UNCLASSIFIED
C IDsCommentsncelink Central
Director of Central Intelligence Directive
umber: 29
Subject: CONTROLLED ACCESS PROGRAM OVERSIGHT COMMITTEECI Advisory Bodies
DIRECTOR OF CENTRAL INTELLIGENCE9
Controlled Access Program Oversight Committee
Pursuant to the provisions ofthe National Security Aas amended, and Executive, the Controlled Access Program Oversight Committee is hereby established to assist the Director of Central Intelligence in carrying out his responsibilities for controlled access programs wilhin the National Foreign Intelligence Program.
ontrolled Access Programs
The following controlled access programs are covered by this Directive:
Sensitive Compartmented mformarionhe National Security Act7 and Executiverant the Director of Central Intelligence (DCI) the authority to protect classified information concerning or derived from intelligence sources, methods, or analytical processes. This Directive covers all programs within the SCI control system.
Special Access Programs Pertaining to Intelligence Activities. The National Security Act7 and Executiveuthorize thc DC! to create special access programs pertaining to intelligence activities (including special activities, but excluding military operational, strategic and tacticalhis Directive covers all such programs.
Restricted Collateral Information. This Directive also covers programs other than SCI or special access programs that impose controls governing access to classified intelligence information or control procedures beyond those normally provided for access to Confidential. Secret, or Top Secret
i. and for which funding is specifically ioenftfigtk^itVfiuiecUve does not coyer acces] tanizat
ontrolled Access Policy
All proposals io create or maintain controlled access programs shall be reviewed by the Controlled Access Program Oversight Committeeontrolled access programs shall be kepi to an absolute minimum and only established and maintained to protect the Nation's mosi sensitive and critical intelligence information. Decisions to establish controlled access programs shall be basedisk assessment, considering the sensitivity, risk of disclosure and exploitation, and value of the information to bc protected.
Thc DCI or DDCI shall deiermine whether to create, modify, or terminate controlled access programs. Creation or continuation of controlled access programs shall only be madepecific finding that:
vulnerability of, or threat to, specific information is exceptional; and
normal criteria for determining eligibility for access applicable to informationthe same level arc not deemed sufficient to protect the information fromor
program is required by statute.
Controlled access programs shall be reviewed annually. Any such program not granted approval to continue shall be decompartmentcd or terminated.
Only ihe DCI or DDCI may create, modify, or terminate controlled access programs.
APOC
The CAPOCechanism for supporting the DCI in the effective execution of DCI responsibilities for the controlled access programs and activities within the National Foreign Intelligence Programhese responsibilities include ensuring the creation and continuation of only those controlled access programs necessary to protect sensitive intelligence information; monitoring the implementation of controlled access programs; directing program and performance audits and evaluations as necessary; and ensuring there is no conflict or unnecessary duplication between controlled access programs within the NFIP and other government programs by working with the appropriate representatives from those programs.
The CAPOC shall review and validate controlled access programs. The DCI or DDCI may waive review by thc CAPOC for programs covered by equivalent oversight mechanisms, or when review by the CAPOC is unnecessary to carry out the DCI's responsibilities.
The CAPOC shall review the creation of new controlled access programs and validate existing controlled access programs. The review shall include;
a the justification for controlled access designation or continued designation;
the controlled access program duplicates any other program;
any other program would benefit from thc information protected by theprogram or activity;
4 hether (he unacknowledged or cover status of the program should be continued, if applicable;
to require security standards in excess of standards contained in DCuDsapplicable documents; and
other matters as agreed to by the DCI and heads of agencies involved
membership of the CAPOC shall include:
DCI or the DDCI;
DepSecDef if the controlled access program is managedefense agency;
head or deputy head of the agency(s) responsible for the controlled accessreviewed (for the CIA. the Executive Director for thc Central Intelligenceattend as the agencynd
Executive Director for Intelligence Community Affairs.
The DCI may invite other individuals to participate in particular CAPOC reviews.
The DCI shall call meetings of the CAPOC. Minutes of the meetings shall be taken, including the decisions of the DCI or DDCI. and the findings required. above.
Thc DCI or DDCI may alter the procedures of the CAPOC whenontrolled access program of special sensitivity.
As necessary, the CAPOC will approve policies, procedures, and security standards pertaining to controlled access programs, consistent with the politics of the Security Policy Board, pertaining to controlled access programs.
ontrolled Access Program Coordination Office (CAPCO)
The Controlled Access Program Coordination Office (CAPCO) is established within the Office of the DCI. The Director of thc CAPCO shall be appointed by the DCI.
The CAPCO shall conduct rhe following activities:
a develop risk assessment criteria and procedures for the review and evaluation of controlled access programs;
guidance to Intelligence Community agencies concerning submissions to
with other controlled access program oversight fora to meet theof the CAPOC;
the CAPOC agenda and monitor direcied taskings;
c. review and evaluate agency submissions and make recommendations to the CAPOC;
secretariat services for thc CAPOC; and
a register of all controlled access programs in the NFIP.
CAPCO shall work in concert with the agency whose controlled access program isin preparing material for the CAPOC.
esponsibilities of Intelligence Community Agencies
Heads of Intelligence Community agencies wiih controlled access programs covered by this Directive shall
the creation, modification, or termina-.ion of controlled access programs, pursuant toinbove;
an annual review of each program, including compartments and subcompartrr.entsdocument the review.e review shall include the items mentioned in Section
each controlled access program, ensure the appointmentecurity manager who isadministration of security for the program, including record maintenance;
for any controlled access program involving industry, that proper officials withinfacility, to include the facility security office and other appropriate corporate officials,of the nature and extent of their facility's involvement in the program;
proper reporting of:dverse information on personnel with accessrogram tosecurity office; andnstances of suspected waste, fraud, and abuse to theof the agency;
an official point of contact to the CAPOC; and
agencies with more than one controlled access program,entral office toactivities in this section. The central office shall be the official point of contact to the CAPOC.
Original document.
Comment about this article, ask questions, or add new information about this topic: