Directive Expected Thursday at ODNI Headquarters
The director of national intelligence is expected to sign a directive on Jan. 15 that sharply restricts the use of foreign-made commercial spyware across the intelligence community, according to three officials familiar with the plan. The directive, titled Policy Guidance on Foreign Commercial Cyber Surveillance Tools, will bar most civilian intelligence agencies from deploying or funding spyware products developed by vendors based outside the United States, United Kingdom, Canada, Australia, or New Zealand, the officials said.
The order will apply to the CIA, NSA, FBI, DIA, NGA, and NRO, as well as to contractors operating on behalf of those agencies, two of the officials said. A senior official, speaking on condition of anonymity, said the directive will require each agency to submit a complete inventory of existing spyware contracts, licenses, and evaluation agreements by Feb. 28. Agencies that wish to continue using a restricted tool must obtain a waiver signed by the DNI and the agency head, the official said.
The policy stems from a classified review launched in late October by the Office of the Director of National Intelligence, according to a former Senate Intelligence Committee staffer who was briefed on the findings. The review identified at least four foreign spyware vendors whose products had been used in ways that created counterintelligence risks, including one instance in which a vendor's infrastructure communicated with a server linked to a Russian internet provider, the staffer said.
The directive will be signed at 10 a.m. on Jan. 15 in the ODNI conference room on Liberty Crossing Drive in McLean, Virginia, one official said. A small group of agency general counsels and counterintelligence officials is expected to attend, the official said.
Review Found Network Exposure and Vendor Risks
The classified review, which ran for 74 days and involved personnel from ODNI, NSA, and CISA, concluded that at least three U.S. government networks had been exposed to foreign-controlled infrastructure through spyware deployments, according to two officials familiar with the matter. The officials declined to identify the affected agencies but said none of the incidents involved classified systems.
One official said the review examined 23 commercial spyware products and found that 14 relied on infrastructure outside the Five Eyes alliance for command and control, data exfiltration, or license verification. The official said the findings were summarized in a 42-page report circulated to agency general counsels on Jan. 9. That report, labeled SECRET/NOFORN, included a classified appendix listing each product and its assessed counterintelligence risk, the official said.
The review also examined $430 million in intelligence community spending on commercial surveillance tools during fiscal years 2023 through 2025, according to a congressional aide briefed on the figures. The aide said roughly $170 million of that total went to vendors headquartered outside the Five Eyes countries, with the largest share flowing to two Israeli firms and one Italian firm. The aide said the new directive does not immediately cancel those contracts but requires agencies to justify any renewal or extension through the waiver process.
The directive marks a significant shift from a 2023 policy that allowed agencies to evaluate foreign spyware on a case-by-case basis, one official said. That earlier policy was intended to preserve access to tools used by adversaries, but the review concluded that the risks of foreign control over software updates and data routing outweighed the intelligence benefits, the official said.
The directive will not apply to military cyber operations conducted under Title 10 authorities, two defense officials said. U.S. Cyber Command and the NSA's Tailored Access Operations unit will retain separate authority to acquire and evaluate foreign tools under existing oversight procedures, the officials said. The restriction also exempts law enforcement agencies outside the intelligence community, though the FBI is covered because it carries both law enforcement and foreign intelligence responsibilities, one official said.
What Happens Next
A classified implementation memo will follow the directive within 72 hours, according to one official familiar with the schedule. The memo will name the four vendors whose products triggered the review and will set a March 31 deadline for agencies to terminate any non-waived contracts, the official said.
Congressional intelligence committees were briefed on the broad outlines of the policy on Jan. 12, two congressional aides said. The committee's ranking member is expected to raise questions about waiver procedures and oversight at a closed hearing scheduled for Jan. 21, one aide said. The House Intelligence Committee has requested a separate briefing no later than Jan. 17, the other aide said.
Industry analysts said the directive could disrupt a global spyware market estimated by one research firm at $12 billion annually. Two U.S. defense contractors present at a Jan. 8 industry briefing said they were told to expect a 90-day transition period before any existing contracts must be terminated or moved to an approved waiver process. One contractor said the briefing slide deck included a chart showing that seven current vendor relationships would require waivers to continue.
Watch for an official ODNI statement on Jan. 15, followed by possible pushback from European spyware vendors and from lawmakers who argue the policy does not cover state and local law enforcement agencies. The White House is not expected to comment publicly until after the directive is signed, officials said.
