Show Your Work: The Intelligence Standard for Sourcing
The Intelligence Fundamentals Project
Every analytic product rests on sources. The quality of those sources, the transparency with which they’re presented, and the ability of a reader to find and evaluate them independently determine whether the product earns trust or simply asks for it. Intelligence Community Directive 206 is the IC’s formal answer to a straightforward question: when you disseminate an analytic product, what do you owe the reader about where your information came from? The directive establishes specific requirements for how sourcing information must appear in finished intelligence, and while its mechanics are built for the classified environment, the problems it solves exist everywhere intelligence analysis happens.
ICD 206 applies to what it calls “covered analytic products,” which are disseminated analytic products designated by each IC agency in consultation with the Office of the Director of National Intelligence (ICD 206 2015). A disseminated analytic product is any intelligence product, such as an assessment, study, estimate, compilation, database, or graphic, created by an IC agency’s analytic arm, reviewed by that agency, and distributed to consumers outside that agency (ICD 206 2015). The directive doesn’t apply to internal working drafts or informal exchanges between analysts. It kicks in when a product leaves the building and reaches a consumer who will make decisions based on what it says.
The distinction draws a clear line between analysis in progress and analysis being presented as authoritative. A private intelligence firm faces the same boundary. An internal research memo circulated among analysts for discussion carries different obligations than a finished report delivered to a client. The moment a product is presented as a basis for decision-making, the consumer has a right to know what it’s built on. ICD 206 formalizes that right within the IC. Outside the IC, the principle applies even if the formal structure doesn’t.
What Sourcing Information Is Supposed to Do
The directive states that sourcing information serves two purposes: enhancing the credibility and transparency of intelligence analysis, and assisting readers in making an informed assessment of the quality and scope of sources underlying the analysis (ICD 206 2015). Those purposes work together. Credibility comes from showing your work. Transparency comes from showing it in a way that lets the reader evaluate it independently rather than taking your word for it. The directive adds a third functional requirement: sourcing information must enable readers to discover and retrieve the original sources themselves (ICD 206 2015). That retrieval requirement transforms sourcing from a trust signal into a practical tool. A reader who can locate and read the original source can verify the analyst’s interpretation, check for context the analyst may have omitted, and assess whether the source supports the weight the analyst placed on it.
A law enforcement analyst producing a threat assessment for a police commander faces the same set of needs. If the assessment cites a confidential informant’s reporting, the commander needs enough information to evaluate how much weight that reporting deserves: how reliable has the informant been, how direct is their access, how recent is the information? If the assessment references a commercial database query, the commander needs to know which database, what the query parameters were, and when the data was pulled. Without that information, the commander is trusting the analyst’s judgment about the sources rather than evaluating the sources themselves. That might be acceptable when time is short and trust is high, but it’s a fragile foundation for decisions with consequences.
The directive also notes that sourcing information should be sufficient to meet these purposes “while avoiding exhaustive source listings” (ICD 206 2015). The goal is transparency, not documentation for its own sake. A due diligence report that lists every database searched, every public record reviewed, and every news article scanned without indicating which sources actually mattered to the conclusions has produced volume without transparency. The reader who receives forty footnotes has no better understanding of the source base than the reader who receives none, because they can’t tell which sources drove the analysis and which were background noise.
The Four Sourcing Mechanisms
ICD 206 requires sourcing information to be presented through four mechanisms, each serving a different function (ICD 206 2015). They work together to give the reader a complete picture of what the product is built on.
Source Reference Citations: The Backbone
Source reference citations are sequentially numbered endnotes that correspond to superscript numbers in the body of the product (ICD 206 2015). An SRC must be generated each time a source is directly cited in the text or when a specific analytic judgment, assessment, estimate, alternative hypothesis, or confidence level depends on a source (ICD 206 2015). Sourcing isn’t limited to direct quotes or explicit attributions. Any time the analyst’s conclusion rests on a particular source, the reader needs to know which source and needs enough information to find it.
The directive specifies that an SRC should reference “the most original source that presents the relevant information in a form appropriate for use in analysis” (ICD 206 2015). That requirement pushes analysts past secondary reporting to primary sources. An analyst who cites a news article summarizing a government report should cite the government report itself if it’s accessible and contains the relevant information in usable form. A corporate intelligence analyst who cites a competitor’s press release based on a trade publication’s summary should cite the press release directly. Every layer of intermediation between the analyst and the original source introduces potential distortion, and the reader deserves to see the closest thing to the original that the analyst can provide.
Within the IC, each SRC endnote contains a specific set of elements. Here’s what the IC requires and what the equivalent looks like for practitioners outside the IC:
Appended Reference Citations
Appended reference citations are appropriate for information that “relates to analysis in a supplemental or complementary way, but does not expressly affect or support a specific aspect or outcome of analysis” (ICD 206 2015). ARCs provide further reading options, show broader context, or identify insights from conversations with subject matter experts outside the analyst’s organization. Their inclusion is optional, and the directive explicitly states that ARCs “shall not be included solely to delineate the overall scope of analytic inquiry or research” (ICD 206 2015). That prohibition targets a common temptation: padding the reference list to signal thoroughness. If a source didn’t contribute to the analysis, listing it doesn’t make the product stronger. It makes the sourcing section harder to navigate without adding information the reader can use.
