A Review of the National Security Agency
by Sara D. Berman
Intelligence Review Directorate
Final Report on the Verification Inspection of the National Security Agency
Report Number IR 96-03
February 13, 1996
Special Warning
This report contains certain unclassified information relating to the
organization and function of the National Security Agency that may
be protected by Public Law 86-36, May 29, 1959. Reproduction or
removal of pages is prohibited. Safeguards must be taken to prevent
publication or improper disclosure of the information in this report.
FOR OFFICIAL USE ONLY
Additional Copies
To obtain additional copies of this audit report, contact the
Secondary Reports Distribution Unit, Analysis Planning and
Technical Support Directorate, at (703) 604-8937 (DSN 664-8937)
or FAX (703) 604-8932.
Suggestions for Future Audits and Evaluations
To suggest ideas for or to request future audits and evaluations,
contact the Planning and Coordination Branch, Analysis Planning
and Technical Support Directorate, at (703)604-8939 (DSN 664-
8939) or FAX (703) 604-8932. Ideas and requests can also be
mailed to:
Inspector General, Department of Defense
OAIG-AUD (ATTN: APTS Audit and Evaluation Suggestions)
400 Army Navy Drive (Room 801)
Arlington, Virginia 22202-2884
Defense Hotline:
To report fraud, waste, or abuse, contact the Defense Hotline by
calling (800) 424-9098; by sending an electronic message to
[email protected]; or by writing the Defense Hotline, The
Pentagon. Washington, D.C. 20301-1900. The identity of each
writer and caller is fully protected.
Acronyms
AIS Automated Information Systems
ASD(C3I) Assistant Secretary of Defense
(Command, Control, Communications, and Intelligence)
COMINT CommunicationsIntelligence
CPBS Capabilities Programming and Budgeting System
CSM Computer Security Manager
CSNAM Computer Securityand Network Accreditation Methodology
CSS Central Security Service
DCI Director of Central Intelligence
DFARS Defense Federal Acquisition Regulation Supplement
EO Executive Order
FAR FederalAcquisition Regulation
GPRA Government Performance and Results Act
HRRG Human Resources Review Group
IG Inspector General
IMC Internal Management Control
INFOSEC InformationSecurity
NFIP National Foreign Intelligence Program
NSA Nationl Security Agency
NSRL National Signals Intelligence Requirements List
NSTISSAM National Security Telecommunications and Information Systems
Security Advisory Memorandum
NTISSC National Telecommunications and Information Systems
Security Committee
OPSEC OperationsSecurity
PPBS Planning, Programming, and Budgeting Systems
SAP Special Access Program
SCI Sensitive Compartmented Information
SIGINT Signals Intelligence
VRK Very Restricted Knowledge
---------------------------
INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-2884
February 13, 1996
MEMORANDUM FOR DIRECTOR
NATIONAL SECURITY AGENCY
SUBJECT:Final Report on the Verification Inspection of the National Security Agency (Report No. IR96-03)
We are providing this final report for information and use. The
report discusses management actions taken to correct problems
identified during the 1991 Inspection of the National Security
Agency. We considered comments on a draft of this report in
preparing the final report.
Comments on the draft of this report conformed to the requirements
of DoD Directive 7650.3 and left no unresolved issues. Therefore,
no additional comments are required.
We appreciate the courtesies extended to the inspection team.
Questions on the inspection should be directed to Lt Col Michael
Simpkins, USAF, Inspection Director, at (703) 604-8872 (DSN 664-
8872). The inspection team members are listed in Appendix A. See
Appendix B for the report distribution.
Russell A. Rau
Assistant Inspector General
Policy and Oversight
Special Warning
This report contain certain unclassified information relating to the
organization and function of the National Security Agency that may
be protected by Public Law 86-36, May 29, 1959. Reproduction or
removal of pages is prohibited. Safeguards must be taken to prevent
publication or improper disclosure of the information in this report.
FOR OFFICIAL USE ONLY
---------------------------------------------------
TABLE OF CONTENTS
Page
PART I - INTRODUCTION
Background...1
1991 Inspection...2
Scope...2
Methodology...2
PART II - ORGANIZATIONAL ASSESSMENT
Overall Verification Assessment...3
PART III ISSUES AND RECOMMENDATIONS
Manpower/Organizational Structure...5
Strategic Planning...8
Internal Management Control Program...10
Special Access Programs...12
Signal Intelligence Integration...15
Operations Centers...18
Collection Evaluation System...19
Operations Security...21
Joint Decisionmaking...23
Integrated Budget System...26
Revoking Security Clearances...27
Information Security...28
Equipment Accountability...29
Contract Oversight...32
Computer Systems...37
Inspector Genera...l39
APPENDIXES
A - Inspection Team Members
B - Report Distribution
-------------------------
PART I - INTRODUCTION
BACKGROUND
The National Security Agency (NSA) is part of the
national foreign intelligence structure. That structure is comprised of
numerous Government agencies and organizations that manage the
national intelligence programs. The common thread among those
agencies and organizations is that they are concerned with some
aspect of collecting, processing, or analyzing foreign intelligence
information.GenesisThe genesis of the Intelligence Community can
be traced to the National Security Act of 1947. Before the Act, the
Departments of War, State, and Navy conducted independent
intelligence functions without the benefit of an overall national
coordinating agency or organization. The Act and subsequent
Executive Orders consolidated intelligence functions under the
Director, Central Intelligence. The National Security Agency was
created by Presidential memorandum on November 1, 1952. The
national signals intelligence (SIGINT) mission was consolidated
when the SIGINT elements of the Services, referred to as the Central
Security Service, were consolidated under the NSA in 1971.
The Director, NSA, has traditionally been a military officer of Flag
rank who is also designated as the Chief, Central Security Service.
The Director is authorized a Deputy Director, NSA (civilian), and a
Deputy Chief, Central Security Service (military).
Central Security Service
The Central Security Service is a jointly
staffed headquarters of Army, Navy, Marine Corps, and Air Force
operating elements using personnel from the Service Cryptologic
Elements. The commanders of Service cryptologic organizations and
their subordinate activities that conduct SIGINT operations receive
direction from the Chief, Central Security Service, for all matters
involving SIGINT activities. However, they receive administrative
and logistical support from their parent Services.
NSA INFOSEC Mission
In addition to SIGINT, the NSA is required to ensure secure
telecommunications and automated information security (INFOSEC)
for all departments and agencies of the U.S. Government.Director-
SIGINT AdvisorThe Director, NSA, reports to the Secretary of
Defense and serves as the principal SIGINT advisor for the Secretary
of Defense; Director of Central Intelligence; and the Chairman, Joint
Chiefs of Staff.
The NSA headquarters element is located at Fort George G. Meade,
Maryland. The NSA also has additional facilities at other locations
throughout the Baltimore/Washington area.
1991 INSPECTION
In 1991, the Inspector General, Department of Defense, conducted the
first comprehensive inspection of the NSA. The goal of the
inspection was to evaluate the processes the NSA uses to measure
achievement of its mission and to manage its functions and
organizational elements. The inspection report (May 12, 1992) had
64 recommendations.
During that inspection, we found that the growth of the Agency had
not been centrally managed or planned and that the NSA did not
have sufficient internal oversight mechanisms to ensure the Agency
efficiently accomplished its mission. Our most significant concern
regarding the NSA efficiency was the absence of management
oversight and controls in several key areas, such as organizational
structure, manpower requirements, and property management. We
also found that the NSA had identified problems through multiple
internal studies, but had not taken effective action based on those
studies.
SCOPE
We examined 16 of the 36 problem areas identified in the
original inspection. The 16 areas selected are a representative
sampling of key areas such as strategic planning, internal
management, manpower, contract management, budgeting, financial
planning, and oversight processes and mechanisms. The 16 areas
required corrective actions by the Assistant Secretary of - Defense
for Command, Control, Communications, and Intelligence or the
Director of the NSA.
METHODOLOGY
In performing the
verification inspection, we evaluated~actions on the 1991
recommendations through interviews and reviews of specific
documentation. To determine the adequacy of the corrective actions,
we analyzed the actual actions underway or completed and the extent
to which the underlying problems had been resolved. We considered
an issue closed if the problem had been corrected, regardless of
whether the corrective actions were in accordance with the 1991
inspection recommendations or were alternative solutions deemed
appropriate by the NSA. Conversely, we considered an observation
open if the underlying problem continued.
PART II - ORGANIZATIONAL ASSESSMENT
OVERALL VERIFICATION ASSESSMENT
The goal of our
inspection was to review management actions taken to correct the
problems identified during the 1991 NSA inspection and determine
whetter those actions corrected and prevented the problems from
recurring. Our verification inspection showed that the NSA
corrected 6 of the 16 issues we reviewed, but had not adequately
corrected the other 10 issues. The NSA provided responsive
comments to our recommendations that will correct the problems we
noted.
Specifically, we found the following:
Manpower/Organizational Structure.
