NSA clears up misconceptions about compliance

Monday - 6/18/2012, 10:52am EDT

June 20, 2012 - Agency of the Month

Download mp3

You may not be familiar with John DeLong, the National Security Agency's compliance director, but the work done in his office is extremely important to NSA's mission — so important that every new employee at the agency is briefed by a member of his staff when they join the team.

"The rules that we focus on are the ones that afford privacy protection to U.S. persons as we conduct the two big core missions of NSA - signals intelligence and information assurance," DeLong said in his first-ever interview.

So, from the second new employees walk through the door, they are reminded of their obligations to report anyone not following those rules.

"I like to think about compliance as essentially bringing rules to life," DeLong said in an interview for Federal News Radio's Agency of the Month show. "Compliance is really about the place where the rules and the laws intersect with the technology, intersect with the people, intersect with the actual activities that we do."

(Read full bio.)

DeLong is NSA's first compliance director. He took the job in 2009 after the position was statutorily mandated. He had previously served as the deputy director of the NSA/CSS Commercial Solutions Center.

"By creating this position, by resourcing it, it's really a very outward sign of our focus on how we protect privacy. In fact, the motto of our organization is 'protecting privacy at mission speed,'" said DeLong. "This is a high stakes area. There's national security at stake. We're the National Security Agency by name and by mission, and it's something we really have to do — we have to protect privacy and we have to do it at mission speed."

A few hundred people now work in the compliance arena across NSA — an area that has evolved rapidly over the past three years, according to DeLong.

"Initially, I think, in any new thing you are very much focused on the present," said DeLong. "What we've been able to do is really continue to focus on the present but really spend more and more time looking one year, two years out, trying to anticipate changes in technology, trying to understand legal and policy things at a very granular level and making sure we're really planning for that."

But managing those predictions can be challenging, DeLong said.

"How do you predict something that occurs two years from now? How do you try to anticipate a technology change, plan for it, but how do you leave enough wiggle room such that two years from now you understand? And, how do you do that with laws and policies that are constantly evolving?"

Future of the Compliance Workforce

DeLong said staffing within his compliance department is both a short-term and long-term goal. On a daily basis, DeLong is responsible for making sure the compliance organizations across the agency are well staffed, have the resources they need, and are sychronized with each other. In the long term, he's working to make sure he has the right kind of people in the compliance pipeline.

"Im thinking of the couple hundred folks across NSA. How am I getting that pipeline in there? Are they going through the right sets of tours of positions that are really setting us up to be a really value-added compliance organization," DeLong said.

As for the types of people he is looking for, DeLong said it's pretty simple. He's looking for "great people."

"The deputy director asked me when I took this job, he said, 'I want compliance to be a microcosm of NSA.' And that's really very reflective of what compliance is. It's a place where the technology people work with the mission folks and with the lawyers," DeLong said. "I'm looking for folks that aren't just great in one area but that are great across multiple areas and are able to really bring people together so we can keep those things connected all the time."

DeLong said most of his staff is homegrown and comes internally from NSA. But, he said, he sees that evolving too.

"My longterm thing is really to understand how do we get that pipeline of people and bring in some external perspectives into the compliance program. There's really a compliance community that is emerging in industry and acedemia and I really want to leverage that."