February 15, 2020

The serial numbers of NSA reports

(Updated: April 16, 2021)

On January 14, the NSA disclosed a serious vulnerability in the CryptoAPI service of the Windows 10 operating system (vulnerability identifier: CVE-2020-0601). In a rare public Cybersecurity Advisory the agency even offered further details about this issue.

An interesting detail is that this Cybersecurity Advisory has two serial numbers in the same format as the NSA uses on their Top Secret intelligence reports, some of which have been published by Wikileaks and as part of the Snowden-leaks.

The serial numbers on the NSA's Cybersecurity Advisory from January 14, 2020

The NSA's Cybersecurity Advisory has three groups of letters and numbers, the last one being the date of the document in the format month/day/year, which is typical for the United States.

The first group seems to be an external serial number, while the second group is more like an internal serial number. Below, the components of both serial numbers will be discussed in detail.

External serial number

The first serial number on the public Cybersecurity Advisory is similar to the serial numbers on a range of highly classified intelligence reports which were published by Wikileaks in June and July 2015 and in February 2016. These documents were not attributed to Edward Snowden, so they were probably provided by a still unknown "second source".

These intelligence reports were part of various editions of the "Global SIGINT Highlights - Executive Edition" briefings. Wikileaks published only one report in the original layout with header and a disclaimer. In the bottom right corner they have one or two serial numbers, one number for each source of intelligence:

NSA intelligence report about an intercepted conversation between French president
Fran├žois Hollande and prime minister Jean-Marc Ayrault, May 22, 2012.
(Watermarked by Wikileaks - Click to enlarge)

The serial numbers are followed by a timestamp in the standard military notation: for example, 161711Z stands for the 16th day, 17 hours and 11 minutes ZULU (= Greenwich Mean) Time, with the month and the year as mentioned in the briefing.

The first five intelligence reports published by Wikileaks were from 2006 to 2012 and have the following serial numbers:

These kind of briefings are called serialized reports, which are described in the NSA SIGINT Reporter's Style and Usage Manual as "The primary means by which we provide foreign intelligence information to intelligence users, most of whom are not part of the SIGINT community. A report can be in electrical, hard-copy, video, or digital form, depending on the information's nature and perishability."

The NSA Style Manual also explains the serial numbers of these reports: "Serial numbers are assigned to NSA reports on a one-up annual basis according to the PDDG issuing the report. Every serial includes the classification level, the PDDG of the originator, and a one-up annual number, as in the following examples:

The classification level of a report can be represented by a variety of codes. Comparing the first part of the serial number with the classification marking of a particular report shows that they are assigned according to the following scheme (updated according to new information):
1 = Confidential (rarely used)
2 = Secret (SI and normally REL FVEY)
3 = Top Secret (SI and REL FVEY)

E = Executive series reporting, for highly sensitive political issues, very limited distribution
G = GAMMA reporting, always Originator Controlled (ORCON)
I = I-series reporting, for very sensitive intelligence operations, usually only named recipients

S = Secret (not SI)
U = Unclassified

Y = Only releasable to the United Kingdom (REL GBR)
Z = Not releasable to foreign nationals (NOFORN)

The Producer Designator Digraph (PDDG) consists of a combination of two letters and/or numbers and designates a particular "collector". These codes refer to NSA collection facilities and programs, but those with double vowels stand for the signals intelligence agencies of the Five Eyes partnership, as was already revealed in Nicky Hager's book Secret Power from 1996:
AA = GCHQ, United Kingdom
EE = DSD, now ASD, Australia
II = GCSB, New Zealand
OO = NSA, United States
UU = CSE, Canada

The one-up annual number doesn't seem like a continuous number for each year: on the Windows vulnerability report the one-up number is 104201, which would mean that the NSA produced already over one hundred thousand reports in the first two weeks of 2020 alone. That's not realistic, so maybe there are number ranges assigned to each producer or something similar.

Finally, the year in which the report was issued is represented by its last two digits.

Internal serial number

The second series of letters and numbers on the NSA's Cybersecurity Advisory seems to be an internal serial number. In this case it's PP-19-0031, a format that we also saw on the draft of the famous NSA Inspector General's report about the STELLARWIND program, which was leaked by Edward Snowden. This draft report is dated March 24, 2009 and has the serial number ST-09-0002:

Another declassified report from the NSA's Inspector General, about the "Special Study of NSA Controls to Comply with the FISA Amendments Act §§704 and 705{b) Targeting and Minimization Procedures" has a similar serial number: ST-15-0002:

Comparing these three serial numbers indicate that the two digits in the middle represent the year and the last four digits are most likely a one-up annual number. The first two letters may be an internal code for the producer: the office, bureau or unit that prepared and issued the report.

This two-letter code doesn't correspond to the PDDG and also not to NSA's organizational designators, which has D1 for the Office of the Inspector General, so there must be another, unknown system for these codes.

Two audit reports by the NSA Inspector General have the following serial numbers:
- April 3, 2019: AU-17-0008
- March 4, 2019: AU-18-0003
This could indicate that the two letter code doesn't designate an office, bureau or unit, but a particular type of report, like AU for an audit report.


After this comparative analysis it has become clear that the serial numbers (and the date) of the NSA's Cybersecurity Advisory can be explained as follows:

Update #1:
On April 24, 2020, the NSA published a survey of videoconferencing services in the same format as the Cybersecurity Advisory and accordingly it has the two serial numbers and the date as discussed above:

Update #2:
In November 2017, The Intercept published an SSO Weekly Brief from April 25, 2013 in which the following serial numbers for reports based upon PRISM Skype and Yahoo chat collection were mentioned:

3/OO/506950-13 282022Z FEB 13
3/OO/506950-13 282022Z FEB 13
3/OO/504932-13 131355Z FEB 13
3/OO/534119-12 DTG 181623Z OCT 12
3/OO/507427-13 051626Z MAR 13