The NSA does not adequately identify its manpower requirements. As a result, it does not know the total number of manpower requirements by quantity and skill mix to perform its mission. Strategic Planning. The NSA implemented a viable strategic and corporate planning process. Internal Management Control Program. The NSA has not included the areas of time and attendance, travel, overtime, cash management, and automated information systems accreditations as assessable units in its Internal Management Control Program. As a result, the Agency is
not using a key tool for detection of fraud, waste, and mismanagement in these vulnerable areas.
Special Access Program (SAP).
The NSA has not developed and implemented an Agency
SAP policy consistent with DoD guidance. As a result, the Agency
was not effectively overseeing the SAP programs it supports. Signal
Intelligence Integration. The NSA has not established an aggressive
customer feedback process to evaluate the quality and effectiveness
of SlGINT-generated products. Operations Centers. The NSA
reduced the number of 24hour operations centers.
Collection Evaluation System.
The NSA does not provide adequate
management oversight and accountability for controlling
unnecessary and unjustifiable collection duplications. As a result,
the Agency is unable to operate its Collection Evaluation System in
an effective and efficient manner.
Operations Security (OPSEC) Program.
The NSA has not established adequate performance
indicators to measure the effectiveness of its OPSEC program. As a
result, the Agency cannot tell how well it is performing its duties as
the Executive Agent of the National OPSEC program. Joint
Decisionmaking. The NSA synchronized some segments of the
Capabilities, Programming, and Budgeting System with the
Planning, Programming, and Budgeting System. Integrated Budget
System. The NSA reduced organizational layering in its budget
management system.
Revoking Security Clearances.
The NSA has taken the corrective actions to systemically rectify shortcomings.
Information Security. The NSA has procedures for its interface with
the North Atlantic Treaty Organization concerning information
security issues. Equipment Accountability. The NSA does not meet
DoD equipment accountability standards. As a result, the Agency
cannot account for millions of dollars worth of assets. Contract
Oversight. The NSA has not implemented adequate procedures for
Economy Act Orders that are in compliance with DoD guidance. As
a result, the Agency is in noncompliance with the Economy Act.
Computer Systems. The NSA has not made satisfactory progress in
acquiring accreditation for its automated information systems. As a
result, the Agency is unable to accredit its system and networks in
accordance with DoD guidance.
Inspector General.
The NSA rotates key personnel and its inspection staff. As a result,
independence cannot be assured because these individuals must
consider the impact of their work on prospects for future
assignments.
PART III - ISSUES AND RECOMMENDATIONS
ISSUE 1
MANPOWER/ORGANIZATIONAL STRUCTURE
Original Issue Statement
The USA lacks planning
criteria and program controls for determining the most efficient
organizational structure and for efficiently utilizing manpower and
other resources to accomplish its mission.Original
RecommendationsWe recommended that the National Security
Agency:
1. immediately validate organizational, manpower (including skill
mix), and equipment requirements to properly align resources to
perform in the most efficient and effective manner.
2. establish and use formal planning criteria and measurement tools
prior to any reorganization.
3. develop a plan and milestones to expeditiously implement
recommendations made in the study of Bureaucracy and NSA:
Mananement's Views.
Summary of Agency Response to Original IssueThe NSA partially
concurred with all three recommendations. The NSA stated that the
validation of organizational and manpower requirements is a
proactive and ongoing process. Additionally, all components were
given very explicit taskings and guidelines for reviewing and
improving efficiency, effectiveness, and economy of operations and
have completed massive organizational structure, functions, and
process reviews. The NSA also pointed out that it was incorrect for
the Inspector General (IG), DoD, to assume and state that resource
allocation and organizational structure decisions are made without
reference to " proven measurement criteria." The NSA also stated
that it has a plan for implementing the study of Bureaucracy and
NSA: Management's Views.
Verification Summary
This issue remains
open. The NSA does not have a process for determining its most
efficient organization. Layering StudyThe NSA implemented past
internal recommendations regarding its layering study, Bureaucracy
and NSA: Mananement's Views. In June 1990, the Director, NSA,
chartered a group of agency senior executives to conduct an
appraisal of organizational layering, both horizontal and vertical,
and associated procedural
dysfunctions at the NSA. The resultant study outlined possible
strategies to address identified problems and provided the impetus
for several follow-on reviews. One such review addressed a broad
spectrum of top tier issues and focused on the objectives of
streamlining operations, eliminating or consolidating top tier
functions and concentrating management authorities and
responsibilities. Another review focused on six primary processes.
The Director, NSA, implemented selected recommendations
contained in the three studies he considered to be in the best
interests of the NSA. Overall,- those recommendations resulted in a
November 1992 reorganization. That reorganization resulted in
changes such as a 40 percent reduction in the number of deputy
directors and a 29 percent reduction in middle managers. The
number of second and third echelon organizations below the
directorate level was reduced by 53 and 44 percent, respectively.
Also, the number of individuals previously reporting directly to the
Director, NSA, was reduced from approximately 90 to 15; all
support services were consolidated into one component; and all
corporate planning, budget, and congressional/ community liaison
was consolidated into a single organization. Nine directorate budget
offices were reduced to five, resulting in a total reduction of 44
percent in the budget organizational structure. Last, from fiscal years
1990 - 1995, the NSA reduced its total civilian employment by 15
percent.
Efforts to Complete Model
Although the NSA has
implemented some internal recommendations to reduce manpower
and reorganize, it has not finalized a process for determining
manpower and skill mix. In 1993, the Work Force Transition Task
Force developed a model to provide agency managers a manpower
and skill mix profile through the year 2000. Presently, that model
has not been implemented and is still being refined through the Ideal
Work Force project. Ideal Work Force ProjectTo finalize its
manpower process, the NSA formulated the Human Resources
Review Group (HRRG), which was chartered on March 9, 1995. The
HRRG was established with the objective of creating a corporate
process for determining NSA/Central Security Service (CSS) long
range manpower skill requirements and the apportionment of
appropriately skilled personnel among the operating elements. The
HRRG formed a group to work on a project known as the Ideal
Work Forceproject. That project will provide standards against
which the agency can measure its size, skill mix, structure, grades,
and demographic profile. Recently, an attrition model was developed
to predict movement into and out of the agency's various career
fields. The NSA envisions its manpower and skill mix model to be
finalized in the August/September 1995 time frame.
6 - National Security Agency
Conclusion
This issue remains open because currently the NSA does
not have a process for determining its most efficient organization.
---------
Verification Recommendation 1
We recommend that the National
Security Agency finalize and implement a manpower requirements
determination model based upon quantitative and qualitative work
load measurement techniques for identifying the required manpower
and the associated skill mix and grades.
Management Comments
The NSA concurred and stated although several efforts have produced
interim manpower models, a definitive guide that will satisfy the IG
requirements is currently under development by the Human
Resources Review Group.Evaluation of Management CommentsThe
NSA comments are responsive to the recommendation.
ISSUE 2
STRATEGIC PLANNING
Original Issue Statement
The NSA lacks an effective corporate planning strategy.
Original Recommendation
We recommended that the National Security
Agency revitalize the corporate planning process by providing
authority to the Plans and Policy Organization commensurate with
its existing responsibilities.
Summary of Agency Response to Original Issue
The NSA partially concurred. The Office of Plans and
Policy developed a corporate planning process that helped to
determine agency focus and direction, identify goals and issues, and
select appropriate strategies to pursue and accomplish
implementation. The process was approved by senior management
and was implemented.Verification SummaryThis issue is closed. The
NSA developed a viable strategic and corporate planning process.
The NSA is commended for measuring and tracking its strategic
planning through its yearly Improvement Cycle Assessment.
Strategic Planning
On May 19, 1994, the NSA board of directors agreed that
the NSA/CSS strategic planning process would consist of a
hierarchy of plans to guide the United States Cryptologic System
into the 21st century. The overall strategic plan would contain the
vision of the future and the strategy for attaining that vision. It
would be updated annually and would provide the foundation for all
other strategic planning-related documents. At the next lower level, a
set of corporate plans would address key NSA/CSS-wide issues
(such as, Support to Military Operations, Human Resource
Management, Equal Employment Opportunity, and National
Information Security Strategy).
The NSA updated its strategic plan in March 1995. The NSA
strategic plan is supported by 11 corporate plans. The NSA finalized
6 of the 11 corporate plans.
Government Performance and Results Act
The NSA is well aware of
the Government Performance and Results Act (GPRA) and has
developed an implementation plan for that Act. On May 18, 1995,
senior NSA officials were briefed on the requirements for the GPRA
and the proposed implementation for NSA. The NSA
implementation of the GPRA will be guided by the NSA Senior
Steering Group. The GPRA working groups will provide working-
level implementation for each objective. The NSA planners have
been tasked to develop and refine performance measures prior to
submission of the initial performance plan due in September
1997.
NSA Improvement Cycle
The NSA strategic planning is
measured and tracked yearly through the NSA Improvement Cycle
Assessment. The NSA Improvement Cycle Assessment is an
approach for managing agency activities based on the Presidential
Award for Quality management criteria. One of the seven criteria is
strategic planning. The NSA strategic planning process was assessed
in each of the past 2 fiscal years in such areas as the strategic quality
planning process, customer/suppliers involvement in agency strategic
planning, work force understanding of strategic goals, identification
of quality performance goals, and the allocation of resources in
accordance with prioritized strategic initiatives. ConclusionThe
NSA has fully corrected the original planning problem through its
implementation of an effective planning strategy. It has developed a
viable strategic and corporate planning process and is commended
for its yearly measuring and tracking of strategic planning.
ISSUE 3
INTERNAL MANAGEMENT CONTROL PROGRAM
Original Issue Statement
The NSA Internal Management Control (IMC) Program should be expanded to examine additional vulnerable areas and to ensure assessments are accomplished
following reorganizations.
Original Recommendations
We recommended that the National Security Agency:
1. strengthen its Internal Management Control Program by
aggressively examining and identifying vulnerabilities and by
requiring risk assessments following reorganizations.
2. ensure that assessable units include time and attendance, travel,
overtime, cash management, and automated information systems
accreditations in its vulnerability assessments.
Summary of Agency Response to Original Issue
The NSA concurred with the recommendations and agreed to amend its IMC Program
regulation (NSA/CSS Regulation 112-17) to include the
requirement that IMC Vulnerability Assessments be completed
following all reorganizations. The NSA also agreed that activities
such as time and attendance, travel, overtime, cash management, and
automated information systems accreditations should be in
vulnerability assessments.
Verification Summary
This issue remains
open. The NSA has not included the areas of time and attendance,
travel, overtime, cash management, and automated information
systems accreditations as assessable units.
Lack of Assessable Units
The NSA amended NSA/CSS Regulation 112-17 to ensure that
vulnerability assessments are conducted after all reorganizations and
that activities such as time and attendance, travel, overtime, cash
management, and automated information systems are addressed by
the IMC program. Interviews with three of eight IMC Focal Points
(to include the IMC Program Administrator) and several Group
Representatives found that the agency addressed these activities by
developing various manuals and procedures. However, the agency
failed to create assessable units for the referenced activities.
Therefore, vulnerability assessments are not being accomplished in
these areas that are vulnerable to fraud, waste, and mismanagement.
In order to establish an effective IMC program, the agency must
create assessable units and conduct vulnerability assessments to
ensure these procedures are being followed.
A review of the IMC Program documentation confirmed that the
agency is conducting vulnerability
assessments after all reorganizations or as scheduled by the
Management Control Plan.ConclusionThis issue remains open
because the NSA has not ensured that its vulnerability assessments
include the areas of time and attendance, travel, overtime, cash
management, and automated information systems accreditations.
-------------------------
Verification Recommendation 2
We recommend that the National Security Agency ensure that vulnerability
assessments are conducted
for activities such as time and attendance, travel, overtime, cash
management, and automated information systems
accreditations.Management CommentsThe NSA concurred with the
recommendation and stated that its regulation requires managers to
review time and attendance, travel, overtime, cash management, and
automated information systems accreditations when conducting
vulnerability assessments of their organization or function. They
also stated that the above activities do not qualify as separate
assessable units as defined in DoD Directive 5010.38, "Internal
Management Control Program."Evaluation of Management
CommentsThe NSA comments are responsive to the
recommendation. DoD Directive 5010.38 states that assessable units
shall be established by segmenting the DoD Component into
organizational, functional, programmatic, or other proper
subdivisions suitable for evaluating systems of internal management
controls and identifying program and administrative activities of
applicable nature and size to facilitate a meaningful assessment.
Establishing assessable units or adding these activities to existing
assessable units are necessary for internal administration of the NSA.
ISSUE 4
SPECIAL ACCESS PROGRAMS
Original Issue Statement
The NSA does not effectively monitor the Special Access
Programs it operates or supports.
Original Recommendations
We recommended that the National Security Agency:
1. develop and implement an agency Special Access Program policy
consistent with DoD guidance.
2. conduct a review to determine the actual Special Access Programs
and Special Access Program-like Programs sponsored and supported
by the agency and ensure its management of those programs
complies with DoD policy.
Summary of Agency Response to Original Issue
The NSA
nonconcurred with the Recommendation 1. It indicated that it
implemented DoD policy by incorporating DoD Directive 0-5205.7,
"Special Access Program Policy, as an enclosure to NSA/CSS
Regulation No. 120-23, July 24, 1989. The NSA partially concurred
with Recommendation 2. The Agency maintains it has "no SAP or
SAP-like programs reportable under DoD Directive 0-5205.7." It
stated that all its programs are Communications Intelligence
(COMINT) or Signals Intelligence (SIGINT) and are Sensitive
Compartmented Information (SCI), which are under the
responsibility and guidance of the Director of Central Intelligence
(DCI). Therefore, these programs do not fall under the DoD SAP
Policy.Verification SummaryThis issue remains open. The NSA has
neither developed and implemented an Agency SAP policy
consistent with DoD guidance nor has it established effective
oversight over those SAPs it supports.Very Restricted KnowledgeIn
November 1974, the NSA Director authorized the establishment of
the "Very Restricted Knowledge" (VRK) System to limit access to
uniquely sensitive SIGINT activities and programs in accordance
with his authority as in Executive Order (EO) 12333.1.2(b). The
program is administered in accordance with United States Signals
Intelligence Directive 16. The NSA contends that these VRK
programs (all SCI) are COMINT or SIGINT programs, which come
under the direction of the DCI.Lack of PolicyWe found that the
NSA had not established NSA policy for the area of SAPs. The NSA
stated that it had instituted such policy via NSA/CSS Regulation
120-3, but that it did not have any SAPs or SAP-like programs. As a
result, it does not maintain a list of SAPs or SAP-like programs,
even for those that it supports. DoD
Regulation 5200.1R, "Information Security Program Regulation,"
May 30, 1986, with changes, indicates that SAPs shall be controlled
and managed in accordance with DoD Directive 5205.7, and
component heads shall appoint a SAP coordinator for all SAPs "in
the component." That policy appears to indicate that whether or not
the SAP was established within the agency or exists in the Agency,
proper oversight must be in place.
Although the NSA advised the IG, DoD, during the inspection that
the NSA supports SAPs with other organizations, it neither
maintains a list of NSA-supported SAPs nor are these SAPs
controlled or monitored by an NSA SAP coordinator. It does,
however, maintain a list of VRK programs, which are annually
reviewed by the Director of NSA.
New Guidance
The most recent EO 12958, April 20, 1995, Sec. 4.,
defines a SAP as "a program established for a specific class of
classified information that imposes safeguarding and access
requirements that exceed those normally required for information at
the same classification level." In addition, this EO limits the
establishment of SAPs to the Secretaries of State, Defense, and
Energy and the Director of Central Intelligence. Further, it states
that each agency shall establish and maintain controls and oversight
and shall review each SAP annually to determine whether it
continues to meet the requirements of this order.
The Director of Central Intelligence Directive, DCID 3/29, June 2,
1995, implemented EO 12958 and states that the DCI or Deputy
DCI shall determine whether to create, modify, or terminate
controlled access programs. We believe that the definition of SAPs
under the EO 12958 encompasses the VRK programs currently
operating at the NSA. Further, EO 12958 requires annual reporting
of the SAPs. The EO states that "The agency head or principal
deputy shall review each SAP annually to determine whether it
continues to meet the requirements of this order." This EO indicates
that annual reporting is required. The DCI has already issued its
directive, DCID 3/29, which requires this annual review. Therefore,
if the program is SCI, then we believe that the new EO requires
annual reporting to the DCI.
Conclusion
This issue remains open because the NSA still does not
effectively monitor the SAP it operates or supports. The NSA has
neither established policy for the area of SAPs nor does it maintain a
list of NSA-supported SAPs and the SAPs controlled or monitored
by its SAP coordinator.
----------------
Verification Recommendation 3
We recommend that the National Security Agency:
a. review of all Special Access Programs, Special Access Program-
like programs and Very Restricted Knowledge programs that it has
established or supports and establish an effective oversight
mechanism to ensure proper coordination, monitoring, and tracking.
b. ensure that all Special Access Programs, Special Access Program-
like programs, and Very Restricted Knowledge programs supported
by the National Security Agency are reported annually to
Department of Defense or the Director of Central Intelligence.
Management Comments
The NSA partially concurred with the
recommendations and maintains that it does not have any SAPs as
defined by DoD Directive 0-5205.7, "Special Access Program
Policy," January 4, 1989. The NSA states that its programs are
conducted under the authority of the DCI and that DoD Directive 0-
5205.7, paragraph B. 5., specifically excludes SCI programs
established by the Director of Central Intelligence. As part of the
SCI control system, the NSA COMINT information will be reported
to the DCI in accordance with DCID 3/29 guidance.
