Mission

Our mission is to provide independent, relevant, and timely oversight of the Department of Defense that supports the warfighter; promotes accountability, integrity, and efficiency; advises the Secretary of Defense and Congress; and informs the public.

Vision

Our vision is to be a model oversight organization in the Federal Government by leading change, speaking truth, and promoting diverse organization, working together as one professional team, recognized as leaders in our field.

For more information about whistleblower protection, please see the inside back cover.

Finding

NSA officials effectively implemented or partially implemented four of the seven privileged access-related STN initiatives included in our audit:

• develop and document a plan for a new system administration model;
• assess the number of system administrators [3] across the enterprise;
• implement two-person access controls over data centers and machine rooms; and
• implement two-stage authentication controls for system administration.

However, NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the data centers and machine rooms in accordance with the initiative requirements and policies and did not extend two-stage authentication controls to all high-risk users.

In addition, NSA officials did not effectively implement three privileged access-related STN initiatives:

• fully implement technology to oversee privileged user activities;
• effectively reduce the number of privileged access users; and
• effectively reduce the number of authorized data transfer agents.

3 (U) System administrators have privileged access to maintain, configure, and operate computer systems.

Management Comments and Our Response

The Director, Technology Directorate, Central Security Service Chief Information Officer, agreed with all
recommendations. However, the comments did not fully address all specifics of the recommendations. The Director did not include all system and network administrators in his strategy to expand two-stage authentication controls and did not implement to provide technology-based monitoring across the entire privileged access community. In addition, the Director did not identify specific actions NSA would take to ensure approvers used consistent processes to grant privileged access or data transfer authority. Therefore, we request that the Director, Technology Directorate, Central Security Service Chief Information Officer, provide additional documentation and comments on this final report by September 27, 2016. Please see the Recommendations Table on the back of this page.

Redaction markings: EO 13526 sec 1.4(g); 50 USC sec 3605; PL 86-36 sec 6

(U) Recommendations Table

Director, Technology Directorate, Chief Information Officer: 2.a, 2.b, 3.a; 1.a, 1.b, 3.b, 3.c

UNCLASSIFIED

(U) Please provide Management Comments by September 27, 2016.

DODIG-2016-129

GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

August 29, 2016

MEMORANDUM FOR DIRECTOR, TECHNOLOGY DIRECTORATE, NATIONAL SECURITY CENTRAL SECURITY SERVICE CHIEF INFORMATION OFFICER

SUBJECT: The National Security Agency Should Take Additional Steps to Effectively Implement Its Privileged Access-Related Secure-the-Net Initiatives (Report No.)

We are providing this report for review and comment. We conducted this audit in response to a congressional requirement. NSA effectively implemented or partially implemented four of the seven privileged access-related Secure-the-Net initiatives included in our audit. However, NSA did not effectively implement the other three initiatives. Consequently, NSA did not fully meet the intent of decreasing the risk of insider threats to its operations and the ability of insiders to exfiltrate data.

We considered management comments on a draft of this report. Instruction
7650.03 requires that recommendations be resolved. Comments from the Director, Technology Directorate, Central Security Service Chief Information Officer, partially addressed Recommendations 2.a, 2.b, and 3.a. Therefore, we request that the Director, Technology Directorate, NSA Central Security Service Chief Information Officer, provide additional comments on those recommendations by September 27, 2016.

Please provide comments that conform to the requirements of Instruction 7650.03. Classified comments must be sent electronically [illegible]. Please send a PDF file containing your comments. Copies of your comments must have the actual signature of the authorizing official for your organization. We cannot accept the /Signed/ symbol in place of the actual signature. Comments provided on the final report must be marked and portion-marked, as appropriate, in accordance with DOD Manual 5200.01.

(U) We appreciate the courtesies extended to the staff. Please direct questions to me at (703) 699-7331 (DSN 329-7331).

Carol N. Gorman
Assistant Inspector General
Readiness and Cyber Operations

(U) Contents

(U) Objective
(U) Background
(U) NSA Mission and Infrastructure
(U) STN Initiatives
(U) NSA Responsibilities for Implementing STN Initiatives
(U) Review of Internal Controls
(U) Finding
NSA Did Not Fully Complete and Effectively Implement All Initiatives
NSA Effectively Implemented Two and Made Progress in Completing Two
NSA Developed a New System Administration Model
(U) NSA Assessed the Number of SAs and Removed PRIVAC for Users Who Did Not Require It
NSA Partially Implemented TPA Controls Over DCMs
NSA Partially Implemented TSA Controls
NSA Did Not Effectively Implement Three Initiatives
NSA Did Not Effectively Implement Technology to Monitor PRIVAC Activities
NSA Did Not Reduce the Number of Privileged Users
NSA Did Not Reduce the Number of DTAs
NSA Lacked a Comprehensive Strategy to Effectively Implement STN Initiatives
Insider Threat Risks Remain Despite Implementing STN Initiatives
(U) Management Comments on the Finding and Our Response
(U) Management Comments on Approach to Completing STN Initiatives
(U) Our Response
(U) Management Comments on Reducing Insider Threat Risks
(U) Our Response
Recommendations, Management Comments, and Our Response
(U) Recommendation 1
(U) Recommendation 2
(U) Recommendation 3
Scope and Methodology
Use of Computer-Processed Data
(U) Use of Technical Assistance
Prior Coverage
(U) Appendix
STN Initiatives
Management Comments
(U) National Security Agency
(U) Source of Classified
(U) Acronyms and

