c55e5e45edf713dc43475effe8813a60326a64d9ba3d2e39cb639b0f3b0ac10, or c97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852017192 ...
....... Giving away state secrets in FOIA requests... They HAVE a 'jacket' with yo' name on it... -- RR "You might want to ask an expert about that - I just fiddled around with mine until it worked..." coderman wrote:
first FOIA of the New Year! ''' To Whom It May Concern:
This is a request under the Freedom of Information Act. I hereby request the following records:
Records associated with the suppression, coordination, or appraisal via third parties of vulnerabilities in Dual_EC and ANSI X9.31 in ScreenOS or Juniper OS, developed by Juniper Corporation in California, and reported to the Bureau as part of the Vulnerabilities Equities Process, or as part of National Security investigations facilitated by the Data Intercept Technology Unit within the Bureau (DITU). Passive decrypt enabling of Juniper ScreenOS may also be referred to as "VPN Decryption (CVE-2015-7756) in ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20". Time frame of responsive records search is during or after 2005, and before 2016. Specific identifying terms for search include changed values for X coordinates for Dual EC curve point Q of: 9585320EEAF81044F20D55030A035B11BECE81C785E6C933E4A8A131F6578107, 2c55e5e45edf713dc43475effe8813a60326a64d9ba3d2e39cb639b0f3b0ad10, or c97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192. Note that proper matching of these cryptographic curve point values may require marshaling to a packed binary representation. A search of primary record repositories as well as cross-references to these data stores is explicitly requested. Cross reference search is demanded for proper scope of responsive materials. Please include timeline for initial discovery with source of discovery, first operational use, and finally, date for vendor notification, if applicable. Please provide emails, memorandums of understanding, agreements, or legal orders directed to Juniper Corporation relevant to this request, if applicable. Please also review records associated with activities authorized by Executive Order 12,333, or Section 215 of the Patriot Act, or Section 702 of the Foreign Intelligence Surveillance Act Amendments Act (FAA), or any other applicable authority while processing this request. 
Records related to coordination with partner agencies, including NSA, and especially programs including MARINA, TRAFFICTHIEF, PINWHALE, BULLRUN, AMBULANT, APERIODIC, AUNTIE, ABEYANT, DICHOTOMY, DILEMMA, FIRSTDOWN, FORBIDDEN, FORBORNE, PAWLEYS, TAREX, PENDLETON, PAINTEDEAGLE, PAWNSHOP, PERKYAUTUMN, PICAROON, PICARESQUE, PIEDMONT, PITCHFORD, PLACEBO, POMPANO, or PRESSURETWIN for explicit search of responsive materials. Note that some of these ECI Coverterms may be germane to NSA or CIA elements only; explicit resolution into current terms, if necessary, is requested. See https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html for additional context regarding bulk decryption activities relevant to records sought in this request. Thank you! ''' - https://www.muckrock.com/foi/united-states-of-america-10/prunedkipperos-2333...
:P
best regards,
On January 8, 2016 10:39:08 PM coderman <coderman@gmail.com> wrote:
first FOIA of the New Year!
Thank you for continuing to seek the truth despite their shitty attempts to dissuade you! This is an especially good one.
MARINA, TRAFFICTHIEF, PINWHALE, BULLRUN, AMBULANT, APERIODIC, AUNTIE, ABEYANT, DICHOTOMY, DILEMMA, FIRSTDOWN, FORBIDDEN, FORBORNE, PAWLEYS, TAREX, PENDLETON, PAINTEDEAGLE, PAWNSHOP, PERKYAUTUMN, PICAROON, PICARESQUE, PIEDMONT, PITCHFORD, PLACEBO, POMPANO, or PRESSURETWIN
I feel like I'm looking at paint chip colors in Kafka's Home Despot :p -S
On 1/9/16, Shelley <shelley@misanthropia.org> wrote:
... Thank you for continuing to seek the truth despite their shitty attempts to dissuade you!
one day they'll figure out this only steels my resolve ;)
This is an especially good one.
after a year of practice, i am only beginning to feel not-incompetent at formulating useful requests. deceptively difficult; akin to reverse engineering, perhaps... FOIA suggestions welcome! best regards,
ramping up FOIA in the year new, a new favorite! ''' Records associated with the investigation of leaked sensitive US intelligence products identified in email communication between Hillary Clinton and Sid Blumenthal - email account name "sbwhoeop", on June 8th, 2011. The previously sensitive information subject to this request involves the clandestine planning within Sudan’s government to seize control of oil assets in Abyei. Records within the Counterintelligence Unit of the Operations Section within the National Security Division's (NSD) Office of Intelligence at the Department are specifically requested, including cross-references or related training materials, procedures, or guidelines used during evaluation of the incident described. Records involving joint activities with other agencies, including the National Security Agency (NSA) or the Central Intelligence Agency (CIA), are specifically requested, considering the role of the Counterintelligence Unit in excluding intelligence partners, foreign and domestic, from suspicion during course of investigation. Origin of sensitive material is presumed to be an exceptionally controlled program involving sensitive HUMINT and SIGINT resources in the country of Sudan or providing communications services to them. Obscuring information identifying the origin of intelligence is appropriate; this request does not seek such information. However, a search within record stores requiring special access controls is expected. Please be considerate in recognizing that while the operations and results of Counterintelligence Unit activities may be exempt from disclosure, the existence of documents may not be. Nor may procedures and policies of wider public interest related to the context of this request be denied by Glomar without sufficient basis. Note also the passage of time since the event occurred, further diminishing any claims of continuing sensitivity. 
Last but not least, please keep in mind the spirit and letter of the Law called Freedom of Information Act while servicing this request. Thank you! Your professional time and prompt efforts are appreciated. ''' - https://www.muckrock.com/foi/united-states-of-america-10/littlebird-23349/ a title could be, "Who's spilling secrets to Sid?" :) best regards,
On 1/9/16, coderman <coderman@gmail.com> wrote:
... https://www.muckrock.com/foi/united-states-of-america-10/littlebird-23349/
a title could be, "Who's spilling secrets to Sid?"
note, the answer may be "no one"! :) regarding my earlier comment about reverse engineering, sometimes you're looking to prove a negative with a request - the "metadata" or side channels associated with processing the request sufficient to provide an answer, even if the content itself is all "[REDACTED]". see also: ''' What Sidney Blumenthal’s Memos to Hillary Clinton Said, and How They Were Handled By MICHAEL S. SCHMIDT, MAY 18, 2015 In 2011 and 2012, Hillary Rodham Clinton received at least 25 memos about Libya from Sidney Blumenthal, a friend and confidant who at the time was employed by the Clinton Foundation. The memos, written in the style of intelligence cables, make up about a third of the almost 900 pages of emails related to Libya that Mrs. Clinton said she kept on the personal email account she used exclusively as secretary of state. Some of Mr. Blumenthal’s memos appeared to be based on reports supplied by American contractors he was advising as they sought to do business in Libya. Mr. Blumenthal also appeared to be gathering information from anonymous Libyan and Western officials and local news media reports. What follows are descriptions of some of the memos and how they were handled by Mrs. Clinton and her aides. Clinton Says Idea on Rebels Should Be Considered In April 2011, Mr. Blumenthal sent Mrs. Clinton a memo about the rebel forces fighting the regime of Col. Muammar el-Qaddafi. The rebels, Mr. Blumenthal wrote, were considering hiring security contractors to train their forces. Mrs. Clinton forwarded the memo to her aide, Jake Sullivan, and said that the idea should be considered. (Pages 1-3) Clinton Friend’s Libya Role Blurs Lines of Politics and Business Sidney Blumenthal counseled Hillary Rodham Clinton when she was secretary of state about Libya, where he was also advising a business venture. In 2011 and 2012, Mrs. Clinton forwarded 18 memos to Mr. 
