

11 December 2006

Compare to 1999 NSA organizational studies:

http://www.nsa.gov/releases/relea00007.cfm


http://www.rand.org/pubs/monographs/MG187/

Top to Bottom and End to End
Improving the National Security Agency’s Strategic Decision Processes

This document has been withdrawn.


http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=A433055&Location=U2&doc=GetTRDoc.pdf

[198 pages, 9.5MB.]

Top to Bottom and End to End

Improving the National Security Agency's Strategic Decision Processes

Leslie Lewis, Roger Allen Brown, John Y. Schrader

 
 
[By hand] MG-187-NSA
 
 

Prepared for the National Security Agency
Approved for public release; distribution unlimited

RAND NATIONAL DEFENSE RESEARCH INSTITUTE

20050516 112

[Tag]
THIS DOCUMENT CONTAINED
BLANK PAGES THAT HAVE
BEEN DELETED

DISTRIBUTION STATEMENT A
Approved for Public Release
Distribution Unlimited


The research described in this report was prepared for the National Security Agency. The research was conducted in the RAND National Defense Research Institute, a federally funded research and development center supported by the Office of the Secretary of Defense, the Joint Staff, the unified commands, and the defense agencies under Contract DASW01-01-C-0004.

Library of Congress Cataloging-in-Publication Data

Lewis, Leslie.

Top to bottom and end to end: improving the National Security Agency's strategic decision processes / Leslie Lewis, Roger Brown, John Schrader.

p. cm.

"MG-187."

Includes bibliographical references.

ISBN 0-8330-3766-8 (pbk. : alk. paper)

1. United States. National Security Agency/Central Security Service--Evaluation.

2. Military intelligence--United States--Decision making--Evaluation. I. Brown, Roger, 1940- II. Schrader, John, 1940- III. Title.

UB251.U5L48 2005

353.1'234'0973--dc22

2005004834


The RAND Corporation is a nonprofit research organization providing objective analysis and effective solutions that address the challenges facing the public and private sectors around the world. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.

RAND® is a registered trademark.

© Copyright 2005 RAND Corporation

All rights reserved. No part of this book may be reproduced in any form by any electronic or mechanical means (including photocopying, recording, or information storage and retrieval) without permission in writing from RAND.

Published 2005 by the RAND Corporation
1776 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138
1200 South Hayes Street, Arlington, VA 22202-5050
201 North Craig Street, Suite 202, Pittsburgh, PA 15213-1516
RAND URL: http://www.rand.org/
To order RAND documents or to obtain additional information, contact
Distribution Services: Telephone: (310) 451-7002;
Fax: (310) 451-6915; Email: order[at]rand.org


Preface

The National Security Agency (NSA), established in 1952, is charged with the duty of protecting our nation's information systems (Information Assurance) and the gathering and interpretation of foreign signals intelligence (SIGINT). The NSA's missions necessitate that, although it is a Department of Defense (DoD) agency, it report to both DoD and the Director of Central Intelligence. Given the complexity of NSA's missions and the high operational demands on the agency since the collapse of the Soviet Union and, more recently, the September 11, 2001, attacks on the United States, it is necessary for the agency to have a seamless union with both its customer base and its external overseers and stakeholders. Of particular importance is the development and implementation of corporate strategic decision processes -- strategy and planning, capability needs, programming and budgeting, execution, and performance -- that provide an end-to-end management structure to ensure that the senior NSA leadership can identify its current and future needs, allocate resources, and assess the impact of its resource decisions on current, midterm, and long-term mission and transformational goals. Critical to NSA's strategic decision processes is that they must be responsive to DoD and Intelligence Community guidance and schedules.

This report discusses the RAND Corporation's work on the development and implementation of NSA's corporate strategic decision processes. The governance model selected by the NSA leadership is structured to be participatory; this model is hierarchical and if fully implemented provides an end-to-end, top-to-bottom, and bottom-to-top decision and management structure that will ensure that quality information is brought forward to the senior leadership to support informed decisionmaking.1 The report discusses how the RAND Corporation project team, working with NSA, defined and assisted in the implementation of the strategy and planning, capability needs, programming and budgeting, and some aspects of the execution processes. Subsequent work will discuss the further integration of the initial set of processes, the further implementation of a coherent budget structure, and the design and use of relevant performance metrics. The processes must also provide an audit trail of decisions, be repeatable, be well understood by the broader institution, and be credible. We also include interim reports and assessments on the corporate acquisition function and its support of the corporate decision processes in our appendices.

____________________

1 "End-to-end," as used in this context, refers to a closed-loop complete set of decision processes from initiation of a corporate vision and detailed plans to the measurement of outcomes of performance in execution. The "top-to-bottom" and "bottom-to-top" refer to first the flow of guidance and direction from the corporate (top) leadership to lower levels of the organization, which in turn inform the leadership on details for planning and performance activities.

This work should be of interest to individuals wanting to understand the importance of having corporate strategic decision processes within government organizations that are unique to the organization while also maintaining consistency with external overseers and stakeholders. The report should also be of interest to individuals seeking knowledge of how complex processes in large government bureaucracies are designed and implemented.

National Defense Research Institute

This research was sponsored by the NSA's Chief of Financial Management (CFM), Ethan Bauman, and the Chief of Corporate Planning, Requirements, and Performance (DC4), Rod Kelly. The study was done within the Intelligence Policy Center of the RAND National Defense Research Institute (NDRI), a federally funded research and development center sponsored by the Office of the Secretary of Defense, the Joint Staff, the Unified Commands, and the defense agencies.

For more information on RAND's Intelligence Policy Center, contact the Acting Director, Greg Treverton. He can be reached by email at GregTreverton[at]rand.org; by phone at 310-393-0411, extension 7122; or by mail at RAND, 1776 Main Street, Santa Monica, CA 90407-2138. More information about RAND is available at www.rand.org.


Contents

Preface

Figures

Tables

Summary

Acknowledgments

Abbreviations

CHAPTER ONE

Background and Introduction
Background
Concept of the Corporate Review Group
Decision Processes to Support the CRG
Purpose and Structure of the Report

CHAPTER TWO

Strategic Decision Processes
Corporate Strategic Decisionmaking Processes
The PPBE Process
Planning Phase
Programming Phase
Budgeting Phase
Proposed Changes to the PPBE Process, 2003
NSA's Strategic Decision Architecture and Corporate Processes

CHAPTER THREE

The CRG Concept and Its Implementation
Implementation of the CRG
Summary

CHAPTER FOUR

Linking Strategy and Planning with Performance
Background
Concept for Development of FY 2004-2009 Strategic Plan and FY 2006 Business Plan
Performance Metrics and Milestones
Corporate Summary

CHAPTER FIVE

The Corporate Capabilities Generation Process
Background
Concept of the NSA CCGP Concept
CCGP Management Thresholds
Essential Steps in a Capabilities Generation Process
Step One: Identify the Deficiency, Capability Gap, or the Need
Step Two: Document the Capability Need
Step Three: Validate the Capability Need
Step Four: Approval by the DIRNSA
Implementation of NSA's Corporate Capabilities Requirements Process
Assessment of Process
Summary

CHAPTER SIX

Corporate Programming and Budgeting and Execution Processes
Background
Concept of the NSA Corporate Programming and Budgeting Process
Implementation of the Programming Process
The PWG
Insights from the Initial Programming Cycle
Developing a Program Analysis and Evaluation Capability
Improving NSA's Budget Structure to Support Programming
The PWG Operates to Ensure Execution

CHAPTER SEVEN

Conclusions and Recommendations
Conclusions
Recommendations

APPENDIX A. Rebaselining NSA's Acquisition Function -- 2003

APPENDIX B. RAND Assessment of NSA's Acquisition Function and Supporting Decision Processes -- 2004

Bibliography


Figures

S.1. NSA's Corporate Structure and Processes
1.1. RAND Concept for NSA Oversight
2.1. Combined Programming and Budgeting Process
2.2. End-to-End Decision Process: Connecting Planning, Capabilities, Programming, Budgeting, Performance, and Execution
2.3. NSA's End-to-End Strategic Decision Processes
2.4. Linking Enterprise Strategy to Capabilities and Resources
2.5. Relating the Budget Structure Through Programs and Projects-Capabilities Approach
3.1. NSA's End-to-End Strategic Decision Processes-CRG
3.2. CRG Governance Structure, Spring 2003
4.1. NSA's End-to-End Strategic Decision Processes-Strategy and Planning
4.2. Top-Down Hierarchical NSA Metrics
5.1. NSA's End-to-End Strategic Decision Processes-Capability Needs
5.2. NSA CCGP
5.3. NSA Corporate Capabilities Generation and Acquisition Process Crosswalk
6.1. NSA's End-to-End Strategic Decision Processes-Programming and Budgeting and Execution
6.2. NSA's Financial Management Organization
6.3. The "Issue Slide"
6.4. Illustrative NSA Programming Trade-Off Chart
A.1. RAND 2001 NSA Assessments
A.2. RAND 2001 NSA Assessments Continued
A.4. RAND 2003 NSA
A.5. RAND 2003 NSA Assessments Continued


Tables

2.1. Hierarchy of PPBE Process Phases: Integrated Corporate End-to-End Strategic Decisionmaking Process Phases
5.1. Four Essential Steps in the NSA Capabilities Process
6.1. Capabilities to Support Programming and Budgeting
A.1. Status of NSA's Strategic Decision Processes
A.2. NSA SAE's Roles and Responsibilities


Summary

The National Security Agency (NSA) is a Department of Defense (DoD) agency and by nature of its missions and responsibilities is also part of the larger Intelligence Community (IC). The span of the NSA's missions and responsibilities oblige it to report to both the DoD and the Director of Central Intelligence (DCI) with regard to resources and mission performance. As a result of the necessity of reporting to the two organizations, the NSA must submit its plans and resource allocation decisions through both the DoD Program Objective Memorandum (POM) and the IC Intelligence Program Objective Memorandum (IPOM). Therefore, the NSA participates in the decisionmaking processes in DoD and the IC. Within DoD, the process is called the Planning, Performance, Budgeting, and Execution (PPBE) process.

In 2002, the Director of NSA (DIRNSA) determined that the NSA needed an end-to-end1 corporate strategic decisionmaking process that had established schedules and that provided the necessary information to both the DoD and the IC on NSA's planning and resourcing of its current, midterm, and long-term mission and transformational activities. The process also needed to be "top-down" in that it incorporated the external guidance provided by the national security goals and guidance established by the Secretary of Defense and the DCI. The externally defined goals needed to be translated into specific NSA goals that related to mission and transformation. The NSA process also needed to be "bottom-up" by making sure that corporate guidance and decisionmaking were informed by the organizations performing mission and mission-support activities.

____________________

1 "End-to-end" describes a set of processes used cyclically to establish objectives and priorities, allocate appropriate resources, and take the steps to ensure execution in a linked and integrated manner.

The foundation of the NSA's strategic decision processes was the establishment in 2002 of the Corporate Review Group (CRG). The CRG is a forum convened by the DIRNSA and attended by the senior managers -- Deputy Director NSA (DDIRNSA), Chief Financial Manager (CFM), Senior Acquisition Executive (SAE), Directors of Signals Intelligence Directorate (SID) and Information Assurance Directorate (IAD), Deputy Chief Central Security Services (CSS) and the Chief of Staff (CoS) -- for the purpose of reviewing and discussing key issues affecting the agency's mission and transformation. The CRG is an advisory body to the decisionmaker, the DIRNSA, and is designed to raise and discuss key topics affecting the NSA's mission and transformation. The CRG's purpose is to ensure that the DIRNSA and DDIRNSA have sufficient information to make informed decisions. The CRG is responsible for:

____________________

2 Corporate Review Group Structure Meeting, May 10, 2002.

The CRG is supported by a set of integrated strategic processes designed to provide quality information to the leadership. Five interrelated processes -- strategy and planning, capability needs, programming and budgeting, execution, and performance -- underpin the CRG.3 The DIRNSA established the Office of Chief of Planning, Capabilities, and Performance (DC4) to manage the corporate processes and the CRG. The DC4 is the secretary of the CRG. The CFM manages the programming and budgeting and execution processes.

____________________

3 Although acquisition is part of the strategic decision processes, it is discussed in this work in terms of how it functionally relates and informs the other processes. Earlier work done by the project team addresses acquisition's role in the corporate strategic decision processes. See Lewis et al. (2002).

The NSA's processes are designed to be responsive to those operating in DoD and the IC, but they are also tailored to NSA's activities and culture. The NSA strategic decisionmaking processes are hierarchical and interactive as information is shared and refined through a set of working groups that inform each phase of the process. In several instances, a single working group performs different but related functions, depending on what phase of the process is operating. For example, during the planning phase, the Strategic Planning and Performance Group (SPPG) assists in the development of the NSA Strategic and Business Plans, but it also oversees performance at the strategic level. The ongoing performance assessments throughout the process ensure that NSA is assessing and measuring at each phase how it is performing against the goals and objectives contained in the strategic and business plans. Similarly, the Programming Working Group (PWG) assists in the programming phase but also performs during the budgeting and execution phases, although with some different members. The working groups' design ensures that the process is top-down and bottom-up and that issues are raised and debated and options are developed through each phase of the process, with performance assessment an integral part of the overall process.

Critical to the implementation of the recommended end-to-end process is a well-defined corporate architecture. Concurrent with the development of end-to-end strategic decision processes is the development of a coherent and logical enterprise architecture that ensures that the operational and business architectures are linked and mutually informed. The DIRNSA directed the Chief Systems Engineer (CSE) in the Directorate of Engineering (DE) to develop an enterprise architecture that is supportive of the corporate strategic decisionmaking processes. As of this writing, the enterprise architecture is still being developed, but the four architectural segments have been defined and are in operation. They are Signals Intelligence (SI), Information Assurance (IA), Corporate Business Services (CBS), and Information Technology and Infrastructure, which together constitute the totality of NSA activities and resource allocation. Figure S.1 shows the structure being developed and implemented at the NSA and the hierarchical relationships.

[Figure S.1. NSA's Corporate Structure and Processes]

The development and implementation of an end-to-end management architecture and supporting corporate decision process also necessitate that the NSA leadership keep track of the direct as well as the indirect costs of all the activities occurring NSA-wide. The DIRNSA and the DDIRNSA argued that they also needed the ability to have a single budget structure that incorporated the Consolidated Cryptologic Program (CCP) and Information Systems Security Program (ISSP). A single budget structure needed to be defined and established to provide this information.

The emerging corporate architecture and strategic decision processes also necessitated the development of a single, coherent budget structure. The project team first assessed the current SID and IAD budget structures to ascertain if any commonalities would aid in creating a single corporate structure. The team found a lack of consistency at the different levels with which the two organizations operate. Therefore, it was necessary to develop a common set of definitions:

The project team concluded that a common five-level4 budget structure needed to be developed that linked enterprise strategy to capabilities and resources. In August 2003, the DIRNSA approved the five-level budget structure and directed the CFM's office to oversee the continued realignment and standardization across the NSA. The next several paragraphs summarize the key processes and their implementation.

____________________

4 The NSA CFM has provided flexibility in the budget structure to accommodate user organizations that desire to add levels between the project level, level four, and cost-center level (the lowest financial level) for intermediate levels of management.

NSA Strategy and Planning Process

Between 1999 and 2002, NSA attempted to develop and implement several strategic and business plans with little or no success given that the plans did not fit within a broader strategic decision framework and management process. The Office of Corporate Strategic Planning and Performance (DC4) initially used the existing strategic and business plans with the goal in mind of establishing a more mature process in fiscal years (FYs) 2003 and 2004 to inform the development of the FYs 2006-2011 POM/IPOM.

In October 2003, a group of senior managers began work on identifying the issues associated with the strategic and business plans. The effort was supported by analysis done in the DC4's organizations. After reviews with the DIRNSA and DDIRNSA, four strategic goals were identified:

The project team found that the goals represented the key aspects of the NSA enterprise. The FY 2006 business plan is also well linked to the FY 2006-2009 strategic plan.

Corporate Capabilities Generation Process

Addressing the congressional concerns that NSA lacked a corporate requirements process,5 the DIRNSA directed the DC4 to establish the process. The process is designed to identify critical capability gaps that could affect NSA's ability to perform its mission. Through assessing the two business units -- SID and IAD -- it was discovered that both have a process but are driven by two different focuses. While IAD has a well-defined and understood requirements process driven primarily by external customer demands, SID's requirements process is patterned after the high-level process used by the Joint Staff that focuses on the development of the documents to support the DoD Joint Requirements Oversight Council (JROC) review of capabilities with joint utility or impact.

____________________

5 Note that during the course of this research, the federal national security community changed all its requirements processes to be focused on capabilities. Hence, those terms are used synonymously in portions of this report.

The corporate capability generation process (formerly the requirements process) must be hierarchical, inform external overseers, and identify capability gaps and capabilities needed by the DIRNSA to achieve objectives in the DoD Strategic Planning Guidance (SPG) and DCI's guidance. The capability needs are identified and adjudicated at the corporate level through a set of thresholds recommended by the project team and refined by NSA's senior leadership. The six thresholds are:

The NSA corporate requirements process takes place over a four-month period, and it contains these four essential steps: identify the deficiency or the need, document the need, validate the need, and approve the need. The NSA process consists of six well-defined activities, with each activity involving the major business units and the various enabler organizations working through the Capabilities Working Group (CWG):

The process was initiated in November 2002 with the appointment of a Capabilities Generation Process Manager. Since November 2002, tension has existed between the corporate process and those found in SID and IAD. Both organizations have argued that their individual processes were sufficient and that the corporate process is too intrusive.

Programming and Budgeting Process

The programming process was designed to use both the corporate planning process and the corporate capabilities generation process (CCGP) to build a corporate set of programs based on strategic priorities and validated requirements. A new element toward the approach of a corporate programming process was the establishment of a Director's Withhold of Resources, which could be applied during the process to programs that required special attention to either solve long-standing problems or fund new initiatives that accelerate transformation. Each expenditure center was allocated a funding total for the program based on the previous programming and budgeting cycle. The amount was reduced by 2 percent, which was placed in the Director's Withhold, to ensure that he has sufficient funds at his discretion. Early discussions of the programming process identified the long-standing problem of the need for a corporate financial management system.

The PWG goals were introduced at its first meeting: increasing visibility and openness, improving collaboration, ensuring program integration, validating changes to the database, and institutionalizing process and structure. The most ambitious goal for the PWG was ensuring program integration, which it defined as ensuring that all projects are understood by all enablers and are funded appropriately. To obtain the needed information to portray the status of programs NSA-wide, the PWG developed an "issue slide," which served as a common document that would present program decision information including the programmed resources and proposed changes. It was also the goal of the leadership that the PWG would be responsible for addressing and balancing the NSA portions of four defense programs -- the ISSP, the Defense Cryptologic Program (DCP), the Defense Counterdrug Intelligence Program, and the Defense Airborne Reconnaissance Program -- and one IC program -- the National Foreign Intelligence Program (NFIP) CCP.

Throughout the process, frequent interactions with the CRG occur. These interactions present issues to leadership for guidance and review as well as recommendations from the senior managers for approval to pursue a particular course of action. Although most participants viewed the first PWG as very successful, it was very labor-intensive and could not address all of NSA's programs. The single greatest deficiency in the development of a corporate programming process at NSA is the inability to provide independent analysis of program alternatives. In FY 2004, the CFM attempted to establish this capability within the financial management function. Further work needs to be done in logically grouping resources to better inform corporate decisions. NSA was able to complete the first year of implementing the programming process with a functioning PWG that gained the trust of leadership and the components to provide an objective process to present information and balanced recommendations for DIRNSA decisions.

Findings and Current Status

Since 2002, NSA has made great strides in developing and implementing robust and responsive corporate strategic decision processes. Several of the recommendations made by the RAND project team built on either existing processes or ones that had at one point been operating at the agency. To have a successful corporate strategic decision process, it was paramount to take into account the NSA culture but at the same time ensure that the external overseers and stakeholders were provided with the necessary information. Critical to the success and implementation of the corporate strategic decision processes was the establishment of the CRG and consequently the supporting office, the DC4. The CRG operates as the corporate governance framework through which the processes are able to provide critical information to the senior leadership. The DC4 operates as a neutral figure, providing support, objective analysis, and development of options for the senior leadership for review and decision while concurrently maintaining an audit trail. The project team feels that the one flaw in the design is that the DC4 is a staff organization that reports up through the Chief of Staff organization. The DC4 should have a direct reporting line to the DIRNSA because of the sensitive issues he addresses. The corporate performance metric activities should also be placed under the DC4 organization to ensure that performance is an integral element of office-assigned responsibility for managing the corporate processes. The project team also argued that the current alignment of the programming function with budget and execution should be sustained.

The most difficult task in establishing working corporate strategic decision processes has been the dialogue between the business units and the corporate processes. While the first formal cycle of the planning, corporate capabilities, and programming process was difficult in terms of developing a common template for discussion and decisionmaking, the FY 2006-2011 POM/IPOM cycle appears to have been smoother with fewer contentious issues emerging.

As of the completion of this report, the corporate strategic decision processes have been established, but their full institutionalization is still in progress. Full implementation, like any management of change effort, will require continued leadership involvement and cultural adaptation. Further work by this project team and NSA will focus on integration of the processes and identification of those processes within the mission and mission-support divisions that do not contribute utility to the corporate processes or mission support. In Chapter Seven, we provide some specific recommendations to further the integration, synchronization, and maturity of the decision processes and suggest some organizational and resource changes to assist further improvement. In the appendices, we also provide an examination of other corporate improvements through our assessments in 2003 and 2004 of the NSA acquisition function and its relationship to the corporate decision process as an added perspective on the structural and management changes during this period.

Acknowledgments

This report greatly benefited from the support and assistance we received from several people at NSA. In particular, we appreciate the assistance from the DC4 and the Finance Directorate (DF). We thank Rod Kelly, Chief, DC4, and Ethan Bauman, CFM, who fully supported the project throughout its duration, provided access to process deliberations, and were receptive to our interim recommendations for implementation. Our special appreciation goes to Lt. Gen. Michael Hayden, DIRNSA, and Bill Black, DDIRNSA, for ensuring that the research team was provided full access and was included in many sensitive decision discussions of the NSA senior leadership and the CRG to better understand the breadth and depth of decision options, comprehend the overarching importance of mission, and appreciate the cultural aspects of the agency with regard to decisionmaking.

We also thank the following individuals who gave much of their time as well as provided invaluable insights: Bonnie Kind, Gary Mullen, Cathy Blemley, Jim Hartney, Harry Gatanas, and Roger Carter.

We also appreciate the valuable assistance provided by several colleagues at RAND who contributed to this report. We especially appreciated the support and counsel throughout the project from our NDRI Intelligence Center program director, Kevin O'Connell. This report also benefited from the insightful comments and suggestions of RAND reviewers Harry Thie and Greg Treverton, and the superb efforts of our assistant, Abigail Chapman, who edited and prepared the report for publication. We also thank Dan Sheehan for his fine editorial work in helping this report get from manuscript to publication.

The content and conclusions of the report, however, remain solely the responsibility of the authors.


Abbreviations

ACAT 1 Acquisition Category 1

ACAT/1A Acquisition Category 1A

ADMP Architecture Development and Management Plan

ADBPL Acquisition Development Program Baseline

AoA Analysis of Alternatives

APG Annual Programming Guidance

ARB Acquisition Review Board

ARC Acquisition Resource Center

ASD (C3I) Assistant Secretary of Defense (Command, Control, Communications and Intelligence)

ASD (NII) Assistant Secretary of Defense (Network and Information Integration)

CAIG Cost Analysis Improvement Group

CAO Corporate Assessment Office

CA/CSE Corporate Architect and Chief Systems Engineer

CCGP Corporate Capabilities Generation Process

CCP Consolidated Cryptologic Program

CCRD Cryptologic Capstone Requirements Document

CEPR Corporate Executive Program Review

CFM Chief Financial Manager

CIO Chief Information Officer

CJCS Chairman, Joint Chiefs of Staff

CJCSI Chairman, Joint Chiefs of Staff Instruction

CMM Cryptologic Mission Management

CMS Community Management Staff

COO Chief Operating Officer

CoS Chief of Staff

CRDs Capstone Requirement Documents

CRG Corporate Review Group

CSE Chief Systems Engineer

CSS Central Security Services

CWG Capabilities Working Group

DAWIA Defense Acquisition Workforce Improvement Act

DC4 Office of Corporate Strategic Planning and Performance

DCI Director of Central Intelligence

DCP Defense Cryptologic Program

DDIRNSA Deputy Director of NSA

DE Directorate of Engineering

DF Financial Directorate

DIRNSA Director of NSA

DoD Department of Defense

DOTMLPF Doctrine, organization, training, materiel, leadership and education, personnel, and facilities

DRB Defense Resources Board

EAB External Advisory Board

ERB Executive Requirements Board

ESE Enterprise Systems Engineer

EWG Enablers Working Group

FMS Financial Management Systems

FY Fiscal year

FYDP Future Years Defense Program

GC General counsel

HR Human Resources

I&L Installation and logistics

IA Information assurance

IAD Information Assurance Directorate

IC Intelligence Community

IPOM Intelligence Program Objective Memorandum

IPT Integrated product team

ISSP Information Systems Security Program

IT Information technology

ITIS Information Technology and Information Systems

JCIDS Joint Capabilities Integration and Development System

JMIP Joint Military Intelligence Program

JROC Joint Requirements Oversight Council

JWCA Joint Warfighting Capability Assessments

MAA Mission Area Analysis

MDA Milestone Decision Authority

MOE Measure of effectiveness

MRB Mission Review Board

NCS National Cryptologic School

NDRI National Defense Research Institute

NFIP National Foreign Intelligence Program

NGA National Geospatial-Intelligence Agency

NIMA National Imagery and Mapping Agency

NRO National Reconnaissance Office

NSA National Security Agency

NSDD National Security Decision Directive

NSSD National Security Study Directive

NTO NSA Transformation Office

OIPT Overarching Integrated Product Team

OMB Office of Management and Budget

ORD Operational Requirements Document

OSD Office of the Secretary of Defense

OTA Office of Technology Assessment

PART Program Assessment Rating Tool

PBD Program Budget Decision

PDM Program Decision Memorandum

PE Program element

PEO Program Executive Office

PFR Program for Record

POM Program Objective Memorandum

PPBE Planning, Programming, Budgeting, and Execution

PWG Programming Working Group

QDR Quadrennial Defense Review

QPR Quarterly Program Reviews

R&D Research and development

RDT&E Research, development, test, and evaluation (programs)

RWG Requirements Working Group

SAE Senior Acquisition Executive

SALT Senior Agency Leadership Team

SCRD SIGINT Capstone Requirements Document

SEAB Systems Engineering and Architecture Board

SETA Scientific Engineering and Technical Assistance

SecDef Secretary of Defense

SI Signals intelligence

SID Signals Intelligence Directorate

SIGINT Signals intelligence

SLA Service-Level Agreement

SLG Senior Leadership Group

SPG Strategic Planning Guidance

SPPG Strategic Planning and Performance Group

SROB SID Requirements Oversight Board

STO Strategic Transformation Organization

UCA CRD Unified Cryptologic Architecture Capstone Requirements Document

USAF U.S. Air Force

UCAO Unified Cryptologic Architecture Organization

UFA Unified Cryptologic Functional Areas

USD (AT&L) Under Secretary of Defense for Acquisition, Technology, and Logistics


CHAPTER ONE

Background and Introduction

Background

RAND's 2002 report on the National Security Agency's (NSA's) strategic decision processes provided recommendations on how NSA oversight might be improved.1 In that report, two types of oversight were addressed -- internal and external. The internal oversight recommendations focused on ensuring that key organizations and managers are either involved in the strategic decisionmaking or are informed of key decisions that affect their work and the overall NSA mission. The external oversight recommendations sought to improve the knowledge of external stakeholders, customers, users, and partners and increase the transparency of NSA's strategic decisions that impacted the mission.

____________________

1 The recommendations are taken from the RAND report on the NSA. See Lewis et al. (2002, pp. 45-48).

The RAND project team sought to improve oversight by adapting existing organizations and structures. In cases where a function was absent (e.g., external oversight), RAND provided recommendations on how the function might be established by adapting existing organizations and structures with little or no disruption to current NSA structures. Although the project team attempted to use existing structures, the primary objective was to ensure that the process was disciplined and therefore applied the analytic templates of hierarchical decisionmaking; separability and independence; and supply, demand, and integration.

The 2002 RAND project team found that the Signals Intelligence Directorate (SID) and the Information Assurance Directorate (IAD) managed the major program funds (i.e., the Consolidated Cryptologic Program [CCP] and the Information Systems Security Program [ISSP]) with little or no corporate visibility. Because the two business units were mission-centric, most of their focus was on meeting near-, mid-, and some long-term mission requirements. SID, the dominant organization in NSA, began to design a series of strategic decision processes that managed SID requirements, program reviews, and investment management. The directorate also had its own strategic and business plans. SID's management of the Unified Cryptologic Architecture Organization (UCAO), the overarching architecture for signals intelligence (SIGINT), gave it the authority to oversee all critical aspects of the SIGINT mission. SID represented major SIGINT programs in all external forums -- the Joint Requirements Oversight Council (JROC) and the IC Mission Review Board (MRB). The NSA enablers were subordinate to SID and IAD in that they received their funding from the two business units. All enabler programs had to be approved by either SID or IAD prior to being funded.

The primary result of this decentralized model was that the business units identified operational requirements and subsequently linked to and justified all resources through them. More important, although SID and IAD endorsed NSA's transformational goals, they were captive to mostly near-term operational requirements because of the high volume of mission demands. Institutional requirements, or those requirements that ensure that NSA can perform its institutional support missions (e.g., security, physical plant, and infrastructure) but are only indirectly linked to the more specific business unit missions, were largely ignored. Institutional requirements must be identified and their priorities established so that they are allowed to compete for resources with operational requirements that are directly related to mission (Lewis et al., 2002, p. 45).

In 2001, NSA had no formal mechanism by which critical management issues could be discussed and courses of action decided. The Director of NSA (DIRNSA) had abolished most boards, arguing that they were inefficient and provided few solutions. Most strategic decisions were negotiated between individuals or a small set of senior managers and the Deputy Director of NSA (DDIRNSA) and/or DIRNSA.

In February 2001, the DIRNSA formed an informal organization composed of selected senior managers within NSA. It was called the "Breakfast Club" and currently meets once a week or when critical agency issues arise. The official group consists of the DIRNSA, DDIRNSA, the Chief Financial Manager (CFM), the Senior Acquisition Executive (SAE), Chief of Staff (CoS), Directors of SID and IAD, the General Counsel, and the Chief of Legislative Affairs. The DIRNSA chairs the meetings. The group uses the meetings to coordinate courses of action associated with the NSA transformation or any pressing topic. Although the Breakfast Club in 2001 was an important step in sharing information at the corporate level, its true importance was its status as a corporate-level forum to raise and discuss problems and to advise the DIRNSA about solutions for decision.

