Information Security:

Challenges to Improving DOD's Incident Response Capabilities

GAO-01-341: Published: Mar 29, 2001. Publicly Released: Mar 30, 2001.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-3317
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

This report reviews the department of Defense's (DOD) implementation of computer incident response capabilities and identifies challenges to improving these. GAO found that during the last several years, DOD has taken several steps to build incident response capabilities and enhance computer defensive capabilities across the Department, including the creation of computer emergency response teams and incident response capabilities within each of the military services as well as the Defense Information Systems Agency and the Defense Logistics Agency. DOD also created the Joint Task Force-Computer Network Defense (JTF-CND) to coordinate and direct the full range of activities within the Department associated with incident response. GAO identified the following six areas in which DOD faces challenges in improving its incident response capabilities: (1) coordinating resource planning and prioritization activities; (2) integrating critical data from intrusion detection systems, sensors, and other devices to better monitor cyber events and attacks; (3) establishing departmentwide process to periodically review systems and networks for security weaknesses; (4) increasing individual unit compliance with departmentwide vulnerability alerts; (5) improving DOD's system for coordinating component-level incident response actions; and (6) developing departmentwide performance measures to assess incident response capabilities.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In August 2002, detailed INFOCON instructions were developed and published on DOD's secure network, including actions specifically related to mission-critical systems. Additionally, in March 2003 DOD published the Joint Task Force Computer Network Operations Tactics, Techniques and Procedures (TTP). The TTP sets out detailed technical response actions for each of the several INFOCON levels. Furthermore, the Department also published and disseminated Joint Chiefs of Staff Manual, Defense-In-Depth: Information Assurance and Computer Network Defense that provides guidance on INFOCON levels and procedures. Consistent departmentwide incident response is fostered by these actions and these measures will limit the impact of cyber attacks by improve coordination with other federal systems.

    Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to refine Information Operations Condition (INFOCON) procedures to clarify the kinds of actions that need to be taken at each INFOCON level, especially with regard to priority systems, such as mission-critical systems.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: DOD has approved strategic goals and objectives that will increase the monitoring and awareness of vulnerabilities. Additionally, during March 2003, the Department published and disseminated the Joint Task Force (JTF)-Computer Network Operations (CNO) Tactics, Techniques, and Procedures (TTP) and a related Joint Chief of Staff (JCS) manual pertaining to computer network defense. These documents apply to all DOD components and their computers, networks and related operations. They describe mandatory procedures for acknowledging receipt of IAVAs, for applying corrective actions for the IAVAs and the timetable for such corrections inclusive of mission-critical systems, networks and capabilities. These documents also explain the procedures for monitoring IAVAs and for tracking compliance with IAVA-related requirements and the Information Assurance Vulnerability Management (IAVM) Program across DOD. Compliance metrics are generated and reported to the U. S. Strategic Command, the Joint Staff, and the Secretary of Defense. Further, these documents inform all DOD components of vulnerabilities, communicate repair steps, detail how the automated Vulnerability Compliance Tracking System (VCTS) and IAVM program are to be engaged and deployed, and how all information technology and related assets are to be registered with VCTS. The documents afford the Department a mechanism that heightens awareness of the value of complying with all aspects of the IAVA and IAVM processes, including all mission-critical systems, operations, and networks and technical bulletins and advisories distributed as part of the IAVA and IAVM processes.

    Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to link IAVA compliance reporting requirements to mission-critical systems and operations to increase awareness of the value of complying with technical bulletins and advisories distributed as part of the IAVA process.

    Agency Affected: Department of Defense

  3. Status: Closed - Implemented

    Comments: DOD created policy and procedures for status reporting on information assurance vulnerability alerts in the form of the DOD 8500 series of regulations and instructions. The Department also established a working group led by USSPACECOM to resolve issues with reporting processes. Additionally, DOD responded to this recommendation by adoption of a Chairman of the Joint Chiefs of Staff Manual called Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND) in March 2003. This manual refined procedures related to DOD's Vulnerability Compliance Tracking System (VCTS) and the Information Assurance Vulnerability Management (IAVM) Program. The manual provides a comprehensive and detailed system and procedures for: (1) informing all DOD components of vulnerabilities; (2) communicating repair steps to them; and (3) collecting from them, via the automated VCTS and IAVM procedures, the repair status of all information technology and related assets. All DOD components are required to register their system assets with the VCTS, thereby providing visibility of compliance with IAVAs and required repairs and patches. The VCTS and IAVM processes create a systemic series of controls and a Defense-wide mechanism to ensure all DOD components are informed of every system vulnerability and deficiency identified. Additionally, these actions provide assurance that corrections are received and appropriate corrective measures are implemented.

    Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to establish procedures to ensure consistent and complete reporting on the status of repairs required in the Information Assurance Vulnerability Alert (IAVA) process across the Department.

