January 17, 2014

Slides about NSA's Upstream collection

(Updated: August 16, 2015)

In July and September of last year, the Brazilian weekly television magazine Fantástico broadcasted news reports about NSA operations, while showing a series of slides from an unpublished NSA powerpoint presentation in the background.

The slides seem to be about NSA's corporate partners for the "collection of communications on fiber cables and infrastructure as data flows past" - which became known as "Upstream collection", a term mentioned in one of the PRISM-slides.

The corporate partnerships are one of three ways NSA is intercepting the world's main internet cables:
- Cooperation with telecommunication companies
- Cooperation with foreign intelligence agencies
- Unilateral cable tapping operations

On twitter, Glenn Greenwald once said that these slides would also be published and explained separately, but so far this hasn't happened - that's why it's done here.

Almost two years after these slides were shown on Brazilian television, the full NSA presentations to which some of them belong were finally published, as part of a report by The New York Times and Pro Publica from August 15, 2015.

> See: FAIRVIEW: Collecting foreign intelligence inside the US


The first series of slides was shown in a Fantástico report from September 8, 2013. These slides are posted here in the order in which they were seen in the report, which might be the order of the original NSA powerpoint presentation.

The slides show the logos of the National Security Agency (top left) and its Special Source Operations (SSO) division (top right). They are marked TOP SECRET // COMINT // NOFORN, which means they are classified Top Secret, in the compartment for Special (Signals) Intelligence and that it's not allowed to distribute them to foreigners, not even to the Five Eyes partners.

Probably one of the first slides of the presentation shows a map of "optical fibre submarine networks", which was prepared by the telecommunications company Alcatel Lucent in 2007. Based upon dates in some of the slides, this NSA presentation seems to be from late 2011 or early 2012.

The Corporate Portfolio of collection programs in which SSO is cooperating with corporate partners is listed in the following slide. It is assumed that FAIRVIEW, BLARNEY and STORMBREW are for collection within the US and the programs under the OAKSTAR umbrella are intercept facilities elsewhere in the world. Two programs seem to be conducted by SSO in cooperation with TAO, which is NSA's computer hacking division:

The next slide is about the Transit Authority, which is the most mysterious of the four legal authorities that govern NSA operations. Until now, it's not clear what the legal basis of the Transit Authority is. One option is a secret presidential directive signed by Bill Clinton or George W. Bush, another option is that this method was authorized by the FISA court.

Transit Authority applies when both ends of a communication are foreign, which is checked by filters at the front-end collection systems. When the TOPI (Target Office of Primary Interest, a unit that conducts the data analysis) discovers that accidently one end of the communication is in the US, the SSO Corp Team has to be informed, which reports to the Oversight and Compliance unit (NSA/SV):

The Transit Authority is illustrated in the next slide. With a close look one can see there's a star placed between Iran and Iraq, one in the US and one somewhere near French Guyana. There's an elliptical line connecting them, as an example of communications traffic from Iran to Guyana, which transits the United States:

Some "unique aspects" of the upstream collection are that it takes place under various legal authorizations:
- Executive Order 12333: for collection outside the US
- Transit: for collection within the US, with both ends foreign
- FISA: for collection within the US, with one end foreign and targets approved individually by the FISA Court
- FAA: for collection within the US, with one end foreign and a list of targets approved anually by the FISA Court

Under section 702 FAA, NSA is also collecting data from internet service providers under the PRISM program. From a 2011 FISA Court ruling (pdf) that was declassified upon request of the Electronic Frontier Foundation we learn that under section 702 FAA, NSA acquires more than 250 million "internet communications" each year. This number breaks down as follows:
- Upstream: ca. 9% or more than 22 million communications *
- PRISM: ca. 91% or more than 227 million communications
The ruling doesn't explain what exactly a "internet communication" is. A problem that troubled both NSA and the FISA court was that under Upstream it's technically very difficult to distinguish between single communications to, from or about targeted persons and those containing multiple communications, not all of which may be to, from or about approved targeted addresses. The latter may contain to up to 10,000 domestic communications each year.*

The actual intercept facilities are probably located at sites of telecommunication companies or collection is done with their assistance.
There are delays between the tasking, which is when an analyst orders particular information to be collected, and the actual collection of those data.

The following slides show details of a number of different programs involved in the Upstream collection. For each program there's the SIGINT Activity Designator (SIGAD), the Producer Designator Digraph (PDDG), the legal authority, what is collected, the key targets and in some cases a custom logo for the program. There are no slides with details about DARKTHUNDER, STEELFLAUTA, ORANGEBLOSSOM, BLUEZEPHYR and COBALTFALCON.

