SSO Dictionary Relevant Entries

ARTIFICE (TS//SI/NF) Covername for one of SSO's corporate partners BIGBIRD (TS//SI//NF) A cable modernization effort, which began in 2004 to support the theme of a more focused, agile collection, a more cost-effective cover, and access to new higher priority cable systems. As part of the FAIRVIEW/SSO broad access, focused collection strategy, the BIGBIRD effort provided the program with significant additional access to targets on selected undersea cable systems, an automated remote survey capability, and a modernized collection and processing suite for exploiting this new access. The enclosed proposal for continued cable modernization, entitled POORWILL, will specifically focus on providing increased DNR access capacity and processing across all existing cable sites. Additionally, the proposed effort includes increased processing capacity at the Program's centralized processing facility PINECONE. BLACKBELT (T//SI//NF) FAIRVIEW Access CASE NOTATION (S//SI//REL) An alphanumeric value that identifies the intercepted link being processed. CADENCE C//SI) CADENCE is a DNI tasking tool. The CADENCE system fully automates the Front-End Dictionary Management process within Operations. Utilizing CADENCE, dictionary managers as well as target analysts are able to submit, review, and forward dictionary updates electronically. Receipts for these requests are automatically generated, statistics compiled and reported, and approved updates maintained in a database containing historical information for the DDO review of "USSID-18" compliance. Finally, CADENCE provides a transparent interface to BLACKNIGHT/SHIPMASTER, COURIERSKILL, and other site dictionaries. CDR (TS//SI//NF) Call Detail Records (or Telephony Metadata) include comprehensive communications routing information, specifically, originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, Mobile Subscriber Integrated Services Digital Network Number (MSISDN), International Mobile station Equipment Identity (IMEI) number, also trunk identifier, telephone calling card numbers, and the time and duration of call. Telephony metadata does NOT include substantive content of any communication, or the name, address, or financial information about a subscriber or customer. (Source: BR FISA End-to-End Report Glossary, dated 29 June 2009 and ADET/SV BR FISA Training Glossary on eCampus dated Sept 2009) CNCI Comprehensive National Cybersecurity Initiative COURIERSKILL (S//SI//REL) COURIERSKILL is a project under the THEORYMASTER program. It provides high performance content Filtering and Selection (F&S) capabilities to meet the current and future needs of Data Network Intelligence. COURIERSKILL also provides content F&S services for the WEALTHYCLUSTER 2.0 system. It is designed to replace the legacy BLACKNIGHT system.

CLIFFSIDE (TS//SI//NF) A FAIRVIEW site CS (TS//SI//NF) CLIFFSIDE-A FAIRVIEW site DISHFIRE (S//REL) DISHFIRE is a Short Message Service (SMS) storage and retrieval application developed by the Target Development Services (TAC/TDS) in response to formal requirements from the Counter Terrorism Office, and coordinated with the Rebuilding Analysis Center. DishFire offers retrieval, viewing, and some manipulation of SMS messages passed through various worldwide networks. As of September 2007, an Analyst Advisory Board (AAB) has been established to provide S2 Offices with insight into and an opportunity to comment on requirements levied on the DISHFIRE system. DNI (U//FOUO) Digital Network Intelligence-is an analytic term, replacing C2C (Computer-to-Computer), referring to SIGINT derived from the 'digital network.' The term 'digital network' is commonly identified today with the Internet, but for the purposes of SIGINT includes both the Public Internet as well as private digital networks. DNR (S//SI//REL) Dialed Number Recognition-The process of extracting dialed telephone numbers from the transmitted information present in a telephone signaling system. The dialed numbers are looked up in a "directory", which contains the phone numbers of persons from whom an analyst might gain intelligence information. If the extracted number "hits" in the directory, the associated conversation is recorded. FAA FISA Amendment Actis an Act of Congress to amend the Foreign Intelligence Surveillance Act (FISA) of 1978 to establish a procedure for authorizing certain