Intelligence Review Directorate

Final Report on the Verification
Inspection of the
National Security Agency

Report Number IR 96-03
February 13, 1996

Special Warning

This report contains certain unclassified information relating to the organization and function of the National Security Agency that may be protected by Public Law 86-36, May 29, 1959. Reproduction or removal of pages is prohibited. Safeguards must be taken to prevent publication or improper disclosure of the information in this report.

FOR OFFICIAL USE ONLY

Additional Copies

To obtain additional copies of this audit report, contact the Secondary Reports Distribution Unit, Analysis Planning and Technical Support Directorate, at (703) 604-8937 (DSN 664-8937) or FAX (703) 604-8932.

Suggestions for Future Audits and Evaluations

To suggest ideas for or to request future audits and evaluations, contact the Planning and Coordination Branch, Analysis Planning and Technical Support Directorate, at (703)604-8939 (DSN 664-8939) or FAX (703) 604-8932. Ideas and requests can also be mailed to:

Inspector General, Department of Defense
OAIG-AUD (ATTN: APTS Audit and Evaluation Suggestions)
400 Army Navy Drive (Room 801)
Arlington, Virginia 22202-2884

Defense Hotline:

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to [email protected]; or by writing the Defense Hotline, The Pentagon. Washington, D.C. 20301-1900. The identity of each writer and caller is fully protected.

Acronyms
AISAutomated Information Systems
ASD(C3I)Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
COMINTCommunications Intelligence
CPBSCapabilities Programming and Budgeting System
CSMComputer Security Manager
CSNAMComputer Security and Network Accreditation Methodology
CSSCentral Security Service
DCIDirector of central Intelligence
DFARSDefense Federal Acquisition Regulation Supplement
EOExecutive Order
FARFederal Acquisition Regulation
GPRAGovernment Peroformance and Results Act
HRRGHuman Resources Review Group
IGInspector General
IMCInternal Management Control
INFOSECInformation Security
NFIPNational Foreign Intelligence Program
NSANationl Security Agency
NSRLNational Signals Intelligence Requirements List
NSTISSAMNational Security Telecommunications and Information Systems Security Advisory Memorandum
NTISSCNational Telecommunications and Information Systems Security Committee
OPSECOperations Security
PPBSPlanning, Programming, and Budgeting Systems
SAPSpecial Access Program
SCISensitive Compartmented Information
SIGINTSignals Intelligence
VRKVery Restricted Knowledge


INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-2884

February 13, 1996

MEMORANDUM FOR DIRECTOR, NATIONAL SECURITY AGENCY
SUBJECT:Final Report on the Verification Inspection of the National Security Agency (Report No. IR96-03)

We are providing this final report for information and use. The report discusses management actions taken to correct problems identified during the 1991 Inspection of the National Security Agency. We considered comments on a draft of this report in preparing the final report.

Comments on the draft of this report conformed to the requirements of DoD Directive 7650.3 and left no unresolved issues. Therefore, no additional comments are required.

We appreciate the courtesies extended to the inspection team. Questions on the inspection should be directed to Lt Col Michael Simpkins, USAF, Inspection Director, at (703) 604-8872 (DSN 664-8872). The inspection team members are listed in Appendix A. See Appendix B for the report distribution.

Special Warning

This report contain certain unclassified information relating to the organization and function of the National Security Agency that may be protected by Public Law 86-36, May 29, 1959. Reproduction or removal of pages is prohibited. Safeguards must be taken to prevent publication or improper disclosure of the information in this report.

FOR OFFICIAL USE ONLY


TABLE OF CONTENTS
Page
PART I - INTRODUCTION
Background
1
1991 Inspection
2
Scope
2
Methodology
2
PART II - ORGANIZATIONAL ASSESSMENT
Overall Verification Assessment
3
PART III ISSUES AND RECOMMENDATIONS
Manpower/Organizational Structure
5
Strategic Planning
8
Internal Management Control Program
10
Special Access Programs
12
Signal Intelligence Integration
15
Operations Centers
18
Collection Evaluation System
19
Operations Security
21
Joint Decisionmaking
23
Integrated Budget System
26
Revoking Security Clearances
27
Information Security
28
Equipment Accountability
29
Contract Oversight
32
Computer Systems
37
Inspector General
39
APPENDIXES
A - Inspection Team Members
B - Report Distribution


PART I - INTRODUCTION

BACKGROUND The National Security Agency (NSA) is part of the national foreign intelligence structure. That structure is comprised of numerous Government agencies and organizations that manage the national intelligence programs. The common thread among those agencies and organizations is that they are concerned with some aspect of collecting, processing, or analyzing foreign intelligence information.
Genesis The genesis of the Intelligence Community can be traced to the National Security Act of 1947. Before the Act, the Departments of War, State, and Navy conducted independent intelligence functions without the benefit of an overall national coordinating agency or organization. The Act and subsequent Executive Orders consolidated intelligence functions under the Director, Central Intelligence. The National Security Agency was created by Presidential memorandum on November 1, 1952. The national signals intelligence (SIGINT) mission was consolidated when the SIGINT elements of the Services, referred to as the Central Security Service, were consolidated under the NSA in 1971.

The Director, NSA, has traditionally been a military officer of Flag rank who is also designated as the Chief, Central Security Service. The Director is authorized a Deputy Director, NSA (civilian), and a Deputy Chief, Central Security Service (military).

Central Security Service The Central Security Service is a jointly staffed headquarters of Army, Navy, Marine Corps, and Air Force operating elements using personnel from the Service Cryptologic Elements. The commanders of Service cryptologic organizations and their subordinate activities that conduct SIGINT operations receive direction from the Chief, Central Security Service, for all matters involving SIGINT activities. However, they receive administrative and logistical support from their parent Services.
NSA INFOSEC Mission In addition to SIGINT, the NSA is required to ensure secure telecommunications and automated information security (INFOSEC) for all departments and agencies of the U.S. Government.
Director-SIGINT Advisor The Director, NSA, reports to the Secretary of Defense and serves as the principal SIGINT advisor for the Secretary of Defense; Director of Central Intelligence; and the Chairman, Joint Chiefs of Staff.
National Security Agency - 1
The NSA headquarters element is located at Fort George G. Meade, Maryland. The NSA also has additional facilities at other locations throughout the Baltimore/Washington area.
1991 INSPECTION In 1991, the Inspector General, Department of Defense, conducted the first comprehensive inspection of the NSA. The goal of the inspection was to evaluate the processes the NSA uses to measure achievement of its mission and to manage its functions and organizational elements. The inspection report (May 12, 1992) had 64 recommendations.

During that inspection, we found that the growth of the Agency had not been centrally managed or planned and that the NSA did not have sufficient internal oversight mechanisms to ensure the Agency efficiently accomplished its mission. Our most significant concern regarding the NSA efficiency was the absence of management oversight and controls in several key areas, such as organizational structure, manpower requirements, and property management. We also found that the NSA had identified problems through multiple internal studies, but had not taken effective action based on those studies.

SCOPE We examined 16 of the 36 problem areas identified in the original inspection. The 16 areas selected are a representative sampling of key areas such as strategic planning, internal management, manpower, contract management, budgeting, financial planning, and oversight processes and mechanisms. The 16 areas required corrective actions by the Assistant Secretary of - Defense for Command, Control, Communications, and Intelligence or the Director of the NSA.
METHODOLOGY In performing the verification inspection, we evaluated~actions on the 1991 recommendations through interviews and reviews of specific documentation. To determine the adequacy of the corrective actions, we analyzed the actual actions underway or completed and the extent to which the underlying problems had been resolved. We considered an issue closed if the problem had been corrected, regardless of whether the corrective actions were in accordance with the 1991 inspection recommendations or were alternative solutions deemed appropriate by the NSA. Conversely, we considered an observation open if the underlying problem continued.

2 - National Security Agency

PART II - ORGANIZATIONAL ASSESSMENT

OVERALL VERIFICATION ASSESSMENT The goal of our inspection was to review management actions taken to correct the problems identified during the 1991 NSA inspection and determine whetter those actions corrected and prevented the problems from recurring. Our verification inspection showed that the NSA corrected 6 of the 16 issues we reviewed, but had not adequately corrected the other 10 issues. The NSA provided responsive comments to our recommendations that will correct the problems we noted.

