INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

June 12, 2017

Mr. Charlie Savage
New York Times
1627 I Street, NW
Washington, DC 20006

Dear Mr. Savage:

This is in response to your Freedom of Information Act (FOIA) request, and the related case pending in the United States District Court for the Southern District of New York, The New York Times Company and Charlie Savage v. The U.S. Department of Defense, Civil Action No. 1:17-cv-01228, and is provided in compliance with the scheduled production agreed upon by the parties and approved by the court.

Searches of records maintained by the Department of Defense Office of Inspector General identified records responsive to your request, and those records were also reviewed by the National Security Agency for consultation on their equities and release determination.

Sixty pages of documents are being provided to you at this time. Of these 60 pages, 1 page, Bates 000022, is exempt from release in its entirety pursuant to 5 U.S.C. 552(b)(1), which protects information properly classified in the interest of national defense or foreign policy; and 5 U.S.C. 552(b)(3), which pertains to information exempt from release by statute, in this instance 50 U.S.C. 3605. The remaining 59 pages, Bates 000001-000021 and Bates 000023-000060, are appropriate for release with redactions. The redacted information is exempt from release under the FOIA, specifically FOIA exemption which protects properly classified information; exemption which pertains to information specifically exempt from disclosure by statute, in this instance 50 U.S.C. 3605; exemption which protects privileged interagency or intra-agency memoranda or letters, except under certain circumstances; and exemption which protects personnel and medical files and similar documents, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.

Sincerely,

Catherine M.
DelPrete
Supervisory Attorney
FOIA, Privacy and Civil Liberties Office

Enclosures: As stated

EFFICIENCY * ACCOUNTABILITY * EXCELLENCE

Mission
Our mission is to provide independent, relevant, and timely oversight of the Department of Defense that supports the warfighter; promotes accountability, integrity, and efficiency; advises the Secretary of Defense and Congress; and informs the public.

Vision
Our vision is to be a model oversight organization in the Federal Government by leading change, speaking truth, and promoting diverse organization, working together as one professional team, recognized as leaders in our field.

For more information about whistleblower protection, please see the inside back cover.

Bates 000002

Finding

NSA officials effectively implemented or partially implemented four of the seven privileged access-related STN initiatives included in our audit:
• develop and document a plan for a new system administration model;
• assess the number of system administrators³ across the enterprise;
• implement two-person access controls over data centers and machine rooms; and
• implement two-stage authentication controls for system administration.

However, NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the data centers and machine rooms in accordance with the initiative requirements and policies, and did not extend two-stage authentication controls to all high-risk users.

In addition, NSA officials did not effectively implement three privileged access-related STN initiatives:
• fully implement technology to oversee privileged user activities;
• effectively reduce the number of privileged access users; and
• effectively reduce the number of authorized data transfer agents.

3 (U) System administrators have privileged access to maintain, configure, and operate computer systems.
Management Comments and Our Response

The Director, Technology Directorate, Central Security Service Chief Information Officer, agreed with all recommendations. However, the comments did not fully address all specifics of the recommendations. The Director did not include all system and network administrators in his strategy to expand two-stage authentication controls, and did not implement to provide technology-based monitoring across the entire privileged access community. In addition, the Director did not identify specific actions NSA would take to ensure approvers used consistent processes to grant privileged access or data transfer authority. Therefore, we request that the Director, Technology Directorate, Central Security Service Chief Information Officer, provide additional documentation and comments on this final report by September 27, 2016. Please see the Recommendations Table on the back of this page.

(U) Recommendations Table

Director, Technology Directorate, Chief Information Officer | 2.a, 2.b, 3.a | 1.a, 1.b, 3.b, 3.c

(U) Please provide Management Comments by September 27, 2016.

DODIG-2016-129

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

August 29, 2016

MEMORANDUM FOR DIRECTOR, TECHNOLOGY DIRECTORATE, NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE CHIEF INFORMATION OFFICER

SUBJECT: The National Security Agency Should Take Additional Steps to Effectively Implement Its Privileged Access-Related Secure-the-Net Initiatives (Report No.

We are providing this report for review and comment. We conducted this audit in response to a congressional requirement. NSA effectively implemented or partially implemented four of the seven privileged access-related Secure-the-Net initiatives included in our audit. However, NSA did not effectively implement the other three initiatives.
Consequently, NSA did not fully meet the intent of decreasing the risk of insider threats to its operations and the ability of insiders to exfiltrate data.

We considered management comments on a draft of this report. Instruction 7650.03 requires that recommendations be resolved. Comments from the Director, Technology Directorate, Central Security Service Chief Information Officer, partially addressed Recommendations 2.a, 2.b, and 3.a. Therefore, we request that the Director, Technology Directorate, NSA/Central Security Service Chief Information Officer, provide additional comments on those recommendations by September 27, 2016.

Please provide comments that conform to the requirements of Instruction 7650.03. Classified comments must be sent electronically. Please send a PDF file containing your comments. Copies of your comments must have the actual signature of the authorizing official for your organization. We cannot accept the /Signed/ symbol in place of the actual signature. Comments provided on the final report must be marked and portion-marked, as appropriate, in accordance with DoD Manual 5200.01.

(U) We appreciate the courtesies extended to the staff. Please direct questions to me at (703) 699-7331 (DSN 329-7331).

Carol N. Gorman
Assistant Inspector General
Readiness and Cyber Operations

(U) Contents

(U) Objective
(U) Background
(U) NSA Mission and Infrastructure
(U) STN Initiatives
(U) NSA Responsibilities for Implementing STN Initiatives
(U) Review of Internal Controls
(U) Finding
NSA Did Not Fully Complete and Effectively Implement All Initiatives
NSA Effectively Implemented Two and Made Progress in Completing Two
NSA Developed a New System Administration Model
(U) NSA Assessed the Number of SAs and Removed PRIVAC for Users Who Did Not Require It
NSA Partially Implemented TPA Controls Over DCMs
NSA Partially Implemented TSA Controls
NSA Did Not Effectively Implement Three Initiatives
NSA Did Not Effectively Implement Technology to Monitor PRIVAC Activities
NSA Did Not Reduce the Number of Privileged Users
NSA Did Not Reduce the Number of DTAs
NSA Lacked a Comprehensive Strategy to Effectively Implement STN Initiatives
Insider Threat Risks Remain Despite Implementing STN Initiatives
(U) Management Comments on the Finding and Our Response
(U) Management Comments on Approach to Completing STN Initiatives
(U) Our Response
(U) Management Comments on Reducing Insider Threat Risks
(U) Our Response
Recommendations, Management Comments, and Our Response
(U) Recommendation 1
(U) Recommendation 2
(U) Recommendation 3
Scope and Methodology
Use of Computer-Processed Data
(U) Use of Technical Assistance
Prior Coverage
(U) Appendix
STN Initiatives
Management Comments
(U) National Security Agency
(U) Source of Classified
(U) Acronyms and

(U) Introduction

Objective

Our audit objective was to determine whether the National Security Agency (NSA) Secure-the-Net initiatives were effectively implemented to improve security controls over data, systems, and personnel activities.
This report is one in a series on the implementation of STN initiatives and focuses on the controls to limit privileged access to NSA systems and data, and to monitor privileged user actions for unauthorized or inappropriate activity. Please see Appendix A for scope and methodology and prior audit coverage related to the objective. The classified annex to the Intelligence Authorization Act for FY 2016 requires the DoD Office of Inspector General to assess whether NSA remedied the vulnerabilities exploited by a security breach and completed all STN initiatives.⁵

Background

(U) NSA Mission and Infrastructure

NSA/Central Security Service (CSS) leads U.S. Government operations focused on signals intelligence and information assurance products and services, and enables computer network operations to gain a decision making advantage for the United States and its allies. NSA uses advanced information technology to store, process, and protect its activities and information.

4 Policy Instruction 6-0001, "Privileged Access," January 20, 2016, defines as a higher level of access than the access needed to perform normal processes and system operations.
5 The congressional request was included in the classified annex to HR. 114-144 to accompany H.R. 2596. H.R. 2596 was incorporated into H.R. 4127, the final version of the Intelligence Authorization Act for FY 2016. H.R. 4127 was included in P.L. 114-113, "Consolidated Appropriations Act, 2016," December 18, 2015.
6 is the art and science of making and breaking codes and ciphers. is responsible for creating the systems that protect U.S. communications and for analyzing systems and communications used by foreign powers.
(U) STN Initiatives

NSA was evaluating its security posture when the unauthorized disclosures of classified data in June 2013⁷ prompted it to implement additional processes and security measures to protect its infrastructure, systems, and data against insider threats. Specifically, in June 2013, NSA began developing and implementing 40 STN initiatives⁸ to improve controls over NSA computer systems and data, and increase oversight of its personnel. NSA's approach to implement the STN campaign was based on the size and complexity of their infrastructure and organization, and focused primarily on increasing layered protection to reduce the risk of insider threats. See Appendix for a list and description of the 40 STN initiatives.

The Director, NSA, requested completion of all STN initiatives by June 2015.⁹ In June 2015, NSA reported to the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence that it had completed 34 of the 40 STN initiatives. For this audit, we focused on 7 of the 40 STN initiatives that we determined presented a higher risk to NSA's ability to secure network access, protect against insider threats, and provide increased oversight of personnel with PRIVAC to network devices, and infrastructure. Those seven initiatives are as follows:
• develop and document a new system administration model (initiative 22 in Appendix B),
• assess the number of system administrators across the enterprise (initiative 34),

7 Between August 2012 and May 2013, an NSA contractor in Hawaii exfiltrated about 1.5 million classified and sensitive documents from NSA systems through various techniques.
8 The number of STN initiatives changed over time; however, as of June 2015, NSA reported 40 STN initiatives to the House Permanent Select Committee on Intelligence.
9 In September 2014, the NSA Chief Information Officer updated the Director, NSA on the status of completing the STN initiatives.
Although NSA officials stated that the Director approved an extension for completing eight of the STN initiatives, the documentation provided did not support that decision.
10 (U) SAs have PRIVAC to maintain, configure, and operate computer systems.

• implement two-person access (TPA) control over data centers and machine rooms¹¹ (initiative 21),
• implement two-stage authentication control for system administration (initiative 4),¹²
• reduce the number of personnel with PRIVAC (initiative 35),
• reduce the number of authorized data transfer agents (DTAs) (initiative 33),¹³ and
• oversee privileged user activities (initiative 36).

(U) We nonstatistically selected the following four NSA installations to include in our audit:
• NSA Washington serves as NSA headquarters, and is located in the Northeast region.
• NSA Texas is one of the four NSA
• NSA Utah Data Center is a comprehensive national cybersecurity intelligence data center located in the West region.
• North Carolina State University Laboratory for Analytic Sciences primarily supports research and development, and is located in the Southeast region.

11 DCMs are facilities that host computing systems, servers, data storage, and machine rooms.
13 DTAs are designated personnel approved by an authorizing officer to use removable media to transfer data to or from an information system.
14 The four centers are located in Texas, Georgia, Hawaii, and Colorado.

(U) NSA Responsibilities for Implementing STN Initiatives

STN is an ongoing campaign requiring involvement from all NSA directorates; however, the NSA Technology Directorate is the primary lead for implementing the initiatives.¹⁵ The Directorate, led by the Chief Information Officer,
The NSA Associate Directorate for Security and Counterintelligence protects worldwide information, personnel, activities, and facilities through its internal counterintelligence programs. The NSA Associate Director for Security and Counterintelligence appoints security personnel to provide guidance and assist NSA personnel in making security-related decisions.

Review of Internal Controls

Instruction 5010.40¹⁶ requires organizations to implement a comprehensive system of internal controls that provides reasonable assurance that programs are operating as intended and to evaluate the effectiveness of the controls. We identified internal control weaknesses related to the initiatives we reviewed. Specifically, NSA did not develop a strategy and a detailed implementation plan that clearly described the process for implementing and measuring progress toward completing the STN initiatives. Additionally, NSA did not consistently secure server racks and other sensitive equipment inside the DCMs and did not implement an

We will provide a copy of the report to the senior official responsible for internal controls at NSA.

15 NSA is planning to restructure its organization beginning on or around August 1, 2016. The NSA nomenclatures and directorate references used in this report are based on its structure as of July 2016.
16 (U) Instruction 5010.40, "Managers' Internal Control Program Procedures," May 30, 2013.

(U) Finding

NSA Did Not Fully Complete and Effectively Implement All Initiatives

NSA officials effectively implemented or partially implemented four of the seven PRIVAC-related STN initiatives included in our audit:
• develop and document a plan for a new system administration model;
• assess the number of all SAs across the enterprise;
• implement TPA controls over DCMs; and
• implement TSA controls for system administration.
However, NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the DCMs in accordance with requirements and policies, and did not extend two-stage authentication controls to all high-risk users.

In addition, NSA officials did not effectively implement three PRIVAC-related STN initiatives:
• fully implement technology to oversee privileged user activities;
• effectively reduce the number of privileged users; and
• effectively reduce the number of authorized DTAs.

NSA did not effectively implement the three initiatives because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness. As a result, actions to implement STN did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data.

(U) NSA Effectively Implemented Two and Made Progress in Completing Two Initiatives

NSA effectively implemented two and partially implemented two of the seven STN initiatives included in our audit. Specifically, NSA developed and implemented a new system administration model, and assessed the number of SAs across the enterprise and removed PRIVAC from users who did not require elevated levels of access. In addition, NSA partially implemented TPA controls over DCMs and TSA controls for SAs, but will not meet the full intent of the ongoing initiatives without taking additional actions.

NSA Developed a New System Administration Model

NSA developed the Enterprise Administration Model for system administration (initiative 22) and implemented Policy Instruction 6-0001¹⁷ to increase oversight of privileged users and define levels of PRIVAC. NSA documentation identified that it completed the initiative to develop a tiered-system administration model to limit PRIVAC based on assigned tasks in December 2014.
To assess actions taken to complete the initiative, we reviewed the system administration model and verified it contained tiered levels of access and defined different types of privileged users. We also reviewed and verified the accompanying policy that defined each level of access and the overall PRIVAC process.

17 (U) Policy Instruction 6-0001, "Privileged Access," January 20, 2016, defines privileged access, implements procedures, and assigns responsibilities for PRIVAC to information systems.

In December 2014, NSA established a tiered-pyramid system administration model that identified users as either following levels of access:
• Tier 3 (SYS3):
• (U) Tier 2

(U) NSA Assessed the Number of SAs and Removed PRIVAC for Users Who Did Not Require It

NSA assessed the number of SAs across the enterprise and removed PRIVAC based on the tiered model (initiative 34). NSA documentation identified it completed the initiative to identify the number of SAs across the enterprise and remove PRIVAC from users who did not require elevated levels of access to perform assigned duties in August 2013. To assess actions taken to complete the initiative, we met with NSA officials to determine actions taken to identify privileged users immediately following the June 2013 security breach, and reviewed the system administration model and observed the process for and approving PRIVAC

18 (U) Public key infrastructure supports digital signature and other security mechanisms for functional enterprise programs.
NSA identified and categorized privileged users who performed SA functions in three distinct tiers in accordance with Office of the Director of National Intelligence requirements.¹⁹

NSA Partially Implemented TPA Controls Over DCMs

NSA made progress in implementing TPA controls over DCMs (initiative 21), but may not meet the full intent of the initiative without taking additional actions. To assess actions taken to complete the initiative at the four sites visited, we reviewed NSA policies and site standard operating procedures, interviewed DCM managers and other personnel conducted of the DCMs reviewed logs Furthermore, we attempted to access server rack

(U) Consistent Processes to Authorize Access to DCMs Were Followed

Policy 6-16, "Management of Information Technology Data Centers," July 31, 2010 (revised on May 27, 2014), establishes policy for securing and managing information technology data centers.
24 NSA-controlled sites are locations where NSA is the host. Non-NSA-controlled sites are locations where NSA is the tenant.
25 We visited three NSA-controlled sites (NSA Washington, NSA Texas, and the Utah Data Center) and one non-NSA-controlled site (North Carolina State University Laboratory of Analytic Sciences).
sensitive equipment in the DCMs in accordance with the initiative

At NSA Texas, the Utah Data Center, and North Carolina State University Laboratory of Analytic Sciences, we observed unlocked server racks and sensitive equipment.

NSA also was not providing sufficient oversight of personnel and equipment inside DCMs

Not locking server and equipment racks and

27 (U) NSA Inspector General Report No. "Audit of Server Security," June 19, 2015.

NSA Partially Implemented TSA Controls

NSA made progress in implementing TSA controls for its highest risk administrators but may not meet the full intent of the initiative (initiative 4) without taking additional actions. NSA began implementing the

To assess actions taken to complete the initiative, we reviewed policies and procedures for monitoring and auditing privileged user activities. We also tested whether TSA controls prevented personnel from accessing systems, devices, or networks not previously approved.
TSA Controls Were Not Fully Implemented for High-Risk Administrators

NSA did not fully implement TSA controls for its highest risk administrators. NSA officials stated that they did not follow a formal process or define specific parameters to assess which SYS2 users to include in their initial deployment of the additional authentication requirements.

NSA Did Not Implement TSA Controls for All System and Network Administrators

NSA did not implement TSA controls for all its system and network administrators.

(U) NSA Did Not Effectively Implement Three PRIVAC-Related Initiatives

NSA did not effectively implement three PRIVAC-related initiatives. Specifically, NSA did not effectively implement technology to provide oversight of all privileged user activities, and did not reduce the number of users with PRIVAC and data transfer authority.

NSA Did Not Effectively Implement Technology to Monitor PRIVAC Activities

NSA did not fully implement technology-based capabilities to oversee the activities of privileged users (initiative 36). To assess actions taken to complete the initiative, we reviewed the system administration model and verified it contained tiered levels of access and defined different types of privileged users.
NSA Did Not Reduce the Number of Privileged Users

NSA took steps to identify, but not to reduce, the number of privileged users across its enterprise (initiative 35). NSA documentation identified that it completed the initiative to reduce the number of privileged users from in July 2013. Although repeatedly requested, NSA officials could not provide supporting documentation that showed the number of privileged users before and after the purge or the actual number of users purged. Therefore, to assess actions taken to complete the initiative, we requested prior reports or spreadsheets supporting the number of privileged users and interviewed NSA officials to identify the process they followed for establishing a baseline. We used e-mails that included statistics for specific points in time beginning in March 2014 to validate the number of privileged users.

Before implementing the initiative, the NSA did not know how many users had PRIVAC across the enterprise. In June 2013, shortly after the security breach, NSA reported to the Office of the Director of National Intelligence that it had privileged users. NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users.

In addition to not being able to support the number of privileged users reported to the Office of the Director of National Intelligence, NSA did not support its preliminary baseline of privileged users or its goal for reducing privileged users to. The NSA DCIO stated that NSA arbitrarily removed PRIVAC from users and required those users to submit e-mail requests to the NSA Associate Directorate for Security and Counterintelligence and the office to re-obtain PRIVAC between July 2013 and September 2013. The NSA DCIO stated that NSA considered the individual e-mails and justification before reauthorizing PRIVAC for any user.
NSA took a zero-based approach to remove PRIVAC from the users and required them to re-enroll using; however, NSA did not use a zero-based approach for the remaining privileged users. Several NSA privileged users we interviewed confirmed that NSA removed their PRIVAC and required them to submit a justification in to re-obtain PRIVAC. Although the actions taken by NSA established a baseline of the number of personnel with PRIVAC, NSA should have used the baseline as its starting point to reduce privileged users instead of using the baseline to report a reduction in privileged users. Figure 1 shows a timeline of actions between June 2013 and May 2016 to identify privileged users as well as a continued and consistent increase in the number of privileged users once the enrollment process began.

(U) Figure 1. Timeline of NSA Actions to Identify and Reduce Privileged Users
(U) Source: OIG

NSA Did Not Reduce the Number of DTAs

NSA did not reduce the number of DTAs (initiative 33). NSA documentation identified that it completed the initiative to reduce the number of DTAs in March 2014. Although repeatedly requested, NSA officials could not provide supporting documentation for the total number of DTAs before and after the purge or the actual number of users purged. Therefore, to assess actions taken to complete the initiative, we requested prior reports or spreadsheets supporting the number of DTAs and interviewed NSA officials to identify the process they followed for establishing a baseline. To validate the number of DTAs, we reviewed e-mails that included statistics for specific points in time to identify the number of DTA requests and approvals because could not generate a report covering previous periods.
Before the STN campaign, NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach. After the STN campaign began, NSA officials estimated that they had across the enterprise; they also acknowledged the number was unsubstantiated. In January 2014, NSA took a zero-based approach to identify the actual number of authorized DTAs across the enterprise by requiring all users to submit a request for DTA privileges. NSA officials stated that they received DTA requests between January 2014 and March 2014. Rather than using that number as a baseline, NSA officials determined that the DTA requests represented a reduction from their original unsupported estimate and, therefore, they considered the initiative completed.

The NSA DCIO stated that although the initiative focused on reducing the number of DTAs, the actions taken by NSA were not designed to reduce the number of DTAs; rather, they were taken to overhaul the DTA process to identify and vet all DTAs through. Contrary to the initiative's intent, NSA continued to consistently increase the number of DTAs throughout the next 12 months. Table 3 identifies the starting point after conducting the initial baseline and the steady increase of approved DTAs after the zero-based approach.

(U) Table 3. Number of Approved DTAs Since March 2014
March 2014 | September 2014 | March 2015
Number represents a cumulative total as of a point in time.

NSA Lacked a Comprehensive Strategy to Effectively Implement PRIVAC-Related Initiatives

NSA did not effectively implement three PRIVAC-related STN initiatives because it lacked a comprehensive strategy and implementation plan.
Specifically, NSA did not develop a detailed, structured methodology to implement and measure the completion of the initiatives before it took action to complete them. NSA identified STN initiatives and activities it considered sufficient to implement each initiative through working groups and other ad hoc processes, but these discussions were not documented. When the initiatives were developed, NSA officials also did not address necessary actions to effectively measure completeness. The NSA DCIO consistently stated that NSA was more concerned with taking an action than assessing specific risks and developing a plan to mitigate them. Although NSA eventually assessed the risks to its operating environment in April 2016, this assessment was completed after the STN initiatives were being implemented. Consequently, NSA officials lacked a framework for implementing TPA and TSA controls and technology-based monitoring for all privileged users, and for reducing the number of privileged users and DTAs needed to support mission requirements.

39 A user can have DTA general and privileged access simultaneously and, therefore, could be double-counted.

NSA did not keep accurate and detailed documentation that identified its methodology for completing each initiative and did not describe how it measured the initiatives' completeness and effectiveness. Instead, NSA developed internal reports that had only limited information about the actions taken to complete the initiatives. NSA officials stated that, in some instances, they developed the internal reports after reporting the initiative as complete. NSA's unstructured approach to implement the initiatives resulted in reporting the initiatives as complete when only partial progress had been made or the intent of the initiative had not been fully met.
While NSA acted to complete the initiatives, the lack of a comprehensive strategy hindered its ability to determine whether the actions were sufficient to effectively reduce the risk of insider threats.

Although NSA has begun to implement its broader Secure-the-Enterprise campaign, it has yet to effectively complete all the STN initiatives. Therefore, the Director, Technology Directorate, Chief Information Officer, should develop a strategy with milestones and metrics to expand TSA controls and implement automated, technology-based monitoring for all system and network administrators; develop and implement procedures to ensure approvers use consistent processes to grant privileged access or data transfer authority based on mission needs; and periodically assess and reconcile the number of privileged users and DTAs needed to support NSA mission requirements.

Insider Threat Risks Remain Despite Implementing PRIVAC-Related STN Initiatives

NSA's actions to implement PRIVAC-related STN initiatives did not fully decrease the risk of insider threats or the ability of insiders to exfiltrate data. The STN campaign was established in response to the June 2013 security breach in which an NSA contractor exfiltrated about 1.5 million sensitive and classified documents. NSA designed the STN initiatives to reduce the vulnerabilities exploited during this breach.

NSA did not align its resources and ensure that the actions taken were sufficient to fully implement the intent of the initiatives and reduce the vulnerabilities it identified. NSA also did not have a defined strategy or an implementation plan to monitor completion of the initiatives. As a result, NSA did not complete all the initiatives by June 2015 as required by the Director, NSA, and some initiatives that NSA considered fully completed were only partially completed.
[redacted] risk of personnel with nefarious intentions exploiting vulnerabilities and again compromising highly classified national security information.

(U) Management Comments on the Finding and Our Response

(U) Management Comments on NSA's Approach to Completing STN Initiatives

The Director, Technology Directorate, Chief Information Officer, requested that we consider rewording the following sentence on page 22 of the report: "The NSA DCIO consistently stated that NSA was more concerned with taking an action than assessing specific risks and developing a plan to mitigate them." The Director requested that we revise the sentence using the words "tactical steps, sense of urgency," or "reactionary," and stated that NSA took a tactical and reactionary approach to implementing the STN initiatives instead of planning and strategizing how to implement the initiatives because of the urgency of limiting the risk of insider threats after the June 2013 security breach.

The Director also stated that NSA officials provided e-mail documentation showing that the Director and Deputy Director, NSA, supported moving forward with only two of the remaining initiatives, [redacted]. The Director stated that completing the remaining STN initiatives by June 2015 was not feasible [redacted].

(U) Our Response

We agree that NSA took a tactical and reactionary approach to limit the risk of insider threats when implementing STN initiatives based on the circumstances surrounding the security breach. Although NSA worked in a fluid situation, NSA should have developed a strategy that detailed a structured framework and methodology for implementing STN to ensure its actions were effective and mitigated vulnerabilities exploited during the security breach. Therefore, we did not revise the report.
We acknowledge that NSA provided documentation regarding the Director's approval to move forward with two STN initiatives. [redacted]

(U) Management Comments on Reducing Insider Threat Risks

The Director, Technology Directorate, Chief Information Officer, requested that we consider rewording a paragraph in the report section titled "Insider Threat Risks Remain Despite Implementing STN Initiatives." The Director stated that the paragraph was misleading because it implied that insider threat risks could be eliminated at a point in time. The Director stated that eliminating all risk of insider threats was not feasible, [redacted].

(U) Our Response

We agree that insider threat risks cannot all be eliminated, and that [redacted] reduced some of the insider threat risks. However, as stated in the report, NSA did not effectively implement or complete three of the seven initiatives included in the audit scope. We believe NSA could have taken additional actions to further mitigate insider threat risks; therefore, we did not revise the report.

(U) Recommendations, Management Comments, and Our Response

(U) Recommendation 1

(U) We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Officer, in coordination with the Director, Associate Directorate for Security and Counterintelligence:

[redacted]

(U) NSA Comments

The Director, Technology Directorate, Chief Information Officer, agreed [redacted]
(U) Our Response

Comments from the Director, Technology Directorate, Chief Information Officer, addressed all specifics of the recommendation, and no further comments are required.

[redacted]

(U) NSA Comments

The Director, Technology Directorate, Chief Information Officer, agreed, [redacted]

(U) Our Response

Comments from the Director, Technology Directorate, Chief Information Officer, addressed the specifics of the recommendation, and no further comments are required.

(U) Recommendation 2

We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Officer, develop a strategy that includes milestones and metrics to:

[redacted]

(U) NSA Comments

The Director, Technology Directorate, Chief Information Officer, agreed, [redacted]

(U) Our Response

Comments from the Director, Technology Directorate, Chief Information Officer, partially addressed the recommendation. Although [redacted]. Therefore, we request that the Director reconsider his position and provide additional comments on the final report.

[redacted]

(U) NSA Comments

The Director, Technology Directorate, NSA/CSS Chief [redacted]

(U) Our Response

Comments from the Director, Technology Directorate, Chief Information Officer, partially addressed the [redacted]. Therefore, we request that the Director provide additional comments and documentation on the final report that identify the specific [redacted]
[redacted]

Therefore, we request that the Director reconsider his position and provide additional comments on the final report describing how NSA plans to meet the intent of the recommendation.

(U) Recommendation 3

We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Officer, in coordination with system owners:

a. [redacted]

(U) NSA Comments

The Director, Technology Directorate, Chief Information Officer, agreed with the recommendation.

(U) Our Response

Although the Director, Technology Directorate, Chief Information Officer, agreed, he did not address all specifics of the recommendation. Therefore, we request that the Director provide additional comments on the final report that identify specific actions NSA will take [redacted]

(U) NSA Comments

The Director, Technology Directorate, Chief Information Officer, agreed [redacted]

(U) Our Response

(U) Comments from the Director, Technology Directorate, Chief Information Officer, addressed all specifics of the recommendation, and no further comments are required.

c. [redacted]

(U) NSA Comments

The Director, Technology Directorate, Chief Information Officer, agreed, [redacted]

(U) Our Response

Comments from the Director, Technology Directorate, Chief Information Officer, addressed all specifics of the recommendation, and no further comments are required.

