Every intelligence judgment stands on a foundation of sources. The quality of that foundation determines whether the judgment deserves confidence or skepticism, and your reader needs enough information to make that determination for themselves. Sourcing transparency is the difference between analysis that drives sound decisions and analysis that gets people hurt.

An assessment claims high confidence but rests on a single uncorroborated human source. An estimate cites dozens of reports, but they all trace back to the same original collector. A policymaker authorizes military action, a law enforcement commander plans a raid, or a corporate executive approves an acquisition, all based on analysis whose foundations they couldn’t evaluate because the analyst never showed them. ICD 203 exists precisely because this kept happening: it requires analytic products to “properly describe the quality and credibility of underlying sources, data, and methodologies” (ICD 203 2015). ICD 206 expands on this by requiring sourcing information that helps readers make “an informed assessment of the quality and scope of sources underlying the analysis” (ICD 206 2017).

Your reader is going to make a decision based on what you tell them, whether you’re writing for the White House Situation Room or a private client’s boardroom. A phrase like “according to the US Embassy” doesn’t tell the reader whether the information is direct or indirect, observed firsthand or reported secondhand, corroborated by other sources or standing entirely alone (CIA 1995). Precision in attribution gives consumers the basis to calibrate their own confidence in what you’re telling them and in the decisions they make based on it.

How to Cite: Source Reference Citations

ICD 206 requires a Source Reference Citation each time a source is directly cited or a specific aspect of analysis depends on a source, covering judgments, assessments, estimates, alternative hypotheses, and confidence levels. The citation should reference the most original source available. If a news article quotes a government report, and you have access to the government report, cite the report. Every unnecessary intermediary in your citation chain introduces transmission error and weakens traceability. An analyst who cites a CNN article that cites a Reuters wire that cites an unnamed Pentagon official has created three points of potential distortion when a direct reference to the Pentagon statement would have created none.

Citation endnotes identify who originated the information: the publishing IC element, the named source, the liaison service’s country of origin, or for open sources, the external author and host platform (ICD 206 2017). For open source material, the endnote should include the URL, collection tool, or third-party service provider (ICS 206-01). Another analyst should be able to reconstruct your sourcing chain from your citations alone. If they can’t, your citations need work.

The practical test: Could someone with appropriate access reconstruct your sourcing chain from your citations alone? If not, your citations need work.

Evaluating Source Reliability and Information Credibility

ICD 203 requires analysts to surface the qualitative factors that affect how much weight a source deserves: “accuracy and completeness, possible denial and deception, age and continued currency of information, and technical elements of collection as well as source access, validation, motivation, possible bias, or expertise”. For intelligence sources, these descriptors must be derived from source documents, and any substantial changes require a rationale (ICD 206 2017). For open source material, you’ll craft your own. The specific factors that matter shift depending on the source type and the judgment it supports, but the reader always needs enough information to weigh the source against the specific claim you’re building on it. Telling a reader that a source is “generally reliable” tells them almost nothing. A corporate intelligence analyst writing a due diligence assessment who describes an industry source as having “provided accurate information on hiring and retention trends at three other firms over the past two years, with access through executive recruiting rather than direct employment at the target company” gives the reader something they can actually evaluate.

Several structured frameworks exist to standardize this evaluation. The specific system depends on your institutional context, but they all enforce the same core discipline: source reliability and information credibility are independent variables assessed separately.

The Military/NATO System (6×6)

The standard alphanumeric system used across NATO and the US military rates sources on a six-point letter scale from A (Reliable) through F (Cannot Be Judged), and rates information credibility on a parallel numeric scale from 1 (Confirmed) through 6 (Cannot Be Judged), with the two assessments made independently of each other (ATP 2-22.9 2015). A reliable source can deliver bad information, and an untested source can hand you something your existing collection already confirms. The scales exist separately because conflating them leads analysts to discount good information from unproven sources and accept bad information from trusted ones.

Source Reliability

Information Credibility

Reliability ratings are earned over time through a feedback process in which past reporting is compared against ground truth as it becomes available (JP 2-0 2022). New sources start at F with no track record, and their information gets evaluated on its own merits until that record develops. An F-rated source who provides information you can independently confirm starts building a case for a higher rating on the next report.

The 5×5×5 System (Law Enforcement)

UK law enforcement developed the 5×5×5 system under the National Intelligence Model to standardize how intelligence is evaluated and shared across agencies (ACPO 2007). When a detective in Manchester passes intelligence to a counterpart in London, both need to understand instantly how much trust the source and information deserve, and who’s authorized to see it. The system uses three independent five-point scales evaluated in sequence. Though formally superseded in UK policing by the 3×5×2 model in 2016, the 5×5×5 remains in wide use across international law enforcement, the private sector, and organizations that share intelligence across institutional boundaries (OSCE 2017).

First 5: Source Evaluation (A through E). The officer or analyst who obtained the information grades the source’s reliability based on track record.

Second 5 – Information Evaluation (1 through 5). This grades the information itself, independent of the source. The question isn’t “do I trust this source?” but “how well does this information hold up on its own merits?”

Third 5: Handling Codes (1 through 5). The handling code controls dissemination based on the risk that sharing poses to the source, ongoing operations, or other interests.

A grading of “B 2 1” tells you the source is mostly reliable, the information is known firsthand to the source but hasn’t been independently verified by the receiving officer, and the intelligence can move within the law enforcement community under standard conditions. An analyst or officer reading that shorthand knows immediately what they’re working with and how far they can share it.

The 5×5×5 also places the evaluation where it belongs: with the person who obtained the information (OSCE 2017). The officer who sat across the table from the informant knows things about their demeanor, access, and credibility that don’t survive the transition to a written report. The grading system captures a structured version of that firsthand assessment and carries it forward to every downstream consumer who never met the source.

Evaluating Web-Based Sources

Evaluating web-based sources requires asking different questions than evaluating a human source or a signals intercept, but the underlying discipline is the same: you need to know how much weight the information deserves before you build on it. Three factors drive that assessment.

  • First, provenance: can you verify who created the content, and do they have the credentials, institutional backing, or demonstrated expertise to speak credibly on the subject? An unsigned blog post and an analysis from a researcher with a verifiable publication history make very different claims to authority.

  • Second, verifiability: does the content reference primary sources you can check, and does it get checkable details right? A source that accurately reports facts you can confirm earns more credibility on claims you can't independently verify.

  • Third, independence: is the content separated from advertising, advocacy, or financial interest? A market analysis published by a firm with a position in the asset it's analyzing carries different weight than one published by an entity with no stake in the outcome.

Sources that blur those boundaries, including "unreviewed documents from self-published Web repositories such as blogs, Wikipedia, political sites, and commercial advertising," lack the trustworthiness that editorial review, peer review, or institutional vetting provides (ATP 2-22.9 2015). None of them are worthless by default, but all of them require harder scrutiny before you stake a judgment on what they're telling you.

Cognitive Biases in Sourcing

Analysts bring predictable cognitive distortions to source evaluation, and the sourcing standards exist partly to counteract them. Heuer identified several that bear directly on how analysts weigh sources (Heuer 1999). Vivid, concrete, firsthand reporting consistently receives more weight than abstract or statistical evidence of equal or greater value; a HUMINT source who says "I was in the room" will dominate your thinking over a pattern analysis that covers ten times the data. Analysts are oversensitive to consistency and insufficiently sensitive to reliability: three reports that trace back to the same original source feel like corroboration because they arrive through different channels, but they're the same information counted three times.

A lack of evidence rarely gets the weight it deserves; if you aren't deliberately inventorying what you expected to see but didn't, that absence will never enter your analysis. And anchoring ensures that the first report on a topic frames how every subsequent report gets interpreted, even if the first report was weak or wrong. Caveats attached to early assessments erode over time while the core judgment persists. Confirmation bias compounds all of these: once you've formed a judgment, you notice supporting evidence and discount contradictions, which means critical information from sources you've rated as low-quality may get dismissed before you've evaluated it on its own merits (US Government 2009).

Sourcing Failures

Circular reporting occurs when the same information reaches you through multiple channels and you mistake it for independent corroboration (FM 2-0 2023). Source A tells an embassy officer; a liaison service debriefs Source A’s associate, who heard it from Source A; both reports arrive through different channels and look like two sources confirming each other. Without tracing reports back to their origins, you can’t tell whether you have five sources or one source counted five times.

Adversary deception succeeds because it gives busy analysts exactly what they’re looking for: “seemingly reliable information on which to base a conclusion” (CIA 1997). An adversary who understands your collection posture and analytical expectations can feed you information that confirms your priors while leading you to the wrong conclusion. For any assessment that will drive significant decisions, you should be able to articulate why your key sources aren’t being manipulated. The CIA’s counterdeception guidance frames the core discipline: “How do you know you are not being deceived?” (CIA 1997).

Single-source dependence follows a consistent pattern: an analyst develops trust in a source, the source delivers reliably, and the analyst stops seeking corroboration. Then the source is wrong, compromised, or reports outside their actual access, and nobody catches it (US Government 2009). The 2023 DoD IG evaluation found that tradecraft training gaps were the top challenge across the Department of Defense, creating “inconsistent approaches to objectivity, bias, politicization, or other issues in analytic products” (DODIG-2023-100 2023).

