

The Army Lawyer


Administrative Actions with a Counterintelligence Twist





When there is a military justice action—whether court-martial, Article 15, or reprimand—our Corps is well-versed in the follow-on actions required. From post-trial procedures to administrative separations, judge advocates (JAs) can smoothly guide our commands through the sometimes-intricate processes to maintain good order and discipline.

Despite these well-exercised muscle movements, the process often grinds to a halt when elements of counterintelligence (CI) investigations and non-Army agency equities become intertwined with the well-rehearsed administrative processes. While CI investigations are not as routine as their Criminal Investigation Division (CID) counterparts, JAs should understand how to leverage these robust investigations as well as the multi-agency input supporting them. This article will assist JAs in coordinating within the interagency space to deliver the right evidence to the right actor in a usable format while leveraging the capabilities of other agencies to address the commander’s concerns.

Counterintelligence Investigations

Executive Order (EO) 12333 directs the Secretary of Defense to “protect the security of Department of Defense [(DoD)] installations, activities, information, property, and employees by appropriate means, including such investigations of applicants, employees, contractors, and other persons with similar associations with the [DoD] as are necessary.”1 This authority is further delegated through Army channels to the Commander of U.S. Army Intelligence and Security Command (INSCOM); it is formalized, in part, in Army Regulation (AR) 381-12, Threat Awareness and Reporting Program.2 In AR 381-12, Tables 3-1 through 3-4 set forth a series of indicators that Soldiers should report to 1-800-CALL-SPY or a number of other resources described.3

Through authorities from INSCOM—and as described in AR 381-20, Army Counterintelligence Program—CI agents examine these tips and generate CI reports that could serve as the basis for additional investigation.4 These investigations are designed to: identify activities that may constitute national security crimes; substantiate or refute allegations or indications of spying; protect Army personnel, installations, and property; and acquire evidence to assist in the prosecution by competent authorities.5

The collection of information about a subject of an investigation is further limited by the procedures outlined in DoD Manual 5240.01.6 During a CI investigation, generally, non-public information about a U.S. person7 can only be intentionally collected without consent when the individual is believed to be: engaged in intelligence activities on behalf of a foreign power or their agent; engaged in international terrorist activities; or acting on behalf of an international terrorist.8 Given the subject matter and predicate for CI investigations, it is common for the investigations to include information, classified at various levels, from a number of other agencies.

Using CI Evidence for Separation

With the robust quality of CI investigations, it is tempting to simply use the CI investigation for a traditional administrative action.9 While the CI investigation may resemble—or in some cases parallel—a CID investigation, the CI investigation is intelligence driven and governed by intelligence oversight procedures;10 on the other hand, the CID investigation is for an express law enforcement purpose.11 This distinction most commonly manifests as a JA’s inability to use all the evidence in the CI file for the separation process due to intelligence considerations such as the incidental disclosure of sources and methods.12

In originally classifying a piece of information, the agency head—whether DoD, Army, or other agency—is making a determination about the potential harm the release of that information could have on the national security of the United States. These published classification guides13 extend to the derivative classification of subsequent reports that restate, paraphrase, or incorporate the protected information.14 Stated another way, the classification protects the information—including specific words—rather than the form the information takes. Since intelligence from non-Army agencies may carry additional caveats or limitations on its distribution or use, derivative classification can make it difficult to include a summary of classified material in a separation packet.15

With the difficulty in sharing intelligence with the target of that intelligence, it is often necessary to find alternate methods for separation. One available option is to use the CI investigation as a starting point for a more traditional CID or administrative investigation.16 Although the CI investigation provides a highly reliable roadmap to misconduct, when considering this path, the JA should work closely with the CI agent to prevent the inadvertent exposure of a source who contributed to the initial CI investigation.

Alternatively, the command could base the separation on information the subject is legally entitled to. For example, when a subject fills out their Standard Form 86,17 or conducts an interview with the Office of Personnel Management, those files are accessible by the individual through the Privacy Act.18 Additionally, if there is inconsistent data between these sources and other available sources, such as Federal Bureau of Investigation or U.S. Customs and Immigration Service (USCIS) interviews, it is possible to justify separation without referencing sensitive materials.19

Finally, when a separation authority is reviewing the separation action, consider reading that commander into the CI investigation. In presenting the CI investigation in this manner, the purpose is to give context to assist the command in choosing from the range of options available under the Uniform Code of Military Justice and regulation, not as a reason for separation.

Sharing Evidence for Action by Other Agencies

Beyond the screening of evidence from a CI investigation for use in a separation, other government agencies may use the information only as background rather than as a basis for action. For example, in separating a non-U.S. citizen with identified CI risks, CI agents and their servicing JAs may need to work with USCIS to fully neutralize the threat through post-separation deportation. As CI investigations derive their authority from a component of the intelligence community, and in addition to the limitations of dissemination above, Procedure 4 limits how U.S. person information may be disseminated.20

In some cases, CI agents may uncover evidence of non-national security crimes—like threats against an investigator, theft, or the unauthorized use of a government information system.21 In these situations, with proper intelligence oversight, CI agents can share this information with the appropriate federal entity—generally CID. Through CID’s existing relationships with other law enforcement agencies—both federal and local—CID can share evidence of crimes with other interested agencies. In a hypothetical situation, CI and CID agents can compare interview notes on a subject with interviewers from USCIS so that all federal agencies are operating from a common set of facts during the various interviews of a subject. By including DoD law enforcement in the investigation of CI matters, where appropriate, investigators and their servicing JAs can leverage the law enforcement sharing agreements to address both the unit’s discipline issues and larger national security concerns.

Leveraging Outside Capabilities to Address Commander Concerns

In addition to the utility of using CI information in the administrative process and communicating relevant information to other federal authorities, JAs can coordinate with outside agencies to address the commander’s concerns. For example, if the subject of a CI investigation makes comments about going absent without leave, this information can be shared with other interested federal agencies. In some circumstances, these agencies have the authority to flag the subject’s passport when they attempt to travel with the document. While the majority of these flags will not stop travel, they will trigger a notification to the requiring agency of the travel—hopefully with time to act.

Another concern of commanders separating Soldiers with CI concerns is the ability of the soon-to-be former Soldier to return as a federal employee or contractor. With credible derogatory information that falls within one of the thirteen adjudicative guidelines,22 the special security officer (SSO) or security manager should report the information through the Joint Personnel Adjudication System to the DoD central adjudication facility.23 In future national records checks, correct reporting of derogatory information ensures future investigators will have access to the information before government employment.24


Separations with a CI twist can be more difficult to move through the process—not for a dearth of evidence, but due to the nature of the evidence. As such, these separations require JAs to work with non-traditional partners both inside and outside the DoD. In working through professional CI agents, the SSO/security manager, CID, and other federal agencies, JAs can support their commands with the maintenance of good order and discipline. These separations also safeguard the national security of the United States by removing people of questionable loyalty from having placement and access to sensitive information—or those with the sensitive information.


MAJ McCullough is a command judge advocate at 500th Military Intelligence Brigade-Theater at Schofield Barracks, Hawaii.

A special thank you is owed to the truly professional Counterintelligence Agents of the 500th Military Intelligence Brigade-Theater, specifically the Hawaii Resident Office for talking me through their investigative procedures so that we could find ways for the brigade legal team to assist in their mission to protect national security.


1. Exec. Order No. 12,333, 3 C.F.R. § 200, as amended by Exec. Order No. 13,284, 13,355, and 13,470 ¶ 1.10(h) (July 30, 2008).

2. U.S. Dep’t of Army Reg. 381-12, Threat Awareness and Reporting Program (1 June 2016).

3. Id. tbl.3-1-3-4, para. 4-2. Although a single spillage event or foreign contact does not mean an individual is a counterintelligence threat, patterns of behavior or the appearance of multiple indicators will often trigger an initial investigation. Indicators include activities as obvious as: “advocating support for international terrorist organizations or objectives”; “sending large amounts of money to persons or financial institutions in foreign countries”; or “procuring supplies and equipment, purchasing bomb making materials, or obtaining information about the construction and use of explosive devices.” Id. Indicators also include more mundane or nuanced activities such as: “joking or bragging about working for a foreign intelligence service or associating with international terrorist activities”; “expressing a political, religious, or ideological obligation to engage in unlawful violence directed against U.S. military operations or foreign policy”; or “participation in political demonstrations that promote or threaten the use of unlawful violence directed against the Army, DOD, or the United States based on political, ideological, or religious tenets, principles, or beliefs.” Id. Indicators also include information technology activities such as: “downloading, attempting to download, or installing non-approved computer applications”; “unauthorized use of universal serial bus, removable media, or other transfer devices”; or “exfiltration of data to unauthorized domains or cross domain violations.” Id.

4. U.S. Dep’t of Army, Reg. 381-20, The Army Counterintelligence Program (U) (25 May 2010). While the paragraphs referenced in this article are unclassified, the overall classification of Army Regulation (AR) 381-20 is SECRET//NOFORN.

5. Id. para. 4-2.

6. U.S. Dep’t of Def., Manual 5240.01, Procedures Governing the Conduct of DoD Intelligence Activities (8 Aug. 2016) [hereinafter DoDM 5240.01]. Department of Defense Manual 5240.01 applies to all units conducting intelligence activities under DoD’s authorities. Id. para. 1.1. After approval of the Attorney General and consultation with the Director of National Intelligence, the Department of Defense (DoD) published DoDM 5240.01 as a series of procedures to guide the practice of intelligence. Id. para. 1.3. Within these procedures—colloquially known as “Procs”—Proc 2 describes when a Defense Intelligence Component (DIC) may intentionally collect U.S. person information (USPI). Id. para. 3.2. Provided that the DIC complies with Proc 2, Proc 3 describes the retention of USPI. Id. para. 3.3. Proc 4 addresses dissemination of properly collected and retained USPI—in any form—to other government entities within the DoD, the federal government, or other governments. Id. para. 3.4.

7. Id. Glossary. U.S. person includes:

A U.S. citizen. An alien known by the Defense Intelligence Component concerned to be a permanent resident alien. An unincorporated association substantially composed of U.S. citizens or permanent resident aliens. A corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments. A corporation or corporate subsidiary incorporated abroad, even if partially or wholly owned by a corporation incorporated in the United States, is not a U.S. person. A person or organization in the United States is presumed to be a U.S. person, unless specific information to the contrary is obtained. Conversely, a person or organization outside the United States, or whose location is not known to be in the United States, is presumed to be a non-U.S. person, unless specific information to the contrary is obtained.


8. Id. para. 3.2.c.(4)(a)-(c).

9. For simplicity, this article refers to separation as encompassing both officers and enlisted. While the regulations differ, there are similar evidentiary notice requirements for both groups. For example, during an enlisted separation, the Soldier has the right “[t]o obtain copies of documents that will be sent to the separation authority supporting the proposed separation.” U.S. Dep’t of Army, Reg. 635-200, Active Duty Enlisted Administrative Separations para. 2-2c(3) (19 Dec. 2016). For officers and enlisted Soldiers entitled to a board, the board procedures in Army Regulation (AR) 15-6 state that respondents have the right to “[e]xamine and object to the introduction of real and documentary evidence, including written statements.” U.S. Dep’t of Army, Reg. 15-6, Procedures for Administrative Investigations and Boards of Officers para. 7-8a(1) (1 Apr. 2016) [hereinafter AR 15-6]. Both AR 635-200 and AR 15-6 have general procedures for addressing classified material.

10. DoDM 5240.01, supra note 6, § 3.

11. U.S. Dep’t of Army, Reg. 195-2, Criminal Investigation Activities para. 3-1 (9 June 2014) (“The Army has investigative authority whenever an Army interest exists and investigative authority has not been specifically reserved to another agency in accordance with AR 27–10; and the MOU between the DOD and the DOJ relating to the investigation and prosecution of certain crimes (DoDI 5525.07). Generally, an Army interest exists when one or more of the following apply: (1) The crime is committed on a military installation or facility, or in an area under Army control. (2) There is a reasonable basis to believe that a suspect may be subject to the Uniform Code of Military Justice. (3) There is a reasonable basis to believe that a suspect may be a DOD civilian employee or a DOD contractor who has committed an offense in connection with his or her assigned contractual duties which adversely affects the Army. (4) The Army is the victim of the crime… (5) There is a need to protect personnel, property, or activities on Army installations from criminal conduct on, or directed against, military installations that has a direct adverse effect on the Army’s ability to accomplish its mission.”).

12. Exec. Order No. 13,526, 75 Fed. Reg. 705 § 1.4. (2010). For implementation of these rules for the Army, see U.S. Dep’t of Army, Reg. 380-5, Army Information Security Program (22 Oct. 2019) [hereinafter AR 380-5].

13. AR 380-5, supra note 12, para. 2-9.

14. Id. para. 2-1.

15. Id. para. 7-2. See also 32 C.F.R. § 2001.24j (2020) (“Dissemination control and handling markings identify the expansion or limitation on the distribution of the information. These markings are in addition to, and separate from, the level of classification.”).

16. AR 15-6, supra note 9, paras. 3-16, 7-5 (guidelines on handling classified materials).

17. See Questionnaire For National Security Positions, U.S. Off. of Prof. Mgmt. (2016), https://www.opm.gov/forms/pdf_fill/sf86.pdf. The Standard Form 86 is the Office of Personnel Management published Questionnaire for National Security Positions. The form asks about personal, family, and financial history to determine suitability for positions of public trust.

18. The Privacy Act of 1974, 5 U.S.C. § 552a(d) (2019) (“Each agency that maintains a system of records shall—(1) upon request by any individual to gain access to his record or to any information pertaining to him which is contained in the system, permit him and upon his request, a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him, except that the agency may require the individual to furnish a written statement authorizing discussion of that individual’s record in the accompanying person’s presence.”). See also U.S. Dep’t of Army, Reg. 25-22, The Army Privacy Program (22 Dec. 2016).

19. In some instances, these investigative interviews—whether as part of an initial entry background check or for a security clearance—can constitute a false official statement under Article 107. Manual for Courts-Martial, United States pt. IV, 107 (2019) [hereinafter MCM] (“Any person subject to this chapter who, with intent to deceive—(1) signs any false record, return, regulation, order, or other official document, knowing it to be false; or (2) makes any other false official statement knowing it to be false; shall be punished as a court-martial may direct.”). For officers, it is possible to obtain separation through a two-step process. First, the derogatory CI information should be sent through Joint Personnel Adjudication System to the DoD central adjudication facility to facilitate the revocation of any clearance. Although this action requires notice to the Soldier facing the loss of their clearance, the notification makes allowance for withholding information for national security. U.S. Dep’t of Army, Reg. 380-67, Personnel Security Program para. 8-6 (24 Jan. 2014) [hereinafter AR 380-67] (“The statement shall be as comprehensive and detailed as the protection of sources afforded confidentiality under the provisions of the Privacy Act of 1974 (5 USC 552a) and national security permit.”). Second, with the above action complete, the command can begin separation for the loss of the officer’s security clearance. U.S. Dep’t of Army, Reg. 600-8-24, Officer Transfers and Discharges para. 4-2b(10) (22 Dec. 2016) (“The final denial or revocation of an officer’s Secret security clearance by appropriate authorities acting pursuant to DoDD 5200.2-R and AR 380-67.”).

20. DoDM 5240.01, supra note 6, para. 3.4(c)(5). Dissemination to non-DoD federal government entities is limited to when “the recipient is reasonably believed to have a need to receive such information for the performance of its lawful missions or functions.” Id.

21. MCM, supra note 19, 123 (“Any person subject to this chapter who—(1) knowingly accesses a Government computer, with an unauthorized purpose, and by doing so obtains classified information, with reason to believe such information could be used to the injury of the United States, or to the advantage of any foreign nation, and intentionally communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted such information to any person not entitled to receive it; (2) intentionally accesses a Government computer, with an unauthorized purpose, and thereby obtains classified or other protected information from any such Government computer; or (3) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization to a Government computer; shall be punished as a court-martial may direct.”).

22. AR 380-67, supra note 19, app. I.

23. Id. paras. 9-1-9-6.

24. Id.