Counterintelligence Case Screening
Organizational Context
This case examines counterintelligence (CI) case screening across the U.S. Intelligence Community, including agency CI elements, joint task forces, insider threat programs, and law enforcement partners.
Potential CI cases enter the system through insider reports, anomalous behavior indicators, foreign contact disclosures, cyber investigations, financial anomalies, and intelligence reporting.
• Volume of indicators far exceeds investigative capacity.
• Many indicators are ambiguous or benign in isolation.
• False positives carry career and trust consequences.
• Missed true cases carry national security risk.
Leadership sought consistent, defensible screening decisions, but the deeper problem was that individual CI indicators were being treated as equivalent when they were not.
How the Work Was Intended to Function
From a counterintelligence protection perspective, screening was assumed to function predictably:
• Indicators are received and logged.
• Initial credibility assessment is performed.
• Cases are screened for investigative merit.
• Appropriate cases are opened or referred.
• Non-actionable indicators are documented and closed.
Because policies, adjudicative standards, and investigative thresholds existed, the system appeared governed at an aggregate level.
What Was Actually Happening
Observed reality diverged materially:
• Low-quality indicators consumed analyst capacity.
• High-risk cases were sometimes delayed due to screening backlogs.
• Risk aversion led to inconsistent escalation thresholds.
• Documentation varied widely across units.
• Analysts experienced pressure to both avoid false accusations and prevent misses.
The underlying issue was not analyst diligence, but the absence of a shared way to interpret a single CI screening event before deciding investigative posture.
How FLOW Was Introduced
Leadership sought a stabilizing lens without expanding investigative resources or changing legal standards. Specifically, they needed:
• A common language to explain why CI indicators behave differently.
• A method to separate indicator volume from potential harm.
• A unit-centered lens rather than pattern-level aggregation.
• Governance aligned to national security risk rather than certainty alone.
FLOW was introduced as a classification lens applied before case opening, referral, or dismissal decisions.
Identifying the Unit of Effort
The organization anchored screening on a single, stable unit of work:
• Unit of Effort: one counterintelligence screening event requiring assessment and disposition.
• Multiple indicators or reports may inform the same screening event.
• Parallel analytic or investigative checks do not create new units.
• The screening event does not change as impact expands; only handling and governance change.
How Complexity Was Determined
Complexity was defined as the amount of judgment required to interpret intent, access, and risk.
• Low complexity: clearly benign indicators with innocent explanations.
• Higher complexity: ambiguous behavior or incomplete information.
• Higher complexity: access to sensitive information with unexplained anomalies.
• Higher complexity: indicators of deception or of hostile intelligence tradecraft on the subject's part.
How Scale Was Determined
Scale was defined as the breadth of national security consequence if the screening decision is wrong.
• Sensitivity of information or systems accessed.
• Potential damage from compromise.
• Need for cross-agency coordination.
• Strategic or diplomatic implications.
Applying FLOW to Counterintelligence Screening
With complexity and scale definitions fixed, each screening event was classified consistently. The unit remains constant across all examples; only consequence and governance change.
• Classify complexity first.
• Classify scale second.
• Assign the single FLOW classification that best fits the unit. High scale takes precedence: an event whose consequence is enterprise-wide is FLOW D even when its complexity is also high, because FLOW D is defined with variable complexity and its senior governance can still direct the deeper analysis that FLOW C calls for.
FLOW A — Local, Contained Screening Events
This example involves one CI screening event. The unit does not change.
Example: a foreign contact disclosure with clear, benign explanation.
• Complexity: low.
• Scale: low.
• Handling implication: document and close.
Built-out handling: analysts validate disclosures, confirm compliance, and close the screening without further action.
FLOW B — Broader Coordination from One Screening Event
This example still involves one screening event. The unit remains the same; coordination requirements expand.
Example: indicators requiring coordination between CI, security, and insider threat offices.
• Complexity: low.
• Scale: moderate.
• Handling implication: coordinated screening and monitoring.
Built-out handling: CI elements synchronize information, align monitoring actions, and assign accountability. The distinction from FLOW A is coordination breadth.
FLOW C — Complex, Judgment-Driven Screening
This example still involves one screening event. Judgment requirements increase materially.
Example: ambiguous indicators involving access to sensitive systems and unexplained behavior.
• Complexity: high.
• Scale: low-to-moderate.
• Handling implication: deeper assessment and hypothesis testing.
Built-out handling: analysts test explanations, evaluate access pathways, and document uncertainty before escalation.
FLOW D — System-Level Impact from One Screening Event
This example still involves one screening event. The unit remains unchanged; dependency becomes enterprise-wide.
Example: screening event indicating possible foreign intelligence penetration.
• Complexity: variable.
• Scale: high.
• Handling implication: senior governance and national coordination.
Built-out handling: leadership coordinates investigative posture, resource allocation, and strategic communication.
FLOW S — Exceptional Screening Events
This example still involves one screening event, but the normal governance pathways cannot act quickly enough and are therefore inappropriate.
Example: imminent compromise requiring immediate containment.
• Complexity and scale vary.
• Handling implication: emergency authority.
• Key risk: catastrophic national security damage.
Built-out handling: immediate containment actions, rapid investigation, and emergency coordination.
What Changed After FLOW Classification
• Screening decisions became proportional and explainable.
• FLOW A events closed without consuming excess capacity.
• FLOW B events received structured coordination.
• FLOW C events received disciplined analytic judgment.
• FLOW D events received senior governance.
• FLOW S events followed emergency pathways.
Organizational Implications
• Reduced false positives.
• Earlier identification of high-risk cases.
• Clearer analyst accountability.
• Improved trust in CI processes.