Specifically, we found the following:

    • Manpower/Organizational Structure. The NSA does not adequately identify its manpower requirements. As a result, it does not know the total number of manpower requirements by quantity and skill mix to perform its mission.
    • Strategic Planning. The NSA implemented a viable strategic and corporate planning process.
    • Internal Management Control Program. The NSA has not included the areas of time and attendance, travel, overtime, cash management, and automated information systems accreditations as assessable units in its Internal Management Control Program. As a result, the Agency is not using a key tool for detection of fraud, waste, and mismanagement in these vulnerable areas.
    • Special Access Program (SAP). The NSA has not developed and implemented an Agency SAP policy consistent with DoD guidance. As a result, the Agency was not effectively overseeing the SAP programs it supports.
    • Signal Intelligence Integration. The NSA has not established an aggressive customer feedback process to evaluate the quality and effectiveness of SlGINT-generated products.
    • Operations Centers. The NSA reduced the number of 24hour operations centers.
    • Collection Evaluation System. The NSA does not provide adequate management oversight and accountability for controlling unnecessary and unjustifiable collection duplications. As a result,
National Security Agency - 3
      the Agency is unable to operate its Collection Evaluation System in an effective and efficient manner.
    • Operations Security (OPSEC) Program. The NSA has not established adequate performance indicators to measure the effectiveness of its OPSEC program. As a result, the Agency cannot tell how well it is performing its duties as the Executive Agent of the National OPSEC program.
    • Joint Decisionmaking. The NSA synchronized some segments of the Capabilities, Programming, and Budgeting System with the Planning, Programming, and Budgeting System.
    • Integrated Budget System. The NSA reduced organizational layering in its budget management system.
    • Revoking Security Clearances. The NSA has taken the corrective actions to systemically rectify shortcomings.
    • Information Security. The NSA has procedures for its interface with the North Atlantic Treaty Organization concerning information security issues.
    • Equipment Accountability. The NSA does not meet DoD equipment accountability standards. As a result, the Agency cannot account for millions of dollars worth of assets.
    • Contract Oversight. The NSA has not implemented adequate procedures for Economy Act Orders that are in compliance with DoD guidance. As a result, the Agency is in noncompliance with the Economy Act.
    • Computer Systems. The NSA has not made satisfactory progress in acquiring accreditation for its automated information systems. As a result, the Agency is unable to accredit its system and networks in accordance with DoD guidance.
    • Inspector General. The NSA rotates key personnel and its inspection staff. As a result, independence cannot be assured because these individuals must consider the impact of their work on prospects for future assignments.

4 - National Security Agency

PART III - ISSUES AND RECOMMENDATIONS

ISSUE 1MANPOWER/ORGANIZATIONAL STRUCTURE
Original Issue Statement The USA lacks planning criteria and program controls for determining the most efficient organizational structure and for efficiently utilizing manpower and other resources to accomplish its mission.
Original Recommendations We recommended that the National Security Agency:

1. immediately validate organizational, manpower (including skill mix), and equipment requirements to properly align resources to perform in the most efficient and effective manner.

2. establish and use formal planning criteria and measurement tools prior to any reorganization.

3. develop a plan and milestones to expeditiously implement recommendations made in the study of Bureaucracy and NSA: Mananement's Views.

Summary of Agency Response to Original Issue The NSA partially concurred with all three recommendations. The NSA stated that the validation of organizational and manpower requirements is a proactive and ongoing process. Additionally, all components were given very explicit taskings and guidelines for reviewing and improving efficiency, effectiveness, and economy of operations and have completed massive organizational structure, functions, and process reviews. The NSA also pointed out that it was incorrect for the Inspector General (IG), DoD, to assume and state that resource allocation and organizational structure decisions are made without reference to " proven measurement criteria." The NSA also stated that it has a plan for implementing the study of Bureaucracy and NSA: Management's Views.
Verification Summary This issue remains open. The NSA does not have a process for determining its most efficient organization.
Layering Study The NSA implemented past internal recommendations regarding its layering study, Bureaucracy and NSA: Mananement's Views. In June 1990, the Director, NSA, chartered a group of agency senior executives to conduct an appraisal of organizational layering, both horizontal and vertical, and associated procedural
National Security Agency - 5
dysfunctions at the NSA. The resultant study outlined possible strategies to address identified problems and provided the impetus for several follow-on reviews. One such review addressed a broad spectrum of top tier issues and focused on the objectives of streamlining operations, eliminating or consolidating top tier functions and concentrating management authorities and responsibilities. Another review focused on six primary processes. The Director, NSA, implemented selected recommendations contained in the three studies he considered to be in the best interests of the NSA. Overall,- those recommendations resulted in a November 1992 reorganization. That reorganization resulted in changes such as a 40 percent reduction in the number of deputy directors and a 29 percent reduction in middle managers. The number of second and third echelon organizations below the directorate level was reduced by 53 and 44 percent, respectively. Also, the number of individuals previously reporting directly to the Director, NSA, was reduced from approximately 90 to 15; all support services were consolidated into one component; and all corporate planning, budget, and congressional/ community liaison was consolidated into a single organization. Nine directorate budget offices were reduced to five, resulting in a total reduction of 44 percent in the budget organizational structure. Last, from fiscal years 1990 - 1995, the NSA reduced its total civilian employment by 15 percent.
Efforts to Complete Model Although the NSA has implemented some internal recommendations to reduce manpower and reorganize, it has not finalized a process for determining manpower and skill mix. In 1993, the Work Force Transition Task Force developed a model to provide agency managers a manpower and skill mix profile through the year 2000. Presently, that model has not been implemented and is still being refined through the Ideal Work Force project.
Ideal Work Force Project To finalize its manpower process, the NSA formulated the Human Resources Review Group (HRRG), which was chartered on March 9, 1995. The HRRG was established with the objective of creating a corporate process for determining NSA/Central Security Service (CSS) long range manpower skill requirements and the apportionment of appropriately skilled personnel among the operating elements. The HRRG formed a group to work on a project known as the Ideal Work Forceproject. That project will provide standards against which the agency can measure its size, skill mix, structure, grades, and demographic profile. Recently, an attrition model was developed to predict movement into and out of the agency's various career fields. The NSA envisions its manpower and skill mix model to be finalized in the August/September 1995 time frame.
6 - National Security Agency
Conclusion This issue remains open because currently the NSA does not have a process for determining its most efficient organization.


Verification Recommendation 1 We recommend that the National Security Agency finalize and implement a manpower requirements determination model based upon quantitative and qualitative work load measurement techniques for identifying the required manpower and the associated skill mix and grades.
Management Comments The NSA concurred and stated although several efforts have produced interim manpower models, a definitive guide that will satisfy the IG requirements is currently under development by the Human Resources Review Group.
Evaluation of Management Comments The NSA comments are responsive to the recommendation.

7 - National Security Agency

ISSUE 2STRATEGIC PLANNING
Original Issue Statement The NSA lacks an effective corporate planning strategy.
Original Recommendation We recommended that the National Security Agency revitalize the corporate planning process by providing authority to the Plans and Policy Organization commensurate with its existing responsibilities.
Summary of Agency Response to Original Issue The NSA partially concurred. The Office of Plans and Policy developed a corporate planning process that helped to determine agency focus and direction, identify goals and issues, and select appropriate strategies to pursue and accomplish implementation. The process was approved by senior management and was implemented.
Verification Summary This issue is closed. The NSA developed a viable strategic and corporate planning process. The NSA is commended for measuring and tracking its strategic planning through its yearly Improvement Cycle Assessment.
Strategic Planning On May 19, 1994, the NSA board of directors agreed that the NSA/CSS strategic planning process would consist of a hierarchy of plans to guide the United States Cryptologic System into the 21st century. The overall strategic plan would contain the vision of the future and the strategy for attaining that vision. It would be updated annually and would provide the foundation for all other strategic planning-related documents. At the next lower level, a set of corporate plans would address key NSA/CSS-wide issues (such as, Support to Military Operations, Human Resource Management, Equal Employment Opportunity, and National Information Security Strategy).

The NSA updated its strategic plan in March 1995. The NSA strategic plan is supported by 11 corporate plans. The NSA finalized 6 of the 11 corporate plans.

Government Performance and Results Act The NSA is well aware of the Government Performance and Results Act (GPRA) and has developed an implementation plan for that Act. On May 18, 1995, senior NSA officials were briefed on the requirements for the GPRA and the proposed implementation for NSA. The NSA implementation of the GPRA will be guided by the NSA Senior Steering Group. The GPRA working groups will provide working-level implementation for each objective. The NSA planners have been tasked to develop and refine performance measures prior to
8 National Security Agency
submission of the initial performance plan due in September 1997.
NSA Improvement Cycle The NSA strategic planning is measured and tracked yearly through the NSA Improvement Cycle Assessment. The NSA Improvement Cycle Assessment is an approach for managing agency activities based on the Presidential Award for Quality management criteria. One of the seven criteria is strategic planning. The NSA strategic planning process was assessed in each of the past 2 fiscal years in such areas as the strategic quality planning process, customer/suppliers involvement in agency strategic planning, work force understanding of strategic goals, identification of quality performance goals, and the allocation of resources in accordance with prioritized strategic initiatives.
Conclusion The NSA has fully corrected the original planning problem through its implementation of an effective planning strategy. It has developed a viable strategic and corporate planning process and is commended for its yearly measuring and tracking of strategic planning.

9 National Security Agency

ISSUE 3INTERNAL MANAGEMENT CONTROL PROGRAM
Original Issue Statement The NSA Internal Management Control (IMC) Program should be expanded to examine additional vulnerable areas and to ensure assessments are accomplished following reorganizations.
Original Recommendations We recommended that the National Security Agency:

1. strengthen its Internal Management Control Program by aggressively examining and identifying vulnerabilities and by requiring risk assessments following reorganizations.

2. ensure that assessable units include time and attendance, travel, overtime, cash management, and automated information systems accreditations in its vulnerability assessments.

Summary of Agency Response to Original Issue The NSA concurred with the recommendations and agreed to amend its IMC Program regulation (NSA/CSS Regulation 112-17) to include the requirement that IMC Vulnerability Assessments be completed following all reorganizations. The NSA also agreed that activities such as time and attendance, travel, overtime, cash management, and automated information systems accreditations should be in vulnerability assessments.
Verification Summary This issue remains open. The NSA has not included the areas of time and attendance, travel, overtime, cash management, and automated information systems accreditations as assessable units.
Lack of Assessable Units The NSA amended NSA/CSS Regulation 112-17 to ensure that vulnerability assessments are conducted after all reorganizations and that activities such as time and attendance, travel, overtime, cash management, and automated information systems are addressed by the IMC program. Interviews with three of eight IMC Focal Points (to include the IMC Program Administrator) and several Group Representatives found that the agency addressed these activities by developing various manuals and procedures. However, the agency failed to create assessable units for the referenced activities. Therefore, vulnerability assessments are not being accomplished in these areas that are vulnerable to fraud, waste, and mismanagement. In order to establish an effective IMC program, the agency must create assessable units and conduct vulnerability assessments to ensure these procedures are being followed.

A review of the IMC Program documentation confirmed that the agency is conducting vulnerability

10 - National Security Agency
assessments after all reorganizations or as scheduled by the Management Control Plan.
Conclusion This issue remains open because the NSA has not ensured that its vulnerability assessments include the areas of time and attendance, travel, overtime, cash management, and automated information systems accreditations.


Verification Recommendation 2 We recommend that the National Security Agency ensure that vulnerability assessments are conducted for activities such as time and attendance, travel, overtime, cash management, and automated information systems accreditations.
Management Comments The NSA concurred with the recommendation and stated that its regulation requires managers to review time and attendance, travel, overtime, cash management, and automated information systems accreditations when conducting vulnerability assessments of their organization or function. They also stated that the above activities do not qualify as separate assessable units as defined in DoD Directive 5010.38, "Internal Management Control Program."
Evaluation of Management Comments The NSA comments are responsive to the recommendation. DoD Directive 5010.38 states that assessable units shall be established by segmenting the DoD Component into organizational, functional, programmatic, or other proper subdivisions suitable for evaluating systems of internal management controls and identifying program and administrative activities of applicable nature and size to facilitate a meaningful assessment. Establishing assessable units or adding these activities to existing assessable units are necessary for internal administration of the NSA.

National Security Agency - 11

ISSUE 4SPECIAL ACCESS PROGRAMS
Original Issue Statement The NSA does not effectively monitor the Special Access Programs it operates or supports.
Original Recommendations We recommended that the National Security Agency:

1. develop and implement an agency Special Access Program policy consistent with DoD guidance.

2. conduct a review to determine the actual Special Access Programs and Special Access Program-like Programs sponsored and supported by the agency and ensure its management of those programs complies with DoD policy.

Summary of Agency Response to Original Issue The NSA nonconcurred with the Recommendation 1. It indicated that it implemented DoD policy by incorporating DoD Directive 0-5205.7, "Special Access Program Policy, as an enclosure to NSA/CSS Regulation No. 120-23, July 24, 1989. The NSA partially concurred with Recommendation 2. The Agency maintains it has "no SAP or SAP-like programs reportable under DoD Directive 0-5205.7." It stated that all its programs are Communications Intelligence (COMINT) or Signals Intelligence (SIGINT) and are Sensitive Compartmented Information (SCI), which are under the responsibility and guidance of the Director of Central Intelligence (DCI). Therefore, these programs do not fall under the DoD SAP Policy.
Verification Summary This issue remains open. The NSA has neither developed and implemented an Agency SAP policy consistent with DoD guidance nor has it established effective oversight over those SAPs it supports.
Very Restricted Knowledge In November 1974, the NSA Director authorized the establishment of the "Very Restricted Knowledge" (VRK) System to limit access to uniquely sensitive SIGINT activities and programs in accordance with his authority as in Executive Order (EO) 12333.1.2(b). The program is administered in accordance with United States Signals Intelligence Directive 16. The NSA contends that these VRK programs (all SCI) are COMINT or SIGINT programs, which come under the direction of the DCI.
Lack of Policy We found that the NSA had not established NSA policy for the area of SAPs. The NSA stated that it had instituted such policy via NSA/CSS Regulation 120-3, but that it did not have any SAPs or SAP-like programs. As a result, it does not maintain a list of SAPs or SAP-like programs, even for those that it supports. DoD
12 - National Security Agency
Regulation 5200.1R, "Information Security Program Regulation," May 30, 1986, with changes, indicates that SAPs shall be controlled and managed in accordance with DoD Directive 5205.7, and component heads shall appoint a SAP coordinator for all SAPs "in the component." That policy appears to indicate that whether or not the SAP was established within the agency or exists in the Agency, proper oversight must be in place.

Although the NSA advised the IG, DoD, during the inspection that the NSA supports SAPs with other organizations, it neither maintains a list of NSA-supported SAPs nor are these SAPs controlled or monitored by an NSA SAP coordinator. It does, however, maintain a list of VRK programs, which are annually reviewed by the Director of NSA.

New Guidance The most recent EO 12958, April 20, 1995, Sec. 4., defines a SAP as "a program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level." In addition, this EO limits the establishment of SAPs to the Secretaries of State, Defense, and Energy and the Director of Central Intelligence. Further, it states that each agency shall establish and maintain controls and oversight and shall review each SAP annually to determine whether it continues to meet the requirements of this order.

The Director of Central Intelligence Directive, DCID 3/29, June 2, 1995, implemented EO 12958 and states that the DCI or Deputy DCI shall determine whether to create, modify, or terminate controlled access programs. We believe that the definition of SAPs under the EO 12958 encompasses the VRK programs currently operating at the NSA. Further, EO 12958 requires annual reporting of the SAPs. The EO states that "The agency head or principal deputy shall review each SAP annually to determine whether it continues to meet the requirements of this order." This EO indicates that annual reporting is required. The DCI has already issued its directive, DCID 3/29, which requires this annual review. Therefore, if the program is SCI, then we believe that the new EO requires annual reporting to the DCI.

Conclusion This issue remains open because the NSA still does not effectively monitor the SAP it operates or supports. The NSA has neither established policy for the area of SAPs nor does it maintain a list of NSA-supported SAPs and the SAPs controlled or monitored by its SAP coordinator.
National Security Agency - 13


Verification Recommendation 3 We recommend that the National Security Agency:

a. review of all Special Access Programs, Special Access Program-like programs and Very Restricted Knowledge programs that it has established or supports and establish an effective oversight mechanism to ensure proper coordination, monitoring, and tracking.

b. ensure that all Special Access Programs, Special Access Program-like programs, and Very Restricted Knowledge programs supported by the National Security Agency are reported annually to Department of Defense or the Director of Central Intelligence.

Management Comments The NSA partially concurred with the recommendations and maintains that it does not have any SAPs as defined by DoD Directive 0-5205.7, "Special Access Program Policy," January 4, 1989. The NSA states that its programs are conducted under the authority of the DCI and that DoD Directive 0-5205.7, paragraph B. 5., specifically excludes SCI programs established by the Director of Central Intelligence. As part of the SCI control system, the NSA COMINT information will be reported to the DCI in accordance with DCID 3/29 guidance.

The NSA also stated that it is developing oversight mechanisms to ensure proper coordination, monitoring, and tracking pursuant to DCID 3/29. The Controlled Access Program Coordination Office established by the DCI to oversee controlled access programs shall coordinate security policies with the Security Policy Board and the Special Access Program Oversight Committee of the DoD. The NSA anticipates implementation of DCID 3/29 by February 1, 1996.

Evaluation of Management Comments The NSA comments are responsive to the recommendations. Our concern was that an effective oversight process be established and implementation of DCID 3/29 will ensure this problem is corrected.

14 - National Security Agency

ISSUE 5 SIGNAL INTELLIGENCE INTEGRATION
Original Issue Statement The Signal Intelligence production process does not function as an interrelated process and is hampered by a lack of effective management oversight.
Original Recommendations We recommended that the National Security Agency:

1. develop a measurable, internal oversight mechanism to track requirements through the entire production process. In addition, ensure that a clear link is between analytical efforts and the National Signal Intelligence Requirements List that allows managers to measure progress against meeting those requirements.

2. establish an effective feedback mechanism to evaluate the quality and effectiveness of Signal Intelligence-generated products.

3. conduct a manpower study to determine the appropriate number of Operations staff personnel and reduce excessive personnel and organizational layering.

4. develop and document Signal Intelligence procedures for the collection and analysis process.

5. ensure that the Operations Organization's analytical capability keeps pace with the collection requirements.

Summary of Agency Response to Original Issue The NSA concurred with Recommendation 5; partially concurred with Recommendations 1, 2, and 3 and nonconcurred with Recommendation 4. The agency stated that "the Production Oversight Tracking System allows managers to track NSA's success in meeting SIGINT requirements but does not track the requirements through The entire production process; customer feedback needs to be improved to better gauge product and service effectiveness; and the NSA components had recently completed a massive reorganization in response to the Layering Study findings." The NSA commented that the changing world situation and budgeting pressures would ultimately affect the restructuring process and determine the end state of the organization. Further, the NSA noted that it had taken several tangible actions to balance collection and analysis.
Verification Summary This issue remains open. The NSA has neither established a standardized customer feedback process nor implemented a process for determining its most efficient organizational structure.
15 - National Security Agency
Customer Satisfaction Improvements The NSA has not fully completed its customer satisfaction feedback procedures to evaluate the quality and effectiveness of SlGINT-generated products. The Agency solicits comments from its customers but the solicitation is neither part of a standardized customer feedback format nor is it frequently used. The agency has planned but not fully implemented the following customer satisfaction improvements:
  • automated customer feedback response process throughout the intelligence community,

  • customer feedback tool to measure customer satisfaction both at the NSA and the intelligence community at large,

  • tracking system for corrective actions based on customer feedback, and

  • standardized and user-friendly system for NSA and its customers.
Automated Tracking System The NSA implemented an automated production reporting and tracking system. Managers are now able to measure timeliness and progress in completing their collection requirement "askings. The tracking mechanism also provides a clear link between analytical efforts and collection requirements.

We reviewed the production-tracking system and randomly selected collection taskings to ensure that collection requirements were fully identified and tracked throughout the production cycle. The production-tracking system provides management with a top-down review of its SIGINT collection requirements and production cycle. This automated system connects and interrelates collection, processing, analysis, and reporting throughout the entice production cycle. The system provides management with a tool that identifies and tracks requirement's taskings from the front end (collections) to the back end {reporting). Consequently, NSA now has a system that provides effective visibility over actions in the SIGINT process to allow managers to respond to inquiries.

Enhanced Analytical Capability The NSA has also established mechanisms to ensure that its analytical capability keeps pace with the collection requirements. Analytical capability has been enhanced by the introduction of powerful new networked desktop computers to assist in analytical efforts against virtually every SIGINT target. The desktop computers allow the analyst to network with other analysts as well as interface with the customer to optimize collection and analytical functions.
16 - National Security Agency
Conclusion This issue remains open primarily because the NSA has not fully completed its customer satisfaction feedback procedures to evaluate the quality and effectiveness of SlGINT-generated products. However the NSA has improved its SIGINT production process through implementing an automated production reporting and tracking system and establishing mechanisms to ensure that its analytical capability keeps pace with collection requirements.


Verification Recommendation 4 We recommend that the National Security Agency:

1. standardize its customer feedback format, establish automated customer feedback responses through the intelligence community, and incorporate a customer feedback information data base for National Security Agency managers.

2. establish a system for tracking corrective action based upon customer feedback.

3. finalize and implement its model for determining manpower and skill mix.

Management Comments The NSA concurred with our recommendations and stated that it chartered a SIGINT Customer Focus and Satisfaction Team in December 1994 to identify and recommend specific steps for senior management to establish a systematic feedback process for evaluating the quality and effectiveness of SlGINT-generated products. The team is developing a process that will enable managers to better gauge the effectiveness of SIGINT products and services. As noted in Issue 1, the Human Resources Review Group will address manpower requirements in the definitive guide.
Evaluation of Management Comments The NSA comments are responsive to the recommendations.

National Security Agency - 17

ISSUE 6OPERATIONS CENTERS
Original Issue Statement The proliferation of 24-hour, 7 day-a-week operations centers has resulted in duplication of effort.
Original Recommendation We recommended that the National Security Agency justify those 24-hour centers in the Operations Organization that are mission-essential and consolidate or eliminate the rest.
Summary of Agency Response to Original Issue The NSA partially concurred. The agency stated that adjustments were made in response to changing requirements. Additional changes would occur because of downsizing, eliminating, and consolidating watch operations.
Verification Summary This issue is closed. The NSA reduced the number of 24-hour operations watch centers by approximately 43 percent since 1991.
Forty Percent Savings The gradual consolidation and elimination of operations watch centers have resulted in approximately 40 percent savings in manpower costs from Fiscal Years 1992 through 1995 with no impact on the Agency's ability to perform its mission. Economic analysis and cost benefit studies were not conducted for any of the NSA Headquarters Operations Watch Centers, since NSA knew that most cost benefits or savings would be for manpower. Economic analyses were conducted for field activity closures, which included operations watch centers. This analysis was done to capture the full detailed costs and savings for the larger field site closures.
Conclusion This issue is closed because the NSA has reduced the number of 24-hour watch centers by approximately 43 percent, resulting in a 40-percent savings in manpower costs from Fiscal Years 1992 through 1995 with no impact on mission accomplishment.

18 - National Security Agency

ISSUE 7COLLECTION EVALUATION SYSTEM
Original Issue Statement The Collection Evaluation System is neither effective nor efficient.
Original Recommendation We recommended that the National Security Agency upgrade management procedures and the Collection Evaluation System to ensure that collection duplications are identified and managers eliminate those duplications wherever feasible.
Summary of Agency Response to Original Issue The NSA concurred stating that it needed to revamp its approach to the Collection Evaluation System. The responsibility for accomplishing this task would be transferred to another organization within NSA. Once transferred, an action plan would be developed and implemented.
Verification Summary This issue remains open. Although many technological improvements have been made to the Collection Evaluation System since 1992, the NSA needs to continue improving management oversight and accountability for controlling unnecessary collection duplications.
Collection Evaluation System The NSA installed a software system that consolidates current and future collection management support efforts into a centralized architecture.

The existing collection evaluation system has a feature that reports collection duplications. Duplicate assignments are flagged to remind collection managers to constantly assess the validity of the required duplication. Although NSA collection evaluation system captures and extracts data on unjustifiable duplications, the NSA has not used this information to establish automated oversight-control over wasteful collection duplication.

The NSA leaves it to the station collectors to clean up their own duplications. While automated system information could be made available for management oversight, the NSA has not established standardized or automated procedures for eliminating unnecessary duplications. Also, NSA has not devised corrective actions for eliminating the wasteful collection duplications. Consequently, the collection duplication portion of the NSA Collection Evaluation system is currently not operated in an effective or efficient manner.

Conclusion Even though the NSA has made numerous improvements to the collection evaluation system, this issue will remain open to ensure the NSA establishes
19 - National Security Agency
automated oversight control over wasteful collection duplication.


Verification Recommendation 5 We recommend that the National Security Agency standardize its collection evaluation system to eliminate unnecessary collection duplications.
Management Comments The NSA concurred with the recommendation but disagreed with the draft report conclusion that "NSA has not established standardized or automated procedures for eliminating unnecessary duplication." The NSA stated that the existing collection evaluation system reports collection duplications. The use of this feature and similar tools have permitted an 80 percent reduction in duplication for fixed collection over the past 5 years. The whole concept of "duplication of collection" dictates that many targets are tasked in several places to insure that they are, in fact, collected.

The NSA also stated that automation is being used and enhanced to assist in eliminating unnecessary duplications. However, the NSA has deemed the "human analysis factor" as more critical than automation to solve unnecessary duplication. The NSA relies on analysts' judgment to determine the best collector (or duplicate collectors) against a given target based on factors such as priorities, technical capabilities, customer needs, and deliverability of products to customers.

Evaluation of Management Comments The NSA comments are responsive to the recommendation. In regard to the NSA disagreeing with our draft report conclusion, we have restated the conclusion to accurately reflect the condition.

20 - National Security Agency

ISSUE 8OPERATIONS SECURITY
Original Issue Statement DoD policy regarding the NSA operations security (OPSEC) mission responsibilities have not been updated and clearly defined.
Original Recommendations We recommended that:

1. the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) expedite the revision of draft DoD Directive 5205.2, to reflect National Security Decision Directive No. 298.

2. the National Security Agency propose and gain approval for policy clarifying its roles as the Operations Security Executive Agent and its relationship to the Interagency Operations Security Support Staff.

Summary of Agency Response to Original Issue The Assistant Secretary of Defense (Command, Control, Communications and Intelligence) (ASD[C3I]) concurred, stating that "the Deputy Assistant Secretary of Defense, Counterintelligence and Security Countermeasures Program, is coordinating the revision of DoD 5205.2." The NSA, concurred stating that it will draft a statement of policy clarifying the role of the Director, NSA, as Executive Agent for Interagency OPSEC training.
Verification Summary This issue remains open. During our inspection, we found that both the DoD Directive 5205.2 and the NSA Directive 120-03 had been updated with clearly defined criteria that clarified the NSA role and relationship as the OPSEC Executive Agent to the Interagency OPSEC Support Staff.

Even though the NSA corrected the original problem, the NSA did not have supporting data to show how effective It has been in meeting its role as Executive Agent of the OPSEC Program. Its budget figures for 4 years showed that the NSA did not use half of the resources at its disposal. Interviews with NSA personnel did not reveal how effectively the agency has implemented its internal program or how effectively it has supported of DoD activities. In our view, a viable OPSEC Program needs to measure effectiveness.

Conclusion This issue remains open even though the NSA met the intent of our recommendations. The NSA did not have supporting data to show how effectively it has met its role as Executive Agent of the OPSEC Program. We believe the NSA OPSEC Program needs to measure effectiveness.
National Security Agency - 21


Verification Recommendation 6 We recommend that the National Security Agency:

1. develop a strategic plan that outlines its goals and objectives for Operations Security program over a specified period.

2. develop performance data that shows how effectively it is performing its Operations Security mission.

Management Comments The NSA concurred with the recommendations and stated that a series of activities are underway to delineate goals and objectives to provide current and future quality responses to customer OPSEC requirements. The Interagency Operations Security Staff is reviewing customer information and the mission performance measurement process to show how effectively it is performing its OPSEC mission.
Evaluation of Management Comments The NSA comments are responsive to the recommendations.

22 - National Security Agency

ISSUE 9JOINT DECISIONMAKING
Original Issue
Statement
Joint decisionmaking between the Director of Central Intelligence and the NSA does not routinely occur where the Planning, Programming, and Budgeting System (PPBS) and the Capabilities Programming and Budgeting System (CPBS) intersect, resulting in duplication and inefficiencies in management of the processes.
Original
Recommendation
We recommended that the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) accelerate efforts to strengthen joint decisionmaking between the programming and budgeting communities of the Director, Central Intelligence, and DoD at key intersection points between the PPBS and CPBS processes.
Summary of Agency
Response to Original
Issue
The ASD (C31) concurred stating that "as part of the Defense intelligence restructuring plan, the Intelligence Program Support Group was created to strengthen the interaction between the DoD PPBS and the National Foreign Intelligence Program (NFIP) CPBS."
Verification Summary This issue is closed. The NSA segments of the CPBS and the PPBS are still not fully synchronized, although significant improvements have occurred since 1991. For example, millions of dollars in funding were lost in the earlier budget processes because of the lack of integration and interface between the budget managers of the two systems. At this time, however, key staff representatives of the Director of Central Intelligence (DCI) CPBS budget process and the DoD ASD(C3I) PPBS budget staff meet regularly to resolve resource and budget management efficiency problems.
Needed Improvements Improvement is still needed in the two budget processes, since the NSA does not receive its Planning and Program Budget Guidance in a timely manner. The NSA, however, is normally not responsible for the lack of timeliness because it is not the driving force behind the budget resource approval process. Moreover, the NSA receives more than 80 percent of its budget under the less structured DCI NFIP CPBS budget processes.

The following table (first, second, and fourth columns) shows when PPBS and CPBS budget documents are normally considered due. The third and fifth columns provide the dates when the NSA budget office actually received the Fiscal Year 1996 budget cycle documents.

National Security Agency - 23
SCHEDULE OF BUDGET EVENTS
MONTH DUE PPBS DOC'S DATE NSA RECEIVED PPS DOC'S CPBS DOC'S DATE NSA RECEIVED CPBS DOCS
NOV Defense Plan Guidance - - Draft DCI Guidance APR
JAN POM Build MAR Formal Joint Guidance JUN
FEB & MAR POM Buildup Continues APR & MAY POM Buildup Continues - -
APR POMs deliv. to OSD JUN DCI Program Submitted JUN
JUN Issue Books Compiled Completed in AUG Program Crosswalks by CMS/RMO and IPSG - -
JUL PDMs issued by SecDef Completed in DEC Excom Program Issue Reviews - -
SEP BES submit. to OSD & OMB SEP BES submitted to DCI None Submit.
OCT PBDs issued by DepSecDef Final PBD in DEC NFIP PBDs DEC
NOV DoD Budget to Pres. Issued - - DCI Completes PBDs Decisions - -
DEC DoD/Pres. Budget Final - - NFIP Budget put in Pres. Budget - -
FEB Pres. Budget to Congress FEB CBJB to Congress FEB
FEB - SEP Cong. Action FEB - SEP Cong. Action FEB - SEP
BES Budget Estimate
CBJB Congressional Budget Justification Book
CMS Community Management Staff
EXCOM Executive Committee
IPSG Inteiligence Program Support Group
PBD Program Budget Decision
RMO Resource Management Office
In spite of the time delays in receiving the CPBS Draft Joint Guidance (approximately 5 months late), the PPBS Defense-Planning Guidance (approximately 3 months late), the Program Decision Memorandum (2 to 5 months late), the DCI CPBS Program Decision totals (approximately 2 months late), the NSA still managed to publish its congressional budgets in a timely manner.

The NSA Budget Formulation Office attends DCI Community Management Staff meetings to discuss program resource issues as well as discuss more efficient ways to manage the CPBS budget process. Management Studies are now being conducted at the DCI and ASD (C3I) to continue improving the interrelative framework between the CPBS and PPBS budget processes.

24 - National Security Agency
Conclusion Although the NSA segments of the CPBS and PPBS systems are not fully synchronized, this issue is closed because the NSA is attempting to improve synchronization between the PPBS and CPBS budget process.

National Security Agency - 25

ISSUE 10INTEGRATED BUDGET SYSTEM
Original Issue Statement The NSA does not have an integrated budget management system because of excessive layering and decentralized authority.
Original Recommendation We recommended that the National Security Agency strengthen the Comptroller role to ensure centralized and uniform budget processes in accordance with DoD procedures.
Summary of Agency Response to Original Issue The NSA partially concurred with the recommendation that the NSA budget process be centralized and uniform and in accordance with DoD procedures. The NSA stated that its budget management practices also called for a considerable delegation of authority to the key component chiefs "for management and execution of funds."
Verification Summary This issue is closed. The NSA budget organizational layering has been significantly reduced since 1991. Nine directorate budget offices have been reduced to five directorate budget offices for a total reduction of 44 percent in the budget organizational structure.
Staff Reductions As a result of the reorganization, budget staffs were reduced. For example, the Deputy Director of Technology and Systems budget staff was reduced by 64 percent; the Deputy Director of Support Services budget staff was reduced by approximately 16 percent; the Deputy Director Operations and Deputy Director of Plans, Policy, and Programs budget staff remained at the same level.