The Breakfast Club was and is not a decision body supported by careful preparation and analysis or the development of fiscally informed options. Often, the Breakfast Club has met without prior knowledge of the agenda, although this void has been gradually addressed, requiring its members to provide discussion and advice without the benefit of analysis or broader staffing. Since 2002, the Breakfast Club's membership has become more inclusive. The Chief Information Officer (CIO) and the head of the Corporate Analysis Office (CAO) have been officially added to the meetings. Deputies from the enablers and SID and IAD also attend many meetings. The Breakfast Club does not have a formal charter.

In 2002, the DIRNSA formed the Senior Leadership Group (SLG). The SLG was composed of all the key business unit directors, associate directors, and key staff who report directly to the DIRNSA. It aims to provide and share information on important issues. The SLG is not a decision forum and operates with no written charter. RAND recommended that a forum was needed to be responsible for a variety of corporate-level activities that supported process oversight and NSA's transformation and was directly connected to resource decisions. It needed to have a charter, be supported by analysis, and operate as the principal agency decision forum. The initial recommendation called for formation of an Executive Requirements Board (ERB).

The ERB could raise and resolve many key issues before they reach the DIRNSA. The ERB concept adheres to the principles of hierarchical, structured, participatory decisionmaking. Most of the activities need to focus on agency-level process integration functions associated with strategic decisionmaking. The ERB would be chaired by the DDIRNSA and be charged with review of the business plan and related resource issues. Integral to its function would be establishing critical cross-functional measures of effectiveness (MOEs) and an ability to assess corporate resource implications.

The ERB would be the new authority for all corporate NSA requirements (e.g., institutional and operational). The board would periodically direct and review programs and their status. It would also obtain external assessments from users, stakeholders, and customers. The establishment and formal review of requirements at the agency level is one area that many recent external reviews of NSA had indicated was absent.

The ERB would oversee the management of the implementation of NSA transformation. This responsibility includes the synchronization of the architecture, planning, and execution. In addition, it would consider future mission requirements and their impacts on the agency, including assessment of NSA's ability to meet its future mission requirements. Importantly, the ERB would provide a critical mechanism for senior managers to provide information and feedback between midlevel managers and the DDIRNSA.

The ERB's functions and membership would be formalized in an NSA circular. The meetings would be biweekly and scheduled for no more than 90 minutes. They would consist of information exchanges between the DDIRNSA and the participants. Agenda items would be determined beforehand and consist of no more than three topics. The agenda items would be accompanied by a read-ahead package to inform the participants about the topics two days before the meeting. The meeting would have about 20 minutes of open discussion before actions were decided. One ERB meeting per month would focus on a major requirements review. The ERB would have a secretariat to record minutes of the meetings, manage agenda items, and provide read-ahead packages.

The ERB concept was designed for a small number of people "to ensure that decisions could be made." The DDIRNSA would chair the meetings. The permanent membership would consist of the director of SID, director of IAD, the CFM, and the SAE. Other functional managers or subject-matter experts would participate in ERB meetings as appropriate to inform decisions on selected issues or requirements.

RAND also suggested that a smaller and more disciplined version of the Senior Agency Leadership Team (SALT) be reinstated. The DIRNSA argued that the SALT and many other management boards and committees were ineffective and that his former CoS, under his direction, had painstakingly abolished them. He further noted that agendas were rarely followed and that too many "midlevel" managers were involved. He preferred to utilize the Breakfast Club and something equivalent to the ERB and then to assess their effectiveness before establishing another committee or board. The DIRNSA also indicated that he wanted to sustain a flat organizational and hierarchical management structure. The senior functional and operational managers were responsible for keeping the midlevel managers informed. The DIRNSA did not want large numbers of managers directly reporting to him or to the DDIRNSA.

The RAND assessment also found that NSA lacked sufficient oversight mechanisms to provide external customers, users, partners, and stakeholders insight into its resource decisionmaking and management. The lack of insight into NSA's decision processes and the resulting decisions was at the root of many of Congress's and the IC's oversight issues.

RAND recommended that NSA develop a hierarchical oversight management structure and outlined its concept of operations. The external and internal oversight would be managed through the External Advisory Board (EAB) and the ERB. The structure shown in Figure 1.1 illustrates the recommended EAB that includes the customers, partners, stakeholders, and users. The EAB interacts primarily with the ERB. The interactions consist of information-sharing and the raising of issues and their adjudication. The lower right-hand side of the figure shows how the congressional oversight might be addressed through formalized interactions with the ERB.

[Image]

The institutionalization of these fundamental internal and external oversight mechanisms would improve NSA's management, process integration, structure, and ability to address critical issues. The proposed structure is consistent with the DIRNSA's desire to maintain a relatively flat management system while it ensures that midlevel managers and external stakeholders, users, customers, and partners are included at the appropriate levels in NSA oversight and management.

Concept of the Corporate Review Group

In late March 2002, the DIRNSA concluded that the NSA transformation was not occurring at the pace that he had envisioned. Several key staff members recommended that he adopt the RAND recommendations concerning the formation of the ERB and the EAB. The DIRNSA reviewed the need to establish a corporate advisory board structure, considered how such a structure would support his responsibilities, and concluded that such a body was necessary.

The DIRNSA decided that RAND's recommendations for the formulation of the two oversight bodies would violate one of his goals: ensuring that the management and board structure was as flat as possible. Therefore, the RAND recommendations concerning the formation of the EAB and the ERB would be modified -- only one oversight board would be formed. It is called the Corporate Review Group (CRG) and would be the organizational structure that reviewed critical NSA issues with senior NSA managers and obtained advice on critical decisions, as well as informing external stakeholders.

The DIRNSA initiated this activity with the development of a formal charter. He wrote the charter himself to ensure that the CRG was formulated based on his vision. The CRG charter went through several revisions based on feedback the DIRNSA received from senior managers and the RAND project team. The resulting charter for the CRG contained six major areas: a mission statement, identification of functions, membership, executive secretary, implementation, and approval authority. The mission statement clarified that the DIRNSA's vision for corporate management is broader than just the establishment of the CRG. The mission statement outlines the goals of the CRG:

To better integrate, synchronize, and prioritize strategic and business planning, requirements, programming, acquisition, and fiscal operations at the corporate level of the Agency while providing our external stakeholders, users, partners, and customers visibility into the process. (NSA/CSS, 2002b.)

The CRG's mission statement also established the DIRNSA's intent to revise the previous decentralized management structure in which the two business units had predominated in NSA decisionmaking. The emerging model was more centralized, with a structured participatory dialogue among the two business units, corporate process owners, and supporting enablers. The DIRNSA decided that he would chair the CRG rather than delegating it to the DDIRNSA in order to ensure that top-level guidance was provided. The CRG's activities span eight broad tasks:

One of the most contentious issues in establishing the CRG is whether it is a decision body or a forum that provides information to the DIRNSA and DDIRNSA for their review, guidance, and decision. The functions of the CRG charter make it clear that the management model is centralized decisionmaking with decentralized execution that provides for structured participation from the business units and enablers to make informed decisions. For example, the charter specifically states that the CRG will validate and prioritize objectives and corporate requirements and review and approve NSA program budget submissions and strategic and business plans. In particular, the charter reiterates that one of the most important functions of the CRG is to ensure that such key corporate processes as requirements, mission capabilities and mission support interfaces, and transformational issues will be reviewed in the CRG. The establishment of credible corporate decision processes was one of the key needs that RAND identified in the NSA. The statement of functions indicates that NSA's senior leadership wanted end-to-end corporate decision processes established. The decision processes needed to include planning, capabilities, programming and budgeting, and execution to ensure support for both internal and external organizational demands.

The proposed membership of the CRG was also a contentious issue, particularly with the major business units, because the new corporate body usurped much of their decision authority. The RAND assessment found that earlier decision bodies had failed because they were too inclusive, thereby resulting in consensus-driven decisions, or they followed the lead of the major business units, which often lacked a corporate vision. The CRG was not designed to be a consensus body but rather to raise and debate key issues, including resource allocation, that affected NSA's mission and transformation and to provide recommendations and advice to the DIRNSA and DDIRNSA. Formal membership in the body and attendance had to be limited. The DIRNSA concluded that the CRG would be chaired by himself or in his absence by the DDIRNSA. The formal membership would consist of the DIRNSA; DDIRNSA; Deputy Chief, Central Security Services (CSS); CoS; Director, Signals Intelligence (SI); Director, Information Assurance (IA); SAE; and CFM. However, the senior leadership of the supporting enabler functions of NSA would be invited to attend the CRG meetings to ensure that all aspects of issues were aired prior to a DIRNSA decision.

Another controversial issue concerning membership was the role of NSA enablers -- e.g., such supporting functions as research, security, human resources, and education and training. Several representatives from different enabler organizations approached the DIRNSA about membership on the CRG. They argued that, given the critical role they played in accomplishing the mission, it was imperative that they belong to the senior members group to allow their supporting elements to have direct input and insight into corporate decisions. RAND countered that once the enablers became full members of the body it would be too large and complex, again running the risk of suboptimization. The DIRNSA agreed with the RAND proposal that representatives from the different enabler organizations should attend the CRG meetings but would not be formal members.

The DIRNSA also wanted the ability to invite selected nonmembers to attend the CRG when it is required to discuss a specific issue. The charter specifies that representatives from any NSA element can be called to present information at a CRG meeting.

Decision Processes to Support the CRG

Because NSA is a defense agency whose mission responsibilities are under the direction of both the Secretary of Defense (SecDef) and the Director of Central Intelligence (DCI), the NSA must answer to two reporting chains in terms of its capabilities, use of resources, and mission performance. Similar to a military department in the Department of Defense (DoD), it has the authority and responsibility to construct and execute a program to support the military for the SecDef that is included in DoD's budget. However, NSA must also construct and execute a separate program responsive to the demands of the DCI in his capacity as overseer and manager of the national intelligence mission. The goals and objectives of NSA's program are submitted to the SecDef in the Program Objective Memorandum (POM) and to the DCI in the Intelligence Program Objective Memorandum (IPOM). The DIRNSA participates in the resource decisionmaking processes in both DoD and the Intelligence Community (IC). In DoD, this process is called the Planning, Programming, Budgeting, and Execution (PPBE) system. The analogous process for the IC is called the Intelligence Program and Budget System (IPBS).

For NSA to participate effectively in DoD and IC resource management processes, NSA's decision processes must adhere to the structure and time lines of those operated by DoD and the IC and provide necessary information to support both external overseers. However, NSA's resource allocation and management processes must also accommodate the unique aspects of the internal NSA program to be responsive to NSA-identified demands that ensure that the future missions can be performed effectively and efficiently. NSA concluded that its current business processes did not sufficiently address the issues with the rigor and discipline necessary to support its various missions as well as its transformational objectives. In defining and establishing a disciplined end-to-end system of decision processes, NSA's ability to provide requisite information and meet external decision process time lines to essentially two bosses -- DoD and the IC -- was integral to the design. The strategic decision processes also had to perform certain functions -- identification of goals and objectives that include all of NSA and not just its two separate mission organizations, development of options, performance of trade-off analyses, and identification of key issues over time. The process also must be top-down in that the processes were informed by external guidance provided by the national security goals and from the SecDef and DCI. The process also needed to be sufficiently structured so that established top-to-bottom linkages were used to clarify corporate goals and the associated resource issues. Any proposed process had to include analytic tool support and linked databases.2

____________________

2 These issues are not unique to NSA. NSA, like the National Geospatial-Intelligence Agency (NGA), reports through two management structures, which necessitates that they have well-articulated and understood strategic decision and resource management processes. See Lewis, Coggin, and Roll (1994) for a discussion of how U.S. Special Forces addressed many of the same issues.

Purpose and Structure of the Report

Building on the prior RAND research and recommendations, NSA asked RAND to assist in the development of an end-to-end corporate strategic decisionmaking process. This report documents the work on the development and implementation of these corporate strategic decision processes. The next five chapters discuss in detail the concept, development, and institutionalization of NSA's strategic decision organization and processes: Chapter Two, an overview of the corporate-level strategic decision processes; Chapter Three, the CRG; Chapter Four, strategic and business planning; Chapter Five, the Corporate Capabilities Generation Process (CCGP); and Chapter Six, programming and budgeting. Each chapter discusses the conceptual model for the individual process, the implementation of the process, and the difficulties encountered during implementation. Chapter Seven contains the research conclusions and next steps. The appendices provide additional perspective through the RAND research team's assessments of NSA's acquisition function, done in 2003 and 2004, and discuss the relationship of acquisition to the corporate decision processes and other supporting corporate functions, such as systems engineering.


CHAPTER TWO

Strategic Decision Processes

Corporate Strategic Decisionmaking Processes

The development of corporate decision processes is critical to the management of NSA. The corporate processes, if implemented correctly, provide a structured way for the senior leadership to plan, program, and budget the agency's various activities -- transformation initiatives, divestiture, and mission. Every organization, whether in the private or public sector, needs a process by which it identifies near-, mid-, and long-term goals and objectives, funds the initiatives, and tracks their performance. In industry, the corporate strategic processes run the gamut from being highly structured activities with two- to five-year time horizons to ad hoc processes with very short time horizons frequently operating in weeks or months. One indicator in the private sector of a company's maturity is its adoption of formal corporate processes. Private-sector strategic planning organizations can be small with simple direct processes. However, to be successful, they must represent what the leadership wants accomplished, work within the timeframes associated with an initiative, and then provide recommendations on how the corporate leadership might achieve the objectives. In the private sector, approved planning activities are usually funded by the Chief Operating Officer (COO) or the chief financial officer (in NSA's case, the CFM) because most large companies usually use a portfolio management approach. The portfolio management or product approach works in industry because companies are largely shaped by customer demands. The company's chief operating principle is to be responsive to customer needs in a profitable way.

Public-sector strategic decision processes tend to be more complex because of the numerous exogenous oversight bodies and external decision processes to which they must respond. Government organizations, such as NSA, are often highly complex bodies that, although driven by mission (e.g., customer demands), must also manage large workforces, develop many different products, follow government regulations, adhere to external guidance, and conform to external decision processes (i.e., DoD, IC-Community Management Staff [IC-CMS], Congress, etc.) -- all of which influence their activities and their funding. It is often for these reasons that private-sector business models applied directly to government organizations fail. While business decision models are predominantly driven by market demands, the demands on large public bureaucracies are more varied and complex. For example, the NSA cannot easily divest itself of a particular activity that it deems no longer core to its SI mission. Large external and internal constituencies consisting of congressional staffers, the CMS, DoD staffers, customers, mission partners, and NSA product line managers often work to maintain the status quo. Frequently, NSA managers are the strongest obstacles to divestiture. They want legacy and heritage systems to continue because they are well-understood systems with clearly defined processes. Finally, if all the various participants agree, the program must be formally canceled in the DoD and IC funding programs (e.g., Future Years Defense Program [FYDP] and in the National Foreign Intelligence Program [NFIP]). The complexity of the relationships often fosters process-laden bureaucracies that long ago lost sight of what information the processes need to yield in order to inform decisionmaking.

Management literature stresses that strategic decisionmaking processes must have certain attributes. The processes need to be transparent in that they are simple to define and well understood. The information they provide must have a clear audit trail and be credible. In complex organizations -- those with more than one business unit -- a single business cannot dominate an organization's overall decisionmaking process. The decision processes must be informed by sound analytics. They need to contain clearly defined outputs that link to the next phase of the process to form an end-to-end process. Every strategic decisionmaking process must have several distinct elements.

Another dilemma confronted by NSA and similar DoD-IC agencies is that DoD has relatively well-defined strategic decision and management processes, while those of the IC are underdeveloped and underresourced. Therefore, most of the agencies tend to mimic or mirror-image DoD's processes without understanding what information the strategic decision processes need to yield and their applicability to NSA decisionmaking. For example, the SID requirements process mirror-images the DoD JROC process, but only a fraction of SID's requirements and ensuing proposed acquisition programs meet JROC thresholds for review and approval.1 The SID frequently focuses more on process management than on defining technically sound requirements.

____________________

1 The JROC is the advisory council to the Chairman, Joint Chiefs of Staff (CJCS) to assist him in his duties to advise the Secretary of Defense on military requirements, programs, and force readiness.

In defining an end-to-end strategic decision process for NSA, the goal was to develop an NSA structure consistent with the DIRNSA's management structure and style while ensuring that the end-to-end system provided needed information in a timely manner to overseers (SecDef and DCI) and stakeholders (mission partners and other defense intelligence agencies). Given that the PPBE structure used by DoD is well developed, the project team used it as a starting point to define specific phases of an end-to-end structure. Once defined, each of the phases would be tailored in its design and execution to ensure that it met NSA's needs while being responsive to DoD and IC information demands and time lines.

The PPBE Process

PPBE is DoD's primary system for planning and managing defense resources. It links the overall national security strategy to specific programs. It was designed to facilitate fiscally constrained planning, programming, and budgeting in terms of complete programs (i.e., forces and systems), rather than through artificial budget categories.2 The goal is to determine needed capabilities that include forces and systems. PPBE is designed to elicit options and provide for an evaluation of these options in terms of costs and benefits. The output of the process, the defense program, is the official record of major resource allocation decisions made by the SecDef.

____________________

2 This discussion is based on an earlier body of work done by Leslie Lewis and Roger Allen Brown on strategic resource management. See, for example, Lewis, Brown, and Roll (2001).

PPBE is one of the SecDef's key management tools. The process provides the SecDef with the means to set and control the department's agenda. The goal is to frame issues in national, rather than service-specific, terms. The process, which includes documentation and databases, is intended to capture all important decisions affecting current and future defense budgets.

The process is not supposed to be linear, either during a phase or from one phase to the next. Rather than being a "lockstep" system, it is designed to be highly interactive. The PPBE process provides the forum for both the informal and formal debate of the issues and options at all levels of the DoD. To prepare for the formal debates, the decisionmakers and their staffs must interact with one another on an informal basis to share information, develop options, and even define a particular participant's strategy in the debate for resources. There is a hierarchy to the PPBE process (see Table 2.1). The planning phase starts with broad decisions involving the senior decisionmakers in DoD and progresses to the budgeting phase, where prior decisions are reviewed in detail to determine how they can best be implemented.

[Image]

Table 2.1 shows the key PPBE events as they have existed since the implementation of the two-year budget cycle.3 In practice, Congress has generally appropriated funds on an annual basis, and therefore the internal DoD process has been forced to compromise with the demands of producing a budget submission every year. From an external perspective, this behavior could resemble the one-year cycle that existed before 1986. DoD is currently attempting to implement a two-year POM/IPOM cycle.

____________________

3 The two-year budget cycle has never been fully followed since its initial implementation in 1986. Every year, the POM/IPOM has been updated, with every other year being a major POM/IPOM build. In May 2003, DoD issued a Management Initiative Decision (MID) that reimplements the two-year cycle. See DoD (2003a).

Planning Phase4

A new PPBE cycle usually begins with initiation of planning before a new budget is submitted to Congress. During the planning phase, whose horizon may extend 15 years into the future, the existing military posture of the United States is assessed against the various concerns, including national security objectives and resource limitations, available military strategies, and national security objectives contained in National Security Decision Directives (NSDDs) and National Security Study Directives (NSSDs).

____________________

4 Since the research for this report was initiated, the Office of the Secretary of Defense (OSD) has launched an initiative called Joint Capabilities Planning. The attributes of this initiative are similar to and consistent with those being implemented at NSA (OSD, 2004).

The Strategic Planning Guidance (SPG) is also informed by several planning documents developed by the Joint Staff for the Chairman, Joint Chiefs of Staff (CJCS). The national military strategy is developed by the Joint Staff. The Joint Staff also writes the Joint Planning Document, which defines the programming priorities and requirements to support the national military strategy. In addition, the Joint Staff further informs the SPG in the Joint Warfighting Capability Assessments (JWCA), which is an ongoing analysis done by the different elements of the Joint Staff that identifies requirements and capability gaps in nine warfighting mission areas (Roberts, 2002, p. 6). The JWCA provides inputs to the Chairman's Program Recommendations, which in turn informs the programming phase.

The output of the process is the strategic plan for developing and employing future capabilities. The planning phase provides the framework for identification of capability gaps (e.g., requirements). The plan is defined in the SecDef's SPG, which may be published in an early draft in November of the year before the next budget. The SPG contains the SecDef's top-level guidance for producing the defense program. It is responsive to the President's national security strategy, from which the national military strategy and fiscal guidance are derived, as set out by the President through the National Security Advisor and OMB. It may also contain explicit program guidance regarding core programs that the SecDef wants the armed services and DoD agencies to fund in the POMs. The final version of the SPG is usually published in April or May of the year, with a POM due in August. The SPG may also direct studies that the services or elements of the Office of the Secretary of Defense (OSD) will perform to address issues of strategy and problems requiring additional analysis. The studies are designed to inform further guidance (DoD, 2003, p. 5).

In recent years, DoD has attempted to strengthen the planning function to ensure that it drives the programming and budgeting phases. In 2002, the SecDef concluded that the processes for strategic planning, identification of military capabilities, systems development and acquisition, and budget were not well integrated. DoD now seeks to strategically link, in a single-thread system, major decisions for acquisition, force structure, operational concepts, and infrastructure, starting with the SPG through the programming phase and into the budgeting phase. Key to this alignment is the Quadrennial Defense Review (QDR). The QDR is designed to identify DoD's major statement of defense strategy and business policy. It provides the single, hierarchical link throughout DoD that integrates and influences all internal decision processes (DoD, 2003a, p. 4; Bohls, 2002). The QDR submission is now aligned with that of the President's Budget in the second year of an administration (DoD, 2003a, p. 2).

Programming Phase

The transition from the planning phase to the programming phase (from the SecDef's perspective) falls somewhere between the issuance of the SPG and the submittal of the POMs by the military departments and defense agencies in the summer. The POMs are the resource programs that reflect the SPG and fiscal guidance. The POMs are reviewed by the Joint Staff and OSD to determine whether the service programs meet the SecDef's guidance. The programming phase looks five to six years into the future.

The Joint Staff's evaluation of the POMs appears in an internal document, the Chairman's Program Assessment. This assessment gauges the risks in the total force proposed by the services and defense agencies in their respective POMs. Included in the assessment is an evaluation of how well the POMs satisfy the requirements identified by the various component commanders.

OSD reviews the departments' POMs and the Chairman's Program Assessment. Based on these reviews, OSD raises "issues" if problems are identified during the reviews. These problems are then discussed, debated, and resolved within the Defense Planning and Resources Board, which consists of the SecDef and selected high-level decisionmakers in OSD. Frequently, individuals (usually assistant secretaries and service chiefs) involved in a particular issue are asked to attend a specific session. Decisions on programmatic issues are published in the Program Decision Memorandum (PDM) issued by the Deputy Secretary of Defense. In recent years, there have been two issuances of the PDM, referred to as PDM I and PDM II, with the first covering broad direction of service and agency program adjustments and the second dealing with selected major programs that required further analysis and deliberation.

Budgeting Phase

The PDM marks the end of the programming phase and the beginning of the budgeting phase. The reality is that the services and agencies have already begun to build detailed budgets when they submit their POMs. After they receive the Deputy SecDef's program decisions, they must adjust their programs and overall budgets to conform to the decisions. Their programs and budgets are submitted to the OSD Comptroller in the form of Budget Estimate Submissions (BES), following which hearings are held. Subsequently, the OSD Comptroller issues draft Program Budget Decisions (PBDs). Major issues may be heard in a Defense Resources Board (DRB) Budget Review, with final decision announced in a series of PBDs. The sum of the final PBDs when used to revise the various BESs becomes the President's budget for DoD, which is submitted to Congress.

Proposed Changes to the PPBE Process, 2003

OSD has initiated several activities to streamline the PPBE process. It is attempting to conduct concurrent program and budget decision processes. Integral to this process is the development of common data collection and management processes to achieve a standardized programming and budgeting data system. In addition to these activities, DoD is attempting to structure its decisionmaking and resource allocation around military capabilities. The emphasis on military capabilities is resulting in a revamping of the program element structure to provide a direct link among military capabilities, programming, and budgeting (DoD, 2003a, p. 5).

DoD has sought to increase coordination with the DCI in defense agencies whose assets they share. DoD's focus is primarily on tactical intelligence and reconnaissance activities and is captured in the NFIP and the Joint Military Intelligence Program (JMIP) (DoD, 2003a).5 This process was initiated with the establishment of the Office of the Under Secretary of Defense for Intelligence in 2003.

___________________

5 Three programs capture the totality of DoD and the IC: the FYDP that contains the defense program, the NFIP that captures the IC investments or special compartmented programs, and the JMIP that contains the joint community intelligence programs. The NFIP is developed based on guidance from DoD and the DCI about what capabilities need to be obtained to support defense and national missions. Each of these programs is a database that summarizes all forces, resources, and equipment associated with programs approved by the SecDef and/or the DCI and summarizes the changes that occur throughout the resource allocation process. See U.S. Army (2001-2002, p. 9-8); Roberts (2002, p. 1).

The most significant change is the concurrent management of the programming and budgeting phases. Because budget estimates are not forwarded immediately to the OSD Comptroller for review and approval as the program is being built, the robustness of the programming process has been questioned. The programming process needs to provide clear options within a programmatic and cost structure and not solely focus on budgetary issues. DoD maintenance of the discipline that a programming function can provide is critical while it is focused on budgetary analysis. Figure 2.1 shows the proposed combination of the programming and budgeting phases.

[Image]

NSA's Strategic Decision Architecture and Corporate Processes

Although large government agencies, such as NSA, are dominated by the desire to perform their mission effectively and efficiently, the market forces that drive industry cannot define NSA's business practices. Private sectors' "good business practices," such as effectiveness and efficiency, also apply to government bureaucracies, but how "good business practices" are achieved in government can be quite different from how they operate in the private sector. For example, the NSA cannot divest itself of a particular product or activity. The divestment of legacy systems and practices usually cannot occur as quickly as it can in industry, given that NSA's customers and stakeholders frequently are most comfortable with outdated systems and processes because the systems are known and reliable.6 As in industry, transformational activities in NSA must be driven from the top to the bottom. The leadership needs to provide policy and guidance on an ongoing basis to ensure that near-, mid-, and long-term goals are met. On the other hand, the functional business units, SID and IAD, must be allowed to perform their missions by providing ongoing mission support and to identify needed mission capabilities for near-, mid-, and long-term objectives. To manage the two different but shared aims -- transformation and mission performance -- the RAND project team recommended that the best governance model for NSA is a structured participatory process. No matter how NSA chooses to organize, it must perform planning, requirements, programming, and execution in an end-to-end process as directed by the DoD and IC decision processes. Inherent in the process is the ability to measure how it is performing as an organization. Figure 2.2 shows "the ideal" NSA structure and its linkages. The figure shows the corporate questions that must be asked in each phase of the process and how the different phases mutually inform one another. The process is designed to be iterative.

_____________________

6 These are broad generalizations, as are the broad strategic areas that corporations use in defining their strategic goal. Abundant numbers of case studies show how different industries rise and fall based on market demands. Many private-sector organizations look for a "single silver bullet" to resolve organizational or functional issues (Finkelstein, 2003, p. 140-165).

[Image]

Critical to the implementation of the recommended end-to-end process is a well-defined corporate architecture. The architecture consists of two interdependent pieces: the operational architecture and the business architecture. The corporate operational and business architectural pieces are linked and mutually informed by the corporate strategic decision processes. The business architecture is responsible for ensuring that the operational and institutional requirements are identified and assessed, priorities are set on them, options developed, and programs funded. The proposed architecture provides a multidimensional examination of NSA's missions, capabilities, and projects. The business architecture is responsible for recording and managing NSA's assets. All costs are collected in one of the five baselines: Information Technology Project Baseline, Business Project Baseline, Research Project Baseline, Acquisition Development Project Baseline, and Operations and Sustainment Baseline. The totals of the dollars and people found in these baselines account for all the financial resources in the NSA.

The development and implementation of an end-to-end management architecture and supporting corporate decision processes (as seen in Figure 2.3) necessitate that the leadership have visibility into the direct and indirect costs for all activities occurring at NSA. The leadership wants a single budget structure to provide this information, rather than pulling cost data from the separate SID and IAD structures. The current alignment is designed to reflect the CCP and ISSP budgets. The DIRNSA and DDIRNSA argued that, because NSA is developing a single corporate architecture and the supporting corporate strategic decision processes, NSA also needed the ability to have a single budget structure that incorporates the CCP and ISSP. The leadership must emphasize and adjudicate issues based on sets of capabilities that perform across an array of threats and activities that provide quick response, support improvement and cross-functional integration, meet dynamic customer demands, and support continuing and short-term activities. They also needed insight into infrastructure costs irrespective of the relation to specific missions. Importantly, the existing separate structures did not provide the needed synergy and linkages between the mission and infrastructure.

[Image]

____________________

7 This figure will be shown at the beginning of the next four succeeding chapters and identifies the process being discussed.

The project team, working with several individuals from the comptroller's office, IAD, and SID, began an examination of the current SID and IAD budget structures to ascertain if any commonalities existed between the two. NSA representatives were concerned that, because the SID budget structure had undergone a significant overhaul in 2002, this structure needed to be retained to avoid any potential loss of historical financial data. SID representatives argued that SID's new structure was already capabilities-based.

Both SID's and IAD's budget structures were based on programs, projects, and subprojects. The dilemma is that the levels at which these elements operate are not consistent between the two organizations. The enabling organizations' -- infrastructure, information technology (IT), human resources (HR), etc. -- budget structures were closer to SID's alignment given that the preponderance of NSA's budget is contained in the CCP. The RAND project team concluded that a common budget structure with a minimum of five levels needed to be developed that linked enterprise strategy to capabilities and resources. Figure 2.4 shows notionally how the budget structure could be aligned into a single-thread system. The figure shows the interdependencies among the NSA strategy, strategic plan, Unified Cryptologic Architecture Capstone Requirements Document (UCA CRD), and business plan that define NSA's requirements. A five-level required budget structure emerges, beginning with Unified Cryptologic Functional Areas (UFAs), mission areas made up of expenditure centers, capabilities areas, projects, and finally, cost centers. Additional levels to support established organizational management between the project level and cost centers should be optional as needed.

[Image]

Critical to the establishment of a single NSA budget structure is the development of a common set of definitions. Definitions were developed and agreed on by RAND and the NSA for each of the budget structure levels.

1. Capability: Defines broad operational and institutional activities that NSA must perform to accomplish its mission and meet its objectives. Capabilities are derived from and are combinations of projects and people (across all the NSA baselines).

2. Programs/Mission Areas:8 Supervisory-level units responsible to corporate-level function and direction. Manage and direct acquisition, operational, research, and business baselines. A program can have multiple projects and one or more project types.

3. Capability Areas: These are collections of capabilities.

4. Project: A directly funded effort that is part of a program. It can be an operational system, system in development, an effort focused on research, or a business process/system.

5. (Optional level) Subproject: A discrete activity within a project. SID and IAD have subprojects, but most enablers do not.

