OCR of the Document

View the Document >>

James R. Clapper, Jr., Director of National Intelligence, Intelligence Community Directive 121, "Managing the Intelligence Community Information Environment," January 19, 2017. Unclassified.

Managing the Intelligence Community Information Environment A AUTHORITY The National Security Act of 1947 as amended Executive Order EO 12333 as amended and other applicable provisions oflaw B PURPOSE 1 This Intelligence Community CIC Directive ICD establishes policy for an IC enterprise approach to managing the IC Information Environment IC IE in support of the IC mission through establishing roles and responsibilities and it provides guidance on using a Service Provider model information sharing and safeguarding and information technology I infrastructure and capabilities 2 An IC enterprise approach for managing the IC IE will a Advance intelligence integration and enable deeper analytic collaboration across IC elements through increased and accelerated communication information sharing and safeguarding transparency and discovery of and access to information and b Consolidate IT capabilities and infrastructure and the acquisition and procurement thereof resulting in increased efficiency and reduced duplication 3 This ICD rescinds ES 00564 Guiding Principles jor Implementing and Operating in a Common Intelligence Community Injormation Technology Enterprise 19 September 2013 and ES 00124 Leveraging the Intelligence Community Injormation Technology Enterprise 29 March 2013 C APPLICABILITY 1 This guidance applies to the IC as defined by the National Security Act of 1947 as amended and to such elements of any other department or agency as may be designated an element of the IC by the President or jointly by the Director of National Intelligence DNI and the head of the department or agency concemed 2 This guidance applies to the IC IE which consistent with ICD 502 Integrated Dejense ojthe IC IE includes the individuals organizations and IT capabilities that collect process or share Sensitive Compartmented Information or that regardless of classification are operated by the IC and are in whole or in majority funded by the National Intelligence Program D POLICY 1 IC elernents shall first use an IC enterprise approach which accounts for all IC equities and enhances intelligence integration for rnanaging the IC IE before using an IC elernentcentric solution a In instances where there is an IC IT Service of Cornrnon Concern hereafter IC IT SoCC and an IC element asserts it has unique infrastructure or enterprise architecture IT requirernents which an IC IT SoCC cannot fulfill the IC elernent rnust notify the IC Chief Inforrnation Officer IC CIO of the requirement before adopting an IC element-centric solution b In instances where there is an IC IT SoCC and an IC elernent asserts it has unique mission requirements e g critical urgent operational irnpact etc which an IC IT SoCC cannot fulfill the IC elernent must notify the Deputy Director of National Intelligence for Intelligence Integration DDNIfII of the requirernent before adopting an IC elernent-centric solution 2 IC elernents rnust understand and accept the shared risks of operating in an interconnected environment 3 The IC IE and the activities conducted therein shall support the protection of civilliberties and privacy in accordance with applicable legal and policy requirements E IC IT SERVICE PROVIDER MODEL 1 The IC will use a Service Provider model for the provisioning funding and use of designated IC IT SoCC The IC IT Service Provider model consists of two roles a IC IT Service Provider IC SP - IC elernents designated by the DNI or the Principal Deputy Director of National Intelligence PDDNI in consultation with the affected heads of the IC elernents to develop and rnaintain an IC IT capability as a SoCC in accordance with ES 00960 Designation Services Common Concern or successor policy b IC IT Service Consumer IC IT SC - IC elements or other authorized users whose IT systerns use an IC IT SoCC and the inforrnation within to support its rnission in accordance with applicable laws regulations and policies 2 The IC IT SP will coordinate with the appropriate Office of the Director of National Intelligence ODNI components and IC elements to deliver the IC IT SoCC via centralized distributed or franchised delivery rnodels When needed other delivery models rnay be ernployed on a case-by-case basis The PDDNI will provide final approval of the delivery model based on a recornrnendation frorn the appropriate IC elernent Deputies 3 The IC IT SP will coordinate with appropriate ODNI cornponents and IC elernents to develop the IC IT SoCC cost and funding model which rnay include centralized or distributed funding or fee-for-service When needed other cost and funding rnodels rnay be employed on a case-by-case basis The PDDNI will provide final approval of the rnodel based on a recornrnendation frorn the DEXCOM 4 IC IT SPs will prioritize and irnplernent rnission infrastructure and enterprise architecture capability requirernents in collaboration with DDNIfII IC CIO and IC elements F INFORMATION SHARING SAFEGUARDING AND MANAGEMENT 1 IC elernents shall use the IC IE to rnake inforrnation readily discoverable by and appropriately retrievable to the IC in accordance with ICD 501 Discovery and Dissemination or Retrieval oj Injormation within the IC 2 Authorized users shall access discover and use inforrnation in the IC IE in accordance with their approved rnission needs and applicable legal and policy requirements to include the protection of civilliberties and privacy 3 IT capabilities will support access for authorized foreign entities to the IC IE consistent with ICD 403 Foreign Disclosure and Release oj Classified National Intelligence and other applicable policies Access by Second Party Integrees