(U) Appendix A

(U) Scope and Methodology

(U) We conducted this performance audit from January 2016 through July 2016 in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

We initiated this audit in response to a congressional request included in the classified annex to the Intelligence Authorization Act for FY 2016, which requires the OIG to assess whether NSA remedied the vulnerabilities exploited by the June 2013 security breach and completed all STN initiatives. We focused on 7 of the 40 STN initiatives that we determined presented a higher risk to NSA's ability to secure network access, protect against insider threats, and provide increased oversight of personnel with PRIVAC.

We met with officials at NSA headquarters from the Technology Directorate, the Associate Directorate for Security and Counterintelligence Center, and other directorates responsible for developing, monitoring, implementing, and overseeing completion of PRIVAC-related STN initiatives.

We nonstatistically selected and visited four NSA installations located in Washington D.C., Texas, Utah, and North Carolina. We conducted [redacted] of the [illegible] [redacted]. We met with officials responsible [redacted].

We nonstatistically selected and interviewed [redacted] privileged users about their [redacted].

We determined that [redacted] data were sufficiently reliable to determine a user's PRIVAC level.
(U) Use of Technical Assistance

(U) The OIG Quantitative Methods Division assisted in selecting a nonstatistical sample of privileged users we used in selecting users to interview at the sites visited.

(U) Prior Coverage

(U) During the last 5 years, the NSA Inspector General issued one classified report related to NSA's ability to implement STN campaign initiatives.

(U) NSA Inspector General Report "Audit of Server Security," June 2015 (Document classified [illegible] TO USA, FVEY)

(U) Appendix B

(U) STN Initiatives

NSA completed or is in the process of implementing 40 STN initiatives in response to the June 2013 security breach. NSA categorized the initiatives in three major areas: tighten controls on computer systems, tighten controls on data, and increase oversight of its personnel. The table below describes the STN initiatives.

Initiative | Description
[redacted]
4. Implement TSA Control for System Administration Policies | [redacted]
[redacted]
21. Implement TPA Control Over DCMs | [redacted]
22. Develop and Document a New System Administration Model | [redacted]
[redacted]
33. Reduce the Number of Authorized DTAs | [redacted]
34. Assess the Number of SAs Across the Enterprise | [redacted]
35. Reduce the Number of Personnel With PRIVAC | [redacted]
36. Oversight of Privileged User Activities | [redacted]
[redacted]

(U) Management Comments

(U) National Security Agency

NATIONAL SECURITY AGENCY
CENTRAL SECURITY SERVICE
FORT GEORGE G. MEADE, MARYLAND 20755-6000

MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL

INFORMATION MEMORANDUM

SUBJECT: NSA Response to Discussion Draft, for DoD IG Project No.

(U//FOUO) NSA welcomes the observations and opportunities for improvement offered by the DoD
IG to benefit our continuing effort to mitigate insider threat across the enterprise. While the Media Leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a "good news" story. We are very proud of the improvements to our security posture we have been able to achieve, all while sustaining and advancing our vital mission.

[redacted] across our vastly complex network. That, coupled with the fact that mission requirements shift daily as a result of world events, creates an extremely dynamic environment that must balance mission needs with security requirements.

(U//FOUO) All of these Information Technology (IT) components and the knowledgeable people to administer the systems must flex to meet the changing mission needs and interoperate constantly re-prioritizing decisions to impact IT services that must be delivered 24/7. In addition, policy changes resulting from 9/11 (such as "need to share" versus "need to know" and launch of an IC-wide IT environment, IC ITE) have completely changed, in scope and method, how IT must work to support its customers. NSA bears the lion's share of technical work to adapt its IT systems to effect the needed changes to successfully operate and operate securely across the IC.

(U//FOUO) We recognize that there are no silver bullets in information or network security - no tactic or plan that can wholly eliminate the potential for harm by myriad threats. By employing a layered defense approach rather than relying on a single initiative to protect our networks, systems, and data, we have been able to significantly reduce the risks inherent in the operation of a global, dynamic enterprise. Further, the combination of initiatives we have implemented and are continuing to develop ensure that the activities of a nefarious actor, [redacted]

Classified By: [illegible] Derived From: [illegible] 1-52 Dated: 20130910 Declassify On: [illegible]
[redacted]

(U) We appreciate the time, energy, and commitment of the audit team, as they worked to understand the measures and capabilities we have implemented over the last three years. We hope they came to appreciate the depth and breadth of the enterprise we are defending and the complexities inherent in that. NSA respectfully offers the following related to the three recommendations.

(U) Response to Recommendations

(U) Recommendation 1

We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Technology Officer, in coordination with the Director, Associate Directorate for Security and Counterintelligence:

[redacted]

NSA Response: NSA concurs with the DOD recommendation. [redacted]

(U) Recommendation 2

We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Technology Officer develop a strategy that includes milestones and metrics to:

[redacted]

NSA Response: NSA concurs with the DoD recommendation. The [redacted]

NSA Response: NSA concurs with [redacted] believes it has satisfied this recommendation.

(U) Recommendation 3

We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Officer, in coordination with system owners:

[redacted]
NSA Response: NSA concurs with the IG's recommendation. [redacted]

NSA concurs with the DOD recommendation and [redacted]

(U) Thank you for the opportunity to review and comment on the draft audit report.

