Purpose. This paper provides guidance to CTIIC personnel for assessing when and how information
may be disseminated.
Background. CTIIC may disseminate information in accordance with Intelligence Community (IC)
policy to the extent the information is or contains information of or concerning a United States
person (USP), in accordance with EO 12333, the applicable Attorney General (AG) approved USP
procedures, and the Privacy Act, if applicable. The specific rules governing CTIIC dissemination will
depend on several factors, including, but not limited to: whether the information relates to CTIIC’s
mission; whether the information contains information concerning a USP; the source of the
information; whether the information resides in a Privacy Act system of records; whether the
information is being disseminated under exigent circumstances; the intended recipient; and the
disseminator’s status as ODNI cadre, detailee, or assignee.
I. CTIIC Mission.
a. One of the primary factors in determining whether information may be disseminated is
whether it relates to CTIIC’s mission.
b. CTIIC’s mission is to build understanding of foreign cyber threats to US national interests in
order to inform decisionmaking by federal cyber centers, departments and agencies, and
policymakers. CTIIC integrates information from network defense, intelligence, and law
enforcement communities; facilitates information sharing; leads community analysis of cyber
threats; and supports interagency planning to develop whole-of-government approaches
against cyber adversaries.
(1) Consistent with longstanding IC precedent and ODNI’s authority, CTIIC’s authorities relate
to “foreign” cyber threats—meaning information that identifies foreign cyber intentions,
capabilities, and activities regarding critical infrastructure, capabilities, networks, and
information of US national interest or targets of US cyber operations in support of
national security objectives. This includes unattributed malicious activity and actors
known or suspected of having the desire or capability to penetrate or deny the use of
critical US systems.
(2) The inability to immediately determine the source of a threat does not necessarily mean
that CTIIC is precluded from analyzing or reporting information related to that threat.
However, once CTIIC determines that the threat is not related to a foreign cyber threat,
CTIIC will defer to those federal agencies or elements with the authority to report the
information, such as DHS or FBI.