DeLong: NSA security reforms predate Snowden
- By Adam Mazmanian
- Aug 22, 2014
Compliance Director John DeLong also says explaining what NSA does is becoming a greater part of the agency's culture.
The National Security Agency had a series of security reforms underway before Edward Snowden surfaced, according to compliance director John DeLong.
When the leaks by Snowden, a former agency contractor, became front-page news last year, the urgency certainly increased, DeLong said. "For those who have lived it, either externally or internally, it feels more like a flood sometimes, not so much a leak," he quipped. But the move to thin-client solutions, efforts to reduce data exposure, a risk-based approach to systems administrators, and a switch to two-person controls for access to the most sensitive information were all in the works.
DeLong took over compliance at NSA in 2009, and since that time his shop has grown three- or four-fold, he said, to about 300 workers. Much of the growth has been in IT compliance, DeLong said. While the core mission of training staff to comply with existing law, Foreign Intelligence Surveillance Court rulings, and directives from the Justice Department has been longstanding, there are now efforts to bake compliance into the technology itself.
"Compliance is everyone's responsibility at NSA but mine first and foremost, to make sure people are set up for success: So that rules are consumable, trainable, testable, that machines can incorporate them directly into people's workflows, that we have spot checks, etc.," DeLong said.
While DeLong, who spoke at an Aug. 21 industry event hosted by FedScoop, did not dive into details, he did note that his staff is able to move quickly to respond to new policy. For instance, after President Barack Obama ordered changes to the domestic collection of bulk telephone metadata records, DeLong's team was able to put those changes into effect, in terms of training and technology.
One unanticipated benefit of the Snowden leaks, DeLong said, is that the NSA is now getting more comfortable with having a public face -- going out and explaining what it does, and what laws and orders authorize its activities. "We need to make sure we can describe what we're doing to the public," he said. "That's much more becoming part of the culture, part of trying to minimize surprise."
Adam Mazmanian is FCW's senior staff writer, and covers Congress, health IT and governmentwide IT policy.