>>4768708 (lb)

OIG report findings continued from last bread:

Quick Reaction Report on the Review of the Ingest Filter of an NSA Data System

The OIG is currently conducting a Limited Scope Study of NSA Data Tagging Controls to Comply with the Foreign Intelligence Surveillance Act (FISA) Amendments Act (FAA) Sections 704 and 705(b) Minimization Procedures. As part of the study, the OIG reviewed NSA’s filtering control implemented in December 2017 to prevent data objects that contain selectors associated with Section 704 and 705(b) authorized targets from being ingested into an NSA data system integrating data from multiple intelligence platforms. The system is not approved for FISA data because it is accessible by certain foreign government partners who are not authorized to have such access and

11

provides limited data to a system accessible by other foreign government partners. During testing performed on 4 June 2018 and 18 July 2018 (each covering data ingested during the prior 10-day period), the OIG found that NSA’s filtering control did not prevent a significant number of data objects containing selectors associated with several Section 704 or 705(b) authorized targets from being ingested into the data system. The OIG issued a Quick Reaction Report in which it made six recommendations to assist the Agency in addressing these deficiencies.

pg 11&12

>>4768735

Special Study of Data Sharing with Third Party Partners

See the “Significant Problems, Abuses, and Deficiencies and Other Significant Reports in the Reporting Period” section of this report.

pg 13

Significant Problems, Abuses, and Deficiencies and Other Significant Reports

OIG projects during the reporting period did not reveal serious or flagrant problems or abuses related to the administration of Agency programs or operations that would require immediate reporting to the DIRNSA and Congress pursuant to Section 5(d) of the Inspector General Act. However, the OIG’s Special Study of Data Sharing with Third Party Partners revealed significant problems and deficiencies, as detailed below.

Report on the Special Study of Data Sharing with Third Party Partners

The OIG conducted this study to follow up on problems identified in an earlier special study, and because of the increase in the amount of data shared with Third Party Partners (certain foreign countries, hereafter referred to as “Partners”) since then. An area of emphasis in the study was the protection of the privacy rights of U.S. persons (USPs). The OIG made 22 recommendations to assist the Agency in addressing the findings of the study, which included the following:

 Governing documentation, including relevant U.S. SIGINT Directives and other policies and documents, is outdated, inaccurate, and/or incomplete;

 Inadequate Agency documentation of data flows risks potentially unauthorized or delayed sharing of data with Partners;

 Sampling documentation and processes used by the Agency to identify and mitigate potential compliance incidents require improvement;

 Partner personnel who access certain data may lack required training; and

 Intelligence Oversight Officers are not clearly identified and not all personnel who

represent NSA to the Partner have been properly trained.

Summary of Reports for Which No Management Decision Was Made

No reports without management decisions were published.

Significant Revised Management Decisions

No reports with significant revised management decisions were published.

Management Decision Disagreements

No reports with management disagreements were published.

pg 3