6. NSA Cost Center: The financial management element responsible for the administrative control of funds within an approved financial plan, including authority for obligation and expenditure of funds for specified purposes in support of its assigned organization.

_____________________

8 There are three different names for Level 2. To accommodate the different perspectives, RAND concluded that Level 2 could be called Programs/Mission Areas and expenditure centers. Within a strict budget perspective, Level 2 is expenditure centers, but SID refers to expenditure centers as Mission Areas, while NSA leadership recognizes them as essentially major programs. RAND concluded that these were basically different perspectives of the same thing -- expenditure centers.

Figure 2.5 shows how the proposed budget structure could be related through programs and projects with a capabilities approach. Importantly, the proposed structure uses the best attributes of the SID structure while providing a single corporate budget structure.

[Image]

In August 2003, the DIRNSA concluded that the proposed budget structure was acceptable and directed the CFM's office to oversee the continued realignment and standardization across all programs in NSA. IAD, working with the CFM, would refocus the ISSP on capabilities and projects, while maintaining an audit trail of OSD reporting data. The SAE was to provide management oversight for all Acquisition Development Program Baseline (ADPBL) projects. The business units, enabling organizations, and research would assume responsibility for respective project baselines. Over the next six months, the CFM with the business units would develop areas of interest for costs/resources, including the cost center relationships.

The agreement on and the gradual adoption of a common budget structure are fundamental to the institutionalization of the NSA architecture and the associated corporate decision processes.


CHAPTER THREE

The CRG Concept and Its Implementation

Figure 3.1 gives an overview of the CRG's place within the decision process.

[Image]

Implementation of the CRG

Integral to the establishment of the CRG is its management. The DIRNSA formed an office to oversee the CRG. In May 2002, the DIRNSA stood up the Office of Corporate Strategic Planning and Performance (DC4).1 The establishment of the DC4 organization is a major step in developing coherent agency end-to-end processes for corporately directed guidance, planning, capability identification, programming, acquisition, and resource management. The DC4 reports through the CoS. The DC4 is in charge of the development of the NSA strategic and business plans. He also is the secretariat of the CRG. He is responsible for ensuring that the right set of issues is identified for CRG review, that the material to be presented is analytically sound, and that the material is vetted by the senior leadership prior to the formal CRG meeting. DC4's head is responsible for documenting the various outcomes of the CRG meetings and does the follow-up activities. The organization reports through the CoS organization. This is an organizational misalignment because the DC4 should report directly to the DIRNSA and DDIRNSA. This topic will be discussed later in this chapter and in the conclusions in Chapter Seven.

_____________________

1 The name of the NSA DC4 office was later changed to the Office of Corporate Planning, Capabilities, and Performance.

In FYs 2002 and 2003, the DC4 organization was very small, with approximately five full-time NSA employees augmented by approximately ten contractors. In FY2004, the office grew to approximately 14 government employees and 20 to 30 contractors, bringing the total office size to between 30 and 40 government and contractor employees. Besides the chief and deputy, the government employees are primarily Grades 15, 14, and 13. The chief indicated that in FY 2004 he would get at least one or two senior billets. The Enterprise Architect/Chief Systems Engineering director provided additional contractor resources to the DC4 to support the corporate requirements process activities.

The DC4 office is designed to be small, consistent with the DIRNSA's goal to avoid developing a large staff office at the corporate level. The structure also necessitates that the DC4 rely on the business units and enablers to provide a lot of data and some of the analysis used to build various options on a particular topic. RAND recommended that the CAO, a small analytic organization that operates at the corporate level, should support the DC4 and eventually be merged into the DC4 organization. As of this writing, the CAO continues to operate as an independent entity within NSA, with only occasional support to the DC4. The CAO frequently operates independently and presents uncoordinated work on issues critical to the DIRNSA and DDIRNSA. This behavior often results in either the CAO's work being ignored or additional work being created for various staff members who were not consulted during CAO's issue study and who disagree or agree. RAND argues that the CAO's roles and responsibilities need to be clarified vis-à-vis those of the DC4.

The DC4 owns no portfolio and needs to remain neutral in order to perform its CRG functions. The DC4 operates as a critical sounding board, process operator, independent analyst, and integrator of various issues associated with key corporate topics. Therefore, the office must have no equity in any activity. The DC4 immediately began to define for the DIRNSA and DDIRNSA some of the topics that the CRG should address, including the following:

The CRG was initiated in May 2002 in the middle of the FY 2004-2009 POM/IPOM development. The DIRNSA initially charged the DC4 with providing a series of CRGs that discussed the development of the FY 2004-2009 POM/IPOM. Initiation of the CRG process during the POM/IPOM development had both positive and negative aspects. The senior and midlevel managers initially believed that the CRG was primarily a budgeting activity. To get insights into the SID and IAD programs, the DC4 formed the Expert Working Group (EWG) as a way to bring representatives from the business units and enabler organizations to discuss the various elements of the program. Initially, the representatives from the business units found the DC4's questions and issues to be intrusive into their planning and programming processes. Figure 3.2 shows the governance structure of the CRG and its various working groups.

[Image]

Essential to the design of the CRG structure is the goal to keep it as small as possible. The CRG could not become bogged down in working groups and boards. RAND suggested that, because the DC4 and CFM managed all the corporate processes, the CRG should have three process working groups that convened at different times, given the process that was under way. Importantly, many of the same individuals would serve on the different process working groups to ensure that shared knowledge and an institutional memory would be built. The three working groups were the Planning Working Group, Requirements Working Group (RWG),2 and the Programming Working Group (PWG). The PWG would span the programming, budgeting, and execution processes. The CFM decided to structure it this way because the budgeting working group was small and needed to meet only a few times during the course of the budget execution (Budgeting Process Meeting, 2003; NSA CRG Meeting, 2003). The working groups were the chief mechanisms to identify issues and propose options for senior leadership review and decision.

____________________

2 The name of this group was later changed to the Capabilities Working Group (CWG). See Chapter Four.

In November 2002, several senior managers suggested to the DC4 that the recommendations coming out of the CRG working groups should be initially reviewed by a corporate-level board of directors consisting of the two business unit managers, representatives of key enabler organizations (e.g., ITIS and research, development, test and evaluation [RDT&E]), the SAE, and the CFM. The purpose of the board of directors was to vet outputs from the CRG working groups and resolve outstanding issues prior to briefing the DIRNSA and DDIRNSA. If adopted, the board of directors would allow issues to be raised and debated and solutions to be proposed prior to a formal CRG session. The DC4 agreed that such a board might be useful because he found it time-consuming to be briefed by each principal prior to each CRG meeting. The DC4 also felt that the board would curtail a lot of the push back from the business units and streamline his prebrief efforts in that he had to coordinate only with the board of directors prior to a CRG meeting.

In December 2002, the DDIRNSA and DIRNSA considered the suggested board concept and informed the DC4 that they would not allow the board to be created. They argued that such a board of directors could violate their management goal of sustaining as flat a corporate management structure as possible. Furthermore, if created, the board could violate their management model of centralized decisionmaking supported by a structured participatory dialogue because the board of directors might become a mechanism to resolve issues through consensus-driven decisionmaking below the corporate level. The senior leadership needed a firsthand understanding of the issues and the various opinions surrounding them. Therefore the leadership decided that the CRG was the only forum in which these discussions were to occur. The DC4 was directed to continue briefings to the various members of the CRG in preparation for the formal meeting, but he could now have one or two principals in the same meeting.

The building of the FY 2004-2009 program and the iterative sharing of the information through the CRG mechanism yielded several critical insights to the leadership. The first was that significant unpaid bills had to be addressed. The bills focused on institutional elements of the program that fell outside of the direct mission responsibilities of the two business units. The second was that the enabler organizations had depended on the business units for all of their funding. The enablers argued that they were unable to fund critical institutional needs -- workforce improvement, training, and infrastructure renewal -- because all funding was directly tied to mission by being dependent on the business units. SID and IAD argued that they "owned" the CCP and ISSP, respectively, and, therefore, the enablers should only receive funding for those activities directly associated with mission (NSA CRG Meeting, 2002b).

The enabler funding issue was resolved during a June 2002 CRG in which the DIRNSA directed that several hundred million in FY 2004 CCP dollars would go to the enablers. The DIRNSA's decision established the dynamic throughout the rest of the POM/IPOM build that SID argued that those hundreds of millions of dollars would jeopardize the mission or, conversely, that the enablers should receive no additional funding for mission-related activities because they had been allocated significant additional funds (NSA CRG Meeting, 2002a).

The building of the FY 2004-2009 POM/IPOM was particularly revealing in that the DIRNSA and DDIRNSA realized that, unless they controlled the allocation of resources in a structured participatory manner, it was impossible to really integrate and synchronize transformation. Their emerging model is centralized decisionmaking within a structured participatory process that employs decentralized execution. More importantly, the FY 2004-2009 POM/IPOM activity revealed that the FY 2002 and 2003 corporate strategic and business plans were not directing and sufficiently informing transformation or resource allocation decisionmaking. They were not linked to any formal decision processes.3 Therefore, the Chief of DC4 and the CFM jointly built the FY 2004-2009 NSA program based on a series of interactions among the two business units and the enablers. They derived programming guidance from directives of the external overseers and objectives found in NSA's existing strategic and business plans. The DC4 and CFM's assessment was reviewed by the CRG and approved by the DIRNSA.

____________________

3 The earlier RAND study (Lewis and Brown, 2003) had identified the disconnected nature of the FY 2002 and FY 2003 corporate strategic and business plans. The earlier plans had been developed by the then-CFM, but she had no means by which to ensure that they informed decisionmaking. More important, many individuals in NSA argued that the plans were developed in isolation and did not inform or impact their activities. Another problem was that the business units developed their own strategic and business plans and focused on their implementation rather than following the guidance laid out in the corporate plans.

The FY 2004-2009 program build revealed that significant programmatic and funding disconnects existed between the FY 2003 and FY 2004 programs. Therefore, a bridging strategy had to be developed between the two program years. The DC4 and CFM identified problems in civilian pay, funding gaps in major acquisition programs, and underfunding of some mission elements. Overall tension existed between how to fund the transformation and supporting the mission, with its many legacy systems (NSA CRG Meeting, 2002c). The DC4 and CFM negotiated among the two business units and the enablers potential solutions to the funding shortfalls and then offered recommendations in the CRG. The FY 2004-2009 program build so dominated the CRG's agendas for the body's first six months that many senior managers argued that all the CRG did was budgeting. Some contended that very little of what the CRG working group did was strategic, but rather it was a strengthened corporate budgeting function. The DC4 and the RAND project team countered that the CRG was initiated in the middle of the FY 2004-2009 POM/IPOM development, and, therefore, it had to focus on resolving the identified resource gaps. These activities did not represent the full purpose of the CRG but did provide a critical forum in which these issues could be raised and discussed at a corporatewide level.

During the first year, the CRG addressed many issues affecting the corporate NSA. Meetings were scheduled based on the priority of the issue and the schedules of the DIRNSA and DDIRNSA. Frequently, given schedule conflicts and the importance of an issue, either the DIRNSA or DDIRNSA chaired a particular session.

The DC4 found that the hardest part of the CRG activity was its preparation. The difference between the CRG and other senior leadership organizations in NSA is that it is supposed to be analytically based. The management model of centralized decisionmaking and decentralized execution supported by structured participation required the DC4 to pull analytic information from the two business units and the enablers. Once the information was obtained, he and his staff assessed it and either requested clarification or additional information from the data sources. On a more practical level, the DC4 did not have a large analytic staff to gather information and provide assessments. Therefore, he relied on the different functional entities to provide the information and perform additional analysis as it was identified in the various working sessions.

The business units were often not forthcoming with the desired information or clarification of the data that was supplied. Frequently, the DC4 or members of his staff repeatedly requested information or asked for clarification of the data provided. The problem of attaining quality data from the various functional organizations is attributable to three issues:

These difficulties were partially overcome by the DC4 and CFM continually pushing on senior managers in the business units or enabler organizations for data. In some instances, it was agreed that the data did not exist and that these shortcomings needed to be addressed.5

____________________

4 The development of an enterprise budget structure that encompasses SID and IAD as well as the enablers has been a significant undertaking since March 2003. The initiative developed based on the DIRNSA and DDIRNSA's desire for increased transparency of budget and expenditures across the agency. In summer 2003, RAND, working with the CFM and DC4 representatives, defined an initial structure that was further refined by the NSA. See Lewis and Brown (2003).

5 The inconsistency in data and lack of quantitative data are iteratively being addressed in a variety of areas. The CFM and Comptroller initiated an activity based on DIRNSA and DDIRNSA guidance to align the NSA budget structure so that the senior leadership has visibility into investment areas as well as a better understanding of the total cost of doing business. The SAE initiated an activity to delineate in the budgetary alignment procurement, acquisition, operational, and RDT&E programs.

The FY 2004-2009 POM/IPOM development dominated the CRG's activities through winter 2002 and into early 2003. Once the FY 2004-2009 POM/IPOM was delivered to DoD and the DCI, the DC4 and CFM turned their attention to balancing the FY 2003 POM/IPOM to ensure that a sufficient bridging strategy existed between FY 2003 and FY 2004. The rebalancing of the FY 2003 program necessitated addressing and resolving civilian pay issues and several acquisition program financial shortfalls. Once this was accomplished, the DC4 and CFM turned their attention to the management of the funding supplemental for Operation Iraqi Freedom.

In January 2003, the DC4 held a meeting with representatives from the business units, enabler organizations, acquisition organization, and the DDIRNSA's staff to identify and discuss future CRG topics. A variety of issues were identified: review of the acquisition portfolio, discussion of the emerging strategic and business plans, establishment of the corporate requirements and programming processes and their outputs, workforce development, infrastructure renewal, and identification of the capabilities needed to support a possible future war with Iraq. In a separate meeting, the DIRNSA and DDIRNSA also identified topics that they wanted discussed in the CRG. These included the balance between the NSA civilian and contractor workforce, the Human Resource Development Plan, and reviews of the Groundbreaker and Trailblazer Programs and of other high-visibility acquisition programs. The DC4 soon found that so many topics were identified that he had to increase the number of CRGs and expand their meeting times. In addition to these topics, issues were brought forward as a result of the requirements and programming processes. These topics were accommodated through additional and expanded CRG meetings.

As noted earlier, in 2002 the DC4's staff was small. Because NSA's workforce is based on a civilian government billet structure with workforce ceilings, the DC4 could not hire government employees without billets being allocated to him. The DC4 was initially allocated eight government civilian billets that included three Grade 15 civilians, two Grade 14 civilians, two Grade 13 civilians, and an administrative assistant slot. The billets were taken from SID and the CoS's organization. Contractors and military personnel supplemented the rest of the DC4's workforce.

RAND raised the issue with the DC4 that most of his functions were inherently governmental,6 and therefore, the number of contractors and their activities should be held to a minimum and carefully managed. Because the DC4's responsibilities involved managing critical information associated with major decisions in NSA affecting resource allocation, the office had to ensure that contractors were not privy to data that impacted contracts or the selection of contractors. They also needed to be excluded from any involvement in recommending courses of action to the senior NSA leadership. If managed correctly, contractors could assist in the development and analysis of options but not in option selection. The DC4 argued that he certainly understood the issues associated with "inherently governmental" functions but also that he needed a workforce sufficient to perform the tasks needed to support the CRG and, later, the establishment of the requirements process. In fall 2002 and winter 2003, the contractor workforce in the DC4 numbered approximately 13 people. The DC4 focused his activities on data development and performance metrics, while his small staff focused on development of the strategic and business plans and the establishment of the corporate requirements processes.

________________________

6 Inherently governmental functions are defined in several government instructions and regulations. The general definition is as follows: "An inherently governmental function is a function so intimately related to the public interest it mandates performance by government employees. These functions include those activities that require either the exercise of discretion in applying government authority or the use of value judgment in making decisions for the government." Policy Letter (1992) established the policy for Inherently Governmental Functions.

After each CRG session, the notes and the resulting decisions are summarized and published by the DC4, who is the CRG secretary. The minutes are usually provided by e-mail, and the notes identify the agenda, contain the briefing, and document general outcomes of each meeting. They provide a schedule for the next CRG and identify new and/or unresolved issues.

On several occasions, stakeholders and overseers argued that they were not invited to all of the CRG meetings; rather, they were invited to selected meetings. The RAND project team indicated to several overseers that often CRG meetings addressed issues that external overseers should only be privy to the outcomes of rather than to the internal debate. For example, some overseers argued that they should attend all CRG meetings that addressed the FY 2004-2009 POM/IPOM development. RAND project team members countered that in DoD, the representatives from the OSD do not sit in on the military departments' program and budget meetings, but rather they reviewed the finished POMs for completeness and responsiveness to the SecDef's guidance. The DIRNSA informed external overseers and stakeholders that they could attend only those CRG meetings to which they were invited.

Summary

During the year in which the CRG was established, the DIRNSA and DDIRNSA became increasingly supportive of the forum as a way to raise issues and discuss them. They used the CRG to share issues with senior NSA managers and to communicate to the managers the status of various issues with Congress, the IC-CMS, and DoD. The DIRNSA and DDIRNSA also used the CRG to provide general guidance to senior managers. The CRG and the establishment of the DC4's office initiated the process of more-centralized decisionmaking within NSA. The structure provided a mechanism for the DIRNSA to determine how the objectives associated with transformation and mission were being met. The culture responded in a way that was to be expected. The dominant business units viewed their prerogatives as being challenged based on earlier management models of decentralized decisionmaking and execution, while the enablers saw the more centralized approach as providing them a mechanism to voice their concerns and issues.

Critical to the establishment and operation of the CRG was the DC4 office. The selection of a manager knowledgeable about DoD processes who is a retired military officer with "no stake in NSA" (except the establishment of the processes) allowed the senior leaders to trust his actions and decisions. The DC4 was also helped by the establishment of a strong working relationship with the CFM and his staff. This alignment provided a critical link between planning and resources and, even more important, brought significant analytic and institutional knowledge together to inform the leadership about a variety of issues associated with NSA's transformation and mission performance.

The weakness in this alignment is that the DC4 was a reporting office through the CoS. The CoS has no knowledge of planning or programming, and, more important, the DC4 was often forced to vet sensitive issues and briefings through the CoS chain of command prior to discussing them with the DDIRNSA and DIRNSA. Another shortcoming in this functional alignment is that the CoS retained oversight over corporate metrics, thereby disconnecting the DC4's office from shaping and determining the types of metrics and supporting data necessary to evaluate how the institution is performing.


CHAPTER FOUR

Linking Strategy and Planning with Performance

Figure 4.1 highlights strategy and planning's place in the corporate decision process and how it links with performance.

[Image]

Background

Since the initiation of NSA's transformation activities in 1999, strategic planning has undergone many changes. In the early phases of Lt. Gen. Michael Hayden's tenure as DIRNSA, 1999-2000, the two business units, SID and IAD, retained the primary responsibility for defining their strategic and business plans. The NSA Transformation Office (NTO) developed the corporate guidance; the corporate plans provided broad strategic guidance in response to the vision developed by the DIRNSA. In early 2000, NTO developed a high-level strategic plan designed to inform the business units and enablers about the major transformation initiatives. It was up to the business units to develop their plans in response to the corporate-level guidance. The initial corporate plan was judged too ambitious and was soon abandoned. In early 2001, the NTO was disbanded because it was viewed as ineffectual.

The business unit managers argued that, because they were responsible for executing the vision, they should be responsible for the strategic plan. Therefore, the director of IAD was appointed to write the second corporate strategic plan that was published in mid-2000. This plan was also not implemented because many senior managers viewed it as not sufficiently ambitious and lacking focus. In early 2001, a third corporate plan was developed by the CFM to focus on objectives in the near term. The CFM's effort produced a business plan that covered only 20 percent of the agency's resources and concentrated on four vital near- to midterm initiatives. It was a business plan derived from the leadership's guidance. The CFM argued that, similar to corporate business practices, the CFM should be responsible for writing and managing both the strategic and business plans because she could ensure that the initiatives could be financially supported and traced and that executing organizations would be held accountable for their activities.

None of these earlier strategic plans were fully implemented because the two major business units viewed them as intrusive to their activities. In a 2002 RAND report (Lewis et al., 2002, pp. 17-19), the project team attributed this execution failure to the continued independence of SID and IAD and the lack of a corporate-level review process to monitor compliance with strategic plans. In addition, none of the strategic plans or the business plans contained sufficient MOEs that could hold the business units accountable.

In that RAND assessment, the SID and IAD business plans were also reviewed. SID's 2000 business plan reflected an organization that continued to determine its own requirements and set priorities in the absence of strong and visible corporate processes. The SID's business plan in 2001 focused on initiatives needed to improve mission performance in the next five to ten years. The director of SID had a thorough understanding of the SID business plan and its goals.

Since the initial assessment was done, the director of SID undertook several additional initiatives. A manager was appointed to integrate and oversee SID planning, programming, and budgeting and requirements processes. Each of the individual SID processes has a manager. A separate process was established for strategic planning. However, all the processes are designed to operate within a construct in which SID, as the dominant mission organization, operates almost independent of the corporate NSA. For example, the SID requirements function is designed to mimic that of the JROC without consideration that the majority of SID's requirements do not meet JROC-defined thresholds. SID also vetted its requirements and planning objectives with external overseers and stakeholders without having it reviewed by the emerging corporate processes. Its planners and requirements managers argued that SID was focused on compliance with the Unified Cryptologic Architecture (UCA) that encompasses the entirety of the SI community, and because SID was charged through the DIRNSA with the management of the UCA office, it needed to be responsive to UCA. Again, between 1999 and 2002 the NSA followed a decentralized model that entrusted these activities to the responsible business units.

IAD's business plan consists of six volumes and contains a great deal of detail concerning IAD's intertemporal requirements, the fiscal constraints facing the directorate, and its near-, mid-, and long-term objectives. It also establishes metrics for performance. IAD receives much of its guidance and direction from the Assistant Secretary of Defense for Network and Information Integration (ASD [NII]) and therefore tends to conform more closely to DoD policies and practices. Although the organization interacts with SID in meeting part of its IA responsibilities, its principal overseer is the ASD (NII). The ASD (NII) establishes most of IAD's priorities and is responsible for ensuring that IAD's requirements are represented through the DoD PPBS. IAD has its own resource program that also provides a basis for independent management and oversight. The director of IAD manages the directorate according to the business plan. Every quarter, the plan is reviewed, and program managers must provide data on how they are meeting the plan's objectives. The IAD business plan is updated annually.

The major challenge in establishing a corporate planning process that is part of a larger corporate end-to-end decisionmaking and management structure was that the business units' activities were not designed to be part of or integrated at the corporate level. The DC4 became the responsible corporate office and decided to tackle the problem over a two-year period beginning in FY 2002 by gradually requiring the business unit planning activities to be responsive to the emerging corporate planning process. Key to the corporate process is the development of lessons learned and then applying the lessons to the FY 2006-2011 program development. The initial activity included the enablers to ensure that they have a voice in the emerging corporate planning process with regard to the identification of the key initiatives that they should undertake that are not otherwise accommodated in the business units' plans. The FY 2003 activity concentrated on developing FY 2004-2005 strategic and business plans. The process was truncated because it started late, but the DC4 viewed it as critical to begin the process and to ensure that it could at least marginally inform the emerging Capabilities Generation Process. (See Chapter Five for a discussion of the Capabilities Generation Process.)

The DC4 appointed members of his staff1 to manage the strategic and business planning activities. In FY 2003, the DC4's strategic and business plans managers initiated a primarily bottom-up process. Lacking sufficient staff in the DC4's office and seeking to gradually incorporate and integrate the SID and IAD activities, the DC4 planners formed working groups composed of representatives from SID, IAD, and the enablers. The foundation for all the initial work was the FY 2002-2003 NSA strategic and business plans. The working groups developed a set of five strategic goals and then a set of objectives under each goal. Responsibility was assigned to SID, IAD, and some of the key enablers for each of the goals. For example, in the FY 2004 strategic plan, three of the five goals were assigned to SID, one to IAD, and one to the enablers. The organization with oversight over a goal would flesh it out and refine it, identify key objectives, and determine the associated metrics. Once the corporate goals were identified, the business plan focused on those aspects of the goals and associated objectives that would be addressed in the FY 2004-2005 program.

____________________

1 The DC4 did not have billets to form his own staff. To get sufficient staff to develop some of the corporate processes, he borrowed personnel from SID and IAD. In the case of one planner, he was on a temporary duty assignment to the DC4. It was not until beginning FY 2004 that the DC4 received his own staffing billets and an ability to hire some contractors to establish a true DC4 staff. As will be discussed later in this chapter, personnel problems persist in the development and retention of a qualified corporate process management staff.

The major shortcoming of the FY 2004-2005 corporate strategic and business plans is that they were too bottom-up oriented. The goal of the FY 2004-2005 planning process was to begin the development of useful corporate strategic and business plans. However, they only marginally informed the subsequent capabilities generation and programming processes. The difficulty was that the business units and enablers argued that almost all of their activities supported the strategic goals. Because the plans were so bottom-up, clarity was not provided on potential divestiture issues or what was truly transformational. The DDIRNSA complained that although the planning processes improved corporate oversight they were not sufficiently managed from the top down to focus, provide resources for, and manage NSA's transformation. The process was long and laborious in that the business units refused to provide needed data or use the plans to inform their activities. The DC4 found that many of the strategic and business plan initiatives were not followed or that insufficient data were collected to assess whether the NSA had reached the goals and objectives identified in the plans.

Importantly, the DC4 initiated a lessons learned activity that identified many of the problems cited above. The lessons learned insights informed the leadership about how the FY 2006 strategic and business plan activities could be improved. The lessons learned from the FY 2004-2005 business plan revealed that the plans were too bottom-up and therefore did not corporately drive the transformation. The DC4 also found that too much time was spent building the business plan. Because the plan was bottom-up, the DC4 lacked data for evaluating how successful the plan was in driving change. Key to the business plan is the development of metrics or performance objectives that can be iteratively evaluated to ensure that NSA's objectives are met.

Concept for Development of FY 2004-2009 Strategic Plan and FY 2006 Business Plan

For the FY 2006-2011 program build, the DC4 initiated a strategic planning process that is more top-down. This concept dictates that the FY 2006 business plan would contain the detailed fiscally informed guidance for near-term actions. Five working groups were established to scrub and redefine (if necessary) the five goals selected by the DIRNSA and develop their respective objectives. Another panel consisting of senior managers from SID, IAD, and the enablers was formed to integrate across the goals and objectives. The groups' initial outputs were reviewed and refined by the DC4's planning process managers and their small staffs.

The initial set of strategic planning goals lacked consistency. They reflected the perspectives of the team leaders' organizational affiliation rather than corporate NSA. A lack of consistency was found among the objectives within a specific goal. Very few of the objectives were truly transformational in nature or promoted different behaviors to attain the desired transformation. Generally, the objectives failed to provide either methods or measures for attaining strategic goals. The strategic plan needed to identify the differences among corporate-level metrics or objectives, policy, practices and/or resources. And finally, the corporate metrics activities (delineated in unpublished NSA documents), designed to inform the strategic plan, contained a lot of collected data, but what the data meant in terms of accomplishing NSA FY 2004-2009 strategic goals was not provided and how the data might be used to inform the programming activities was unclear.

On October 10, 2003, the DC4 informed the goal leaders via an internal e-mail that the goals and objectives needed to be refined in terms of making them more transformational and focused. The leaders needed to complete their work by October 15, 2003, so the DC4 could review and refine the work prior to having the DDIRNSA review it for approval by the DIRNSA. On October 21, 2003, the DIRNSA held a townhall meeting for employees to address the NSA goals and objectives for the FY 2004-2009 strategic plan. He indicated during that townhall meeting that the DC4 had been directed to corporately manage the goals and associated objectives developed in the working groups. The DC4 was also entrusted with ensuring that the goals and objectives were strategically managed from the enterprise level and through the mechanisms developed within the CRG process.

In October 2003, the manager of the strategic management process established the Strategic Working Group (now the Strategic Planning and Performance Group [SPPG]) as a component of the CRG process. The SPPG included representatives from the business units and from the enablers. The charter describes the SPPG's responsibilities as ensuring that issues associated with the strategic plan were raised and vetted materials were developed within the various strategic planning working groups as well as reviewing and providing feedback on the analysis done by the corporate strategic planner and her analytic staff. The SPPG makes recommendations to the DC4 on topics and issues that need to be reviewed by the CRG for ultimate DIRNSA review and approval. The strategic planning process manager wrote a charter for the SPPG and asked for it to be reviewed and approved by the business unit and enabler managers. As of this writing, the charter is still in review.

Based on guidance received from the DC4, the strategic planning working group and integration team reviewed and revised the four strategic goals and their associated objectives. It was agreed that the DC4 would do very little revision of the goals and objectives but would, as part of his responsibilities to build performance measures into the NSA strategic and business plans, review and refine the performance metrics identified in the initial draft materials. In October 2003, the DIRNSA approved four strategic goals for the FY 2006-2009 strategic plan:

1. Deliver responsive signal intelligence and information assurance for national security.

2. Radically improve the production and protection of information.

3. Enhance an expert workforce to meet the global cryptologic challenges.

4. Create and integrate business management capabilities within the enterprise and with stakeholders.

A breakthrough goal of transforming the cryptologic system was also identified to provide an overarching connectivity to the four goals. RAND found that the breakthrough goal really did not substantially add to the understanding of the four transformational strategic goals identified for the FY 2006-2009 strategic plan. The four strategic goals had improved substantially in their structure and focus from earlier versions. They now represented the key aspects of the NSA enterprise -- performing the mission, ensuring Information Assurance (IA), development of the future workforce, and institutionalization of corporate strategic management processes. The four goals were also consistent with the overarching set of capabilities that RAND recommended be used from the NSA Reference Model: "Get It," "Know It," "Use It," and "Manage It." The strategic goals also provided a mechanism by which each element of NSA's organization -- mission, enablers, and business management -- had responsibilities in support of their respective goals.

The working groups had also made considerable progress on the supporting objectives for each of the strategic goals. Many of the objectives had been refined so that they were more focused, but overall the transformational attributes of the objectives remain insufficiently defined. Several of the goals also had too many objectives. For example, Goal 1 had seven objectives under it. Many of the objectives could operate as subobjectives under some of the more expansive objectives associated with Goal 1.

The weakest of the four goals and associated objectives is Goal 3: enhance an expert workforce to meet the global cryptologic challenges. The objectives associated with it were too tactical and failed to identify methods to develop and sustain a future workforce that supported the other transformational goals. Goal 3 is a dependent goal in that it is informed by and its objectives are shaped by the other three goals and objectives. Goal 3 needs objectives that support the development of a technically competent cryptologic workforce. The goal leader was asked to reexamine the goal and identify several objectives that support the development of a competent NSA workforce.

The FY 2006 corporate business plan is more linked to the FY 2006-2009 strategic plan. The business planning process was shortened to a half-day off-site meeting with well-articulated objectives. Because the leadership and strategic planning team spent so much time on the strategic plan and its associated goals and objectives, the DDIRNSA and DC4 concluded that the business plan could be developed in a shorter and highly focused effort. Beginning in December 2003, the DIRNSA's quarterly off-site with NSA's senior managers took place and addressed the FY 2006 business plan. The session was initiated through the presentation of environmental analysis -- an assessment done by the DC4's staff -- that outlined the strengths and potential problems identified in NSA that might impede the transformational and mission activities. The DC4 evaluation provided the foundation for the senior managers to identify and discuss potential areas for divestiture and needed critical investment. Importantly, the off-site provided a mechanism by which the senior NSA managers discussed with the DIRNSA and DDIRNSA the critical issues that they believed challenged NSA's ability to modernize selected capabilities and achieve the desired transformation.

The December off-site yielded a long list of investment needs and divestiture topics. In mid-December, the DC4 held a small meeting consisting of the most senior managers and the DIRNSA and DDIRNSA. They met to discuss fiscally informed options that were an outgrowth of the earlier off-site's discussions. The selected options were incorporated into the FY 2006 business plan. The options were developed and analyzed by the DC4's staff. The assessments identified linkages and potential problems with each priority area. In January 2004, the options and cost estimates, final list of investments, and the divestiture areas were presented to the CRG for review and final approval by the DIRNSA (NSA Business Plan Working Papers, 2003). The approved material will be published as the FY 2006 Business Plan.

Performance Metrics and Milestones

The most problematic aspect of the corporate strategic and business plans is the development of the performance metrics and milestones. NSA has not fully defined what it wants to measure and how it should do the measuring. It has also not clarified what questions it wants answered. As noted earlier in this report, the DC4 is responsible for performance metrics, but the function resides in the CoS organization, which relies primarily on contractors to perform this work. Unfortunately, the lack of connectivity between the corporate processes and performance analysis causes many NSA metrics activities to be disconnected. The existing metrics activities continue to collect a lot of detailed data, but to date these measures have failed to provide useful insights into mission performance, responsiveness, and transformation.

The NSA FY 2004-2009 strategic plan is responsible for the development of performance measures and the milestones associated with the different goals and objectives identified during the strategic planning process. The performance measures and milestones developed for the most part reflect the assigned goal manager's perspective. For example, SID manages Goal 1, and the performance measures and milestones reflect those organizational perspectives. Objective 1.1 is "collaborate and integrate with customers and partners to improve identification of key decision points, information needs, opportunities, and priorities." Supporting this objective are a number of performance measures -- e.g., conduct an evaluation of customer satisfaction with products and services twice a year and note the number of integrated relationships with customers and partners. Several of the key milestones are really tasks rather than milestones in the true sense. For example, one milestone associated with Objective 1.1 in unpublished NSA documents is "SIGINT/IA customer support plans for all customers are to be completed in a defined period."

The RAND project team found that the performance measures and key milestones were more focused on long-term goals and the tasks associated with attaining them. The project team honed several of the performance measures based on key questions or issues that the leadership might want answered. For example, one performance measure identified for Objective 1.1 was responsiveness to customer needs. The project team thought that the performance measure needed to measure several broad interrelated issues, such as how many queries were received from the customer, the turnaround times associated with the queries, and how many NSA did not respond to and why. Therefore, the real performance measure is NSA's ability to provide timely and accurate information to customers and mission partners. Rather than base the performance measure on customer response surveys, several interrelated data sources needed to be consulted. The NSA needed to assess the types and kinds of demands placed on the SIGINT analysts and their ability to ensure that the information reached customers in time to affect the mission. For example, which types of SIGINT and sources were the most problematic in meeting customer demands and why? What steps have been taken to remedy these deficiencies, and are there technical gaps that need to be addressed? Therefore, another dimension of the performance measure is what constitutes responsiveness.

Another potential issue raised by the RAND project team is that there are too many performance measures. There is no standard rule for how many performance measures should be developed, but most management literature argues that a handful of well-articulated measures are more desirable than multiple sets of measures (Niven, 2003, pp. 204-206). One author argues that strategic measures should number around 20; NSA had defined 91 performance measures spread across the four strategic goals. Another potential problem with NSA's performance measures is that many were too tactical -- measuring finite quantitative data. The measures were not focused to answer some of the leadership's most important questions. The potential difficulty with this approach is that culturally NSA is most comfortable collecting vast amounts of data with little or no thought to what operational and institutional questions it is really trying to answer.

Corporate Summary

There is no "correct way" to develop strategic and business plans. Some organizations have formal planning organizations that impose a corporate plan on the various business units who in turn develop implementation plans indicating how they are going to respond to the guidance. General Electric uses this practice (Labich, 1999, pp. 101-105).2 Other organizations rely on the business units to develop strategic and business plans in response to broad corporate guidelines, usually associated with projected profits and losses. This model is prevalent in many large technology or software companies with clearly defined product lines.

____________________

2 The article discusses how the Boeing Company is attempting to adopt the General Electric business model in terms of aligning its business units and corporate management structures.

NSA has tried three different approaches between 1999 and 2001 to develop and implement corporate strategic and business plans. As noted earlier in this report, those attempts failed because the processes were either too centralized at the corporate level or, conversely, too decentralized within the business units. Therefore, the DC4 initiated a process that was more inclusive and structured to ensure that there was "buy-in" from the business units and the enablers. In this model -- centralized decisionmaking with structured participation -- the DIRNSA plays the significant role in providing the corporate guidance that informs the strategic and business plans. The DC4 is responsible for managing the processes and ensuring that the outputs are consistent with the DIRNSA's vision, but again the performance metrics remained disconnected from the planned objectives and desired outcomes.

The NSA FY 2004-2009 strategic plan and FY 2006 business plan are in some respects consensus-built documents but are a result of carefully structured dialogues among the senior NSA leadership. The interactions were shaped by the DIRNSA and DDIRNSA's vision of the future NSA and its role as the premier organization responsible for SI and IA. To ensure that the strategic and business plans' objectives are attained within the time periods defined in milestones, each goal is assigned an overall leader. Each objective also has an assigned person responsible for its achievement within defined timeframes. The DDIRNSA also wants the individuals responsible for goals and objectives to be held accountable in their performance reviews.

This approach ensures that the corporate strategic and business plans are followed and implemented. The difficulty with this approach is that many of the objectives, performance measures, and milestones are too tactical. In various meetings with DC4 process managers, these concerns were raised and discussed. The process owners indicated that they agreed that many of the performance measures were insufficiently defined and that most of the milestones were tasks but contended that it was significant that organizations were accepting the corporate strategic and business planning processes that were guiding behaviors across NSA. They also argued that they viewed these documents as the first step in attempting to develop "a corporate memory" through the development of enterprisewide databases and information to be used to manage the enterprise.

The project team agreed with these perspectives. Therefore, an important step in the process is to ensure that the process owners in DC4 develop and codify the key issues that the DIRNSA and DDIRNSA want addressed or managed through the strategic and business plans. For example, if the ultimate goal of the leadership is to create a learning organization, it is the job of the DC4 to ensure that the goals are documented and that they are raised with the leadership in subsequent discussions to ensure that they remain visible. It is also the responsibility of the process owners to ensure they are the bridge between the near-term activities and the desired end state. To do this, the DC4 needs to hire, train, and retain a qualified government workforce, who will be the institutional memory.

In addition to these recommendations, the RAND-National Defense Research Institute (NDRI) project team developed sets of questions for each strategic goal area that are the types of questions that the DC4 should use to evaluate the effectiveness of the strategic and business plans. For example, under Goal 1 in the strategic plan, several key NSA corporate issues emerged: What new behaviors have resulted in the attainment of the identified goals? What existing operational procedures and activities are impeding the desired transformation of the SIGINT mission? How was responsiveness ultimately defined in the implementation of this goal? These questions reflect the types of analytic issues the DC4s need to iteratively assess to ascertain if the corporate goals and objectives are being met and what impacts they are having on the overall NSA transformation. The DC4's staff and the RAND project team will assess questions similar to these for each of the goal areas to ascertain how the NSA strategic and business plans are shaping institutional behaviors.

In part, the fact that corporate metrics were managed by the CoS and not the DC4, who was in charge of assessing corporate performance, formed a natural disconnect. The CoS was focused on collecting data without being informed about the types of issues -- mission and transformation -- that needed to be assessed through quantitative data. A new template was needed that linked corporate goals to performance metrics. The template contains three types of hierarchical metrics:

The RAND project team recommended that the set of corporate capabilities based on the NSA Reference Model3 be adopted at the highest level and provide categories for the emerging goals and their associated objectives. As mentioned earlier, the four capability categories are Get It, Know It, Use It, and Manage the Mission and Manage the Enterprise. The first three capability categories -- Get It, Know It, and Use It -- focus on the mission. "Get It" means NSA's ability to acquire the vast amount of SIGINT data. "Know It" focuses on NSA's ability to synthesize and analyze the data to understand the threat, and, finally, "Use It" implies applying the data to counter the adversary. "Manage the Mission" is the ability of the NSA to manage in a coherent and meaningful manner the SI and IA missions. Finally, "Manage the Enterprise" is NSA's ability to manage itself through well-designed and well-used corporate processes and functions.

____________________

3 The NSA Reference Model contains several hierarchical levels of Signals Intelligence. Beginning with (1) signals, transformed to (2) data, analyzed for (3) information, developed into (4) knowledge, and finally produced as finished (5) intelligence.

Figure 4.2 shows the RAND project team's proposed analytic template for how the strategic goals and objectives might be aligned and linked to well-structured and informative metrics.

[Image]

Corporate metrics continued to be managed by the CoS. The DC4 by charter has responsibility for corporate performance, but the CoS's office argued that it needed to manage metrics because it is an oversight function. RAND disagreed and indicated that the DC4's organization, as part of its process, needed to manage the corporate metrics and assess how NSA is attaining its transformation and mission objectives.

NSA has made significant progress in establishing credible strategic and business planning processes. Given the prior decentralized nature of these activities and the lack of accountability that used to exist, the 2003 planning activities mark a significant attempt to ensure that the planning process is driven from the top and that the business units and enablers are held accountable for achieving the goals and objectives. A fully mature process with strategic-level goals and objectives is at least one if not two planning cycles away. The project team does not view this as all bad; the time-phasing of the institutionalization of the process allows for the business units to accept that a top-down process will be implemented and that it will allow a structured dialogue between the corporate leadership and the workforce. The incremental implementation approach then allows for the needed analytic databases and information gathering to be developed and refined. The incremental approach necessitates that the DC4 operate as the corporate memory in that it must retain the vision of the strategic goals and their achievement while managing many of the tactical objectives and milestones contained in the current plans. The next step in validating the strategic and business plans is determining if their outputs inform the capabilities generation process and the subsequent programming process.


CHAPTER FIVE

The Corporate Capabilities Generation Process1

____________________

1 Throughout this discussion, "corporate capabilities process" and "corporate requirements process" are used interchangeably, with the former being the current terminology and the latter being consistent with earlier DoD terminology and processes.

Figure 5.1 highlights the place of capability needs in NSA's strategic decision process.

[Image]

Background

Soon after the DIRNSA established the CRG, he decided to respond to congressional concerns that NSA lacked a corporate requirements process. The DC4 was given responsibility for developing the process. The RAND project team designed the process and assisted in its implementation during winter 2002 through summer 2003. This chapter describes the design of the process, its implementation over a 12-month period, and an assessment of its performance.

NSA's CCGP2 Concept

The NSA's requirements process was designed to identify critical capability gaps that might affect NSA's ability to perform its mission in the near- (up to two years), mid- (two to five years), and long-term (six to ten years) future. The focus on capabilities is consistent with DoD's move to define its resource requirements in terms of sets of capabilities.3 A capability is defined as:

A broad set of operational and institutional activities NSA must perform to accomplish its mission and meet its strategic planning objectives. Capabilities are derived from and are combinations of materiel, processes, and people (across all the NSA baselines).4

____________________

2 The establishment of the CCGP at NSA is an example of how the pure application of "business" or "commercial" practices does not always work for government organizations. In industry, requirements are determined and shaped by market forces; therefore, few private-sector organizations have a capability process. Usually this function is an inherent part of the strategic planning process. In government entities, such as NSA, a distinct phase in the corporate decision processes must include a capabilities process because of the need to identify operational and institutional gaps from a broad spectrum of users.

3 In October 2002, DoD initiated several concurrent activities focused on the development of sets of core and joint operational capabilities to provide a common template by which all DoD resources are identified, adjudicated, and resourced. The activity is part of a broader DoD initiative that addresses the redesign and streamlining of the Planning, Programming and Budgeting System process.

4 RAND defined capabilities based on DoD definitions tailored to NSA. The definition was later refined by the programming organization within the CFM's organization.

The process's objective is the identification and validation of new capability needs for investment consideration in the POM/IPOM. The process is part of the end-to-end strategic corporate decision processes that NSA is developing to ensure that its corporate strategic plan informs capability needs, programming, and budgeting (Mullen, 2003, p. 3). Six issues that needed to be addressed in the design of the process were identified:

Several assumptions were developed concerning how capabilities were currently generated and managed in the NSA.

Given that IAD is closely aligned with DoD's processes, it has a well-defined and understood requirements process that is driven primarily by external customer demands. SID also places requirements for IA capabilities on IAD, and these are managed through IAD's requirements process. SID had initiated a set of interrelated management initiatives to establish its business unit processes, such as requirements and strategic planning. The SID requirements process mirrors the process used by the Joint Staff to support the JROC.5 The SID requirements process focused exclusively on the development of the Operational Requirements Documents (ORDs) and Capstone Requirement Documents (CRDs) associated with large acquisition programs in DoD. SID has also established an SID Requirements Oversight Board (SROB) chaired by the director of SID and consisting of external stakeholders, overseers, and customers. The goal of the SROB is to review and approve major system requirements and the subsequent ORD. The SROB was a response to congressional contentions that NSA did not have a structured and well-understood requirements process for CCP-funded programs. The establishment of the SID requirements process and its various elements was in response to this criticism.6

____________________

5 Chairman, Joint Chiefs of Staff, Instruction (CJCSI) 3170.01B, "Requirements Generation System," and subsequently CJCSI 3170.01C, "Joint Capabilities Integration and Development System (JCIDS)," June 24, 2003.

6 The SID requirements process is modeled after the Joint Requirements Oversight Council (JROC) operated in the DoD Joint Staff. The difficulty is that the SID process is not designed around the NSA or SID's structure and culture. The SID process is a lockstep process designed to capture large Acquisition Category I (ACAT 1) programs, which make up a small percentage of the overall SID acquisition and procurement activities.

The SID requirements organization is charged with preparing the documentation for requirements generated by the various SID mission areas. The SID requirements are informed by the UCAO, CRD, and the Cryptologic Capstone Requirements Document (CCRD), which is produced later. The UCAO covers the entire cryptologic architecture that includes the NSA, the U.S. military departments, the IC, and the mission partners. The CCRD addresses the pieces of the cryptologic architecture for which the NSA is responsible.7 As will be discussed later in this report, considerable tensions emerged between the corporate and SID requirements processes. The weakest element was that most of the existing organizational processes were not underpinned by strong analysis. This deficiency must be addressed in the design of the corporate capabilities process.

____________________

7 The CCRD is a good example of how DoD and CMS organizations often do not agree on how joint DoD and IC agencies should be managed. DoD supported the development of the CCRD as a way to get better fidelity on the structure and investment profile of NSA. On the other hand, the CMS, and in particular the overseers of the MRB -- the IC's requirements process -- argued that the UCAO should serve as the overarching document to inform the new detailed system requirements.

Several process attributes were identified for the CCGP. The process must be hierarchical in that the business units and enablers identify the requirements and establish priorities for them as part of their mission and mission support activities. Figure 5.2 conceptually shows the hierarchical nature of NSA's capability needs process.

[Image]

Capability gaps need to be identified based on mission and transformation objectives contained in the NSA strategic and business plans. The capabilities needs process must be part of the broader single-thread strategic decision processes being developed at NSA. This should ensure that a common template for decisionmaking is being used and that high-quality, consistent data inform decisionmakers. Finally, the capabilities generation process must inform external overseers, stakeholders, and customers about the gaps in NSA's capabilities and their potential impacts on mission.

The structured participatory model adopted by the DIRNSA assigns roles and responsibilities to the business units and enablers.8 The process is designed for mission directorates and designated enablers to operate their own requirement processes. The requirements generated in the field are input to the appropriate business units and designated enablers. The two mission directorates manage by operational requirements generated by the field as well as internally; the designated enablers -- ITIS, HR, research and development (R&D), facilities, and security -- manage mission support requirements either internally generated or received from the field. Many of the critical enablers did have requirements processes, given that prior to the establishment of corporate processes they had individually negotiated their needs with SID and IAD. For example, the ITIS and security managers had processes that identified their requirements associated with the SI and IA missions. Some of the enabler processes also identified critical mission support requirements, but SID or IAD funded few of these requirements because they were judged to be lower priorities. The establishment of a CCGP raised the profile of mission support requirements, giving insights into their importance to the performance of NSA's overall mission.

____________________

8 The NSA model is based on the one used by the U.S. Air Force. The Air Force model is designed to allow the Major Commands to provide the knowledge and expertise from the field and various mission perspectives. The corporate Air Force provides guidance and the final adjudication of the total Air Force program. See Lewis, Brown, and Roll (2001).

The goal of the proposed process is to develop a list of new corporate capabilities and ensure that priorities have been set among them. The process is designed to inform POM/IPOM program development. NSA's strategic and business plans inform the participants in the process about mission and transformation objectives.

CCGP Management Thresholds

The capability needs identified and adjudicated at the corporate level are done so through a set of thresholds recommended by RAND and refined by NSA's senior leadership. RAND developed the threshold criteria from DoD management practices tailored to NSA's needs and activities. Six thresholds were identified:

____________________

9 The CMM is the development of new cryptologic mission management capabilities; Trailblazer involves the development of a new SI backbone to support the NSA SI mission. Groundbreaker is the systems management program designed to support general computer IT activities within NSA.

Essential Steps in a Capabilities Generation Process

NSA's corporate requirements process is similar to those found operating in the DoD in that it contains four essential steps:

Each of the steps outlined in Table 5.1 contains different activities that result in the identification of a set of operational and institutional capability gaps. The different activities contained in the four steps are modeled after those in the DoD process but tailored to NSA and its strategic decision processes. The capability requirements process then informs the programming/budgeting phase about the capabilities needed and their relative priority.

[Image]

Step One: Identify the Deficiency, Capability Gap, or the Need

The first step begins with the Mission Area Analysis (MAA). The goal is for the business units and enablers to identify deficiencies or capability gaps that will result from their efforts to implement the corporate strategic and business plans' demands and the current program. In addition, operational and mission support capability gaps might also be identified based on ongoing mission and mission support demands. The assessment must reveal how the identified deficiency will affect NSA and in what timeframe. The timeframes need to be consistent with those identified in the strategic and business plans. Once a deficiency or gap is defined, the proponent of solving the deficiency or gap should identify alternatives that address how the deficiency can be overcome (e.g., proposes a materiel or nonmateriel alternative). Importantly, Step 1 is not fiscally constrained, and its purpose is not to identify current programs or activities that are underfunded. Its purpose is to identify operational or institutional capability deficiencies or gaps that in the near-, mid-, or long-term threaten NSA's ability to perform its mission as it is defined in the strategic and business plans.

Step Two: Document the Capability Need

Step Two concentrates on documentation of the identified need by the proponent. The proponent must define the needed capability specifically enough to ensure understanding about a solution to the identified deficiencies or gaps. The proponent also recommends a priority for the needed capability based on a set of priority categories. The documentation needs to address how the proposed new capability will affect the current NSA baseline and over what periods.

Step Three: Validate the Capability Need

As noted in the design criteria, the corporate requirements process is designed to be hierarchical. The business units and enablers identify operational and mission support capability gaps. Corporate NSA does not need to oversee or manage every requirement that emerges within NSA. Rather, requirements that breach identified thresholds are entered into the corporate process and eventually will go to the CRG for review and approval. The CWG reviews the set of identified capability needs, their relative corporate priority, and their resource impacts and recommends approval or disapproval to the DIRNSA.

Step Four: Approval by the DIRNSA

Corporate-level requirements can only be approved or disapproved by the DIRNSA and DDIRNSA. Once a capability requirement is approved, it can then compete for resources during the various program years. All capability needs requiring further external approval (e.g., by the JROC and/or MRB) must be reviewed by the CWG and approved by the DIRNSA.

Implementation of NSA's Corporate Capabilities Requirements Process

Because the DIRNSA had given specific guidance to the RAND project team that he wanted a relatively flat management structure for the corporate processes, RAND proposed that two working groups be formed to support the capabilities generation process. The CWG was established as the principal group supporting the process; it has representatives from business units and enablers and is chaired by the DC4. An EWG chaired by the DC4 was also recommended. The EWG reviews and determines the relative priority of mission support requirements. The EWG ensures that the various enabler organizations do not form their own separate requirements organizations. The DC4 oversees the EWG and ensures that enabler-identified deficiencies are vetted and that priorities are established among the various enabler requirements. EWG requirements are forwarded to the CWG for further discussion and an establishment of their relative priority within all of NSA corporate requirements. In practice, it was determined that establishing a separate EWG would add little because all the enablers were represented in the CWG and members that represented mission would ultimately review the mission support needs. Hence, only the CWG was established.

The CWG reviews and validates mission and mission support capability requirements and makes recommendations to the CRG for approval. The CRG performs corporate-level requirements review and validation. Under the guidance of the DC4, options are developed, relative priorities among mission and mission support requirements are established, and program impacts are identified. The DIRNSA makes the final decisions on all corporate requirements. The DC4 is responsible for maintaining an inventory and oversight of all approved corporate requirements. The CAO and the Corporate Architect and Chief System Engineer (CA/CSE) provide analytic support to augment the DC4's staff. Figure 5.1 shows the organizational structure of NSA's capabilities generation process and its alignment with the CRG. Again, the corporate process is one element of an end-to-end set of corporate strategic processes.

The CCGP occurs over a four-month period beginning with the DIRNSA's approval of the NSA strategic and business plans in December of the off year. The process takes place between December and April of the year with a major review to support POM/IPOM build years and a minor update occurring in the off year. The 2003 process studied for this assessment was a major review given that the process was new and the DIRNSA wanted to implement it prior to the initiation of the major FY 2006-2011 POM/IPOM build.

The CCGP process consists of six well-defined activities, each of which involves the major business units and the various enabler organizations. The first is the identification and cataloguing of deficiencies and capability gaps as the basis to develop capability needs from the business units and the enablers. This activity is an outgrowth of implementation plans developed by the business units and enablers that determine respective objectives to achieve corporate goals.

The second involves an assessment of the identified capability shortfalls or gaps. The evaluation includes an assessment of the completeness of the description of the capability needed, some determination of how critical it is to NSA's mission and transformation, and an assessment of whether other similar capabilities exist or have been identified by others.

The third activity contains two parts. The initial part focuses on ensuring that the capability need is consistent with the goals and objectives contained in the most recent NSA strategic and business plans. The assessment also evaluates the needed capability's consistency with external guidance -- from Congress, CMS, and DoD -- concerning NSA and its mission. The second part of this activity involves evaluating what dependencies and/or tails (i.e., added supporting resources, including personnel, facilities, and equipment) a needed capability might have. The goal of going to a capability-based process is to ensure that all elements of a capability are identified early in the process. These can include such dependent elements as logistics support, facilities, personnel, training, security, etc. This step also attempts to provide information on the time frames when the particular capability is needed, its feasibility in terms of needed technology or the existence or fielding of critical systems to support it, and potential resource impacts. The resource impact assessment is not a detailed costing of the capability but rather a rough initial estimate of the potential fiscal impacts on NSA's program.

The fourth part of the CCGP process addresses the potential challenges that could inhibit NSA's ability to acquire the capability. They include a summary of legal, policy, and external constraints; timing; resource impacts; and risks. These are presented to the CWG for comment and guidance. During this step, the CWG develops priorities for validated capabilities needs.

The fifth step involves an independent review by the Corporate Architect to ensure that a potential capability is consistent with NSA's technical and operational architectures and that the full array of interdependencies and gaps have been identified.

The final activity is the presentation of the list of capability needs to the CRG for review and recommendation for approval by the DIRNSA.

The CCGP was initiated in November 2002 with the appointment of a capabilities generation process manager with a strong technical background and a thorough knowledge of NSA, both necessary prerequisites to establishing a technically and mission informed process. He initiated the activity by meeting with representatives from the participant organizations from across NSA as well as the field components. A small analytic team called the Capabilities Analysis Team supported the process with analysis. The team was largely provided by the Corporate Architect organization and consisted primarily of contractors. It was formed to ensure sufficient resources to support the independent assessments needed by the manager of the requirements process.10 The requirements process manager also commercially acquired a database to ensure that identified and approved requirements were recorded and auditable. The METIS database was adopted and used to provide a comprehensive and interlinking capability. The tool records both the technical and functional analysis of the requirements process.11

____________________

10 In RAND's initial concept, the CAO was to provide the analytic capabilities to the DC4, but the director of the CAO argued that his responsibilities focused on providing independent assessments to the DIRNSA and not the support of the DC4.

11 METIS is a proprietary data-organizing and display software (METIS, 2003).

The capabilities generation process manager automated the process as much as possible. An automated submissions form was developed (i.e., the Capability Submission Form) with a web-based application managed through the Dynamic Object Oriented Requirements Systems database. Each capability submitted to the DC4 is given an identification number so it can be tracked across NSA. The process implemented by the DC4 includes the four steps laid out in the DoD process. Figure 5.3 shows the crosswalk between DoD and NSA capabilities generation processes.

[Image]

Assessment of Process

The CCGP was initiated in January 2003 with a message sent by the DIRNSA to the workforce indicating that the process was under way and that it was part of the larger corporate strategic decision processes being implemented in the agency. The CWG was convened to describe the process and ensure that senior representatives were appointed for the duration of the process. The project team recommended that representatives to the CWG be formally appointed by their respective organizations and that they should be empowered throughout the process to represent their organizational perspectives in all aspects of the process. The purpose of this position was to ensure that, once decisions were made, they had to be adhered to by all members of a particular organization.12 The initial meetings of the CWG concentrated on explaining the CCGP. Many enabler organizations immediately embraced the concept because the process provided them a mechanism to identify and vet capability needs separate from SID or IAD missions. The business unit representatives also argued that the CCGP offered them few advantages and that the process was redundant because they already had operating requirements processes. The business unit representatives argued that their processes were consistent with those in DoD, especially in the Joint Staff; therefore, the corporate process was not needed. One business unit representative argued that the corporate process needed to mirror DoD's JROC process to be accepted by the business unit because its process followed JROC guidelines. Another representative argued that unless the output of the requirements process was a set of funded requirements it was of no value to NSA.

____________________

12 This recommendation is a result of the project team's experience in the development of strategic decision processes in large organizations and their assessment of the DoD Quadrennial Defense Review. See Schrader, Lewis, and Brown (2003).

The various challenges to the process by the business unit representatives were systematically addressed in multiple meetings held by the DC4, the process manager, and the RAND project team. The CCGP was designed to identify gaps between the goals and objectives contained in the corporate NSA strategic and business plans. It was designed to cover both mission and mission support requirements, whereas the JROC process is designed to address primarily joint mission and special-interest capability needs. The JROC addresses primarily materiel-oriented capability needs that often result in large acquisition programs (e.g., ACAT 1 programs). The SID and IAD requirements processes are subordinate to the CCGP. RAND further argued that ideally the SID process should not interact directly with the Joint Staff, but rather that NSA capability needs that require JROC approval should be vetted first through the corporate process and approved by the DIRNSA. The output of the CCGP is an NSA-wide vetted list of capability needs not addressed in the current program baseline. In addition, part of the vetting process is an assessment of potential dollar impacts and the identification of the technical feasibility of the capability within the needed time frame. One problem identified with the current SID and IAD processes is their limited scope and strong bottom-up orientation. This often results in operational needs that consider only the impacts the need will have on SID and IAD resources. This narrow view fails to identify the support tails and their resource impacts and the overall impact on NSA's ability to perform its mission.

The tensions between the emerging corporate process and those operating in SID and IAD have been a chronic issue throughout the duration of the operation of the CCGP. Representatives from both business units argued that their own processes were sufficient and that a corporate process was intrusive. In each step of the process, the business units either missed deadlines or refused to share information with the CWG. The DDIRNSA finally directed the business units to participate in the process. This directive resulted in somewhat better cooperation, but the business unit representatives challenged each step of the process, requiring extensive coordination between the DC4 and the business unit directors.

Soon after the process began, the DIRNSA decided that the dollar thresholds needed to be lowered to $2 million to get sufficient insight into the various activities. At one of the initial meetings of the CWG, discussions were focused almost exclusively on the process. In this instance, SID argued that the process was too intrusive with such low review thresholds. The leadership maintained the position that NSA management needed sufficient visibility into what was occurring in the business units. The DDIRNSA allowed that once the corporate processes were institutionalized the thresholds might be raised, but until then the $2 million thresholds would provide oversight and visibility into the business unit and enabler requirements.

As the CCGP unfolded, the process manager realized that he needed independent analytic capabilities to provide objective and independent assessments of the various proposals put forward by the CWG members. For example, he needed to know if a proposed capability already existed, was redundant with other capability needs brought forward, already funded, etc. The DC4's office was understaffed to provide analytic support to the CCGP. The CAO was unable to provide analysts, arguing that his organization was also understaffed and needed to operate independently of the DC4. The process manager turned to the Chief Engineer/Corporate Architect to provide a small cadre of contractors to support his various activities. The contractor team, made up of approximately six computer scientists and policy analysts, needed training about the process and the types of analysis needed. The process manager recognized the immediate need to train the new analytic team. The team did not understand the types of analytic support the process manager needed. For example, the team's members wanted to develop forms and automate the process, given that they were primarily computer scientists, rather than provide a knowledgeable assessment about the current program baseline and whether a new capability need was already being met in the program. The manager needed a scheme for setting priorities on a capability need, but the capabilities analysis team concentrated on developing an automated program for inputting data. With the help of the RAND project team and the process manager, a scheme was developed to evaluate a capability need and set priorities on the various capabilities. Once the information needed for assessment was identified and a form structured, the capabilities analysis team could provide the detailed analytic support.

The real work in the CCGP was done in the CWG. Often, business unit representatives bogged down the process by arguing that they did not understand the process's purpose and its time demands and that it duplicated work already being done in their respective organizations. Many meetings were rescheduled because the organization designated to present its capability gaps was not ready. The enablers viewed the process as providing them a mechanism to identify and vet their requirements, while the business unit representatives argued that the process was really designed to take resources away from their programs -- CCP and ISSP. The process raised a broader issue within the NSA of who really owns and manages the multiple resource programs. The DIRNSA concluded that he was responsible for all of NSA's resources, and he delegated the oversight of the various programs to the CFM and Comptroller.

By March 2003, the process yielded approximately 120 capability gaps when Step One was completed. Steps Two (document the capability need) and Three (validate the capability need) focused on the review and assessment of the defined set of corporate capability needs. The process manager then sought from the CWG some assessment of whether the need was for a distinctly new capability or whether the capability was already identified and in development but was experiencing funding or time line problems. This issue was resolved with some analytic augmentation provided by the capability analysis team. The majority of the 120 identified capabilities were already funded in the current NSA program but were viewed by the various proponents as underfunded, not clearly defined, or having difficulty meeting their various time lines for fielding. Once the different dimensions of the existing capability need were understood, it was either forwarded to the NSA programmer for consideration of resource adjustment to the current program or sent back to the proponent for further information and evaluation. The review process resulted in 91 of the capability needs being handled through one of these two avenues. However, the 91 capabilities now had a better definition of the problems -- funding shortfalls, support tails being omitted, time line problems, etc. -- that needed to be addressed either by the proponent or in other NSA corporate processes. Interviews with participants indicated that the CWG was beneficial because it provided a mechanism for sharing information about what was occurring in NSA and how a particular activity might affect other supporting organizations. One example was the realization that the hiring of additional analysts in NSA resulted in a need for more office space, computers, training, and security clearances. None of the capability needs and their associated resources had been identified prior to the commencement of the CCGP.

The process identified 29 new capability needs that supported corporate and external objectives. The process manager now needed a structured way to identify the needed capability's relative priority and potential resource impacts. A three-tiered set of subjective evaluation criteria was developed to set priorities on the new requirements. Level One contained only capability needs identified as critical to NSA's mission or transformation. Level Two contained the capabilities judged to be essential to NSA's mission and transformation. Level Three contained capabilities determined to be desirable but not essential to NSA's mission and transformation. Potential resource impacts were more difficult to determine. Initially, most members of the CWG wanted to determine the exact cost of the capability. RAND argued that if a capability were new and undefined many elements of its solution space were unknown. The capabilities process identifies capability shortfalls or gaps and should not define the material solution for how to overcome the gap. Therefore, the process should provide some insights on what the resource impacts of a potential capability might be but should not develop detailed cost analyses.13 The process manager turned to the proponent of a capability need to outline the different elements of his capability need -- type of technologies that might not be involved, time lines for when the need had to be met, dependencies in terms of workforce, workspace, support capabilities, etc. From this information, some rough order of costs were identified and shared with the CWG.

_____________________

13 This is a major issue in the institutionalization of an NSA process. Until this point, a requirement defined in SID or IAD was for a specific piece of equipment or a system. Once the equipment or system was identified, it became a funded requirement without ever considering alternatives for how the need might be met or the cost impacts on other NSA activities or programs. The RAND model argued that capability needs were just that -- a needed capability of which technical solutions should only be considered once the need was validated in the corporate process. The validated need could then be met through the development of several proposed solutions based on technical feasibility, technical complexity, cost, risk, etc. The proponent of the needed capability would work with the acquisition organization to find the most achievable solution based on cost, schedule, risk, and performance.

Once the potential resource impacts, complexities, and time lines were shared with the CWG, some panel members argued that expensive, complex, near-term capability needs should be assigned a lower priority within the three bands, contending that the capability needs could not be accommodated within the current program. The process manager and RAND argued that the purpose of the CCGP was not to decide which of the new capabilities should be funded but rather to identify for the CRG and DIRNSA the mission and mission support capability gaps that threaten accomplishment of NSA's near-, mid-, and long-term mission and its overall transformation. The programming and budgeting processes are responsible for providing different options for how the gaps might be overcome and their impacts on the baseline program. However, all of the Level One capability needs were funded in the FY 2005 program.

Summary

The corporate capabilities process has been the most difficult corporate process to implement. The process is the first corporate activity that involved detailed information from the major business units, who view this activity as intrusive. SID believed that its processes were sufficient and that it did not have to respond to the corporate ones, particularly because the processes were not well defined when they were initiated.

The CCGP is unique in that it captures both institutional and mission requirements and attempts to set priorities on needs through priority bands. The process is consistent with the Joint Capabilities Planning Process that DoD/OSD is attempting to establish.

In January 2004, the leadership initiated the second capabilities generation process. The process manager now has databases and a well-trained analytic team. Nonetheless, he is confronted with significant challenges to the process by many who argue that they want it to result in a "one to n" prioritized list of requirements and definitions of solutions and their costs.

The 2003 process resulted in Level One priority capability needs being identified as critical to NSA's mission and transformation. The majority of the 29 capability gaps were given a Level Three priority. They were determined by the CWG to be needed but not essential to NSA's mission or transformation. However, the assessment process was largely subjective because NSA lacked robust assessment tools to provide the CWG with sufficient quantitative data. The process manager found that most options and recommendations for DIRNSA approval were developed in the discussion of the CWG. Importantly, many members of the CWG increasingly acquired corporate perspectives rather than advocating solely for their respective organizations. The enabler organizations became strong advocates for the overall process, arguing that the linkage between the CCGP and the CRG provided a corporate mechanism for their issues and concerns to be raised and objectively adjudicated.14 The director of IAD indicated that initially he saw little value added by the CRG and the CCGP, but that, after participating in both processes, he thought that IAD had been able to fairly raise its issues and argue its concerns. He also indicated that providing the enablers an independent mechanism to raise NSA-wide issues was important.15 Representatives from SID contended that the CRG and CCGP were duplicative of their processes. In particular, they contended that the CCGP was not consistent with their processes and that the CCGP should be designed after the JROC. These issues continue to dominate the discussions between SID and the DC4 over NSA Directive 1-36 defining the CCGP.

____________________

14 Interviews with NSA officials, June 10, 2003.

15 Interview with IAD senior manager, July 25, 2003.

Since the initiation of the CCGP, the process manager and the DC4 have continued to refine the process to use it for the FY 2006-2011 POM/IPOM development. The process manager has developed and instituted a Web-based set of instructions to accompany the directive. He has also improved the analytic tool capabilities by acquiring several data tracking tools as well as assessment capabilities. The capabilities analysis team continues to function, utilizing a small contractor team that manages the database and analytic tools. The DC4 is continuing to work on the process to garner full support from all CWG representatives for the CCGP.


CHAPTER SIX

Corporate Programming and Budgeting and Execution Processes

Figure 6.1 highlights the two segments of the decision processes discussed in this chapter.

[Image]

Background

In addition to the previously discussed CCGP, RAND was asked to assist the CFM and his staff in the Financial Directorate (DF) in reviewing the existing programming processes and establishing a corporate process consistent with the congressional intent of providing adequate senior leadership oversight of NSA's resources. Because budgets have had to be submitted throughout NSA's history, programs were built each year tailored to the requirements of the Pentagon and the IC-CMS. These activities resulted in a POM and IPOM documented in Congressional Justification Books for DoD programs and Congressional Budget Justification Books for intelligence programs. Although these programming activities met the letter of the law, they were not part of an integrated set of corporate planning, programming, and budgeting processes.

Concept of the NSA Corporate Programming and Budgeting Process

The NSA's programming and budgeting process was designed to use both the corporate planning process and the CCGP to build a set of programs based on strategic priorities and validated requirements that would ultimately become the NSA budget and its justification. The intent of the new process was to ensure that resources were allocated to executable programs in a balanced way to maximize the capabilities of the NSA for current operations while making the necessary investments to provide transformational future capabilities. The resources involved are both dollars and people (government civilian employees, military personnel, and contractors). We make a distinction between programming activities associated with future year allocation of funds and budgeting activities where programming decisions are translated into the President's Budget submitted annually to Congress and eventually appropriated into funds that can be executed by NSA.

The corporate programming process for NSA has two important dimensions: time and breadth. The program is developed for each of six years into the future.1 Estimates of costs are necessarily less precise the farther out the program goes, but NSA's overseers require it to produce a fully funded program across the FYDP. The second dimension (new for NSA) is breadth, where the entire enterprise is considered as an integrated set of activities, not separate stovepipes meeting individual unit priorities without consideration of their impact on other parts of the organization. In the past, anticipated resources were allocated to business units (SID, IAD, ITIS, Security, etc.), and each unit would develop programs using allocated funds and would argue with the NSA leadership for additional funds to meet shortfalls and to provide additional capabilities. This resulted in piecemeal decisions to take resources from one unit and reallocate them to another in a process that appeared arbitrary. A new, truly corporate process would need to bring together the affected parties to review their program plans in front of other claimants in a structured and repeatable process. Major decisions would be referred to the senior leadership in the CRG for resolution after supporting analysis had been conducted in the programming process.

____________________

1 In DoD, this is known as the Future Years Defense Program. It was previously the Five-Year Defense Program with the same acronym (FYDP) but, with the advent of biannual programming, it is developed for six years in even years and updated for the remaining five years of the FYDP in the subsequent odd years.

Implementation of the Programming Process

The RAND project team met with the CFM and his staff in late 2002 to discuss expectations and to review the existing programming process. It was clear that the CRG was providing a corporate focus for decisionmaking, but the programming, budgeting, and execution processes needed to change to support achieving the DIRNSA's intent. The DF's organization (see Figure 6.2) was reviewed and possible changes were considered, including moving the programming activities out of the CFM organization to the DC4 to provide stronger linkage to planning and performance.

[Image]

The review concluded that many of the program building capabilities already existed in DF3, so initially only minor organizational changes would occur. The capability needs process had already started working on identifying and prioritizing new requirements in the RWG (now the Capabilities Working Group) and the new program build needed to produce the FY 2005-2009 POM/IPOM. Because this was an "odd" year, only minor adjustments to the FY 2004-2009 submission were anticipated, and this would provide time to establish new procedures and develop working relationships among participants. This would allow NSA to be ready for a more substantive programming process to support the development of the FY 2006-2011 POM/IPOM. As a result, planning began for a PWG that would be led by DF with membership from all NSA organizations.

A cost analysis capability to support all corporate processes was an acknowledged need. The nature of that capability will vary from highly aggregated estimates for strategic planning and requirements where decisions need to be "resource-informed" to much more detailed estimates to support the programming and budgeting processes. Very little of either capability existed at NSA, but no decision took place on where that capability would ultimately reside. At this point, the little capability that did exist was in DA where cost estimates were developed for some of their acquisition programs.

By January 2003, it was becoming clear that there would be no DoD requirement for a new POM and there would be time to build a corporate programming capability. A programming guidance document had been written, but it was not a strategic document. It addressed the tactical issues of timing and formats for submitting stovepiped pieces to DF for assembly into a program that met the submission requirement of DoD, CMS, and Congress. The RWG was on a schedule to establish priority groups of new capabilities and to identify the support associated with these capabilities. The RWG also made an effort to estimate the resource impacts of each validated capability. This served as a useful input to the PWG's efforts. There was also some hope that the RWG might identify changes in priorities for new capabilities in the Program for Record (PFR) as well as possible areas for divestiture in the PFR.2 RWG activities were scheduled to finish in March 2003 when the new PWG would begin.

____________________

2 The PFR is the result of the prior year's programming process that has been incorporated in the President's Budget submitted to Congress for review and appropriation.

One new element of the new approach to empower a corporate programming process was the establishment of a DIRNSA's "withhold of resources" that could be applied during the programming process to programs that either required special attention to solve long-standing problems or to fund new initiatives that accelerate transformation or other corporate priorities. Each expenditure center was allocated a funding total for its entire program based on the previous programming and budget cycle. However, the amount anticipated was reduced by 2 percent for two reasons. First, it caused a more critical initial review and prioritization because the total allocated would not cover all planned activities. Second, this equally applied "tax" provided a mechanism for the DIRNSA and the senior leadership to immediately address the highest corporate priority shortfalls. In the past, anticipated resources were allocated to the business units for their own prioritization and, in the endgame, the DIRNSA could review their allocations but had no resources to apply to solve problems without "taxing" individual units. Clearly, this old process resulted in severe underfunding of institutional requirements (infrastructure, security, personnel development). The NSA leadership acknowledged that the previous programming process failed to present them with options and that any new process should enhance the role of senior leadership by presenting sets of alternatives. Throughout the process, the PWG maintained a continuously updated list of prioritized unfunded capabilities. Because of the frequent interactions between the PWG and the CRG, early action could be taken to apply additional funds in the most critical areas.

These early discussions of the programming process identified another long-standing problem -- the need for a corporate financial management system. Because the program had in the past been built in stovepiped pieces, not surprisingly, each business unit had its own set of databases and spreadsheets. This meant that their outputs eventually needed to be merged with the mixture of financial systems being used in DF. The previous CFM had initiated development of a new Financial Management System (FMS), but its development was constrained by DoD guidance limiting expenditure on financial data systems until an umbrella approach for all of DoD had been developed. The new FMS development was also hindered by a lack of understanding about the data requirements of the emerging end-to-end corporate business processes. There was not even an accepted, workable budget structure that would allow linking programming and budgeting resources to corporate objectives in the strategic and business plans. The goal of one corporate financial system was clear, but the path to achieving that goal was not.3

____________________

3 The issues with OSD on a new FMS conforming to DoD-wide standards have been resolved, and NSA is moving forward as a prototype, with initial capabilities expected to be available in FY 2005.

As the RAND project team began to work with NSA to define and implement a new corporate programming process, it was necessary to understand the existing relationships between DF and the other major players' processes. In particular, the SID and IAD processes needed to be integrated with a goal of reducing the total workload while ensuring corporate visibility for major trade-offs. Both SID and IAD already generated much of the information needed to support the PWG, and ultimately the CRG, but barriers to sharing information needed to be broken down. RAND had worked with the Air Staff in establishing corporate programming functionality at its headquarters, and NSA's decision to bring in a new director for the PWG with extensive Air Force programming experience provided a jump start to applying lessons learned from the Air Force experience.

The PWG

Although the CWG was in the middle of its review of new capabilities and did not plan to complete its work until the end of March 2003, the PWG was initiated in February 2003 to be ready for the handoff from the RWG. With a new organization intending to perform new functions, the programming chief decided to build his new enterprise team by developing a charter that addressed the concerns of the participants and that could be endorsed by the senior leadership. This approach not only led to a better understanding of just what the group would be doing, but it also allowed the members to get to know one another in a nonthreatening environment.

PWG goals were introduced at the first meeting. They included increased visibility and openness (for the programming process); improved collaboration (across stovepipes); ensuring that the program is integrated; validating changes to database; and institutionalizing process and structure (Hartney, 2003). The most ambitious part of this agenda was integration, which was defined as ensuring that all projects are understood by all enablers and funded appropriately. This requires a shared understanding of linkages, dependencies, and redundancies, as well as an understanding of the risks associated with planned program scope and resources. The desired end state is a balanced program proposal (or program alternatives) for review and approval by the CRG. Table 6.1 shows the capabilities the RAND project team suggested for NSA consideration in a corporate programming process. The cost estimation and analysis capability remains problematic, but it is an acknowledged need.

[Image]

The PWG required a convergence of disparate programming processes that had existed in the various business units. To that end, a common summary table of information was necessary. This template became known as the "issue slide" because it was intended to include all the necessary information to portray the status of a particular program element. Figure 6.3 is a blank issue slide presenting programmed resources (dollars and people) as well as proposed changes and their impacts. Expenditure center managers would also have additional supporting data to respond to anticipated questions, but the issue slides serve as a common reference point for the PWG.

[Image]

To achieve balance in the program, priorities of the individual business units need to be integrated into a corporate set of priorities. This was accomplished by building internal priorities in the components, where "most dear" (highest-priority) and "least dear" elements were identified and shared with the PWG. As funding adjustments were made based on fact-of-life increases in costs or decisions to terminate programs, the most important capabilities would be protected and the least important rescoped or canceled. This categorization also allowed review by the PWG and the CRG of internal business unit priorities. Here, the leadership had an early opportunity to question or better understand the perspectives of the business units, with enough time remaining to make changes without major disruptions.

The PWG leadership made clear from the beginning that this process was a "zero-sum game." Any emerging new requirement for funds or disconnects where a previous program was inadequately resourced would require an offset from a "least dear" activity. Figure 6.4 illustrates the trade space for competing "least dear" new programs versus "most dear" programs in the funded PFR. Items that could not be fit into the allocated resources would be addressed later in an overguidance review, but they could also be identified during the periodic CRG reviews of the evolving program for funding from the DIRNSA's withhold.

[Image]

As previously noted, NSA prepares programs for both the SecDef and the DCI. In fact, there are four DoD programs -- the ISSP, the Defense Cryptologic Program (DCP), the Defense Counterdrug Intelligence Program, and the Defense Airborne Reconnaissance Program -- and one IC program -- the NFIP CCP -- that provide resources to NSA. The clear intent of the senior leadership is that the PWG (and other corporate decision processes) address and balance all five programs. For this first year, the PWG limited its detailed review activities to the CCP, while building familiarity with issues associated with the other programs. The FY 2006-2011 POM/IPOM addressed all five programs.

Because there was no history of working together to develop a balanced program, it was important to build a team committed to a common goal -- building the best possible program for the agency. By having a leader who had considerable experience in building Air Force programs and considerable skills in working with groups with disparate parochial interests, the establishment of this new process went very well. From the beginning, emphasis was placed on letting each member of the team have his or her say and building consensus on decisions. These interactions began with building a PWG charter that established agreed-on procedures and addressed concerns about the scope of the group's activities. At the same time, a very open process of crafting an Annual Programming Guidance (APG) document was initiated, using the internal Web to post draft copies and receive comments. Ultimately, the APG is a corporate directive reflecting the leadership's priorities, but it was much more effective because it had roots at the working level and concerns were aired in an open forum. As previously noted, this was the first attempt to build a balanced enterprise program and the goals for this first year were modest. Looking back, this was a very effective way to build a foundation for handling more issues next year and dealing with more contentious issues.

As described earlier in this report, NSA did not (and still does not) have a budget structure that facilitates capabilities-based programming and budgeting. The structure is evolving, and it is improving but still reflects the previous stovepiped approach to programming and budgeting. The PWG was forced to use the existing structure, but it did require specific addressing of program linkages and dependencies. The key to this approach was identifying an appropriate level of aggregation for issues that would be addressed by the PWG. The level chosen was expenditure center. In some organizations, all of the activities fell into one center but larger organizations, such as SID, had several expenditure centers. Because of the size of SID's program, it makes sense to have several centers focused on mission areas or functions. However, a balancing of resources across all SID expenditure centers is needed. The SID leadership better understands the interdependencies among their expenditure centers and how corporate priorities are best reflected in accomplishing their mission. Nevertheless, expenditure center programs are still addressed in the PWG and priorities may change, either in the PWG or when controversial issues are bumped up to the CRG. This structure continues to change with parallel goals of simplification and better association of resources to missions. The PWG should provide recommendations to DF on possible changes to the expenditure center structure based on lessons learned in the first year.

Initially, the center managers were provided training on the kinds of program data and related information that would be required for the PWG deliberations. The substantive PWG activities began with presentations by center managers of their programs and the priorities for those activities from their perspective as center managers. These presentations included priorities for unfunded requirements, "fact-of-life" changes to programs since the last budget was submitted, and preliminary linkage of capabilities in the expenditure center to corporate strategic goals and objectives. Although time-consuming, these reviews built a crucial, common understanding of both NSA activities that directly supported the mission and the enabling capabilities that underpinned mission success.

The APG provided the center managers with basic guidance on the information necessary to support PWG activities. This included providing resource data in a common format for both dollars and people and identification of dependencies. The center managers also presented an overview of how the various constraints (DIRNSA's withhold, DCI guidance, and other APG direction) influenced the building of their piece of the program. In this first year, the focus was on the largest program, CCP, but the IAD expenditure center managers did make presentations on their program. Another first-year simplification was the deferral of overguidance issues until after the base program was balanced.

Throughout this process, frequent interactions with the CRG occurred. The purpose was multifaceted. First, it showed the corporate leadership that a process existed. Second, it provided an opportunity for difficult issues to be addressed early enough in the process to allow for some analysis on options and some decisions from the leadership. Third, it helped develop the PWG team because the members knew that their work was not just another new process whose output would be ignored. Fourth, the interactions prepared the senior leadership for the final POM/IPOM recommendations of the PWG. From the beginning, the PWG anticipated long and difficult sessions with the CRG at the end of the process, as recommended actions were reviewed and decided. To the surprise of some, the final stages were uneventful because the leadership had been following the PWG development of major issues and alternatives and the group's recommendations were largely endorsed.

After the PWG completed its work on the basic program, it reconvened for two more sets of sessions to develop an overguidance package and to identify the lowest 5 percent of the base program. Both of these activities were greatly facilitated by the prior PWG activities. Issues were understood by the members and the "most dear," "least dear" lists provided a starting point. In the past, the agency treated these as separate activities or left them to the DF staff to somewhat arbitrarily put the packages together. This year, both overguidance and the lowest 5 percent process were part of an integrated set of activities that could much more easily be defended as consistent with external guidance and NSA priorities.

Insights from the Initial Programming Cycle

Although this first round was viewed as very successful by most of the participants, it was very labor-intensive (for the PWG members and those preparing data for PWG review), and it did not address all of NSA's programs. There were many lessons learned from this first year's activities, and these are being reviewed within DF in anticipation of starting the much more difficult FY 2006-2011 program build. Many of the actions resulting from the lessons-learned sessions are tactical and address technical details of the process, as unpublished NSA documents attest. However, strategic issues also need to be considered.

NSA is simultaneously working to improve all the major corporate processes: strategy and planning, capability needs, programming and budgeting, and execution and performance. This is a very dynamic environment, and many activities not only take place in overlapping periods, but the same process may be addressing issues for more than one time frame. These processes are generally cyclical with initial decisions on a future program under review while its antecedent is still under review by Congress. These realities require shared knowledge among senior leaders and process managers. In particular, the programming process and its associated databases need to identify decisions, outside the formal activities of the PWG, that impact programs that have already been reviewed. Therefore, although the principal activity of the PWG occurs after a handoff from the CWG, the group will at other times need to meet to discuss the impact of changes in anticipated resources or changes in corporate priorities. In addition, a small staff will be required throughout the year to gather data and interface with other processes.

Developing a Program Analysis and Evaluation Capability

The single greatest deficiency at this point in the development of NSA's programming process is the inability to provide independent analysis of program alternatives. NSA has a history of building POM/IPOMs in order to function, and there are trained staff and some new hires with experience in the mechanics of collecting data and submitting information for external review. However, no experience base exists in independent review of program content and resource alternatives. Most program information comes from those responsible for executing the programs, and too often they are advocates for the decisions that they have made in the course of their management responsibilities. This information is part of the programming decision process, but it is not sufficient to provide NSA's senior leadership with an understanding of opportunity costs. The desired capabilities are more than just independent cost analysis. They require a staff that understands technical aspects of programs, corporate priorities, and high-level cost analysis. The capabilities also need tools for analysis, such as those that would support comparative cost-benefit analyses. If NSA is unable to hire a nucleus of program analysts, it may be possible to arrange for a temporary assignment of one or two analysts from OSD Program Analysis and Evaluation to guide initial activities and develop training plans.

Improving NSA's Budget Structure to Support Programming

As previously noted, the emerging programming process is keyed to the expenditure center structure, and we see no reason to change that. What does need further work is the supporting lower structure. Resources need to be logically grouped so corporate decisions can be implemented and tracked. Therefore, some common aggregate (a redefined "project" or an expanded cost center) approach needs to be implemented that allows all the resources associated with a capability to be easily identified and tracked. Future NDRI work in support of DF and the CRG will help to develop alternatives and implement solutions. As previously noted, a useful start would be to have the PWG suggest possible changes to the expenditure center structure or aggregations of cost centers to better represent sets of capabilities.

The PWG Operates to Ensure Execution

The RAND research team interviewed several senior members of the DF to develop a way to ensure that the execution of the NSA budget was properly directed and integrated with the other corporate decision processes supporting the CRG. Originally, the research team considered the utility of a new body supporting the CRG that would be focused on execution only. However, it became evident that execution required many of the same managers who were involved in programming and budgeting activities. This led to the RAND team recommending to the CFM that the PWG become the oversight and integration body to operate the execution activities for the CRG. The team also recommended that the leadership of the PWG during execution activities be moved from the chief of programming (DF3 1) to the director responsible for financial execution operations in DF1. The CFM considered our recommendation and raised the initiative to the DIRNSA and DDIRNSA, who approved it. The CFM subsequently briefed the CRG of the decision, and the proposed manner of operation, to use the PWG to assist the agency in the execution of its annual financial plan and to ensure that programs were executed according to their individual program plans. The PWG would also ensure that the agency was obtaining the most for the resources appropriated in its budget. The PWG initiated execution activities in 2004.

NSA has made remarkable progress in the first year, with a functioning PWG that is trusted by the leadership and the components to provide an objective process to present information, to conduct ordered discussions, and to provide balanced recommendations. The members of the group were skeptical in the beginning, but a combination of good leadership for the PWG and commitment by the DIRNSA, DDIRNSA, and CFM to make the process succeed places NSA in a position to deal with the much more complex programming decision process for the FY 2006-2011 POM/IPOM. This first year addressed only incremental changes. This will be a new start with new transformation objectives and less likelihood of significant overguidance funding to ease the pain for programs that did not make the cut.


CHAPTER SEVEN

Conclusions and Recommendations

Conclusions

NSA has made significant progress in the development of robust and responsive corporate strategic decision processes. The implementation of the processes has succeeded because of the guidance and leadership provided by the DIRNSA and DDIRNSA and the ongoing work by the managers of the Planning, Requirements, and Performance (DC4), CFM, Chief System Engineer (CSE), and Acquisition organizations to ensure that the processes are interconnected and provide the information needed for strategic decisionmaking. The managers of SID and IAD underpin these managers by ensuring that critical mission needs are identified and discussed through the various corporate processes. Through these interactions, a structured participatory management structure is gradually taking hold within the NSA.

NSA had to develop strategic decision processes that allowed it to interact effectively with those processes operating in DoD and the IC. NSA's processes must adhere to the structure and schedules of these external processes. In designing many of the needed strategic decision processes, the RAND project team often used or built on elements of NSA processes that were either operating at the agency or had historically operated and for various reasons had been abandoned. Key to the design and implementation of strategic processes was to ensure that they were consistent with NSA's culture while ensuring that the outputs of the processes provided the necessary information to decisionmakers, external stakeholders, and overseers.

This case study of change management also reveals that "change" is an iterative process that frequently succeeds only after several prior attempts have failed to fully yield the desired results. NSA was able to accept, modify, and implement the initial set of RAND recommendations because it had tried several other times to develop strategic decisionmaking processes and these efforts did not achieve the desired results. This report also supports the finding of other studies of change management that successful change necessitates a combination of leadership guidance and support and the presence of a tier of senior managers who support the objectives of the leadership and implement them. The second tier of managers must be able to raise, discuss, and resolve their differences within the broader context of supporting the enterprise. RAND found that, over the past two years, the DIRNSA selected and assigned senior managers in several functional areas who were able to work together for the common good, and often this was a result of compromise among many of the senior managers.

Critical to the design and implementation of the corporate strategic decision processes was the establishment of the DC4 organization. The manager of the organization has a strong background in Air Force planning and programming and the requisite knowledge about how these processes must operate within the broader context of DoD decisionmaking. The DC4 organization has succeeded because its responsibilities focus on the management of the strategic planning and corporate capabilities processes, with the most critical task being the support of decisionmaking through the CRG. The CRG operates as the corporate framework by which the other processes -- strategy and planning, programming and execution, capability needs, and performance supported by systems engineering and acquisition -- provide critical information for leadership review and decision. In this model, the DC4 operates as the neutral integrator whose primary interest and responsibility focuses on objective analyses and the development of options for senior leadership review and decision. The DC4 is also responsible for sustaining the audit trail of decisions to ensure that a corporate memory is developed and sustained.

One organizational misalignment in the NSA model is that the DC4 is a staff function that reports up through the CoS organization. The roles and responsibilities of the DC4 in operating and managing enterprisewide processes and, as part of the processes, providing objective analysis and options to the leadership, necessitate that the office report directly to the DIRNSA, similar to the Acquisition, Financial Management, and Systems Engineering corporate functions. The DC4 generates and is privy to sensitive leadership information on issues and decisions that should be shared only with the DIRNSA and DDIRNSA. In the current alignment, the DC4 vets materials first through the CoS. Similarly, the corporate performance metrics activities continue to be managed by the CoS organization. The RAND project team strongly recommends that this function also be placed under the DC4 to ensure that performance is an integral element of that office and consistent with the office's charter. The CoS organization should be charged with the administration of staff and policy functions and staff coordination. It is appropriate for the CoS to be the advocate for Corporate Business Services activities because that responsibility includes the identification of corporately shared data systems and databases. However, the DC4 office is becoming a CoS action office for Corporate Business Services, which presents the perception of bias toward that architectural segment. Such a perception may compromise the neutrality of DC4 in operating the corporate processes and should be avoided.

The hiring and retention of a high-quality workforce to support the various corporate functions continues to be a challenge to NSA. The institution has not fully accepted that business practices and processes are as critical to successful management as the accomplishment of mission. There continues to be an inherent institutional bias against those members of the professional workforce who are not directly affiliated with the mission. Until recently, the leadership believed that the corporate processes could be fully supported by the professional workforce drawn from the mission directorates. In many instances, this has been a successful strategy in that the workforce drawn from the mission directorates has in-depth knowledge of its directorate processes, but, because NSA is establishing new corporate processes, it will need to go outside to hire individuals with broader knowledge and experience in these enterprise processes. The senior leadership has recently begun to aggressively recruit senior professionals from outside the agency to fill some of these gaps. The DC4 and Acquisition Directorates are actively pursuing this strategy.

The CRG organization and its supporting decision process have become embedded elements of this DIRNSA's management structure. Whether the CRG will be sufficiently institutionalized after the departure of former DIRNSA Lt. Gen. Michael Hayden remains to be seen, but he is intent on ensuring its full implementation prior to his departure. The corporate strategic and business planning activities have improved significantly since their initiation in 1999. The FY 2004-2005 planning activities were based on the FY 2002-2003 plans developed by the CFM organization. The NSA leadership decided that the FY 2004-2005 planning activities had to be driven more from the top. That goal was significantly furthered with the development of the FY 2006-2009 strategic plan and the FY 2006 business plan. The assignment of senior managers as sponsors of an initiative and holding various managers accountable in supporting the goals and objectives contained in the FY 2006-2009 strategic plan represent an attempt to embed the goals and objectives across the enterprise. The success of this endeavor will be evaluated throughout the CCGP and programming activities that support the development of the FY 2006-2011 POM/IPOM.

As of this writing, the senior leadership is focused on the continued development of a corporate structure supported by the four architectural segments discussed earlier in this report. The CSE continues to push for development of an enterprise architecture, which will encompass the four segments. Once this is accomplished, NSA will have a stronger ability to assess how new capabilities will be developed and fielded and, more important, how divestiture of legacy capabilities and system migrations will be systematically managed.