The NSA also stated that it is developing oversight mechanisms to
ensure proper coordination, monitoring, and tracking pursuant to
DCID 3/29. The Controlled Access Program Coordination Office
established by the DCI to oversee controlled access programs shall
coordinate security policies with the Security Policy Board and the
Special Access Program Oversight Committee of the DoD. The NSA
anticipates implementation of DCID 3/29 by February 1, 1996.
Evaluation of Management CommentsThe NSA comments are
responsive to the recommendations. Our concern was that an
effective oversight process be established and implementation of
DCID 3/29 will ensure this problem is corrected.
ISSUE 5
SIGNAL INTELLIGENCE INTEGRATION
Original Issue Statement
The Signal Intelligence production process does not
function as an interrelated process and is hampered by a lack of
effective management oversight.
Original Recommendations
We recommended that the National Security Agency:
1. develop a measurable, internal oversight mechanism to track
requirements through the entire production process. In addition,
ensure that a clear link is between analytical efforts and the National
Signal Intelligence Requirements List that allows managers to
measure progress against meeting those requirements.
2. establish an effective feedback mechanism to evaluate the quality
and effectiveness of Signal Intelligence-generated products.
3. conduct a manpower study to determine the appropriate number of
Operations staff personnel and reduce excessive personnel and
organizational layering.
4. develop and document Signal Intelligence procedures for the
collection and analysis process.
5. ensure that the Operations Organization's analytical capability
keeps pace with the collection requirements.
Summary of Agency Response to Original Issue
The NSA concurred
with Recommendation 5; partially concurred with Recommendations
1, 2, and 3 and nonconcurred with Recommendation 4. The agency
stated that "the Production Oversight Tracking System allows
managers to track NSA's success in meeting SIGINT requirements
but does not track the requirements through The entire production
process; customer feedback needs to be improved to better gauge
product and service effectiveness; and the NSA components had
recently completed a massive reorganization in response to the
Layering Study findings." The NSA commented that the changing
world situation and budgeting pressures would ultimately affect the
restructuring process and determine the end state of the organization.
Further, the NSA noted that it had taken several tangible actions to
balance collection and analysis.
Verification Summary
This issue
remains open. The NSA has neither established a standardized
customer feedback process nor implemented a process for
determining its most efficient organizational structure.
Customer Satisfaction Improvements
The NSA has not fully
completed its customer satisfaction feedback procedures to evaluate
the quality and effectiveness of SlGINT-generated products. The
Agency solicits comments from its customers but the solicitation is
neither part of a standardized customer feedback format nor is it
frequently used. The agency has planned but not fully implemented
the following customer satisfaction improvements:
1)automated customer feedback response process throughout the
intelligence community,
2)customer feedback tool to measure customer satisfaction both at the
NSA and the intelligence community at large,
3)tracking system for corrective actions based on customer feedback,
and
4)standardized and user-friendly system for NSA and its customers.
Automated Tracking System
The NSA implemented an automated
production reporting and tracking system. Managers are now able to
measure timeliness and progress in completing their collection
requirement "askings. The tracking mechanism also provides a clear
link between analytical efforts and collection requirements.
We reviewed the production-tracking system and randomly selected
collection taskings to ensure that collection requirements were fully
identified and tracked throughout the production cycle. The
production-tracking system provides management with a top-down
review of its SIGINT collection requirements and production cycle.
This automated system connects and interrelates collection,
processing, analysis, and reporting throughout the entice production
cycle. The system provides management with a tool that identifies
and tracks requirement's taskings from the front end (collections) to
the back end {reporting). Consequently, NSA now has a system that
provides effective visibility over actions in the SIGINT process to
allow managers to respond to inquiries.
Enhanced Analytical Capability
The NSA has also established
mechanisms to ensure that its analytical capability keeps pace with
the collection requirements. Analytical capability has been enhanced
by the introduction of powerful new networked desktop computers
to assist in analytical efforts against virtually every SIGINT target.
The desktop computers allow the analyst to network with other
analysts as well as interface with the customer to optimize collection
and analytical functions.
Conclusion
This issue remains open primarily because the NSA has
not fully completed its customer satisfaction feedback procedures to
evaluate the quality and effectiveness of SlGINT-generated products.
However the NSA has improved its SIGINT production process
through implementing an automated production reporting and
tracking system and establishing mechanisms to ensure that its
analytical capability keeps pace with collection requirements.
---------------------
Verification Recommendation 4
We recommend that the National Security Agency:
1. standardize its customer feedback format, establish automated
customer feedback responses through the intelligence community,
and incorporate a customer feedback information data base for
National Security Agency managers.
2. establish a system for tracking corrective action based upon
customer feedback.
3. finalize and implement its model for determining manpower and
skill mix.
Management Comments
The NSA concurred with our
recommendations and stated that it chartered a SIGINT Customer
Focus and Satisfaction Team in December 1994 to identify and
recommend specific steps for senior management to establish a
systematic feedback process for evaluating the quality and
effectiveness of SlGINT-generated products. The team is developing
a process that will enable managers to better gauge the effectiveness
of SIGINT products and services. As noted in Issue 1, the Human
Resources Review Group will address manpower requirements in the
definitive guide.
Evaluation of Management Comments
The NSA comments are responsive to the recommendations.
ISSUE 6
OPERATIONS CENTERS
Original Issue Statement
The proliferation of 24-hour, 7 day-a-week operations centers has
resulted in duplication of effort.
Original Recommendation
We recommended that the National Security Agency justify those 24-
hour centers in the Operations Organization that are mission-
essential and consolidate or eliminate the rest.Summary of Agency
Response to Original IssueThe NSA partially concurred. The agency
stated that adjustments were made in response to changing
requirements. Additional changes would occur because of
downsizing, eliminating, and consolidating watch
operations.
Verification Summary
This issue is closed. The NSA
reduced the number of 24-hour operations watch centers by
approximately 43 percent since 1991.Forty Percent SavingsThe
gradual consolidation and elimination of operations watch centers
have resulted in approximately 40 percent savings in manpower costs
from Fiscal Years 1992 through 1995 with no impact on the
Agency's ability to perform its mission. Economic analysis and cost
benefit studies were not conducted for any of the NSA Headquarters
Operations Watch Centers, since NSA knew that most cost benefits
or savings would be for manpower. Economic analyses were
conducted for field activity closures, which included operations
watch centers. This analysis was done to capture the full detailed
costs and savings for the larger field site closures.ConclusionThis
issue is closed because the NSA has reduced the number of 24-hour
watch centers by approximately 43 percent, resulting in a 40-percent
savings in manpower costs from Fiscal Years 1992 through 1995
with no impact on mission accomplishment.
ISSUE 7
COLLECTION EVALUATION SYSTEM
Original Issue Statement
The Collection Evaluation System is neither effective nor efficient.
Original Recommendation
We recommended that the National Security Agency
upgrade management procedures and the
Collection Evaluation System to ensure that collection duplications
are identified and managers eliminate those duplications wherever
feasible.
Summary of Agency Response to Original Issue
The NSA
concurred stating that it needed to revamp its approach to the
Collection Evaluation System. The responsibility for accomplishing
this task would be transferred to another organization within NSA.
Once transferred, an action plan would be developed and
implemented.
Verification Summary
This issue remains open.
Although many technological improvements have been made to the
Collection Evaluation System since 1992, the NSA needs to
continue improving management oversight and accountability for
controlling unnecessary collection duplications.
Collection Evaluation System
The NSA installed a software system that
consolidates current and future collection management support
efforts into a centralized architecture.
The existing collection evaluation system has a feature that reports
collection duplications. Duplicate assignments are flagged to remind
collection managers to constantly assess the validity of the required
duplication. Although NSA collection evaluation system captures
and extracts data on unjustifiable duplications, the NSA has not
used this information to establish automated oversight-control over
wasteful collection duplication.
The NSA leaves it to the station collectors to clean up their own
duplications. While automated system information could be made
available for management oversight, the NSA has not established
standardized or automated procedures for eliminating unnecessary
duplications. Also, NSA has not devised corrective actions for
eliminating the wasteful collection duplications. Consequently, the
collection duplication portion of the NSA Collection Evaluation
system is currently not operated in an effective or efficient manner.
Conclusion
Even though the NSA has made numerous improvements
to the collection evaluation system, this issue will remain open to
ensure the NSA establishes automated oversight control over wasteful collection duplication.
-----------------------------
Verification Recommendation 5
We recommend that the National
Security Agency standardize its collection evaluation system to
eliminate unnecessary collection duplications.
Management Comments
The NSA concurred with the recommendation but
disagreed with the draft report conclusion that "NSA has not
established standardized or automated procedures for eliminating
unnecessary duplication." The NSA stated that the existing
collection evaluation system reports collection duplications. The use
of this feature and similar tools have permitted an 80 percent
reduction in duplication for fixed collection over the past 5 years.
