https://crsreports.congress.gov
April 20, 2022
Controlled Access Programs of the Intelligence Community
Introduction
The Controlled Access Programs (CAPs) that the
Intelligence Community (IC) has developed to further limit
the sharing of the most sensitive classified information have
raised questions for Congress. In response, as part of the
Intelligence Authorization Act (IAA) for Fiscal Year 2022,
(Division X of P.L. 117-103, the Consolidated
Appropriations Act for Fiscal Year 2022) Congress added
new oversight requirements with respect to these programs.
CAPs compartmentalize intelligence on the basis of the
sensitivity of the activity, sources, or methods involved.
Congressional concern has centered on the over-
classification of intelligence and potential negative impacts
of keeping materials from those who need to know in order
to perform their duties. Recent legislation seeks to promote
an appropriate balance between protecting the most
sensitive sources, methods, and activities, while making
sure information is shared with those who have a legitimate
need for it. Effective oversight of CAPS may require an
understanding of how these programs are authorized and
administered, and how they intersect with other
classification programs and schema.
Definitions
Intelligence Community Directive (ICD) 906, Controlled
Access Programs, provides guidance for management of
CAPs and defines a CAP as “a top-level control system and
any compartment or sub-compartment under that control
system.” Within the IC, the topmost level within a CAP
structure is called a control system. Common examples of
control systems include SI (Special Intelligence), TK
(Talent Keyhole), and HCS (Human Intelligence Control
System). Control systems can have compartments and sub-
compartments.
The names for many CAPs are unclassified, and, in some
cases, known to the public (their substance is classified).
There are, however, also unacknowledged CAPs. These are
CAPs whose existence is known only to those who are
authorized for access to the information.
Outside of the Intelligence Community the equivalent term
for similarly sensitive programs is Special Access Program
(SAP). Executive Order (E.O.) 13526, Classified National
Security Information, defines a SAP as “a program
established for a specific class of classified information that
imposes safeguarding and access requirements that exceed
those normally required for information at the same
classification level.” Although CAP is the IC term for a
SAP, CAPs are managed separately from the SAPs
established under the authority of the National Security
Council (NSC) or the non-IC components of the
Departments of Defense, Justice, Homeland Security, State,
and Energy.
CAPs vs. Classification Levels
A CAP is not a level of classification. A CAP is a
compartmentalized control system within a level of
classification, involving compartments and sub-
compartments. Levels of classification include TOP
SECRET, SECRET, and CONFIDENTIAL indicating the
relative sensitivity of intelligence activities, sources and
methods described within, and the relative damage to
United States national security that could result from the
document’s unauthorized disclosure. Within the IC, CAPs
are most commonly compartments or sub-compartments of
the TOP SECRET level of classified intelligence.
CAPs vs. Dissemination Controls
CAPs are not the same as dissemination controls.
Dissemination controls are markings appended to the
security classification that provide guidance on additional
restrictions on access to, or dissemination of, a document.
Common dissemination control markings include ORCON
(the document’s originator controls further dissemination),
PROPIN (contractor proprietary information), REL TO
(releasable to a particular foreign partner(s)), IMCON
(controlled imagery), RELIDO (releasable by a designated
Intelligence Disclosure Official), and NOFORN (U.S.-only;
no foreign dissemination). Separate dissemination control
markings exist for non-intelligence information.
Authority for Establishing a CAP
ICD 906 specifies that the Director of National Intelligence
(DNI) and the Principal Deputy Director of National
Intelligence (PDDNI) have the authority to “create,
validate, substantially modify, or terminate” a CAP.
ICD 906 also provides that the DNI can delegate to a CAP
Program Manager, via the head of any of the 18 statutory
IC elements, the authority to “create, substantially modify,
or terminate” compartments or sub-compartments of an
established control system.
The Intelligence Authorization Act for Fiscal Year 2022
(Division X of P.L. 117-103, the Consolidated
Appropriations Act for Fiscal Year 2022) requires that the
head of an IC element notify Congress prior to establishing
a CAP.
Standards for Establishing a CAP
Under ICD 906, establishment of a CAP requires (1) a
finding that “the vulnerability of, or threat to, specific
information is exceptional,” such that the normal criteria for
determining eligibility for access to information classified
at the same level are insufficient to protect the information