Also as of this writing, the corporate strategic decision processes have been established, but their full institutionalization is in progress. Subsequent work by this RAND project team and NSA will begin to address the integration of the processes so that data calls will be minimized and better connectivity will be achieved among the different processes. For example, the FY 2006 business plan provides critical information about the senior leadership's priorities and their potential resource impacts. It is imperative that this information informs the CCGP and the programming process. These linkages need to be inherent in the processes. Another dimension of institutionalization is the divestiture of processes and activities in the business units that are not directly linked to and do not inform the corporate decision processes. For example, multiple organizations in SID collect metrics data, but the data are internally focused, and little is known about if and how the data should or could inform corporate performance metrics. The manager of client interfaces in SID is beginning to address how the metrics being collected might be better used to inform NSA at the enterprise level on how it is meeting its mission demands.

NSA has received considerable scrutiny from congressional overseers and stakeholders, who specifically direct the agency, about how it should organizationally and functionally manage itself. The RAND project team has observed that frequently within NSA change is driven by the senior leadership's ongoing desire to develop credible and logical decision processes that support and measure its progress toward achieving transformation and mission objectives. For example, the external overseers have been very direct about developing an enterprise architecture and better management of NSA's systems engineering resources. They recommended an alignment that placed the systems engineering functions under the Acquisition Directorate. NSA's leadership concurred that the system engineering resources needed to be more centrally managed but contended that aligning the capability under the SAE ran the risk of creating another functional stovepipe, something that has historically plagued the agency. The compromise was the centralization of the system engineering capabilities under the CSE as well as raising the UCAO's management to the corporate level, thereby providing a dual-hatted CSE responsible for managing and integrating both functions. This alignment is working well. The CSE is providing matrixed systems engineering capabilities throughout the NSA while being responsible for establishing and maintaining enterprise-level engineering standards. This is an example at NSA that demonstrates that many successful outcomes often stem from tailoring organizational functions and their alignment in ways consistent with the organization's culture.

The most difficult part of implementing corporate strategic decision processes at NSA has been structuring the dialogue between the business units and the corporate processes. Prior to the establishment of the CRG and its associated processes, the business units operated as separate entities, each managing its portfolio based on the funding sources. The business units viewed the emerging corporate structure as challenging their prerogatives and making them accountable to the enterprise at a much more detailed level than they had had to be before the establishment of the CRG. The business units found that their activities needed to have greater transparency, and they now had to often rationalize their decisions within the context of the enterprise. As is to be expected, many managers within the business units viewed the CRG and the other corporate processes as threatening and demanding information that heretofore had not been required. The first formal cycle of the planning, corporate capabilities, and programming processes to build and reconcile the FY 2004-2005 program was challenging and often contentious. The FY 2006-2011 POM/IPOM cycle appears to have been much smoother, with fewer contentious issues emerging. This is a result of maturity and experience, with the participants having been through the different processes and knowing what is expected of them. The managers of the corporate processes have been refining and clarifying their processes based on the lessons learned from last year. Although the full development of tools and analytic capabilities will likely take several more years, the DC4, SAE, CSE, and CFM are developing suites of tools and analytic capabilities to support the corporate processes. Finally and of major importance, the senior NSA leadership strongly supports and guides the processes by defining their expectations for outcomes and providing the resources necessary for their operation.

In the context of NSA's corporate processes, the acquisition function is operating as the provider of capabilities. The acquisition function continues to place pressures on the rest of the processes. For example, critical to a credible acquisition function is having clearly articulated capability needs that define the mission requirement and the gaps that must be overcome. The major acquisition programs are increasingly refining their requirements through a series of well-structured dialogues with the business units and the users of the potential capabilities. Recently, the senior leadership recognized that the smaller acquisition programs, which make up the largest percentage of NSA's acquisition resources, need similar discipline. The insight came during the development of the FY 2006 business plan and the senior leadership's desire to understand the dollars and requirements associated with each of the non-PEO managed programs. As an outgrowth of this insight, the DC4, CFM, CSE, and SAE are reviewing each of the smaller programs to understand the exact requirement, its codification, the needed funding, and some assessment of how it fits in the enterprise architecture. Again the process is not trying to be intrusive into the activities of the business units, but rather it is attempting to establish a corporate discipline and dialogue to ensure that NSA is providing needed goods and services in support of mission and the transformation.

The greatest threat to the sustainment of NSA's corporate decision structure is that it can become too complex and bogged down by additional subprocesses. The leadership needs to be vigilant to ensure that the structure remains as flat as possible and does not become captive to the bureaucracy but rather stays focused on the processes yielding critical management and decisionmaking information. In large bureaucracies, the tendency is to continue to create subprocesses and discussion bodies so that "everyone can participate." Too often, well-structured decision processes collapse because they become a large bureaucratic apparatus, bogged down in subprocesses, more focused on managing the process than on securing needed information. NSA decision processes were designed to be hierarchical and not consensus-driven. In this model, leadership must be engaged and willing to make the tough decisions after it is presented the issues and the associated options. The NSA model has the DIRNSA as the ultimate decisionmaker, and the processes are designed to provide him critical information to make informed decisions. The model is designed to bring hard issues forward for discussion, option development, review supported by analysis, and decision rather than to either push them to the margins or adopt consensus-driven solutions.

The development of corporate strategic decision processes at NSA also reveals that frequently DoD and IC guidance and goals are inconsistent with one another or not sequenced in time to be supportive, setting up a dynamic that either allows the agencies to define their own course of action or, more seriously, forces the unit to operate within a narrow functional stovepipe. There is no doubt that the DoD and IC-CMS are interested in ensuring that intelligence capabilities and assets are cost-effectively developed and used, but the lack of an overarching architecture and set of common processes that communicate across the two interfaces hinders the ability of the DoD-IC organizations and agencies to make optimum decisions. This shortcoming results in suboptimization across the IC because each major decision is made without the benefits of an IC-wide enterprise knowledgeable about investments, future needs, and how capabilities might be optimized across the community. This insight does not diminish the various coordinating committees and bodies operating across the IC, DoD, and various IC agencies. Their contributions are significant. The insight does argue that decisionmaking and resource management could be substantially improved if an overarching architecture and common set of processes were in place that facilitated a structured dialogue about mission priorities, investment, and divestiture across the entire community, rather than operating through two stovepipes and their large bureaucracies. In terms of ensuring that DoD-IC agencies are responsive to mission needs and are moving from their post-Cold War practices to ones responsive to the new threats since September 11, 2001, a DoD-IC structure must be established that provides clear guidance and consistent oversight.

Recommendations

The RAND project team recommends that the NSA senior leadership ensure that each of the corporate decision processes is reviewed for simplification and improvement based on lessons learned from prior experience in application. The gathering of these lessons has already been initiated. We recommend that the senior NSA leadership continue its support and involvement to institutionalize the corporate decision processes and the management structure provided by the CRG. We also recommend, as discussed earlier, that additional resources be provided to the appropriate process operator organizations to develop and implement additional analysis tools to support the decision processes. For example, most of the programming process lacked the ability to analyze program options on a comparable capability cost-effective basis, thus limiting the utility of several recommendations on trade-offs of current programs for new capabilities to simple resource equivalents.

Improvements to the established individual processes, while having value, will only marginally benefit the outcomes of corporate decisionmaking. The synchronization, maturity, and integration of the decision processes and their supporting functional processes, such as acquisition and systems engineering, into a well-connected, end-to-end system offer the potential for a reduction in effort while ensuring that the desired leadership objectives for mission and transformation are realized. We recommend that, during the next year of operation of the CRG and the supporting decision processes, more effort be given to ensuring synchronization, integration, and maturity. The development of the NSA 1-36 manual that documents the key decision processes and their supporting functional processes has provided the foundation for these future efforts. Minimizing and standardizing the information inputs to be compatible in several of the processes is an example of integration that offers an opportunity to reduce the effort to operate the processes. Others include Web-based interfaces and information flows between individual processes, such as the CCGP and the programming process, and common databases for corporate decision information.

The maturation of the corporate performance efforts has the potential to provide more information and currency on the utility of efforts at all organizational levels to achieve corporate mission and transformation objectives. We recommend that the performance area receive added analytic and management resources to ensure that this potential is realized. The operation of corporate decision processes is critical to the management of the agency, the development of new capabilities, and the allocation of its resources. The RAND project team has witnessed firsthand the burden that these processes have placed on a small number of the corporate staff and their supporting elements in the business units and enabler functions. We recommend that the NSA leadership support an increase in the numbers of government personnel assigned to these process organizations, including personnel with the necessary analytic skills to ensure that needed analysis is performed so that full implementation of the end-to-end decision process system can be achieved and maintained. The sensitivity and integrity of these decisions must be ensured by the primary use of government personnel, augmented by such external trusted agents as federally funded research and development centers. The financial and acquisition activities of the agency are clearly inherently governmental, and the other corporate decision processes are no less sensitive or important. As mentioned earlier, we also recommend that the key process operators report to the senior NSA leadership. More specifically, we recommend that the DC4 report directly to the DIRNSA to ensure that the corporate processes operated in this office are not inhibited by staff management actions and direction.

The RAND project team has observed and assisted the agency for the past two years in its transformation in management style and structure from one that was decentralized and largely operated by the two major business units to one that has a more cohesive top-to-bottom directed participatory structure with an end-to-end set of supporting corporate strategic decision processes. The full potential of this new management structure and its positive impact on mission performance is only now beginning to be realized and appreciated. Implementation of these recommendations will further the achievement and consolidation of the DIRNSA's corporate management objective.


APPENDIX A

Rebaselining NSA's Acquisition Function -- 2003

Background

In 2001, RAND conducted an extensive assessment of NSA's acquisition function (see Lewis et al., 2002). The assessment evaluated the acquisition function from three dimensions:

In that assessment, RAND found that significant progress had been made in the establishment of a credible acquisition process. The institutionalization of the process was at risk given the resignation of the Senior Acquisition Executive (January 2002). The RAND report concluded that without credible corporate decisionmaking processes it would be difficult to fully institutionalize NSA's acquisition function. In early 2002, the DIRNSA was moving towards accepting that a formal corporate review board needed to be established. He and the deputy director (DDIRNSA) were increasingly concerned with the integration of decision processes and information across the agency. They also sought to improve systems engineering. RAND found that the NSA culture remained resistant to the establishment of such credible corporate processes as acquisition and financial management. The institutional focus remained in the two key business units of IAD and SID, with SID dominating most decisionmaking.

Two interdependent dynamics result in SID's predominance in NSA decisionmaking: the DIRNSA's role in functional management of SI and the size of the SI budget in terms of overall NSA funding. The DIRNSA is the functional manager of the SI for the SecDef and the DCI. The functional management responsibilities provide him with most of his authorities and responsibilities within DoD and the IC. NSA's budget consists largely of two programs: the CCP and the ISSP. The largest portion of NSA's budget, about 75 percent, is within the CCP, which relates primarily to SID.

Figures A.1 and A.2 show a summary of the RAND research team's assessments done in 2001 at the midpoint and conclusion of its study. The research team used as the foundation of its assessment the work done by Anita Cohen, IC Acting SAE, in her study Congressionally Directed Action Report: Independent Review of the National Security Agency Acquisition Processes, published June 1, 2000. We divided the IC SAE recommendations according to the key management categories in the business literature: architecture, oversight and management, process, standards, culture, and human capital. As indicated in the figures, two assessments were done, one in July 2001 and the other in December 2001. Although substantial progress had been made since the IC SAE report and between RAND's first and second assessments, RAND identified several areas in need of more effort or further examination (full-scale assessment figures can be found later in this appendix) (Lewis et al., 2002, pp. 107-121).

[Image]

[Image]

The June 2002 NSA Acquisition information memorandum reviewed nine issues of concern raised by DoD and the IC in their joint report to the congressional intelligence oversight committees (NSA Acting SAE, 2003; ASD [C3I] and DDCI [CM], 2002).

Since RAND completed its 2001 assessments, considerable changes have occurred within NSA. This assessment is based on RAND's ongoing work in assisting NSA in the institutionalization of the acquisition process and in the development and implementation of corporate strategic decision and resource management processes.

NSA's Emerging Strategic Decision Processes

Development and institutionalization of corporate strategic decision processes at NSA is difficult, given its culture. At NSA, establishing strong corporate decision processes runs counter to the existing culture of highly decentralized decisionmaking and management in the principal business units, SID and IAD. Although several senior individuals interviewed repeatedly argued that corporate guidance is needed, in actuality the business units are quite comfortable operating as nearly independent entities with little corporate oversight. It has only been in the past year that CCP and ISSP have been managed as corporate responsibilities rather than the delegated responsibility of the respective business units, SID and IAD. The predominance of the business units in NSA's management has been the case until the development of FY 2004-2009 POM/IPOM. In prior years, the enablers -- NSA's mission support organizations -- individually negotiated their resourcing directly with SID and IAD, with SID being the dominant player because of the magnitude of the CCP resources they controlled. A commonly held view in SID is that any funds allocated to the enablers from the CCP must directly support the SI mission. This resourcing situation effectively subordinated the enablers, including acquisition, to the business units and primarily to SID.

The establishment in May 2002 of the CRG1 and its supporting secretariat organization, DC4, was a major step in developing coherent agency end-to-end processes for corporately directed guidance, planning, requirements, programming, acquisition, and resource management. The building of the FY 2004-2009 POM/IPOM was particularly revealing in that the DIRNSA and DDIRNSA realized that, unless they controlled the allocation of resources in a structured participatory manner, it was impossible to really integrate and synchronize transformation. Their emerging decision model is centralized decisionmaking within a structured participatory process that employs decentralized execution. More important, the FY 2004-2009 POM/IPOM activity revealed that the corporate strategic and business plans were not directing or sufficiently informing resource allocation decisionmaking because they had not been linked to any formal decision processes. Therefore, the Chief of DC4 and CFM jointly built the FY 2004-2009 NSA program using an iterative series of interactions among the two business units and the enablers. They derived programming guidance from directives of the external overseers and objectives found in NSA's existing strategic and business plans that were reviewed by the CRG and approved by the DIRNSA.

____________________

1 The establishment of such a body was a key recommendation in the original RAND report (Lewis et al., 2002, pp. 45-50). In May 2002, the DIRNSA established the body with an official charter as the NSA/CSS CRG.

The agency leadership realized that key issues and decisions on plans, programs, and investments affecting all elements of NSA must be addressed comprehensively and consistently. Their deliberations need to be supported by sound analytic information and in compliance with guidance directed from the top down rather than developed from the bottom up, as had been done in previous years. The NSA leadership also found the CRG to be extremely useful in decisionmaking because the meetings had clearly defined agendas. The leadership realizes that often the supporting information is insufficient to make informed decisions on resource allocation questions critical to NSA's mission and transformation. For example, in preparing for the CRG sessions and then during the CRG reviews, it was revealed to the DIRNSA and DDIRNSA that the enablers did not receive separate consideration in the allocation of resources. The enablers argued in the CRG that they were unable to perform their assigned missions and functions or to enhance their organizations and workforces because of the constant lack of independent resourcing. The DIRNSA directed significant FY 2004 resources to be allocated to the specific needs of the enablers in the program. While the operation of CRG has progressively matured, the FY 2004-2009 programming activities and recent FY 2003 Financial Plan development have also served to show the need for improved NSA-wide analytic capabilities and quality information to support decisionmaking.

The FY 2004-2009 POM/IPOM build revealed that this NSA activity had been primarily an update of the existing program and budget developed and determined largely by SID and IAD. The leadership had little detailed insight into how many of NSA's programs supported key aspects of mission and the transformation, measurement of the progress to achieve transformation, and the totality of the resource impacts on the agency caused by key programs, such as Trailblazer and Groundbreaker. The research team characterizes these past activities as "stuff to budget" because there was little visibility of agencywide resource impacts and sparse direct consideration of impacts on the NSA infrastructure. The senior leadership attempted to ensure that key programs and issues were addressed in the FY 2004-2009 program build, using the CRG and some ad hoc processes, but the lack of prior top-down planning guidance with well-defined benchmarks for building NSA's program became obvious, as did the lack of a structured programming function based on the outputs of a corporate requirements process. The CRG reviews provided a managed forum in which these issues were repeatedly raised and iteratively addressed. We view these insights, shared by NSA's leadership, as the principal motivation for the leadership's commitment to the continued development and institutionalization of strong end-to-end corporate decisionmaking processes.

In December 2002, the DIRNSA approved a corporate requirements generation process for implementation in January 2003. The process is compatible with the SID's emerging operational requirements process but encompasses the entire agency and all of the capability needs. The corporate requirements process was vetted with and supported by the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) (ASD [C3I]), J-8, and IC-CMS staff and leadership. The DIRNSA and DDIRNSA further directed the Chief of DC4 and the CFM to develop a single-thread corporate-level planning, requirements, programming, and budgeting process. On the planning side, the DC4's small staff has developed the NSA strategic plan and FY 2005 business plan that will inform the emerging corporate requirements generation process, and the CFM, with support from DC4, initiated work to develop an NSA programming process for implementation in the FY 2005-2009 program update that took place in spring 2003. The objectives of these two complementary processes are the establishment of a disciplined, credible, and auditable process to validate and approve new and existing operational and institutional capability requirements and a complementary process to develop fiscally informed options for consideration within resource allocation guidance provided in the programming process. Both will support informed corporate decisionmaking. Key to the design of the programming process is the ability to develop options for needed capabilities that are based on the planning guidance contained in the approved FY 2005 strategic and business plans.

The development of a credible budgeting function in which the financial databases are consistent throughout NSA will be essential to supporting a viable and auditable single-thread planning, requirements, programming, and budgeting system. The CFM's organization is complying with DoD guidelines in its development of a comprehensive and credible supporting financial management system at NSA. Fundamental to these end-to-end decision processes is a financial system that had been realigned in 2002 with cost centers at a lower management level. The CFM organization, with the assistance of the SAE organization, business units, and supporting NSA enabler functions, is working to purify the cost centers to operate on only the resources from a single appropriation (e.g., RDT&E) as part of their work on NSA baseline projects, including the ADPBL. This is no small task and while significant progress has been achieved, it needed the continued efforts of all parties to be completed in 2003 and is an essential foundation for acquisition management and execution.

The schedule for these process activities is ambitious but appears feasible. The DIRNSA and DDIRNSA asked that the initial end-to-end system be developed and at least partially implemented in 2003. The research team recommended to the NSA leadership that implementation should be designed to include ongoing reviews to identify refinements and subsequent changes, given that the requirements and programming functions are brand-new processes and the financial management structure is a relatively new design that will not be available for at least another year. Thus, incremental changes can be expected to improve the effectiveness of the new processes. The directors of SID and IAD will assist in implementing these processes and, where possible, ensure that existing directorate-level processes link to the respective corporate processes. The DIRNSA and DDIRNSA insisted from the outset that the corporate processes be designed to operate within current organizational staffing and that hierarchical structures supporting these processes remain as flat as possible to ensure that no large bureaucratic apparatus is developed to support them, which affects resources available for mission performance.

RAND has observed that many enabler organizations are attempting to initiate their own strategic planning, requirements, and programming functions to ensure that their equities are represented. In the December 20, 2002, CRG, the DIRNSA informed attendees that no mirror-imaging processes were to be created throughout NSA but rather existing business units and enablers would work through the corporate requirements structure to vet their requirements issues. The level of success at adherence to this guidance remains to be seen, for again NSA culture often works to preserve organizational equities at the expense of the effectiveness of the larger integrated enterprise.

These corporate strategic decision processes are evolving and being implemented sequentially but deliberately with coordinated efforts to ensure integration and open communications across the individual processes. The key to their success will be the continuing direct involvement of the DIRNSA and DDIRNSA to ensure that the selected management model of centralized decisionmaking with structured participation and decentralized execution is being followed. The NSA leadership must be watchful that the CRG and its decision process do not become laden with multiple working groups, boards, and integrated product teams, whose potentially layered activities in similar organizations have been viewed by RAND as providing mechanisms for suboptimization of corporate-level decisionmaking. Such hierarchical layering often allows subordinate business units and enablers to manage by committee below the corporate level. Table A.1 shows the project team's assessment of the status of the critical corporate strategic decision processes of planning, requirements, programming, and budgeting as of January 2003.

[Image]

The Role of Acquisition Within Corporate Strategic Decision Processes

It is within this emerging corporate structure that the role of NSA acquisition must now be assessed. The RAND research team reviewed the many acquisition reform initiatives under way within DoD, the Goldwater-Nichols legislation (1986), and the Acquisition Reform Act (1985) and conducted interviews with DoD officials and members of the Community Management Staff (CMS). The foundation for the definition of the responsibilities of an acquisition organization is contained in the Goldwater-Nichols legislation (Public Law 99-433, October 1, 1986); the legislation directs that a civilian acquisition executive be appointed who reports to the SecDef. Each of the service secretaries must also appoint a civilian acquisition executive. The services will develop a hierarchical structure with no more than three tiers consisting of an SAE, Program Executive Officers (PEOs), and program managers. The acquisition function was designed to address the "how to buy" question after the planning and requirements process have decided on "what to buy?" (i.e., the capability needed). The objective of the acquisition system is to take the "what to buy" decisions on required capabilities and determine "how they should be bought." The latter includes a detailed examination of the options within the solution space for the needed capability as well as the manner in which the selected option is obtained. The ideal acquisition process ensures that desired capabilities are acquired in a timely manner and at a reasonable cost. The acquisition organization accomplishes the following specific functions:

These functions are key to acquisition's overall performance. The program planning and management activities are associated with the proactive management and integration of the total acquisition portfolio, all the activities supported by RDT&E, and procurement appropriated resources. The SAE and his organization should have complete visibility over all financial information associated with the organization's "how to buy?" issues. It is the management of this information that facilitates the SAE's ability to play a significant role in NSA's programming and budgeting activities, where options on the "how to buy?" issues are developed. DoD acquisition organizations, including NSA's SAE, are responsible for generating cost-effective alternatives for how needed capabilities might be acquired during the programming function. In the budgeting phase, acquisition works to ensure that the acquisition portfolio is coherent, internally consistent, integrated, executable, and balanced within the organization's overall budget (Executive Management Course, 2003). NSA's acquisition organization should perform a similar role for the agency.

The oversight and management of the procurement, acquisition, contract management, program management, and cost estimation functions enable the SAE to adopt and manage using state-of-the-art acquisition practices -- evolutionary or spiral developments, activities-based costing, performance-based contracting, earned value management, etc. -- that can further ensure that needed capabilities are acquired in the most efficient and cost-effective manner.

Neither the Goldwater-Nichols legislation nor the Acquisition Reform Act specifies that the SAE must have execution responsibility for acquisition resources -- specifically the procurement and RDT&E appropriated funds. However, the acquisition executives in the services are responsible for managing all aspects of the "How to buy?" question. These executives also provide options for how a needed capability can be cost-effectively attained; manage the acquisition program; ensure that programs meet cost, schedule, performance, and risk management goals; and oversee the balance of resources across the acquisition portfolio.2

____________________

2 The recent DoD acquisition guidelines reconfirm these alignments. The acquisition, requirements, and financial management communities will maintain "continuous and effective communications with each other and the operational users." See OSD (2002).

The issue of who "owns" -- i.e., has execution decision authority over -- the acquisition resources in NSA is not trivial, and it must be decided within the broader context of the assigned authorities of the SAE vis-a-vis the emergence of corporate decision processes and the roles of the principal business units. Regardless of who "owns" the money, the SAE should perform the critical role of managing all aspects of the "how to buy?" question. The SAE should have the undisputed authority and responsibility to initiate or stop an acquisition program. The SAE should provide critical options to the leadership on how an identified capability might be acquired in the most cost-effective manner and over what time periods. The SAE should be a critical player in informing the programmer, financial manager, and corporate leadership during the POM/IPOM builds and during budget execution about how various acquisition programs might be adjusted or redirected to ensure that the overall agency acquisition portfolio is balanced and executable. The SAE office should provide fiscally informed options to the programmers and budgeters on the "how to buy?" issues. The PEOs, if they become part of the NSA acquisition organization, and program managers must have the authority and responsibility to manage their respective acquisition programs to ensure that the programs have a sound acquisition strategy that can be implemented and that attains the needed capability. The SAE must be empowered to perform integration across the acquisition portfolio, and PEOs, if established, should be empowered to integrate across their assigned programs. Further, the SAE's independence and authorities are critical and should be employed to sustain a cooperative but healthy tension in the agency's adjudication of trade-offs between the "what to buy?" (e.g., requirements for new capabilities) and the "how to buy?" (e.g., acquiring a solution suitable to meet the needed capability) issues.

The real issue is the ability of NSA's SAE to perform his functions as prescribed by the Goldwater-Nichols legislation and the Acquisition Reform Act. The creation of NSA's current acquisition function was a result of congressional pressures put on the agency to establish it. In 2001, it had been established but only marginally institutionalized. NSA leadership strongly believes that the acquisition function must be maintained in an oversight role in order to not re-create the old director of operations and director of technology bipolar structure that dominated prior to the reorganization initiatives started by DIRNSA Lt. Gen. Michael Hayden in 2000. In that former organizational structure, the director of operations and director of technology operated independently of one another, each with their own budgets and authorities. Therefore, the "what to buy?" (director of operations) and "how to buy?" (director of technology) issues were never integrated and often resulted in a continuing mismatch between needed capabilities and acquired capabilities. This construct argued that acquisition needed to be actively engaged in defining acquisition strategies and providing expertise in developing options to support the operational needs of the business units.

Currently, NSA's acquisition function is focused on supporting programs in the SID with some support provided to the IAD and the key agency enablers, such as ITIS. Acquisition's workforce numbers approximately 360 government personnel, with the program management and contracting organizations being the largest two divisions. Until recently, the function relied on SID and IAD to provide many of its billets and much of its funding. In mid-2002, the acting SAE succeeded in his arguments to receive sufficient billets to moderately increase his program management and contracting officer activities. As an outcome of the FY 2004 program, the acquisition organization received separate funding for the first time. Draft NSA/CSS Policy 8-1 authorizes the SAE to manage all acquisition programs at NSA. He has the authority to approve or disapprove program milestones, acquisition strategies, procurements, and contracts. The acquisition practices laid out in Draft NSA/CSS Manual 8-1 call for lean and agile acquisitions. Table A.2 identifies the SAE's responsibilities and authorities as laid out in the draft NSA policy (NSA/CSS, 2003).

[Image]

In 2002, Congress required NSA to develop project baselines, which included the ADPBL. The baselining activity was largely focused on SID's research, development, and acquisition programs because their activities constitute the largest share of NSA's budget. SID programs also constitute the largest number of programs served by the acquisition function. The development of the ADPBL involved the detailed identification of currently funded programs and, more important, differentiated them into appropriate management categories -- research, development, etc. The development and maintenance of the ADPBL has been a significant effort that aids the SAE's management efforts but also provides useful detailed program information for use by NSA's overseers. While the several parties, CFM, SAE, acquisition program managers, and business unit program managers and leaders continue their combined efforts to realign NSA cost centers within the ADPBL to accurately report resources related to acquisition programs by appropriation, this effort may require several additional iterations in 2003 across the agency. However, ultimately, the ADPBL will define the depth and scope of the NSA acquisition portfolio by covering all RDT&E and procurement funds programmed, budgeted, appropriated, and executed at the agency and relate them to specific projects and cost centers. This major achievement will assist the SAE in performing responsibilities for the project management and oversight of NSA resources related to the ADPBL.

As noted in the earlier RAND report, the SAE reports directly to the DIRNSA. The SAE conducts QPRs on a regular basis and selected program reviews by the Acquisition Review Board (ARB), which the SAE chairs. Recently NSA initiated the Corporate Executive Program Reviews (CEPRs), which are co-chaired by the SAE and the Director of SID and have executive-level participation from across the agency's business units and functions, providing enhanced internal executive information and involvement. Internal and external stakeholders participate in all these reviews -- the QPRs, ARBs, and CEPRs -- ensuring open forums for providing a continuing exchange of information and insights with NSA and its Executive Branch overseers, including representatives from Office of the ASD (C3I) and Deputy DCI for Community Management. The CEPR appears to provide a useful forum to integrate and solve "how to buy?" and "what to buy?" issues within NSA.

NSA now has more than 80 percent of its acquisition programs managed under acquisition plans approved by the SAE, reviewed at the QPRs, used as management tools by acquisition program managers, and that form measures of performance for the SAE. Progress toward the goal of having an approved acquisition plan for each acquisition project continues in a positive fashion. Also, the SAE has continued to manage the Financial Acquisition Spend Plan (FASP) database and established an internal control mechanism ensuring that all funds controlled by FASPs are executed as they were programmed and planned for each acquisition project. Ultimately, the SAE would have FASP's visibility over the totality of NSA RDT&E and procurement resources. Together, the ADPBL, acquisition plans, FASP, financial database, recurring reports from acquisition program managers, and formal reviews provide the SAE with adequate information and sufficient insight to perform his acquisition management and oversight functions.

Continuing the initiative of the former SAE, NSA has attempted to bring together all the different facets affecting program management -- requirements, financial management, acquisition, systems engineering, etc. -- through the establishment of Integrated Product Teams (IPTs). Although the research team supports the IPT concept, we recognize that the operational program manager remains the dominant decision authority within the IPT. Our interviews and research suggest that this concept works unevenly, especially within SID, in that some acquisition program managers report that they have significant inputs to and influence over the management of their programs, while others argue that they only marginally affect decisions in their assigned programs because their only real authority is to stop an acquisition or contract, which is broadly viewed as counter to the accomplishment of the agency's mission. Also, the current IPT relationship generally places the operational program managers in positions that subordinate the acquisition program managers and allow their acquisition knowledge and experience to be ignored. This raises serious questions about the actual utility of the IPT concept and the ability of the SAE to ensure that sound acquisition practices in program management are being followed throughout the agency. Increased visibility of IPT activities would assist the SAE in performing his oversight responsibility.

The Acquisition organization is also the proponent at NSA for the development and maintenance of the acquisition workforce in accordance with the Defense Acquisition Workforce Improvement Act (DAWIA) and supporting DoD directives and instructions. As mentioned earlier, program managers are assigned by the business and functional units at NSA to manage the majority of acquisition programs and projects. While these program managers are outside the Acquisition organization, they are members of the extended NSA acquisition workforce and benefit from the assigned acquisition program managers in their respective IPTs. However, few of these operational program managers have received the formal education, training, and experience required by DAWIA, and very few have achieved the appropriate level of DAWIA certification. Within the Acquisition organization, we have observed the continual improvement in meeting DAWIA qualifications on the part of acquisition program managers and contracting officers. While education and qualification are continuing efforts and by no means complete, qualified DAWIA personnel fill a majority of the acquisition-critical positions within the SAE's organization. However, a review is needed to establish a current list of all critical positions within the total acquisition workforce beyond the SAE organization, and necessary efforts should then be initiated to properly develop, train, and qualify those personnel assigned to critical acquisition positions throughout the agency. It would also seem prudent to require operational program managers who exercise responsibilities for program management to obtain DAWIA qualification as members of the agency acquisition workforce or, lacking those credentials, to place qualified acquisition program managers directly in charge of major acquisition programs.

