National Security Agency / The Unofficial Org Chart. (C) 2014 Marc Ambinder, Inc.

Get Started. It's Free
or sign up with your email address
Rocket clouds
National Security Agency / The Unofficial Org Chart. (C) 2014 Marc Ambinder, Inc. by Mind Map: National Security Agency / The Unofficial Org Chart. (C) 2014 Marc Ambinder, Inc.

1. Cross-functional units // co-located with SID S2 Production Lines

1.1. Integrated Broadcast Support Services Office — Provides SIGINT "RSS" feeds to customers

1.2. DEFSMAC: Defense Special Missile and Aerospace Center

1.3. Unified Cryptologic Architecture Office

1.3.1. Integration

1.3.2. Systems Engineering/Architecture Analyses and Issues

1.3.3. Architecture

1.3.4. Process

1.3.5. Planning and Financial Management

1.4. Plans and Exercise Office

1.4.1. NSA Continuity Programs Office

1.4.2. Military Exercise Office

1.4.3. Continuity Engineering Office

1.5. J2 Cryptologic Intelligence Unit (collects intelligence on worldwide cryptologic efforts).

2. F6: Special Collection Service HQ (Beltsville, MD) —STATEROOM-- Joint CIA/NSA field collection agency operating from embassies and other denied locations. Director reports to DIRNSA


3.1. SI or COMINT -- top-level SCI compartment; denotes sensitive SiGINT, DNI and cyber sources and methods

3.1.1. ECI -- COMINT subcompartment. with further subcompartments, which protect NSA relationships with other government agencies and private companies as well as specific sources, cryptalanaric breakthroughs and capabilities ECI-FGT --> SCS Product ECI-AMB Ambulate ECI-PIQ Picaresque ECI compartments include PIEDMONT, PENDLETON, PITCHFORK, PAWLEYS, AUNTIE, PAINTEDEAGLE

3.2. VRK -- exceptionally sensitive sources of national and strategic importance

3.3. RAGTIME -- protects "product " gathered from FISA intercepts

3.4. RAMPART --codeword for foreign leader SIGINT - RAM-A, RAM-X, RAM-T, RAM-M


3.6. TSP -

4. Directorate for Education and Training

5. Directorate for Corporate Leadership

6. Foreign Affairs Directorate — Liaison with foreign intelligence services, counter-intelligence centers, UK/USA and FIVE EYES exchanges

6.1. Office of Export Control Policy

6.2. SUSLOs

6.3. UKUSA governing council

7. NSA Acquisitions and Procurement Directorate

7.1. Program Executive Office — Oversees acquisition of major NSA backbone projects like TRAILBLAZER, CMM, REBA, JOURNEYMAN, and ICEBERG