Mitigation Techniques

The Tradecraft Primer describes a Quality of Information Check: a structured review that produces an honest accounting of “what we know” and “what we do not know” by checking all sources for accuracy, verifying corroboration of critical reporting, and reexamining previously dismissed information in light of new facts (US Government 2009). A related Source Check, conducted during the first full review of collected information, forces structured questions about authorship, organizational affiliation, and internal evaluation of the source, interrupting the tendency to rate sources higher when you like what they’re telling you.

Separating fact from judgment prevents a common failure where a source’s opinion gets presented as the analyst’s confirmed finding. A corporate intelligence report that states “the target company is recovering financially, as indicated by a well-placed industry contact” blurs whether the recovery assessment belongs to the analyst or the contact. The corrected version: “According to an industry contact with access to the target’s senior leadership, the CFO has told investors the company has turned the corner toward recovery.” Now the reader knows the recovery claim is the CFO’s, the reporting channel is the industry contact, and neither has been independently verified by the analyst. Each link in the chain can be evaluated on its own terms.

For issues where deliberate manipulation is a possibility, or where the client will make significant decisions based on the assessment, structured validation asks: How do we know this? What alternative explanations exist for why this information reached us? Could a competitor, a hostile party, or the target itself have planted or manipulated it? A due diligence analyst who can’t explain why their key sources on a potential acquisition aren’t being fed favorable information by the seller hasn’t finished their analysis (CIA 1997).

Sourcing Outside the IC

A corporate intelligence analyst building a competitive assessment relies on trade publications, industry sources, financial filings, and human contacts. Without structured sourcing practices, they can’t tell their client how much weight any particular claim deserves or whether multiple reports represent independent corroboration or the same rumor circulating through an industry. A private investigator tracing financial transactions through open sources needs to document where each piece of information came from, how they verified it, and what limitations apply. Law enforcement analysts preparing threat assessments must characterize sources with enough specificity that officers can calibrate their tactical responses: acting on an A1 tip and acting on an E4 tip require different postures, different levels of corroboration, and different risk tolerances.

The cognitive biases that distort source evaluation affect everyone who does analytical work. Circular reporting, single-source dependence, and adversary deception are risks wherever intelligence informs decisions. The IC’s sourcing standards evolved through decades of costly failures. Practitioners outside the IC don’t need to adopt every procedural requirement, but the core disciplines of source characterization, citation traceability, and honest accounting of source base strengths and weaknesses apply to any analyst whose reader will act on what they’re told.

References

  • ACPO. 2007. Practice Advice: Introduction to Intelligence-Led Policing. London: National Centre for Policing Excellence.

  • AFDP 2-0. Intelligence. Washington, DC: Headquarters, Department of the Air Force.

  • ATP 2-22.9. 2015. Open-Source Intelligence. Washington, DC: Headquarters, Department of the Army.

  • CIA. 1995. Factual Accuracy and Sourcing. Directorate of Intelligence. Washington, DC: Central Intelligence Agency.

  • CIA. 1997. Making Sense of Transnational Threats. Directorate of Intelligence. Washington, DC: Central Intelligence Agency.

  • DODIG-2023-100. 2023. Evaluation of DoD Intelligence Analytic Tradecraft. Alexandria, VA: Department of Defense Inspector General.

  • FM 2-0. 2023. Intelligence. Washington, DC: Headquarters, Department of the Army.

  • Heuer, Richards J., Jr. 1999. Psychology of Intelligence Analysis. Washington, DC: Center for the Study of Intelligence.

  • ICD 203. 2015. Analytic Standards. Washington, DC: Office of the Director of National Intelligence.

  • ICD 206. 2017. Sourcing Requirements for Disseminated Analytic Products. Washington, DC: Office of the Director of National Intelligence.

  • ICS 206-01. Sourcing Requirements for Open Source Intelligence. Washington, DC: Office of the Director of National Intelligence.

  • JP 2-0. 2022. Joint Intelligence. Washington, DC: Joint Chiefs of Staff.

  • Kwoun, James S., and Robert W. Schmor. 2021. Analytic Tradecraft Standards: An Opportunity to Provide Decision Advantage for Army Commanders. Accessed December 3, 2025. https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MA-21/Kwoun-Tradecraft-Standards.pdf.

  • OSCE. 2017. Good Practices in Basic Police Training: Curricula Aspects. Vienna: Organization for Security and Co-operation in Europe.

  • SACLANT. 2002. Open Source Intelligence Handbook. Norfolk, VA: Supreme Allied Commander Atlantic.

  • US Government. 2009. A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis. Washington, DC: Central Intelligence Agency.