DOD Information Security:
Serious Weaknesses Continue to Place Defense Operations at Risk
AIMD-99-107, Aug 26, 1999
GAO updated its previous report on the security of the Department of Defense's (DOD) information systems, focusing on DOD's efforts to: (1) address specific weaknesses identified in GAO's 1996 reports; and (2) develop a comprehensive departmentwide information security program.
GAO noted that: (1) serious weaknesses in DOD information security continue to provide both hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose, and destroy sensitive DOD data; (2) these weaknesses impair DOD's ability to: (a) control physical and electronic access to its systems and data; (b) ensure that software running on its systems is properly authorized, tested, and functioning as intended; (c) limit employees' ability to perform incompatible functions; and (d) resume operations in the event of a disaster; (3) as a result, numerous DOD functions, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll, have already been adversely affected by system attacks or fraud; (4) GAO's review found that some corrective actions have been initiated in response to the recommendations GAO's 1996 reports made to address pervasive information security weaknesses in DOD; (5) however, progress in correcting the specific control weaknesses identified during GAO's previous reviews has been inconsistent across the various DOD components involved and weaknesses persist in every area of general controls; (6) accordingly, GAO reaffirms the recommendations made in its 1996 reports; (7) the DOD component activities GAO evaluated generally did not have effective processes for identifying and resolving information security weaknesses; (8) however, the Defense Information Systems Agency (DISA), which operates the Defense Megacenters (DMC), has established and is implementing a comprehensive security review process; (9) DISA developed Standard Technical Implementation Guides (STIG), which prescribe clear and detailed standards for configuring its systems software; (10) also, DISA's Security Readiness Review process enables it to test DMC compliance with the STIGs and other DISA security standards, track the weaknesses identified by the testing, and monitor and report on efforts to correct them; (11) DOD announced in January 1998 its plans for a Defense-wide Information Assurance Program (DIAP) under the jurisdiction of the DOD Chief Information Officer to provide a comprehensive, departmentwide information security program; and (12) in December 1998, DOD also implemented the Joint Task Force for Computer Network Defense, which DOD expects will support the DIAP by monitoring DOD's computer networks and defending against hacker attacks and other unauthorized access.
Recommendations for Executive Action
Recommendation: To realize the full potential and maximize the effectiveness of DISA's security oversight program, the DIAP, and other DOD information assurance initiatives, the Secretary of Defense should direct the DISA Director to expand the Security Readiness Review process to include timely and independent verification of the corrective actions reported by DMCs or other responsible parties.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: DISA has modified its procedures to include a check of the validity of SRR database entries and to note any incorrect entries or repeat findings as serious concerns to DMC facility directors. As a result, DISA has a more accurate assessment of its overall security posture.
Recommendation: To realize the full potential and maximize the effectiveness of DISA's security oversight program, the DIAP, and other DOD information assurance initiatives, the Secretary of Defense should direct the DOD's Chief Information Officer to ensure that the Defense-wide Information Assurance Program defines how its efforts will be coordinated with the Joint Task Force and other related initiatives.
Agency Affected: Department of Defense
Status: Closed - Not Implemented
Comments: DOD is working on defining these interfaces and interactions. The Information Assurance Panel is establishing roles, responsibilities and coordination among IA initiatives. Minutes of the IAP meetings show that coordination is indeed taking place, despite a lack of formal endorsement of the IAP by its parent body -- the Military Communications Electronic Board (MCEB). GAO conducted a review of the DIAP in Report GAO-01-307 (Information Security: Progress and Challenges to an Effective Defense-Wide Information Assurance Program) and noted that DIAP had begun to address issues related to monitoring IA issues throughout the Department.