17 October 2000
Source: http://www.nsa.gov/releases/nsa_external_team_report.pdf (27 pages; 2.7MB)

This is one of two reports released 17 October by the National Security Agency on October 1999 recommendations for its reorganization (after releasing them to Inside Defense under FOIA request):


The second is a 76-page report, "New Enterprise Team (NETeam) Recommendations: The Director's Work Plan for Change," 1 October 1999:


[27 pages.]



When I arrived at the National Security Agency/Central Security Service (NSA/CSS) over a year ago, I was told by many people within the Intelligence Community -- and by lifelong NSA employees -- that in order to meet the challenges of the new millennium, the Agency must undergo a deep, purposeful transformation.

The evolution of technology dictated change within the Agency and was the impetus for self-examination and introspection. More importantly, our customers and Congress, along, with other external groups, were pointing to much inefficiency in the way we manage our assets, our leadership, and our approach to technology.

To that end, I commissioned two teams of experts to assess NSA's personnel. culture. organization and processes and to present detailed recommendations for improvement. To ensure that the teams were diverse and well represented, I mandated that one team would comprise Agency employees; the other team would comprise representatives from industry. Both studies have been declassified and are enclosed for your information,

Though the teams attacked the study from diverse perspectives and approaches. their conclusions and recommendations were remarkably similar. Both teams agreed that NSA needed to make many difficult, essential changes in order to continue to maintain its place on the cutting edge of technology. Both teams agreed that NSA needed to improve in the following areas: governance, culture, vision/mission/corporate strategy, resource management, communicating with our customers/partners/stakeholders and business planning.

I listened to both teams and I have taken important pieces of each report to heart. Some of the recommendations in the reports were adopted immediately; others are still being considered. To gain the momentum for significant change, I initiated a period called. "100 Days of Change," which lasted from 15 November 1999 to 30 March 2000. From the onset, I stated that "100 Days," was just a beginning -- a starting line from which NSA can begin to transform into a first-class, 21st Century agency. We have begun

to change our ethos, which is more than changing our culture because we must change the way we think, feel and act. We have begun the difficult tasks of eliminating non-essential activities, introducing disciplined decision-making into our processes, and holding our leadership accountable. We have improved the ways we communicate within the Agency and to the public. Where we need help and new perspectives, we have selected outside talent in key positions. Our goal is an Agency that is more aware of

itself and its role in national security, more agile in its ability to respond to challenges and opportunities, and more collaborative with its partners, customers and stakeholders.

Transformation is never easy, but for NSA it is compulsory. We have moved out and have created the momentum for change. Further changes will come in the future as we strive to make progress and reach our goals. We are making the needed course corrections to ensure that NSA meets new challenges and is true to its mission in providing and protecting information essential to the national security of our nation.


Lieutenant General, USAF
Director, NSA/Chief, CSS

     As Stated


A Management Review
for the
Director, NSA

October 22, 1999


List of Acronyms
CBJB - Congressional Budget Justification Book

CIA - Central Intelligence Agency

CINC - Commander-in-Chief

CFO - Chief Financial Officer

COO - Chief Operating Officer

COS - Chief of Staff

DCI - Director of Central Intelligence

DDCM - Deputy Director for Corporate Management

DDI - Deputy Director for Information Assurance

DDO - Deputy Director for Operations

DDS - Deputy Director for Support Services

DoD - Department of Defense

EPA - Employee Promotion Assessment

ETR - Engineering, Technology and Research

IAM - Information Assurance Mission

IG - Inspector General

InfoSec - Information Security

JMRR - Joint Military Readiness Report

KAL - Key Agency Leadership

NCS - National Cryptologic School

NSA - National Security Agency

NSAAB - NSA Advisory Board

NSRL - National SIGINT Requirements List

OPP - Office of Plans and Programs

PMC - Program Management Council

PM - Program Manager

SALT - Senior Agency Leadership Team

SCE - Service Cryptologic Executive

SE - Systems Engineering

SES - Senior Executive Service

SETA - Scientific Engineering and Technical Assistance

SIGINT - Signals Intelligence

SIM - Signals Intelligence Mission

UCA - Unified Cryptologic Architecture

USSID - United States Signals Intelligence Directive


Upon assuming command of the National Security Agency (NSA), Lieutenant General Michael V. Hayden, USAF, commissioned two management review teams, one comprised of NSA employees and another composed of five outside experts, named the External Review Team. This external the External Review Team began its work on August 9, 1999 with the stipulation that it would report to the Director, NSA within 60 days. General Hayden was briefed on The External Review Team's findings and recommendations on October 12. This document constitutes the final report of the External Review Team.

The five members of the External Review Team consider it a great honor to have been asked to participate in this important work. ne NSA has long been one of America's preeminent governmental institutions whose successes, like those of its sister intelligence agencies, must often go unheralded. However, the need for secrecy, so critical to mission success, can also breed insularity, which is counterproductive to effective management.

This report aims at specific suggestions to the Director which will be actionable and which will produce rapid results. There have been a number of significant studies of NSA in selected areas over the past decade. Almost all have been done extremely well and offered good recommendations. But almost none of these recommendations have been implemented in a meaningful manner.

A major challenge facing NSA has been to understand why no action has occurred on the many previous excellent recommendations from multiple sources, and what can be done by General Hayden to ensure constructive change moving forward.

We have been extremely impressed by the dedication and skill levels of NSA employees at all levels, but recognize from our own experiences in business and in government that individual actions are usually not enough to initiate corporate-wide change. It took new Chief Executive Officers at IBM and AT&T to re-energize those previously distinguished businesses. It is our expectation that General Hayden will fulfill that same role at NSA.

The majority of senior level employees with whom we spoke believe that this entire series of managerial issues has come to the fore as a result of the ongoing reduction in resources, i.e. budget cuts, combined with an expanding demand for its excellent work. NSA funding has been reduced dramatically over the last several years. Unanimously, the External Review Team believes that the managerial issues would be no different should prior funding levels be restored. Money alone is not the answer.

The NSA mission is a cornerstone of many other aspects of American intelligence work. NSA is too critical to the well-being of our society today, and tomorrow, for the Agency to be allowed to function in a sub-optimal fashion. The House Permanent Select Committee on Intelligence has, correctly in our opinion, directed NSA to "change your culture and method of operations." The only question is how this might best be accomplished.

Tasking and Methodology

The External Review Team was specifically tasked to review prior studies and reports (including the recent Clapper Brief) and evaluate Congressional language as it relates to NSA reform. We were asked to assess NSA's personnel, culture, organization and processes, to document our findings and to present detailed recommendations for improvement. The Director placed no constraints on the scope of this study. However, Congress, the Secretary of Defense and the DCI expect "significant change" in how the Agency does business.

Our methodology was to research governing and historical documents and to review prior studies and investigations. We interviewed over one hundred people (both within and without NSA), including Agency seniors, mid-level and working staff, Congressional staffers and various NSA management teams (including the Senior Agency Leadership Team [SALT]). The External Review Team met weekly to receive corporate briefings, hold meetings with senior level personnel and update the Director on the study's progress. After collecting and analyzing all the data, The External Review Team formally briefed General Hayden and prepared this report.


We determined many good features of the Agency throughout the report. We agreed that at least the following aspects of the Agency were positive:

However, we enumerated many issues throughout this report. We agreed there are at least ten significant areas of concern:

The most serious issues are leadership, accountability, and empowerment, as evidenced by great dissatisfaction with decisionmaking within the Agency.

Business Model - Organization

The present NSA organization has been in place, generally in its current form, for some period. It works well enough to do some of the missions and get some intelligence product out the door, but we question whether this form best complements leadership, the creation of plans, the flow of money and the need for responsibility, accountability and empowerment throughout the workforce. An organization should allow the leadership to operate the Agency efficiently and dynamically. It should facilitate rapid response to change, yet permit leaders to know and be able to tell stakeholders just where things stand at all times.

What follows is the description of a new organization without reference to specific individuals who currently occupy positions of similar responsibility. We prefer to outline a pure, functional organization with responsibilities and relationships.

Fundamentally, NSA should be organized to best perform its two operational missions (the production of signals intelligence and providing information and infrastructure assurance), and to create and use the technology required to perform these two missions. All other NSA functions, which traditionally have reported high up the Agency structure, (often to the Director), now would be identified as staff functions and would report as Director's staff or to one of several operational staff elements. This key change removes Agency support leadership from an operational decision-making role. By placing control and responsibility for on-going Agency activities into the hands of the operations and technology organizations, authority and responsibility for performance are driven down as far as possible, placing programmatic and budgetary decisions as close to the intelligence problem as possible.

The job of the Director is to lead the Agency. All authority and power derive from the Director, who reserves all decisions not formally delegated to others. In practice, the Director will actually run the day-to-day operational affairs of the agency through a COO, a new position we have created. Freed of moment-to-moment operational responsibility, the Director may develop high-quality relationships with such essential external partners as the Secretary of Defense, the DCI, Congress and Congressional Staff, military, Commander-in-Chiefs (CINC), the Secretary of State, the law enforcement community and others as appropriate. We believe that much of the future success of NSA is tied to high-quality working relationships with Intelligence Community partners and all NSA stakeholders (see the chapter Stakeholder Relations). We have been persuaded that the CIA-NSA relationship is an essential element of a successful Global Network strategy. We are certain that the support and trust of the Congress must be regained and carefully nurtured. It is imperative therefore, that the Director takes the lead in establishing and maintaining personal relationships with these partners and that he have a high-level office to support him in this critical function.

Recommended Organization

[Original poor; redrawn by Cryptome]

The Director makes decisions with the advice of the Key Agency Leadership (KAL) team, which replaces the current SALT. Members of the KAL, the Director, the Deputy Director, the COO (representing the operations and engineering organizations), the CFO, the Director's COS, the Chief Council, the Inspector General (IG), and the Deputy COO for Military Affairs. Others may be invited to meetings to present or elaborate on issues, but will not sit as members. From the composition of the KAL, it should be clear that all members attend to advise the Director. The KAL is not a voting body. KAL meetings exist to debate and frame issues on cryptologic policy, Agency mission, and items of corporate importance for Director decision. The KAL should meet regularly as required.

An outside board called the NSA Advisory Board (NSAAB) will also advise the Director. Comprising ten people or less, the board includes two each of luminaries from the Intelligence Community, corporate non-government executives, technologists and retired Service Cryptologic Executive (SCE) and/or geographic CINCs. The NSAAB will take a very active role to help the Director, and will take a direct hand 'in identifying and grooming future Agency leadership. Specifically the NSAAB should:

This NSAAB should be quite vigorous and active. Members should be recruited for their boldness and enthusiasm, and should be well compensated for the significant amount of work they will do. Board members will contribute about one month per year, spread across the year.

The Deputy Director, a true deputy, not responsible for Agency operations, backs up the Director. This senior cryptologic officer would be responsible for Agency strategic planning, using resources throughout the Agency for support. The Deputy Director would assist in corporate issue resolution and external relations, and would work selected cryptologic issues as appropriate. The Deputy Director would act on the Director's behalf and would serve as the Director's emissary when so directed.

The Director's COS would control the Director's schedule and assist in the paper flow. The COS would determine, through trial and error, what the Director wishes to see and hear, which issues and decisions should be considered important, and how often and in what forms meetings are to be held, so that the COS may schedule the Director's time wisely. The COS is responsible for preparing issues for KAL meetings. The COS may act on behalf of the Director when so formally directed. The COS should assist the Director in communicating with the workforce through regular written "DirectorGrams" and live messages.

The CFO is a new position to take responsibility for the management of the flow of money required for the Agency's business. The CFO will manage the NSA budget process, guarantee the fiduciary integrity of NSA, conduct internal audits and ensure the professional training of the Agency financial corps. The CFO will create targets and benchmarks for Agency financial performance and coordinate activities internally and with the DCI, DoD and Office of Management and Budget as appropriate. In sum, the CFO will restore confidence that NSA is managing its money wisely in the execution of its mission. Financial displays generated by the CFO will make it readily clear how much money is required for the NSA mission, and how much more money would be required to take on a larger mission. The CFO position would be good for an outsider.

The Legal Department will function as it does now. It will closely advise the Director and operating elements on critical legal issues and interpretations as the Agency moves into the new mission areas. Its role should be to facilitate the execution of Agency business. The legal staff must be current on administration legal policy, international law and related disciplines.

