The National Security Agency is behind on implementing internal data system controls aimed at assuring compliance with the domestic privacy protections in the Foreign Intelligence Surveillance Act, a watchdog found.
The NSA inspector general’s office, in an unclassified version of its semiannual report released on Monday, summarized its study of the agency’s system controls related to the law’s controversial Section 702, which allows counterterrorism programs to target certain non-U.S. individuals overseas under regulated conditions.
The IG “found that NSA did not have a necessary system control,” said the July 8 report covering October 2018 through March 2019. “The agency had previously identified this as a concern and has been working to implement a new system control. Until this system control is implemented, the agency will be at risk for performing queries that do not comply with” its authority under Section 702, which was the since-amended area of the law that former contractor Edward Snowden criticized in 2013 when he leaked highly classified information on NSA surveillance.
Though the original goal for implementing the new controls was December 2017, the NSA now plans to have a prototype ready by December 2020, the IG said.
The watchdog also criticized NSA’s data system security plans, which “are often inaccurate and/or incomplete,” the report said, citing data centers and equipment rooms not properly protected with two-person access controls and removable media that “are not properly scanned for viruses.” An eight-year-old effort to better monitor the authorization of software and hardware purchases by contractors still needs finalization, auditors found.
The inspector general “also found that some aspects of NSA programs it examined were working well, and it recognized a number of best practices that could be replicated across the agency,” the report said. The agency closed 69 out of 198 new recommendations to management during the six-month period, and closed out a total of 438 past outstanding recommendations.
The agency’s investigations division received 457 contacts on its hotline, resulting in 27 investigations and 64 inquiries, as well as 14 cases referred to the Justice Department for criminal prosecution. Disciplinary actions were taken against eight employees during the reporting period, resulting in one employee’s termination and four employees resigning or retiring in lieu of removal. The NSA recouped approximately $53,000 for contractor misconduct and $11,400 for employee timecard fraud.
Examples of uncovered employee misconduct included a GS-15 civilian found to have committed reprisal against a subordinate by threatening to fire the subordinate, who had made three protected disclosures. The investigative findings were forwarded to Defense Department IG, the NSA Employee Relations office, the Office of Personnel Security and the subject’s supervisor.
In another case, a former Senior Executive, “who at the time of the investigation was a reemployed annuitant and employee of a private company, recommended that a Senior Agency Technical Director meet with his private employer,” the report said. “The former Senior Executive recommended his current private employer to the agency as capable of meeting an agency procurement requirement. The OIG substantiated that the employee had used his public office for private gain, a violation of 5 CFR § 2635.702.”