Sullivan, who in turn circulated them to senior State Department officials, including Ambassador J. Christopher Stevens, who was killed in the 2012 attacks in Benghazi, and Ambassador Gene A. Cretz, who preceded him. =An Alert to Possible Terrorist Attacks in Libya In May 2011, Mr. Blumenthal sent Mrs. Clinton a memo reporting that affiliates of Al Qaeda in Libya were plotting attacks in revenge for the United States’ killing of Osama bin Laden. Mrs. Clinton forwarded the email to Mr. Sullivan, saying that it was “disturbing, if true.” Mr. Sullivan questioned its accuracy, but said he would share with others. (Pages 4-5) =Highlighting the Role of a Potential Business Partner In January 2012, Mr. Blumenthal wrote to Mrs. Clinton about challenges facing Libya’s new government. In the memo, Mr. Blumenthal said that Libya’s prime minister was bringing in new economic advisers, and that a businessman, Najib Obeida, was among “the most influential of this group.” At the time, Mr. Obeida was a potential business partner for a group of contractors whom Mr. Blumenthal was advising. Mrs. Clinton instructed Mr. Sullivan to ask for a response from senior State Department officials including Mr. Cretz, then the ambassador to Libya. (Pages 6-15) =A Memo Is Passed On, Despite Questions In March 2012, Mrs. Clinton forwarded a memo by Mr. Blumenthal to Mr. Sullivan, saying that she was dubious about its content. Mr. Sullivan agreed, stating that Mr. Blumenthal’s report resembled “a conspiracy theory” — but still asked State Department officials to review it. (Pages 16-17) =A Warning Is Forwarded to Incoming Ambassador In April 2012, Mr. Blumenthal wrote to Mrs. Clinton warning about the imminent rise of the Muslim Brotherhood in Libya. Mrs. Clinton forwarded the memo to Mr. Sullivan, who sent it to Mr. Stevens, the incoming United States ambassador to Libya. Mr. Stevens’ response — that the Brotherhood in fact had a relatively small following in Libya — was passed on to Mrs. 
Clinton. (Pages 18-24) =Clinton Suggests Sharing Information With Israel After receiving an August 2012 memo from Mr. Blumenthal about how the new Libyan prime minister wanted to have a better relationship with Israel, Mrs. Clinton suggested to Mr. Sullivan that they pass the intelligence along to the Israelis. (Pages 25-27) ''' - http://www.nytimes.com/2015/05/19/us/politics/what-sidney-blumenthals-memos-... best regards,
the #YallQueda group alleged witnesses to improper burning saw events which precipitated the "illegal" burn at center of this dispute. thus, FOIA! let's see if we can find confirmation in past patterns of burn behavior... ''' Records associated with controlled burns in the districts of Lakeview, Medford, and Prineville for all years available back to 2010. Records indicating the planning, execution, and subsequent evaluation of the controlled burns is requested. Records indicating complaints or concerns about plans for burning in these districts within this time frame are also requested. ''' - https://www.muckrock.com/foi/united-states-of-america-10/smokeyfired-23386/ best regards,
new FOIA: all revisions of the OIG report on Brandon Mayfield: ''' All versions of the document "A Review of the FBI's Handling of the Brandon Mayfield Case - Office of the Inspector General, Oversight and Review Division January 2006", including mandatory declassification review (MDR) under E.O. 13526 of any materials previously deemed sensitive. Note the significant time elapsed since original publication of this document when considering sensitivity of previously withheld materials, in addition to the significant public interest in this case and its ramifications. Thank you! ''' - https://www.muckrock.com/foi/united-states-of-america-10/maydayfield-23421/ original report at: https://oig.justice.gov/special/s0601/exec.pdf best regards,
still have one FOIA left for January; trying to pick a topic... it must beat this one, in terms of poking bear caliber: ''' Records of any communication, agreements, transcripts, memorandum of understanding, contracts, or other responsive materials relating to Ibragim Todashev as an Undercover Employee, Informant, or Cooperating Witness with the Bureau before his death on May 22, 2013 at age 27 in Florida while being interviewed about his possible connection to a triple murder in Waltham, Mass., on Sept. 11, 2011. Note that while the content of conversation may be withheld for privacy and other reasons, the existence of these conversations or other law enforcements records may not be concealed. Please search cross-references for Ibragim Todashev that may reveal such communication, in addition to primary indexes. Thank you! ''' - https://www.muckrock.com/foi/united-states-of-america-10/inducedbytrap-23480... best regards,
reply received! "Count of Level 4 - National Security Special Sensitive SSBI or SSBI-PR clearance screenings performed by year, for all years with responsive records."