Stakeholder Relations will perform the very important external relations and image management tasks (See the chapter Stakeholder Relations). We recommend more openness and familiarity with stakeholders by the Agency. NSA should modify its "withholding evidence" image. Improved public relations can help overcome the "Super Secret NSA" image that is no longer useful to Agency needs.

The IG duties remain the same with one addition. We recommend the IG monitor NSA progress in achieving the recommendations set forth by this panel.

The Director and the entire staff as denoted above, should be collocated in one hallway on one floor of the building. Our creation of a COO may be the most significant change to the traditional NSA organization. We are emphatic that the very significant issues of "SIGINT/INFOSEC equities" and "operations requirements versus technology development" be managed correctly. From a sources and methods perspective, we are eager to see the SIGINT Mission work very closely with the Information Assurance Mission, since they are rapidly becoming two sides of the same coin. At the same time, the technology required to support both operations is converging, especially in the Global Network arena. We feel therefore, that close coordination among these organizations is mandatory, and too important to be left to the vagaries of the coordination process. We elect then, to recommend the subordination of the two operations organizations and the one technology organization under the COO, who would be responsible for all Agency operations and technology development, and the support systems and administration they require. We do not encourage any merging of operations and technology development organizations. We believe that a natural tension should exist between the operations that require technology, and the technology developers who crave requirements. We believe that both applied and pure technology should be developed. Applied technology tied closely to operations by requirements and funding, and pure technology much more free of specific operational requirements, with the independent funding, to explore the realm of the possible in order to help both the technology and operations organizations anticipate future technological developments and leaps. If both operational requirements and pure science driven technologies can be encouraged, then bringing together the operations organizations and the technology organization at the COO level will suffice.

The COO is responsible for NSA operations. The COO could come from outside NSA, but should have strong Intelligence Community experience. Operational planning and funding is performed by a function of the COO staff in coordination with the CFO. Operations Planning and Programming will help build the operations and technology funding plan for the COO by imparting an Agency strategic perspective to mission and technology needs. Agency support functions will be outsourced wherever possible. The current Deputy Director for Services (DDS) and DDCM organizations are abolished and functionally re-subordinated under the COO.

Agency support to military operations and responsibility to the SCEs are advocated and managed by the Deputy COO for Military Affairs. This very important charter responsibility is placed close to operations, where it may have the most direct day-to-day influence. However, by placing the Deputy COO for Military Affairs on the Director's KAL, proper military voice is heard at the strategic planning and policy formulation level.

The National Cryptologic School (NCS) had a reputation as a superlative trainer of cryptologists and crypto-technologists. To regain that reputation, the NCS should be revitalized as a first class institution for training in unique cryptologic skills. The NCS should be kept current, especially in the technology-oriented disciplines, by the use of outside educators. We place the NCS under the COO administration and support function so that it may be attentive to operations and technology needs.

The COO executes operations through the three organizations (two operations and one technology) that we have referred to previously. The operations organizations are called the Signals Intelligence Mission (SIM) and the Information Assurance Mission (IAM), which are similar to the now-abolished Directorates of Operation and Information Security. The technology organization is called Engineering, Technology and Research (ETR). The new organizations are sufficiently different from their predecessors to warrant a change of names. More importantly though, is the need to divorce paradigms and loyalties from the past, and re-form bonds to new entities. The new organizations are linked intimately to mission and development both functionally and financially. Since all three implementing organizations report to the COO, leadership in SIM, IAM and ETR focuses downward, concentrating on getting the tools and running the missions that define the Agency's place in the Intelligence Community.

The SIM will organize to follow access opportunities. We believe that intelligence targets will continue to be increasingly transnational in nature, and that alignment to geographical locations and entities is obsolete. Organizing into three offices, Global Response, Tailored Access and Global Network, would seem to offer the best means to apportion investment to mission, commensurate with the changing nature of the targets. Tracking technical changes in target content and responding quickly to maximize productivity may be made easier when SIM leadership has the authority and responsibility to make such changes internally, answering to the COO for those decisions. We observe, certainly a slowness, and perhaps a reluctance, to move from legacy targets to newer targets. Whatever the attractiveness of known targets and technologies, leadership must decide smartly when to move to more difficult but potentially more lucrative targets. Toward that end, we encourage SIM leadership to increase significantly the investment in Global Network at the expense of investments in Global Response and Tailored Access. Within SIM it is perfectly reasonable to assume that some functions and talents might be best used in a matrix across the offices. We leave decisions at that level up to the new SIM leadership. The Important point is that decisions affecting operations be made in operations, by people willing to step up to the authority and responsibility.

Organizationally, the IAM remains largely unchanged from the current DDI. Changes in cash flow management that may affect IAM organization are discussed in the chapter Business Model - Resources Management.

The ETR office will change significantly in this new organization. ETR will become the home organization for all engineering and technology people. SIM and IAM will not "own" any engineers. Where and when SIM and IAM require engineering skills, they will be supplied from an engineering matrix managed by ETR. ETR will not deny SIM and IAM access to engineers and technologists. The change in affiliation is to better control the career field, provide training on the latest technology, maximize cross-pollination of ideas and promote the awareness of programs and developments within ETR. These changes should facilitate better make/buy decisions and avoid the needless duplication of technology or solutions.

ETR will supply all information technology products and services for mission-support and administrative-support. We believe that the traditional intelligence cycle events of tasking, collection, processing, exploitation and dissemination comprise a critical path that requires careful balance among, its elements. We often hear people ask why we should collect data that cannot be transported, processed or analyzed due to some inadequacy in the chain. Perhaps by assigning responsibility to one organization for the collection devices, selection-and-filtering processors and the wideband-communications backbone required to move the data, improved balance can be built into new programs and systems from the design stage forward. We expect ETR to be the Agency's program management and program acquisition center of excellence. As such, ETR should be well placed to provide the correct level of information-technology support for all Agency programs and administration.