is governed by ES 2016-00816 Second Party Integree Access to the IC IE 4 Consistent with EO 13526 IC elernents shall retain their Original Classification and Declassification Authority and processes to derivatively classify sanitize or downgrade information under applicable legal and policy requirements Such information shall be protected through the Originating Element's application of appropriate Original Classification Authority and derivative classification control markings dissernination and technical specifications For the purposes of this ICD an Originating Element is defined as an IC element or U S government entity that creates or collects information during the course of its business and is legally responsible for it 5 The IC IE will protect sources methods and intelligence information from unauthorized disclosures and insider threat and it will rnitigate counterintelligence and security risks through implementation of the National Insider Threat Policy EO 13587 ICD 701 Deterrence Detection Reporting and Investigation oj Unauthorized Disclosures oj Classified National Security Injormation ICD 750 Counterintelligence Programs and other applicable security and counterintelligence policies G INFORMATION TECHNOLOGY 1 IT capabilities and infrastructures will support classification markings access and dissernination controls 2 IT capabilities and infrastructures requiring interconnections with other network security dornains will do so using cross-dornain interfaces in coordination with relevant stakeholders 3 IC elernents will rnigrate to an information-centric architecture to the greatest extent possible 4 IC IT SoCC architecture will be based on commonly designed and coherently engineered enterprise-level IT components and infrastructure that separates information from applications services and processes Information separation will be achieved through a logical construct instead of by a physical separation to the greatest extent possible 5 IC elernents shall first use an IC enterprise solution for cloud storage and computing capabilities before acquiring IC elernent-centric data storage capabilities including data centers Legacy or inefficient data storage will be decomrnissioned to the maximum extent possible 6 IC elernents will develop and implement a strategy for managing the privacy and security risks associated with connecting separately authorized inforrnation systerns within the IC IE consistent with ICD 503 Intelligence Community Injormation Technology Systems Security Risk Management 7 IT capabilities shall adhere to and implement approved IT standards and technical specifications for identity management attribute-based access control user activity monitoring and auditing and data tagging 8 Programrning and budgeting of IC IE resources and IT capability requirements will be conducted in accordance with ICD 116 Intelligence Planning Programming Budgeting and Evaluation System and ICD 115 IC Capability Requirements Process 9 IC IE acquisition and procurement will be conducted in accordance with ICD 801 Acquisition H ROLES AND RESPONSIBILITIES 1 The DNI or PDDNI will a Designate IC elements in consultation with the affected heads of the IC elements as an IC IT SP to develop and maintain an IT capability as a SoCC and will define the nature and scope of the IC IT service at the time of designation b Provide oversight and strategic guidance for procurement acquisition and funding decisions related to IC IT SoCCs and c Approve the consolidated IC IE governance framework recommended by the DEXCOM 2 The DDN II shall a Collaborate with IC IT SPs and IC elements on prioritization of IC IT SoCC rnission requirements b Monitor delivery and implementation of IC IT SoCC rnission requirements c Respond to and track notifications of unique rnission IT requirements requiring IC element-centric solutions in coordination with IC CIO d Jointly develop and maintain with the IC CIO and in cool'dination with ODNI component heads a consolidated and integrated IC IE govemance structure which accounts for rnission infrastructure and enterprise architecture oversight within 60 days of the issuance of this Directive The PDDNI will provide final approval of the governance framework based on a recommendation from the DEXCOM and e Establish and maintain efficient processes for assessing the cost-benefit and implementation of changes to IC IE rnission IT standards in coordination with the Assistant Director of National Intelligence ADNI for Systems and Resource Analyses SRA and IC elements 3 The IC CIO shall a Collaborate with IC IT SPs and IC elements on prioritization of IC IT SoCC infrastructure and enterprise architecture requirements b Monitor delivery and implementation of IC IT SoCC infrastructure and enterprise architecture requiremen ts c Respond to and track notifications of unique infrastructure and enterprise architecture IT requirements requiring IC element-centric solutions in coordination with DDNVII d Issue standards and guidance related to the IC IE in accordance with ICD 101 IC Policy System and ICD 500 Director oj National Intelligence Chiej Injormation jficer e Jointly develop and maintain with DDNVII and in coordination with ODNI component heads a consolidated and integrated IC IE govemance structure which accounts for rnission infrastructure and enterprise architecture oversight within 60 days of the issuance of this Directive The PDDNI will provide final approval of the governance framework based on a recommendation from the DEXCOM f Establish and maintain efficient processes for assessing the cost-benefit and implementation of changes to IC IE infrastructure and enterprise architecture IT standards in coordination with the ADNVSRA and IC elements and g Jointly oversee acquisitions and procurements related to IC IT SoCCs with the ADNI for Acquisition Technology