The whole concept of "duplication of collection" dictates that many
targets are tasked in several places to insure that they are, in fact,
collected.
The NSA also stated that automation is being used and enhanced to
assist in eliminating unnecessary duplications. However, the NSA
has deemed the "human analysis factor" as more critical than
automation to solve unnecessary duplication. The NSA relies on
analysts' judgment to determine the best collector (or duplicate
collectors) against a given target based on factors such as priorities,
technical capabilities, customer needs, and deliverability of products
to customers.
Evaluation of Management Comments
The NSA comments are
responsive to the recommendation. In regard to the NSA disagreeing
with our draft report conclusion, we have restated the conclusion to
accurately reflect the condition.
ISSUE 8
OPERATIONS SECURITY
Original Issue Statement
DoD policy regarding the NSA operations security (OPSEC) mission
responsibilities have not been updated and clearly defined.Original
Recommendations
We recommended that:
1. the Assistant Secretary of Defense (Command, Control,
Communications and Intelligence) expedite the revision of draft
DoD Directive 5205.2, to reflect National Security Decision
Directive No. 298.
2. the National Security Agency propose and gain approval for
policy clarifying its roles as the Operations Security Executive
Agent and its relationship to the Interagency Operations Security
Support Staff.
Summary of Agency Response to Original Issue
The Assistant
Secretary of Defense (Command, Control, Communications and
Intelligence) (ASD[C3I]) concurred, stating that "the Deputy
Assistant Secretary of Defense, Counterintelligence and Security
Countermeasures Program, is coordinating the revision of DoD
5205.2." The NSA, concurred stating that it will draft a statement of
policy clarifying the role of the Director, NSA, as Executive Agent
for Interagency OPSEC training.
Verification Summary
This issue remains open. During our inspection, we found that both the DoD
Directive 5205.2 and the NSA Directive 120-03 had been updated
with clearly defined criteria that clarified the NSA role and
relationship as the OPSEC Executive Agent to the Interagency
OPSEC Support Staff.
Even though the NSA corrected the original problem, the NSA did
not have supporting data to show how effective It has been in
meeting its role as Executive Agent of the OPSEC Program. Its
budget figures for 4 years showed that the NSA did not use half of
the resources at its disposal. Interviews with NSA personnel did not
reveal how effectively the agency has implemented its internal
program or how effectively it has supported of DoD activities. In our
view, a viable OPSEC Program needs to measure effectiveness.
Conclusion
This issue remains open even though the NSA met the
intent of our recommendations. The NSA did not have supporting
data to show how effectively it has met its role as Executive Agent of
the OPSEC Program. We believe the NSA OPSEC Program needs to
measure effectiveness.
--------------------------------------------
Verification Recommendation 6We recommend that the National Security Agency:
1. develop a strategic plan that outlines its goals and objectives for
Operations Security program over a specified period.
2. develop performance data that shows how effectively it is
performing its Operations Security mission.
Management Comments
The NSA concurred with the
recommendations and stated that a series of activities are underway
to delineate goals and objectives to provide current and future
quality responses to customer OPSEC requirements. The Interagency
Operations Security Staff is reviewing customer information and the
mission performance measurement process to show how effectively
it is performing its OPSEC mission.
Evaluation of Management Comments
The NSA comments are responsive to the recommendations.
ISSUE 9
JOINT DECISIONMAKING
Original Issue Statement
Joint decisionmaking between the Director of Central
Intelligence and the NSA does not routinely occur where the
Planning, Programming, and Budgeting System (PPBS) and the
Capabilities Programming and Budgeting System (CPBS) intersect,
resulting in duplication and inefficiencies in management of the
processes.
Original Recommendation
We recommended that the Assistant Secretary of
Defense (Command, Control, Communications and Intelligence)
accelerate efforts to strengthen joint decisionmaking between the
programming and budgeting communities of the Director, Central
Intelligence, and DoD at key intersection points between the PPBS
and CPBS processes.
Summary of Agency Response to Original Issue
The ASD (C31) concurred stating that "as part of the Defense
intelligence restructuring plan, the Intelligence Program Support
Group was created to strengthen the interaction between the DoD
PPBS and the National Foreign Intelligence Program (NFIP)
CPBS."
Verification Summary
This issue is closed. The NSA
segments of the CPBS and the PPBS are still not fully
synchronized, although significant improvements have occurred
since 1991. For example, millions of dollars in funding were lost in
the earlier budget processes because of the lack of integration and
interface between the budget managers of the two systems. At this
time, however, key staff representatives of the Director of Central
Intelligence (DCI) CPBS budget process and the DoD ASD(C3I)
PPBS budget staff meet regularly to resolve resource and budget
management efficiency problems.Needed ImprovementsImprovement
is still needed in the two budget processes, since the NSA does not
receive its Planning and Program Budget Guidance in a timely
manner. The NSA, however, is normally not responsible for the lack
of timeliness because it is not the driving force behind the budget
resource approval process. Moreover, the NSA receives more than 80
percent of its budget under the less structured DCI NFIP CPBS
budget processes.
The following table (first, second, and fourth columns) shows when
PPBS and CPBS budget documents are normally considered due.
The third and fifth columns provide the dates when the NSA budget
office actually received the Fiscal Year 1996 budget cycle
documents.
SCHEDULE OF BUDGET EVENTS
MONTH DUE
PPBS
DOC'SDATE NSA RECEIVED PPS DOC'SCPBS DOC'SDATE
NSA RECEIVED CPBS DOCSNOVDefense Plan Guidance- -
Draft DCI GuidanceAPRJANPOM BuildMARFormal Joint
GuidanceJUNFEB & MARPOM Buildup ContinuesAPR &
MAYPOM Buildup Continues- - APRPOMs deliv. to OSDJUNDCI
Program SubmittedJUNJUNIssue Books CompiledCompleted in
AUGProgram Crosswalks by CMS/RMO and IPSG- - JULPDMs
issued by SecDefCompleted in DECExcom Program Issue Reviews-
- SEPBES submit. to OSD & OMBSEPBES submitted to DCINone
Submit.OCTPBDs issued by DepSecDefFinal PBD in DECNFIP
PBDsDECNOVDoD Budget to Pres. Issued- - DCI Completes
PBDs Decisions- - DECDoD/Pres. Budget Final- - NFIP Budget put
in Pres. Budget- - FEBPres. Budget to CongressFEBCBJB to
CongressFEBFEB - SEPCong. ActionFEB - SEPCong. ActionFEB
- SEPBESBudget EstimateCBJBCongressional Budget Justification
BookCMSCommunity Management StaffEXCOMExecutive
CommitteeIPSGInteiligence Program Support GroupPBDProgram
Budget DecisionRMOResource Management OfficeIn spite of the
time delays in receiving the CPBS Draft Joint Guidance
(approximately 5 months late), the PPBS Defense-Planning
Guidance (approximately 3 months late), the Program Decision
Memorandum (2 to 5 months late), the DCI CPBS Program Decision
totals (approximately 2 months late), the NSA still managed to
publish its congressional budgets in a timely manner.
The NSA Budget Formulation Office attends DCI Community
Management Staff meetings to discuss program resource issues as
well as discuss more efficient ways to manage the CPBS budget
process. Management Studies are now being conducted at the DCI
and ASD (C3I) to continue improving the interrelative framework
between the CPBS and PPBS budget processes.
24 - National Security Agency
ConclusionAlthough the NSA segments of the CPBS and PPBS
systems are not fully synchronized, this issue is closed because the
NSA is attempting to improve synchronization between the PPBS
and CPBS budget process.
ISSUE 10
INTEGRATED BUDGET SYSTEM
Original Issue Statement
The NSA does not have an integrated budget management
system because of excessive layering and decentralized
authority.Original RecommendationWe recommended that the
National Security Agency strengthen the Comptroller role to ensure
centralized and uniform budget processes in accordance with DoD
procedures.Summary of Agency Response to Original IssueThe NSA
partially concurred with the recommendation that the NSA budget
process be centralized and uniform and in accordance with DoD
procedures. The NSA stated that its budget management practices
also called for a considerable delegation of authority to the key
component chiefs "for management and execution of
funds."
Verification Summary
This issue is closed. The NSA budget
organizational layering has been significantly reduced since 1991.
Nine directorate budget offices have been reduced to five directorate
budget offices for a total reduction of 44 percent in the budget
organizational structure.Staff ReductionsAs a result of the
reorganization, budget staffs were reduced. For example, the Deputy
Director of Technology and Systems budget staff was reduced by 64
percent; the Deputy Director of Support Services budget staff was
reduced by approximately 16 percent; the Deputy Director
Operations and Deputy Director of Plans, Policy, and Programs
budget staff remained at the same level.
The extensive reorganization has reduced both vertical and
horizontal layering of budget offices and staff positions at NSA. The
reorganization has also benefited the budget review process, since
the NSA budget office is now able to review and prioritize the
budget at a lower level. Consequently, the NSA budget office has
increased its span of control and enhanced its capability to do in-
depth reviews of budget funds and resources.
Conclusion
This issue is closed because the NSA has significantly
reduced its budget organizational layering by 44 percent since the
1991 inspection and increased its oversight and span of control over
the budget process.
ISSUE 11
REVOKING SECURITY CLEARANCES
Original Issue Statement
The NSA is lax in disciplining and revoking security
clearances for its employees and contractor affiliates.Original
RecommendationsWe recommended that the National Security
Agency:
1. follow established guidelines for determining an employee's
suitability for continued access and employment.
2. expedite its appeal process for employees slated for discipline or
dismissal.
Summary of Agency Response to Original Issue
The NSA nonconcurred with Recommendation 1 and partially concurred with
Recommendation 2. The NSA stated that "Agency guidelines for
determining an employee's suitability for continued access and
employment are followed." It further stated, "What may appear as a
reluctance to enforce disciplinary and dismissal procedures, in
actuality, is a process to ensure fairness and due process." As for the
appeal process, the NSA stated that "the procedure for employees to
request additional information is being streamlined to allow an
employee to review files and request information through a single
focal point. This process will be implemented within 3 to 6
months."
Verification Summary
This issue is closed. The NSA has
taken the corrective actions to systemically rectify the shortcomings.
Revocations now proceed in accordance with the Director of Central
Intelligence Directive requirements, and procedures have been
developed to streamline the process. We reviewed copies of the
current system for employees access revocation and standard
operating procedure for the suspension or revocation of employee
access. We obtained two flow charts that depict the revocation
processes to ascertain the effectiveness of the current process. At the
time of the 1991 inspection, only the chief of Management Services
had the authority to revoke an employee's access to classified
information. The current process assigns authority to a lower level
within the Management Services organization. Interviews with NSA
personnel showed that management actions are responsible for many
improvements.
Conclusion
This issue is closed because the NSA has streamlined its
process to revoke security clearances and to comply with Director of
Central Intelligence Directive requirements.
ISSUE 12
INFORMATION SECURITY
Original Issue Statement
The NSA lacks procedures for its interface with the North Atlantic
Treaty Organization in addressing information security (INFOSEC)
issues.Original RecommendationWe recommended that the National
Security Agency establish procedures for its interface with the North
Atlantic Treaty Organization in addressing Information Security
issues.
Summary of Agency Respons to Original Issue
The NSA
nonconcurred with the recommendation stating that procedures
already exist to govern this process. However, at the time of our
inspection and subsequent to the inspection, the procedures were not
provided.
Verification Summary
This issue is closed. The NSA has
procedures for its interface with the North Atlantic Treaty
Organization concerning INFOSEC issues. A review of trip reports,
minutes of meetings, agendas, and continuity binders proved that the
Agency is following its procedures and that these procedures are not
ad hoc.
ISSUE 13
EQUIPMENT ACCOUNTABILITY
Original Issue Statement
The NSA failure to meet DoD equipment management and
accountability standards has resulted in equipment losses worth
millions of dollars and wasted warehousing space.
Original Recommendations
We recommended that the National Security Agency:
1. promptly resolve inventory accountability shortfalls.
2. clearly define and publish responsibilities for storing, packaging,
and documenting stored equipment to ensure protection of Agency
assets.
3. immediately reduce the tape storage volume in the Magnetic
Media Library.
4. We recommend that the Assistant Secretary of Defense for
Command, Control, Communication and Intelligence, through the
National Security Telecommunications Information Systems
Security Committee and the TEMPEST Advisory Group, publish
guidelines on me maintenance and disposal of TEMPEST certified
equipment.
Summary of Agency Response to Original Issue
The NSA concurred
with all recommendations. The NSA stated that several actions have
been initiated by to Original Issuethe Property Accountability
Process Improvement Team to reduce accountability shortfalls and
numerous others are being evaluated. Additionally, Government
Property Lost or Destroyed reports were forwarded through
management to the Deputy Director, NSA, in December 1991 to
rectify the accounting baseline and provide a good data base in
accordance with DoD guidance.
Verification Summary
This issue remains open. The NSA Property Accountability Office has made
significant improvement in its processes for controlling NSA assets
since our 1991 inspection. However, additional corrective action is
required to ensure accountability of the NSA assets. The IG, NSA
Audit Report, "Advisory Report Personal Property Accountability
Audit," July 21, 1994, confirmed this issue. This report stated that
the key components property accountability efforts have not been
effective as evidenced by continuing requests for large write-offs for
unreconciled assets ($82 million from Fiscal Years 1991 and
1992).Warehousing OperationsWe found that the NSA warehousing
operations have improved since our 1991 inspection. The NSA has
identified plans that will continue its improvement In this
area. However, the physical protection of NSA assets is hampered by
a procedural shortfall. Applicable NSA logistics directives describe
how packaging and storing requirements will be prescribed by the
key component wishing to store items. However, at the time of our
inspection, we found that the key components were not providing
proper directions for the storage of NSA assets.
During our inspection, we did not physically inspect the warehouses
used to store equipment because two warehouses with the worst
conditions were no longer in use. We are highlighting this concern
to ensure that the NSA continues to protect Government assets from
deterioration or damage.
Reduced Tape Media
The NSA has made great improvements in
managing its magnetic tape media. Since our 1991 inspection, the
NSA has significantly reduced its tape holdings. However, further
improvements in the management of tape holdings can be
experienced if the NSA applies the same standards it uses for its key
components holdings to its external customers.
Disposition of TEMPEST Equipment
Last, we found that the National Security
Telecommunications and Information Systems Security Advisory
Memorandum (NSTISSAM), TEMPEST/3-91, "Maintenance and
Disposition of TEMPEST Equipment," December 20, 1991,
provides guidance to personnel responsible for the maintenance and
disposition of TEMPEST equipment. Basically, this memorandum
corrected the shortcoming identified in our 1991 inspection. The
NSA no longer destroys TEMPEST hardware. However, another
procedural shortcoming was identified during our inspection. The
NSTISSAM TEMPEST/3-91 states, "Disposition/resale should be
consistent with established export control/technology transfer
policy." The NSA could not provide evidence that it alerts the
recipients of excess TEMPEST hardware of current technology
transfer policy.
Conclusion
The NSA has made improvements in
controlling its assets since our 1991 inspection. However, further
improvements are still needed in asset accountability, storage
protection procedures, management of tape media, and the
disposition of TEMPEST equipment.
------------------------------------------------------------------------
Verification Recommendation 7
We recommend that the National Security Agency:
1. resolve its inventory accountability shortfalls.
2. amend its applicable logistics manual(s) to place the
responsibility on the Logistics Directorate for ensuring that
Government assets are protected from physical damage during
storage.
3. enforce its standards pertaining to tape holding to its customers.
4. provide evidence that will show its compliance in alerting the
recipients of TEMPEST items.
Management Comments
The NSA concurred with the
recommendations and stated that it has drafted a list of procedures
and responsibilities applicable to requests for storage of Government
assets. The NSA also stated that it is working with a representative
of the Office of Processing Systems to draft an appropriate policy
advisory notification to recipients of excess TEMPEST
equipment.
Evaluation of Management Comments
The NSA comments are responsive to the recommendations.
ISSUE 14
CONTRACT OVERSIGHT
Original Issue Statement
Inadequate management oversight in the Office of
Contracting permits potentially wasteful practices.
Original Recommendations
We recommended that the National Security Agency:
1. establish blanket purchase agreements for 3 years with an option
to extend.
2. expedite system change requests for rotating bidders mailing list
and contractor delinquencies.
3. enhance contract management by implementing the following
System Change Requests:
a. Contractor performance records,
b. Historical data base of products and services rendered, and
c. Centralized system for awards to provide visibility of award
trends.
4. immediately increase the rate procurements are obtained through
the Federal Supply System.
5. discontinue the ordering officer practice or seek authorization for
the practice from the Defense Acquisition Regulatory Council.
6. designate a contracting owner as the Agency approving authority
for Economy Act orders.
7. institute proper financial accounting practices and procedures for
management and oversight of Economy Act Orders in accordance
with applicable National Security Ageney/Central Security Service
resource management regulations.
Summary of Agency Response to Original Issue
The NSA concurred
with Recommendations 1, 2 and 3; partially concurred with
Recommendation 4; and nonconcurred with Recommendations 5, 6,
and 7. The NSA stated with regard to Recommendation 4 that the
Agency has "implemented a number of actions to increase the
procurement rate to 50 percent"; its goal is less than the goal set in
this report and that 50 percent is a reasonable goal. For
Recommendation 5, it commented that the Agency's General
Counsel's Office had previously reviewed this matter and concluded
that sufficient Federal Acquisition Regulation (FAR) and Defense
Federal Acquisition Regulation Supplement (DFAR) authority
sustains an Ordering Officer's Program
and that the NSA Ordering Officers are, in fact contracting officers,
position titles notwithstanding.