SILVERZEPHYR is for collecting internet content and metadata under FAA authority, and telephony content and metadata under Transit Authority, focussed on South, Central and Latin America. As the program operates under Transit Authority, the intercept facility is most likely located in the US. The corporate partner is codenamed STEELKNIGHT:

YACHTSHOP is for collecting worldwide internet metadata, which are stored in the MARINA database. Probably the program operates under EO 12333 authority and the corporate partner, codenamed BLUEANCHOR, is outside the US:

ORANGECRUSH was not active at the time of the presentation, but was intended to collect internet and telephony content and metadata at an intercept facility outside the US in cooperation with a corporate partner codenamed PRIMECANE and a 3rd Party partner agency.

According to the book 'Der NSA-Komplex' by Spiegel journalists Marcel Rosenbach and Holger Stark, ORANGECRUSH is a cooperation with an American high-tech company and a Polish intelligence agency to collect metadata and content related to the Middle East and Afghanistan from fiber optic cables in Europe. This means PRIMECANE is the cover name of this American tech company and confirms that Poland is a 3rd Party partner of NSA.

SHIFTINGSHADOW is for collecting telephony content and metadata from the telecommunications providers MTN Afghanistan, Roshan GSM and Afghan Wireless Communication Company (AWCC). This is done through an intercept facility which is probably in or near Afghanistan. It seems NSA is not cooperating with these Afghan telecom providers, hence they wouldn't be named openly in this slide:

MONKEYROCKET is for collecting internet metadata and content focussed on counter-terrorism in het Middle East, Europe and Asia. The collection takes place at an intercept facility outside the US and is therefore authorized under EO 12333:

There are also a number of programs and partners for collection of both internet and telephony data under FAA authority. They are designated by a SIGAD in the format US-984X*. From another source we know that there are:
- Eight facilities under STORMBREW (US-984XA-H)
- Two facilities under FAIRVIEW (US-984XR and US-984X2)
- Nine companies cooperating in the PRISM program (US-984XN)
As this is under FAA authority, the intercept facilities and corporate partners are in the United States. Maybe some of these partners are the ones with the codenames WOLFPOINT, ARTIFICE, LITHIUM, SERENADE and STEELKNIGHT, which are mentioned in other documents.

The next slide shows a bar chart with green bars for sources where the SSO division uses arrangements with corporate partners, and blue bars for sources where there are no such arrangements needed, which means SSO can collect the data on its own. From the most to the least productive source, the bars represent:
- US-984X*: Programs under FAA authority
- US-990: FAIRVIEW (Transit authority only)
- USJ-751: ?
- US-984: BLARNEY under FISA authority
- USJ-799: LADYLOVE (the satellite station in Misawa, Japan)

BLARNEY is for collecting telephony and internet data under FISA authority, which means a FISA Court order is needed. Main targets are foreign diplomats and governments, terrorists and economic targets. As collection is under FISA authority, the intercept facility is in the US. According to the Wall Street Journal and confirmed by Marc Ambinder, BLARNEY stands for cooperation with AT&T.

MADCAPOCELOT is for collecting internet content and metadata focussed on Russia and European counter-terrorism. Collected data are processed and analysed by XKEYSCORE with metadata being stored in MARINA and content in PINWALE. As the program is operating under EO 12333, the intercept facility must be outside the US. For reasons unknown, MADCAPOCELOT is closely related to the STORMBREW program.

For the STORMBREW program a map shows a line marked as OC-3, which runs across the United States. OC-3 is a network line with a transmission data rate of up to 155.52 Mbit/s using fiber optics. This is too low for being a regional, let alone a national backbone link, so the blue line does not represent an intercepted internet backbone. The cable connects eight locations marked with a green dot, one with a grey dot, one with a sun symbol and one marked as "Site C":

The meaning of this map was claryfied by a new slide from a different NSA presentation, which was disclosed in Glenn Greenwald's book 'No Place To Hide' on May 13, 2014. It shows seven international choke points of telecommunication cables that serve as access points for the STORMBREW collection program:
In the book, Greenwald lists an additional site called QUAILCREEK. These cover names are real names of holiday and ski resorts, some of them actually even near the dots on the map. These locations correspond to the green dots in the previous slide, so the OC-3 cable in that map most likely connects these various collection sites to transfer the data to a central location. The grey dot might then be an intercept site that is not active yet/anymore and "Site C" maybe the location where the centralized "Collection" takes place.