Fiscal Year   SSBI count   SSBI-PR count
2005          93801        52201
2006          90733        76869
2007          107747       84815
2008          111799       67543
2009          100623       55745
2010          108149       54363
2011          106214       71138
2012          93776        58381
2013          97611        55492
2014          70361        54850
2015          59795        35489

https://www.muckrock.com/foi/united-states-of-america-10/level4up-22366/#fil... best regards,
final FOIA for January: --- https://www.muckrock.com/foi/united-states-of-america-10/injusticelaundrydep... To Whom It May Concern: This is a request under the Freedom of Information Act. I hereby request the following records: 1.) First page of documents, transcripts, guidelines, reports, and other responsive materials regarding recommended actions by the Department of Justice with regard to applications for foreign intelligence and counterintelligence electronic surveillance, as well as for other investigative activities by executive branch agencies. The first page only is requested to limit quantity of responsive materials, and also to limit scope of review of sensitive material which may be withheld according to proper specific exemptions. 2.) First page of documents, transcripts, guidelines, reports, and other responsive materials produced by, within, or in collaboration with the Intelligence Analysis Unit (IAU), which provides liaison with the intelligence community and timely intelligence product to the Attorney General and Deputy Attorney General, supporting their national security responsibilities. The first page only is requested to limit quantity of responsive materials, and also to limit scope of review of sensitive material which may be withheld according to proper specific exemptions. 3.) The first pages of responsive documents for all years since 1980 are explicitly requested, as these responsive materials will have been produced by work of the Office of Intelligence Policy and Review (OIPR), created by Attorney General Order No. 875-80, 28 C.F.R., Part O, Subpart F-1, approved by Attorney General Civiletti in 1980. Please consider the spirit as well as the letter of the Freedom of Information Act Law while processing this request. Thank you! The requested documents will be made available to the general public, and this request is not being made for commercial purposes. 
In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM, DVD-R, or BD-R if not. Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 20 business days, as the statute requires. --- :) best regards,
https://www.muckrock.com/foi/united-states-of-america-10/guidedincrements-22... if you've got the rest of these, let me know... :P best regards,
uncorked! ''' Procedures, Instructions, and any other materials regarding the proper handling of SSL/TLS secret keys, code signing keys, Client Certificate private keys, and other private key material obtained via National Security Letters or Court Order under PATRIOT Act, or USA FREEDOM Act authorities. E.g. Under the USA PATRIOT Act, Pub. L. No. 107-56 §505(a), 115 Stat. 272, 365 (2001), including recent revisions; C.f. USA FREEDOM Act of 2015, Pub. L. No. 114-23, 129 Stat. 268, the FBI can issue National Security Letters requesting specific business record information, including SSL/TLS private keys used in Internet communications, code signing keys used to authenticate software, and Client Certificates used to impersonate cryptographic identities. Please recognize that agencies MUST search all records systems reasonably believed to contain responsive documents, even if it means contacting former employees. Truitt v. Department of State, 897 F.2d 540, 542 (D.C. Cir. 1990) makes it explicitly clear that it is the obligation of the Department to “conduct a search reasonably calculated to uncover all relevant documents.” Enumeration and explanation for any responsive documents withheld under any authority is also requested; please identify all such excluded documents in full. Records spanning other intelligence agency activities in which this agency played a part are explicitly requested to be considered and searched, as appropriate, including activities under authority of E.O. 12333, Section 215 of the USA PATRIOT Act, and Section 702 of the FISA Amendments Act, and any other related authorities. Thank you! ''' - https://www.muckrock.com/foi/united-states-of-america-10/keykeeperkomikaldep... which is in response to some bogus 404s... :P