For Recommendation 6, the NSA stated that its NSA/Central
Security Service (CSS) resources management manual is being
updated to assign the Chief, Special Operations, as the Agency
approving authority for sensitive Economy Act Orders and the
Finance and Accounting Officer as the approving authority for non-
sensitive Economy Act Orders. For Recommendation 7, the Agency
stated that financial records for Economy Act Orders are available
and that "Accounting transactions relative to all NSA Economy Act
Orders are recorded in the Agency's automated General Accounting
and Reporting system and there is a document file maintained within
the Comptroller's organization for every Economy Act Order."
Verification Summary
This issue remains open. The NSA has not
implemented thorough procedures for Economy Act Orders that are
in compliance with Secretary of Defense Guidance, February 8,
1994, and the Defense Federal Acquisition Regulation Supplement
217.5.Economy Act Order PolicyTitle 31, U.S. Code, Section 1535
provides the legal authority for orders for supplies or services to be
placed with other agencies. FAR Part 17.5 sets the policies
implementing the Act, by which an order pursuant to the Economy
Act may be placed with another agency. The Secretary of Defense in
Memorandum, February 8, 1994, subject, "Use of Orders Under the
Economy Act," further defined the conditions that must be met for
orders under the Economy Act to be sent outside the Department of
Defense. DFARS 217.5 described the role that the contracting
officer plays in the process.
Since the inspection in 1991, the process for Economy Act Orders
has changed. The Secretary of Defense in a February 8, 1994,
memorandum, stated that the Agency Head (or designee at
SES/FLAG/General Officer level) must determine that:
"a. The ordered supplies or services cannot be provided as
conveniently and cheaply by contracting directly with a private
source;
"b. The servicing agency has unique expertise or ability not available
within DoD; and
"c. The supplies or services clearly are within the scope of activities
of the servicing agency and that agency normally contracts for those
supplies or services for itself."
Further, the memorandum states that written determination and
finding approvals be provided to accounting officers prior to
committing funds on Economy Act Orders. The DFARS 217.5
defines the role of the Contracting Officer in the approval process
for Economy Act Orders.NSA PolicyWe determined during the
inspection that the NSA has implemented a policy lever, NSA/CSS
Resources Management Letter No. 3-1994, August 5, 1994,
prescribing policies and procedures for the approval of Economy Act
Orders issued outside of DoD. We reviewed 5.5 percent of the
Economy Act Orders from FY 1994 and FY 1995. Although some
orders mention the Economy Act, this mention does not constitute
the formal determination and approval process as required by the
Secretary of Defense Memorandum, February 8, 1994.
More Process Involvement
Although the DFARS 217.5 sets the role of the
Involvement contracting officer as advisor in the approval process,
we found that generally the Office of Contracting has not been
involved in the Economy Act Order process. We believe the number
of orders placed under the Economy Act at the NSA and the dollars
involved indicate that a greater level of scrutiny and attention be
placed on this very vulnerable area.NSA IG ReviewWe noted that
the Inspector General, NSA, did a followup review subsequent to the
receipt of Secretary of Defense guidance and Agency
implementation of the Economy Act. That report, ST-93-0006,
released January 2, 1996, found that the formal process of
"determination and finding" and approval at the SES/FLAG/General
Officer level is still not occurring. The Office of Contracting
indicated that it would provide assistance in correcting the formal
determination process so that the NSA would follow more
standardized procedures.
Although the NSA nonconcurred with Recommendation 7, we found
that the NSA has implemented tracking procedures for individual
Economy Act Orders and was able to provide Financial and
Accounting information including the order number, the amount
obligated, the cumulative obligations, and any unliquidated balance.
Blanket Purchase Agreement Problem CorrectedSince our
inspection in ,1991, the Agency has made strides in the correction of
Blanket Purchase Agreement procedures. During the inspection of
1991, we determined that the NSA had been issuing these
agreements annually. A review of 20 Blanket Purchase Agreements
indicated that all have been modified and
will be reissued at the beginning of FY 1996 for three years. Any
Blanket Purchase Agreements issued after the 1991 inspection were
written for three years. We found that the NSA took effective action
to correct this issue.
Limited Contracting Officer Warrants
Although the NSA originally nonconcurred on the issue of Ordering Officers,
the NSA determined that it would act on the recommendation and
has issued limited contracting officer warrants to personnel outside
the Office of Contracting. All personnel in this program are required
to take appropriate DoD training and local training provided by the
Office of Contracting. The Office of Contracting has revised its
regulations and provided oversight through the contracting
personnel, which normally provide support.
Information Upgraded
We recommended during the 1991 inspection that the NSA
upgrade the management information system in the Office of
Contracting in contractor performance records, better historical data
base of products and services, and centralized log system for awards.
The NSA is fully compliant in this area. The NSA has placed great
emphasis and resources to bring this upgrade about. Its system is
capable of providing this information, even though some portions of
the system are now being upgraded to become more effective.
Federal Supply System Usage
Since the 1991 inspection, the NSA has
undergone changes as a result of the National Performance Review
and the Defense Performance Review initiatives. Our 1991
inspection report indicated that the NSA could achieve additional
efficiencies by obtaining more line items through the Federal Supply
System. We believed that the NSA could achieve $4. 5 million
dollars in savings by better utilization of the Federal Supply System.
During this inspection, we found that the use of the Federal Supply
System has been further reduced. This decline is in part a direct
result of the NSA designation as a Reinvention Laboratory in the
Logistics and Supply area and the use of innovative means of
supporting its customers. While we understand the goals of the
National Performance Review and the Defense Performance Review,
we believe that good business practice dictates that the NSA should
emphasize the use of the Federal Supply System for common supply
items where it is more cost-effective and responsive to the customer.
Additionally, the NSA should continue to ensure that its purchases
from sources mandated by statute (Federal Prison Industries, Inc;
and the National Industries for the Blind) are purchased through the
appropriate sources.
Conclusion
This issue remains open because the NSA has not
implemented thorough Economy Act Order procedures that are in
compliance with applicable directives. However, the NSA has made
improvements in Blanket Purchase Agreements, limited contracting
officer warrants, management information system upgrades, and its
usage of the Federal Supply System.
--------------------------------
Verification Recommendation 8
We recommend that the National Security Agency:
1. review its current procedures for processing Economy Act Orders
and incorporate a sample "determination and findings" into its
National Security Agency/Central Security Service Resources
Manual.
2. provide in-house training to personnel involved in placing,
approving, or certifying Economy Act Orders.
3. implement procedures to ensure that personnel signing the
Economy Act Orders "determination and findings" are designees at
the SES/FLAG/General Office level and that a list of approved
personnel be provided to the officials certifying funds.
Management Comments
The NSA concurred with the
recommendations and stated that the National Security
Agency/Central Security Service Resources Management Manual is
being amended to include a sample "determination and findings"
statement. In-house training is being conducted to reinforce placing,
approving, or certifying Economy Act Orders in conjunction with
adding detail guidance to the Resource Management Handbook.
The NSA also stated that each signature block an the "determination
and findings" statement will include the official's position and
grades and that it will ensure that the approval meets the grade level
specified by the February 8, 1994, Secretary of Defense
memorandum.
Evaluation of Management CommentsThe NSA comments are responsive to the recommendations.
ISSUE 15
COMPUTER SYSTEMS
Original Issue Statement
The NSA does not comply with DoD security requirements for
accreditation of systems and networks and periodic training of
personnel, thus permitting security vulnerabilities and potential
compromise of national security data.
Original Recommendations
We recommended that the National Security Agency:
1. establish priorities, goals, and objectives to ensure that all
automated information systems are certified and accredited in
accordance with DoD and National Security Agency/Central
Security Service directives.
2. develop a training program and train personnel designated as
computer security officers.
Summary of Agency Response to Original Issue
The NSA concurred
with both recommendations and stated that "actions are underway to
resolve the automated information systems (AIS) and network
accreditation problem. The process to streamline and document the
Computer Security and Network Accreditation Methodology
(CSNAM) was completed by the NSA in November 1991. The
CSNAM is undergoing validation first within the Agency then by
the Service Cryptologic Elements. On completion of the CSNAM
validation planned for April 1992, work will begin on developing
the pilot training module."
The NSA also informed us that a program for training computer
security managers (CSMs) would be completed by June 1992. The
primary goals of the program are to have at least five CSMs certified
as accreditors and all CSMs trained by the end of 1992. This
program will expedite the accreditation of a large part of the AIS
network as soon as possible following installation.
Verification Summary
This issue remains open. The NSA has
progressed in training personnel to perform AIS accreditations and
continued to perform needed accreditations on its AIS systems.
