Post-Snowden, NSA Crafts New Plan to Protect National Secrets
In the aftermath of Edward Snowden's revelations, the National Security Agency has "reached a point where a single individual can cause catastrophic harm," said NSA's first chief risk officer, Anne Neuberger. Named CRO last September, Neuberger described the philosophy behind NSA's nascent risk management framework, saying it's a system that measures the risks of each decision and each program. The agency has been developing its own framework over the past several months and "building a common definition of what low, medium and high risk means," she said, adding that the value of a program's mission "always exceeds that risk." The framework could include principles such as not putting an employee's life at risk "without X approval, without Y value determinant," she said. It could also help employees assess, and potentially mitigate, the risk of sharing sensitive information.
Being transparent with employees about that kind of framework shows employees "the way we as an enterprise value you, the value of your work, [and] how we approach that value." The agency should then continually assess and re-assess that framework, Neuberger said. A risk management framework might also pay more attention to risk indicators that could tip the agency off to potential problems, Neuberger said. She noted, for instance, that an influx of letters to Congress about the Department of Veterans Affairs -- mostly from veterans complaining about extended wait times and lack of care -- indicated that some programs were at risk of failing.