STORMBREW is for collecting internet data under FISA and FAA authority and telephony data according to a certain directory. With collection being authorized under FISA and FAA, the interception takes place in cooperation with a major US telecommunications provider with access to international cables, routers and switches. According to NSA historian Matthew Aid, the provider codenamed STORMBREW is Verizon.

FAIRVIEW is for collecting internet and telephony data and is a "key corporate partner with access to international cables, routers and switches" just like STORMBREW. The slide below was published in 'No Place To Hide' but with the bottom part removed. From a similar presentation we know that there it says that under FAIRVIEW, internet collection is limited to "port 25 collection", which means e-mail, and telephony collection uses the mysterious "Directory ONMR". Slides from this other presentation will be posted on this weblog separately.

For the FAIRVIEW program there's also a map, but this one shows a large number of many different markers with no lines or cables between them. At the moment it isn't clear how to interpret this:

Former NSA official Thomas Drake told DailyDot.com that FAIRVIEW is a highly classified program for tapping into the world’s intercontinental fiber-optic cables. It's an "umbrella program" with other programs underneath it. One of them is BLARNEY, which accesses internet data at key junctions and is facilitated by arrangements with commercial cable companies and internet service providers.


According to The Guardian, the real names of the corporate partners mentioned in various of these slides are so sensitive that they are classified as Exceptionally Controlled Information (ECI), which is "a higher classification level than the Snowden documents cover", thereby suggesting that he had no access to that kind of information - although a regional German paper was able to publish the real names of seven major submarine cable companies (but they had GCHQ covernames).

In the Upstream slides we see partners codenamed STEELKNIGHT, BLUEANCHOR and PRIMECANE. In other documents, WOLFPOINT, ARTIFICE, LITHIUM and SERENADE are also mentioned as covernames for corporate partners. Most likely all four are American companies.

Another series of slides was shown in a Fantástico report from July 9, 2013. Maybe they are from another presentation, but because they have the same layout and are also about "upstream collection" it's also possible they belong to the series posted above.

This series contain a number of maps, which, according to Brazilian media, show the amount of exchanged messages and phone calls (although actually DNI only refers to internet traffic) by various countries in the world with North Korea, Russia, Pakistan and Iran on March 4-5, 2012.

In the first slide we see internet traffic to Pakistan, which is eligible for collection under Transit authority:

The slide below has a map showing the internet traffic to Pakistan, which is eligible for collection under FAA authority:

The next slide shows a list of "Top 20 Pakistani domains (.pk)" which where tracked between February 15, 2012 and March 11, 2012:

A map representing "1 Day view of authorized (FAA ONLY) DNI traffic volumes to North Korea within FAIRVIEW environment", which means internet traffic which is eligible for collection under FAA authority:

Next is a list op "Top 20 North Korean domains (.kp)" which where tracked between February 15, 2012 and March 11, 2012. Note that only two websites generate notable traffic, all other have less than 1 Kbps:

A map showing internet traffic to Iran, which is eligible for collection under FAA authority:

A map showing internet traffic to Russia, which is eligible for collection under Transit authority:

The following slide says the collection programs in which Special Source Operations (SSO) cooperates with corporate parters, contributed to 1230 reports of NSA's Counter Foreign Intelligence Product Line (S2D). As this represented circa 29%, this product line produced a total of some 4240 reports in 2011:

The next slide shows a table with the headers and/or some of the top rows apparently blacked out, so we can only see a list of some programs and a range of numbers without knowing what they stand for. The SIGADs at the left designate the following programs:
- US-984*: BLARNEY under FISA authority
- US-984X*: Programs under FAA authority
Although we don't know what the numbers stand for, it's clear that the programs under FAA authority (which also include PRISM) are by far the most productive ones:

Probably one of the final slides provides contact information: first the names/e-mail aliasses of the collection managers for the FAIRVIEW, STORMBREW, BLARNEY, OAKSTAR, and MADCAPOCELOT programs. Brazilian television showed this slide uncensored with the names visible, but here we blacked them out. Under "Mission Management" is an e-mail address (in the strange format NSA uses for internal messages) for contacting the SSO corporate program mission management and finally there are keywords for finding out more information on NSA's intranet and the NOFORN-Wiki:

An article in the French paper Le Monde from May 8, 2014 lists a number of targets of the Upstream collection method during a month in 2013. These targets included the vice president of the Philippines Jejomar Binay; the interior minister of that country Manuel Roxas; the Ensenada Resort & Convention Center in Tela, Honduras; the International Centre for Theoretical Physics (ICTP) in Trieste, Italy; the American att.net and the Austrian chello.at e-mail domains, as well as the stc.com.sa top-level domain of the Saudi Telecom Company. Finally the Pakistani IT security firm Tranchulas and the Lybian International Telecom Company were mentioned as being targets of NSA.

Almost two years after these slides were shown on Brazilian television, the full NSA presentations to which some of them belong were finally published, as part of a report by The New York Times and Pro Publica from August 15, 2015.

> See: FAIRVIEW: Collecting foreign intelligence inside the US

Links and Sources
- PCLOB.gov: Section 702 Program Report (pdf)
- DNI.gov: NSA's Implementation of Foreign Intelligence Surveillance Act Section 702 (pdf)
- Wikipedia: Upstream collection
- EmptyWheel.net: Federated Queries and EO 12333 FISC Workaround
- DailyDot.com: Forget PRISM: FAIRVIEW is the NSA's project to "own the Internet"
- The Guardian: Snowden document reveals key role of companies in NSA data collection

(credits for providing the video footage go to @koenrh)

January 10, 2014

NSA's organizational designations

(Updated: November 18, 2016)

After providing lists of NSA-related codenames, abbreviations and SIGADs, we now publish a list of the designations of the numerous divisions and units of the NSA organization itself.

Unlike other intelligence agencies such as CIA or DIA, NSA never disclosed its internal organizational structure. The following overview has been reconstructed based upon information which over the years became available from various sources, including many documents from the Snowden-leaks.

This list only gives the alphanumeric designations, the official name and, if available, the logo of NSA branches. For a description of what the most important divisions do, click the links in the list or visit the websites mentioned under Links and Sources.

In 2013, the following numbers of people worked for NSA/CSS:
- NSA: ca. 21,500 civilian personnel and ca. 13,500 military personnel
- CSS (tactical SIGINT collection units): ca. 12,000 military personnel

> Update: In 2016, a major internal reorganization of NSA was initiated

Go to the directorate designated by: D E F I K L M Q R S T V X

The NSA headquarters buildings at Fort Meade, Maryland
(Photo: AFP/Paul J. Richards)


D: Office of the Director
D0: Director's Staff
D01: Director’s Operation Group (DOG)
D05: Director’s Secretariat
D07: Office of Protocol
D08: Homeland Security Support Office (HSSO)
D1: Office of the Inspector General (OIG)
D14: ?

D2: Office of the General Counsel (OGC)
D21: Intelligence Law
D22: Legislation
D23: Administrative Law and Ethics
D24: ?
D28: Litigation and Management
D4: Office of the Director of Compliance (ODOC)

D5: Corporate Assessments Office
D5T: Technology Test and Evaluation
D6: Office of Equal Employment Oppertunity
D7: Central Security Service (CSS)
D709: CSS Staff and Resources
D7D: Cryptologic Doctrine Office
D7P: Office of Military Personnel
D7R: Director's Reserve Forces Advisor
D8: Community ELINT Management Office (CEMO)

D9 : ?

DA: Directorate of Acquisition/Senior Acquisition Executive (SAE)
DB: Corporate Strategy

DC: Director’s Chief of Staff
DC0: Support
DC3: Policy
DC31: Corporate Policy
DC32: Information Policy
DC321: Freedom of Information Act and Privacy Act (FOIA/PA)
DC322: Information Security and Records Management
DC3221: Information Security Policy
DC3223: Records Management Policy
DC323: Automated Declassification Services
DC33: Technology Security, Export, and Encryption Policy
DC4: Corporate Strategic Planning and Performance
DC6: External Relations & Communications
DC8: Corporate Management Services
DE: Unified Cryptologic Architecture Office (OCAO)
DF: Chief Financial Manager (CFM)
DJ: Policy and Records Office
DJ4: Freedom of Information and Privacy Office
DK: Chief Information Officer (CIO)
DL: Legislative Affairs Office (LAO)
DN: NSA Public Affairs Office (PAO)
DN1: ?
DP: Foreign Affairs Directorate (FAD)
DP09: FAD Staff
DP11: Second Party Affairs Office
DP13: Central/Eastern Europe Office
DP21: Information Assurance?
DT: Office of the Chief Technical Officer (CTO)

E: Associate Directorate for Education and Training (ADET)
El: Educational Services and Staff
E2: Educational Technology Integration
E3: Language
E4: Intelligence Analysis and Information Assurance
E5: Signals Analysis, Cryptanalysis, and Math
E6: ?
E63: ?
E9: ?
E92: ?
EL: Center for Leadership and Professional Development