Every analyst faces this problem regardless of sector. When you write a report, some sources directly support your conclusions and some provided useful background that shaped your thinking without driving any specific judgment. Separating these two categories helps the reader understand which sources matter most and which are supplementary. A due diligence analyst who lists thirty sources without distinguishing between the five that drove the risk assessment and the twenty-five that provided general background has left the client to sort that out on their own.
Source Descriptors: What the Citation Can’t Tell You
A source descriptor is “a brief, narrative exposition of factors that affect or indicate the quality or credibility of a single source” (ICD 206 2015). A citation tells you where the information came from. A descriptor tells you how much weight it can bear. The directive requires source descriptors to appear either in the main body of the text or in the SRC endnote (ICD 206 2015).
The factors a source descriptor can address include:
Accuracy and completeness: Has this source provided accurate information before? Is the information partial or comprehensive?
Possible denial and deception: Could the source be deliberately misleading? Is there reason to suspect the information has been manipulated?
Age and currency: How old is the information? Is it still valid, or have conditions changed since it was collected?
Technical elements of collection: How was the information gathered? Does the collection method introduce limitations?
Source access: How close is the source to the information being reported? Direct observation, secondhand reporting, or further removed?
Validation: Has the information been corroborated by independent sources?
Motivation and possible bias: Does the source have a reason to shade the information in a particular direction?
Expertise: Does the source have the background or training to report accurately on this subject?
A law enforcement intelligence product that cites a confidential human source needs to tell the reader whether that source has provided reliable information in the past, whether they have direct or indirect access to the information being reported, and whether they have any known motivation that might color their reporting. A corporate analyst citing a trade publication’s market analysis needs to note whether that publication has a track record of accuracy on the topic, whether the analysis is based on proprietary data or publicly available figures, and whether the publication has known affiliations that might introduce bias. The citation gets the reader to the source. The descriptor tells the reader what to expect when they get there.
The directive draws a notable distinction for publicly available information. Source descriptors for intelligence-based or diplomatic sources must be derived from source documents, and if an analyst substantially changes a descriptor from what the source provides, they must indicate this with a rationale (ICD 206 2015). For publicly available information not obtained from a government-produced open source report, analysts may devise their own source descriptors (ICD 206 2015). That flexibility reflects a practical reality: publicly available sources rarely come with built-in quality assessments the way classified intelligence reports do. The analyst working with open sources has to assess source quality independently, and ICD 206 acknowledges that by giving them room to construct their own descriptors.
Source Summary Statements: The Big Picture
Source summary statements provide a holistic assessment of the entire source base supporting a product (ICD 206 2015). Where source descriptors address individual sources, source summary statements address the collection of sources as a whole. The directive says these statements should cover “strengths and weaknesses of the source base, which sources are most important to key judgments, what sources are meaningfully corroborative or conflicting, and should highlight any specific subject matter expertise used to develop the assessment” (ICD 206 2015). Source summary statements are “strongly encouraged” rather than required, but the directive notes that their importance increases with the complexity of the product, the complexity of the sources, or the number of sources cited (ICD 206 2015).
A source summary statement answers a question that individual citations and descriptors can’t: taken together, how strong is the foundation this product stands on? An analyst might cite fifteen sources, each with its own descriptor, and the reader still won’t know whether those fifteen sources are all drawing from the same underlying data, whether they corroborate each other independently, or whether the key judgment rests on a single source while the other fourteen provide only peripheral support. The source summary statement is where the analyst steps back and gives the reader that bigger picture. A corporate intelligence report assessing a potential acquisition target might note that the financial analysis draws primarily from public filings and two independent commercial databases that produced consistent results, while the assessment of the target’s internal culture relies heavily on a single former employee whose account could not be independently verified. That kind of transparency lets the reader calibrate their confidence in different parts of the assessment rather than accepting or rejecting the whole product as a unit.
Preserving What Disappears
One of ICD 206’s most practically significant requirements addresses sources that don’t stay put. The directive requires that when an analyst cites a source that is dynamic (such as an internet posting), ephemeral (such as a phone conversation), or not stored under the producing organization’s retention policies, a record of the source must be preserved for at least one year (ICD 206 2015). For products with a specified time horizon, meaning products whose judgments are intended to remain valid for a defined period, source information must be retained for that period or five years, whichever is shorter (ICD 206 2015).
A citation is only as useful as the source it points to. If a reader follows a citation to a webpage that no longer exists, a social media post that’s been deleted, or a conversation that was never documented, the entire sourcing mechanism fails. The citation becomes a dead end, and the reader is back to trusting the analyst’s word rather than evaluating the evidence independently.
The preservation problem is acute for anyone working with open sources. Websites change. Social media posts disappear. Online databases update their content. A corporate intelligence analyst who cites a competitor’s pricing page in a market assessment may find that the page has been updated by the time the client reads the report. A law enforcement analyst who cites a social media post in a threat assessment may find the post deleted by the time the case goes to court. An OSINT practitioner who identifies a relevant forum discussion may find the entire forum taken offline within weeks.