To support the Agency's operational mission, we believe that both pure and applied research programs are necessary; ETR is the organization to develop and manage those programs. The requirements of SIM and IAM should drive the applied research program. ETR should listen to the immediate and near-term needs of the operations organizations, take their funding and do applied technology developments accordingly. In the area of pure research however, ETR should take the pulse of the global technology market and forecast which technologies should be pursued. Using Agency corporate funding tied to Agency strategic goals rather than specific operations requirements, ETR should invest in next-generation and beyond technology possibilities in anticipation of future NSA needs.

Finally, we place in ETR the key responsibility to perform system engineering and integration within and across all NSA programs to ensure efficiency and to avoid unnecessary duplication. This responsibility marks a major shift in thinking from the way NSA programs usually are formed and managed. ETR must understand operational needs and receive sufficient funding for the development from operations. Then ETR will derive and allocate technical requirements to program systems and subsystems. Programs must be architected. Trade analyses must be performed and decisions made whether to bad program components or buy them from outside suppliers. All elements must be configuration controlled. The development of all portions of the program must be coordinated throughout the program life and managed to cost and performance and delivered in a finished, usable form on schedule. To do this at the level required, ETR must develop a cadre of professional program managers (PM) trained to deliver systems.

In practice, the organizations under the COO work closely together to execute the mission of the Agency. Jointly they plan programs to address intelligence requirements, ask for and receive NSA and outside funding, develop technology, tools and other capabilities, execute operational missions, acquire, process and analyze data, and finally, produce and disseminate intelligence product to customers. They act in consonance with Agency strategy and goals and within Agency funding mandates, but are empowered to prepare for and execute the Agency's operational mission with only general oversight.

There are many organizational layers not addressed here. We do not intend to make recommendations to the finest detail of structure. It would not be appropriate to preempt the prerogatives of the leadership selected for the key positions that we chose to describe. Rather we have attempted to define an organization that retains the best of traditional Agency structure, but it is clearly focused on the future, while streamlining and introducing some modern business structure and practices.

Specifically, we recommend the following action: The Director should implement the organization discussed above.

Business Model and Resource Management

The effectiveness of an organization is influenced greatly by its processes. Key to the operation of any business is the management of resources, people, equipment, knowledge, cash or capital. In the end, most resource issues can be reduced to financial ones, and that is the focus of this discussion.

Currently, NSA does not manage its financial resources consistent with current business practices. It separates expense budgeting from headcount budgeting, it has less than state of the art cost management tools and processes, and it does not afford mission managers or oversight managers with sufficient information to understand what is being invested where. Couple this with the widely held belief that the decision making process within the Agency is not responsive and one arrives at a situation where sufficient authority, or empowerment, to cause events to happen and the resulting accountability for these actions do not exist.

Our fundamental recommendation is to change the organization and underlying funding model in order to enable the accountability and empowerment of individuals closest to mission execution.

In a business environment, such managers are called "product managers." They control the key variables of a product, its functionality, price, distribution and how it is promoted to its customers. Through control of these variables, they exercise authority over, and are responsible for, the product's profit and loss.

We call the equivalent managers in the Agency "Mission Managers." They exist in the mission operations organizations (the SIM and IAM). A Mission Manager's role is to determine the mission requirements from the perspective of the customers for whom the mission is created and develop plans for causing the mission to be realized physically and operated in steady state. They have to create a financial plan that identifies the resources required over a specific time period and the deliverables created with associated benefits.

The basic premise is that NSA should build its operating processes around these Mission Managers, empowering them to develop plans to create and operate missions, providing them resources to succeed, and holding them accountable for the success and failure of these missions. Individuals who succeed in small efforts are promoted to larger and larger ones, those who fail after repeated attempts and appropriate training, are removed from such responsibility. Decision making is pushed onto them and oversight is focused at supporting the team of day-to-day managers rather than second guessing them.

For Mission Managers to succeed, they must have complete control of all resources required to realize and operate the mission. This includes expenses, people, facilities, and capital. Thus, at the end, all supporting organizations have to subordinate their individual judgments to those of the Mission Manager, and this individual has to control their budgets in order to insure compliance with the mission plans. Therefore, a Mission Manager will work out implementation plans with supporting organizations, such as technology development ones or systems integration ones, and close with them on budgets, deliverables and timelines along with acceptance criteria.

The total budget of an operations organization is the sum of the budgets of the Mission Managers in it. The total budget of a supporting organization (such as ETR) is the sum of the budgets allocated to it by the individual Mission Managers. All costs are to be included in these budgets, for example, personnel salaries and benefits, costs of facilities, travel, professional development and equipment purchases. The present practice of separating headcount, or "billets," from financial budgets should end.

For Mission Managers to have real control over their programs, they require a feedback loop to insure that performance of the organization matches the plan. This is done with a cost accounting system that matches expenditures to specific missions, programs and projects. The government, particularly DoD, is well acquainted with such processes.

There is a class of work that has to be done within NSA that does not lend itself to sponsorship by Mission Managers, at least not the conventional ones to be found in an operating organization. This class of work can be considered corporate work. Research is a significant example, but there are others (such as Y2K work). Budgets for these organizations and functions, and for leadership offices should be driven corporately. Thus the overall budget for the entire Agency would be the sum of these corporate activities and the mission activities. Also, there are common support functions, such as human resources or financial management, that could either be supported by corporate funding or by mission funding The advantage of the former is managing similar resources in one spot, the advantage of the latter is making these support functions more responsive to the users of them. Which approach NSA takes with regard to funding these activities is not central to the overall direction. Initially, the approach that least impacts the success of the Agency should be used.

Research, both basic and applied, is sponsored and funded corporately, but is, in effect, a mission unto itself. This Mission Manager is the head of ETR and the customer is the KAL. It is with the KAL that ETR develops an investment plan and reports results, and demonstrates that the resources were well spent and the technology position of NSA is strong.

Resource management can be illustrated through a process flow diagram:

[original poor]

The numbers in the above diagram refer to the following process steps.

1. In cooperation with each other, the SIM, IAM and ETR develop investment plans for missions. They are driven by Mission needs and the overall Agency vision. This is an iterative process that balances needs against costs and achievability.

2. The SIM and IAM submit proposed investment plans containing needs, benefits and implementation plans (a "business plan") to Office of Plans and Programs (OPP) for consolidation and COO approval.