F: Field sites
F1: Cryptologic Services Groups (CSGs)
F1C: ?
F1CA: Cryptologic Services Group USSTRATCOM
F1CD: Life Cycle Logistics
F1CD1: Technical Services Group
F1I: ?
F1I2: Joint Interagency Task Force South
F1T: ?
F1T1: Cryptologic Services Group USSOCOM
F1Z: Cryptologic Services Group CENTCOM
F1Z2: Deputy Chief, CSG CENTCOM

F2: NSA/CSS Europe and Africa (NCEUR)
F20: ?
F202: NSA unit in Stuttgart Vaihingen, Germany
F204: Support to Military Operations for AFRICOM
F22: European Cryptologic Center (ECC) near Darmstadt, Germany
F23: NCER Mons, Belgium

F25: European Technical Center (ETC) in Wiesbaden, Germany

F28: Special US Liaison Activity Germany (SUSLAG) in Bad Aibling, Germany
F3: ?
F313: Combined Group Germany (CGG) in Augsburg, Germany
F32: ?

F4: ?
F411: Military Operations Branch

F5: Liaison Support Groups
F51: Liaison Support Group at CIA

F6: Special Collection Service (SCS)
F666E: (SCS unit in the US embassy in Berlin?)

F7: ?
F74: Meade Operations Center (MOC)
F741: Deployments & Training Division
F74?: Special Operations Readiness Cell (SORC)
F77: Menwith Hill Station (MHS)
F77F: Menwith Hill unit
F79: ?
F79F: Misawa Security Operations Center (MSOC)
F7A: Alaskan Mission Operations Center (AMOC)

F7U: Utah Regional Operations Center (UROC)
F8: ?
F81: Bad Aibling Station, Germany (-2004)

F83: RAF Menwith Hill (1966-present)
F9: ?
F91: ?
FC: NSA/CSS Colorado (NSAC)
FCS: Signals Intelligence Department, Colorado

FG: NSA/CSS Georgia (NSAG)
FGD: Director, Georgia
FGS: Signals Intelligence Department, Georgia
FGS2F: SW Asia Narcotics
FGS3: Transnational issues group
FG32: ?
FG3223: Media Exploitation & Analysis

FGT3322: ISR Support Team

FGT342: ISR Support Team
FGV: Threat Operations Center, Georgia
FHQ: Security Department, Hawaii

FHS: Signals Intelligence Department, Hawaii
FHS21: ?
FHS212: ?

FHT: Technology Department, Hawaii
FHT322: Office of Information Sharing
FHT332: IT Customer Solutions

FHV: Threat Operations Center, Hawaii

FHX: ?
FHX4: ?
FTS: Signals Intelligence Department, Texas
FTS2: Analysis and Production
FTS2F1 - "Southern Arc"
FTS3: Data Acquisition
FTS32: Tailored Access Operations
FTS327: Requirements & targeting
FTV: Threat Operations Center, Texas

(ca. 3000 employees)
I0: Chief of Staff
I01: Office of Policy

I2: Trusted Engineering Solutions
I209: Support Staff
I21: Architecture
I22: Engineering
I23: ?
I231: HAIPE Program Management Office (PMO)
I2N: National Nuclear Command Capabilities (N2C2) Mission
I3: Operations
I31: Current Operations
I33: Remote & Deployed Operations
I3?: Mission Integration Office
I3?: Technical Security Evaluations
I3?: Red Cell
I3?: Blue Cell
I3?: Advanced Adversary Network Penetration Cell
I3?: Joint Communications Security Monitoring
I4: Fusion, Analysis and Mitigation
I4 ?
I412: ?

I5: ?
I54: ?
I542: ?
I543: ?
I7: ?
I73: ?
I735: ?
I8: ?
I82: ?
I823: ?
I8231: Microelectronics Anti-Tamper Solutions
I85: ?
I853: Cryptographic Engines, Modules, and Tokens
IE: Engagement
IS: Strategy
IC: Cyber Integration
IV: Oversight and Compliance

K: National Security Operations Center (NSOC)
K?: SIGINT Mission Management (SMM)
K??: [...] SIGINT Mission Management (APSMM)
K??: [...] SIGINT Mission Management (CRSMM)
K?: Counter-Terrorism Mission Management Center (CTMMC)
K9: Capabilities and Sustaining Systems (CASS)
K92: Current Capabilities for Mission Management (C2M2)

L: Associate Directorate for Installations and Logistics (ADIL)
L0: I&L Staff
LF: Facilities Services
LFl: Space Management and Facilities Planning
LF2: ?
LF3: Operations, Maintenance and Utilities
LF4: ?
LF5: Program Management
LL: Logistics Services
LL1: Material Management
LL2: Transportation, Asset, and Disposition Services
LL22: Passport Services Team
LL3: Employee Morale Services
LL4: ?
LL42: Corporate Travel Services

M: Associate Directorate for Human Resource Services (ADHRS)
MA: Office of Workforce Strategies
MB: Office of Recruitment and Staffing
MC: Office of Diversity Management (ODM)
MD: Office of Human Resource Program Management & Service
ME: Office of Occupational Health, Environmental & Safety Services (OHESS)
MG: Office of Global Human Resource Services
M2: Office of Military Personnel
M3: Office of Civilian Personnel
M4: ?
M43: Information Policy Division
MJ: ?
MJ1: HR operations/global personnel SA

Q: Associate Directorate for Security and Counterintelligence (ADS&CI)
Q0: Staff
Q05: Security Operations Center (SOC)
Q07: NSA Counterintelligence Center (NSACC)
Q09: Security Support Staff
Q1: Office of Physical Security
Q123: ?
Q2: Office of Personnel Security
Q223: Counterintelligence Awareness
Q3: Investigations Division
Q31: ?
Q311: Counterintelligence Investigations
Q312: Compromise Investigations Branch
Q5: Office of Security
Q509: Security Policy Staff
Q51: Physical Security Division
Q52: Field Security Division
Q56: Security Awareness
Q57: Polygraph
Q7: Counterintelligence

QJ: Joint Program Security Office

R: Research Associate Directorate (RAD or RD)
R1: Math & Research
R2: Trusted Systems Research
R21: Cryptographic IA Research
R211: ?
R213: High Confidence Software and Systems (HCSS)?
R22: IA Engineering Research
R222: ?
R223: Research Integration
R224: ?
R225: ?
R23: Defense Computing Research
R3: Laboratory for Physical Sciences (LPS)
R4: Laboratory for Telecom Services (LTS)
R5: Language Study
R6: Computer Information and Science
R64: ?
R66E: Human Language Technology Research
R67: Human Language Technology
R6?: Coping with Information Overload Office
R6?: Disruptive Technologies Office (DTO)
RX: Special Access Research
RV: Oversight and Compliance

(ca. 24.000 employees)
S0: SID Staff
S01: Deputy for Integrated Planning
S012: ?
S0121: SID Communications
S02: Communications and Support Operations
S0231: SID Policy Staff
S0242: ?
S02L: ?
S02L1: SIGINT Policy
S11: Customer Gateway
S111: (Desk for coordinating RFIs and responses)
S112: DEA Account Manager
S12: Information Sharing Services Branch
S12?: Partnership Dissemination Cell (PDC)
S124: Staff Services Division
S12R: SID Reporting Board
S17: Strategic Intelligence Issues
S1E: Electromagnetic Space Program Management Office
S1N: ?
S1N2: ?
S1N3: ?
S1P: Plans & Exercises Division
S20: A&P Staff
S202B: Analytic Technologies for the Enterprise
S203A: Access Interface Portfolio
S23: Human Language Technology
S24: ?
S2413: Center for Time-Sensitive Information
S2A: South Asia Product Line
S2A4: Pakistan
S2A5: (South-Asia)
S2A51: S-A Language Analysis Branch
S2A52: S-A Reporting Branch
S2B: China, Korea, Taiwan Product Line
S2C: International Security Issues (ISI) Product Line
S2C13: Strategic Partnerships & Energy SIGDEV
S2C21: ?
S2C32: European States Branch
S2C41: Mexico Leadership Team
S2C42: Brazilian Leadership Team
S2C51: ?
S2C52: (United Nations?)*
S2D: Counter Foreign Intelligence Product Line
S2E: Middle East and Africa (MEA) Product Line
S2F: International Crime & Narcotics (ICN) Product Line
S2F1: ("Southern Arc"?)
S2G: Counter Proliferation (CP) Product Line
S2G21: Office of Proliferation and Arms Control
S2G6: Office of Combating Proliferation
S2H: Russia Product Line
S2I: Counter-Terrorism (CT) Product Line
S2I11: Al-Qa'ida Leadership and Target Pursuit Branch
S2I13: Global Jihad Support Network Branch
S2I2: Middle East and Iraq Division
S2I3: ?
S2I35: ? (related to RC-135U?)
S2I4: Homeland Security Analysis Center (HSAC)
S2I41: Branch Management
S2I42: Hezbollah Team
S2I43: NOM Team
S2I5: Advanced Analysis Division (AAD)
S2I51: ?
S2I?: Metadata Analysis Center (MAC)
S2IX: Special CT Operations
S2J: Weapons and Space Product Line
S2T: Current Threats
S2S: ?
Communications Event Analysis Center (CEAC)
S31: Cryptanalysis and Exploitation Services (CES)
S310: ?
S31091: Military Operations Branch
S311: Office of Target Pursuit (OTP)
S31122: ?

S31131: Exploitation branche
S31133: Exploitation branche
S31142: Exploitation branche
S31143: Exploitation branche
S3117: Cryptanalytic Exploitation & Discovery
S31171: PRC, N-Korea, SE Asia, Japan
S31172: Iran, Hamas, Iraqu, Saudi Arabia
S31173: Africa, Levant, Latin America, India, Pakistan, Afghanistan
S31174: Russia, Counter-Intek, Europe, FTM
S31175: Cross-Target Support Branch
S31176: Custom Thread Development for Network Encryption
S31??: Technical Exploitation Center (TEC)
S312: ?
S31213: Network Security Products
S31241: Attack Services

S313: Requirements and Thread Management (or Exploitation Solutions Office)
S3132: Protocol Exploitation and Dissemination
S31322: Digital Network Crypt Applications (DNCA)
S31323: ?
S314: ?

S316: Target Reconaissance and Survey
S3161: Special Deployments Division

S32: Tailored Access Operations (TAO)
S321: Remote Operations Center (ROC)
S321?: Network Ops Center (NOC)
S321?: Oper. Readiness Division (ORD)
S321?: Interactive Ops Division (IOD)
S321?: Production Ops Division (POD)
S321?: Access Ops Division (AOD)
S322: Advanced Network Technology (ANT)
S3221: (persistence software)
S3222: (software implants)
S32221: ?
S32222: (routers, servers, etc.)
S3223: (hardware implants)
S3224: ?
S32241: ?
S32242: (GSM cell)
S32243: (radar retro-refl.)
S323: Data Network Technologies (DNT)
S32361: ?
S324: Telecomm. Network Technologies (TNT)
S32423: ?
S325: Mission Infrastructure Technologies (MIT)
S327: Requirements & Targeting (R&T)
S326: Access Operations
S3261: Access and Target Development
S328: Access Technologies & Operations (ATO)
S3283: Expeditionary Access Operations (EAO)
S3285: Persistance POLITERAIN team

S32P: TAO Program Planning Integration
S32?: Network Warfare Team (NWT)
S32X: ?

S33: Global Access Operations (GAO) (or Link Access Programs)

S332: Terrestrial SIGINT
S33221: ?
S33223: Processing Systems Engineering and Integration Sector
S333: Overhead SIGINT
S333?: Overhead Collection Management Center (OCMC)
S33P: Portfolio Management Office (PMO)
S33P1: ?
S33P2: Technology Integration Division
S33P3: Tactical SIGINT Technology Office
S33?: CROSSHAIR Network Management Center (CNMC)
S34: Target Strategies and Mission Integration (TSMI)
S342: Collection Coordination and Strategies
S3421: ?
S3422: Geographical Regions
S3423: Technical Services
S343: Targeting and Mission Management
S344: Partnership and Enterprise Management

S35: Special Source Operations (SSO)
S350: ?
S35093: Target Exploitation Program
S351: Program Management Division

S352: Engineering & Technical Services Division
S3520: Office of Target Reconaissance and Survey (OTRS)
S3521: Special Signal Collection unit (MUSKETEER)
S353: Operations & Discovery Division
S3531: PRISM? Mission Management
S3533: ?
S35333: PRISM Collection Management

S35??: Environmental Analysis Branch
S35P: Portfolio Management Office
S35P2: Technical Integration Division
S35P3: Capabilities Integration Division
S3C: Collection Strategies and Requirements Center (CSRC)
S3C32: Collection Forwarding & Outages
S3C33: Initial Flow Management branch

S3M2: (Media Leaks Task Force?)

S3T: ?
S3T1: ?

S3W: Wireless Portfolio Management Office (WPMO)
S4: ?
S44: ?
S444: Special Operational Support

SSG: SIGDEV Strategy and Governance
SSG1: ?
SSG13: ?
SSG2: ?
SSG21: Net Pursuit Network Analysis Center
SSG22: Network Analysis Center (NAC)
SSG??: Target Analysis Center (TAC)
SSG4: Target Technology Trends Center (T3C)

SE: SIGINT & Electronic Warfare

SV: Oversight and Compliance
SV2: Training
SV21: Access Oversight Training and Strategic Guidance
SV3: Compliance Verification

SV4: FISA Authorities Division
SV41: ?
SV42: Special FISA Oversight and Processing
SV43: ?