with DoD finding any excuse to deny my righteous transparency desires, E.g.: https://www.muckrock.com/news/archives/2016/feb/26/biggest-foia-fee-all-time... the following laser guided narrow focused FOIA formed thusly: ''' The quantity, serial number(s), Purchase Orders, activity logs, equipment check-out/check-ins, and other responsive records associated with each "QRC Technologies ICS2" cellular survey device in use, or purchased by the Department, or operated on its behalf. See https://theintercept.com/document/2015/12/16/government-cellphone-surveillan... for a visual depiction of the device in question to assist search efforts. Note also such publication and dissemination of technical details regarding this equipment diminishes claims of sensitivity which may otherwise be grounds for redaction or withholding of responsive materials. Please include the Experimental FCC License exception number for each associated piece of equipment along with serial number and purchase order(s). Recognize that Truitt v. Department of State, 897 F.2d 540, 542 (D.C. Cir. 1990) makes it explicitly clear that it is the obligation of an agency to “conduct a search reasonably calculated to uncover all relevant documents.” Records spanning other intelligence agency activities in which this agency played a part are explicitly requested to be considered and searched, as appropriate, including activities under authority of E.O. 12333, Section 215 of the USA PATRIOT Act, and Section 702 of the FISA Amendments Act, and any other related authorities. Thank you! ''' - https://www.muckrock.com/foi/united-states-of-america-10/ics2-dhs-ftw-24155/ for "NSA Typhoon" - https://www.muckrock.com/foi/united-states-of-america-10/typhoon-dhs-ftw-241... for "DRT 4411" - https://www.muckrock.com/foi/united-states-of-america-10/drt4411-dhs-ftw-241... for "DRT 1101" - https://www.muckrock.com/foi/united-states-of-america-10/drt1101-dhs-ftw-241... 
for "DRT 1301" - https://www.muckrock.com/foi/united-states-of-america-10/drt1301-dhs-ftw-241... for "DRT 1183" - https://www.muckrock.com/foi/united-states-of-america-10/drt1183-dhs-ftw-241... for "BAE Systems Traveler" - https://www.muckrock.com/foi/united-states-of-america-10/baetravler-dhs-ftw-... for "QRC Technologies Autonomous / Lighthouse" - https://www.muckrock.com/foi/united-states-of-america-10/qrcauto-dhs-ftw-241... for "QRC Technologies ICS2" - https://www.muckrock.com/foi/united-states-of-america-10/ics2-dhs-ftw-24155/ for "Key West Carman II" - https://www.muckrock.com/foi/united-states-of-america-10/carman2-dhs-ftw-241... for "Rincon IAW NRO - Deerpark" - https://www.muckrock.com/foi/united-states-of-america-10/deerpark-dhs-ftw-24... for "Martone Radio Technology, Inc. - Spartacus II" - https://www.muckrock.com/foi/united-states-of-america-10/spartacus-dhs-ftw-2... for "VIA SEPCOR Garuda (G-Box)" - https://www.muckrock.com/foi/united-states-of-america-10/gbox-dhs-ftw-24162/ for "Northrop Grumman IS ICW General Atomics - GUAVA (G-Pod)" - https://www.muckrock.com/foi/united-states-of-america-10/guava-dhs-ftw-24167... for "Martone Radio Technology, Inc. - Maximus" - https://www.muckrock.com/foi/united-states-of-america-10/maximus-dhs-ftw-241... whew! :P best regards,
last one for this month might be delayed awhile, as per usual procedure... ''' This is a request under the Freedom of Information Act. I hereby request the following records: A copy of every "Annual Report of the Undercover Review Committee" prepared by the Bureau, for all years available. Please recognize that agencies MUST search all records systems reasonably believed to contain responsive documents, even if it means contacting former employees. Truitt v. Department of State, 897 F.2d 540, 542 (D.C. Cir. 1990) makes it explicitly clear that it is the obligation of the Department to “conduct a search reasonably calculated to uncover all relevant documents.” Enumeration and explanation for any responsive documents withheld under any authority is also requested; please identify all such excluded documents in full. ''' - https://www.muckrock.com/foi/united-states-of-america-10/annumicoversee-2417... best regards,
On 1/10/16, coderman <coderman@gmail.com> wrote:
ramping up FOIA in the year new, a new favorite! ...