acquisitions of foreign intelligence, and for other purposes. Based on discussions by a cross-section of NSA experts from across SID, Oversight and Compliance and Office of the General Counsel, the following guidelines are provided to aid production elements in understanding and complying with the letter, spirit and intent of the procedures associated with FISA collection under the Protect America Act (PAA) and FISA Amendments Act. Under FISA authority, analysts are required to verify the foreignness of their target and confirm that the target is appropriate for tasking under PAA and FAA Certifications prior to actually tasking any selectors. Following that, analysts are required to verify the foreignness and nature of the target routinely once data begins to flow. FAA702 FAA Section 702 (certain non-USPs reasonably believed to be located overseas) FAA 702 Collection/Targeting: U. S. persons may NOT be targeted under FAA Section 702. Persons in the US may NOT be targeted under FAA Section 702. Accounts used, shared or in any way accessed by USPs or persons in the US may NOT be targeted or remain on target under FAA Section 702. This applies even if the intended targeted user of the selector remains otherwise a non-USP reasonably believed located outside the US. FAA 702 Collection/Querying:

**Update** While the FAA 702 minimization procedures approved on 3 October 2011 now allow for use of certain United States person names and identifiers as query terms when reviewing collected FAA 702 data, analysts may NOT/NOT implement any USP queries until an effective oversight process has been developed by NSA and agreed to by DOJ/ODNI. Until further notice, analysts must ensure that database queries, including federated queries, of any USP selection terms are NOT run against collected FAA 702 data (702 data is contained in MARINA, MAINWAY, NUCLEON, PINWALE (Sweet* and Sour* partitions) and other databases). FASCIA S//SI//REL TO USA, FVEY) FASCIA II is a tool used as the primary source of metadata used in target development within the SIGINT community. The FASCIA II data warehouse contains PSTN, PCS, Media Over IP (MOIP), High Powered Cordless Phone (HPCP) Call Detail Records, ISAT, and VSAT contact events, It formerly contained Digital Network Intelligence (DNI) contact events which are now in MARINA. Analysts may login to FASCIA II to utilize its query and reporting facilities to identify and locate targets based on these call events, as well as adjust collection. FASCIA II also delivers high volumes of data to multiple data marts and follow-on analytical tools that aid in target development within the Intelligence Community. The number of users that have direct access to the FASCIA II database is restricted. Therefore, most analysts access FASCIA II data through BANYAN, a calling-tree analysis tool which contains all FASCIA II call records and LAMPSHADE INMARSAT data. Other tools that access FASCIA data include ASSOCIATION, MAINWAY, HOMEBASE and SEDB. FISA Foreign Intelligence Sureveillance Act-governs the conduct of certain electronic surveillance activities within the United States to collect foreign intelligence information. A complete copy of the Act is found at Annex B to NSA/CSS Policy 1-23. The Act covers the intentional collection of the communications of a particular, known U.S. person who is in the United States, all wiretaps in the United States, the acquisition of certain radio communications where all parties to that communication are located in the United States, and the monitoring of information in which there is a reasonable expectation of privacy. The Act requires that all such surveillances be directed only at foreign powers and their agents as defined by the Act and that all such surveillances be authorized by the United States Foreign Intelligence Surveillance Court, or in certain limited circumstances, by the Attorney General. (from: USSID SP0018 / Annex A – Procedures for Implementing Foreign Intelligence Surveillance Act) FRIAR (TS//SI//NF) FAIRVIEW's covername for the east coast cable station IP Internet Protocol-a protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one address that uniquely identifies it from all other computers on the Internet, with exceptions such as NAT (Network Address Translation) and the use of non-routable private address ranges. When you send or receive data (for example, an e-mail