Detailed Overview CIA AG Guidelines

This document summarizes key provisions of the CIA's updated Attorney General Guidelines, which govern the CIA's collection, retention, and dissemination of information concerning US persons. Some key points:

- The guidelines were updated in 2017 to reflect changes since the 1980s in law, technology, and practice.
- The CIA is authorized to collect foreign intelligence to inform national security decisions, but must respect US privacy rights and laws like the National Security Act.
- The CIA does not independently determine intelligence priorities but responds to requirements set by the President and other intelligence consumers.
- While primarily focused outside the US, the CIA can cooperate with the FBI on some domestic collection and must report potential federal criminal violations it discovers.

Uploaded by

John Adams
Copyright
© All Rights Reserved

The CIA’s Updated Executive Order 12333 Attorney General Guidelines
Timely, accurate, and insightful information about the activities, capabilities, plans, and intentions of
foreign powers, organizations, and persons, and their agents, is essential to informed decision-
making in the areas of national security, national defense, and foreign relations. Collection of such
information is a priority objective that the Central Intelligence Agency (CIA) pursues in a vigorous,
innovative, and responsible manner that is respectful of the principles upon which the United States
was founded, and consistent with the Constitution and applicable statutes and Presidential directives
authorizing the CIA’s activities, including the National Security Act of 1947, the Central Intelligence
Agency Act of 1949 (CIA Act), and Executive Order 12333, United States Intelligence Activities.
Under Executive Order 12333, the CIA’s collection, retention, and dissemination of information
concerning United States persons in furtherance of its intelligence mission are governed by
procedures approved by the Director of the CIA and the Attorney General, after consultation with
the Director of National Intelligence. In addition, any participation by CIA officers in organizations
in the United States without the disclosure of CIA affiliation occurs only in limited situations in
accordance with established and approved procedures. Collectively, these procedures are often
referred to as the “Attorney General Guidelines.” In January 2017, the Director of the CIA and the
Attorney General updated the CIA’s Attorney General Guidelines to reflect changes in law,
technology, and practice since the Attorney General Guidelines were last significantly updated in the
1980s. This fact sheet explains and summarizes several key provisions of the revised Attorney
General Guidelines.
While the revised Attorney General Guidelines provide the framework for ensuring that the CIA
engages in its foreign intelligence, counterintelligence, and covert action missions in support of
national security objectives in a manner that respects Americans’ privacy rights and civil liberties, it
is critical to note that the Attorney General Guidelines represent only one aspect of the
authorizations and restrictions on the CIA’s intelligence activities. The CIA’s activities are primarily
focused outside the United States, but they must nonetheless comply with a variety of other United
States laws, including but not limited to, the National Security Act, the CIA Act, the Foreign
Intelligence Surveillance Act, and the Privacy Act, as well as Executive Order 12333 and Presidential
directives such as Presidential Policy Directive 28. These Attorney General Guidelines do not, and
should not be interpreted to, authorize activities that are otherwise prohibited by United States law.
In addition to the Attorney General Guidelines, the CIA has internal regulations that govern CIA’s
intelligence activities. These internal regulations require various levels of approvals to initiate
particular intelligence activities and may impose additional requirements on the conduct of such
activities. If duly authorized intelligence activities include collecting information concerning United
States persons, participating in organizations in the United States, or other areas governed by the
Attorney General Guidelines, then CIA employees must comply with both these internal regulations
and the requirements found in these Attorney General Guidelines.