TE: Enterprise Systems
TS: Information and Systems Security
TT: Independent Test and Evaluation

T1: Mission Capabilities
T1?: Strategic SATCOM Security Engineering Office
T11: ?
T12: Analytic Capabilities
T121: ?
T1211: ?
T122: Knowledge Services
T1221: Center for Content Extraction (CCE)
T1222: Enrichment Center/Operations
T13: ?
T132: Structured Repositories
T14: ?
T1412: (TURBINE team?)
T1422: Identifier Scoreboard
T1442: ?
T2: Business Capabilities

T3: Enterprise IT Services
T314: End User Solutions
T32: ?
T3212: Workflow, Standards and Support
T3221: Transport Field Services (TFS)
T332: Global Enterprise Command Center (GECC)
T332?: Data and Network Operations
T332?: NSA Communications Center
T332?: NISIRT (contains CERT and CSIRT)
T333: ?
T3332: Data Operations Center (DOC)
T334: National Signals Processing Center (NSPC)
T335: Deployable Communications Operations (DCO)
T33?: National Intelligence and Tactical Operations (NITO)
T5: High Performance Computing (HPC) Center
T53: HPC Integration and Production
T532: CA Databases
T5323: LONGHAUL team
T6: Ground Systems Program Office

T9: ?
T99: ?

TV: Office of compliance

V: NSA/CSS Threat Operations Center (NTOC)
V07: ?
V2: Office of Analysis
V22: ?
V222: ?
V225: ?
V23: ?
V24: ?
V25: ?
V252: ?
V26: ?
V3: Office of Operations
V32: Defensive Network Operations
V33: ?
V34: Next Generation Wireless Exploitation Program
V35: ?
V4: Technology Development Support
V43: Cyper Profiling and Operations Support
V45: Office of Technology Development
VS: ?

VV: NTOC Oversight and Compliance (NOC)

X: ?
X3: ?
X31: ?
X312: Planning & Management
X32: ?

? Associate Directorate for Policy and Records (ADPR)

? NSA/CSS Commercial Solutions Center (NCSC)

The 2000 reorganization

In the year 2000, then director Michael Hayden reorganized much of NSA's organizational structure. For this the NSA Transformation Office (NTO) was established and the directorates of Operations and of Technology were merged into the Signals Intelligence Directorate (SID).

Also new officers were appointed, like a Chief Financial manager, a Chief Information Officer (CIO), a Senior Acquisition Executive (SAE) and a Transformation Officer. Around the same time, many NSA divisions and units got new designations.

Also in 2000, a Senior Leadership team was formed, consisting of the Director (DIRNSA), the Deputy Director and the Directors of the Signals Intelligence (SID), the Information Assurance (IAD) and the Technology Directorate (TD). The chiefs of other main NSA divisions became Associate Directors of the Senior Leadership team.

The 2016 reorganization

In 2016, NSA director Michael Rogers initiated a reorganization under the name NSA21, which has to prepare the agency for "cyber" challenges. One of the most important changes will be to replace the Signals Intelligence (SID) and Information Assurance (IAD) directorates by a new Directorate of Operations that combines the operational elements of each.

Also the other existing branches will be reorganized into the following 6 new directorates:
- Workforce and Support Activities
- Business Management and Acquisition
- Engagement and Policy
- Operations
- Capabilities
- Research

Links and Sources
- Observer.com: REORG: How Not to Fix American Intelligence
- NSA: NSA21: Facing Threats to the Nation and Future Challenges with Innovation, Integration, and a Focus on Talent
- Washington Post: National Security Agency plans major reorganization
- Cryptome.org: NSA Salaries 2014
- Marc Ambinder's The NSA's org chart
- TheWeek.com: The NSA's org chart
- MatthewAid.com: Updated NSA Order of Battle
- William M. Arkin Online: NSA Tailored Access Operations
- Independent.co.uk: Inside the NSA: Peeling back the curtain on America's intelligence agency
- TheAtlantic.com: An Educated Guess About How the NSA Is Structured
- GovernmentAttic.org: Extract of pages from the NSA's intranet, 2005 (pdf)
- Cryptome.org: NSA Overhauls Corporate Structure in Effort to Improve Operations (2000)