National Security Agency / The Unofficial Org Chart. (C) 2014 Marc Ambinder, Inc.

Get Started. It's Free
or sign up with your email address
National Security Agency / The Unofficial Org Chart. (C) 2014 Marc Ambinder, Inc. by Mind Map: National Security Agency / The Unofficial Org Chart. (C) 2014 Marc Ambinder, Inc.

1. SURPUUSHANGAR -- covert mechanism to ingest unclassified traffic into high side servers

2. Special FISA adjudication

3. S3221: (persistence software)



5.1. V1 Staff Services

5.2. V2 Analysis

5.3. V3 Operations

5.3.1. V34 -- Next Generation Wireless (NGW)

6. FROM THERE to Ft. Meade -- How data moves at NSA

6.1. NUCLEON — Global content database

6.1.1. CONVEYENCE DNI content database

6.2. WRANGLER — Electronic Intelligence intercept raw database

6.3. ONEROOF — Main tactical SIGINT database (Afghanistan), consisting of raw and unfiltered intercepts, associated with Coastline tool

6.4. PROTON — Large SIGINT database for time-sensitive targets/counterintelligence. Associated with Criss-Cross tool.

6.5. MARINA / MAINWAY Internet metadata collection database / SIGINT metadata collection database

6.5.1. PINWALE — SIGINT content database


6.7. FASCIA -- major metadata ingest processor that sends to Ft. Meade stuff that NSA collects out there

6.8. FASTBALL -- automated DNI analytical processing system

6.9. FALLOUT -- major content ingest processor that sends to Ft. Meade in raw, unstructured form for later processing. Generally for unstructured data.


6.11. Reporting tools

6.11.1. CPE

6.11.2. Voice master

6.11.3. Center mass

6.11.4. Gist Queue

6.11.5. YELLOWSTONE -- assigns metrics for allocation and distributing ingested SIGINT product.

6.11.6. TAC

6.11.7. AHMS




7. Top Priority SIGINT Missions

7.1. Support to USSS / presidential protection and national programs, including, under special authorities, NSSEs

7.2. Warning / imminent military and strategic threats from China, Russia,

7.3. Counter-foreign intelligence and counter-intelligence

7.4. CT/CN/CP/CE

7.5. Collection on military plans and strategies of China, Russia, Iran, North Korea, Israel

7.6. Ballistic missile defense

7.7. Domestic electronic CT wall

7.8. Political intelligence

7.9. Iranian, North Korean, Israeli, Pakistani proliferation and defensive CI activities

8. Requirements and Tasking

8.1. NIPF

8.2. IIR

8.3. Colesium

8.4. Validation

8.4.1. DNI Mission Managers

8.4.2. SOO / SigDev

8.4.3. NSRTasking

8.4.4. Deconfliction

8.4.5. Successor to Echelon

8.4.6. S34

9. Collection types

9.1. Midpoint collection

9.2. CNE enabled implants

9.3. Endpoint collection

9.4. Corporate access point collection

9.5. Overhead collection

9.6. foreign satellite collection

9.7. Clandestine signal collection

9.8. Undersea collection

9.9. Airborne collection

9.10. Close access point collection


10.1. Open Source


10.3. Mobile collection platforms (EP-3s, U-2s, etc

10.4. F6/Special Collection Service emplaced sensors, CANEX

10.5. F6/Special Collection Service embassy-based listening posts // BIRDCATCHER /EINSTEIN /CASTANET

10.6. RF Collection Sites

10.7. Collection relay mechanisms

10.7.1. SIGINT satellites and relays

10.7.2. SCS base stations

10.7.3. Encrypted packets on the regular internet

10.7.4. Hard cables / fiber optics

10.7.5. DTS covert

10.7.6. SRP platforms

10.7.7. Cables provided by ISPs


10.9. ,

10.10. Upstream collection (ingests at fiber hubs -- FAIRVIEW, etc)

10.11. Undersea cable taps (20 worldwide)

10.12. Cable hub splitters

10.13. Direct corporate partner network access points

10.14. Foreign country partner interfaces (FIVE EYES, etc)

10.15. Clandestine foreign telecom hub collection

10.16. FORNSAT intercepts (Stellar, Sounder, Snick, Moonpeny, Carboy, Timberline, Indira, Jacknife, Ironsand, Ladylove) See: for details

10.17. Ground SIGINT/FISINT collection sites

10.18. NSA, CIA and FBI implants

10.18.1. New info

10.19. LOPERS -- Public Branch Telephone System collection

10.20. Navy Underwater Reconnaissance Office

10.21. Midpoint collection -- surreptitious collection from nodes place in the middle of data links

11. Other major NSA tools and databases


11.2. CREEK





11.7. Broom Stick

11.8. JUGGERNAUT -- mobile/data communications collection

11.9. DRTBOX -- possible system for obtaining information from cell phones

11.10. Boundless Informant -- collection volume, type, location and platform visualization too


11.12. TRACfin -- financial information database

12. NSA Nitty Gritty -- databases, tasking systems and analytical interfaces


12.1.1. AQUADOR — Merchant ship tracking tool

12.1.2. ASSOCIATION Selector correlation and analysis tool

12.1.3. BANYAN — NSA tactical geospatial correlation database

12.1.4. WealthyCluster -- data mining tool for CT

12.1.5. TUSKATTIRE - data processing system

12.1.6. ShellTrumpet -- metadata processing

12.1.7. MESSIAH/WHAMI — ELINT processing and analytical database

12.1.8. TAPERLAY -- Global database of telephone numbers/selectors by type (GSM,etc)

12.1.9. OCTSKYWARD - GSM tool

12.1.10. TWINSERPENT -- phone book tool

12.1.11. WRTBOX -- collection from PSTN overseas

12.1.12. Tools Unified Targeting Tool CHALKFUN -- metadata location record database SPYDER -- SMS/metadata query tool XKEYSCORE global SIGINT analysis system AIRGAP — Priority missions tool used to determine SIGINT gaps TRAFFICTHIEF — Raw SIGINT viewer and sorter for data analysis TRANSx Bpundless Informant

12.1.13. DISHFIRE -- SMS collection and analysis from digital network information and records ingested by the MUL:KBONE database


12.2.1. CASPORT -- main NSA corporate / access identification tool used to control product dissemination

12.2.2. OCTAVE/CONTRAOCTIVE — Collection mission tasking tool -- where "selectors" live PEPPERBOX -- database of targeting requests

12.2.3. HOMEBASE — A tactical tasking tool for digital network identification

12.2.4. SURREY DNI / SIGINT tasking database

12.2.5. DISHFIRE -- Associational and relational database for political and strategic intelligence by key selectors

12.2.6. AGILITY -- database of foreign intelligence selectors (non CT)

12.2.7. CHIPPEWA -- system to exchange SIGINT tasking / data with allies

12.3. DNI/DNR and network penetration tools and system

12.3.1. CNO TOOLS SHARKFINN BROKENTIGO EMBRACEFLINT LONGHAUL EGOTISTICAL GOAT / EGOTISTICAL GIRAFFE ATLAS -- DNI geolocation and network information tool DANAUS -- DNS discovery tool / reverse DNS BLACKPEARL -- survey information tool ERRONEOUS INGENUITY TIDALSURGE -- DNI router configuration discovery ATHENA -- port discovery probe tool SNORT — Repository of computer network attack techniques/coding TREASUREMAP -- Global Internet Mapping/Analysis tool PACKAGED GOODS -- global internet exploitation tool / traces routes of information EVILOLIVE -- IP Geolocation HYPERION -- IP to IP communication survey tool WIRESHARK — Repository of malicious network signatures TRITON -- TOR node search tool ISLANDTRANSPORT -- Enterprise Message Service processor

12.3.2. FOXACID

12.3.3. TOYGRIPPE -- VPN collection FRIARTUCK MASTERSHAKE -- VSAT Terminal emulator

12.3.4. TURBULENCE -- global "advanced forward defense" internet architecture built for NSA; employs the QUANTUM THEORY system, global distributed passive sensors to detect target traffic and tip a centralized command/control node (QFIRE). TURMOIL --High-speed passive collection systems intercept foreign target satellite, microwave, and cable communications as thev transit the globe TURBINE -- active SIGINT collection off of TURBULENCE architecture TUELAGE -- active CND off the TURBULENCE architecture TUMULT -- Stage 0 server for TURBULENCE architecture



13.2. FISA Special Adjudication Office

13.3. S2I5 Compliance Staff

13.4. S343 Prioritizing and Approval of Targets

13.5. SV SIGINT Governance and Compliance Division

13.6. FBI

13.7. OGC

14. Sources: author’s reporting and research;; Matthew Aid, Edward Snowden documents; Top Level Telecommunications website;, reporting in the Guardian, New York Times, Washington Post

15. M: Human Resources — Q: Security and Counterintelligence

15.1. Q2: Office of Military Personnel

15.2. Q3: Office of Civilian Personnel

15.3. QJ1: HR operations/global personnel SA

15.4. Q43: Information Policy Division

15.5. Q5: Office of Security

15.6. Q509: Security Policy Staff

15.7. Q51: Physical Security Division

15.8. Q52: Field Security Division

15.9. Q55: NSA CCAO

15.10. Q56: Security Awareness

15.11. Q57: Polygraph

15.12. Q7: Counterintelligence

15.13. Q123

16. Cross-functional units // co-located with SID S2 Production Lines

16.1. Integrated Broadcast Support Services Office — Provides SIGINT "RSS" feeds to customers

16.2. DEFSMAC: Defense Special Missile and Aerospace Center

16.3. Unified Cryptologic Architecture Office

16.3.1. Integration

16.3.2. Systems Engineering/Architecture Analyses and Issues

16.3.3. Architecture

16.3.4. Process

16.3.5. Planning and Financial Management

16.4. Plans and Exercise Office

16.4.1. NSA Continuity Programs Office

16.4.2. Military Exercise Office

16.4.3. Continuity Engineering Office

16.5. J2 Cryptologic Intelligence Unit (collects intelligence on worldwide cryptologic efforts).

17. Directorate for Education and Training

18. Directorate for Corporate Leadership

19. Foreign Affairs Directorate — Liaison with foreign intelligence services, counter-intelligence centers, UK/USA and FIVE EYES exchanges

19.1. Office of Export Control Policy

19.2. SUSLOs

19.3. UKUSA governing council

20. NSA Acquisitions and Procurement Directorate

20.1. Program Executive Office — Oversees acquisition of major NSA backbone projects like TRAILBLAZER, CMM, REBA, JOURNEYMAN, and ICEBERG

20.2. Advanced Analytical Laboratory

20.3. Corporate Assessments Offices

20.4. Rebuilding Analysis Program Office

20.5. Knowledge System Prototype Program Office

20.6. Maryland Procurement Office

20.6.1. Acquisitions Program Manager for Signals Intelligence

20.6.2. Acquisitions Program Manager for Research

20.7. Acquisition Logistics Integrated Product Team

21. Information Assurance Directorate

21.1. IC: Cyber Integration Division

21.2. IE: Engagement Division

21.2.1. Client Engagement and Community Outreach Group

21.2.2. Interagency Operations Security Support Staff (OPSEC)

21.3. I2: Trusted Engineering Solutions

21.3.1. I2N: Office of National and Nuclear Command Capabilities — Provides the launch codes for nuclear weapons Electronic Key Support Central Management Facility — Provides over-the-air code keying for the entire national security establishment

21.3.2. Information Technology Infrastructure Services (ITIS) System Office

21.4. I3: Information Operations

21.4.1. Mission Integration Office

21.4.2. Technical Security Evaluations

21.4.3. Red Cell — Conducts surprise penetrations of U.S. government networks

21.4.4. Blue Cell — Conducts audits of U.S. government networks

21.4.5. HUNT: Advanced adversary network penetration cell — Monitors NSA networks 24/7 to detect advanced cyber penetrations

21.4.6. Joint Communications Security Monitoring Agency

21.5. I4: Fusion, Analysis, Mitigation

22. Research Directorate

22.1. R1: Math

22.2. R2: Trusted Systems

22.3. R3: LPS — Physical science lab

22.4. R4: LTS — Telecom science lab ( high-speed networks, wireless communications, and quantum key distribution)

22.5. R05: Center for the Advanced Study of Language

22.6. R6: Computer and Information Science

22.7. RX: Special Access Programs/Compartmented Research

23. Signals Intelligence Directorate

23.1. S1: Enterprise Engagement and Mission Management

23.1.1. A&R Watch (K Watch Ops) 199

23.1.2. S11: Customer Gateway

23.1.3. S12: Information Sharing and Services Branch Partnership Dissemination Cell

23.1.4. S124: Staff Services Division

23.1.5. NSA Commercial Solutions Center

23.1.6. S17 Strategic Intelligence Issues

23.1.7. S1E -- Electromagnetic Space Program Office

23.1.8. S1P Plans and Exercise Division S1P1 -- SOCOM/NORTHCOM SIGINT planning S1P2 - Combatant Commands SIGINT planning

23.2. S2: Analysis and Production Centers

23.2.1. FISA Special Adjudication Office — Provides 24/7 support to each product line shift to facilitate rapid FISA processing

23.2.2. NSA Product Lines S2A: South Asia S25A51 -- South Asian Language Analysis Branch S25A52 -- South Asian Reporting Branch S25A4 -- Pakistan S2B: China and Korea S2I: Counterterrorism Production Center S2IX: Special Counterterrorism Operations // CT Special Projects S2I42 -- Hezbollah Team S2I5 Advanced Analysis Division (FISA analysis) program manager, deputy program manager, 5 shift supervisors, 125 analysts S2I43 -- NOM Team Counterterrorism Mission Aligned Cell (CT-MAC) -- sensitive counter-terrorism support to CIA S2I4 Homeland Mission Center Metadata Analysis Center S2C: International Security S2C42 -- Western Europe and Strategic Partnership Division S2C41 Mexico Team S2C32 European States Branch S2D: Counter-foreign intelligence S2E: Middle East/Asia S2F: International Crime S2G: Counterproliferation S2H: Russia S2T: Current Threats S2T3: NSA/CSS Threat Operations Center S2J: Weapons and Space S203: Access Team for Operations Staff

23.2.3. K -- National Security Operations Center National Security Operations Center — Main NSA intelligence watch facility DECKPIN — NSA crisis cell activated during emergencies Homeland Security Analysis Center CMM — Cryptologic Management Mission program office

23.3. S3: Data Acquisition

23.3.1. S31: Cryptologic Exploitation Services Signals and Surveys Analysis Division Technical Exploitation Center Project BULLRUN S3132: Protocol, Exploitation, and Dissemination Cell — Shunts SIGINT by type to databases S31174 Office of Target Pursuit

23.3.2. S32: Tailored Access Operations Network Warfare Team — Liaison with military S321: Remote Operations Center Network Ops Center Operational Readiness Interactive Operations Division POLARBREEZE S322 Advanced Network Technologies S3222: (software implants) S32221: ? S32222: (routers, servers, etc.) S3223: (hardware implants) S3224: ? S32241: ? S32242: (GSM cell) S32243: (radar retro-refl.) S323: Data Network Technologies (researches how to penetrate secure networks) Production Operations Division S324: Telecommunications Network Technologies — Develops technologies to penetrate telecom networks S325: Mission Infrastructure Technologies — Operational computer network exploitation and enemy infrastructure vulnerability mapping Transaction Branch S327: Targeting and Requirements S328: Access Technologies Operations (computer network attack) — Works with CIA's TMO S32P. TAO Program Planning Integration Access Operations Division — Works with CIA's Technology Management Office / information Operations Division to break into foreign / CI networks TURMOIL -- NSA cover term for installation/maintenance and operation of filters, servers and splitters on servers of corporate partners w/ their permission for SIGINT and CNE operations. Each diversion device is called a QUANTUM GENIE SIGADs - 3136 (domestic) / 3137 (foreign) SSO Close Access Domestic Collection Systems on foreign targets SIGAD US-3136

23.3.3. S33: Link Access // Global Access Operations S332: Terrestrial SIGINT OCELOT (FORNSAT) S333: Overhead SIGINT Overhead Collection Management Center SSPO S33P ISR Portfolio Management Office S33P2 Technology Integration Division S33P3 Tactical SIGINT Technology Office Community ELINT Management Office VOXGLO -- major cyber and enterprising computing project OCEANSURF Program Office — $450m systems engineering hub

23.3.4. S35 Special Source Operations Cable programs LITHIUM MADCAPOCELOT - STORMBREW collection program using SIGAD 3140 DARKTHUNDER WINDSTOP OAKSTAR -- filtered high-volume collection off international cable transit nodes and foreign access points under FAA/Transit authority and EO12333. Divided by SIGAD and production source. SERENADE INCENSOR SIGAD US-990 -- Overseas transit switch collection of international communications from FAIRVIEW partner US-984T FISA collection from FAIRVIEW corporate access point S352: PRINTAURA — NSA unit involved in data filtering; program office for TRAFFICTHIEF tool Mission Support Hub Large Area Access Working Group S353 -- SIGAD US-984 Collection Programs SIGAD US-984 BLARNEY (digital network intelligence / dial number recognition collection from FISA court order approved targets, like spies, agents of foreign powers / traffickers using data flowing through US circuits and nodes. Producer digraph for BLARNEY is AX SIGAD US-984X -- FISA Amendments Act collection w/ various programs (including PRISM) on CT, CI, CP and CE targets. Selector must be certified and foreign. STORMBREW S3520 -- Office of Target Reconnaissance and Survey

23.3.5. S353 -- Portfolio Management Office AIRSTEED Program Office — Cell phone tracking Tactical Platforms Division Crosshair Net Management Center/Crosshair Support Center — Directing finding Radio Frequency Targeted Operations Office RFTO Special Projects Office

23.3.6. S34: Collection Strategies and Requirements Center S342: Collection Coordination and Strategies -- resource allocation and metrics S343: Targeting and Mission Management — Approves targets for analysts/makes sure that SIGINT targeting matches intelligence requirements S344: Partnership and Enterprise Management

23.4. SV -- Signals Intelligence Directorate Oversight and Compliance

23.4.1. SV4 FISA Compliance and Processing

23.5. SSG -- SIGDEV Strategy and Governance

23.5.1. SSG 1

23.5.2. SSO Optimization staff

24. F6: Special Collection Service HQ (Beltsville, MD) —STATEROOM-- Joint CIA/NSA field collection agency operating from embassies and other denied locations. Director reports to DIRNSA


25.1. SI or COMINT -- top-level SCI compartment; denotes sensitive SiGINT, DNI and cyber sources and methods

25.1.1. ECI -- COMINT subcompartment. with further subcompartments, which protect NSA relationships with other government agencies and private companies as well as specific sources, cryptalanaric breakthroughs and capabilities ECI-FGT --> SCS Product ECI-AMB Ambulate ECI-PIQ Picaresque ECI compartments include PIEDMONT, PENDLETON, PITCHFORK, PAWLEYS, AUNTIE, PAINTEDEAGLE

25.2. VRK -- exceptionally sensitive sources of national and strategic importance

25.3. RAGTIME -- protects "product " gathered from FISA intercepts

25.4. RAMPART --codeword for foreign leader SIGINT - RAM-A, RAM-X, RAM-T, RAM-M


25.6. TSP -

26. T: Technical Directorate

26.1. TE: Enterprise Systems Engineering and Architecture

26.2. TS: Information Systems and Security

26.2.1. Public Key Infrastructure (PKI) Program Management Office (PMO)

26.3. TT: Independent Test and Evaluation

26.4. T1: Mission Capabilities

26.4.1. T132 — The "scissors" team: division that physically separates traffic by type once it's been ingested

26.4.2. Strategic SATCOM Security Engineering Office

26.4.3. T1221

26.5. T2: Business Capabilities

26.6. T3: Enterprise IT Services

26.6.1. T3221: Transport Field Services

26.6.2. T334: National Signals Processing Center

26.6.3. T335: Deployable Communications Operations

26.6.4. T332 Global Enterprise Command Center

26.7. T5: CARILLION — High performance computing center

26.8. T6: Technical SIGINT and Ground Capabilities

26.9. OTRS -- Office of Target Reconnaissance and Survey -- provides rapid technological solutions for tactical SIGINT problems

27. Large domestic operating field sites

27.1. Columbia, MD

27.2. Friendship Annex, Linthicum, MD

27.3. Finksberg, MD

27.4. Bowie, MD

27.5. College Park, MD

27.6. Ft. Belvoir, VA

27.7. Fairfax, VA

27.8. Washington, DC

27.9. Ft. Detrick (Site R)

27.10. Camp Williams, UT

27.11. NSA Georgia (Ft. Gordon)

27.12. NSA Texas (Lackland AFB, San Antonio)

27.13. Greenville, TX

27.14. NSA Denver (Aurora), co-located with CIA's National Resources Division

27.15. NSA Oak Ridge (Tennessee)

27.16. Yakima, WA JACKNIFE

27.17. Winter Harbor, ME

27.18. Formerly: Sugar Grove, WV, Rosman, NC TIMBERLINE

27.19. NSA Continuity of Government site

27.20. NSA CMOC -- Cheyenne Mounfain

27.21. NSA Field Stations — Remote collection and analytical facilities

27.21.1. F74: Meade Operations Center — 24/7 SIGINT support to deployed military units

27.21.2. SORC/FP: Special Operations Readiness Cells (Focal Point) — Support to special operations forces as part of the Focal Point Special Access Program

27.22. NSA Kunia

28. Office of the Director, NSA (DIRNSA)

28.1. D01: Director’s Operation Group (DOG)

28.2. D05: Director’s Secretariat

28.3. D07: Office of Protocol

28.4. D08: Homeland Security Support Office (HSSO)

28.5. D1: Office of the Inspector General (OIG)

28.6. D2: Office of the General Counsel (OGC)

28.7. D5: Corporate Assessments Office

28.8. D5T: Technology Test and Evaluation

28.9. D6: Office of Equal Employment Oppertunity

28.10. Logo of the Central Security Service (CSS)

28.11. D7: Central Security Service (CSS)

28.12. D709: CSS Staff and Resources

28.13. D7D: Cryptologic Doctrine Office

28.14. D7P: Office of Military Personnel

28.15. D7R: Director's Reserve Forces Advisor

28.16. DC: Director’s Chief of Staff

28.17. DC0: Support

28.18. DC3: Policy

28.19. DC31: Corporate Policy

28.20. DC32: Information Policy

28.21. DC321: Freedom of Information Act and Privacy Act (FOIA/PA)

28.22. DC322: Information Security and Records Management

28.23. DC3221: Information Security Policy

28.24. DC3223: Records Management Policy

28.25. DC323: Automated Declassification Services

28.26. DC33: Technology Security, Export, and Encryption Policy

28.27. DC4: Corporate Strategic Planning and Performance

28.28. DC6: External Relations & Communications

28.29. DC8: Corporate Management Services

28.30. Unified Cryptologic Architecture Office