National Security Agency / The Unofficial Org Chart. (C) 2014 Marc Ambinder, Inc. by Mind Map: National Security Agency
The Unofficial Org Chart. (C) 2014
Marc Ambinder, Inc.
5.0 stars - 21 reviews

National Security Agency / The Unofficial Org Chart. (C) 2014 Marc Ambinder, Inc.

SURPUUSHANGAR -- covert mechanism to ingest unclassified traffic into high side servers

Special FISA adjudication

S3221: (persistence software)



V1 Staff Services

V2 Analysis

V3 Operations

V34 -- Next Generation Wireless (NGW)

FROM THERE to Ft. Meade -- How data moves at NSA

NUCLEON — Global content database

CONVEYENCE DNI content database

WRANGLER — Electronic Intelligence intercept raw database

ONEROOF — Main tactical SIGINT database (Afghanistan), consisting of raw and unfiltered intercepts, associated with Coastline tool

PROTON — Large SIGINT database for time-sensitive targets/counterintelligence. Associated with Criss-Cross tool.

MARINA / MAINWAY Internet metadata collection database / SIGINT metadata collection database

PINWALE — SIGINT content database


FASCIA -- major metadata ingest processor that sends to Ft. Meade stuff that NSA collects out there

FASTBALL -- automated DNI analytical processing system

FALLOUT -- major content ingest processor that sends to Ft. Meade in raw, unstructured form for later processing. Generally for unstructured data.


Reporting tools


Voice master

Center mass

Gist Queue

YELLOWSTONE -- assigns metrics for allocation and distributing ingested SIGINT product.






Top Priority SIGINT Missions

Support to USSS / presidential protection and national programs, including, under special authorities, NSSEs

Warning / imminent military and strategic threats from China, Russia,

Counter-foreign intelligence and counter-intelligence


Collection on military plans and strategies of China, Russia, Iran, North Korea, Israel

Ballistic missile defense

Domestic electronic CT wall

Political intelligence

Iranian, North Korean, Israeli, Pakistani proliferation and defensive CI activities

Requirements and Tasking





DNI Mission Managers

SOO / SigDev



Successor to Echelon


Collection types

Midpoint collection

CNE enabled implants

Endpoint collection

Corporate access point collection

Overhead collection

foreign satellite collection

Clandestine signal collection

Undersea collection

Airborne collection

Close access point collection


Open Source


Mobile collection platforms (EP-3s, U-2s, etc

F6/Special Collection Service emplaced sensors, CANEX

F6/Special Collection Service embassy-based listening posts // BIRDCATCHER /EINSTEIN /CASTANET

RF Collection Sites

Collection relay mechanisms

SIGINT satellites and relays

SCS base stations

Encrypted packets on the regular internet

Hard cables / fiber optics

DTS covert

SRP platforms

Cables provided by ISPs



Upstream collection (ingests at fiber hubs -- FAIRVIEW, etc)

Undersea cable taps (20 worldwide)

Cable hub splitters

Direct corporate partner network access points

Foreign country partner interfaces (FIVE EYES, etc)

Clandestine foreign telecom hub collection

FORNSAT intercepts (Stellar, Sounder, Snick, Moonpeny, Carboy, Timberline, Indira, Jacknife, Ironsand, Ladylove) See: for details

Ground SIGINT/FISINT collection sites

NSA, CIA and FBI implants

New info

LOPERS -- Public Branch Telephone System collection

Navy Underwater Reconnaissance Office

Midpoint collection -- surreptitious collection from nodes place in the middle of data links

Other major NSA tools and databases







Broom Stick

JUGGERNAUT -- mobile/data communications collection

DRTBOX -- possible system for obtaining information from cell phones

Boundless Informant -- collection volume, type, location and platform visualization too


TRACfin -- financial information database

NSA Nitty Gritty -- databases, tasking systems and analytical interfaces


AQUADOR — Merchant ship tracking tool

ASSOCIATION Selector correlation and analysis tool

BANYAN — NSA tactical geospatial correlation database

WealthyCluster -- data mining tool for CT

TUSKATTIRE - data processing system

ShellTrumpet -- metadata processing

MESSIAH/WHAMI — ELINT processing and analytical database

TAPERLAY -- Global database of telephone numbers/selectors by type (GSM,etc)


TWINSERPENT -- phone book tool

WRTBOX -- collection from PSTN overseas

Tools, Unified Targeting Tool, CHALKFUN -- metadata location record database, SPYDER -- SMS/metadata query tool, XKEYSCORE global SIGINT analysis system, AIRGAP — Priority missions tool used to determine SIGINT gaps, TRAFFICTHIEF — Raw SIGINT viewer and sorter for data analysis, TRANSx, Bpundless Informant

DISHFIRE -- SMS collection and analysis from digital network information and records ingested by the MUL:KBONE database


CASPORT -- main NSA corporate / access identification tool used to control product dissemination

OCTAVE/CONTRAOCTIVE — Collection mission tasking tool -- where "selectors" live, PEPPERBOX -- database of targeting requests

HOMEBASE — A tactical tasking tool for digital network identification

SURREY DNI / SIGINT tasking database

DISHFIRE -- Associational and relational database for political and strategic intelligence by key selectors

AGILITY -- database of foreign intelligence selectors (non CT)

CHIPPEWA -- system to exchange SIGINT tasking / data with allies

DNI/DNR and network penetration tools and system

CNO TOOLS, SHARKFINN, BROKENTIGO, EMBRACEFLINT, LONGHAUL, EGOTISTICAL GOAT / EGOTISTICAL GIRAFFE, ATLAS -- DNI geolocation and network information tool, DANAUS -- DNS discovery tool / reverse DNS, BLACKPEARL -- survey information tool, ERRONEOUS INGENUITY, TIDALSURGE -- DNI router configuration discovery, ATHENA -- port discovery probe tool, SNORT — Repository of computer network attack techniques/coding, TREASUREMAP -- Global Internet Mapping/Analysis tool, PACKAGED GOODS -- global internet exploitation tool / traces routes of information, EVILOLIVE -- IP Geolocation, HYPERION -- IP to IP communication survey tool, WIRESHARK — Repository of malicious network signatures, TRITON -- TOR node search tool, ISLANDTRANSPORT -- Enterprise Message Service processor


TOYGRIPPE -- VPN collection, FRIARTUCK, MASTERSHAKE -- VSAT Terminal emulator

TURBULENCE -- global "advanced forward defense" internet architecture built for NSA; employs the QUANTUM THEORY system, global distributed passive sensors to detect target traffic and tip a centralized command/control node (QFIRE)., TURMOIL --High-speed passive collection systems intercept foreign target satellite, microwave, and cable communications as thev transit the globe, TURBINE -- active SIGINT collection off of TURBULENCE architecture, Resetting connections (QUANTUMSKY), Redirecting targets for exploitation (QUANTUMINSERT), Taking control of IRC bots (QUANTUMBOT), Corrupting file uploads/downloads (QUANTUMCOPPER), TUELAGE -- active CND off the TURBULENCE architecture, TUMULT -- Stage 0 server for TURBULENCE architecture



FISA Special Adjudication Office

S2I5 Compliance Staff

S343 Prioritizing and Approval of Targets

SV SIGINT Governance and Compliance Division



Directorate for Corporate Leadership

Information Assurance Directorate

IC: Cyber Integration Division

IE: Engagement Division

Client Engagement and Community Outreach Group

Interagency Operations Security Support Staff (OPSEC)

I2: Trusted Engineering Solutions

I2N: Office of National and Nuclear Command Capabilities — Provides the launch codes for nuclear weapons, Electronic Key Support Central Management Facility — Provides over-the-air code keying for the entire national security establishment

Information Technology Infrastructure Services (ITIS) System Office

I3: Information Operations

Mission Integration Office

Technical Security Evaluations

Red Cell — Conducts surprise penetrations of U.S. government networks

Blue Cell — Conducts audits of U.S. government networks

HUNT: Advanced adversary network penetration cell — Monitors NSA networks 24/7 to detect advanced cyber penetrations

Joint Communications Security Monitoring Agency

I4: Fusion, Analysis, Mitigation

F6: Special Collection Service HQ (Beltsville, MD) —STATEROOM-- Joint CIA/NSA field collection agency operating from embassies and other denied locations. Director reports to DIRNSA


SI or COMINT -- top-level SCI compartment; denotes sensitive SiGINT, DNI and cyber sources and methods

ECI -- COMINT subcompartment. with further subcompartments, which protect NSA relationships with other government agencies and private companies as well as specific sources, cryptalanaric breakthroughs and capabilities, ECI-FGT --> SCS Product, ECI-AMB Ambulate, ECI-PIQ Picaresque, ECI compartments include PIEDMONT, PENDLETON, PITCHFORK, PAWLEYS, AUNTIE, PAINTEDEAGLE

VRK -- exceptionally sensitive sources of national and strategic importance

RAGTIME -- protects "product " gathered from FISA intercepts

RAMPART --codeword for foreign leader SIGINT - RAM-A, RAM-X, RAM-T, RAM-M



T: Technical Directorate

TE: Enterprise Systems Engineering and Architecture

TS: Information Systems and Security

Public Key Infrastructure (PKI) Program Management Office (PMO)

TT: Independent Test and Evaluation

T1: Mission Capabilities

T132 — The "scissors" team: division that physically separates traffic by type once it's been ingested

Strategic SATCOM Security Engineering Office


T2: Business Capabilities

T3: Enterprise IT Services

T3221: Transport Field Services

T334: National Signals Processing Center

T335: Deployable Communications Operations

T332 Global Enterprise Command Center

T5: CARILLION — High performance computing center

T6: Technical SIGINT and Ground Capabilities

OTRS -- Office of Target Reconnaissance and Survey -- provides rapid technological solutions for tactical SIGINT problems

Large domestic operating field sites

Columbia, MD

Friendship Annex, Linthicum, MD

Finksberg, MD

Bowie, MD

College Park, MD

Ft. Belvoir, VA

Fairfax, VA

Washington, DC

Ft. Detrick (Site R)

Camp Williams, UT

NSA Georgia (Ft. Gordon)

NSA Texas (Lackland AFB, San Antonio)

Greenville, TX

NSA Denver (Aurora), co-located with CIA's National Resources Division

NSA Oak Ridge (Tennessee)


Winter Harbor, ME

Formerly: Sugar Grove, WV, Rosman, NC TIMBERLINE

NSA Continuity of Government site

NSA CMOC -- Cheyenne Mounfain

NSA Field Stations — Remote collection and analytical facilities

F74: Meade Operations Center — 24/7 SIGINT support to deployed military units

SORC/FP: Special Operations Readiness Cells (Focal Point) — Support to special operations forces as part of the Focal Point Special Access Program

NSA Kunia

Foreign Affairs Directorate — Liaison with foreign intelligence services, counter-intelligence centers, UK/USA and FIVE EYES exchanges

Office of Export Control Policy


UKUSA governing council

Sources: author’s reporting and research;; Matthew Aid, Edward Snowden documents; Top Level Telecommunications website;, reporting in the Guardian, New York Times, Washington Post

M: Human Resources — Q: Security and Counterintelligence

Q2: Office of Military Personnel

Q3: Office of Civilian Personnel

QJ1: HR operations/global personnel SA

Q43: Information Policy Division

Q5: Office of Security

Q509: Security Policy Staff

Q51: Physical Security Division

Q52: Field Security Division


Q56: Security Awareness

Q57: Polygraph

Q7: Counterintelligence


Signals Intelligence Directorate

S1: Enterprise Engagement and Mission Management

A&R Watch (K Watch Ops) 199

S11: Customer Gateway

S12: Information Sharing and Services Branch, Partnership Dissemination Cell

S124: Staff Services Division

NSA Commercial Solutions Center

S17 Strategic Intelligence Issues

S1E -- Electromagnetic Space Program Office

S1P Plans and Exercise Division, S1P1 -- SOCOM/NORTHCOM SIGINT planning, S1P2 - Combatant Commands SIGINT planning

S2: Analysis and Production Centers

FISA Special Adjudication Office — Provides 24/7 support to each product line shift to facilitate rapid FISA processing

NSA Product Lines, S2A: South Asia, S25A51 -- South Asian Language Analysis Branch, S25A52 -- South Asian Reporting Branch, S25A4 -- Pakistan, S2B: China and Korea, S2I: Counterterrorism Production Center, S2IX: Special Counterterrorism Operations // CT Special Projects, S2I42 -- Hezbollah Team, S2I5 Advanced Analysis Division (FISA analysis) program manager, deputy program manager, 5 shift supervisors, 125 analysts, S2I43 -- NOM Team, Counterterrorism Mission Aligned Cell (CT-MAC) -- sensitive counter-terrorism support to CIA, S2I4 Homeland Mission Center, Metadata Analysis Center, S2C: International Security, S2C42 -- Western Europe and Strategic Partnership Division, S2C41 Mexico Team, S2C32 European States Branch, S2D: Counter-foreign intelligence, S2E: Middle East/Asia, S2F: International Crime, S2G: Counterproliferation, S2H: Russia, S2T: Current Threats, S2T3: NSA/CSS Threat Operations Center, S2J: Weapons and Space, S203: Access Team for Operations Staff

K -- National Security Operations Center, National Security Operations Center — Main NSA intelligence watch facility, DECKPIN — NSA crisis cell activated during emergencies, Homeland Security Analysis Center, Homeland Security Mission Managers, CMM — Cryptologic Management Mission program office

S3: Data Acquisition

S31: Cryptologic Exploitation Services, Signals and Surveys Analysis Division, Technical Exploitation Center, Project BULLRUN, S3132: Protocol, Exploitation, and Dissemination Cell — Shunts SIGINT by type to databases, S31174 Office of Target Pursuit

S32: Tailored Access Operations, Network Warfare Team — Liaison with military, S321: Remote Operations Center, Network Ops Center, Operational Readiness, Interactive Operations Division, POLARBREEZE, S322 Advanced Network Technologies, S3222: (software implants), S32221: ?, S32222: (routers, servers, etc.), S3223: (hardware implants), S3224: ?, S32241: ?, S32242: (GSM cell), S32243: (radar retro-refl.), S323: Data Network Technologies (researches how to penetrate secure networks), Production Operations Division, S324: Telecommunications Network Technologies — Develops technologies to penetrate telecom networks, S325: Mission Infrastructure Technologies — Operational computer network exploitation and enemy infrastructure vulnerability mapping, Transaction Branch, S327: Targeting and Requirements, S328: Access Technologies Operations (computer network attack) — Works with CIA's TMO, S32P. TAO Program Planning Integration, Access Operations Division — Works with CIA's Technology Management Office / information Operations Division to break into foreign / CI networks, TURMOIL -- NSA cover term for installation/maintenance and operation of filters, servers and splitters on servers of corporate partners w/ their permission for SIGINT and CNE operations. Each diversion device is called a QUANTUM, GENIE SIGADs - 3136 (domestic) / 3137 (foreign), FOXACID man-in-the-middle server spoofing system. Part of GENIE., SSO Close Access Domestic Collection Systems on foreign targets SIGAD US-3136, MYSTIC, RAM-A,IX,T,M, DGO, DROPMIRE - passive collection of RF emanating from an antennae, HIGHLANDS -- collection from devices covertly implanted within denied areas, VAGRANT -- realtime or stored collection of images on computer screens, MINERALIZE -- collection from a device implanted within a local area network, OCEAN -- implanted optical collection from raster-based computer screens, CUSTOMS -- clandestine NSA collection from devices acquired by US CBP detention protocols, LIFESAVER -- hard drive imaging NOT from secret US CBP detention protocols, BLACKHEART -- domestic collection from a device implanted by the FBI, MAGNETIC -- sensor collection from magnetic emanations, DEWSWEEPER -- collection from USB ports attached to target systems that transit data via RF to a waiting secure network for collection

S33: Link Access // Global Access Operations, S332: Terrestrial SIGINT, OCELOT (FORNSAT), S333: Overhead SIGINT, Overhead Collection Management Center, U2 PMO, RC / GUAR, EP3 PMO, SSPO, GHOSTHUNTER, S33P ISR Portfolio Management Office, S33P2 Technology Integration Division, S33P3 Tactical SIGINT Technology Office, Community ELINT Management Office, VOXGLO -- major cyber and enterprising computing project, OCEANSURF Program Office — $450m systems engineering hub

S35 Special Source Operations, Cable programs, LITHIUM, MADCAPOCELOT - STORMBREW collection program using SIGAD 3140, DARKTHUNDER, WINDSTOP, DS: 200 series -- all GCHQ collection provided to NSA, Flying Pig, MUSCULAR (co-owner: UK GCHQ): SIGAD: DS;200B -- foreign access point collection from intermediary node connecting Google and Yahoo servers overseas with domestic US servers., MONKEY PUZZLE possible mid-point exploration of Microsoft servers, DS 300: series, DS 900 series, OAKSTAR -- filtered high-volume collection off international cable transit nodes and foreign access points under FAA/Transit authority and EO12333. Divided by SIGAD and production source., ORANGEBLOSSOM -- International Transit Switch Collection -- SIGAD 3251, ORANGECRUSH SIGAD 3230, PRIMECANE company partner (PDDG: 0B) w/ foreign access point / 3rd partner partner. DNI, metadata, COBALTFALCON SIGAD 3354, CHASEFALCON SIGAD 3220, BLUEZEPHYR SIGAD 3227, YACHTSHOP - SIGAD 3247, BLUEANCHOR company partner PDDG: PJ -- DNI Metadata, SHiFTINGSHADOW -- SIGAD 3217 -- collection from Afghanistan -- PDDG: MU, SILVERZEPHYR: SIGAD 3273, STEEKNIGHT company partner PDDG: SK, MONEYROCKET -- SIGAD 3206 -- Counterterrorism intelligence collected from unknown foreign access point with PDDG: 6T, WOLFPOINT, SERENADE, INCENSOR, SIGAD US-990 -- Overseas transit switch collection of international communications from FAIRVIEW partner, US-984T FISA collection from FAIRVIEW corporate access point, S352: PRINTAURA — NSA unit involved in data filtering; program office for TRAFFICTHIEF tool, Mission Support Hub, Large Area Access Working Group, S353 -- SIGAD US-984 Collection Programs, SIGAD US-984 BLARNEY (digital network intelligence / dial number recognition collection from FISA court order approved targets, like spies, agents of foreign powers / traffickers using data flowing through US circuits and nodes. Producer digraph for BLARNEY is AX, SIGAD US-984X -- FISA Amendments Act collection w/ various programs (including PRISM) on CT, CI, CP and CE targets. Selector must be certified and foreign., SIGAD US-984XN -- PRISM -- FAA collection from datasets provided to NSA directly from companies, SIGAD US-984A-H STORMBREW corporate partner access point collection /FAA, US-984X,XR FAA collection from FAIRVIEW corporate access points, SIGAD US-984XP1-P8, PA -- SIGADS within the PRISM program (specific content providers), STORMBREW, ARTIFICE, S3520 -- Office of Target Reconnaissance and Survey

S353 -- Portfolio Management Office, AIRSTEED Program Office — Cell phone tracking, Tactical Platforms Division, Crosshair Net Management Center/Crosshair Support Center — Directing finding, Radio Frequency Targeted Operations Office, RFTO Special Projects Office

S34: Collection Strategies and Requirements Center, S342: Collection Coordination and Strategies -- resource allocation and metrics, S343: Targeting and Mission Management — Approves targets for analysts/makes sure that SIGINT targeting matches intelligence requirements, S344: Partnership and Enterprise Management

SV -- Signals Intelligence Directorate Oversight and Compliance

SV4 FISA Compliance and Processing

SSG -- SIGDEV Strategy and Governance


SSO Optimization staff

NSA Acquisitions and Procurement Directorate

Program Executive Office — Oversees acquisition of major NSA backbone projects like TRAILBLAZER, CMM, REBA, JOURNEYMAN, and ICEBERG

Advanced Analytical Laboratory

Corporate Assessments Offices

Rebuilding Analysis Program Office

Knowledge System Prototype Program Office

Maryland Procurement Office

Acquisitions Program Manager for Signals Intelligence

Acquisitions Program Manager for Research

Acquisition Logistics Integrated Product Team

Directorate for Education and Training

Research Directorate

R1: Math

R2: Trusted Systems

R3: LPS — Physical science lab

R4: LTS — Telecom science lab ( high-speed networks, wireless communications, and quantum key distribution)

R05: Center for the Advanced Study of Language

R6: Computer and Information Science

RX: Special Access Programs/Compartmented Research

Cross-functional units // co-located with SID S2 Production Lines

Integrated Broadcast Support Services Office — Provides SIGINT "RSS" feeds to customers

DEFSMAC: Defense Special Missile and Aerospace Center

Unified Cryptologic Architecture Office


Systems Engineering/Architecture Analyses and Issues



Planning and Financial Management

Plans and Exercise Office

NSA Continuity Programs Office

Military Exercise Office

Continuity Engineering Office

J2 Cryptologic Intelligence Unit (collects intelligence on worldwide cryptologic efforts).

Office of the Director, NSA (DIRNSA)

D01: Director’s Operation Group (DOG)

D05: Director’s Secretariat

D07: Office of Protocol

D08: Homeland Security Support Office (HSSO)

D1: Office of the Inspector General (OIG)

D2: Office of the General Counsel (OGC)

D5: Corporate Assessments Office

D5T: Technology Test and Evaluation

D6: Office of Equal Employment Oppertunity

Logo of the Central Security Service (CSS)

D7: Central Security Service (CSS)

D709: CSS Staff and Resources

D7D: Cryptologic Doctrine Office

D7P: Office of Military Personnel

D7R: Director's Reserve Forces Advisor

DC: Director’s Chief of Staff

DC0: Support

DC3: Policy

DC31: Corporate Policy

DC32: Information Policy

DC321: Freedom of Information Act and Privacy Act (FOIA/PA)

DC322: Information Security and Records Management

DC3221: Information Security Policy

DC3223: Records Management Policy

DC323: Automated Declassification Services

DC33: Technology Security, Export, and Encryption Policy

DC4: Corporate Strategic Planning and Performance

DC6: External Relations & Communications

DC8: Corporate Management Services

Unified Cryptologic Architecture Office

Create your own awesome maps

Even on the go

with our free apps for iPhone, iPad and Android

Get Started

Already have an account?
Sign In