7.2. Advanced Analytical Laboratory

7.3. Corporate Assessments Offices

7.4. Rebuilding Analysis Program Office

7.5. Knowledge System Prototype Program Office

7.6. Maryland Procurement Office

7.6.1. Acquisitions Program Manager for Signals Intelligence

7.6.2. Acquisitions Program Manager for Research

7.7. Acquisition Logistics Integrated Product Team

8. Top Priority SIGINT Missions

8.1. Support to USSS / presidential protection and national programs, including, under special authorities, NSSEs

8.2. Warning / imminent military and strategic threats from China, Russia,

8.3. Counter-foreign intelligence and counter-intelligence

8.4. CT/CN/CP/CE

8.5. Collection on military plans and strategies of China, Russia, Iran, North Korea, Israel

8.6. Ballistic missile defense

8.7. Domestic electronic CT wall

8.8. Political intelligence

8.9. Iranian, North Korean, Israeli, Pakistani proliferation and defensive CI activities

9. T: Technical Directorate

9.1. TE: Enterprise Systems Engineering and Architecture

9.2. TS: Information Systems and Security

9.2.1. Public Key Infrastructure (PKI) Program Management Office (PMO)

9.3. TT: Independent Test and Evaluation

9.4. T1: Mission Capabilities

9.4.1. T132 — The "scissors" team: division that physically separates traffic by type once it's been ingested

9.4.2. Strategic SATCOM Security Engineering Office

9.4.3. T1221

9.5. T2: Business Capabilities

9.6. T3: Enterprise IT Services

9.6.1. T3221: Transport Field Services

9.6.2. T334: National Signals Processing Center

9.6.3. T335: Deployable Communications Operations

9.6.4. T332 Global Enterprise Command Center

9.7. T5: CARILLION — High performance computing center

9.8. T6: Technical SIGINT and Ground Capabilities

9.9. OTRS -- Office of Target Reconnaissance and Survey -- provides rapid technological solutions for tactical SIGINT problems

10. Information Assurance Directorate

10.1. IC: Cyber Integration Division

10.2. IE: Engagement Division

10.2.1. Client Engagement and Community Outreach Group

10.2.2. Interagency Operations Security Support Staff (OPSEC)

10.3. I2: Trusted Engineering Solutions

10.3.1. I2N: Office of National and Nuclear Command Capabilities — Provides the launch codes for nuclear weapons Electronic Key Support Central Management Facility — Provides over-the-air code keying for the entire national security establishment

10.3.2. Information Technology Infrastructure Services (ITIS) System Office

10.4. I3: Information Operations

10.4.1. Mission Integration Office

10.4.2. Technical Security Evaluations

10.4.3. Red Cell — Conducts surprise penetrations of U.S. government networks

10.4.4. Blue Cell — Conducts audits of U.S. government networks

10.4.5. HUNT: Advanced adversary network penetration cell — Monitors NSA networks 24/7 to detect advanced cyber penetrations

10.4.6. Joint Communications Security Monitoring Agency

10.5. I4: Fusion, Analysis, Mitigation

11. Requirements and Tasking

11.1. NIPF

11.2. IIR

11.3. Colesium

11.4. Validation

11.4.1. DNI Mission Managers

11.4.2. SOO / SigDev

11.4.3. NSRTasking

11.4.4. Deconfliction

11.4.5. Successor to Echelon

11.4.6. S34

12. Research Directorate

12.1. R1: Math

12.2. R2: Trusted Systems

12.3. R3: LPS — Physical science lab

12.4. R4: LTS — Telecom science lab ( high-speed networks, wireless communications, and quantum key distribution)

12.5. R05: Center for the Advanced Study of Language

12.6. R6: Computer and Information Science

12.7. RX: Special Access Programs/Compartmented Research

13. Collection types

13.1. Midpoint collection

13.2. CNE enabled implants

13.3. Endpoint collection

13.4. Corporate access point collection

13.5. Overhead collection

13.6. foreign satellite collection

13.7. Clandestine signal collection

13.8. Undersea collection

13.9. Airborne collection

13.10. Close access point collection

14. Large domestic operating field sites

14.1. Columbia, MD

14.2. Friendship Annex, Linthicum, MD

14.3. Finksberg, MD

14.4. Bowie, MD

14.5. College Park, MD

14.6. Ft. Belvoir, VA

14.7. Fairfax, VA

14.8. Washington, DC

14.9. Ft. Detrick (Site R)

14.10. Camp Williams, UT

14.11. NSA Georgia (Ft. Gordon)

14.12. NSA Texas (Lackland AFB, San Antonio)

14.13. Greenville, TX

14.14. NSA Denver (Aurora), co-located with CIA's National Resources Division

14.15. NSA Oak Ridge (Tennessee)

14.16. Yakima, WA JACKNIFE

14.17. Winter Harbor, ME

14.18. Formerly: Sugar Grove, WV, Rosman, NC TIMBERLINE

14.19. NSA Continuity of Government site

14.20. NSA CMOC -- Cheyenne Mounfain

14.21. NSA Field Stations — Remote collection and analytical facilities

14.21.1. F74: Meade Operations Center — 24/7 SIGINT support to deployed military units

14.21.2. SORC/FP: Special Operations Readiness Cells (Focal Point) — Support to special operations forces as part of the Focal Point Special Access Program

14.22. NSA Kunia

15. Signals Intelligence Directorate

15.1. S1: Enterprise Engagement and Mission Management

15.1.1. A&R Watch (K Watch Ops) 199

15.1.2. S11: Customer Gateway

15.1.3. S12: Information Sharing and Services Branch Partnership Dissemination Cell

15.1.4. S124: Staff Services Division

15.1.5. NSA Commercial Solutions Center

15.1.6. S17 Strategic Intelligence Issues

15.1.7. S1E -- Electromagnetic Space Program Office

15.1.8. S1P Plans and Exercise Division S1P1 -- SOCOM/NORTHCOM SIGINT planning S1P2 - Combatant Commands SIGINT planning

15.2. S2: Analysis and Production Centers

15.2.1. FISA Special Adjudication Office — Provides 24/7 support to each product line shift to facilitate rapid FISA processing

15.2.2. NSA Product Lines S2A: South Asia S25A51 -- South Asian Language Analysis Branch S25A52 -- South Asian Reporting Branch S25A4 -- Pakistan S2B: China and Korea S2I: Counterterrorism Production Center S2IX: Special Counterterrorism Operations // CT Special Projects S2I42 -- Hezbollah Team S2I5 Advanced Analysis Division (FISA analysis) program manager, deputy program manager, 5 shift supervisors, 125 analysts S2I43 -- NOM Team Counterterrorism Mission Aligned Cell (CT-MAC) -- sensitive counter-terrorism support to CIA S2I4 Homeland Mission Center Metadata Analysis Center S2C: International Security S2C42 -- Western Europe and Strategic Partnership Division S2C41 Mexico Team S2C32 European States Branch S2D: Counter-foreign intelligence S2E: Middle East/Asia S2F: International Crime S2G: Counterproliferation S2H: Russia S2T: Current Threats S2T3: NSA/CSS Threat Operations Center S2J: Weapons and Space S203: Access Team for Operations Staff

15.2.3. K -- National Security Operations Center National Security Operations Center — Main NSA intelligence watch facility DECKPIN — NSA crisis cell activated during emergencies Homeland Security Analysis Center CMM — Cryptologic Management Mission program office

15.3. S3: Data Acquisition

15.3.1. S31: Cryptologic Exploitation Services Signals and Surveys Analysis Division Technical Exploitation Center Project BULLRUN S3132: Protocol, Exploitation, and Dissemination Cell — Shunts SIGINT by type to databases S31174 Office of Target Pursuit

15.3.2. S32: Tailored Access Operations Network Warfare Team — Liaison with military S321: Remote Operations Center Network Ops Center Operational Readiness Interactive Operations Division POLARBREEZE S322 Advanced Network Technologies S3222: (software implants) S32221: ? S32222: (routers, servers, etc.) S3223: (hardware implants) S3224: ? S32241: ? S32242: (GSM cell) S32243: (radar retro-refl.) S323: Data Network Technologies (researches how to penetrate secure networks) Production Operations Division S324: Telecommunications Network Technologies — Develops technologies to penetrate telecom networks S325: Mission Infrastructure Technologies — Operational computer network exploitation and enemy infrastructure vulnerability mapping Transaction Branch S327: Targeting and Requirements S328: Access Technologies Operations (computer network attack) — Works with CIA's TMO S32P. TAO Program Planning Integration Access Operations Division — Works with CIA's Technology Management Office / information Operations Division to break into foreign / CI networks TURMOIL -- NSA cover term for installation/maintenance and operation of filters, servers and splitters on servers of corporate partners w/ their permission for SIGINT and CNE operations. Each diversion device is called a QUANTUM GENIE SIGADs - 3136 (domestic) / 3137 (foreign) SSO Close Access Domestic Collection Systems on foreign targets SIGAD US-3136

15.3.3. S33: Link Access // Global Access Operations S332: Terrestrial SIGINT OCELOT (FORNSAT) S333: Overhead SIGINT Overhead Collection Management Center SSPO S33P ISR Portfolio Management Office S33P2 Technology Integration Division S33P3 Tactical SIGINT Technology Office Community ELINT Management Office VOXGLO -- major cyber and enterprising computing project OCEANSURF Program Office — $450m systems engineering hub

15.3.4. S35 Special Source Operations Cable programs LITHIUM MADCAPOCELOT - STORMBREW collection program using SIGAD 3140 DARKTHUNDER WINDSTOP OAKSTAR -- filtered high-volume collection off international cable transit nodes and foreign access points under FAA/Transit authority and EO12333. Divided by SIGAD and production source. SERENADE INCENSOR SIGAD US-990 -- Overseas transit switch collection of international communications from FAIRVIEW partner US-984T FISA collection from FAIRVIEW corporate access point S352: PRINTAURA — NSA unit involved in data filtering; program office for TRAFFICTHIEF tool Mission Support Hub Large Area Access Working Group S353 -- SIGAD US-984 Collection Programs SIGAD US-984 BLARNEY (digital network intelligence / dial number recognition collection from FISA court order approved targets, like spies, agents of foreign powers / traffickers using data flowing through US circuits and nodes. Producer digraph for BLARNEY is AX SIGAD US-984X -- FISA Amendments Act collection w/ various programs (including PRISM) on CT, CI, CP and CE targets. Selector must be certified and foreign. STORMBREW S3520 -- Office of Target Reconnaissance and Survey

15.3.5. S353 -- Portfolio Management Office AIRSTEED Program Office — Cell phone tracking Tactical Platforms Division Crosshair Net Management Center/Crosshair Support Center — Directing finding Radio Frequency Targeted Operations Office RFTO Special Projects Office

15.3.6. S34: Collection Strategies and Requirements Center S342: Collection Coordination and Strategies -- resource allocation and metrics S343: Targeting and Mission Management — Approves targets for analysts/makes sure that SIGINT targeting matches intelligence requirements S344: Partnership and Enterprise Management

15.4. SV -- Signals Intelligence Directorate Oversight and Compliance

15.4.1. SV4 FISA Compliance and Processing

15.5. SSG -- SIGDEV Strategy and Governance

15.5.1. SSG 1

15.5.2. SSO Optimization staff


16.1. Open Source


16.3. Mobile collection platforms (EP-3s, U-2s, etc

16.4. F6/Special Collection Service emplaced sensors, CANEX

16.5. F6/Special Collection Service embassy-based listening posts // BIRDCATCHER /EINSTEIN /CASTANET

16.6. RF Collection Sites

16.7. Collection relay mechanisms

16.7.1. SIGINT satellites and relays

16.7.2. SCS base stations

16.7.3. Encrypted packets on the regular internet

16.7.4. Hard cables / fiber optics

16.7.5. DTS covert

16.7.6. SRP platforms

16.7.7. Cables provided by ISPs


16.9. ,

16.10. Upstream collection (ingests at fiber hubs -- FAIRVIEW, etc)

16.11. Undersea cable taps (20 worldwide)

16.12. Cable hub splitters

16.13. Direct corporate partner network access points

16.14. Foreign country partner interfaces (FIVE EYES, etc)

16.15. Clandestine foreign telecom hub collection

16.16. FORNSAT intercepts (Stellar, Sounder, Snick, Moonpeny, Carboy, Timberline, Indira, Jacknife, Ironsand, Ladylove) See: for details

16.17. Ground SIGINT/FISINT collection sites

16.18. NSA, CIA and FBI implants

16.18.1. New info

16.19. LOPERS -- Public Branch Telephone System collection

16.20. Navy Underwater Reconnaissance Office

16.21. Midpoint collection -- surreptitious collection from nodes place in the middle of data links

17. Office of the Director, NSA (DIRNSA)

17.1. D01: Director’s Operation Group (DOG)

17.2. D05: Director’s Secretariat

17.3. D07: Office of Protocol

17.4. D08: Homeland Security Support Office (HSSO)

17.5. D1: Office of the Inspector General (OIG)

17.6. D2: Office of the General Counsel (OGC)

17.7. D5: Corporate Assessments Office

17.8. D5T: Technology Test and Evaluation

17.9. D6: Office of Equal Employment Oppertunity

17.10. Logo of the Central Security Service (CSS)

17.11. D7: Central Security Service (CSS)

17.12. D709: CSS Staff and Resources

17.13. D7D: Cryptologic Doctrine Office

17.14. D7P: Office of Military Personnel

17.15. D7R: Director's Reserve Forces Advisor

17.16. DC: Director’s Chief of Staff

17.17. DC0: Support

17.18. DC3: Policy

17.19. DC31: Corporate Policy

17.20. DC32: Information Policy

17.21. DC321: Freedom of Information Act and Privacy Act (FOIA/PA)

17.22. DC322: Information Security and Records Management

17.23. DC3221: Information Security Policy

17.24. DC3223: Records Management Policy

17.25. DC323: Automated Declassification Services

17.26. DC33: Technology Security, Export, and Encryption Policy

17.27. DC4: Corporate Strategic Planning and Performance

17.28. DC6: External Relations & Communications

17.29. DC8: Corporate Management Services

17.30. Unified Cryptologic Architecture Office

18. Other major NSA tools and databases


18.2. CREEK





18.7. Broom Stick

18.8. JUGGERNAUT -- mobile/data communications collection

18.9. DRTBOX -- possible system for obtaining information from cell phones

18.10. Boundless Informant -- collection volume, type, location and platform visualization too


18.12. TRACfin -- financial information database

19. NSA Nitty Gritty -- databases, tasking systems and analytical interfaces


19.1.1. AQUADOR — Merchant ship tracking tool

19.1.2. ASSOCIATION Selector correlation and analysis tool

19.1.3. BANYAN — NSA tactical geospatial correlation database

19.1.4. WealthyCluster -- data mining tool for CT

19.1.5. TUSKATTIRE - data processing system

19.1.6. ShellTrumpet -- metadata processing

19.1.7. MESSIAH/WHAMI — ELINT processing and analytical database

19.1.8. TAPERLAY -- Global database of telephone numbers/selectors by type (GSM,etc)

19.1.9. OCTSKYWARD - GSM tool

19.1.10. TWINSERPENT -- phone book tool

19.1.11. WRTBOX -- collection from PSTN overseas

19.1.12. Tools Unified Targeting Tool CHALKFUN -- metadata location record database SPYDER -- SMS/metadata query tool XKEYSCORE global SIGINT analysis system AIRGAP — Priority missions tool used to determine SIGINT gaps TRAFFICTHIEF — Raw SIGINT viewer and sorter for data analysis TRANSx Bpundless Informant

19.1.13. DISHFIRE -- SMS collection and analysis from digital network information and records ingested by the MUL:KBONE database


19.2.1. CASPORT -- main NSA corporate / access identification tool used to control product dissemination

19.2.2. OCTAVE/CONTRAOCTIVE — Collection mission tasking tool -- where "selectors" live PEPPERBOX -- database of targeting requests