However, numerically speaking, it has made little progress in getting
its AIS accreditation workload under control.AIS Accreditation
MilestoneThe NSA provided us with data that established AIS
accreditation goals and objectives in milestone charts. The charts
indicate that the NSA may be caught up with its workload by the fall
of 1996. The goal is contingent upon the NSA obtaining support
from the key components in doing some of their own accreditations.
This plan is similar to the one for property accountability. Both
plans hinge upon the Office of Operational
Computer Security obtaining support and Cooperation from the key
components. Through interviews we learned that the key components
are reluctant to use their personnel assets to do the AIS
accreditations. The key components believe AIS accreditation is a
primary responsibility of the Office of Operational Computer
Security.
Aggressive Training
The NSA provided evidence that it has
been aggressively training personnel to assist in the AIS
accreditation process. Some trained personnel are located within the
key components to allow them to accredit their own systems upon
arrival, thus preventing the backlog from growing. However, as
stated above, key components are reluctant to use their personnel for
AIS accreditations.
Conclusion
This issue remains open. Even though
the NSA has progressed in training personnel for AIS accreditation,
it has made little headway in getting its accreditation workload
under control.
----------------------------------
Verification Recommendation 9
We recommend that the National Security Agency should resolve its Automated Information Systems accreditation backlog.
Management Comments
The NSA concurred
with the recommendations and stated that it has initiated several
actions to meet the goal of materially reducing the backlog by
January 1997. The-NSA has developed an operational plan to
eliminate the current backlog of systems to be accredited, augmented
the accreditation staff to provide increased manpower, chartered a
corporate-level Operational Information System Security Steering
Group to oversee the entire process, and initiated efforts to train and
certify key components and other accreditors.
Evaluation of Management Comments
The NSA comments are responsive to the recommendations.
ISSUE 16
INSPECTOR GENERAL
Original Issue Statement
Guidance for implementing Inspector General and General
Counsel responsibilities is unclear.
Original Recommendations
We recommended that the National Security Agency:
1. promulgate written policies to establish a comprehensive
Inspector General program, to include Agency-wide planning and
more effective complaint and follow-up systems.
2. establish permanent Inspector General and Deputy Inspector
General positions, along with a cadre of permanent inspectors.
3. revise policy to clearly and completely implement DoD policies
for prompt referral of all fraud allegations to the Office of the
Inspector General, DoD, and its Defense Criminal Investigative
Service.
4. establish written policy to provide authorized oversight elements
with expeditious and unrestricted access to records.
Summary of Agency Response to Original Issue
The NSA concurred
with Recommendations 1, 3, and 4 and nonconcurred with
Recommendation 2. The Agency stressed that recent improvements
in written policies further support the rotation practices because the
policies remove the perception that the Inspector General, National
Security Agency, operates in an arbitrary manner based on
incumbent key personnel.
Verification Summary
This issue remains
open. The NSA maintains that rotating key personnel and inspectors
is the most advantageous approach for the Agency. The basis for that
positron is that rotation precludes "the complacency and narrow
perspectives that could typify long term incumbents" and has a
beneficial grooming effect for senior NSA professionals. The NSA
contends that the Office of the Inspector General benefits by using
grade 15-level personnel as inspectors because they bring adequate
seniority to ensure independence and they are senior experts in their
fields.
Rotational Positions
We acknowledge that an Inspector General (IG) assignment would have a beneficial grooming effect for NSA personnel, but disagree with making those rotational positions
key positions. The IG, NSA, is currently structured so that the IG,
Deputy IG, Assistant IG for Inspections, Assistant IG for Audit,
Assistant IG for Investigations, and the entire inspection staff are
rotational positions. We remain concerned that
independence cannot be assured under this arrangement because
these individuals must consider the impact of their work on
prospects for future assignments.Revised PoliciesThe NSA revised
and extensively expanded its policies for the Inspector General
program. Existing directives NSA/Central Security Service (CSS)
Directive 10-4, "IG Organization"; NSA/CSS Regulation 10-77, "IG
Audit Function"; and NSA/CSS Regulation 12-6 "Audit of NAFs,"
were updated and expanded. The following directives were created
since the 1991 inspection: NSA/CSS Regulation 11 -1 0, Annex D,
"IG Promotion Board"; NSA/CSS Regulation 30-3, "Whistleblower
Protection"; OIG, NSA, Audit Manual; OIG, NSA, Investigations
Manual; and memoranda of agreement with Inspectors General of the
Service Cryptologic Elements and the National Reconnaissance
Office to ensure comprehensive inspections of joint intelligence
units.
The IG, NSA, established clear policies and procedures to govern
OIG activities. The only guidance - that is lacking is an Inspections
manual, which is in the draft stage. Also enhancing OIG guidance is
the NSA "Inspector General Organization Strategic Plan" produced
in September 1992. The strategy sets OIG mission, priorities, goals,
and objectives. The plan remains current and is the foundation for
the annual Inspection and Audit plan.
The NSA produced thorough Inspection/Audit plans for each of the
last three fiscal years. The plans detail the status of on-going
inspection/audit projects and provide Agency personnel the subjects
and schedule for future inspections and audits.
Tracking System
The Assistant Inspector General for Policy and
Oversights has developed and implemented a comprehensive
management information system that tracks IG assistance request
actions and followap for inspection and audit findings. A random
review of documentation showed that they aggressively track
findings on inspections and audits. The Policy and Oversight office
also promotes an aggressive employee awareness program that
publicizes the OIG role in reducing fraud, waste, and
mismanagement; advises employees to report suspected incidents of
fraud, waste, or mismanagement; and educates the NSA work force
on And their responsibility to report such cases.Improved
CoordinationCoordination between the IG, NSA, and the DCIS has
improved significantly. Inspector General, NSA, policies and
procedures support full cooperation with the DCIS. The IG, NSA,
and DCIS officials meet quarterly to
exchange information, discuss planning and assistance issues, and
review Individual cases.
Conclusion
This issue remains open because
the NSA needs to increase the number of permanent positions within
the Office of the Inspector General. The IG, NSA, however, has
made progress in revising and expanding Inspector General program
polices, developing and implementing an IG tracking system, and
improving its coordination with the Defense Criminal Investigative
Service.
---------------------------------------
Verification Recommendation 10
We recommend that the National
Security Agency continue to increase the number of permanent
positions within the Office of the Inspector General. As a minimum,
the majority of key positions should be permanent. Either the
Inspector General or Deputy Inspector General position, along with
the three Assistant Inspector General positions, should be
permanent.
Management Comments
The NSA partially concurred
with the recommendation and stated that it has established a senior
Agency board to identify candidates external to NSA to fill the IG
position on a permanent basis. This board will be meeting with the
IGs of the Intelligence Community, including the IG, DoD, to obtain
advice regarding qualifications and other credentials for this
position. In addition, the Assistant Inspector General for Audit is
now a permanent position, which makes three of the six key
positions and the entire inspection staff rotational positions.
The NSA further stated that it established controls governing
personal independence. All auditors, inspectors, and investigators
must notify their supervisors of any personal or external impairments
that might affect (or appear to affect) their ability to make impartial
judgments. In addition, the IG gives special management attention to
the impact of rotation on individual inspectors. Inspectors are not
allowed to review the specific organizations where they were
recently assigned.
Evaluation of Management Comments
The NSA comments are to the recommendation.
------------------------------------------------
APPENDIX A
INSPECTION TEAM MEMBERS
Inspection Director
Lt Col Michael Simpkins
Assistant Inspection Director
Mr. Peter Schroder
Inspectors
Mr. Arnold Davis
Ms. Judith Heck
Mr. Barry Johnson
Mr. William Shea
Inspection Coordinator
Ms. Kenya Van Doren
------------------------------------------------------------------------
APPENDIX B
REPORT DISTRIBUTION
Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)
Deputy Chief Financial Officer
Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control,
Communications and Intelligence)
Assistant to the Secretary of Defense (Intelligence Oversight)
Joint Chiefs of Staff
Inspector General, Joint Staff
Department of the Army
Inspector General, Department of the Army
Department of the Navy
Inspector General, Department of the Navy
Headquarters, U.S. Marine Corps
Inspector General, Headquarters, U.S. Marine Corps
Department of the Air Force
Inspector General, Department of the Air Force
Other Defense Organizations
Inspector General, Central Imagery Office
Inspector General, Defense Intelligence Agency
Inspector General, National Reconnaissance Office
Director, National Security Agency
Inspector General, National Security Agency
Non-Defense Federal Organizations
Technical Information Center
National Security and International Affairs Division
General Accounting Office
Chairman and ranking minority member of each of the following congressional committees and subcommittees:
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
Senate Select Committee on Intelligence
House Committee on Appropriations
House Subbcommittee on National Security, Committee on Appropriations
House Committee on Government Reform and Oversight
House Subcommittee on National Security, International Affairs,
and
Criminal Justice, Committee on Government Reform and Oversight
House Committee on National Security
House Permanent Select Committee on Intelligence
Implemented by Sara D. Berman
|