Skip to main content

DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk

AIMD-99-107 Published: Aug 26, 1999. Publicly Released: Aug 26, 1999.
Jump To:
Skip to Highlights

Highlights

GAO updated its previous report on the security of the Department of Defense's (DOD) information systems, focusing on DOD's efforts to: (1) address specific weaknesses identified in GAO's 1996 reports; and (2) develop a comprehensive departmentwide information security program.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense To realize the full potential and maximize the effectiveness of DISA's security oversight program, the DIAP, and other DOD information assurance initiatives, the Secretary of Defense should direct the DISA Director to expand the Security Readiness Review process to include timely and independent verification of the corrective actions reported by DMCs or other responsible parties.
Closed – Implemented
DISA has modified its procedures to include a check of the validity of SRR database entries and to note any incorrect entries or repeat findings as serious concerns to DMC facility directors. As a result, DISA has a more accurate assessment of its overall security posture.
Department of Defense To realize the full potential and maximize the effectiveness of DISA's security oversight program, the DIAP, and other DOD information assurance initiatives, the Secretary of Defense should direct the DOD's Chief Information Officer to ensure that the Defense-wide Information Assurance Program defines how its efforts will be coordinated with the Joint Task Force and other related initiatives.
Closed – Not Implemented
DOD is working on defining these interfaces and interactions. The Information Assurance Panel is establishing roles, responsibilities and coordination among IA initiatives. Minutes of the IAP meetings show that coordination is indeed taking place, despite a lack of formal endorsement of the IAP by its parent body -- the Military Communications Electronic Board (MCEB). GAO conducted a review of the DIAP in Report GAO-01-307 (Information Security: Progress and Challenges to an Effective Defense-Wide Information Assurance Program) and noted that DIAP had begun to address issues related to monitoring IA issues throughout the Department.

Full Report

GAO Contacts

Office of Public Affairs

Topics

Computer crimesComputer fraudComputer securityConfidential communicationsData integrityInformation resources managementInformation securityInformation systemsInternal controlsSoftwareSoftware verification and validationSystem software