Authorization, Purpose, and Key Limitations

Sections 1 through 3 of these revised Attorney General Guidelines explain the purpose of the
Attorney General Guidelines, summarize the authorities and responsibilities of the CIA, and identify
several general principles that apply to the CIA’s intelligence activities overall. The CIA is
authorized by statute and directed by the President to collect intelligence through a variety of means,
including from human sources. In short, the CIA conducts espionage. The CIA is, however, also
an all-source intelligence agency that collects and incorporates intelligence information from a
variety of other sources and methods to produce all-source analysis. CIA intelligence includes
information ranging from relevant publicly available information (referred to as Open Source
Intelligence, or OSINT) to Geospatial Imagery Intelligence (referred to as Imagery, or GEOINT),
Measurement and Signature Intelligence (MASINT), and Signals Intelligence (SIGINT).
While statutes and Executive Order 12333 provide the general authority for the CIA to conduct
intelligence activities, the CIA does not independently determine its intelligence collection priorities.
The CIA’s intelligence activities are instead conducted in response to intelligence requirements
established by the President and the CIA’s other intelligence consumers. Specifically, the Director
of National Intelligence approves the National Intelligence Priorities Framework (NIPF), which
establishes national intelligence priorities that reflect the guidance of the President and the National
Security Advisor with input from Cabinet-level and other senior government officials. The CIA’s
duly authorized intelligence activities are conducted in response to the NIPF priorities or other
intelligence requirements imposed by the President and other intelligence consumers.
Under the framework established by Executive Order 12333, the CIA’s intelligence activities are
primarily focused outside the United States. The FBI is responsible for coordination of clandestine
collection of foreign intelligence through human sources or human-enabled means and
counterintelligence activities inside the United States. The CIA can, however, generally cooperate
with the FBI to collect foreign intelligence within the United States, subject to the restrictions
imposed by statute, Executive Order 12333, the Attorney General Guidelines, and other legal and
policy requirements. Specifically, the National Security Act prohibits the CIA from exercising police
or subpoena powers or otherwise engaging in law enforcement or internal security functions, with
the exception of the security protective officers who protect CIA facilities within a limited
jurisdiction pursuant to the CIA Act. If, for example, the FBI has a cooperative relationship with an
individual inside the United States who provides foreign intelligence information, the FBI may
appropriately consult with the CIA regarding the relationship, and the CIA may continue the
relationship for intelligence purposes should the individual travel overseas.
The CIA is also obligated to report to the Department of Justice potential violations of federal
criminal law by employees and potential violations of certain federal criminal laws by non-CIA
personnel that it incidentally acquires while seeking foreign intelligence information. For example, if
in the course of collecting foreign intelligence information about an adversarial foreign government
leader, the CIA learned that a United States citizen was engaged in trafficking controlled munitions
or technology to the foreign government, the CIA must report that information to the Department
of Justice as a potential violation of federal criminal law.

Executive Order 12333 recognizes that in conducting its authorized activities the Intelligence
Community, including the CIA, will collect, retain, and disseminate information concerning United
States persons, but requires that such activities be conducted in accordance with the limitations set
forth in the order and in conformance with the Attorney General Guidelines. For instance, the
Intelligence Community must use the least intrusive collection techniques feasible when collecting
information within the United States or directed against United States persons abroad.
In addition, the CIA may not collect or maintain information for the sole purpose of monitoring the
lawful exercise of rights secured by the Constitution or United States law, including First
Amendment rights. For example, the CIA could not collect the public statements of or about a
United States person merely because he or she was making critical statements regarding the United
States government. If, however, the CIA were collecting intelligence information about a United
States person engaged in international terrorism, the CIA would not have to ignore or remove from
its systems public statements made by that individual, because the collection occurred during the
course of a duly authorized intelligence activity. The explicit recognition of this principle in the
Attorney General Guidelines reflects the CIA’s enduring commitment to operate in accordance with
the United States Constitution and other law.

Collection Targeting United States Persons


Section 4 of the Attorney General Guidelines governs the CIA’s collection efforts when they are
directed at United States persons. As previously described, collection directed at United States
persons may only be conducted in the course of a duly authorized intelligence activity. Collection
against a United States person must employ the least intrusive techniques feasible that will still
obtain the required information in a reliable and timely manner. More intrusive techniques require
higher-level approvals within the CIA and, at times, by other government officials and the judicial
branch and must be documented in writing. The Attorney General Guidelines break down
collection techniques into three categories.
Basic collection generally involves the least intrusive types of collection. Basic collection includes
the collection of publicly available information (e.g., searching the public Internet to determine the
significance of a United States phone number recovered from a known terrorist’s cell phone) or
collecting information with the consent of the United States person in question (e.g., asking them
directly for information about themselves). Because the collection of these kinds of information does
not represent a significant intrusion on an individual’s privacy rights, and in certain circumstances
involve no such intrusion at all, the Attorney General Guidelines do not require special approvals
for this type of collection. However, any such collection must still be conducted in accordance with
the restrictions in these Attorney General Guidelines and other agency policies. Basic collection
must be for an authorized purpose, such as foreign intelligence or counterintelligence, and limited to
information reasonably necessary to support that purpose.
Standard collection targeting a United States person includes any collection technique directed at a
United States person that is not one of the defined forms of basic collection or a special collection
technique (described in the previous and following sections). Examples of standard collection
techniques include requesting another government agency to provide their records about a United
States person, asking a current CIA asset about the activities of a United States person living in a
foreign country, or asking a foreign government for information about the same person. All
standard collection techniques require approval by designated CIA officials, but there may be
additional restrictions imposed by these Attorney General Guidelines or CIA policies. For example,
the CIA may ask the FBI to conduct physical surveillance (i.e., follow a person around) of a United
States person in the United States because the individual is reasonably assessed to be involved in
espionage or international terrorism. However, the CIA is barred from conducting such physical
surveillance in the United States itself except in narrow circumstances where the target of the
physical surveillance is a current or former CIA employee or contractor, or someone applying to be
a CIA employee or contractor.
The use of special collection techniques is highly restricted. A special collection technique is any
technique that would require a warrant if the technique were used in the United States for law
enforcement purposes. Electronic surveillance or a search of a home or office are examples of
special collection techniques. With narrowly defined exceptions regarding testing and training, the
CIA may not use special collection techniques in the United States. The CIA is, however, permitted
to ask another federal agency to perform special collection techniques in the United States under
that agency’s legal authorities. The CIA may also provide technical equipment or knowledge to
another federal agency in conducting authorized special collection in the United States with the
approval of the CIA’s General Counsel. The CIA may conduct special techniques outside the
United States that target a United States person only with the approval of the Director of the CIA
(or his designee), the CIA General Counsel, the Attorney General, and (where applicable) the
Foreign Intelligence Surveillance Court.

Additional Protections for Bulk and Unevaluated Information


An important aspect of the revised Attorney General Guidelines is the provisions that govern the
processing and handling of information before it is fully evaluated. Even if the CIA never intended
to target a particular United States person, the CIA may nonetheless incidentally acquire such
information in the course of conducting its authorized intelligence activities. Therefore, collectors
must take reasonable steps to limit the information collected to only that which is necessary to
achieve the purpose of the collection. For example, if the CIA obtained a hard drive previously used
by a foreign state-sponsored hacking group, that hard drive could contain both information about
the hackers and information about United States persons the hackers had collected themselves.
Depending upon the amount and nature of information in the hard drive, the CIA might be able to
evaluate the information promptly to obtain foreign intelligence, or it might take a great deal of time
to determine what portions of the data constitute foreign intelligence information or involve United
States persons.

Sections 5 and 6 of the new Attorney General Guidelines include specific approval requirements for
handling datasets that cannot be promptly evaluated for their intelligence value, whether or not the
collection activity targeted a United States person. When approving the collection or ingestion of
such data, specifically designated officials must document the purpose of the collection activity, how
the data was acquired, what steps were taken to limit the collection to the smallest subset containing
the information necessary to achieve the purpose of the collection, and further determine how
sensitive the acquired data is so that appropriate controls regarding access, querying, and retention
may be imposed.
These protections respond to a range of privacy concerns regarding the handling and use of
unevaluated data, regardless of how or where the data is acquired. The protections apply to “bulk”
collection activities, which are activities that – due to technical or operational considerations –
acquire data without the use of specific identifiers or selection terms such as names, phone numbers,
or e-mail addresses. The protections apply equally to any other intelligence collection activity that
results in the acquisition of a large quantity of information, where the CIA cannot promptly
determine whether that information may be retained for a permissible purpose. The specific
protections applied to the unevaluated dataset will depend upon the nature of the collected
information.
More specifically, the revised Attorney General Guidelines impose stricter restrictions – referred to
as “exceptional handling requirements” – on unevaluated information that is inherently more
sensitive. For example, telephone or electronic communications acquired without the consent of
one of the communicants are subject to exceptional handling requirements. Approving officials will
also subject other datasets to exceptional handling requirements if they determine the data sets
contain information that identifies United States persons, and that information is significant in
volume, proportion, or sensitivity. For example, a foreign government repository of records may
include sensitive records pertaining to Americans, and if the CIA obtains those records, CIA
officials may determine that such a dataset warrants the additional protections provided by the
exceptional handling requirements.
Data subject to exceptional handling requirements must be segregated from other kinds of data, and
only CIA employees who have completed training in the handling of such sensitive data may be
granted access to it. CIA employees may query this data to retrieve information about a United
States person only for reasons related to one of the CIA’s duly authorized activities, as previously
described, and, to the extent practicable, the CIA employee must make a statement explaining the
purpose with the query. Absent an imminent threat to life or a waiver issued by the Director of
the CIA – granted only after consultation with the CIA’s General Counsel and the CIA’s Privacy
and Civil Liberties Officer (PCLO), and reported to the CIA’s Congressional oversight committees
– the CIA must destroy any unevaluated information subject to the exceptional handling restrictions
no later than five years after the information is made available to CIA personnel for operational or
analytical use. This destruction requirement ensures that CIA has adequate time to properly identify
foreign intelligence information that may not be apparent when information is first ingested into the
CIA’s systems, while also ensuring that such sensitive information, which might include information
concerning United States persons, does not remain on the CIA’s systems for an indefinite period of
time.
Protections also apply to data that is unevaluated, but is of less sensitive nature than data subject to
the exceptional handling rules. For example, a foreign government’s repository of records may
include information that the CIA cannot promptly evaluate, but would not include the content of
telephone or electronic communications. Such routine unevaluated data must nonetheless be
segregated from information CIA officers have already evaluated, such as information found to
constitute foreign intelligence. Queries of routine unevaluated data must be reasonably designed to
retrieve information related to a duly authorized activity of the CIA. Routine unevaluated data must
be destroyed prior to 25 years from the date the information was made available for operational or
analytic use.