note or a Web page), the message gets divided into chunks called packets. Each of these packets contains both the sender's Internet address and the receiver's address. Any packet is sent first to a gateway computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an

adjacent gateway that in turn reads the destination address and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified. KEYCARD (S//SI//REL) KEYCARD is the premier Target-based Filtering and Selection database. KEYCARD is an integral part of the TURMOIL collection system and a member of the TURBULENCE suite of tools. Using smart-collection capabilities, KEYCARD has transformed the way target-based development and collection is performed. KEYCARD rapidly determines whether data should be collected or ignored. Analysts develop targets for selection via the Unified Targeting Tool (IRISHBEAUTY), OCTAVE and the KEYCARD GUI. KK (TS//SI//NF) KOZYKOVE-A FAIRVIEW site KOZYKOVE (TS//SI//NF) A FAIRVIEW site LITHIUM (TS//SI//NF) BLARNEY's covername for one of their corporate partners. Need WPG ECI for company name LOPERS (S//SI//REL) LOPERS is a Dialed Number Recognition (DNR) system providing filtering, selection, and metadata extraction for intercepted telephony traffic. With the exception of the signal input card, LOPERS is entirely software based and runs on Linux on commodity Intel-based PC hardware. LOPERS also provides the ability to cluster multiple machines to operate as a single DNR system. LOPERS processes telephony traffic found on the Public Switched Telephone Network (PSTN); on GSM, CDMA, and UMTS Core networks; or in between the PSTN and a Core network. Input cards or a network-based Data Distribution Service (DDS) provide intercepted telephony traffic to the LOPERS system. LOPERS decodes the telephone numbers present in the call signaling and forwards the numbers to KEYCARD for normalization and validation. Calls including targeted selectors are captured and saved to an output directory, where MAILORDER picks them up for forwarding to follow-on processing systems. LOPERS offers four flavors of the system: one for use by first- and secondparty installations and three different flavors for third-party partners. LUMBERYARD FAIRVIEW (satisfying POC with NTOC for anomaly detection/ situational awareness) MAINWAY (TS//SI//REL) MAINWAY, or the MAINWAY Precomputed Contact Chaining Service, is an analytic tool for contact chaining. It's helping analysts do target discovery by enabling them to quickly and easily navigate the increasing volumes of global communications metadata. Mainway attacks the volume problem of analyzing the global communications network. Automated traffic analytic processes support global multimode target development, alerting and intelligence reporting. Initial requirements include global contact chaining and timelining of all telephony, e-mail and pager contacts, from both collection and toll records. Automation processes use the global contact chains to identify potential tasking changes, new communities of interest, changes in communities of interest, activity patterns of interest, number normalization

errors, COMSEC changes, and to help score/select content for forwarding and processing. Visualization tools are also available to document findings and help develop new automation algorithms. MAILORDER U//FOUO) MAILORDER is an FTP-based file transport system used to move data between various collection, processing and selection management systems. Originally developed in 1990, MAILORDER has been ported to many hardware platforms over the years. The current platform runs Linux on Intel x86 hardware with the Sybase ASE 15 database for keeping track of statistics. Ultimately MAILORDER will be replaced by JDTS, but MAILORDER Systems will continue to serve in the Transport Architecture for years to come. MAILORDER relies on information in the filename to determine how to route data. The filename must begin with the PDDG of the originating site. This is followed by a three character File Routing Trigraph, which identifies a destination system and directory. Next is a two character Source System Digraph, which identifies an individual piece of equipment within the given site. Next is a priority digit, a number between one and seven (high to low priority), which is used to prioritize files. MERLIN (T//SI//NF) FAIRVIEW'S Effort to build-out the mobility network access. It will be a multi-year, multi-phased initiative to exploit various facets of the network, which include SMS messages, Mobile Application Part (MAP), packet data and voice. Consumers are rapidly abandoning traditional telephones and migrating towards mobile devices. Secondly, consumers are also changing the way they communicate, from voice calls to text messages and e-mail. Going forward, it will be essential to have mobile communications as part of the program's comprehensive SIGINT strategy. NSAH (U//FOUO) National Security Agency Hawaii NSAW (U//FOUO) National Security Agency Washington NSOC (U//FOUO) National Security Operations Center NODDY-3 (TS//SI//NF) FAIRVIEW'S covername for Coverage of Current and Forecasted NRTM Circuits. The FAIRVIEW program is acquiring DNI access (SAGUARO) from the Partner's DNI backbone which includes OC-192 and 10GE peering circuits. The Partner has provided a current view of the forecasted and equipped 10GE and OC-192 peering circuits at the eight SNRCs as of March 2009. Based on the information presented, by the end of 2009, the total number of forecasted 10GE peering circuits at the SNRCs will be approximately six times greater than OC-192 peering circuits. However, the growth in 10GE circuits in 2009 is about 19 times greater than the forecasted growth for OC-192 circuits. As these additional links become active it is imperitive that FAIRVIEW have the ability and the agility to follow SIGINT targets of interest. This action will provide 100% coverage of the 2009 forecasted 10GE and OC-192 links. This broad coverage approach is a key part of a larger effort to recast the FAIRVIEW DNI router access to be more agile and more highvalue intelligence focused as part of the program's effort to provide broad access, continuous survey and focused collection.

NUTHATCH (TS//SI//NF) FAIRVIEW'S covername for the transport upgrade between FRIAR/PC access to accommodate growth in the cable system) OCTAVE (C//SI//REL) OCTAVE is the principal means for tasking of telephone numbers (and other telephone identification data such as IMSIs, IMEIs, and INMARSAT FTINs and RTINs) to the various DNR collection systems used by the National Security Agency and its Second Party partners. It also enables the management of those numbers. Conversely, CONTRAOCTAVE is a reference database that contains phone numbers that should not be tasked in OCTAVE or UTT. OCTAVE is scheduled to be replaced by UTT by 2011. See OCTAVE-UTT-Transition for the approximate timeline. OPSEC (U//FOUO) Operations Security-the process of denying potential adversaries information about friendly capabilities and intentions by identifying, controlling and protecting generally unclassified indicators associated with planning and conducting operations and other activities. PBX (U//FOUO) Private Branch Exchange Telephone service provided for a customer's use consisting of central office trunks, a switchboard and extension telephones which may be interconnected with the trunks or with each other through the switchboard and associated equipment. PBXs may be manual or dial, depending on the method used by extensions to place incoming or outgoing calls. PINECONE (TS//SI//NF) PINECONE-Cover name for the LITHIUM site in NJ for FAIRVIEW PINWALE (TS//SI//NF) PINWALE is NSA's primary storage, search, and retrieval mechanism for SIGINT text intercept. PINWALE's mission is to provide storage and online access to multiple terabytes of DNE and textual data upon analytical requests. It is to provide timely, accurate, and reliable Text Search and Retrieval Support to the user community. Target data is filtered through a Packet Raptor at site before exfill. Once brought back to NSAW, it is processed by a WC2, which is followed by an XKEYSCORE for selection. PLANK (TS//SI//NF) Access expansion and collection (content and metadata) via the deployment of a global SIGINT sensor grid through FAIRVIEW's LITHIUM partner. PLANK-3A (TS//SI//NF) The follow-on to FAIRVIEW's FY11 PLANK-3 access expansion effort. POC (U//FOUO) Point of Contact POORWILL (TS//SI//NF) FAIRVIEW'S effort to continue cable modernization, specifically focus on providing increased DNR access capacity and processing across all existing cable sites. Additionally, the proposed effort includes increased processing capacity at the Program's centralized processing facility - PINECONE.

