Professional Documents
Culture Documents
Ici D02 S01 T12 Step
Ici D02 S01 T12 Step
17B
Table of Contents
Conclusion ..................................................................................................................................... 17
Notices .......................................................................................................................................... 22
Page 1 of 22
Intelligence Writing – Why It Matters
0B
Intelligence Writing –
Why It Matters
39
Page 2 of 22
Why Intelligence Writing Matters
1B
“If you are not able to clearly communicate the results of all the research, analysis, and
other grunt work you have put in, then, from the reader’s viewpoint, none of that
mattered.”
Writing and Briefing are fundamental to the intelligence profession.
Major, James S. Communicating with Intelligence. Lanham, MD: Rowman & Littlefield, 2014.
40
Page 3 of 22
Intelligence Writing – Some Tips
2B
41
Page 4 of 22
operators in the field with new insight
and meaning.
Page 5 of 22
bottom line, explore your implication,
and then anything more than five
pages on one particular topic or
event may not be read by many
people.
Who will be reading your product, or who will you be briefing to?
How much does your audience already know about the subject?
Why does your audience care?
How will your audience use / or would you like for them use the information you give
them?
42
Page 6 of 22
Intelligence Writing Is Not Academic Writing -1
4B
Introduction
Historical background
Conclusion
Page 7 of 22
diving into details, and then you have
your conclusion where you wrap up
everything in a nice summary. So
that is actually the opposite way of
how you should do intelligence
writing. Don't do that when you're
writing intelligence as a cyber
intelligence analyst.
Intelligence Writing starts with the most important concept and has reasoning and
analysis that follows.
Bottom Line Up Front
Order Typically Follows:
Key Judgements
Source Summary
Technical Analysis
Strategic Analysis
Conclusion
Page 8 of 22
this slide and these sections that I'm
about to talk about, but all of them
are going to tell you to keep the
Bottom Line Up Front, followed by
Key Judgments. So let's talk about
these more in-depth.
Page 9 of 22
Bottom-Line-Up-Front (BLUF)
6B
Page 10 of 22
bottom line is. If they have
additional questions about your
Bottom Line Up Front, they can
always ask you and you can give
them the information that they need.
So you want to get right to the point;
answer the question that your reader
wants to know in the first paragraph.
46
Page 11 of 22
looking at, and I would always
recommend writing the BLUF last
when you're doing your assessment.
Key Judgements
8B
Key Judgements
Must convey accurately and succinctly the analytical findings of the paper
Exclude source information used in the paper, persons consulted during preparation,
or analytical methodologies
Generally should not exceed 10% of your paper
Are in bullet format, listed in order of importance
Example
“We judge with high confidence that in fall 2003, Tehran halted its nuclear weapons program;
we also assess with moderate-to-high confidence that Tehran at a minimum is keeping open
the option to develop nuclear weapons.”
James S. Major. Communicating with Intelligence. Second Edition. London. 2014.. Rowman and Littlefield.
November 2007 National Intelligence Estimate, “Iran: Nuclear Intentions and Capabilities
48
Page 12 of 22
capabilities as classified and released
by the Office of Director of National
Intelligence. The example is, "We
judge with high confidence that in
the fall of 2003 Tehran halted its
nuclear weapons program. We also
assess with moderate to high
confidence that Iran at a minimum is
keeping open the option to develop
nuclear weapons." So that's an
example of a Key Judgment.
1 - 2 paragraphs – (Preferably one) Paras should not exceed five - six sentences.
Focus on types of sources, credibility, reliability, date of information, and relevance to
the intelligence provided.
Example
“Analytical findings are based on multi-source intelligence reporting over the last two years.
SIGINT detailing XYZ threat actor capabilities was corroborated with two long-time HUMINT
sources assessed to be reliable and whose reporting on past and different cyber threat
actors has been corroborated. OSINT (pastebin / IRC, dark web chats) often corroborated
classified reporting yet we are unable to fully determine the reliability and credibility of those
OSINT sources on such platforms.”
49
Page 13 of 22
your particular employer's
preference. I think it would also be a
good idea to place or note where
your intel gaps are, although I've
seen some reports where intelligence
gaps are at the end of the
assessment, and here's an example
of a Source Summary statement that
I just made up. "Analytical findings
are based on multi-source
intelligence reporting over the last
two years. SIGINT dealing with XYZ
threat actors was corroborated with
two long-time HUMINT sources
assessed to be reliable and whose
reporting on past and different cyber
threat actors has been corroborated.
OSINT often corroborated classified
reporting yet we are unable to fully
determine the reliability and
credibility of those OSINT sources on
the platform."
Page 14 of 22
Intelligence Gaps
10B
Page 15 of 22
Threat and Strategic Analysis
11B
51
Page 16 of 22
work back in decreasing order of
importance. Think of your Technical
Analysis section as your Threat
Analysis section, which should
address the what, how, where, and
when questions of your cyber issue.
Think of your Strategic Assessment
as addressing the who and the why
when it comes to particular threat
actors, or a deep analysis on trends
in the industry about a particular
topic or technology. In these
sections, you should also inform
about what analytical methods, if
any, were employed to assist your
analysis that help with your
judgments.
Conclusion
12B
Conclusion
Make sure the reader walks away with what they need.
Unique – Flows organically from everything that came before it
Substantive – Has meaning, gives the reader something to consider, more
context than BLUF
Proportional – Length of conclusion depends on length and complexity of paper
Consistent – Should convey the same overall message in the BLUF; consistent in
tone and attitude of rest of paper
Not a copy and paste of BLUF
Do not leave any cliffhangers.
Page 17 of 22
you actually have. In some cases, if
you only have a page or a page and
a half of text, you probably do not
need to write a conclusion. If you do
have a conclusion, you want to make
sure the reader walks away with
what they need to know. So think of
your conclusion as your last chance
to convey your meaning to the
audience or the reader, and because
of that, you really want a strong
conclusion. Since the consumer of
your product has already reached the
conclusion, meaning that they've
read through the entire paper, feel
free to synthesize your analysis a bit
more with more detail or in a way
that best captures your meaning and
what you want your reader to
remember and act on at the end. So
like the BLUF, the conclusion brings
all the pieces together, but in the
conclusion you have more flexibility
to allude to people, places, concepts,
attacks covered earlier in the paper.
Page 18 of 22
There should be no mixed messages,
and the conclusion should not just be
a copy-and-paste of your BLUF.
54
Page 19 of 22
for example, "The cyberattack
destroyed the server," is the active
voice. The passive voice would be,
"The server was destroyed by the
cyberattack." You want to use the
active voice.
55
Page 20 of 22
Intelligence Writing Tips -3
15B
https://en.wikipedia.org/wiki/Wikipedia:Neutral_point_of_view
56
Page 21 of 22
Notices
16B
Notices
Copyright 2020 Carnegie Mellon University.
This material is based upon work funded and supported by the Department of Homeland Security under Contract No. FA8702-15-D-
0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and
development center sponsored by the United States Department of Defense.
The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official
Government position, policy, or decision, unless designated by other documentation.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS
FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE
MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT,
TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see
Copyright notice for non-US Government use and distribution.
CERT® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
DM20-0262
Page 22 of 22