Retention and Dissemination


The Attorney General Guidelines permit the retention of evaluated information concerning United
States persons only if the information falls within one of several specified categories. In some cases,
this evaluation process may occur contemporaneously when the information is first acquired. For
example, a CIA officer may ask a CIA asset about the known contacts of a particular foreign
individual. If the asset gave the names of any United States persons in response, the CIA
officer would only incorporate the United States person information into a subsequent report or
cable if the United States person information was foreign intelligence or counterintelligence
information or qualified under one of the other retention categories. Alternatively, a CIA officer
engaged in analysis might come across a reference to a United States person in a segregated database
of unevaluated information, but may only take that information out of the database and use it in a
report if it may be retained under these same criteria. Even when the information concerning the
United States person may be retained, the actual identity of that United States person may only be
disseminated outside the Intelligence Community when the identity is necessary, or reasonably may
become necessary, to understand or act upon the information.
Access limitations and other protections also apply to evaluated information that has been retained.
Access to such information must be limited to those who have a need to know related to their duly
authorized activities. Queries of evaluated retained information in CIA systems must also be limited
to queries reasonably designed to retrieve information related to the CIA’s authorities and
responsibilities.
Consistent with the Executive Order and the need to share relevant intelligence information,
information concerning United States persons may be disseminated to appropriate elements of the
Intelligence Community. Such information, whether unevaluated or evaluated, must be handled
subject to the Attorney General-approved Guidelines of the Intelligence Community element
receiving the information. Information that has been determined to meet the retention criteria may
also be disseminated outside the Intelligence Community, including to the President, the National
Security Council, other intelligence consumers within the Executive Branch, relevant Congressional
Committees, or foreign governments.
Special rules apply to disseminations to foreign entities, however, including specified approval levels.
Such disseminations require a review and written determination regarding the potential risks,
including the potential harm to identified individuals, resulting from the dissemination. Foreign
entities must agree to CIA-specified restrictions on further use and dissemination.
The Guidelines further permit the dissemination of unevaluated information outside of the
Intelligence Community, but only with the approval of the Director of the CIA or designee,
concurrence of the CIA’s General Counsel and PCLO, and only after weighing the anticipated risks
and benefits and determining that such a dissemination is the only reasonable way to evaluate or use
the information. For example, under this provision, the CIA could work with a trusted international
partner against a high-priority intelligence target of joint interest, or share a limited amount of
unevaluated information with an individual or group that speaks a foreign dialect unfamiliar to CIA
personnel in order to determine whether the content contained foreign intelligence information.
The receiving entity must further provide appropriate assurances regarding their handling of the
material with respect to the potential risks resulting from dissemination.

Undisclosed Participation in Organizations in the United States


The Attorney General Guidelines provide requirements for participation in organizations in the
United States for the purpose of conducting lawful, duly authorized intelligence activities. The
Attorney General Guidelines do not apply to CIA employees joining or participating in
organizations solely for personal purposes on their own time and at their own expense. In the rare
case that there is any question about the nature of an employee’s participation and whether the
participation would be considered personal or on behalf of the CIA, then the participant should
consult with the Office of General Counsel (OGC) for guidance.
The Attorney General Guidelines provide guidance for when a CIA employee may or may not
participate in an organization and what type of information the employee may collect. Unless
additional approvals are given under Section 4 of the Attorney General Guidelines, CIA employees
may only collect publicly available or volunteered information concerning United States persons in
the course of their undisclosed participation. Additional approvals would be required, for instance, if
a CIA officer sought to question a specific individual of the organization to obtain specific
information.
CIA employees may attend professional conferences, forums, and other events generally open to the
public. CIA officers may need, for example, to acquire further training or education relevant to their
duties or to acquire continuing education towards a professional certification. If an organization
requires the disclosure of one’s employer, then CIA officers must comply unless they have received
the appropriate approval and the nondisclosure is in furtherance of one of the specified purposes
mentioned in the Attorney General Guidelines.