19.2.3. HOMEBASE — A tactical tasking tool for digital network identification

19.2.4. SURREY DNI / SIGINT tasking database

19.2.5. DISHFIRE -- Associational and relational database for political and strategic intelligence by key selectors

19.2.6. AGILITY -- database of foreign intelligence selectors (non CT)

19.2.7. CHIPPEWA -- system to exchange SIGINT tasking / data with allies

19.3. DNI/DNR and network penetration tools and system

19.3.1. CNO TOOLS SHARKFINN BROKENTIGO EMBRACEFLINT LONGHAUL EGOTISTICAL GOAT / EGOTISTICAL GIRAFFE ATLAS -- DNI geolocation and network information tool DANAUS -- DNS discovery tool / reverse DNS BLACKPEARL -- survey information tool ERRONEOUS INGENUITY TIDALSURGE -- DNI router configuration discovery ATHENA -- port discovery probe tool SNORT — Repository of computer network attack techniques/coding TREASUREMAP -- Global Internet Mapping/Analysis tool PACKAGED GOODS -- global internet exploitation tool / traces routes of information EVILOLIVE -- IP Geolocation HYPERION -- IP to IP communication survey tool WIRESHARK — Repository of malicious network signatures TRITON -- TOR node search tool ISLANDTRANSPORT -- Enterprise Message Service processor

19.3.2. FOXACID

19.3.3. TOYGRIPPE -- VPN collection FRIARTUCK MASTERSHAKE -- VSAT Terminal emulator

19.3.4. TURBULENCE -- global "advanced forward defense" internet architecture built for NSA; employs the QUANTUM THEORY system, global distributed passive sensors to detect target traffic and tip a centralized command/control node (QFIRE). TURMOIL --High-speed passive collection systems intercept foreign target satellite, microwave, and cable communications as thev transit the globe TURBINE -- active SIGINT collection off of TURBULENCE architecture TUELAGE -- active CND off the TURBULENCE architecture TUMULT -- Stage 0 server for TURBULENCE architecture



20.2. FISA Special Adjudication Office

20.3. S2I5 Compliance Staff

20.4. S343 Prioritizing and Approval of Targets

20.5. SV SIGINT Governance and Compliance Division

20.6. FBI

20.7. OGC

21. Sources: author’s reporting and research;; Matthew Aid, Edward Snowden documents; Top Level Telecommunications website;, reporting in the Guardian, New York Times, Washington Post

22. M: Human Resources — Q: Security and Counterintelligence

22.1. Q2: Office of Military Personnel

22.2. Q3: Office of Civilian Personnel

22.3. QJ1: HR operations/global personnel SA

22.4. Q43: Information Policy Division

22.5. Q5: Office of Security

22.6. Q509: Security Policy Staff

22.7. Q51: Physical Security Division

22.8. Q52: Field Security Division

22.9. Q55: NSA CCAO

22.10. Q56: Security Awareness

22.11. Q57: Polygraph

22.12. Q7: Counterintelligence

22.13. Q123

23. SURPUUSHANGAR -- covert mechanism to ingest unclassified traffic into high side servers

24. Special FISA adjudication

25. S3221: (persistence software)

26. SATC


27.1. V1 Staff Services

27.2. V2 Analysis

27.3. V3 Operations

27.3.1. V34 -- Next Generation Wireless (NGW)

28. FROM THERE to Ft. Meade -- How data moves at NSA

28.1. NUCLEON — Global content database

28.1.1. CONVEYENCE DNI content database

28.2. WRANGLER — Electronic Intelligence intercept raw database

28.3. ONEROOF — Main tactical SIGINT database (Afghanistan), consisting of raw and unfiltered intercepts, associated with Coastline tool

28.4. PROTON — Large SIGINT database for time-sensitive targets/counterintelligence. Associated with Criss-Cross tool.

28.5. MARINA / MAINWAY Internet metadata collection database / SIGINT metadata collection database

28.5.1. PINWALE — SIGINT content database


28.7. FASCIA -- major metadata ingest processor that sends to Ft. Meade stuff that NSA collects out there

28.8. FASTBALL -- automated DNI analytical processing system

28.9. FALLOUT -- major content ingest processor that sends to Ft. Meade in raw, unstructured form for later processing. Generally for unstructured data.


28.11. Reporting tools

28.11.1. CPE

28.11.2. Voice master

28.11.3. Center mass

28.11.4. Gist Queue

28.11.5. YELLOWSTONE -- assigns metrics for allocation and distributing ingested SIGINT product.

28.11.6. TAC

28.11.7. AHMS

28.11.8. SKYWRITER