To me, this is really amazing to watch, coderman. You are conducting/ supporting what seems to me to be quite a public interest/ public service effort - on behalf of the world really, given America's, ahem, preeminence :) <please suppress your howls of laughter - I don't expect FOIs to actually -change- US behaviour, but at least we see a tiny bit of the evidence of America's fingering the world...> I just watched the Benghazi / CIA in Libya movie tonight - yes there's the usual "thank you America" propaganda, but shit, that's the -best- they can spin this 'true' story (the American sniper movie and others have been proclaimed in the credits as "inspired by true events" - this one was proclaimed as "A true story.")!!! It's almost a wonder they let this story into the cinemas at all - provides a foundation for some genuine soul searching, in the CIA, the US military (who did not send any support whatsoever), their foreign relations procedures/ protocols, the fact they turned Libya into a failed state, etc, etc. Similar in essence to The Big Short (I think that's what it's called) - hey world, this is America. And shit, this shit needs to stop, but as we saw in the big short, it continues - the banks are out of control. I think it was Goldman Sachs, with their CDOs (crap mortgage bundling and buying and selling) which brought on the GFC, and they got merely a $5 billion fine! http://www.nytimes.com/2016/01/15/business/dealbook/goldman-to-pay-5-billion... Fundamentally, it seems even Americans realize their own nation has to be reined in, and perhaps Hollywood is part of their way... I think it will have to implode from within, financially, before anything actually changes... Regards, Zenaan
On Saturday, 27 February 2016 11:39:34, Zenaan Harkness wrote:
On 1/10/16, coderman <coderman@gmail.com> wrote:
ramping up FOIA in the year new, a new favorite!
...
To me, this is really amazing to watch, coderman. You are conducting/ supporting what seems to me to be quite a public interest/ public service effort - on behalf of the world really, given America's, ahem, preeminence :) <please suppress your howls of laughter - I don't expect FOIs to actually -change- US behaviour, but at least we see a tiny bit of the evidence of America's fingering the world...>
For once, we agree. Thank you, coderman. Keep doing what you're doing. Your work is appreciated! -- Regards, Michał "rysiek" Woźniak I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On Sun, 28 Feb 2016 13:50:14 +0100 rysiek <rysiek@hackerspace.pl> wrote:
Thank you, coderman. Keep doing what you're doing. Your work is appreciated!
LMAO! No, coderman's pro-government spam isn't appreciated at all. and this is what americunt 'freedom' of 'information' looks like http://motherboard-images.vice.com/content-images/contentimage/30730/1455900...
On Mon, Dec 28, 2015 at 4:24 AM, coderman <coderman@gmail.com> wrote:
provide, the first page of each responsive document, redacted as
Provide 12th page of every document containing the words "coderman", or "I2P", or phrase 'damn these punks'.
The URL or URI or PATH of each source code repository operated,
Giving them more leftfield wtf's they have to answer every week, love it.