Even when CIA employees participate in an organization without disclosing their CIA affiliation,
they may not participate for purposes of influencing the activity of the organization or its members.
For example, a CIA officer who had not disclosed their affiliation could not propose a new policy
for the organization, suggest a new course of action, attempt to convince members to modify an
established practice, or otherwise in any way attempt to influence the activities of the organization.
A very limited exception to this rule occurs only when the organization in question is both
reasonably believed to be acting on behalf of a foreign power and is composed primarily of
individuals who are not United States persons. Attempts to influence such an organization in this
limited scenario require the approval of the Director of the CIA and the concurrence of the CIA’s
General Counsel.

Compliance and Oversight


Every CIA officer shares in the CIA’s solemn obligation to protect fully the legal rights of all United
States persons, including freedoms, civil liberties, and privacy rights guaranteed by federal law. The
CIA recruits exceptionally talented individuals from diverse backgrounds with interests in national
security, public service, and world affairs. Our officers are motivated to accomplish the CIA’s
mission, which is to collect and analyze foreign intelligence and counterintelligence, and to conduct
covert action at the direction of the President. CIA officers are not motivated by a desire to
unreasonably intrude into the private lives of their fellow citizens, and do not seek to do so.
This commitment is reflected in the CIA’s governing ethos, which states in part that “we uphold the
highest standards of lawful conduct. We are truthful and forthright, [and we] maintain the Nation’s
trust through accountability and oversight.” Accountability and oversight begin with the
professional dedication of line personnel and first-level supervisors, who help to ensure a culture of
lawful vigilance.
CIA activities are continually reviewed by a variety of internal and external oversight bodies. Within
the CIA, OGC and the Office of Inspector General (OIG) are each led by an officer who, like the
Director, is appointed by the President of the United States and confirmed by the Senate. A
substantial percentage of OGC attorneys are collocated with analysts, operators, and other
professional personnel within the CIA’s Mission Centers and other CIA elements. OIG
accomplishes its mission to provide objective oversight and detect fraud, waste, and abuse, through
audits, inspections, and investigations. CIA officers, regardless of grade or position, are encouraged
to consult with OGC and OIG as appropriate, and to report any suspected violations of law or
policy. The CIA respects whistleblower protection within the Intelligence Community, and does not
tolerate reprisals or the threat of reprisals against employees on the basis of protected disclosures.
The CIA’s PCLO provides advice and assistance to senior CIA officials regarding privacy and civil
liberties concerns, including those related to these Procedures. The CIA recently re-established this
position as a dedicated full-time appointment, recognizing its importance to the CIA’s mission. The
PCLO is taking a leading role in the public discussion regarding these Procedures.

Within the Executive Branch, the CIA’s accountability begins with the President of the United
States and the National Security Council. The CIA reports to the President in furtherance of its
national security responsibilities, and is prohibited from engaging in any activities for purposes of
affecting or interfering with the domestic political process. The CIA also engages with and is
accountable to independent entities within the Executive Branch, including the President’s
Intelligence Advisory Board, the Intelligence Oversight Board, and the Privacy and Civil Liberties
Oversight Board.
The accomplishment of the CIA’s mission is enhanced by engagement with, and accountability to,
other executive branch agencies. Within the Intelligence Community, for example, the CIA is
governed by directives issued by the Director of National Intelligence. CIA activities are also
reviewed by the Department of Justice in various contexts, such as the National Security Division’s
audits of intelligence activities authorized by the Foreign Intelligence Surveillance Act, and the
Office of Legal Counsel’s review of important legal issues relevant to the CIA’s activities. The CIA
worked extensively with the Department of Justice and the Office of the Director of National
Intelligence in developing these Procedures.
Ultimately, the CIA is accountable to the American people. The CIA gives meaning to this
oversight, in part, through its legal obligation to keep Congress fully and currently informed of
intelligence activities. The CIA regularly engages with Congressional leadership, the Senate Select
Committee on Intelligence, and the House Permanent Select Committee on Intelligence. This
oversight is also realized through the public appraisal of CIA activities and governance structures,
including through public review of the Attorney General Guidelines released today. Our hope is
that transparency initiatives such as these will lead to greater public understanding of the CIA’s
mission, and help further the important public discussion regarding the necessary and appropriate
role of intelligence agencies within the United States.