PR/TT (TS//SI//NF) Pen Register / Track and Trace collection-terms relating to the collection of metadata under FISA authorities. The definitions of the Pen Register and Trap and Trace techniques were significantly expanded in the USA Patriot Act of 2001. Previously, a pen register only referred to a device that provided a list of all the numbers dialed from or to a particular phone. The Patriot Act expanded the definition of a pen register from just the attachment of a device to a telephone line to include any process that will capture dialing, routing, addressing, or signaling information. A trap and trace device is similar to a pen register, except that the device only captures incoming information. It too was expanded to include dialing, routing, addressing, or signaling. In effect, the definitions were broadened to allow the collection of both telephony and Internet metadata. (Source: PRTT Need to Know Guide dated April 2008). RAS (TS//SI//NF) Reasonable Articulable Suspicion RODEO STAR (TS//SI//NF) FAIRVIEW Site SAGURA (TS//SI//NF) DNI access from FAIRVIEW'S Partner's DNI backbone which includes OC-192 and 10GE peering circuits. The Partner has provided a current view of the forecasted and equipped 10GE and OC-192 peering circuits at the eight SNRCs as of March 2009. Based on the information presented, by the end of 2009, the total number of forecasted 10GE peering circuits at the SNRCs will be approximately six times greater than OC-192 peering circuits. However, the growth in 10GE circuits in 2009 is about 19 times greater than the forecasted growth for OC-192 circuits. As these additional links become active it is imperitive that FAIRVIEW have the ability and the agility to follow SIGINT targets of interest. This action will provide 100% coverage of the 2009 forecasted 10GE and OC-192 links. This broad coverage approach is a key part of a larger effort to recast the FAIRVIEW DNI router access to be more agile and more high-value intelligence focused as part of the program's effort to provide broad access, continuous survey and focused collection. SERENADE (TS//SI//NF) BLARNEY's covername for one of their Corporate Partner's. Need WPG ECI for name SG (U//FOUO) STARGATE-FAIRVIEW A site SC (U//FOUO) SILVERCOLLAM-FAIRVIEW site SCIF (U//FOUO) Sensitive Compartmented Information Facility SEALION (TS//SI//NF) A FAIRVIEW site Selector U//FOUO) A Selector is an identifier used in dialed number recognition (such a telephone number, IMEI, IMSI, or MSISDN) or used in digital network intelligence (such as an email address or instant messaging IDs). A selector becomes a seed once it is RAS approved. SEAGULL (TS//SI//NF) BR-FISA Metadata, LITHIUM’s billing records

SERENADE (TS//SI//NF) BLARNEY's covername for one of their Corporate Partner's. Need WPG ECI for name SILVERCOLLAM (TS//SI//NF) A FAIRVIEW site SLIVER (TS//SI//NF) SLIVER is a proof-of-concept (POC) is an effort to enable cross-mission (CNO) collaborative capabilities in a global setting. Under the SLIVER initiative, passive IP sensor nodes will be deployed at two CONUS sites and two OCONUS sites. These nodes will be fed by a small amount of traffic volume. The CONUS nodes will support both Lithium commercial network security functions, as well as SIGINT and SIGINT-enabled CND applications (i.e., end-point characterization data and IP flow data). Within the SLIVER timeframe, due to OPSEC constraints, the OCONUS nodes will only be configured to support Lithium commercial network security functions -- any Lithium-derived metadata from the OCONUS nodes will be sent to FAIRVIEW's centralized processing facility (PINECONE), under applicable SIGINT authority, for analysis and exploitation. In addition to these passive sensor nodes, active commercial security nodes will also be deployed at both the CONUS and OCONUS sites and used commercially in order to provide essential mission cover. SORA-2 (TS//SI//NF) IP Access Expansion effort for FAIRVIEW. One of the areas of FAIRVIEW's DNI backbone access (Saguaro) that has not yet been sufficiently exploited is the access side of the Common Backbone (CBB) network. The major reason for this is the sheer number of access links - tens of thousands - which would make 100% coverage prohibitively expensive. One way to overcome this constraint is to monitor uplinks out of the access routers toward CBB backbone or aggregation routers. Even so, the number