The extensive reorganization has reduced both vertical and horizontal layering of budget offices and staff positions at NSA. The reorganization has also benefited the budget review process, since the NSA budget office is now able to review and prioritize the budget at a lower level. Consequently, the NSA budget office has increased its span of control and enhanced its capability to do in-depth reviews of budget funds and resources.

Conclusion This issue is closed because the NSA has significantly reduced its budget organizational layering by 44 percent since the 1991 inspection and increased its oversight and span of control over the budget process.

26 - National Security Agency

ISSUE 11REVOKING SECURITY CLEARANCES
Original Issue Statement The NSA is lax in disciplining and revoking security clearances for its employees and contractor affiliates.
Original Recommendations We recommended that the National Security Agency:

1. follow established guidelines for determining an employee's suitability for continued access and employment.

2. expedite its appeal process for employees slated for discipline or dismissal.

Summary of Agency Response to Original Issue The NSA nonconcurred with Recommendation 1 and partially concurred with Recommendation 2. The NSA stated that "Agency guidelines for determining an employee's suitability for continued access and employment are followed." It further stated, "What may appear as a reluctance to enforce disciplinary and dismissal procedures, in actuality, is a process to ensure fairness and due process." As for the appeal process, the NSA stated that "the procedure for employees to request additional information is being streamlined to allow an employee to review files and request information through a single focal point. This process will be implemented within 3 to 6 months."
Verification Summary This issue is closed. The NSA has taken the corrective actions to systemically rectify the shortcomings.

Revocations now proceed in accordance with the Director of Central Intelligence Directive requirements, and procedures have been developed to streamline the process. We reviewed copies of the current system for employees access revocation and standard operating procedure for the suspension or revocation of employee access. We obtained two flow charts that depict the revocation processes to ascertain the effectiveness of the current process. At the time of the 1991 inspection, only the chief of Management Services had the authority to revoke an employee's access to classified information. The current process assigns authority to a lower level within the Management Services organization. Interviews with NSA personnel showed that management actions are responsible for many improvements.

Conclusion This issue is closed because the NSA has streamlined its process to revoke security clearances and to comply with Director of Central Intelligence Directive requirements.

National Security Agency - 27

ISSUE 12INFORMATION SECURITY
Original Issue Statement The NSA lacks procedures for its interface with the North Atlantic Treaty Organization in addressing information security (INFOSEC) issues.
Original Recommendation We recommended that the National Security Agency establish procedures for its interface with the North Atlantic Treaty Organization in addressing Information Security issues.
Summary of Agency Respons to Original Issue The NSA nonconcurred with the recommendation stating that procedures already exist to govern this process. However, at the time of our inspection and subsequent to the inspection, the procedures were not provided.
Verification Summary This issue is closed. The NSA has procedures for its interface with the North Atlantic Treaty Organization concerning INFOSEC issues. A review of trip reports, minutes of meetings, agendas, and continuity binders proved that the Agency is following its procedures and that these procedures are not ad hoc.

28 - National Security Agency

ISSUE 13EQUIPMENT ACCOUNTABILITY
Original Issue Statement The NSA failure to meet DoD equipment management and accountability standards has resulted in equipment losses worth millions of dollars and wasted warehousing space.
Original Recommendations We recommended that the National Security Agency:

1. promptly resolve inventory accountability shortfalls.

2. clearly define and publish responsibilities for storing, packaging, and documenting stored equipment to ensure protection of Agency assets.

3. immediately reduce the tape storage volume in the Magnetic Media Library.

4. We recommend that the Assistant Secretary of Defense for Command, Control, Communication and Intelligence, through the National Security Telecommunications Information Systems Security Committee and the TEMPEST Advisory Group, publish guidelines on me maintenance and disposal of TEMPEST certified equipment.

Summary of Agency Response to Original Issue The NSA concurred with all recommendations. The NSA stated that several actions have been initiated by to Original Issuethe Property Accountability Process Improvement Team to reduce accountability shortfalls and numerous others are being evaluated. Additionally, Government Property Lost or Destroyed reports were forwarded through management to the Deputy Director, NSA, in December 1991 to rectify the accounting baseline and provide a good data base in accordance with DoD guidance.
Verification Summary This issue remains open. The NSA Property Accountability Office has made significant improvement in its processes for controlling NSA assets since our 1991 inspection. However, additional corrective action is required to ensure accountability of the NSA assets. The IG, NSA Audit Report, "Advisory Report Personal Property Accountability Audit," July 21, 1994, confirmed this issue. This report stated that the key components property accountability efforts have not been effective as evidenced by continuing requests for large write-offs for unreconciled assets ($82 million from Fiscal Years 1991 and 1992).
Warehousing Operations We found that the NSA warehousing operations have improved since our 1991 inspection. The NSA has identified plans that will continue its improvement In this
National Security Agency - 29
area. However, the physical protection of NSA assets is hampered by a procedural shortfall. Applicable NSA logistics directives describe how packaging and storing requirements will be prescribed by the key component wishing to store items. However, at the time of our inspection, we found that the key components were not providing proper directions for the storage of NSA assets.

During our inspection, we did not physically inspect the warehouses used to store equipment because two warehouses with the worst conditions were no longer in use. We are highlighting this concern to ensure that the NSA continues to protect Government assets from deterioration or damage.

Reduced Tape Media The NSA has made great improvements in managing its magnetic tape media. Since our 1991 inspection, the NSA has significantly reduced its tape holdings. However, further improvements in the management of tape holdings can be experienced if the NSA applies the same standards it uses for its key components holdings to its external customers.
Disposition of TEMPEST Equipment Last, we found that the National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM), TEMPEST/3-91, "Maintenance and Disposition of TEMPEST Equipment," December 20, 1991, provides guidance to personnel responsible for the maintenance and disposition of TEMPEST equipment. Basically, this memorandum corrected the shortcoming identified in our 1991 inspection. The NSA no longer destroys TEMPEST hardware. However, another procedural shortcoming was identified during our inspection. The NSTISSAM TEMPEST/3-91 states, "Disposition/resale should be consistent with established export control/technology transfer policy." The NSA could not provide evidence that it alerts the recipients of excess TEMPEST hardware of current technology transfer policy.
Conclusion The NSA has made improvements in controlling its assets since our 1991 inspection. However, further improvements are still needed in asset accountability, storage protection procedures, management of tape media, and the disposition of TEMPEST equipment.


Verification Recommendation 7 We recommend that the National Security Agency:

1. resolve its inventory accountability shortfalls.

30 - National Security Agency
2. amend its applicable logistics manual(s) to place the responsibility on the Logistics Directorate for ensuring that Government assets are protected from physical damage during storage.

3. enforce its standards pertaining to tape holding to its customers.

4. provide evidence that will show its compliance in alerting the recipients of TEMPEST items.

Management Comments The NSA concurred with the recommendations and stated that it has drafted a list of procedures and responsibilities applicable to requests for storage of Government assets. The NSA also stated that it is working with a representative of the Office of Processing Systems to draft an appropriate policy advisory notification to recipients of excess TEMPEST equipment.
Evaluation of Management Comments The NSA comments are responsive to the recommendations.

National Security Agency - 31

ISSUE 14CONTRACT OVERSIGHT
Original Issue Statement Inadequate management oversight in the Office of Contracting permits potentially wasteful practices.
Original Recommendations We recommended that the National Security Agency:

1. establish blanket purchase agreements for 3 years with an option to extend.

2. expedite system change requests for rotating bidders mailing list and contractor delinquencies.

3. enhance contract management by implementing the following System Change Requests:

    a. Contractor performance records,

    b. Historical data base of products and services rendered, and

    c. Centralized system for awards to provide visibility of award trends.

4. immediately increase the rate procurements are obtained through the Federal Supply System.

5. discontinue the ordering officer practice or seek authorization for the practice from the Defense Acquisition Regulatory Council.

6. designate a contracting owner as the Agency approving authority for Economy Act orders.

7. institute proper financial accounting practices and procedures for management and oversight of Economy Act Orders in accordance with applicable National Security Ageney/Central Security Service resource management regulations.

Summary of Agency Response to Original Issue The NSA concurred with Recommendations 1, 2 and 3; partially concurred with Recommendation 4; and nonconcurred with Recommendations 5, 6, and 7. The NSA stated with regard to Recommendation 4 that the Agency has "implemented a number of actions to increase the procurement rate to 50 percent"; its goal is less than the goal set in this report and that 50 percent is a reasonable goal. For Recommendation 5, it commented that the Agency's General Counsel's Office had previously reviewed this matter and concluded that sufficient Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFAR) authority sustains an Ordering Officer's Program
32 - National Security Agency
and that the NSA Ordering Officers are, in fact contracting officers, position titles notwithstanding.

For Recommendation 6, the NSA stated that its NSA/Central Security Service (CSS) resources management manual is being updated to assign the Chief, Special Operations, as the Agency approving authority for sensitive Economy Act Orders and the Finance and Accounting Officer as the approving authority for non-sensitive Economy Act Orders. For Recommendation 7, the Agency stated that financial records for Economy Act Orders are available and that "Accounting transactions relative to all NSA Economy Act Orders are recorded in the Agency's automated General Accounting and Reporting system and there is a document file maintained within the Comptroller's organization for every Economy Act Order."

Verification Summary This issue remains open. The NSA has not implemented thorough procedures for Economy Act Orders that are in compliance with Secretary of Defense Guidance, February 8, 1994, and the Defense Federal Acquisition Regulation Supplement 217.5.
Economy Act Order Policy Title 31, U.S. Code, Section 1535 provides the legal authority for orders for supplies or services to be placed with other agencies. FAR Part 17.5 sets the policies implementing the Act, by which an order pursuant to the Economy Act may be placed with another agency. The Secretary of Defense in Memorandum, February 8, 1994, subject, "Use of Orders Under the Economy Act," further defined the conditions that must be met for orders under the Economy Act to be sent outside the Department of Defense. DFARS 217.5 described the role that the contracting officer plays in the process.

Since the inspection in 1991, the process for Economy Act Orders has changed. The Secretary of Defense in a February 8, 1994, memorandum, stated that the Agency Head (or designee at SES/FLAG/General Officer level) must determine that:

"a. The ordered supplies or services cannot be provided as conveniently and cheaply by contracting directly with a private source;

"b. The servicing agency has unique expertise or ability not available within DoD; and

"c. The supplies or services clearly are within the scope of activities of the servicing agency and that agency normally contracts for those supplies or services for itself."

National Security Agency - 33
Further, the memorandum states that written determination and finding approvals be provided to accounting officers prior to committing funds on Economy Act Orders. The DFARS 217.5 defines the role of the Contracting Officer in the approval process for Economy Act Orders.
NSA Policy We determined during the inspection that the NSA has implemented a policy lever, NSA/CSS Resources Management Letter No. 3-1994, August 5, 1994, prescribing policies and procedures for the approval of Economy Act Orders issued outside of DoD. We reviewed 5.5 percent of the Economy Act Orders from FY 1994 and FY 1995. Although some orders mention the Economy Act, this mention does not constitute the formal determination and approval process as required by the Secretary of Defense Memorandum, February 8, 1994.
More Process Involvement Although the DFARS 217.5 sets the role of the Involvement contracting officer as advisor in the approval process, we found that generally the Office of Contracting has not been involved in the Economy Act Order process. We believe the number of orders placed under the Economy Act at the NSA and the dollars involved indicate that a greater level of scrutiny and attention be placed on this very vulnerable area.
NSA IG Review We noted that the Inspector General, NSA, did a followup review subsequent to the receipt of Secretary of Defense guidance and Agency implementation of the Economy Act. That report, ST-93-0006, released January 2, 1996, found that the formal process of "determination and finding" and approval at the SES/FLAG/General Officer level is still not occurring. The Office of Contracting indicated that it would provide assistance in correcting the formal determination process so that the NSA would follow more standardized procedures.

Although the NSA nonconcurred with Recommendation 7, we found that the NSA has implemented tracking procedures for individual Economy Act Orders and was able to provide Financial and Accounting information including the order number, the amount obligated, the cumulative obligations, and any unliquidated balance.

Blanket Purchase Agreement Problem Corrected Since our inspection in ,1991, the Agency has made strides in the correction of Blanket Purchase Agreement procedures. During the inspection of 1991, we determined that the NSA had been issuing these agreements annually. A review of 20 Blanket Purchase Agreements indicated that all have been modified and
34 - National Security Agency
will be reissued at the beginning of FY 1996 for three years. Any Blanket Purchase Agreements issued after the 1991 inspection were written for three years. We found that the NSA took effective action to correct this issue.
Limited Contracting Officer Warrants Although the NSA originally nonconcurred on the issue of Ordering Officers, the NSA determined that it would act on the recommendation and has issued limited contracting officer warrants to personnel outside the Office of Contracting. All personnel in this program are required to take appropriate DoD training and local training provided by the Office of Contracting. The Office of Contracting has revised its regulations and provided oversight through the contracting personnel, which normally provide support.
Information Upgraded We recommended during the 1991 inspection that the NSA upgrade the management information system in the Office of Contracting in contractor performance records, better historical data base of products and services, and centralized log system for awards. The NSA is fully compliant in this area. The NSA has placed great emphasis and resources to bring this upgrade about. Its system is capable of providing this information, even though some portions of the system are now being upgraded to become more effective.
Federal Supply System Usage Since the 1991 inspection, the NSA has undergone changes as a result of the National Performance Review and the Defense Performance Review initiatives. Our 1991 inspection report indicated that the NSA could achieve additional efficiencies by obtaining more line items through the Federal Supply System. We believed that the NSA could achieve $4. 5 million dollars in savings by better utilization of the Federal Supply System.

During this inspection, we found that the use of the Federal Supply System has been further reduced. This decline is in part a direct result of the NSA designation as a Reinvention Laboratory in the Logistics and Supply area and the use of innovative means of supporting its customers. While we understand the goals of the National Performance Review and the Defense Performance Review, we believe that good business practice dictates that the NSA should emphasize the use of the Federal Supply System for common supply items where it is more cost-effective and responsive to the customer. Additionally, the NSA should continue to ensure that its purchases from sources mandated by statute (Federal Prison Industries, Inc; and the National Industries for the Blind) are purchased through the appropriate sources.

National Security Agency - 35
Conclusion This issue remains open because the NSA has not implemented thorough Economy Act Order procedures that are in compliance with applicable directives. However, the NSA has made improvements in Blanket Purchase Agreements, limited contracting officer warrants, management information system upgrades, and its usage of the Federal Supply System.


Verification Recommendation 8 We recommend that the National Security Agency:

1. review its current procedures for processing Economy Act Orders and incorporate a sample "determination and findings" into its National Security Agency/Central Security Service Resources Manual.

2. provide in-house training to personnel involved in placing, approving, or certifying Economy Act Orders.

3. implement procedures to ensure that personnel signing the Economy Act Orders "determination and findings" are designees at the SES/FLAG/General Office level and that a list of approved personnel be provided to the officials certifying funds.

Management Comments The NSA concurred with the recommendations and stated that the National Security Agency/Central Security Service Resources Management Manual is being amended to include a sample "determination and findings" statement. In-house training is being conducted to reinforce placing, approving, or certifying Economy Act Orders in conjunction with adding detail guidance to the Resource Management Handbook.

The NSA also stated that each signature block an the "determination and findings" statement will include the official's position and grades and that it will ensure that the approval meets the grade level specified by the February 8, 1994, Secretary of Defense memorandum.

Evaluation of Management Comments The NSA comments are responsive to the recommendations.

36 - National Security Agency

ISSUE 15COMPUTER SYSTEMS
Original Issue Statement The NSA does not comply with DoD security requirements for accreditation of systems and networks and periodic training of personnel, thus permitting security vulnerabilities and potential compromise of national security data.
Original Recommendations We recommended that the National Security Agency:

1. establish priorities, goals, and objectives to ensure that all automated information systems are certified and accredited in accordance with DoD and National Security Agency/Central Security Service directives.

2. develop a training program and train personnel designated as computer security officers.

Summary of Agency Responseto Original Issue The NSA concurred with both recommendations and stated that "actions are underway to resolve the automated information systems (AIS) and network accreditation problem. The process to streamline and document the Computer Security and Network Accreditation Methodology (CSNAM) was completed by the NSA in November 1991. The CSNAM is undergoing validation first within the Agency then by the Service Cryptologic Elements. On completion of the CSNAM validation planned for April 1992, work will begin on developing the pilot training module."

The NSA also informed us that a program for training computer security managers (CSMs) would be completed by June 1992. The primary goals of the program are to have at least five CSMs certified as accreditors and all CSMs trained by the end of 1992. This program will expedite the accreditation of a large part of the AIS network as soon as possible following installation.