(U) Introduction

Objective

Our audit objective was to determine whether the National Security Agency (NSA) Secure-the-Net initiatives were effectively implemented to improve security controls over data, systems, and personnel activities. This report is one in a series on the implementation of STN initiatives and focuses on the controls to limit privileged access to NSA systems and data and to monitor privileged user actions for unauthorized or inappropriate activity. Please see Appendix A for scope and methodology and prior audit coverage related to the objective.

The classified annex to the Intelligence Authorization Act for FY 2016 requires the DOD Office of Inspector General to assess whether NSA remedied the vulnerabilities exploited by a security breach and completed all STN initiatives. [5]

Background

(U) NSA Mission and Infrastructure

NSA Central Security Service (CSS) leads US Government operations focused on signals intelligence and information assurance products and services and enables computer network operations to gain a decision-making advantage for the United States and its allies. NSA uses advanced information technology to store, process, and protect its activities and information enterprise [redacted]
4 Policy Instruction 6-0001, "Privileged Access," January 20, 2016, defines as a higher level of access than the access needed to perform normal processes and system operations.

5 The congressional request was included in the classified annex to HR 114-144 to accompany HR 2596. HR 2596 was incorporated into H.R. 4127, the final version of the Intelligence Authorization Act for FY 2016. HR 4127 was included in P.L. 114-113, "Consolidated Appropriations Act, 2016," December 18, 2015.

6 is the art and science of making and breaking codes and ciphers. is responsible for creating the systems that protect U.S. communications and for analyzing systems and communications used by foreign powers.

(U) STN Initiatives

NSA was evaluating its security posture when the unauthorized disclosures of classified data in June 2013 [7] prompted it to implement additional processes and security measures to protect its infrastructure, systems, and data against insider threats. Specifically, in June 2013, NSA began developing and implementing 40 STN initiatives [8] to improve controls over NSA computer systems and data and increase oversight of its personnel. NSA's approach to implement the STN campaign was based on the size and complexity of their infrastructure and organization and focused primarily on increasing layered protection to reduce the risk of insider threats. See Appendix for a list and description of the 40 STN initiatives.

The Director, NSA, requested completion of all STN initiatives by June 2015. [9] In June 2015, NSA reported to the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence that it had completed 34 of the 40 STN initiatives.

For this audit, we focused on 7 of the 40 STN initiatives that we determined presented a higher risk to NSA's ability to secure network access, protect against insider threats, and provide increased oversight of personnel with PRIVAC to network devices and infrastructure. Those seven
initiatives are as follows:

• develop and document a new system administration model (initiative 22 in Appendix B);
• assess the number of system administrators across the enterprise (initiative 34);
• implement two-person access (TPA) control over data centers and machine rooms [11] (initiative 21);
• implement two-stage authentication control for system administration (initiative 4); [12]
• reduce the number of personnel with PRIVAC (initiative 35);
• reduce the number of authorized data transfer agents (DTAs) (initiative 33); [13] and
• oversee privileged user activities (initiative 36).

(U) We nonstatistically selected the following four NSA installations to include in our audit:

• NSA Washington serves as NSA headquarters and is located in the Northeast region.
• NSA Texas is one of the four NSA [redacted]
• NSA Utah Data Center is a comprehensive national cybersecurity intelligence data center located in the West region.
• North Carolina State University Laboratory for Analytic Sciences primarily supports research and development and is located in the Southeast region.

7 Between August 2012 and May 2013, an NSA contractor in Hawaii exfiltrated about 1.5 million classified and sensitive documents from NSA systems through various techniques.

8 The number of STN initiatives changed over time; however, as of June 2015, NSA reported 40 STN initiatives to the House Permanent Select Committee on Intelligence.

9 In September 2014, the NSA Chief Information Officer updated the Director, NSA, on the status of completing the STN initiatives. Although NSA officials stated that the Director approved an extension for completing eight of the STN initiatives, the documentation provided did not support that decision.

10 (U) SAs have PRIVAC to maintain, configure, and operate computer systems.

11 DCMs are facilities that host computing systems, servers,
data storage, and machine rooms.

13 DTAs are designated personnel approved by an authorizing officer to use removable media to transfer data to or from an information system.

14 The four centers are located in Texas, Georgia, Hawaii, and Colorado.

(U) NSA Responsibilities for Implementing STN Initiatives

STN is an ongoing campaign requiring involvement from all NSA directorates; however, the NSA Technology Directorate is the primary lead for implementing the initiatives. [15] The Directorate, led by the Chief Information Officer, [redacted]

The NSA Associate Directorate for Security and Counterintelligence protects worldwide information, personnel, activities, and facilities through its internal counterintelligence programs. The NSA Associate Director for Security and Counterintelligence appoints security personnel to provide guidance and assist NSA personnel in making security-related decisions.

Review of Internal Controls

Instruction 5010.40 [16] requires organizations to implement a comprehensive system of internal controls that provides reasonable assurance that programs are operating as intended and to evaluate the effectiveness of the controls. We identified internal control weaknesses related to the initiatives we reviewed. Specifically, NSA did not develop a strategy and a detailed implementation plan that clearly described the process for implementing and measuring progress toward completing the STN initiatives. Additionally, NSA did not consistently secure server racks and other sensitive equipment inside the DCMs and did not implement an [redacted]. We will provide a copy of the report to the senior official responsible for internal controls at NSA.

15 NSA is planning to restructure its organization beginning on or around August 1, 2016. The NSA nomenclatures and directorate references used in this report are based on its structure as of July 2016.

16 (U)
Instruction 5010.40, "Managers' Internal Control Program Procedures," May 30, 2013.

(U) Finding

NSA Did Not Fully Complete and Effectively Implement All Initiatives

NSA officials effectively implemented or partially implemented four of the seven PRIVAC-related STN initiatives included in our audit:

• develop and document a plan for a new system administration model;
• assess the number of all SAs across the enterprise;
• implement TPA controls over DCMs; and
• implement TSA controls for system administration.

However, NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the DCMs in accordance with requirements and policies and did not extend two-stage authentication controls to all high-risk users.

In addition, NSA officials did not effectively implement three PRIVAC-related STN initiatives:

• fully implement technology to oversee privileged user activities;
• effectively reduce the number of privileged users; and
• effectively reduce the number of authorized DTAs.

NSA did not effectively implement the three initiatives because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness. As a result, actions to implement STN did not fully meet the intent of decreasing the risk of insider threats to NSA operations and the ability of insiders to exfiltrate data.

NSA Effectively Implemented Two and Made Progress in Completing Two Initiatives

NSA effectively implemented two and partially implemented two of the seven STN initiatives included in our audit. Specifically, NSA developed and implemented a new system administration model and assessed the number of SAs across the enterprise and removed PRIVAC from users who did not require elevated levels of access. In addition, NSA partially implemented TPA controls over DCMs and TSA controls for SAs but will not meet
the full intent of the ongoing initiatives without taking additional actions.

NSA Developed a New System Administration Model

NSA developed the Enterprise Administration Model for system administration (initiative 22) and implemented Policy Instruction 6-0001 [17] to increase oversight of privileged users and define levels of PRIVAC. NSA documentation identified that it completed the initiative to develop a tiered system administration model to limit PRIVAC based on assigned tasks in December 2014. To assess actions taken to complete the initiative, we reviewed the system administration model and verified it contained tiered levels of access and defined different types of privileged users. We also reviewed and verified the accompanying policy that defined each level of access and the overall PRIVAC process.

17 (U) Policy Instruction 6-0001, "Privileged Access," January 20, 2016, defines privileged access, implements procedures, and assigns responsibilities for PRIVAC to information systems.

In December 2014, NSA established a tiered-pyramid system administration model that identified users as either [redacted] following levels of access:

• Tier 3 SYS3 [redacted]
• (U) Tier 2 [redacted]

(U) NSA Assessed the Number of SAs and Removed PRIVAC for Users Who Did Not Require It

NSA assessed the number of SAs across the enterprise and removed PRIVAC based on the tiered model (initiative 34). NSA documentation identified it completed the initiative to identify the number of SAs across the enterprise and remove PRIVAC from users who did not require elevated levels of access to perform assigned duties in August 2013. To assess actions taken to complete the initiative, we met with NSA officials to determine actions taken to identify privileged users immediately following the June 2013 security breach and reviewed the system administration model and

18 (U) Public
key infrastructure supports digital signature and other security mechanisms for functional enterprise programs.

observed the process for [illegible] and approving PRIVAC.

NSA identified and categorized privileged users who performed SA functions in three distinct tiers in accordance with Office of the Director of National Intelligence requirements. [19]

NSA Partially Implemented TPA Controls Over DCMs

NSA made progress in implementing TPA controls over DCMs (initiative 21) but may not meet the full intent of the initiative without taking additional actions. To assess actions taken to complete the initiative at the four sites visited, we reviewed NSA policies and site standard operating procedures, interviewed [redacted] DCM managers and other personnel, conducted [redacted] of the DCMs, reviewed [redacted] logs. Furthermore, we attempted to access server rack [redacted]

(U) Consistent Processes to Authorize Access to DCMs Were Followed

22 Policy 6-16, "Management of Information Technology Data Centers," July 31, 2010, revised on May 27, 2014, establishes policy for securing and managing information technology data centers.

24 NSA-controlled sites are locations where NSA is the host. Non-NSA-controlled sites are locations where NSA is the tenant.

25 We visited three NSA-controlled sites (NSA Washington, NSA Texas, and the Utah Data Center) and one non-NSA-controlled site (North Carolina State University Laboratory of Analytic Sciences).
[redacted] sensitive equipment in the DCMs in accordance with the initiative [redacted]

At NSA Texas, the Utah Data Center, and North Carolina State University Laboratory of Analytic Sciences, we observed unlocked server racks and sensitive equipment.

NSA also was not providing sufficient oversight of personnel and equipment inside DCMs. [redacted] Not locking server and equipment racks and [redacted]

27 (U) NSA Inspector General Report No. , "Audit of Server Security," June 19, 2015.

NSA Partially Implemented TSA Controls

NSA made progress in implementing TSA controls for its highest risk administrators but may not meet the full intent of the initiative (initiative 4) without taking additional actions. NSA began implementing the [redacted]. To assess actions taken to complete the initiative, we reviewed policies and procedures for monitoring and auditing privileged user activities [redacted]. We also tested whether TSA controls prevented personnel from accessing systems, devices, or networks not previously approved.

TSA
Controls Were Not Fully Implemented for High-Risk Administrators

NSA did not fully implement TSA controls for its highest risk administrators. NSA officials stated that they did not follow a formal process or define specific parameters to assess which SYS2 users to include in their initial deployment of the additional authentication requirements.

NSA Did Not Implement TSA Controls for All System and Network Administrators

NSA did not implement TSA controls for all its system and network administrators.

NSA Did Not Effectively Implement Three Related Initiatives

NSA did not effectively implement three PRIVAC-related initiatives. Specifically, NSA did not effectively implement technology to provide oversight of all privileged user activities and did not reduce the number of users with PRIVAC and data transfer authority.

NSA Did Not Effectively Implement Technology to Monitor PRIVAC Activities

NSA did not fully implement technology-based capabilities to oversee the activities of privileged users (initiative 36). To assess actions taken to complete the initiative, we reviewed the system administration model and verified it contained tiered levels of access and defined different types of privileged users.

NSA Did Not Reduce the Number of Privileged Users

NSA took steps to identify but not to reduce the number of privileged users across its enterprise
(initiative 35). NSA documentation identified that it completed the initiative to reduce the number of privileged users from in July 2013. Although repeatedly requested, NSA officials could not provide supporting documentation that showed the number of privileged users before and after the purge or the actual number of users purged. Therefore, to assess actions taken to complete the initiative, we requested prior reports or spreadsheets supporting the number of privileged users and interviewed NSA officials to identify the process they followed for establishing a baseline. We used e-mails that included statistics for specific points in time, beginning in March 2014, to validate the number of privileged users.

Before implementing the initiative, the NSA did not know how many users had PRIVAC across the enterprise. In June 2013, shortly after the security breach, NSA reported to the Office of the Director of National Intelligence that it had [redacted]. NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users. In addition to not being able to support the number of privileged users reported to the Office of the Director of National Intelligence, NSA did not support its preliminary baseline of [redacted] privileged users or its goal for reducing privileged users to [redacted].

The NSA DCIO stated that NSA arbitrarily removed PRIVAC from [redacted] users and required those users to submit e-mail requests to the NSA Associate Directorate for Security and Counterintelligence and the office to re-obtain PRIVAC between July 2013 and September 2013. The NSA DCIO stated that NSA considered the individual e-mails and justification before reauthorizing PRIVAC for any user. NSA took a zero-based approach to remove PRIVAC from the users and required them to re-enroll using [redacted]; however, NSA did not use a zero-based approach for the remaining privileged users. Several NSA privileged users we interviewed confirmed that NSA removed
their PRIVAC and required them to submit a justification to re-obtain PRIVAC. Although the actions taken by NSA established a baseline of the number of personnel with PRIVAC, NSA should have used the baseline as its starting point to reduce privileged users instead of using the baseline to report a reduction in privileged users. Figure 1 shows a timeline of actions between June 2013 and May 2016 to identify privileged users, as well as a continued and consistent increase in the number of privileged users once the enrollment process began.

(U) Figure 1. Timeline of NSA Actions to Identify and Reduce Privileged Users

[redacted]

(U) Source: OIG

NSA Did Not Reduce the Number of DTAs

NSA did not reduce the number of DTAs (initiative 33). NSA documentation identified that it completed the initiative to reduce the number of DTAs in March 2014. Although repeatedly requested, NSA officials could not provide supporting documentation for the total number of DTAs before and after the purge or the actual number of users purged. Therefore, to assess actions taken to complete the initiative, we requested prior reports or spreadsheets supporting the number of DTAs and interviewed NSA officials to identify the process they followed for establishing a baseline. To validate the number of DTAs, we reviewed e-mails that included statistics for specific points in time to identify the number of DTA requests and approvals because [redacted] could not generate a report covering previous periods.

Before the STN campaign, NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach. After the STN campaign began, NSA officials estimated that they had [redacted] across the enterprise; they also acknowledged the number was unsubstantiated.
In January 2014, NSA took a zero-based approach to identify the actual number of authorized DTAs across the enterprise by requiring all users to submit a request for DTA privileges. NSA officials stated that they received [redacted] DTA requests between January 2014 and March 2014. Rather than using that number as a baseline, NSA officials determined that the DTA requests represented a reduction from their original unsupported estimate, and therefore they considered the initiative completed. The NSA DCIO stated that, although the initiative focused on reducing the number of DTAs, the actions taken by NSA were not designed to reduce the number of DTAs; rather, they were taken to overhaul the DTA process to identify and vet all DTAs through [redacted].

Contrary to the initiative's intent, NSA continued to consistently increase the number of DTAs throughout the next 12 months. Table 3 identifies the starting point after conducting the initial baseline and the steady increase of approved DTAs after the zero-based approach.

(U) Table 3. Number of Approved DTAs Since March 2014

March 2014 | September 2014 | March 2015

Number represents a cumulative total as of a point in time.

NSA Lacked a Comprehensive Strategy to Effectively Implement PRIVAC-Related Initiatives

NSA did not effectively implement three PRIVAC-related STN initiatives because it lacked a comprehensive strategy and implementation plan. Specifically, NSA did not develop a detailed, structured methodology to implement and measure the completion of the initiatives before it took action to complete them. NSA identified STN initiatives and activities it considered sufficient to implement each initiative through working groups and other ad hoc processes, but these discussions were not documented. When the initiatives were developed, NSA officials also did not address necessary actions to
effectively measure completeness. The NSA DCIO consistently stated that NSA was more concerned with taking an action than assessing specific risks and developing a plan to mitigate them. Although NSA eventually assessed the risks to its operating environment in April 2016, this assessment was completed after the STN initiatives were being implemented. Consequently, NSA officials lacked a framework for implementing TPA and TSA controls and technology-based monitoring for all privileged users and for reducing the number of privileged users and DTAs needed to support mission requirements.

39 A user can have DTA, general, and privileged access simultaneously and therefore could be double-counted.

NSA did not keep accurate and detailed documentation that identified its methodology for completing each initiative and did not describe how it measured the initiatives' completeness and effectiveness. Instead, NSA developed internal reports that had only limited information about the actions taken to complete the initiatives. NSA officials stated that, in some instances, they developed the internal reports after reporting the initiative as complete. NSA's unstructured approach to implement the initiatives resulted in reporting the initiatives as complete when only partial progress had been made or the intent of the initiative had not been fully met. While NSA acted to complete the initiatives, the lack of a comprehensive strategy hindered its ability to determine whether the actions were sufficient to effectively reduce the risk of insider threats.

Although NSA has begun to implement its broader Secure-the-Enterprise campaign, it has yet to effectively complete all the STN initiatives. Therefore, the Director, Technology Directorate, Chief Information Officer, should develop a strategy with milestones and metrics to expand TSA controls and implement automated technology-based monitoring for all system and network administrators; develop and implement procedures to
ensure approvers use consistent processes to grant privileged access or data transfer authority based on mission needs; and periodically assess and reconcile the number of privileged users and DTAs needed to support NSA mission requirements.

Insider Threat Risks Remain Despite Implementing PRIVAC-Related STN Initiatives

NSA's actions to implement PRIVAC-related STN initiatives did not fully decrease the risk of insider threats or the ability of insiders to exfiltrate data. The STN campaign was established in response to the June 2013 security breach in which an NSA contractor exfiltrated about 1.5 million sensitive and classified documents. NSA designed the STN initiatives to reduce the vulnerabilities exploited during this breach.

NSA did not align its resources and ensure that the actions taken were sufficient to fully implement the intent of the initiatives and reduce the vulnerabilities it identified. NSA also did not have a defined strategy or an implementation plan to monitor completion of the initiatives. As a result, NSA did not complete all the initiatives by June 2015, as required by the Director, NSA, and some initiatives that NSA considered fully completed were only partially completed. [redacted] risk of personnel with nefarious intentions exploiting vulnerabilities and again compromising highly classified national security information.

(U) Management Comments on the Finding and Our Response

(U) Management Comments on NSA's Approach to Completing STN Initiatives

The Director, Technology Directorate, Chief Information Officer, requested that we consider rewording the following sentence on page 22 of the report: "The NSA DCIO consistently stated that NSA was more concerned with taking an action than assessing specific risks and developing a plan to mitigate them." The Director requested that we revise the sentence using the words "tactical steps," "sense of urgency," or "reactionary," and stated that NSA took a tactical and
reactionary approach to implementing the STN initiatives, instead of planning and strategizing how to implement the initiatives, because of the urgency of limiting the risk of insider threats after the June 2013 security breach. The Director also stated that NSA officials provided e-mail documentation showing that the Director and Deputy Director, NSA, supported moving forward with only two of the remaining initiatives [redacted]. The Director stated that completing the remaining STN initiatives [redacted] by June 2015 was not feasible [redacted].

Our Response

We agree that NSA took a tactical and reactionary approach to limit the risk of insider threats when implementing STN initiatives, based on the circumstances surrounding the security breach. Although NSA worked in a fluid situation, NSA should have developed a strategy that detailed a structured framework and methodology for implementing STN to ensure its actions were effective and mitigated vulnerabilities exploited during the security breach. Therefore, we did not revise the report.

We acknowledge that NSA provided documentation regarding the Director's approval to move forward with two STN initiatives [redacted].

Management Comments on Reducing Insider Threat Risks

The Director, Technology Directorate, Chief Information Officer, requested that we consider rewording a paragraph in the report section titled "Insider Threat Risks Remain Despite Implementing STN Initiatives." The Director stated that the paragraph was misleading because it implied that insider threat risks could be eliminated at a point in time. The Director stated that [redacted] eliminating all risk of insider threats was not feasible.

Our Response

We agree that insider threat risks cannot all be eliminated and that [redacted] reduced some
of the insider threat risks. However, as stated in the report, NSA did not effectively implement or complete three of the seven initiatives included in the audit scope. We believe NSA could have taken additional actions to further mitigate insider threat risks; therefore, we did not revise the report.

Recommendations, Management Comments, and Our Response

Recommendation 1

We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Officer, in coordination with the Director, Associate Directorate for Security and Counterintelligence:

[redacted]

NSA Comments: The Director, Technology Directorate, Chief Information Officer, agreed [redacted].

Our Response: Comments from the Director, Technology Directorate, Chief Information Officer, addressed all specifics of the recommendation, and no further comments are required.

[redacted]

NSA Comments: The Director, Technology Directorate, Chief Information Officer, agreed [redacted].

Our Response: Comments from the Director, Technology Directorate, Chief Information Officer, addressed the specifics of the recommendation, and no further comments are required.

[redacted]

Recommendation 2

We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Officer, develop a strategy that includes milestones and metrics to:

[redacted]

NSA Comments: The Director, Technology Directorate, Chief Information Officer, agreed [redacted].

Our Response: Comments from the Director, Technology
Directorate, Chief Information Officer, partially addressed the recommendation. Although [redacted]. Therefore, we request that the Director reconsider his position and provide additional comments on the final report.

[redacted]

NSA Comments: The Director, Technology Directorate, NSA/CSS Chief [redacted]

Our Response: Comments from the Director, Technology Directorate, Chief Information Officer, partially addressed the [redacted]. Therefore, we request that the Director provide additional comments and documentation on the final report that identify the specific [redacted]

[redacted] Therefore, we request that the Director reconsider his position and provide additional comments on the final report describing how NSA plans to meet the intent of the recommendation.

Recommendation 3

We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Officer, in coordination with system owners:

[redacted]

NSA Comments: The Director, Technology Directorate, Chief Information Officer, agreed with the recommendation.

Our Response: Although the Director, Technology Directorate, Chief Information Officer, agreed, he did not address all specifics of the recommendation. Therefore, we request that the Director provide additional comments on the final report that identify specific actions NSA will take.

[redacted]

NSA Comments: The Director, Technology Directorate, Chief Information Officer, agreed [redacted].

Our Response: Comments from the Director, Technology Directorate, Chief Information Officer, addressed all specifics of the
recommendation, and no further comments are required.

[redacted]

NSA Comments: The Director, Technology Directorate, Chief Information Officer, agreed [redacted].

Our Response: Comments from the Director, Technology Directorate, Chief Information Officer, addressed all specifics of the recommendation, and no further comments are required.

Appendixes

Appendix A

Scope and Methodology

We conducted this performance audit from January 2016 through July 2016 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

We initiated this audit in response to a congressional request included in the classified annex to the Intelligence Authorization Act for FY 2016, which requires the OIG to assess whether NSA remedied the vulnerabilities exploited by the June 2013 security breach and completed all STN initiatives. We focused on 7 of the 40 STN initiatives that we determined presented a higher risk to NSA's ability to secure network access, protect against insider threats, and provide increased oversight of personnel with PRIVAC.

We met with officials at NSA headquarters from the Technology Directorate, the Associate Directorate for Security and Counterintelligence Center and other directorates responsible for developing, monitoring, implementing, and overseeing completion of PRIVAC-related STN initiatives [redacted].

We nonstatistically selected and visited four NSA installations located in Washington, D.C., Texas, Utah, and North Carolina. We conducted [redacted] of the [redacted]. We met with officials responsible [redacted]
nonstatistically selected and interviewed privileged users about their [redacted]. We determined that [redacted] data were sufficiently reliable to determine a user's PRIVAC level.

Use of Technical Assistance

The OIG Quantitative Methods Division assisted in selecting a nonstatistical sample of privileged users we used in selecting users to interview at the sites visited.

Prior Coverage

During the last 5 years, the NSA Inspector General issued one classified report related to NSA's ability to implement STN campaign initiatives.

NSA Inspector General Report, "Audit of Server Security," June 2015 (Document classified TO USA FVEY)

Appendix

STN Initiatives

NSA completed or is in the process of implementing 40 STN initiatives in response to the June 2013 security breach. NSA categorized the initiatives in three major areas: tighten controls on computer systems, tighten controls on data, and increase oversight of its personnel. The table below describes the STN initiatives.

Initiative / Description (most entries and all descriptions are redacted)

[redacted]
4 Implement TSA Control for System Administration Policies [redacted]
[redacted]
21 Implement TPA Control Over DCMs
22 Develop and Document a New System Administration Model
[redacted]
33 Reduce the Number of Authorized DTAs
34 Assess the Number of SAs Across the Enterprise
35 Reduce the Number of Personnel With PRIVAC
36 Oversight of Privileged User Activities
[redacted]

Management Comments

National Security Agency

NATIONAL SECURITY AGENCY
CENTRAL SECURITY SERVICE
FORT GEORGE G. MEADE, MARYLAND
20755-6000

MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL

INFORMATION MEMORANDUM

SUBJECT: NSA Response to Discussion Draft for DoD IG Project No.

NSA welcomes the observations and opportunities for improvement offered by the DoD IG to benefit our continuing effort to mitigate insider threat across the enterprise. While the Media Leak events that led to Secure the Net (STN) were both unforeseen and serious, we consider the extensive progress we made in a short time to be a good news story. We are very proud of the improvements to our security posture we have been able to achieve, all while sustaining and advancing our vital mission across our vastly complex network. That, coupled with the fact that mission requirements shift daily as a result of world events, creates an extremely dynamic environment that must balance mission needs with security requirements.

All of these Information Technology (IT) components and the knowledgeable people to administer the systems must flex to meet the changing mission needs and interoperate, constantly re-prioritizing decisions to impact IT services that must be delivered 24 [illegible]. In addition, policy changes resulting from [illegible], such as need to share versus need to know, and launch of an IC-wide IT environment (IC ITE) have completely changed in scope and method how IT must work to support its customers. NSA bears the lion's share of technical work to adapt its IT systems to effect the needed changes to successfully operate, and operate securely, across the IC.

We recognize that there are no silver bullets in information or network security - no tactic or plan that can wholly eliminate the potential for harm by myriad threats. By employing a layered defense approach, rather than relying on a single initiative to protect our networks, systems, and data, we have been able to significantly reduce the risks inherent in the operation of a global, dynamic enterprise. Further, the combination of initiatives we have implemented and are
continuing to develop ensure that the activities of a nefarious actor [redacted]

[Classification block, largely illegible: "1-52 Dated 20130910"]

[redacted]

We appreciate the time, energy, and commitment of the audit team as they worked to understand the measures and capabilities we have implemented over the last three years. We hope they came to appreciate the depth and breadth of the enterprise we are defending and the complexities inherent in that

NSA respectfully offers the following related to the three recommendations.

Response to Recommendations

Recommendation 1: We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Technology Officer, in coordination with the Director, Associate Directorate for Security and Counterintelligence: [redacted]

NSA Response: NSA concurs with the DoD recommendation. [redacted]

Recommendation 2: We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Technology Officer, develop a strategy that includes milestones and metrics to: [redacted]

NSA Response: NSA concurs with the DoD recommendation. The [redacted]

[redacted]

NSA Response: NSA concurs with [illegible] so believes it has satisfied this recommendation.

Recommendation 3: We recommend that the Director, Technology Directorate, National Security Agency/Central Security Service Chief Information Officer, in coordination with system owners: [redacted]
[redacted]

NSA concurs with the IG's recommendation [redacted].

NSA concurs with the DoD recommendation and [redacted].

Thank you for the opportunity to review and comment on the draft audit report.