and Facilities AT F through processes such as the ODNI Acquisition Review Board Executive Program Management Reviews and Quarterly Program Reviews 4 The Director of the National Counterintelligence and Security Center shall issue standards and guidance related to counterintelligence and security activities in the IC IE in accordance with ICD 101 5 ADNVAT F shall a Jointly oversee acquisitions and procurements related to IC IT SoCCs in coordination with IC CIO through processes such as the ODNI Acquisition Review Board Executive Program Management Reviews and Quarterly Program Reviews b Lead the consolidation negotiation and execution of IC Enterprise License Agreements in consultation with and on behalf of IC elements c Develop standardized contract language in coordination with IC CIO for IC elements to use to ensure vendors comply with the appropriate provisions of this Directive and d Issue standards and guidance related to acquisition and procurement in the IC IE not otherwise covered by IC CIO authorities in ICD 101 and ICD 500 6 The Civil Liberties Privacy and Transparency Officer shall coordinate with counterpart IC offices of privacy and civilliberties ODNI components and other stakeholders to ensure implementation of the IC IE and the activities conducted therein maintain the protection of civil liberties and privacy in accordance with applicable legal and policy requirements while enabling intelligence integration and responsible information sharing and safeguarding IC elements shall a Migrate IC IT capabilities to IC IT SoCCs as quickly and efficiently as possible b Provide IC IT SoCC rnission infrastructure and enterprise architecture requirements to the IC IT SPs in collaboration with DDNIIII and IC CIO and support the prioritization of requirements c Collaborate on and coordinate IC IT activities through the IC IE governance framework d Coordinate with IC IT SPs to develop training on IC IT rnission capabilities and use of the data within the IC IT SoCC to include compliance with legal regulatory and policy requirements as appropriate e Ensure that all personnel accessing the IC IE have unique identifiable identities which can be authenticated and have current and accurate attributes for accessing information in accordance with IC policies guidance and specifications for identity and access management f Plan budget and implernent cost funding and delivery rnodels for IC IT SoCCs in coordination with IC CIO AT F the Chief Financial Officer CFO DDN II SRA and IC IT SPs and g Apply an IC enterprise approach to acquisition and procurernent needs in coordination with IC CIO AT F and affected IC IT SPs 8 IC IT Service Providers shall a Manage their designated IC IT SoCC consistent with the oversight and strategic guidance provided by the DNI b Deliver IC IT SoCC capability requirernents in a tirnely rnanner c Irnplernent agreed upon IC IT infrastructure enterprise architecture and rnission IT capability requirernents for processing and protecting inforrnation provided by Originating Elernents so that it rnay be rnade available by or through IC IT SoCCs to IC IT SCs d Support the records rnanagernent responsibilities of Originating Elernents by providing a means to audit track rnanage and dispose of inforrnation as required by applicable legal and policy requirernents and coordinate with Originating Elements prior to dispositioning or destroying inforrnation 1 The IC IT SP will not be deerned to collect disserninate retain dispose or destroy inforrnation solely by the virtue of hosting or providing system support to inforrnation that originated with another IC elernent e Provide IC IT SCs responsive and cornprehensive technical support and operational awareness related to the Service provided f Coordinate with SC to develop training on IC IT rnission capabilities and use of the data within the IC IT SoCC to include cornpliance with legal regulatory and policy requirernents as appropriate g Establish cost funding and delivery rnodels in coordination with IC CIO AT F CFO DDN II SRA IC IT SC and IC elernents and h Apply an IC enterprise approach to acquisition and procurernent needs in coordination with IC CIO AT F IC IT SC and affected IC elernents 9 Originating Elernents shall a Define and provide the rules for the discovery access use dissernination and retention of their inforrnation to include U S Person protections as directed by EO 12333 as arnended to IC elements and IC IT SPs b Determine classification and dissemination controls in accordance with EO 13587 and other legal and policy requirements c Perform records management responsibilities with respect to the information they originate e g Federal Records Act Freedom oj Injormation Act Privacy Act Office of Management and BudgetlN ational Archi ves and Records Administration memoranda M -1218 Managing Government Records Directive or superseding policy and M-14-16 Guidance on Managing Email or superseding policy and record retention schedules Records management responsibilities for joint products shall be determined by agreements among the authoring organizations d Ensure data is properly tagged with accurate metadata and in accordance with IC data standards to enable reliable and accurate use of the information and e Designate an IC element as a Data Custodian as appropriate A Data Custodian is an IC element that on behalf of the Originating Element may perform mission and business datarelated tasks such as collecting tagging and processing data and grant individual users access to additional information beyond that of general systems applications and file permissions to perform such functions where appropriate 1 EFFECTIVE DATE This Directive becomes effective on the date of signature AA DieCtor of National Intelligellc q Date J r                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu