NSA personnel have access to some interesting records. Unfortunately, these retained records are not connected with a bonafide national security objective, but are files related to personal issues. The improperly transferred files are thought to relate to evidence of improper, non-official use of US government interception devices; and improper use of government resources.

Rather than freely disseminate this information between NSA personnel and contractors, NSA IG should review the NSA legal counsel's plan to adequately secure, safeguard, and avoid dissemination of this information. Some of the personnel with clearances for cryptographic information have files which fall outside what they're authorized to retain.

Also, NSA contractors should explain to the NSA IG why they are sending, storing, and receiving files unrelated to national security, law enforcement, or intelligence analysis.

When does NSA Management plan to review the improper transfer of personal files between NSA contractors related to unofficial, non-official information gleaned from US citizens?

It appears some of the contractors who have special clearances, security procedures, and compartmentalization are using this special clearance for cryptologic information to avoid adequate oversight of the files they review, transfer, and retain.

Ref: Personnel Security Policies and Procedures for Sensitive Cryptologic Information, (DoD Instruction 5210.45, November 14, 2008)

There should be a policy that says once a contractor clips a file, and re-sends it, that the sent-file is subject to privacy review: Is the file sent between contractors bonafide national security information; or is the information intended to provide contractors with amusement unrelated to work?

It's one thing to narrowly conduct a security review for information to be released; but what about information not released, but still sent without an obvious connection with the original intelligence interception objective?

Why are NSA contractors being paid to store, retain, clip, send, receive, and review audio files of American citizens, but those interceptions have no obvious connection to any intelligence objective, law enforcement purpose, or national security issue or concern?

We encourage NSA IG to provide to the Congressional Committees a copy of the report summary related to adverse actions taken under DOD Regulation 5200.2-R, Personnel Security Program, and discuss in detail the types of files the NSA personnel and contractors were improperly retaining, storing, sending, and reviewing. (See: Clearance Decisions, Adverse Adjudicative Action on Civilians)

Please discuss how various job descriptions were compared to work performed; how the NSA IG reviewed management oversight of work performed; and the method of sampling retained-transferred files to ensure consistency between work assigned, clearances granted, duties performed, and files found on the work station (See 5200.2-R, Section 3-100 , "Designation of Sensitive Positions").

Please use the date of this publication as a benchmark to monitor which retained files were removed after this date; and compare the file-deletion volume size before and after the publication date. (Possible evidence destruction, re 18 USC §2701, "Unlawful Access to Stored Communications") 

Please discuss why an "authorized access" to stored communications includes retention, dissemination, and transfer of files unrelated to a bonafide law enforcement investigation; and why disseminated files, the object of that investigation, are not adequately safeguard to prevent further inappropriate review by NSA contractors after their initial interception.

DOJ IG should review when FBI agents were assigned to review; and the timing between their access to this information, and their reports of possible criminal activity. Copies of all classified DOJ OLC memos discussing this subject should be attached to the NSA IG report to the committee, with clear markings on the retained privileges.