ICD 206 doesn’t prescribe a specific preservation method, but the requirement itself forces a discipline that many organizations outside the IC haven’t formalized. Archiving web pages, screenshotting social media posts with metadata, recording the date and content of phone conversations, saving copies of database queries with their results: these practices are the operational translation of the directive’s requirement. The one-year minimum retention period is a floor, not a ceiling, and for any work product that might face legal scrutiny or extended review, longer retention is prudent. A private investigator whose report becomes evidence in litigation two years later needs to be able to produce the sources that report was built on, and “the website doesn’t exist anymore” is not an answer that holds up under cross-examination.
When Time Runs Out
The directive acknowledges that perfect sourcing isn’t always possible before dissemination. If urgent requirements, crisis conditions, or time-sensitive operations make it infeasible to produce a fully sourced product before it needs to reach the consumer, the product may be disseminated first and re-issued with complete sourcing “as soon as feasible, but not more than 30 days thereafter” (ICD 206 2015). That 30-day window is a hard limit, and the re-issued product must be retained as a document of record alongside the original.
That tension exists across every intelligence discipline. The consumer who needs information now may be better served by a partially sourced product delivered in time to inform a decision than by a perfectly sourced product that arrives after the decision has already been made. ICD 203’s timeliness standard recognizes the same tension. ICD 206 insists that urgency is a reason to defer sourcing, not to skip it. The 30-day re-issuance requirement ensures that the sourcing gap is temporary and that the fully sourced version becomes the document of record.
A corporate intelligence team supporting a fast-moving acquisition negotiation faces the same dynamic. The deal team may need a preliminary assessment of a target company before close of business, and producing that assessment with full sourcing documentation may take longer than the decision window allows. Delivering the preliminary assessment with whatever sourcing is immediately available, then following up within a defined period with a fully sourced version, mirrors the ICD 206 approach. The key discipline is the follow-through: making sure the fully sourced version actually gets produced and delivered, rather than letting the preliminary version become the permanent record by default.
Institutional Accountability
ICD 206 places implementation responsibility at multiple levels. Within ODNI, a senior official designated as the Deputy Director of National Intelligence for Intelligence Integration (DDNI/II) serves as the directive’s implementing authority: compiling and annually updating a central listing of covered analytic products, monitoring compliance, and adjudicating exemption requests (ICD 206 2015). The heads of each IC agency must nominate their covered product types, implement information technology standards that support the directive, provide training and tools to their employees, and retain copies of covered products with full sourcing as documents of record (ICD 206 2015).
An agency that cannot consistently comply with specific provisions for a particular product type may request an exemption, but the request must be submitted in writing, describe the specific factors that make compliance infeasible, and be adjudicated by the DDNI/II (ICD 206 2015). Exemptions are tied to identified product types and mission-critical circumstances, not granted as blanket waivers. The structure is designed to make exemptions intentional and documented rather than informal and invisible.
Most organizations outside the IC lack this kind of formalized sourcing accountability, and that gap shows in their products. When sourcing practices are left to individual analyst judgment without institutional standards, quality varies widely. Some analysts cite meticulously; others barely cite at all. Some preserve their sources; others let ephemeral material disappear without documentation. Some provide source quality assessments; others present every source as if it were equally reliable. The IC’s approach, whatever its bureaucratic weight, recognizes that consistent sourcing is an institutional responsibility rather than an individual preference. Any organization that produces intelligence analysis for decision-makers would benefit from establishing its own version of the same framework: defined standards for what sourcing information products must contain, a designated authority responsible for compliance, training that gives analysts the skills and tools to meet the standards, and a process for handling legitimate exceptions.
Sourcing Self-Check
The following questions translate ICD 206’s requirements into a practical checklist for any analyst producing a finished product, regardless of sector:
[ ] Can the reader find my sources? Does every claim that rests on a source include enough information for the reader to locate and retrieve that source independently?
[ ] Have I cited the most original source available? Am I pointing the reader to the primary source, or to someone else’s summary of it?
[ ] Have I described source quality? Does the reader know the strengths and limitations of the sources I’m relying on, including potential bias, access level, and track record?
[ ] Have I separated what matters from what’s background? Can the reader tell which sources directly drove my conclusions and which provided context?
[ ] Have I assessed my source base as a whole? Does the reader understand whether my sources corroborate each other independently, overlap, or leave significant gaps?
[ ] Have I preserved sources that might disappear? For web pages, social media posts, phone conversations, and other ephemeral sources, do I have archived copies with dates and metadata?
[ ] If I delivered under time pressure, is there a plan to follow up? If the product went out with incomplete sourcing, is there a defined timeline for re-issuing with full documentation?
References
Intelligence Community Directive 206. 2015. Sourcing Requirements for Disseminated Analytic Products. Office of the Director of National Intelligence.
Intelligence Community Directive 203. 2015. Analytic Standards. Office of the Director of National Intelligence.