As you approach the security gate, you must slow your car down to navigate a serpentine pattern of red-and-white caution-striped gates, orange traffic cones, a black SUV security vehicle, and a freestanding guard in order to reach a security gate where you present identification. Along this approach, a sign reads FPCON BRAVO (Force Protection Condition, level Bravo), indicating "an increased or more predictable threat of terrorist activity exists". Watching from the other side of the gate are well-prepared guards.
When entering the building you again present your badge to security. And a third time at an electronic station. If you are the first one of your team in, you have to draw a key from a wall-mounted machine to get into your work area. Don't even think of bringing in your cell phone. Leave it in your car or check it into one of the little cubby-hole lockers at the front door. They are small; big enough for an iPhone, but not an iPad.
When at work is there any way for staff to access Skype, Facebook, GMail, LinkedIn, etc.?
[Laughter] The bulk of the staff work on the high-side network which is the internal, classified network where we have a social networking system that we use for collaboration. For example, I keep an internal blog, we have lots of internal Wikis, an internal system something like Twitter that allows sharing of short messages, an internal system that's Facebookish where you can post your profile and what you are working on.
Most of us have unclassified Internet access [on the low side network] at our desks because it's useful for looking up technical topics, or sending an email to your spouse to let her know you'll be late, all that sort of thing, but it's not really intended to be a system where you do a lot of personal stuff. It's for government use. The bulk of what I use it for is for corresponding with industry and academic partners with whom I am doing some sort of work.
Have you found any devices or processes that are particularly helpful in trapping security threats?
Awareness is key; having employees aware of the policies and practices that are enforced at a given point.
Ziring adds that the NSA has spent several years working with both industry partners and customers to develop effective whitelisting strategies (and whitelisting using Software Restriction Policies) and network access control, both generally considered awkward to implement and a nightmare to maintain in a world of constant updates and configuration changes.