GREGORY L. SMITHBERGER
NSA/CSS Chief Information Officer

Encl: DoD IG Discussion Draft - Project No. D2016-D000R0-0072QOO Comment Matrix

(U) Glossary

Data Center and Machine Room. Facilities that host computing systems, servers, data storage, and machine rooms.

Data Center Manager. Personnel with responsibility for overseeing and managing DCM activities and operations.

Data Transfer Agent (DTA). Designated personnel approved to use removable media to transfer data to or from an information system.

Data Transfer Agent General. Personnel who have a primary responsibility to move data within the enterprise using removable media.

Data Transfer Agent (DTA) Privileged. Personnel who use removable media to perform PRIVAC functions.

[redacted]

Limited Administrator. Users who perform PRIVAC functions on standalone systems.

[redacted]

Network Administrators. Administrative users who maintain computer infrastructure with emphasis on networks.

(U) Privileged Access. A level of access that is significantly greater than that of users performing normal operations.

(U) Public Key Infrastructure. An enterprise-wide service supporting digital signatures and other public key-based security mechanisms for functional enterprise programs.

[redacted]

(U) Tier 3 System Administrators (SYS3). [redacted]

(U) Tier 2 System Administrators (SYS2). [redacted]

(U) System Administrator (SA).
Administrative users who have privileged access to maintain, configure, and operate computer systems.

(U) System Security Plans. Provide an overview of system security requirements for a specific system and describe implemented security controls to meet the requirements.

[redacted]

Two Person Access. Requires two authorized personnel [redacted].

Two Stage Authentication (TSA). Requires administrators to use at least two separate sources of authentication [redacted].

(U) Source of Classified Information

Source 1: (U) Permanent Select Committee on Intelligence, "Intelligence Authorization Act for Fiscal Year 2016:" (Document classified [illegible])
Declassification Date: January 1, 2040
Generated Date: October 5, 2015

Source 2: (U) NSA-provided Secure-the-Net Activity Update, November 16, 2016: (Document classified SECRET)
Declassification Date: September 1, 2039
Generated Date: November 16, 2015

Source 3: (U) NSA Associate Directorate for Security and Counterintelligence, "Snowden Investigative Overview:" (Document classified SECRET REL TO USA, FVEY)
Declassification Date: March 1, 2041
Generated Date: February 9, 2016

Source 4: (U) NSA-provided Securing the Net Update, May 2015: (Document classified CONFIDENTIAL REL TO USA, FVEY)
Declassification Date: May 1, 2040
Generated Date: May 2015

Source 5: (U) NSA Commander Intent for "Securing the Enterprise is the Path Forward:" (Document classified CONFIDENTIAL//REL TO USA, FVEY)
Declassification Date: September 30, 2038
Generated Date: September 8, 2015

Source 6: (U) NSA Town Hall Briefing, "Secure the Enterprise:" (Document classified [illegible] TO USA, FVEY)
Declassification Date: November 1, 2040
Generated Date: November 12, 2015

Source 7: (U) NSA Secure the Network Detailed Report, January 2016: (Document classified [illegible] REL TO USA, FVEY)
Declassification Date: January 28, 2041
Generated Date: January 28, 2016

Source 8: (U) NSA List of Privileged Users: (Document classified [illegible] TO USA, FVEY)
Declassification Date: August 2038
Generated Date: January 28, 2016

Source 9: (U) NSA-Texas List of Privileged Users (Document classified CONFIDENTIAL TO USA, FVEY)
Declassification Date: February 1, 2041
Generated Date: February 16, 2016

Source 10: (U) NSA-Washington List of Privileged Users (Document classified CONFIDENTIAL TO USA, FVEY)
Declassification Date: February 1, 2041
Generated Date: February 23, 2016

Source 11: [redacted]

Source 12: [redacted]

(U) Acronyms and Abbreviations

[redacted]
CSS Central Security Service
DCM Data Center and Machine Room
DCIO Deputy Chief Information Officer
DTA Data Transfer Agent
NSA National Security Agency
NSA Network
PRIVAC Privileged Access
SA System Administrator
STN Secure-the-Net
TPA Two-Person Access
[redacted]
TSA Two-Stage Authentication

Whistleblower Protection
U.S. DEPARTMENT OF DEFENSE

The Whistleblower Protection Enhancement Act of 2012 requires the Inspector General to designate a Whistleblower Protection Ombudsman to educate agency employees about prohibitions on retaliation and rights and remedies against retaliation for protected disclosures. The designated ombudsman is the Hotline Director. For more information on your rights and remedies against retaliation, visit dodig.mil/programs/whistleblower.

For more information about DoD IG reports or activities, please contact us:

Congressional Liaison: congressional@dodig.mil; 703.604.8324
Media Contact: public.affairs@dodig.mil; 703.604.8324
Update: dodigconnect-request@listserve.com
Reports Mailing List
Twitter: twitter.com/DoD_IG
Hotline: dodig.mil/hotline