3. ETR prepares and submits a technology investment plan covering long term investments reflecting technology trends and mission needs. In the role, ETR is acting as a "Mission Manager" where the mission is not an operational one but a planning and investment one.

4. The COO submits a consolidated investment plan to the KAL for approval. It is at this step that the Director, with advice from the KAL, achieves personal ownership of the plan.

5. The KAL, through the Congressional Budget Justification Book (CBJB), submits to DoD, DCI and Congress the various intelligence plans along with budget requests.

6. DoD, DCI and Congress approve, and revise as appropriate, plans and budget requests.

7. The KAL authorizes the COO to proceed with plans and budget requests as approved.

8. The COO (through OPP) assigns monies needed for operations missions to mission leaders (SIM and IAM).

9. The COO (through OPP) assigns monies needed by ETR for corporate activities.

10. The SIM and IAM assigns monies within their teams to Mission Managers who, in turn, assign monies to ETR for realization of their particular missions along with the associated mission requirements statements.

11. The ETR team prepares technical plans to meet funding and functional requirements and returns these plans to the respective Mission Managers for approval.

12. The ETR team delivers completed mission platforms that meet mission needs and budget allocations for use by the Mission Managers.

13. The ETR team delivers completed corporate programs to KAL.

14. Lessons learned from the field are used by Mission Managers to develop future plans.

Coupled with the organizational changes discussed earlier, this overall process will focus all the necessary resources needed to achieve specific goals on specific individuals who will have the authority to allocate these resources to meet their respective needs. Decision making will occur at lower levels than today and be concentrated on individuals rather than collective groups. Success or failure will be more easily associated with specific people who can then be coached to improve or reassigned to positions better suited to their skills. With this fundamental change in how people are judged to be successful, the myriad of decisions necessary to run the organization will naturally fall out of the focus on making the Agency's missions successful.

Specifically, we recommend the following actions:

1. Continue with the current program/budget approach (since the Agency is in the middle of a budget cycle) and submit the FY2001 CBJB using the current process.

2. Use the next six months as a transition period to move from the current process to this new process.

3. Identify Mission Managers and implement the cost accounting process described above.

4. Recast the already submitted FY2001 program/budget utilizing the new process and assign these costs to Mission Managers by March 2000. The initial goal is to just move to a new process, not to revisit operational decisions. This step should start to uncover pockets of expenses that have little or no mission relevance and for which no Mission Manager is willing to take responsibility.

5. Begin managing to the new process after March 2000.

6. Have the new process finalized and in place by June 30, 2000, develop the FY2002 program/budget using the new paradigm.

Key Management Practices

We evaluated current Agency management practices to determine legacy patterns that should be changed to make NSA most effective. Unlike most government organizations that contract the majority of their work, the Agency's culture is to do the work internally. This culture is based on a predominant elite work force in the 1970s and 1980s that maintained its hegemony over the private sector. NSA became a leading industry in the collection and processing of SIGINT and the protection of the nation's Information Security (InfoSec). However during the 1990s two key events occurred that have caused a significant problem at NSA. First, the rapid expansion of cyberspace and global networks, and second, the decrease of the Agency's budget as a result of the end of the cold war and the overall reduction in the DoD Budget. As a result of these two events, NSA can no longer lead the private sector, and the present management practices in the Agency must be changed to accommodate this new reality.

We specifically selected five key management practices that are lacking in the Agency and developed recommendations to address this problem. The five management practices are:

Business Planning

To properly utilize its decreased resources in an expanding commercial field, the Agency must perform astute business planning for all of its programs as is done by the leading commercial companies. It is necessary to go back to basics and evaluate the main elements of business planning for each of the mission areas:

A NSA Business Plan should consist of the following six areas:

Business Description: The Agency must evaluate its business by clearly identifying and stating its principal products or services, markets and applications. NSA must continue to strive for excellence in those areas where it is supposed to have a distinct competence that is related to a need. As in the case of a commercial company, the Intelligence Community must be able to evaluate NSA's business and determine if its products and services are being served properly by the present institution.

Market Analysis: The Agency must analyze its industry as part of the global commercial infrastructure. Companies in the commercial sector doing work related to NSA's mission are expanding rapidly. Does this imply that the Agency must have all the equipment and personnel to address this rapid expansion? Is the Agency going to continue to concentrate in pursuing traditional SIGINT missions in this new communication infrastructure? As part of its business plan, NSA must analyze and clearly state the business implications of the present trends in the industry and prioritize its functions to provide the highest possible return with the available dollars. This analysis cannot be performed in isolation but must be performed with the assistance of all stakeholders.

Technology Research and Development: The Agency must continuously evaluate the status of the current technology to avoid obsolescence and react quickly to acquire new technologies or scientific approaches that may become essential in the next few years. Similarly, NSA must have a dynamic basic research and exploratory development program in those areas critical to the mission where the private industry is not investing to develop the same technologies. NSA must not duplicate technology research being performed by the private sector but rather buy their products or support their research.

Manufacturing Operations: The Agency must evaluate its product/service production and operations. Is the present level of production or operations commensurate with the resources being allocated to those tasks? The critical paths in the development of products and services should be to ensure no interruption in the production/operations pipeline. Since the cost of producing products or providing, services is a function of the volume, economies of scales should be used to provide a best value product/service whenever possible.

Management, Organization, and Personnel: Business planning must be performed to ensure that the Agency employees assigned to the various tasks have the correct set of skills to do the job. Management must make whatever staff changes are required to deliver the required products and services (see the chapter Business Model - Organization). Proper business planning cannot be performed without empowering NSA senior leadership to make the trades required to optimize the products and services being delivered.

Funds: A business plan must contain the required funds to accomplish the various tasks. This fund allocation process in the business plan should be a key element of the five-year budget submission (see the chapter Business Model - Resource Management). NSA should justify the funds required to execute its mission during the next five years and submit the appropriate plan to Congress via the CBJB. The present draft NSA business plan does not address all the elements of a business plan as described herein and it should be revised to incorporate them.

Specifically, we recommend the following, actions:

1. Task the COO to develop a business plan that includes the six elements above.

2. Ask the COO to hire people with systems engineering skills to develop the business plan and to allocate resources for the proposed products and services.

3. Contract for a series of lectures in business planning, to be given to the senior leadership and the COO group, to make everybody aware of the importance of proper business planning.

Strive to emulate business planning in the commercial sector.

Make Versus Buy Decisions

Once intelligence needs have been approved and a SE assessment has been made to determine what products or services need to be developed to meet the requirements, NSA must consider whether these products or services should be provided internally or should be outsourced to industry. That decision process is usually referred to as the "Make Versus Buy Decision."

Traditionally, NSA has depended on its own people to supply whatever is needed to meet its intelligence needs. But with the recent growth of the global network and the many new technologies being developed by the private sector, it is necessary for NSA to have a carefully orchestrated process to execute make versus buy decisions. Presently, make versus buy decisions are not based on the business case because the Agency does not run like a business. The present model assumes that labor is free, utility and space are also free and only component cost is compared with the cost of outsourcing the product when doing a make versus buy decision. This erroneous process does not provide the correct answers and therefore does not provide the best value to the government.

Over the last thirty years NSA has hired many government employees to perform jobs that are best done by the private sector. Government employees perform both core and non-core tasks. The present culture is to attempt to do all the jobs in-house, with whatever resources become available, and if NSA does not have sufficient people to do the job, SETA contractors are hired to extend the government workforce.

Specifically, we recommend the following actions:

1. Task the senior leadership to establish a process to:

2. Select a task force to determine which functional areas should be considered a core competency area that must be maintained in-house.

3. Develop a framework to outsource all non-core competency programs, such as information technology in DDI and some of the functions being performed by the DDCM and DDS.

4. Nominate a task force to evaluate the present "Groundbreaker Program" and make specific recommendations in the Information Technology modernization plan.

5. Do not require the eventual contractor of any new outsourced program to hire 100% of the current workforce. Abolish most government jobs when the products or services are being outsourced.

Investing in the Vision

NSA must struggle to modernize because the Agency's culture, organizational structure and processes are focused on today's operational problems at the expense of focusing on future challenges. The Agency has a tendency to support current SIGINT programs at the expense of developing new methods to deal with the global network. The recommended organizational structure (see the chapter Business Model - Organization) establishes a special place under the SIM for the Global Response Mission. The SIM must evaluate all intelligence requirements and perform the SE analysis to determine if the needs are best met using Global Response, Tailored Response or the Global Network. The funds for the Global Network should keep increasing every year while the funds for the most traditional missions should decrease.

Traditionally, NSA has been unable to stop any ongoing program when faced with budgetary constraints. Instead, the Agency makes uniform, across the board cuts that damage future programs in order to preserve legacy programs. The Agency should not exist to support the legacy infrastructure but to meet current requirements while it prepares itself for the new challenges facing the industry.

Specifically, we recommend the following actions:

1. Hire business people with a proven innovative track record from the leading commercial companies in this field and from other parts of the U.S. government (even if some of these people have to be borrowed from other parts of the U.S. government).

2. Ensure NSA's Mission is being shifted to address the needs of the emerging global network.

3. Evaluate the budget by determining which functions cannot be accomplished, discuss them with the stakeholders and then either transfer or discontinue those programs that cannot go forward.

4. Do not sacrifice any portion of an essential emerging program to meet the needs of the legacy program that is being phased out.

People and Culture

We interviewed about one hundred people in the Agency, including most senior leaders, and asked very specific questions about the way people operate and the embedded culture. We learned the Agency is a very bureaucratic government organization, and that most of the behavior patterns were established during the 1970s and 1980s when there was plenty of money to execute its mission. NSA appears to operate like an entitlement program. Most people in the Agency are highly motivated and work very hard, but a portion does not.

We also found a leadership culture that appears most interested in focusing on their positions and protecting their people's jobs at the expense of accomplishing the mission.

Most of the people at NSA are hired night out of college and spend their entire lives in the Agency. Regardless of their work performance and their job responsibility, the Agency promotes people roughly at the same rate. The institution encouraged people to get deeply involved in the promotion process, to the point that civilian personnel wrote their own promotion reports, and supervisors endorsed the reports even if they did not agree, mostly to prevent animosity.

However, the most critical aspect of the people and culture in the institution was the mindset related to lack of empowerment and accountability.

We summarize the major problems with people and culture in the Agency in the following, areas:


NSA's present culture overemphasizes loyalty to a particular function and its associated senior leadership, instead of full and frank discussions of problems, issues and concerns. This has created a culture that discourages sending bad news up the chain of command. The staff knows NSA is falling behind and is not properly addressing the inherent problems of the emerging global network, and the present management infrastructure does not appear to be supporting the required changes.

In addition, we are concerned the present mindset fostered a society where people were afraid to express their own thoughts. Even though people spoke to us with true candor, they always wanted to avoid attribution because of the perception that the information was going to be used against them.

Specifically, we recommend the following actions:

1. Establish clear behavior expectations with the new leadership team. Ask them to support your agenda to change NSA and reassign those who choose not to sign on.

2. Communicate directly with the employees on a regular basis by using "DirectorGrams."

3. Send a "DirectorGram" encouraging employees at all levels to discuss issues and present dissenting viewpoints with coworkers and supervisors.

4. Make the Director more accessible to employees by holding more "All Hands Meetings."

5. Encourage discussion of controversies at Director briefings.

6. Emphasize that the purpose of NSA is not to protect itself or maintain the status quo, but to accomplish its mission. The Director should keep restating the mission and emphasizing the vision.

Communicate with the stakeholders about the new mindset based on openness and job performance.

(U) Agency Rejuvenation

Since NSA hires most of its employees directly from college and retains them during their entire careers, there is a lack of new ideas penetrating the Agency. Very few people are ever hired as middle or upper managers from the private sector. People get promoted from within and move up to the available jobs. Therefore, the Agency is perceived by many people (both within and without) to be insular and stagnant.

Many of the supervisors in the Agency do not have the courage to deal with controversial issues. This lack of courage by supervisors to address controversial issues and make difficult decisions leads to low morale. The situation becomes quite demoralizing when some people in the Agency believe that all that they have to do to get a paycheck and be promoted is to show up for work.

Specifically, we recommend the following actions:

1. Take advantage of organizational changes to consolidate resources, to become more effective and to abolish duplicative jobs.

2. Evaluate the claim that people who lose their Jobs or disgruntled employees within or without the Agency become a security risk. We have a criminal system to deal with security violations, and doing nothing is not an option because NSA's present direction constitutes a worse security risk. People should know that the Director has the right to abolish their jobs.

3.   Hire leading commercial companies in NSA core competency areas to present weekly seminars, describing the implications of the new global network.

Staffing Crisis - Specialized Skills

In 1999 NSA was able to hire only roughly 25% of the critical skill employees that had retired in the previous year. This disturbing trend will continue because the average age of the NSA civilian employee is 43 years. In three years, NSA is likely to lose a considerable number of critical skill employees, because 13 to 23 percent of all employees with critical skills become eligible for regular retirement in 2003, while 10 to 21 percent become eligible for early retirement in 2003.

Specifically, we recommend the following actions:

1. Be more aggressive in hiring young talents at leading universities by intensive recruiting, posting job availability, and advertising in newspapers and professional journals.

2. Form a task force to make specific recommendations about hiring middle and upper managers from the commercial sector.

Salary Level DISPARITY

One of the reasons why it is difficult to hire fresh talent from leading universities is because of a disparity in the salary levels offered to graduates. Salaries in the private sector for college graduates in critical career fields are about 30% higher than the Agency's level. The situation is even worse at the upper manager level because salaries offered by NSA to potential middle and upper managers are significantly lower than in the commercial sector.

Specifically, we recommend the following action:

Task the Director of Human Resources to develop a compensation system compatible with the commercial sector, emphasizing salary distinctions based on individual performance and marketplace value rather than longevity in federal service.

Promotion System

We believe there are three basic problems with the Agency promotion system for civilian employees. First, the promotion system appears to be based on seniority. Second, the promotion system to grades GG-14 and GG-15 are done at the Agency level instead of at the Key Component Level. Third, the Employee Promotion Assessment (EPA) system is not effective. We discuss each one of these separately and provide specific recommendations for each issue.

Promotion System Appears to be Based on Seniority: NSA claims that the present promotion system is based on performance, but in fact it rewards seniority. For example, after 12 years on the job, both the top core employees and the average non-core employees are making similar wages.

Specifically, we recommend the following actions:

1. Curtail the entitlement mentality embedded in the organization by making people realize that they must produce to get promoted and that if they do not produce they can be fired.

2. Send a "DirectorGram" to all employees emphasizing that promotion shall be based on performance and not on seniority.

3. Exercise existing authority to move more promotions to core functions (e.g. engineering, analysis) rather than support staff.

4. Ensure that; all promotions meet diversity requirements.

Promotion System to Grades GG-14 and GG-15. The present promotion system reinforces the lack of thrust and empowerment of supervisors, because promotion to grades of GG-14 and GG-15 are done at the agency level. This situation is not comparable with any other major government institution. Supervisors (even at high executive levels) feel frustrated because they do not have the authority to promote their own people to GG- 14 and GG- 15. This situation creates low morale across the entire Agency. Additionally, NSA leaders serving as GG 14/15 promotion board members spend a disproportionate amount of time addressing personnel issues instead of concentrating on the mission and vision.

Specifically, we recommend the following, actions:

1. Delegate GG-14 and GG-15 promotion authority to the respective key component levels.

2. Ensure fair promotion by balancing depth of experience and competence against career diversity and mobility.

3. Perform only one promotion board per year for each grade level.

4. Hold supervisors to meeting Agency policies with regard to diversity and equity.

Employee Promotion Assessment: There are two major problems with the EPA program. First, EPA sets a negative confrontation between supervisors and their subordinates, thus many supervisors sign the EPA to prevent animosity with the employees even if the supervisor does not agree with employee's comments. Second, employees spend too much time trying to promote themselves by investigating what other people have written in their EPA to help their own cause instead of doing their jobs.

Specifically, we recommend the following action:

Abolish the EPA program and emphasize that:

Military Personnel Careers

Since nearly 50% of the people working in the Agency are military, it is necessary for NSA to pay close attention to their career paths and performance. The Agency should select military personnel with the necessary skills to fulfill the Agency's missions. Seniority of military personnel at the Agency must be monitored because two patterns have emerged. At one end of the spectrum, some military personnel leave the Agency before they develop sufficient skills to be highly productive. At the other end, military personnel after two tours of duty at the Agency tend to become part of the insular organizational mindset instead of continuing to bring innovative ideas from other parts of the U.S. government. We also noted that many military personnel in the Agency are often not assigned to job commensurate with their capabilities.

Specifically, we recommend the following actions:

1. Encourage military personnel with specialized skills (e.g. linguists) to remain affiliated with the Agency over time.

2. Encourage military personnel with general management skills to get substantial experience outside NSA and its affiliates.

3. Become a strong advocate to promote military personnel based on performance.

4. Task the Deputy COO for Military Affairs to develop a military personnel utilization plan.

Stakeholders Relations

Although there are both internal and external stakeholders, this section will focus on the external ones. Internal stakeholders, which can include an individual's superiors, peers, subordinates and employees in other parts of the organization, are addressed elsewhere in this report (see the chapters on the Business Model - Organization, and People and Culture).

Stakeholders are individuals or entities with whom NSA is mutually interdependent. The key concept is interdependence. Just as any business would fail without its customers, NSA will fail if it neglects its stakeholders. They will go elsewhere to meet their needs, or Congress will eventually reassign some NSA responsibilities. By definition, NSA successes are intertwined with those of its stakeholders.

Right now, when stakeholders tell NSA that "NSA doesn't get it," the Agency simply repeats itself or talks louder. NSA needs its stakeholders and must hold itself accountable for producing results in partnership with them. Not only is a good business plan needed, but the Agency needs to communicate it effectively in terms that stakeholders understand. Telling stakeholders that they "don't understand" is not productive.

In terms of stakeholders, the intent is to influence, and to be influenced, by those key parties that affect NSA's ability to carry out its mission. The major challenge facing NSA in this effort is to communicate information in terms that stakeholders understand, as opposed to talking to them on "NSA" terms.