of uplinks is still numerous, requiring an additional selection/prioritization strategy. Lithium, in concert with ODD, developed a strategy that rank orders access routers using several different metrics, such as the following: PRI Value, Country Value, PAA Value, CD Value and CCCD Value. The top eight router uplinks, as outlined in the attached proposal, have been analyzed and deemed of high SIGINT interest. Therefore, we are requesting approval to deploy monitoring on these uplinks. STARGATE (TS//SI//NF) A FAIRVIEW site STONEGATE (S//SI//REL) STONEGATE is an automated and scalable dial-up data modem and FAX modem demodulation system. It is used to collect, recognize, demodulate, format, forward, database, archive, and reporting on dial-up data modem, FAX modem, speech, and unknown signals. STONEGATE is designed to handle the 80% of the dial-up data modem and FAX modem traffic that can be automatically and correctly processed. The 20% of the traffic that can not be automatically and correctly processed is forwarded to a demodulation system that has the resources needed to process the traffic. If there are problems with the STONEGATE processed signal, the original signal can be automatically retrieved via the Archive Retrieval interface. Speech and unknown traffic are detected and forwarded. STONEGATE generates statistics and

reports on dial-up data modem, FAX modem, speech, and unknown signals. TITANPOINTE TU (TS//SI//NF) BLARNEY'S site in NYC (U//FOUO) TURBULENCE TUBE (C//SI//REL) TUBE is the TU Back-end; it receives SOTF objects from TML (and potentially other TU systems), determine what forwarding actions should occur, and perform any requisite pre-forwarding preparation processing so as to create objects which can be ingested by the appropriate destination repositories. This includes 2nd and 3rd party legacy databases. TUBE will also forward objects to PWV in SOTF format. TURBULENCE (TS//SI//REL) TURBULENCE is the Enterprise framework of mission modernization, an element of the Enterprise Architecture. As part of NSA/CSS Transformation, TURBULENCE unifies MidPoint and Endpoint SIGINT, and dynamic defense, and enables network attack in a manner that creates cooperative, interoperable, real-time exploitation/defense/attack-enabling capabilities between geographically distributed nodes in a peer-to-peer (P2P) manner. At one time TURBULENCE was equivalent to NCC, or more precisely, the NCC acquisition program was tasked to acquire TURBULENCE. However, in CY2008 acquisition responsibility for some parts of the TURBULENCE architecture were split off to other program offices so that the NCC program is now responsible for some but not all components of TURBULENCE. TURMOIL (S//SI//REL) TURMOIL is the passive Digital Network Intelligence (DNI) SIGINT collection component of the TURBULENCE architecture, funded by the Network Centric Capabilities (NCC) acquisition program. It consists of an architecture designed to be extensible and flexible, so that the collection posture on these accesses can be altered dynamically with minimal service interruption. TURMOIL delivers IP data, sessionized and processed, to the back-end of the SIGINT system, in an analyst-ready form. VPCS (U//FOUO) Virtual Passive Collection Suite-a collection of virtualized components of the TURBULENCE collection system targeted for lower speed environments. The Virtual Machine (VM) images provide a fully functional passive collector suite, development environment, and testing environment in one system. XKEYSCORE (S//SI/REL) XKEYSCORE is a computer network exploitation system that combines high-speed filtering with SIGDEV. XKEYSCORE performs filtering and selection to enable analysts to quickly find information they need based on what they already know, but it also performs SIGDEV functions such as target development to allow analysts to discover new sources of information. XKEYSCORE processes data at field sites, where it is collected, and allows analysts from all over the world to query it. At field sites, the XKEYSCORE software can run in clusters of few or many computers, giving it the ability to scale in both processing power and storage. All processing is plugin based, which allows new capabilities to be quickly deployed to support operational

needs. XKEYSCORE, in various configurations, is deployed around the world and is used by each FVEY partner. XKS (U//FOUO) XKEYSCORE