Recognizing the breadth and depth of the SAE's management of NSA's acquisition function, the real question to ponder is whether the current program management alignment supports the Acquisition organization's ability to operate as a separate and independent entity within NSA in terms of providing the best advice to the leadership and mission managers on issues associated with the "how to buy?" question. By independence, we mean the ability of the acquisition organization to provide objective and unbiased professional advice concerning the "how to buy?" issues while operating as a team player within the broader NSA enterprise. As noted in the RAND 2001 assessment, the acquisition program managers who report directly to the SAE within the Acquisition organization do not direct or manage execution for the majority of acquisition programs in SID or, for that matter, within NSA. In fact, they support the operational mission managers and/or their program managers who manage the totality of a program -- both the "what to buy?" and the "how to buy?" issues. As mentioned earlier, the acquisition program managers' relationships are structured as members of IPTs or, in the case of Acquisition Category 1 or 1A (ACAT 1 or 1A) programs, an Overarching Integrated Product Team (OIPT) that is focused on one or more major projects. The acquisition program manager provides the professional advice and knowledge of acquisition but is generally in the role of an advisor to the operational program manager from the responsible mission organization that leads the IPT.3 The weakness in this IPT structure is that the requirements and acquisition decisions are not separate and independent as dictated by the Goldwater-Nichols legislation, and in this case the authority of the operational mission managers and operational program managers predominates, thereby diminishing the acquisition program manager's ability to perform the classic role in DoD acquisition program management. Further, the SAE, as the functional overseer and manager of NSA's total acquisition portfolio, is limited in the scope of efforts easily available to gain broader program efficiencies and integration.

____________________

3 This construct emerged in response to the DIRNSA's concern that the old director of operations/director of technology dynamic that separated operational and acquisition elements not be allowed to reemerge. In the 2000 NSA reorganization, these organizational stovepipes were collapsed and decisionmaking consolidated under the director of SID for operational and acquisition management. Similarly, the director of IAD was given program management responsibility within that business unit. The functional alignment was in response to NSA's desire to concentrate management responsibility at the lowest practical level, a decision that is gradually being revisited with the development of corporate decision processes at NSA.

Acquisition's subordinate position within NSA program management is further revealed in the Service-Level Agreements (SLAs) written in late December 2001.4 Acquisition's SLAs with SID and IAD outlined that acquisition would support these organizations in all aspects of acquisition management. However, the SLAs are quite clear that acquisition operates as a supporting function to SID and IAD. They do not identify how SID or IAD will support the acquisition function (SLAs, 2001). During the same period, the CFM refused to provide SLAs, arguing that financial management was a corporate function and therefore operated as part of the DIRNSA organization. We believe that acquisition is no less of a corporate function.

____________________

4 NSA has undertaken another activity to clarify organizational missions and responsibilities in which any needed SLAs will be drafted. Any required SLAs were to be completed by February 2003.

The SAE organization has developed a cost estimation and analysis capability to support acquisition programs. This capability has steadily grown in size (both government and contract personnel) and competence since its inception some two years ago. While generally limited to analog and parametric cost estimation and generally focused on major acquisition programs, the analysts in this element of the SAE organization are of significant value to the supported program managers. Of note, the CFM at NSA has no cost estimation and analysis capability to review program costs independently. It is apparent that the lack of such a capability, using program experience cost factors developed by the OSD Cost Analysis Improvement Group (CAIG) and from industry for NSA unique developments, limits the effectiveness of the agency in their review of acquisition programs. At the enterprise level, this lack of capability within the CFM organization also limits useful analysis to support decisionmaking during NSA programming and budget activities.

Another area of interest has been the continuing efforts of the NSA SAE organization to expand and maintain a viable contractor base to support NSA's shift to a preferential "buy versus make" policy.5 The SAE established an Acquisition Resource Center (ARC) in 2001 to provide a Web-based mechanism for contractors to register with the NSA contracting office and hence expand the potential contractor base. This effort parallels those seen at other government agencies but as originally established was limited to a one-way information flow supporting NSA but failing to provide the contractors with information on both current solicitations and potential future contracts. During 2002, the NSA Acquisition organization reviewed the utility of the ARC and related contractor comments to determine ways to improve their outreach. Subsequently in 2002, the NSA ARC has added current solicitations to their Web site and has initiated efforts to develop a sound mechanism that will allow them to announce future contract interests.

____________________

5 It should be noted that overseers from both the Executive Branch and Congress have been critical of NSA's "buy versus make" policy and the apparent ease in obtaining waivers to the policy.

Acquisition Improvement Options

Three options were developed to address different ways NSA might improve the independence and separability of the "What to buy?" and "How to buy?" activities. Each of the options is described and assessed in the following discussion.

Option 1. Maintain the Current Alignment -- The current structure and assignment of responsibilities would continue to operate, but the director of SID would agree to separate out the requirements management within the IPTs for acquisition programs. Interviews suggest that the director of SID recognizes that mission managers and operational mission managers are neither well trained in program oversight nor do they have the time to provide the necessary direction on acquisition programs. Therefore, this option argues that the director of SID continue to manage both the "what to buy?" and "how to buy?" elements of the CCP but separate the two activities within the SID organization. This would necessitate each project IPT to designate an operational member other than the operational project manager to be responsible for the requirement or the needed capability. The operational program manager would continue to direct the project and manage execution of CCP resources, and the acquisition program manager would continue to perform the current role in the IPT as the acquisition advisor to the operational program manager.

This option provides some separation of the "what to buy?" and the "how to buy?" issues, but it continues to be suboptimal because corporate NSA is not managing its acquisition. It also requires additional human resources from the business unit to support the IPTs, and it does nothing to address program integration across the acquisition portfolio. Rather, the director of SID and other business and functional directors retain management responsibility for both the requirements function and the execution of the acquisition. This option would continue to diffuse the authorities of the DIRNSA in managing the total enterprise and maintain the SAE in a supporting role. Hence, this option only partially addresses NSA program management activities and fails to lead to a corporate acquisition function that fosters the capability of the SAE to manage across the entirety of NSA's acquisition portfolio.

Option 2. Endow the Acquisition Function with Management and Oversight Responsibility for Acquisition Programs and Execution Decision Authority for Acquisition Resources -- This option argues that the SAE should not only manage all aspects of the "how to buy?" issue but also manage the execution of resources associated with the acquisition portfolio, specifically NSA's RDT&E and procurement resources. This option, if adopted, would establish acquisition as a critical corporate function with its own authorities. Under this option, acquisition program managers would assume full authority for project management and operational program managers would only be charged with ensuring that the needed capabilities were obtained. Within the IPTs, the acquisition program manager would exercise decision authority on all program matters.

This model does not facilitate the integration of strong corporate decision processes because it consolidates all acquisition authorities and the associated resources under the acquisition function below the CRG.6 The independence of the acquisition function within other organizations has caused significant problems in those institutions' management and resolution of the "what to buy?" and "how to buy?" issues. If NSA adopts this model, it might risk the re-creation of the director of operations/director of technology dichotomy in that acquisition can operate as a completely separate authority in terms of making its own acquisition decisions and executing them because of its execution responsibility for all acquisition resources. One could argue that the sustainment and expansion of the IPT concept could ameliorate some of the problems that could result from this option, but once the funding and responsibilities are consolidated under a single organization, there is little or no ability to ensure that the IPTs will continue or operate with balance. Hence, the operational mission functions that determine the "what to buy?" could lose influence on the output of acquisition. It would improve the quality of program management because all programs would be under the direct supervision of the SAE and managed by qualified acquisition program managers. However, there would be little incentive for the business units to invest human resources in the IPTs if they felt their positions were subordinated to the acquisition program managers and SAE.

____________________

6 The Air Force continues efforts to reestablish its once-strong corporate management processes through the creation of capabilities-based planning and programming and the redesign of the corporate Air Force board structure. For a more comprehensive understanding of the Air Force decision model, see Lewis et al. (2001, pp. 61-79).

Option 3. Assign Acquisition All "How to Buy?" Responsibilities; Consolidate All NSA Resource Management Under the CFM -- This option is designed to further develop and implement NSA's corporate processes while ensuring that acquisition's roles and responsibilities are appropriately aligned. In this option, the DIRNSA retains control of resources at the corporate level and delegates their management through the CFM through expenditure center managers. The key "what to buy?" and "how to buy?" issues are worked through with their separate mission and acquisition functional proponents through corporate processes -- planning, requirements, programming, and budgeting. Once decisions are made, the CFM allocates the resources to support these decisions. The acquisition function is responsible for all aspects of managing the acquisition portfolio and is fully involved in defining "how to buy?" options for the corporate programming and budgeting processes. The SAE is responsible for managing the acquisition programs based on the corporately decided resource allocations. The mission directorates perform their role as the stewards of the "what to buy?" capability decisions. The corporate oversight ensures the balance of these functions and the acquisition organization is motivated to adopt the most efficient and cost-effective means to acquire each needed capability. The existing IPTs would be retained with the operational members representing the "what to buy?" aspects of projects and the acquisition program managers overseeing the "how to buy?" aspects supported by financial and systems engineering members. The expenditure center managers and subordinate elements would be accountable for execution decisions with both CFM and SAE oversight below the CRG.

This model allows the operational mission managers to refocus on managing mission and the identification of mission requirements, while acquisition would have sole responsibility for acquiring the required capabilities. This model supports the continuation of the IPTs and would provide a healthier atmosphere for the IPTs in that the authorities and responsibilities of members and stakeholders would be more clearly understood and balanced.

This model is also consistent with those found in the military departments and is similar to the acquisition model adopted by the National Geospatial-Intelligence Agency (NGA).

In each of these models, the acquisition function plays the critical role of informing the overall enterprise about acquisition issues and ensuring that a healthy balance exists between the "what to buy?" and the "how to buy?" functions. It also must find ways to manage and integrate programs across the acquisition portfolio. The acquisition function must be accountable (as are all corporate functions) through the corporate processes to the CRG and the DIRNSA for its performance and balanced by the "what to buy?" proponents of needed capabilities, such as SID.

The research team recommends that NSA adopt Option 3. This option supports NSA's development of strong corporate decision processes, ensures responsiveness to the requirements processes, and provides necessary independence to the acquisition authority but makes acquisition accountable to the enterprise for its performance, and resources would be managed by the CFM through authorities delegated by the DIRNSA. The inherent tension between the "what to buy?" and "how to buy?" questions ensures further discipline. This option ensures that the DIRNSA manages and oversees all aspects and functions of the NSA enterprise without the potential for suboptimization below the corporate level.

NSA Systems Engineering

In the 2002 RAND report, it was noted that systems engineering was one of the two weakest areas within the architecture category. We found that the systems engineering function continued to be managed in a stovepiped manner. It had not been strategically linked to the transformation programs that were designed to move the agency from its legacy systems to its new systems. The research team also found confusion about whether the agency was attempting to do systems engineering or systems integration. The research team argued that what appeared to be absent was a coherent and well-articulated integrated systems architecture that provided a roadmap for how the agency would transform itself.

In March 2002, the NSA initiated an agencywide systems engineering process to structure the development and implementation of all future capabilities (e.g., institutional and operational systems). The structure was also designed to ensure interaction with the broader IC. The NSA Enterprise Systems Engineer (ESE) has produced several drafts and now some approved documents that describe the activities defined, developed, and managed in the NSA architecture process (NSA/CSS, 2002a; NSA/CSS, 2002c). The NSA/CSS Enterprise Architecture Development and Management Plan (ADMP) guides the development and integration of the four subordinate mission and support directorate ADMPs. The four are SI, IA, ITIS, and Corporate Business Services.

Since our assessment, the issue of management of the system engineering capabilities has been debated within NSA and significant steps have been taken to consolidate and improve the function. In May 2002, NSA proposed the consolidation of systems engineering under ESE oversight. The concept was devised to provide consolidation of the function through a structured participatory model consisting of three hierarchical tiers. The enterprise level is managed by the Cryptologic Systems and Professional Health Office (CSPHO). The second tier consists of the four mission and support directorates with ADMPs as cited above. The third tier consists of the program/project level systems engineers that support the individual programs and projects being implemented against approved organizational requirements within each of the four directorates. The overall structure is managed at the corporate level through the Systems Engineering and Architecture Board (SEAB) chaired by the ESE and reporting to the DIRNSA. The board is composed of the ESE and the senior systems engineering representatives from each of the mission and support directorate's systems engineering offices.

The research team's assessment of the systems engineering function is that progress has been made toward the "consolidation" of systems engineering to support the entire enterprise. The remaining critical issues are the explicit roles to be played by enterprise engineering, the ESE, and the SEAB and how the systems engineering function will support acquisition, particularly in defining the solution space at the program and project levels. While no single correct model exists for how the enterprise engineering and systems engineering functions should be organized, they need to interact in a complementary manner. Recent literature suggests that enterprise engineering needs to provide a corporate perspective that develops strategic plans and implementation strategies for the corporate processes and major operational systems. The ESE should develop the overarching systems architecture, provide guidance on standards, and ensure that discipline is achieved through configuration control (Polydys, 2002, pp. 193-211). In addition, management of integration and interfaces among major processes and key systems is also a critical enterprise function (Carlock, Decker, and Fenton, 1999, pp. 99-109). The NSA/CSS ADMP and its associated supporting next-tier ADMP volumes could provide the management and direction for performing these functions and guide the next level of system engineering. This approach is consistent with the management literature on enterprise engineering, industry practices, and applicable DoD guidance. However, it is critical that the enterprise engineering function not become bogged down in a large bureaucratic apparatus. It must remain agile and responsive to the broad enterprise needs. It is essential to the systems engineering function that the ESE be focused at the strategic level of the organization. The ESE office must understand NSA-wide and communitywide needs and the environment in which they operate. 
It must remain objective and perform technically astute assessments. Its unbiased perspective must also translate into providing broad guidelines and coordination between the enterprise and program and project systems engineering elements. It should also ensure that qualified systems engineering resources are provided, focused, and used in an efficient and effective manner. The ESE must also be the instrument of the NSA leadership and ensure that its activities have impact. The ESE should play a critical support role in corporate program and budget deliberations by providing information on the corporatewide impacts of current and future major operational systems.

The research team's concern with NSA's current approach is the manner in which the enterprise activity interacts with systems engineering below the enterprise level. Currently, funding for the enterprise engineering function is managed by the ESE with contracted systems engineering support allocated on a project, program, and organizational basis. Systems engineering below the enterprise and directorate levels usually addresses individual systems or projects and focuses on a technical requirements definition, usually within a fixed budget; selection of standards; definition of interfaces with existing systems or new ones; and configuration management. New systems at this level generally have well-defined cost, schedule, technical performance, and benefits baselines. This element of systems engineering appears to be continually improving, as shown through regular program reviews supported by the increased role of acquisition in reviewing various NSA programs and some oversight from the SEAB. One potential problem is that enterprise engineering should be providing architectural guidance and standards and not necessarily management of the systems engineering capability. Currently, the ESE manages the engineering function through the operation of the SEAB and allocation of systems engineering contractor resources. Implementation review over the next several months should provide a sound basis to examine these concerns further.

Another systems engineering model to consider is to separate the enterprise engineering function from systems engineering at lower levels and have the Acquisition organization assume the management responsibility for the program- and project-level systems engineering. In this model, systems engineering capabilities are matrixed from and managed centrally by the Acquisition organization throughout NSA and focused on systems and projects. This approach would facilitate a tighter linkage between acquisition and systems engineering. In acquisition, systems engineering plays a critical role in the definition of the technical requirements to meet a capability need and then to propose an array of technical options from within the solution space for how the capability might be achieved. This alignment would be more representative of the DoD model and the structure currently employed by NGA.7 If managed correctly, this approach provides a critical thread between the need for operational capabilities and the actual acquisition of capabilities. The linkage to acquisition can be critical in that it could assist the development of programming and budget options for individual programs, ensure that program issues (e.g., overruns, delays, etc.) are identified and managed within the context of the total acquisition portfolio, and support the "what-if?" debates within broader NSA programming (Marino and Kohler, 2002). A concern with this model is whether the engineering function becomes "owned" by acquisition, loses connectivity with the enterprise architecture and standards and then is no longer viewed as a corporate NSA asset. The insight from this model is the importance of ensuring that systems engineering supports the project level. The current NSA IPT structure connects systems engineering with each project team.

____________________

7 The current alignment of systems engineering in NGA is being corporately reexamined. Some contend that it should be managed corporately. In NGA, the acquisition organization is systems engineering-centric and therefore placing systems engineering under the enterprise engineer or chief architect would have substantial impacts on the acquisition function. On the other hand, the acquisition-centric nature of the systems engineering function has inhibited its ability to be viewed and used as an NGA-wide asset (NGA Working Papers, 2002; Lewis and Brown, 2004).

More recently, NSA has been considering additional changes to the systems engineering organization. The first major change being considered is the elimination of the middle or second tier of the systems engineering architecture at the mission and support directorate level. This would have the ESE providing contractor support resources directly to the program and project level without the intervention or support of the mission and mission support functional components. Because systems engineers at the program and project levels are usually members of an IPT, their roles would remain essentially unchanged. However, the management of the entire systems engineering function would seem to be stretched beyond the effective limits of the ESE.

A second potential major change being considered would place the program and project-level systems engineers under the NSA SAE organization working in support of the acquisition function, similar to the alternative model mentioned earlier. Under this change, the ESE would maintain current direction of the SEAB, architecture, and configuration control management and standards but the systems engineering contract support resources would be allocated to two levels: ESE and SAE. The merit of this potential change is to provide informed direction and allocation of systems engineering assets by those knowledgeable about the entire portfolio of programs and able to determine where added effort would be most beneficial. As discussed earlier, the research team has observed successful application of systems engineering at the program and project level under the supervision and direction of the acquisition function in other agencies, such as NGA. However, any organizational model that provides the necessary systems engineering participation in and support of project-level IPTs would fill a similar role.

The research team sees merit in both approaches to systems engineering at NSA. In both instances of potential change to the NSA systems engineering organization, a full appreciation of their impact must await subsequent assessments after approval and implementation. The assessment of the interactions of the enterprise-level engineering and the program- and project-level systems engineering would be critical in determining which course would best suit NSA.

Current Acquisition Assessment

Figures A.3 and A.4 show the research team's current assessment of NSA's acquisition activities using the original 35 areas in the June 2000 acting IC SAE evaluation. Although several individual ratings have changed, overall we have observed continued progressive effort toward improvement. The development and implementation of corporate decision processes, which will better support the acquisition function, are potentially the most significant of these. Of even more significance is the continuing involvement and commitment of senior NSA leadership to the establishment of fully integrated corporate decision processes that form an end-to-end system from planning, requirements, programming, and budgeting to execution, including acquisition and performance review. Several areas need additional improvement or continuing attention, such as training acquisition managers and contracting officers and aligning systems engineering to ensure support at the project level in concert with enterprise architecture and standards. Acquisition policy needs to be implemented and followed throughout the agency. The SAE's ability to manage NSA's acquisition portfolio and the effectiveness of acquisition oversight and management through the current IPTs and acquisition program managers, with operational program managers charged with execution who are not in the SAE chain of authority but who are responsible to the mission managers, remains an area of concern.

[Image]

[Image]

Reflecting on the state of NSA's acquisition function and the lack of supporting corporate decision processes observed in early 2001 and noting the many changes since, we have observed a remarkable advancement for that two-year period. We are cautiously optimistic that the needed corporate-level decisionmaking processes will be established and fully implemented, providing the structural support for the acquisition function. We have seen the NSA acquisition function respond in rapid fashion to needs resulting from the terrorist attacks of September 11, 2001, and the progressive development of strong attributes that could make it a fully functional acquisition organization that will contribute to NSA's transformation. The continued involvement and commitment of NSA's senior leaders is essential to that achievement.


APPENDIX B

RAND Assessment of NSA's Acquisition Function and Supporting Decision Processes -- 2004

Background

In 2000, the RAND project team did an analysis, published in 2002, of NSA's acquisition function (Lewis et al., 2002). The RAND report found that to institutionalize a robust and credible acquisition function the NSA needed to establish a set of interdependent corporate strategic decision processes. The processes are planning, capabilities generation, programming and budgeting, and execution. Acquisition is a critical corporate functional process responsible for acquiring the goods and services in the most efficient and effective manner in response to requirements for capabilities established and resourced by NSA's strategic decision processes.

Since the 2002 report, the RAND project team has continued to assist the SAE and NSA's leadership in the establishment and institutionalization of the corporate processes, including acquisition, identified in the 2002 report. In March 2003, the RAND project team completed a second assessment of NSA's acquisition function that included the 2002 initiatives and their implementation that contributed to the development of the key decision and management processes that support acquisition. Although RAND found that implementation of these processes was slow to take hold and be accepted throughout the agency, it was clearly evident that steady progress was being made (Lewis and Brown, 2003).

In early 2003, another IC-CMS/OSD assessment of NSA's acquisition function was provided to oversight committees in Congress. The nine categories of the IC-CMS/OSD 2003 assessment that remain from the original June 2000 35 assessment areas are the following:

The 2004 RAND Assessment

This RAND assessment is largely based on two research efforts conducted at NSA during 2003. The first is part of a multiyear effort to assist the agency in the establishment of end-to-end strategic decision processes. The work includes the acquisition function because it is a functional element of the corporate strategic decision processes. The research and analysis will be documented in a forthcoming report. The second input is the RAND project team's effort for NSA's Acquisition Directorate on the agency's "buy versus make" policy and its implementation across the agency. This work will be contained in a forthcoming RAND report (Lewis and Brown, forthcoming). The research findings of these two efforts were supplemented by additional interviews to ensure coverage of those areas not addressed in depth in the two reports.

The RAND project team concluded that basing its 2003 assessment on the 35 assessment areas originally used in IC-CMS/OSD evaluations done in June 2000 (Congressionally Directed Action Report, 2000) and as had been done in the subsequent 2001 RAND report was no longer necessary, for many of the issues raised in those assessments had been satisfactorily addressed by the NSA or are no longer of interest to external overseers. The RAND project team also chose not to focus their assessment on the nine assessment areas in the IC-CMS/OSD 2003 report (ASD [C3I] and DDCI, 2003) to Congress to ensure an understanding of the broader context of the NSA's strategic decision processes in which the acquisition function operates. The RAND assessment addresses seven topics covered by the past year's research:

The RAND assessment attempts to capture the interactions of the topics in the broader context of how NSA is managing its overall enterprise and the synergistic effect that multiple initiatives are having in the establishment of credible decision and management processes, including acquisition. Also, NSA is conducting a self-assessment of its performance in the nine IC-CMS/OSD categories to present to the overseers prior to the completion of the IC-CMS/OSD 2004 assessment for Congress. The new IC-CMS/OSD assessment was due to be completed and submitted to Congress in February 2004.

NSA is the only DoD-IC agency that Congress has directed to be evaluated each year, beginning in 2000, by the IC-CMS/OSD for the performance of its acquisition function. Furthermore, while these assessments have generally focused on NSA's acquisition policy, practices, and management, they have also included related functions outside acquisition, such as systems engineering and requirements generation, that are necessary to support a successful acquisition function. The assessments identified areas that the external overseers view as critical to the development of a well-managed acquisition function in a government agency and that often operate as catalysts to promote change at NSA.

Changes at NSA Since the January 2003 IC CMS/OSD Assessment

In the FY 2004 defense authorization bill, Congress revoked NSA's Milestone Decision Authority (MDA) until the end of FY 2005, asserting that NSA has not made sufficient progress in the development of a credible acquisition function to exercise this authority.1 The IC-CMS/OSD 2003 assessment contributed to the congressional decision to remove MDA from NSA. The language identified critical deficiencies in such areas as requirements generation, systems engineering, and program management. The language also specifically addressed the management of two NSA ACAT 1 programs (i.e., Trailblazer and Cryptologic Mission Management). In signing the DoD authorization bill into law, the President indicated that the Executive Branch reserved the right to decide how the MDA authorities would be managed. These decisions would be delegated through the SecDef because he has management authority over DoD agencies. As of this writing, the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD [AT&L]) has not determined which NSA programs are affected and how DoD will execute the MDA responsibilities for NSA's acquisition. The DIRNSA has undertaken an aggressive campaign to demonstrate to external overseers that the agency has already made significant progress in the development of credible acquisition management processes. The RAND project team examines the major elements of these changes in our following assessment.

____________________

1 National Defense Authorization Act for Fiscal Year 2004, H.R. 1588, November 7, 2003.

Since the January 2003 IC-CMS/OSD assessment, significant progress has been made on the development and implementation of the corporate strategic decision processes. The CRG and its underpinning processes of planning, capabilities generation process, programming and budgeting, and execution have matured enough to place significant demands on the acquisition function to provide credible options for how various NSA capabilities might be acquired. The corporate processes have also begun to establish corporate management discipline and guidance that RAND found largely absent in its 2001 report. During this past year, the RAND project team has observed improvements and further maturity in the NSA acquisition function, including policy, practices, oversight, and program management. Integration of corporate decision processes and functions supporting acquisition, such as finance and systems engineering, has also demonstrated progressive improvement. The area of greatest deficiency affecting the acquisition function remains the inadequacy of requirements definition. It is against this backdrop that the current RAND assessment has been performed.

NSA's Corporate Strategic Decision Processes

Corporate Review Group

In early 2002, the DIRNSA initiated steps in the establishment of a formal executive-level NSA review board called the CRG. In last year's assessment, RAND found that the NSA culture remained resistant to establishment of credible corporate processes, such as planning, programming, and financial management. In May 2002, the DC4 was established.2 The DC4 and the Financial Management Directorate have made significant progress in the development and institutionalization of end-to-end processes for corporately directed guidance, planning, corporate requirements, programming and budgeting, and execution. In the RAND 2003 assessment, it was noted that, in the building of the FY 2004-2009 POM/IPOM, the DIRNSA realized that the corporate strategic and business plans were not directing or sufficiently informing resource allocation decision-making because they had not been linked to any formal decision processes.

____________________

2 This office has evolved over the past several months to its present configuration and broader set of responsibilities as the Corporate Planning, Requirements, and Performance Office (DC4).

Corporate Planning Process

In early fall 2003, the DC4 initiated the FY 2004-2009 strategic planning activity that attempted to respond to many of the DIRNSA's concerns. The effort began with the DIRNSA issuing guidance in his Transformation 2.0 memorandum. The manager of strategic planning (within DC4) derived from the DCI and from early drafts of DoD's guidance documents the key external guidance and policy issues that affect NSA. The activity resulted in several major goals key to NSA's mission and transformation defined in the early drafts of NSA's FY 2005-2009 strategic plan.3 Subsequently, five panels were formed, headed by NSA senior managers, to flesh out each of the major goals and their associated objectives. Specific actions were identified for each two-year period identified in the strategic plan. Responsibility and accountability for each of the initiatives were assigned to leaders within the agency, with metrics identified for each activity. The DDIRNSA insisted that accountability be ensured by including in the performance objectives of the senior individuals either responsible for or supporting a particular initiative a significant weighting on the achievement of their respective initiatives in the strategic plan.

____________________

3 Ideally, the NSA strategic plan should cover the time spans identified in DoD guidance FY 2006-2011. However, given that NSA is establishing a planning process that attempts to cover gaps in planning and programming, the senior leadership concluded that its plan could close those gaps only through including the current year and then projecting forward to FY 2009. The NSA business plan addresses the two-year increments of FY 2005-2006. The structure allows the planning and programming function to address program gaps in FY 2005-2006 while forming strong links among current year, future year, and outyear planning.

In November 2003, the DC4 initiated the corporate FY 2006 business plan. The outputs of the strategic planning activity informed and focused the business plan activities. In early December 2003, the DC4 held a half-day off-site meeting in which the senior leadership of NSA, including the DIRNSA and DDIRNSA, met to debate and discuss the establishment of priorities among several key initiatives, their key attributes, and potential trade-offs in areas in which the agency was willing to take greater risk. This session was followed by several weeks of analysis led by the DC4's organization that resulted in identifying broad resource impacts for each of the initiatives, positing options for where potential resources might be found, and identifying areas in which the leadership is seeking greater transparency in terms of outputs and resource impacts. The discussions among the senior leaders and managers were frank, and difficult issues were raised and debated. The outputs of the final executive-level leadership meetings were to direct the DC4 to refine the options in some areas and to develop new ones. Several proposed options required the Acquisition Directorate to provide detailed data on several programs and project areas.

In early January 2004, these efforts were scheduled to culminate in the approved FY 2005-2006 NSA Business Plan that informs the CCGP and the programming process for the FY 2006-2011 POM/IPOM development. The RAND project team found the planning process to be similar to those operating in the Air Force and Navy in that broad initiatives identified in the strategic plan and further refined in the business planning activities inform the capabilities generation and programming processes about key initiatives or new requirements that are critical to mission accomplishment or transformation. The capabilities process will determine the need for the new capabilities and their broad resource impacts to achieve the plans' objectives and initiatives. The programming process will determine how the new priorities and requirements might be accommodated within the existing program and will reallocate resources to best support these needs over the program period.

Importantly, the strategic and business planning activities revealed to the senior leadership that additional information and management initiatives must be developed and implemented to better manage their resource allocation and management processes. For example, one issue raised in the business planning meetings was the need to sustain several legacy databases and divest NSA of others. To accomplish this objective, NSA must have an operational architecture with corporate configuration control mechanisms. The DIRNSA in response to this need established an IPT that includes members from the CSE, Acquisition Directorate, SID, and IAD.

Requirements/Capabilities Process

The CCGP4 is probably the most difficult of the corporate processes to implement in NSA. In 2003, this was the first process that challenged the predominance of the business units by seeking detailed information on various initiatives within the business units and attempting to identify capability gaps that might affect mission and mission support activities. The CCGP was vetted with and supported by senior managers in DoD and the IC-CMS prior to its initiation in January 2003. Business units and supporting enablers (e.g., Security, Installation and Logistics (I&L), etc.) develop implementation plans based on guidance in the corporate strategic and business plans. The structured process is designed to capture both mission and mission support capability gaps that emerge between the program for record (PFR) and new mission and mission support planning objectives. The process is designed around a $2 million corporate threshold because any new capability need or requirement that might equal or exceed this amount must be vetted in the process. The process operates between January and April each calendar year, with updates occurring throughout the year to accommodate emerging capability needs. The output of the process is reviewed by the CRG and is the basis of leadership guidance to the next phase in the system. The objective of the CCGP is to establish a disciplined, credible, and auditable process to identify, document, validate, and approve new and existing operational and institutional capability needs and to inform the programming process of their potential resource impacts on the existing program.

____________________

4 Originally, the CCGP had been called the Corporate Requirements Generation Process, but the name was changed to align with the emerging CJCS Joint Capabilities Integration and Development System (JCIDS). Also see CJCSI (2003).