Stakeholders have a variety of relationships with NSA, and both the entities and the individuals representing them have multiple personalities. This means that the Agency must work with them in distinct ways. How NSA approaches the Secretary of Defense, who is in the chain of command, may be quite different from how NSA approaches the Secretary of State, who is not. Discussions with a Military Service Chief may be quite different from that with his own SCE, simply because of the level of technical discussion. And meetings with the Army SCE might need to be focused differently from those with the Navy SCE, due to the different corporate responsibilities and the different individual personalities.

We have broken the list of Stakeholders into four categories. We see these four as representative of interest groups that require different types of attention at the highest level. Within each group it remains important that NSA focus on the uniqueness of each organization and each individual.

The four major external Stakeholder groups are:

Congress and Taxpayers

Executive Branch

Department of Defense

Related Agencies (e.g. NRO, DIA)

Stakeholder beliefs do affect NSA in a significant way. If Congress is unhappy with NSA's behavior, it will affect the level of funding that NSA receives. Congress would like to give NSA more funding, but lacks confidence that NSA's ability to utilize the money wisely. Congress itself can be influenced by almost anyone on the above list. If the Secretary of Defense or the DCI is displeased with NSAs performance, they have direct operational control over what NSA does. Stakeholders are not to be feared, but rather incorporated into Agency thinking so that NSA can benefit from their involvement.

NSA's goal must be to understand the perspectives of each stakeholder. Relationships don't work well when either party is unhappy. Stating that the other party doesn't understand is not a solution. Neither taking an aggressive stance not standing in defensive silence is likely to provide a resolution. There will be give and take in each stakeholder relationship throughout the process. NSA must maintain a position on openness toward its stakeholders.

Stakeholder Relations Today

NSA stakeholder relationships today are very uneven. Much of this can be attributed to the historic insularity of the Agency, which grew up in a culture of "NSA doesn't exist and doesn't talk to people who don't work at NSA." While this is understandable in the context of valid security needs (which remain true today), the need for constructive change exists. In a resource-constrained environment, NSA can no longer ask for money saying "trust us."

Agency customers value NSA products, but they often believe that it is difficult to work with NSA. It is easy to conclude that the last thing the Agency needs today is additional tasking from enthusiastic clients, given the proliferation of missions that has created a severe resource and requirements mismatch. But reconciliation of that mismatch occurs in a different part of the managerial process (see the chapter Business Model - Resource Management) and is not the primary job for those who focus on stakeholder relations. The Agency must always facilitate all aspects of communications between and among stakeholders.

The Stakeholder Office is not simply a customer advocate. The Agency must be able to say both "yes" and "no" to its customers -- and doing so in a way that keeps them satisfied. And saying, "no" effectively means being able to communicate the rationale for the decisions in a manner which the customer accepts as reasonable. Without good stakeholder relations, the desired transformation of NSA cannot occur.

Stakeholder Goals

NSA's primary stakeholder relations goal is, therefore, both to understand their party's perspective and to simultaneously communicate NSA's to them. The overriding objective is constantly improved communication, bringing both parties closer together and making the working relationships constantly better. Each side needs to continually learn from the other and to improve the manner in which each does business. There will always be ways in which NSA can work better with other intelligence Agencies to meet growing threats in the future. We believe that more and more of NSA's work will be conducted in conjunction with other federal agencies, making effective stakeholder relationships increasingly important.

The Agency seems to have a mindset that stakeholder relations "has to be hard!" Aspects of the mission, of course, will always be hard. And some missions will be conducted at great personal risk, as attested to by the silent memorial in the main lobby. But hard doesn't necessarily mean painful. First of all, the Agency needs to identify the particular needs and issues of each customer. Distinctions need to be made between them, as would be done in relationships with different family members. The Agency needs to ask what NSA can do for them and keep in mind that it is not just what it does but the way it does it that makes a difference.

The Agency needs to be sure that the right people are in stakeholder jobs. Not everyone is a people-oriented extrovert, and not everyone wants to be "friendly" all of the time. Different people can contribute in different ways to the NSA mission. But those who are chosen to be in the "public eye" must be those who want to be there and, who enjoy being there, and can even take some "abuse" and keep smiling. NSA needs to pick people who fit and who want stakeholder jobs. These are not " sabbatical" positions.

The Agency needs to refine its corporate and personal communications skills. As we interviewed many employees it became clear that NSA generally talks like engineers. NSA will talk about the technic parameters of constructing a watch, describing gears and springs, when the customer simply wants to understand that we have just developed a better way to tell time. Even more important, NSA needs to learn to communicate what the ability to tell time might mean to a customer.

Specifically, we recommend the following actions:

1. Take personal responsibility for the Congressional Relationship in the near-term. Over-time, this responsibility should transition back to the new stakeholder relations staff.

2. Quickly staff the new stakeholder office. Stakeholder relations are important enough to be considered as a critical skill within the Agency and have a specific career path.

3. Benchmark similar successful operations in both government and industry with the purpose of identifying behavior patterns that can be copied and integrated into NSA.

4. Integrate benchmarking into a day-to-day working plan for the Agency. The new stakeholder staff should make written commitments to the Director of what it is planning to achieve over the coming year.

5. Implement broader executive exchange programs at multiple levels. Do the same to an increasing decree on the operational side of the Agency.

6. Articulate the Agency's message clearly, understand the audience(s) better and speak in a language that the audience(s) understands. Recognize that the strength of stakeholder relationships has a direct impact on the Agency's ability to succeed.

7. Have the Stakeholder Office report directly to the Director.

8. Utilize the support of outside experts for training and apply modern "people technologies" in support of NSA's modern technology mission.


We provided many recommendations throughout the report. The most important conclusions are:

1 . Update, complete and implement the vision and mission statements and disseminate the information broadly.

2. Change the organization, the underlying funding model, and management practices to enable accountability and empowerment of individuals closest to mission execution -- the "mission managers."

3. Charge responsible managers to invest in order to avoid technical and mission obsolescence.

4. Develop and emphasize business planning, program management, and systems engineering skills needed to meet changing environment.

5. Foster a new culture that emphasizes openness, flexibility, and personal performance.

6. Acquire, develop and keep skills necessary for future success.

7. Influence, and be influenced by, the Agency's stakeholders.

Correct the promotion system and emphasize that promotion is based on performance and job responsibility.


(names removed) [Notation in original.]

Transcription and HTML by Cryptome.