The Intelligence Community Whistleblower Protection Act, 50 USC. § 3234, defines a protected whistleblower disclosure in a precise fashion.
First, “any employee of a covered intelligence community element,” such as the CIA or the NSA, may make a report to any of the following persons: “the Director of National Intelligence (or an employee designated by the Director of National Intelligence for such purpose), the Inspector General of the Intelligence Community, the head of the employing agency (or an employee designated by the head of that agency for such purpose), the appropriate inspector general of the employing agency, a congressional intelligence committee, or a member of a congressional intelligence committee.”
Second, the whistleblower does not need to have definite proof of the violation, but only needs to “reasonably believe” that his or her information “evidences” violations covered under the law.
Third, the type of misconduct or violations covered under the whistleblower law for which disclosures may be made are defined as follows:
“(1) a violation of any Federal law, rule, or regulation; or
“(2) mismanagement, a gross waste of funds, an authority, or a substantial and specific danger or safety.”
Disclosures made within these parameters are protected, and the law prevents retaliation. However, the enforcement mechanism for this law is very weak and does not permit the employee to challenge retaliation in court. Additionally, under the law, the ultimate authority responsible for protecting intelligence community whistleblowers is the President of the United States.
In addition to the whistleblower protection law, President Obama signed a Presidential Directive setting forth procedures for protecting national security/intelligence community whistleblowers. See https://kkc.com/wp-content/uploads/2020/06/intelligence_presidential-policy-directive-19-oct-10-2012.pdf.
The website of the Director of National Intelligence contains an explanation of the rights afforded Intelligence Community whistleblowers.