Initially, representatives from the planning, programming, and requirements office in SID argued that the CCGP was duplicative of their requirements process, which is designed after the CJCS Requirements Generation System managed by the J-8 in the DoD Joint Staff for the JROC (CJCSI, 2003). In several instances, the SID representatives rebuffed the corporate process, arguing that it was primarily a resource drill and not focused on the identification of new capabilities. SID argued that the process was designed to benefit only the enablers, thereby jeopardizing the mission. The enabler organizations (e.g., ITIS, HR, NCS, I&L, Security) found the process to be a way to vet their nonmission support capability needs and obtain corporate visibility for later consideration during the resource allocation process. Heretofore, all enabler requirements were reviewed and funded only through decisions by the two business units. Several meetings and interactions occurred between the DC4 and SID management to facilitate the capabilities process. In the end, SID reluctantly provided information, but doing so necessitated numerous additional meetings and negotiations between the DC4 and various SID representatives. When the RAND project team conducted interviews for a lessons learned assessment after the annual CCGP was completed, it learned from several SID representatives and senior mission directors that the SID representatives to the CCGP had not appropriately or adequately presented the information on their capability needs.

This year, early preparations for the CCGP began in December and SID representatives in the CWG were demonstrating many of the behaviors seen in the previous year's process. The new director of SID has indicated strong support for the CCGP, but representatives from the SID planning, programming, and requirements organization continue to argue that the process is duplicative of their requirements processes and that SID should only report its requirements up through the CRG and not formally participate in the CWG. The SID requirements process will be discussed in more detail later in this appendix.

Corporate Programming

The FY 2005-2009 program build was the first time a formal program build was conducted at NSA as part of an integrated corporate process supporting the CRG. The FY 2005-2009 activity built on the lessons learned from the prior FY 2004-2009 program build that had been a joint effort using DC4, CFM, and an expert working group that had been a difficult experience for all concerned. The FY 2005-2009 activity was informed by senior leadership guidance and the outputs of the CCGP. As an off-year programming effort, the FY 2005-2009 program build afforded the opportunity to introduce a more formalized process led by programming representatives from Financial Management and a Program Working Group that supported the process for the CRG. The initial activity addressed primarily reviewing the PFR, rebalancing based on known changes in FY 2004 that impacted later years in the program, defining and developing options for overcoming outyear resource gaps, and considering new capabilities not resourced in the PFR. The FY 2005-2009 programming activity focused primarily on the CCP affecting SID and the enablers, with the ISSP affecting IAD and the other relatively small DoD-funded program activities operating separately but in parallel.

The FY 2006-2011 programming activity will be a single process in that all NSA programming issues (i.e., including CCP, ISSP, and other DoD-funded programs) will be addressed in the corporate process rather than separately within the business units and later integrated. The director of IAD has supported folding IAD's separate planning, requirements, and programming processes into the corporate structure. IAD representatives actively participated in corporate planning activities and posited fiscally informed options. Representatives from the directorate are involved in the CCGP and programming activities.

During this same period, the CFM organization spent considerable time in the development of a single budget structure by which greater transparency could be attained across all resources within the organization. The NSA Comptroller also developed financial management rules to ensure that funding is accounted for and obligated appropriately throughout NSA.

In 2004, NSA focused on the further institutionalization of its corporate decision and functional management processes. It is codifying the corporate processes (i.e., NSA Policy and Manual 1-36), identifying business unit and enabler processes that need to be eliminated because of redundancy or obsolescence, and further integrating the corporate processes. The DC4 and CFM also focused on ensuring that the processes are as efficient as possible. For example, one goal is to minimize the number of data calls through standardization of information and data and maximize the type of data collected in a single data call. Senior managers worked to clarify and manage more rigorously their resource management baselines (e.g., operations and support, research, acquisition development, and infrastructure).

NSA's CCGP

NSA's requirements processes are hierarchically structured in the CCGP (described above) and in the business units' requirements/capabilities processes. The enabling organizations vet their operationally oriented requirements through the respective business units because they are generally part of a broader operational capability need, while non-mission support requirements are entered directly into the CCGP and vetted through the CWG. DoD drives the majority of IAD's requirements process, and therefore, it easily parallels and links to NSA's CCGP.

SID has developed a requirements process that attempts to replicate that of the CJCS Joint Requirements Generation Process operated by the J-8. The recent adoption by the CJCS of the JCIDS process has caused SID to revise its process to try to mirror-image the new capabilities process while grandfathering requirements documents already in process. However, the SID requirements/capabilities process is deficient in several critical areas. The process primarily focuses on major programs and the preparation of the documents needed by the JROC for approval, rather than ensuring a rigorous requirements definition and review for the full spectrum of capabilities. For major programs, the SID process has been focused on the SIGINT Capstone Requirements Document (SCRD) and mission-level ORDs rather than providing definition for system-level requirements essential to the development of sound acquisition programs. Furthermore, the mission-level documents have been neither vetted nor managed as part of the corporate capabilities process. The ORDs have been reviewed by the CRG, which SID process managers have viewed as sufficient prior to sending the documents to the Joint Staff for coordination, review, and final approval. Currently, several of the SID-developed mission-level ORDs supporting key programs have yet to be approved by the JROC, and the IC-CMS/OSD assessment has cited a lack of systems-specific capabilities documents as an agency deficiency.

SID programs not requiring JROC approval generally lack well-defined requirements and often experience considerable program turbulence as a result. These programs consume the largest percentage of CCP development resources. SID representatives argue that it is the responsibility of the acquisition business managers to codify program requirements in particular procurement requests as part of their acquisition activities. However, DoD policy places these responsibilities on the "demander" of a capability to clearly define and codify a requirement prior to initiation of an acquisition activity.5 The SID requirements/capabilities process needs to strengthen the technical and analytic rigor underpinning them, and it must ensure that well-articulated capability needs are clearly identified and system-specific requirements are formally documented before the initiation of any acquisition activities. The operational expertise in NSA exists in the business units (i.e., SID, IAD, and ITIS), and each must provide explicit identification of their new capability needs to the acquisition function. Those capability needs exceeding the corporate $2 million resourced threshold must be vetted through the CCGP and approved by the CRG. Unless this is done, acquisition is hindered in "acquiring" the appropriate systems and capabilities in a timely and cost-effective manner, particularly in the smaller but important non-PEO managed programs.

____________________

5 If SID is following DoD guidelines, as it asserts, the operational requirements must be documented and technically vetted prior to their submission to the Acquisition Directorate. Within the military departments, the smaller acquisition programs still receive validated, vetted, and documented requirements before any procurement activities are initiated.

Create an Empowered Systems Engineering Organization and Staff

In 2003, the DIRNSA consolidated the systems engineering function at NSA under the CSE. In this capacity, the CSE is responsible for the management of all engineering activities and resources in the agency. Secondly, the DIRNSA placed the responsibility for the UCAO under the CSE, thereby dual-hatting the CSE. The rationale behind these management decisions was to be responsive to congressional complaints that NSA's systems engineering function was too dispersed and should be consolidated. The leadership did not want to place systems engineering under the SAE because the function might become too stovepiped within the Acquisition Directorate. In addition, NSA's systems engineering needs to reach far beyond the Acquisition Directorate. Furthermore, the DIRNSA wanted to be consistent with the military services and DoD by viewing systems engineering as an enterprisewide asset and not the exclusive domain of the acquisition function.6 The CSE's management of the UCAO is part of the DIRNSA's responsibilities as the functional manager of the cryptologic mission and, therefore, should be corporately managed. The UCAO is now managed as part of the corporate enterprise rather than within a single business unit. This also ensures alignment and appropriate integration of both the larger functional cryptologic architecture and NSA corporate architecture in a single organization.

____________________

6 None of the military departments in DoD places systems engineering under the acquisition function. The systems engineering capabilities are allocated to acquisition but centrally managed. The DIRNSA also examined the emerging model at NGA in which systems engineering resources are centrally managed by the Strategic Transformation Office (STO) and the Chief Engineer within that organization.

The current alignment appears to be working. The CSE is providing significant numbers of Scientific Engineering and Technical Assistance (SETA) and government engineers to support acquisition, the corporate business processes, and the business units. The engineering assets are directly under the control of the organizations, including the program managers, to which they are assigned, with quality control overseen by the CSE organization. The RAND project team found no evidence that the two responsibilities are hampering the CSE's ability to provide system engineering management and oversight throughout the enterprise. The most critical system engineering gap that needs to be addressed by the CSE is the development and validation of an enterprise architecture that baselines the operational, acquisition, and business processes and infrastructure activities in NSA. Although the CSE has developed both corporate and business unit-level ADMPs, the enterprise architecture is essential to configuration management across the entire enterprise, and, in particular, to the identification of the legacy systems that could be candidates for divestiture or that will migrate into the new operational backbone.

Development of the ADPBL and Acquisition Cost Estimation

The development of the ADPBL has been a focus of external overseers for the last three years. In 2003, the acquisition organization further refined the baseline by getting greater clarity on how O&M and RDT&E funding was being managed for acquisition programs in the agency. The agency obtained greater clarity on the eight PEO programs now managed by the SAE, but the smaller procurements have not provided a similar level of transparency. In December 2003, as a result of the business planning activities, the DIRNSA directed the Acquisition Directorate and SID to flesh out the non-PEO programs to provide greater clarity on how these dollars are being spent and what requirements they are satisfying. In November 2003, the DDIRNSA hired several senior consultants to review and assist completion of a capabilities baselining activity that will link legacy program transition in support of the ADPBL. Additionally, the contracted effort will contribute information to the systems engineering efforts to develop an Integrated Master Schedule for the agency. At this writing, the consultants have focused on identifying a process for how to perform the work but have not completed their effort. A critical issue the SAE is addressing concerns how the ADPBL, in particular the non-PEO managed programs, will be managed once the capabilities baselining activity is completed.

In 2000, NSA initiated the establishment within the acquisition function of a small cost-estimation capability to have some rudimentary capability to perform independent cost analysis. Since then, the NSA cost-estimation capability has slowly but steadily increased in size and experience, using both government and contractor personnel, but the recruitment of additional capabilities has been hindered by the general lack of experienced cost estimators. NSA is one of only a few defense agencies to have developed a cost-estimation capability.

The RAND project team supports the IC-CMS/OSD report in urging NSA to develop a credible cost-estimation capability because cost estimation is an inherently governmental function. However, the RAND project team found a significant shortage of qualified government cost estimators across the government. Such organizations as the National Reconnaissance Office (NRO), NGA, and the U.S. Air Force (USAF) are all experiencing problems in hiring qualified government cost analysts and estimators.7

____________________

7 The deficiency in numbers of qualified government cost estimators is widespread in DoD and the IC and is a result of several outsourcing efforts and a lack of concerted effort to recruit, train, and maintain personnel in this skill.

Establishment of the PEO and Non-PEO Acquisition Structure

In September 2003, the DIRNSA established a PEO and a dual acquisition program management structure for the agency. Acquisition programs are now aligned into two major management areas -- PEO and non-PEO programs. ACAT 1, ACAT 1A, and NSA major acquisition programs are aligned under the PEO management structure, including such programs as Trailblazer, Cryptologic Mission Management, and Journeyman -- some eight programs total. The PEO programs make up approximately 30-40 percent of NSA's acquisition program resources. The non-PEO programs make up the majority of resources in NSA's acquisition activities. Both sets of programs are to be managed through IPTs that include mission, acquisition, systems engineering, and finance under the direction of the program manager.8 The model is similar to that operating in the military departments, but in NSA one PEO oversees the portfolio of major programs (Lewis and Brown, 2003). The SAE has complete authority over these programs through the PEO; manages the resources for these programs; and, along with the PEO, rates the program managers on their performance.

____________________

8 The senior NSA leadership is sensitive to ensuring that requirements and acquisition are strongly linked in the agency. Upon the DIRNSA's arrival at NSA, he found that the operations directorate responsible for requirements and technical directorate responsible for acquisition were not linked to ensure that the operational requirements were being sufficiently addressed by the directorate entrusted with acquisition. This problem is referred to within the agency as the "DO/DT problem" (i.e., the "director of operations/director of technology problem").

The alignment of NSA's acquisition management into PEO and non-PEO programs has had significant impacts on the overall Acquisition Directorate -- in particular, the management and manpower areas. The establishment of the PEO structure caused significant shifts of qualified acquisition personnel from positions in the broader acquisition organization. Often the most qualified and experienced acquisition personnel, including program managers and support personnel, were moved into larger, more complex PEO-managed programs, resulting in problems in executing the non-PEO program oversight responsibilities of the SAE. The non-PEO programs have concentrated their oversight function through the IPT structures organized to serve IAD, ITIS, and supporting enablers and to match the financial expenditure center manager level of organization within SID, which develops the majority of non-PEO programs. In Lewis and Brown (2003), RAND encouraged the further institutionalization of the IPTs, arguing that they provided the best mechanism to tie together operations, systems engineering, acquisition, and financial management. The concept is consistent with what DoD is attempting to do with many of its acquisition reform initiatives. In 2003, the IPTs became increasingly structured along SID organizational lines rather than capabilities and systems as a result of a lack of qualified personnel in acquisition and financial management that could be assigned to IPTs. They have not matured in the way that the NSA leadership had hoped because of many countervailing forces, including high mission demands, lack of emphasis in SID on full implementation of IPTs, and shortage of resources.

Second, the former SAE concentrated his efforts mostly on the major programs now under PEO management and their realignment, rather than on the total acquisition portfolio.

Third, the establishment of the PEO structure diverted resources and focus away from the non-PEO programs and the IPTs. As noted earlier in this assessment, the non-PEO programs have significant requirements problems, while acquisition's oversight is not consistent given the high workload demands and significant shortages in qualified personnel.9

____________________

9 The acquisition organization has approximately 80 unfilled acquisition billets, although approximately 300-400 government employees in NSA who are not in the Acquisition Directorate are acquisition-qualified. As will be discussed below under "Acquisition Workforce Development," acquisition along with other skills associated with business management are not viewed as a "career enhancing" activity in NSA, and therefore, significant recruitment and workforce retention issues continue to plague that skill group at NSA.

The IPTs are not functioning as they were initially conceived in that the involvement of the acquisition program managers by the operational mission managers is inconsistent because some acquisition program managers are viewed as administrators and therefore precluded from the deliberations about how a requirement can best be satisfied. Many contend that they are informed about how a loosely defined requirement will be satisfied and that their job is to assist the business manager in assembling the procurement package and then "walking the package through the system."10

____________________

10 NSA Acquisition Off-Site Meeting, December 5, 2003.

To remedy this situation, several acquisition program managers need additional training in their acquisition role and authorities and further qualification in their acquisition skills. Additional qualified acquisition personnel must be recruited and retained to adequately manage the non-PEO programs. With the addition of more qualified personnel, the IPTs need to be fully implemented and realigned to support needed capabilities rather than be aligned organizationally. In addition, the full membership of the IPTs must be involved in the Analysis of Alternatives (AoA) deliberations to ensure that requirements are clearly defined and the appropriate solutions are considered for obtaining a capability. Appointing a technical manager in each of the business units with responsibilities to ensure that requirements are rigorously defined, that the full array of options for obtaining a capability are considered, and that redundant efforts are eliminated would be beneficial. As discussed below, this recommendation also supports ensuring that the "buy versus make" policy is properly implemented across the NSA.

"Buy Versus Make" Policy

NSA is the only DoD-IC organization that has a published "buy versus make" policy. In 2003, based on the IC-CMS/OSD assessment and the RAND project team's research, assessment, and recommendations, the NSA policy was simplified and cumbersome annexes were eliminated. Two outstanding issues remain with the revised policy and its implementation across the agency. The first is NSA's definitions of what constitutes a "buy" and "make." In NSA, any activity that utilizes SETA contractors to modify a commercially acquired capability inside the NSA constitutes a "make" activity. In other DoD and IC organizations, similar activities are judged to be "buys" and in-house modifications performed by SETA and government employees are referred to as "mission tailoring" (Lewis and Brown, 2004). Secondly, many senior managers in NSA believe that it is the responsibility of the "buy-make" policy to ensure that NSA's strategic strongholds, or core competencies, are identified and protected by this acquisition policy. The RAND report on this subject (Lewis and Brown, 2004) strongly recommends that the strategic strongholds be removed from the "buy-make" policy. The strategic strongholds, like core capabilities or competencies, operate as the ethos of an institution, and their workforce components should be managed by an agency manpower function or policy organ other than the "buy" advocate in the acquisition organization.11

____________________

11 Lewis and Brown (2004) argues that the strategic strongholds are important to NSA in that they really identify a set of critical operational capabilities unique to the agency; therefore, they need to be strategically managed within NSA. In one sense, they form the ethos of the institution and are the responsibility of everyone -- the workforce needs to be knowledgeable about them. These capabilities encompass major components of the technical skills that ensure the viability of the agency mission and should be formally managed either through an agency manpower function or policy organ responsible for the strategic workforce plan and maintenance of these core capabilities (Lewis and Brown, 2004).

The RAND project team found that three types of activities occur in the context of the "buy-make" decision at NSA. The first involves pure "buys" when a commercially acquired capability is obtained and immediately applied to the mission. The second involves pure "makes" when a mission manager or operational program manager directs NSA employees and SETAs to develop a capability in house. The third is a commercially acquired capability modified by SETAs and NSA's employees to fit the mission demands. The RAND project team could find no quantitative information on what percentage of NSA's "buy-make" activities fall into each of the three categories. Extensive interviews revealed that the PEO-managed programs are primarily "buys" with some modifications of capabilities or "make" activities once they are on site. Most "make" activities are likely to occur in the non-PEO programs, but this insight is based on anecdotal evidence because little or no quantitative data has been collected. Therefore, it is impossible for the "buy" advocate to collect any data on how the "buy versus make" policy is being implemented across the agency. In the non-PEO programs, most of the "buy-make" decisions are made during the AoA phase of the requirements process, which is generally informal, and, as noted above, the IPTs and acquisition program managers are not involved in this phase of the deliberations. To ensure successful policy implementation, the senior leadership needs to recognize that the AoA constitutes a critical decision in the development of capabilities. It necessitates that requirements be well articulated and codified and that a full range of options be developed that address and ultimately document the "buy-make" decision for each capability. With full implementation of the IPT concept, these issues would be raised, debated, and documented during the AoA. Lewis and Brown (2004) makes two recommendations:

Acquisition Workforce Development

Shortly after the appointment of the SAE in late summer 2000, the formal management of the NSA acquisition workforce took on a more structured design. While such acquisition-qualified personnel as contracting officers and program managers have been resident at NSA since the advent of DAWIA of the late 1980s, their formal management and training lacked organization, direction, and resources. Since 2000, the SAEs have been instrumental in establishing formal programs to recruit, manage, train, and develop NSA personnel in the key acquisition workforce skills and obtain additional resources to support their management. However, it must be recognized that during this period the nascent acquisition organization has undergone significant growth in size and workload that continues to challenge the resources applied. The size of the Acquisition organization has almost doubled over the past four years, and the availability of qualified personnel to fill billets has not kept pace with this growth. Similarly, the growing demands of the mission have placed increased demand on the existing Acquisition organization. The results have been more difficulties in recruiting and maintaining qualified acquisition personnel. While the number of DAWIA-qualified personnel in the Acquisition Directorate has increased over the years, it has not met established needs. The RAND project team has learned that NSA has several hundred acquisition-qualified personnel outside the Acquisition Directorate who have continued to avoid acquisition assignments.

Recruitment and maintenance of an adequate and qualified workforce remains a challenge at NSA, much as it does in the other DoD and IC agencies. The RAND project team has identified several facets to this complex manpower management problem. First, acquisition is viewed by those in the agency's broader workforce as a supporting business area that is less important than mission-related jobs. Second, the broader NSA workforce has lengthy experience to demonstrate that promotions, recognition, bonuses, and employee satisfaction are more focused on the direct mission-related organizations and their skilled positions. Third, the NSA culture generally does not recognize acquisition as important to the mission, although some change has recently become apparent because of the increased resources that acquisition must administer. Fourth, even personnel with acquisition qualifications and experience often look for positions outside the acquisition function to obtain relief from heavy workloads or achieve a variety of experience. The inability to address this complex manpower problem is largely responsible for the unfilled positions within the Acquisition Directorate and serves to increase the burden on current incumbents and hurts morale. A concerted effort that addresses all aspects affecting the acquisition workforce is necessary to remedy this continuing issue.

In December 2003, the DIRNSA appointed Harry Gatanas the SAE. Mr. Gatanas returned to NSA in the same position that he had vacated in early 2002 to take an industry job. The returning SAE is focused on how the MDA issue will be managed and on establishing a strong PEO program management structure. He also is addressing several issues related to the management of the non-PEO programs and the issue of recruiting and maintaining a qualified acquisition workforce. While these efforts are well received, they should not be expected to provide quick solutions.

Summary and Conclusions

NSA continues to make significant progress in the development of credible corporate decisionmaking and management processes. As NSA implements the processes and develops analytic expertise, many of the initiatives have a synergistic effect. For example, the strategic and business planning activities led to the leadership's need to fully understand the amount of resources being expended against requirements in the non-PEO programs. This insight put significant pressure on the business units and the Acquisition Directorate to flesh out these programs and to justify them within the next few months. Similarly, the CSE has initiated efforts to complete the enterprise architecture to ensure that the CCGP and programming functions are fully informed about the impacts of potential new capabilities and the divestiture of legacy systems. To this end as part of the planning process, the DIRNSA directed that several IPTs be formed to provide information on a variety of issues associated with the enterprise architecture, legacy systems and databases, and migration plans for the legacy databases that will be retained.

The ongoing work done by the RAND project team finds that some significant problems remain with the SID requirements processes in that they are primarily focused on major programs (i.e., ACAT 1) and processes (e.g., the generation of documents) rather than ensuring that activities are robust, technically informed, and well defined. Sound requirements processes must operate in the business units because they have the tightest linkage to mission and possess the operational expertise essential to meeting mission demands. The SID requirements process needs to be restructured in both the PEO and non-PEO areas to ensure that strong technical requirements are identified and vetted. The SID processes must be tied to the corporate processes as well as linked to those operating in the DoD and IC-CMS. The initial step is to appoint a technical manager in SID who is knowledgeable about mission and requirements to review all requirements activities to ensure that the capability needs are fleshed out, well articulated, and codified. Because of IAD's strong affiliation with DoD and the services, RAND finds most of IAD's processes to be well defined and responsive to both NSA and DoD processes.

The non-PEO program IPTs need to be reconfigured, specifically within SID, to align better with capabilities rather than with the organization. If this were done, it would provide better insights on potential duplicative requirements, programs, and initiatives. The IPTs need to be fully implemented by bringing all the players -- finance, systems engineering, acquisition, and operators -- together to discuss the full array of issues associated with a requirement and to ensure that options are developed during the AoA that consider the specific capability need, strategic strongholds, and "buy-make" decisions in the context of cost, schedule, and performance. Unless this is done, the IPT concept as envisioned by the leadership will not be fully implemented.

Having already reviewed the PEO-managed programs, the new SAE has given priority to improving the oversight of the non-PEO managed programs. To support these programs, sufficient resources must be brought to bear. The Acquisition Directorate has continued to expand its oversight throughout NSA, and it is now an accepted part of NSA's business model. Since the 2002 RAND report, the Acquisition Directorate has its own billets and funding line in the NSA program and has received added resources. Nonetheless, the Acquisition Directorate is confronted with several interrelated problems. Because Acquisition, like all business management-related organizations at NSA, is not viewed as a "career enhancing" activity, it is difficult to attract sufficient qualified people and the unit is plagued by high personnel turnover because workers want to go to positions that will lead to promotions. This workforce issue must receive the NSA leadership's support.

The NSA leadership must also ensure that career opportunities exist to attract and retain very good people in positions to operate the corporate strategic decision processes. The unfilled positions and high turnover rates plaguing some corporate offices (e.g., DC4) hinder the NSA's ability to implement the needed processes and develop an institutional knowledge about the processes, their analytic underpinnings, and historical perspectives. The corporation must also accept that many of the positions in corporate offices cannot be filled by contractors because many of the functions that support corporate strategic decisionmaking are inherently governmental and contain such sensitive information that it should not be shared with nongovernment employees.


Bibliography

ASD (C3I) and DDCI (CM), "Report on National Security Agency Acquisition Management Capability," July 1, 2002 (government publication; not available to the general public).

____, "Report on National Security Agency Acquisition Management Capability," February 28, 2003 (government publication; not available to the general public).

Bohls, Robert J., Sr., "Planning, Programming and Budgeting System, Executive Management Course," EMC, briefing, October 2002.

Budgeting Process Meeting, NSA, June 29, 2003.

Carlock, Paul G., Steven C. Decker, and Robert E. Fenton, "Agency-Level Systems Engineering for 'Systems of Systems,'" Systems and Information Technology Review Journal, Spring/Summer 1999.

Chairman, Joint Chiefs of Staff Instruction (CJCSI), "Joint Capabilities Integration and Development System (JCIDS)," CJCSI 3170.01C, June 24, 2003.

____, "Requirements Generation System," CJCSI 3170.01B, April 15, 2001.

Congressionally Directed Action Report, prepared by the acting Senior Acquisition Executive (SAE) and approved by the Office of the Assistant Secretary of Defense, C3I, and the Deputy Director of Central Intelligence for Community Management (DDCI/CM), Independent Review of the National Security Agency Acquisition Processes, June 1, 2000 (government publication; not available to the general public).

DoD Issues Management Initiative Decision (MID) 913, May 22, 2003.

DoD Memorandum, "Procedures and Schedule for FY 2005-2009 Program Budget and Execution Review," May 21, 2003.

Executive Management Course, January 9, 2003.

Finkelstein, Sydney, Why Smart Executives Fail and What You Can Learn from Their Mistakes, New York: Penguin Books, 2003.

Hartney, Jim, "Program Working Group Initial Meeting 13 Feb 03," briefing slides, DF31, 2003.

IAD senior manager, interview, July 25, 2003.

Interviews with senior NSA officials, June 10, 2003.

Labich, Kenneth, "Boeing Finally Hatches a Plan," Fortune, March 1, 1999.

Lewis, Leslie, and Roger Allen Brown, Buy Versus Make Policy and Its Implementation at the National Security Agency, Santa Monica, Calif.: RAND Corporation, MG-183, 2004.

Lewis, Leslie, Roger Allen Brown, and C. Robert Roll, Service Responses to the Emergence of Joint Decisionmaking, Santa Monica, Calif.: RAND Corporation, MR-1438-AF, 2001.

Lewis, Leslie, Roger Allen Brown, Harry Thie, and John Y. Schrader, Getting Down to Business: Improving the National Security Agency's Acquisition Function, Santa Monica, Calif.: RAND Corporation, MR-1507-NSA, 2002.

Lewis, Leslie, James A. Coggin, and C. Robert Roll, The United States Special Operations Command Resource Management Process: An Application of the Strategy-to-Tasks Framework, Santa Monica, Calif.: RAND Corporation, MR-445-A/SOCOM, 1994.

Marino, Peter, and Robert Kohler, "Why Systems Engineering for the DCI and the Intelligence Community?" briefing, September 2002.

Memorandum to the acting SAE, from the acting IC SAE, May 17, 2002.

METIS Database Demonstration, briefing, July 2003.

Mullen, Gary, DC4 Capabilities Process Briefing, July 30, 2003.

National Defense Authorization Act for Fiscal Year 2004, H.R. 1588, November 7, 2003.

Niven, Paul R., Balanced Scorecard Step-by-Step for Government and Nonprofit Agencies, New York: John Wiley and Sons, 2003.

NSA, "Review of the New Acquisition Program Executive Office (PEO) Responsibilities," memorandum to the Deputy Director of NSA, August 12, 2003.

NSA Acquisition Off-Site Meeting, December 5, 2003.

NSA Acting SAE Information Memorandum, "Subject: Input for DCI and SecDef Congressionally Directed Action to Review NSA's Acquisition Process," June 2002 (government publication; not available to the general public), and NSA, Briefing, July 11, 2003.

NSA Business Plan working papers, November 2003.

NSA, CRG, programming briefing, July 11, 2003.

NSA Corporate Review Group (CRG) Meeting, Structure, May 10, 2002.

____, FY 2004-2009 POM/IPOM Build, briefing, August 13, 2002a.

____, NSA FYs 2003 and 2004 Program Balance, Briefing, August 26, 2002b.

____, SID Program Briefing, August 9, 2002c.

____, Programming Briefing, NSA, July 11, 2003.

NSA/CSS, Architecture Development and Management Plan (ADMP), March 2002a.

____, Corporate Review Group (CRG) Charter, final, May 2002b.

____, Corporate Business Services Architecture Development and Management Plan (ADMP for Corporate Business Services), 2002c.

____, Policy Number 8-1, NSA/CSS Acquisition Management System Draft, January 2003 (government publication; not available to the general public).

Office of the Secretary of Defense (OSD), Draft Acquisition Guidelines, October 2002.

____, Program Evaluation and Analysis and Acquisition, Technology, and Logistics, Joint Capabilities Planning, final report, February 2004.

Policy Letter 92-1 to the Heads of Executive Agencies and Departments, September 23, 1992.

Polydys, Mary Linda, "Interoperability in DoD Acquisition Through Enterprise 'Architecting,'" Acquisition Review Quarterly, Summer 2002.

Roberts, Julian R., Jr., "Planning, Programming, and Budgeting Systems," Business, Cost Estimating, and Financial Management Department, Defense Acquisition University, October 2002.

Schrader, John, Leslie Lewis, and Roger Allen Brown, Quadrennial Defense Review 2001: Lessons on Managing Change in the Department of Defense, Santa Monica, Calif.: RAND Corporation, DB-349-JS, 2003.

Service-Level Agreement Between the Information Assurance Directorate and the Acquisition Directorate, December 2001.

Service-Level Agreement Between the Signals Intelligence Directorate and the Acquisition Directorate, December 19, 2001.

U.S. Army, How The Army Runs, A Senior Leader Reference Handbook, Carlisle, Pa.: U.S. Army War College, 2001-2002.


The National Security Agency (NSA) is in the process of transforming itself while it conducts its current, midterm, and long-term missions. Are the changes NSA is making contributing to the accomplishment of this ambitious agenda? NSA has been implementing the recommendations of the authors of this report and previous reports to change the way it works to better respond to the needs of its overseers at the Department of Defense and the Intelligence Community. To that end, it has established new corporate decision processes and formed a Corporate Review Group and an Office of Chief of Planning, Capabilities, and Performance. These bodies advise and inform the Director of NSA so he has the knowledge he needs to guide the agency as it transforms itself and performs its missions. This book chronicles the progress of these efforts and finds that, while the decision processes have been established, their full institutionalization is still in progress.

This product is part of the RAND Corporation monograph series.

RAND monographs present major research findings that address the challenges facing the public and private sectors. All RAND monographs undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND
OBJECTIVE ANALYSIS.
EFFECTIVE SOLUTIONS.

ISBN 0-8330-3766-8

MG-187-NSA


HTML by Cryptome.