GREGORY L. SMITHBERGER
NSA/CSS Chief Information Officer

Encl: DoD IG Discussion Draft - Project No D2016-D000R0-0072QOO Comment Matrix

[redacted]

Glossary

Data Center and Machine Room. Facilities that host computing systems, servers, data storage, and machine rooms.

Data Center Manager. Personnel with responsibility for overseeing and managing DCM activities and operations.

Data Transfer Agent (DTA). Designated personnel approved to use removable media to transfer data to or from an information system.

Data Transfer Agent General. Personnel who have a primary responsibility to move data within the enterprise using removable media.

Data Transfer Agent (DTA) Privileged. Personnel who use removable media to perform PRIVAC functions [redacted].

Limited Administrator. Users who perform PRIVAC functions on standalone systems [redacted].

Network Administrators. Administrative users who maintain computer infrastructure with emphasis on networks.

Privileged Access. A level of access that is significantly greater than that of users performing normal operations.

Public Key Infrastructure. An enterprise-wide service supporting digital signatures and other public key-based security mechanisms for functional enterprise programs [redacted].

Tier 3 System Administrators (SYS3). [redacted]

Tier 2 System Administrators (SYS2). [redacted]

System Administrator (SA). Administrative users who have privileged access to maintain, configure, and operate computer systems.

System Security Plans.
Provide an overview of system security requirements for a specific system and describe implemented security controls to meet the requirements.

[redacted]

Two Person Access. Requires two authorized personnel [redacted].

Two Stage Authentication (TSA). Requires administrators to use at least two separate sources of authentication [redacted].

Source of Classified Information

Source 1: Permanent Select Committee on Intelligence, Intelligence Authorization Act for Fiscal Year 2016 (Document classified [illegible]). Declassification Date: January 1, 2040. Generated Date: October 5, 2015.

Source 2: NSA provided Secure-the-Net Activity Update, November 16, 2016 (Document classified SECRET). Declassification Date: September 1, 2039. Generated Date: November 16, 2015.

Source 3: NSA Associate Directorate for Security and Counterintelligence, Snowden Investigative Overview (Document classified SECRET REL TO USA FVEY). Declassification Date: March 1, 2041. Generated Date: February 9, 2016.

Source 4: NSA provided Securing the Net Update, May 2015 (Document classified CONFIDENTIAL REL TO USA FVEY). Declassification Date: May 1, 2040. Generated Date: May 2015.

Source 5: NSA Commander Intent for Securing the Enterprise is the Path Forward (Document classified CONFIDENTIAL//REL TO USA FVEY). Declassification Date: September 30, 2038. Generated Date: September 8, 2015.

Source 6: NSA Town Hall Briefing, Secure the Enterprise (Document classified TO USA FVEY). Declassification Date: November 1, 2040. Generated Date: November 12, 2015.

Source 7: NSA Secure the Network Detailed Report, January 2016 (Document classified REL TO USA FVEY). Declassification Date: January 28, 2041. Generated Date: January 28, 2016.

Source 8: NSA List of Privileged Users (Document classified TO USA FVEY). Declassification Date: August 2038. Generated Date: January 28, 2016.

Source 9:
NSA-Texas List of Privileged Users (Document classified CONFID TO USA FVEY). Declassification Date: February 1, 2041. Generated Date: February 16, 2016.

Source 10: NSA-Washington List of Privileged Users (Document classified CONFIDENTIAL TO USA FVEY). Declassification Date: February 1, 2041. Generated Date: February 23, 2016.

Source 11: [redacted]

Source 12: [redacted]

Acronyms and Abbreviations

[redacted]
CSS: Central Security Service
DCM: Data Center and Machine Room
DCIO: Deputy Chief Information Officer
DTA: Data Transfer Agent
NSA: National Security Agency
[illegible]: NSA Network
PRIVAC: Privileged Access
SA: System Administrator
STN: Secure the Net
TPA: Two Person Access
[redacted]
TSA: Two-Stage Authentication

Whistleblower Protection

U.S. DEPARTMENT OF DEFENSE

The Whistleblower Protection Enhancement Act of 2012 requires the Inspector General to designate a Whistleblower Protection Ombudsman to educate agency employees about prohibitions on retaliation, and rights and remedies against retaliation for protected disclosures. The designated ombudsman is the Hotline Director. For more information on your rights and remedies against retaliation, visit dodig.mil/programs/whistleblower.

For more information about DoD IG reports or activities, please contact us:

Congressional Liaison: congressional@dodig.mil; 703.604.8324
Media Contact: public.affairs@dodig.mil; 703.604.8324
Update: dodigconnect-request@listserve.com
Reports Mailing List
Twitter: twitter.com/DoD_IG
Hotline: dodig.mil/hotline

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037. Phone: 202/994‐7000, Fax: 202/994‐7005, nsarchiv@gwu.edu