Governance & Program Info

OSINT Automation — Governance

Cross-builder institution context and per-item ownership, due dates, status, and next actions for the governance-relevant checklist items in this builder.

Institution context
Program info
Applies across every builder in the app. Stored locally; nothing leaves the browser.
Checklist governance
Items (0 of 14 marked complete)
Annotate ownership, due date, status, and next action. Items on the left come from the builder's governance / compliance phases.
05 · Governance & Compliance
Maintain E.O. 12333 and AG-approved procedures compliance file
required
Documented compliance with E.O. 12333 (as amended) and the component-specific AG-approved procedures.
05 · Governance & Compliance
Align with IC OSINT Strategy 2024-2026 and DoD OSINT Strategy
required
Map program objectives to the ODNI/CIA IC OSINT Strategy (March 2024) and the DoD OSINT Strategy (2023).
05 · Governance & Compliance
Register the program with the IC OSINT Executive / DIA OSINT Manager
required
IC elements coordinate through the ODNI IC OSINT Executive office (stood up 2022 at ~$34M); DoD through DIA as lead OSINT manager.
05 · Governance & Compliance
Document ICD 203 / ICD 205 compliance at the analytic-product level
required
Every analytic product produced by the automation meets ICD 203 tradecraft standards and ICD 205 OSINT standards.
05 · Governance & Compliance
Maintain DoDI 3305.12 / 10 U.S.C. § 467 mapping (DoD only)
required
DoD OSINT program compliance with DoDI 3305.12 (May 2018, updated 2022) and the 10 U.S.C. § 467 OSINT definition.
05 · Governance & Compliance
Implement US-persons minimization workflow
required
Documented minimization procedures for any US-persons content that is incidentally collected.
05 · Governance & Compliance
Apply Privacy Act obligations where applicable
required
Systems holding records retrievable by US-person identifiers may trigger Privacy Act system-of-records obligations.
05 · Governance & Compliance
Apply DoDI 5200.48 for CUI handling
required
OSINT-derived products frequently aggregate into CUI even when sources are unclassified.
05 · Governance & Compliance
Assess GDPR / UK GDPR exposure for EU / UK persons
recommended
GDPR and UK GDPR can apply to EU/UK persons even when content is collected from US territory.
05 · Governance & Compliance
Track state-level right-of-publicity law exposure
optional
Right of publicity varies by US state and can constrain automated use of celebrity / public-figure imagery.
05 · Governance & Compliance
Apply DFARS 7012 / NIST SP 800-171 to contractor-held CUI
required
Contractor systems that handle CUI-tagged OSINT products must comply with DFARS 252.204-7012 and NIST SP 800-171.
05 · Governance & Compliance
Apply FAR 39.2 supply chain risk controls to AI vendors
required
FAR Part 39.2 supply chain controls apply to the commercial AI and OSINT vendors in the program.
05 · Governance & Compliance
Maintain vendor inventory with In-Q-Tel / NDAA Sec. 1323 alignment
recommended
Track vendor lineage (In-Q-Tel pedigree, NDAA Sec. 1323 IC Innovation Unit acquisition path) for oversight.
05 · Governance & Compliance
Do not conflate OSINT with Section 702 FISA
required
Section 702 is a SIGINT authority. OSINT programs must avoid any procedural or documentary conflation.