Verification Summary This issue remains open. The NSA has progressed in training personnel to perform AIS accreditations and continued to perform needed accreditations on its AIS systems. However, numerically speaking, it has made little progress in getting its AIS accreditation workload under control.
AIS Accreditation Milestone The NSA provided us with data that established AIS accreditation goals and objectives in milestone charts. The charts indicate that the NSA may be caught up with its workload by the fall of 1996. The goal is contingent upon the NSA obtaining support from the key components in doing some of their own accreditations. This plan is similar to the one for property accountability. Both plans hinge upon the Office of Operational
National Security Agency - 37
Computer Security obtaining support and Cooperation from the key components. Through interviews we learned that the key components are reluctant to use their personnel assets to do the AIS accreditations. The key components believe AIS accreditation is a primary responsibility of the Office of Operational Computer Security.
Aggressive Training The NSA provided evidence that it has been aggressively training personnel to assist in the AIS accreditation process. Some trained personnel are located within the key components to allow them to accredit their own systems upon arrival, thus preventing the backlog from growing. However, as stated above, key components are reluctant to use their personnel for AIS accreditations.
Conclusion This issue remains open. Even though the NSA has progressed in training personnel for AIS accreditation, it has made little headway in getting its accreditation workload under control.


Verification Recommendation 9 We recommend that the National Security Agency should resolve its Automated Information Systems accreditation backlog.
Management Comments The NSA concurred with the recommendations and stated that it has initiated several actions to meet the goal of materially reducing the backlog by January 1997. The-NSA has developed an operational plan to eliminate the current backlog of systems to be accredited, augmented the accreditation staff to provide increased manpower, chartered a corporate-level Operational Information System Security Steering Group to oversee the entire process, and initiated efforts to train and certify key components and other accreditors.
Evaluation of Management Comments The NSA comments are responsive to the recommendations.

38 - National Security Agency

ISSUE 16INSPECTOR GENERAL
Original Issue Statement Guidance for implementing Inspector General and General Counsel responsibilities is unclear.
Original Recommendations We recommended that the National Security Agency:

1. promulgate written policies to establish a comprehensive Inspector General program, to include Agency-wide planning and more effective complaint and follow-up systems.

2. establish permanent Inspector General and Deputy Inspector General positions, along with a cadre of permanent inspectors.

3. revise policy to clearly and completely implement DoD policies for prompt referral of all fraud allegations to the Office of the Inspector General, DoD, and its Defense Criminal Investigative Service.

4. establish written policy to provide authorized oversight elements with expeditious and unrestricted access to records.

Summary of Agency Response to Original Issue The NSA concurred with Recommendations 1, 3, and 4 and nonconcurred with Recommendation 2. The Agency stressed that recent improvements in written policies further support the rotation practices because the policies remove the perception that the Inspector General, National Security Agency, operates in an arbitrary manner based on incumbent key personnel.
Verification Summary This issue remains open. The NSA maintains that rotating key personnel and inspectors is the most advantageous approach for the Agency. The basis for that positron is that rotation precludes "the complacency and narrow perspectives that could typify long term incumbents" and has a beneficial grooming effect for senior NSA professionals. The NSA contends that the Office of the Inspector General benefits by using grade 15-level personnel as inspectors because they bring adequate seniority to ensure independence and they are senior experts in their fields.
Rotational Positions We acknowledge that an Inspector General (IG) assignment would have a beneficial grooming effect for NSA personnel, but disagree with making those rotational positions key positions. The IG, NSA, is currently structured so that the IG, Deputy IG, Assistant IG for Inspections, Assistant IG for Audit, Assistant IG for Investigations, and the entire inspection staff are rotational positions. We remain concerned that
National Security Agency - 39
independence cannot be assured under this arrangement because these individuals must consider the impact of their work on prospects for future assignments.
Revised Policies The NSA revised and extensively expanded its policies for the Inspector General program. Existing directives NSA/Central Security Service (CSS) Directive 10-4, "IG Organization"; NSA/CSS Regulation 10-77, "IG Audit Function"; and NSA/CSS Regulation 12-6 "Audit of NAFs," were updated and expanded. The following directives were created since the 1991 inspection: NSA/CSS Regulation 11 -1 0, Annex D, "IG Promotion Board"; NSA/CSS Regulation 30-3, "Whistleblower Protection"; OIG, NSA, Audit Manual; OIG, NSA, Investigations Manual; and memoranda of agreement with Inspectors General of the Service Cryptologic Elements and the National Reconnaissance Office to ensure comprehensive inspections of joint intelligence units.

The IG, NSA, established clear policies and procedures to govern OIG activities. The only guidance - that is lacking is an Inspections manual, which is in the draft stage. Also enhancing OIG guidance is the NSA "Inspector General Organization Strategic Plan" produced in September 1992. The strategy sets OIG mission, priorities, goals, and objectives. The plan remains current and is the foundation for the annual Inspection and Audit plan.

The NSA produced thorough Inspection/Audit plans for each of the last three fiscal years. The plans detail the status of on-going inspection/audit projects and provide Agency personnel the subjects and schedule for future inspections and audits.

Tracking System The Assistant Inspector General for Policy and Oversights has developed and implemented a comprehensive management information system that tracks IG assistance request actions and followap for inspection and audit findings. A random review of documentation showed that they aggressively track findings on inspections and audits. The Policy and Oversight office also promotes an aggressive employee awareness program that publicizes the OIG role in reducing fraud, waste, and mismanagement; advises employees to report suspected incidents of fraud, waste, or mismanagement; and educates the NSA work force on And their responsibility to report such cases.
Improved Coordination Coordination between the IG, NSA, and the DCIS has improved significantly. Inspector General, NSA, policies and procedures support full cooperation with the DCIS. The IG, NSA, and DCIS officials meet quarterly to
40 - National Security Agency
exchange information, discuss planning and assistance issues, and review Individual cases.
Conclusion This issue remains open because the NSA needs to increase the number of permanent positions within the Office of the Inspector General. The IG, NSA, however, has made progress in revising and expanding Inspector General program polices, developing and implementing an IG tracking system, and improving its coordination with the Defense Criminal Investigative Service.


Verification Recommendation 10 We recommend that the National Security Agency continue to increase the number of permanent positions within the Office of the Inspector General. As a minimum, the majority of key positions should be permanent. Either the Inspector General or Deputy Inspector General position, along with the three Assistant Inspector General positions, should be permanent.
Management Comments The NSA partially concurred with the recommendation and stated that it has established a senior Agency board to identify candidates external to NSA to fill the IG position on a permanent basis. This board will be meeting with the IGs of the Intelligence Community, including the IG, DoD, to obtain advice regarding qualifications and other credentials for this position. In addition, the Assistant Inspector General for Audit is now a permanent position, which makes three of the six key positions and the entire inspection staff rotational positions.

The NSA further stated that it established controls governing personal independence. All auditors, inspectors, and investigators must notify their supervisors of any personal or external impairments that might affect (or appear to affect) their ability to make impartial judgments. In addition, the IG gives special management attention to the impact of rotation on individual inspectors. Inspectors are not allowed to review the specific organizations where they were recently assigned.

Evaluation of Management Comments The NSA comments are responsive to the recommendation.

National Security Agency - 41


APPENDIX A
INSPECTION TEAM MEMBERS

Inspection Director
Lt Col Michael Simpkins

Assistant Inspection Director
Mr. Peter Schroder

Inspectors
Mr. Arnold Davis
Ms. Judith Heck
Mr. Barry Johnson
Mr. William Shea

Inspection Coordinator
Ms. Kenya Van Doren

National Security Agency Page 1 of 1


APPENDIX B
REPORT DISTRIBUTION

Office of the Secretary of Defense

Under Secretary of Defense (Comptroller)

Deputy Chief Financial Officer
Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications and Intelligence)
Assistant to the Secretary of Defense (Intelligence Oversight)

Joint Chiefs of Staff

Inspector General, Joint Staff

Department of the Army

Inspector General, Department of the Army

Department of the Navy

Inspector General, Department of the Navy

Headquarters, U.S. Marine Corps

Inspector General, Headquarters, U.S. Marine Corps

Department of the Air Force

Inspector General, Department of the Air Force

Other Defense Organizations

Inspector General, Central Imagery Office
Inspector General, Defense Intelligence Agency
Inspector General, National Reconnaissance Office
Director, National Security Agency

Inspector General, National Security Agency

Non-Defense Federal Organizations

Technical Information Center, National Security and International Affairs Division, General Accounting Office

Chairman and ranking minority member of each of the following congressional committees and subcommittees:

National Security Agency Page 1 of 2

Page 2 of 2 National Security Agency


Implemented by Sara D. Berman