Doc ID: 6636967

NATIONAL SECURITY AGENCY
CENTRAL SECURITY SERVICE
POLICY 6-20

Issue Date: 31 March 2014
Revised: 8 November 2016

(U) SECOND PARTY ACCESS TO CLASSIFIED INFORMATION SYSTEMS

(U) PURPOSE AND SCOPE

(U) This policy defines processes and procedures for Second Party access to classified information systems. This policy applies to all United States System (USCS) organizations that sponsor Second Party integrees, USCS personnel who initiate or approve requests for Second Party personnel access to U.S. classified intelligence and information, and USCS personnel who implement Second Party personnel and systems access to any classified ISs.

i. JR.
Acting Director, NSA

Endorsed Associate Director for Policy

(U) Encl: Annex Second Party Access information

(U) T823 DJ2 (Vital Records) D16 (Archives)

(U) This Policy 6-20 supersedes Policy 6-20 dated 2 July 2007.

(U) IT Policy. T823, 303-18965.

NSA Case 100386 Page 00585
Approved for Release by NSA on 09-20-2018, FOIA Litigation Case #100386

(U) This Policy 6-20 supersedes Policy 6-20 dated 2 July 2007. The Chief, Policy approved an administrative update on 26 February 2015 to reflect new guidance on limited administrator access, align the definition of Second Party Integree with Policy and make other administrative changes. The Chief, Policy approved an administrative update on 2 November 2015 to update the definition "Authorizing Official." The Chief, Strategy, Plans, and Policy approved an administrative update on 8 November 2016 to enable qualified Second Party Liaison officers to routinely obtain direct access to The administrative update also clarifies the terms "second party personnel" and "second party integrees", and makes their use more consistent; improves accuracy in specifying access type; clarifies a Second Party and Multinational Affairs Division (P523) responsibility; updates definitions; and makes minor administrative updates.
(U) OPI: Technology Policy, P12T, 717-02203.

(U) No section of this document shall be released without approval from the Office of Policy (P12).

(3) - P.L. 86-36

(U) POLICY

1. (U) It is the policy of to share with Second Party ("gyro/age cpartners all information relevant to the arrangements outlined in K: Communications Intelligence Agreement (Reference a) and subsequent bilateral understandings with each Second Party partner as outlined in! (Reference "Second Party Intranet Connection (Reference and (Reference

2. (U) Second Party system access shall be provided in accordance with the requirements specified in Intelligence Community Directive 503, "Intelligence Community Information Technology Systems Security Risk Management" (Reference

3. Second Party Personnel may not perform information technology (IT) systems administrative functions or be granted privileged access on IT systems, with the exception of limited administrative privileges in direct support of mission requirements (i.e., a virtual machine or workstation the administrative access to which is expressly required for mission purposes).

4. (U) Second Party system connection and access policy agreements between the USC information steward and each Second Party country shall be established in a Memorandum of Understanding (MOU). Documents will be maintained and posted by Office of Policy (P12) on SS Classified Network

5. (U) Second Party integrees and Second Party Liaison officers who meet the access requirements in this policy shall routinely be given direct access to ISs via individual accounts.

6. (U) Second Party Headquarters Personnel shall routinely access SS classified ISs indirectly via the Second Party proxy server.

7. (WW Second Party Personnel who are not eligible for direct access and whose requirements cannot be accommodated via the proxy server may request an exception to obtain direct access to IS via an individual account.

8. (U) All requests for Second Party direct access to ISs shall be approved by the Second Party authority with parallel responsibility to SS mission or mission-support information (signals intelligence (SIGINT), information assurance (IA), research) before presentation to for consideration. Second Party requests for individual accounts must be authorized in writing by the responsible Second Party authority.

9. (U) All Second Party personnel who require direct access to classified ISs for the performance of a SIGINT production mission must also follow the guidance within:

a. (U) SIGINT Directorate (SID) Management Directive 421, "United States SIGINT System Database Access" (Reference

b. (U) SID Management Directive 422, Mission Delegation" (Reference and

c. (U) SID Management Directive 427, "Access to Classified U.S. Intelligence Information for Second Party Personnel" (Reference

10. (U) For direct access to classified ISs, eligible Second Party personnel must be appropriately cleared and approved by the Second Party and Multinational Affairs Division (P523). In addition, Second Party integrees must be sponsored by a Global Enterprise Leader.

11. (U) All Second Party personnel who have obtained an user account shall complete Information Assurance training (180, "Cyber Awareness Challenge," OVSC 1000, "Intelligence Oversight Training") prior to access and yearly thereafter.

12. (U) All Second Party personnel with direct access to must obtain and use Agencies Domain certificates if possessing citizenship in a Five Eyes country. Additional information can be found on the SA Corporate Public Key Infrastructure (PKI) Information Page.

13. (U) All Second Party personnel with direct access to ISs shall be subject to all SS Information Technology policies and procedures.

14. (U) The citizenship of all Second Party personnel given individual accounts shall be uniquely identified in the Directory Service (SEARCHLIGHT) in order to provide strong network and IS access control.

15. (U) Second Party personnel with individual accounts may be directly connected only to those classified ISs required to perform sponsored functions. For integrees, the sponsoring organization shall be the authority to identify what is required and shall have a process to account for the systems and information accessed by the integree. System Security Plans (SSPs) of all systems identified for Second Party integree access must be updated to reflect this access.

19. (U) All Second Party access to information on ISs shall be controlled in accordance with an agreement with the information steward or procedures established by the information steward. Access to ISs containing information must be approved, in writing, by the originating agency of the data, and documented in the SSP.

20. (U) Under no circumstances will any Second Party Personnel to include partners, liaison officers or integrees be provided direct access to ISs that are used to generate, produce, or electronically track and distribute U.S.-only keying materials, or Nuclear Command and Control Information Assurance Materials (NCCIM).

21. (U) All Second Party personnel who no longer require access to classified ISs shall have their access terminated upon completion of those specific official duties. This access is not transferable. If Second Party personnel require access in a new position, they must reapply for the access based on their new duties.

22. (U) Procedures for Second Party Indirect Access to Information Systems via Second Party Proxy Server:

a. (U) Written authorization is not required for Second Party personnel access to SS ISs via Second Party proxy servers; and

b. (U) Second Party personnel are not required to register with before accessing resources via Second Party proxy servers.

23. (U) Procedures for Second Party Direct Access to Information Systems: As noted above, Second Party liaison officers and integrees at will be routinely sponsored for accounts on Other Second Party personnel may be approved for such access on a case-by-case basis. The following procedures, therefore, apply to all Second Party liaison officers and integrees and to specially approved other Second Party personnel, as noted below. USC organizations that wish to sponsor Second Party personnel for direct access to ISs shall:

a. (U) Acquire and maintain, for each Second Party candidate, a record of the information specified within the Annex;

b. (U) For integrees only, prepare a formal requirements statement describing the systems, information, and services required for the Second Party individual(s) to perform official NSA/CSS-sanctioned duties; and

c. (U) Forward the sponsor and candidate information described in the above subparagraphs a (and when applicable), to the Second Party and Multinational Affairs Division (P523) for approval and subsequent transferal to the Office of Security and Counterintelligence (A5) for Personnel Security System Database (e.g., CONCERTO) record development. Service Partners will forward sponsor and candidate information through their respective offices at NSAW (Washington).

24. (U) Exceptions to Access Policy: Organizations requesting an exception to this policy or its annex shall coordinate a written request with their Information System Security Officer (ISSO).
Requests will be reviewed by the Information System Security Manager (ISSM) and Second Party and Multinational Affairs Division (P523), prior to submission to the SS Authorizing Official (AO) for decision.

(U) RESPONSIBILITIES

25. (U) USC organizations sponsoring Second Party personnel for direct IS access and accounts shall:

a. (U) Verify that formal access requirements, including requirements for ISs, data, and services, are defined for Second Party personnel and appropriately coordinated with other organizations when access to data from multiple information stewards is required;

b. (U) Ensure that access requests are consistent with requirements for performance of official NSA/CSS-sanctioned duties;

c. (U) Advise the Second Party and Multinational Affairs Division (P523) and Service Offices (if applicable) of the formal access request requirement and obtain Second Party and Multinational Affairs Division (P523) concurrence;

d. (U) Confirm that the sponsored Second Party personnel are registered in the SS Personnel Security System Database (CONCERTO) and the Directory Service

e. (U) Verify that the Capabilities Directorate (Y) has approved all connectivity and access mechanisms before granting Second Party data access;

f. (U) Notify the Second Party and Multinational Affairs Division (P523), respective Service Offices (if applicable), the ISSO, the manager of the controlled interface, and system administrators when Second Party personnel access is no longer required;

g. (U) Be accountable for Second Party direct system access. Report any suspected anomalies, known or suspected unauthorized access, or problems associated with sponsored Second Party access in accordance with Policy 6-23, "Reporting and Handling of Information System Security Incidents" (Reference and

h. (U) Report anomalous activity and incidents to the Office of Security and Counterintelligence (A5) and the Capabilities Directorate (Y) for appropriate investigation.

26. (U) The Capabilities Directorate (Y) shall:

a. (U) Establish and maintain central oversight and accountability for Second Party access through the controlled interface and its separate services; and

b. (U) Provide technical guidance on quality, technical risk assessment, and procedures for connecting any Second Party personnel to classified ISs.

27. (U) The Second Party and Multinational Affairs Division (P523) shall:

a. Ensure that appropriate elements such as Capabilities Directorate (Y) and the Office of Security and Counterintelligence (A5) receive information relative to the arrivals and departures of Second Party persons sponsored for Direct SS IS access/NSANet accounts. This will enable Standard Identification (sid) creation, SEARCHLIGHT record/account development/deletion as appropriate, and PKI approvals. These database records will form the core information set to enable SS to satisfy internal, Department of Defense, and Intelligence Community requirements for secure and discrete information access and exchange; and

b. (U5413989) Approve the creation of NSANET accounts for Second Party Personnel eligible for direct access.

28. (U) The Security and Counterintelligence (A5) shall:

a. Receive and review approved requests from the Second Party and Multinational Affairs Division (P523) for Direct IS access/NSANet accounts by Second Party persons and develop and maintain appropriate security records (CONCERTO) and convey sid and record data to Capabilities Directorate (Y) directorate systems that support and mediate such access SEARCHLIGHT, and

b. (U) Investigate anomalous activity and incidents associated with Second Party access to classified ISs in coordination with the Capabilities Directorate (Y).

29. (U) The Headquarters and Field ISSMs shall work with USCS organizations sponsoring Second Party integrees to ensure that information system security issues are addressed and resolved.

30. (U) AO shall review requests for exceptions to this policy and render decisions.

31. (U) Privileged access users and ISSOs shall:

a. (U) Notify USCS system users when Second Party personnel have accounts on an IS or local area network;

b. Confirm that Second Party accounts are set up correctly and removed upon completion of specified official duties per Policy 6-8, "Information System User and Supervisor Security Responsibilities" (Reference

c. (U) Report any anomalous activities in accordance with Reference and assist, as necessary, in any investigations or analyses of such anomalies; and

d. (U) Assist in the enforcement of the data access procedures established by the information steward's or sponsor's policies and directives.

(U) REFERENCES

32. (U) References:

a. (U) Communications Intelligence Agreement (UKUSA) dated 5 March 1946.

Second Party Intranet Connection MOU dated

d. (UJI

e. (U) Intelligence Community Directive 503, "Intelligence Community Information Technology Systems Security Risk Management," dated 21 July 2015.

f. (U) SID Management Directive (SMD) 421, "United States SIGINT System Database Access," revised 25 March 2008.

g. (U) SID Management Directive (SMD) 422, Mission Delegation," revised 15 April 2008.

h. (U) SID Management Directive (SMD) 427, "Access to Classified U.S. Intelligence Information for Second Party Personnel," revised 28 December 2013.

i. (U) SID Delegation of Approval Authorities Matrix dated 20 November 2014.

j. (U) IAD Management Directive 128, "Approval and Release of Technical IA Information," dated 22 June 2012.

k. (U) Policy 6-23, "Reporting and Handling of SS Information System Security Incidents," dated 4 December 2012 and revised 14 November 2014.

l. (U) Policy 6-8, "Information System User and Supervisor Security Responsibilities," dated 1 August 2016.

(U) DEFINITIONS

33. (U) Authorizing Official (AO): A senior (Federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. (Source: CNSS Instruction (CNSSI) 4009 dated 6 April 2015)

34. (U) Related to the collection and/or exploitation of foreign communications and non-communications emitters, known as and solutions, products, and services to ensure the availability, integrity, authentication, confidentiality, and non-repudiation of national security telecommunications and information systems, known as Information Assurance (IA). (Source: Corporate Policy Glossary)

35. (U) Exception: Indicates that an implementation of one or more security requirements is temporarily postponed and that satisfactory substitutes for the requirement(s) may be used for a specified period of time. This is in contrast to a waiver that implies a security requirement has been set aside and need not be implemented at all.

36. (U) Global Enterprise Leaders: Directors, the NSA Chief of Staff, SCC Commanders, Senior SS Representatives, and the military commanders/civilian chiefs of Extended Enterprise sites. (Source: Corporate Policy Glossary)

37. (U) Information System (IS): Any telecommunications and/or computer-related equipment or interconnected system or of equipment that is used in the acquisition/collection, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data, and includes software, firmware, and hardware.
IS examples are: stand-alone systems, Local Area Networks, supercomputers, process control computers that perform special purpose computing functions (Supervisory Control and Data Acquisition, other Industrial Control Systems, embedded computer systems), and the communications networks that disseminate information. (Source: Corporate Policy Glossary)

38. (U) Information Steward: An agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. (Source: CNSSI 4009)

39. (U) Classified Network: The information technology that enables the to conduct its missions, including signals intelligence and information assurance, and to support cyber operations missions in concert with the SS Global Enterprise. Several conditions must be satisfied before an IS can be considered part of the In particular each and every IS that is part of the must have a registered unique IP address; must be located in a SCIF [sensitive compartmented information facility] accredited by or another IC agency or a Second Party Partner and approved by to conduct activities; and be under authority. (Source: Corporate Policy Glossary)

40. (U) Washington (NSAW): facilities at the Fort Meade, Friendship Annex (FANX), and associated campuses [Finksburg Kent Island, and all leased facilities in the Baltimore/Washington metropolitan area]. (Source: Corporate Policy Glossary)

41. (U5413899) Nuclear Command and Control IA Material (NCCIM): IA materials used in safeguarding and validating the use of nuclear weapons and weapon systems. These include, but are not limited to materials used in authentication, encoding/decoding, and/or locking/unlocking functions associated with the command and control of nuclear weapons. (Source: Corporate Policy Glossary)

42. (U) Privileged Access (PRIVAC): A special access above those privileges required for the normal data acquisition or operation of an agency information system. PRIVAC is granted to the following types of users:

a. (U) Users having "super-user, root, administrator," or equivalent special access to a system (systems administrators, computer system operators, system security officers, webmasters). Those individuals who have near or complete control of the operating system of the machine or information system, or who set up and administer user accounts, authenticators, and the like;

b. (U) Users who have been given the power to control and change other users' access to data or program files (application software administrators, administrators of specialty file systems, database managers, administrators);

c. (U) Users having access to change control parameters (routing tables, path priorities, addresses, etc.) on routers, multiplexers, and/or other important components; and

d. (U) Users who have been given special access for troubleshooting of information system security monitoring functions. (Source: PRIVAC website ("g9 privac"))

43. (U//FOUO) Second Party: Any of these countries: Australia, Canada, New Zealand, and the United Kingdom.

44. (U) Second Party Headquarters Personnel: Second Party personnel who work at Government Communications Headquarters (GCHQ), Communications Security Establishment (CSE), Australian Signals Directorate (ASD), or Government Communications Security Bureau (GCSB) headquarters or field elements and who have a valid need to access classified ISs and for whom an sponsor is identified.

45. Second Party Integree: Second Party personnel integrated into an or United States System element who, when integrated into an environment, are working solely under the direction and operational control of the to conduct or information assurance activities that support the mission in accordance with authorities, rules, and regulations. Integrees may be civilian or military Second Party SIGINT or IA personnel but may not be contractors; an individual from one of the Second Party entities assigned to work for under authorities. Duties associated with an Integree's position shall be performed in support of the mission and in compliance with Executive Order 12333, "United States Intelligence Activities," as amended. (Source: Corporate Policy Glossary)

46. (U) Second Party Liaison Officers: A government official from a Second Party country, either military or civilian, who works in support of his or her country's objectives at a USG organization or installation. These individuals generally act as the immediate point of contact for official interaction between USG and the 2P for that geographic location. (Source: working definition, IC ITE and 5-Eyes Partner Fact Sheet, June 3, 2015)

47. (U) Service Partners: Those organizations with the five armed services that operate under Director, National Security Agency/Chief, Central Security Service authority, or joint members of the larger Unified Cryptologic System, but that are not part of the CSS (Army Corps, Division, Separate Brigade and Armored Cavalry Regiment or Navy Fleet SIGINT assets that are normally under SIGINT Operational Tasking Authority (SOTA) of a tactical commander). (Reference

48. (U) System Security Plan (SSP): The formal document prepared by the information system owner (or common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan. (Source: CNSSI 4009)

49. (U) United States System (USCS): The various U.S. Government entities tasked with a SIGINT mission, the collection, processing, and dissemination of SIGINT, or with an information assurance mission, preserving the availability, integrity, authentication, confidentiality, and nonrepudiation of national security telecommunications and information systems. (Source: Corporate Policy Glossary)

50. (U) USCS Personnel: United States Government personnel who derive their authority to direct and conduct operations (SIGINT and IA) from the Director, NSA/Chief, SS USC Government personnel can be defined in three categories:

a. (U) Civilian employees of the National Security Agency;

b. (U) Military personnel and service civilians of the Service Components; and

c. (U) Military personnel and service civilians of the non-CSS military organizations and civilian integrees from other U.S. Intelligence Community agencies who are considered members of the USCS when performing SIGINT or operations under the direction, authority, and control of (Source: Corporate Policy Glossary)

Annex to Policy 6-20
Dated: 31 March 2014