    Agency Affected: Department of Defense

  4. Status: Closed - Implemented

    Comments: During March 2003 DOD published the Joint Task Force (JTF)-Computer Network Operations (CNO) Tactics, Techniques, and Procedures (TTP) and a related Joint Chief of Staff (JCS) manual regarding computer network defense. The TTP created an Advanced Technology Unit that performs all vulnerability assessments. Additionally, the JCS manual updated and refined the Information Assurance Vulnerability Alert (IAVA) process, renaming it the Information Assurance Vulnerability Management (IAVM) Program. The JCS manual also describes detailed procedures and policies that pertain to the conduct and prioritization of vulnerability assessments. IAVAs are generated as part of these assessments whenever a critical vulnerability exists that poses a threat to the Department. The Defense Information Systems Agency, JTF-CNO, and the US Strategic Command (USSTRATCOM) process and distribute IAVAs to all DOD components. All components, in turn must acknowledge receipt of IAVAs, describe corrective actions for the IAVAs and the timetable for such corrections. The USSTRATCOM centrally manages the monitoring of IAVAs and tracks compliance across DOD. Compliance metrics are generated and reported to USSTRATCOM, the Joint Staff, and the Secretary of Defense through the Office of the Assistant Secretary of Defense-Networks and Information Integration. These activities afford the Department a mechanism to determine that recommended corrections based on vulnerability reviews have been made and corrective actions are applied to similar systems throughout the Department.

    Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to evaluate and monitor results from vulnerability reviews to ensure that recommended repairs have been made and have been applied to all similar systems throughout DOD.

    Agency Affected: Department of Defense

  5. Status: Closed - Implemented

    Comments: DOD developed policies for conducting vulnerability assessments (the DODD 8500 series of regulations and instructions). In addition, the Information Assurance Strategic Plan, approved in August 2002, contains objectives, metrics, and a process to establish priorities and monitor the results of assessments. Also during March 2003, DOD published the Joint Task Force (JTF)-Computer Network Operations (CNO) Tactics, Techniques, and Procedures (TTP), and a related Joint Chief of Staff (JCS) manual (Defense-In-Depth: Information Assurance (IA) and Computer Network Defense (CND) regarding computer network defense. The TTP established a JTF-CNO unit to conduct vulnerability assessments and the JCS manual described detailed procedures and policies for the conduct and prioritization of such assessments. These actions constitute the Department's presentation of a systematic approach for assessment of risks and potential effects to mission-critical, high-risks systems, networks and capabilities and will enhance DOD organizations' ability to respond to and manage computer incidents.

    Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to establish a systematic, Departmentwide process for prioritizing and conducting vulnerability assessments of high-risk systems and networks and capabilities needed to support mission-critical operations.

    Agency Affected: Department of Defense

  6. Status: Closed - Implemented

    Comments: DOD published the Joint Task Force (JTF) Computer Network Operations (CNO) Tactics, Techniques, and Procedures (TPP) in March 2003 that contains standardized terminology for computer incidents. The TPP provides a set of common terms and their definitions as they pertain to computer incidents that will advance DOD efforts to effectively communication and share information about such incidents throughout the Department. Furthermore, DOD's instruction for information assurance (the 8500 series of regulations) adopts the National Information Systems Security Glossary (NSTISSI No. 4009), which includes terms related to computer incidents. Additionally, USSPACECOM has expanded that standard with a lexicon of key computer network defense terms.

    Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to standardize terminology for computer incidents to facilitate the integration of incident data across the Department.

    Agency Affected: Department of Defense

  7. Status: Closed - Implemented

    Comments: DOD has several efforts underway to establish an infrastructure for monitoring, integrating, and analyzing intrusions and system weaknesses, including a study of computer network defense infrastructure, an assessment of technologies to mitigate insider threats, and guidance for intrusion detection (CJCSM 6510.01M). Further, the Department has completed several initiatives to advance timely integration of threat and intrusion data. For example: (1) the information assurance strategic plan, approved in August 2002, established objectives, metrics, and a management process that will facilitate integration of data and tools across the department; (2) a common structure has been established for DOD's threat database to facilitate inputs from all DOD components; (3) DOD published the Joint Task Force Computer Network Operations Tactics, Techniques & Procedures (TTP) in March 2003 (the TTP communicates the priority and urgency needed to respond to computer incidents); (4) DOD has expedited the development of systems and processes to address incident and computer intrusions through the implementation of After Action Reviews, changes to the Commander's Critical Information Requirements (CCIR) that now require incident close-out reports in the form of a standard Joint Universal Lessons Learned (JULL) that is disseminated to all DOD organizations; (5) DOD plans to continue its efforts to identify and use computer network defense sensors; and (6) furthermore, DOD plans to advance its efforts to develop and enhance systems for learning lessons from intrusion events and for distributing those lessons appropriately. These measures, which include procedures regarding insider attacks and all computer vulnerabilities and risks, were implemented as priorities and accelerated so that they were operational in March 2003. When these measures are coupled with automated systems used for Information Assurance Vulnerability Alerts and the Information Assurance Vulnerability Managegment program and other procedures within these processes, they provide mechanisms for timely implementation of responsive Defense-wide incident and intrusion systems and processes that will allow all DOD components to effectively use data from intrusion detection systems.

    Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to expedite the development and enhancement of a complete set of systems for integrating and analyzing useful data from intrusion detection systems and other systems used to monitor computer security weaknesses, including tracking data on insider attacks.

    Agency Affected: Department of Defense

  8. Status: Closed - Implemented

    Comments: In early 2001, DOD issued policy for computer network defense that includes responsibilities and procedures for incident response (DOD Directive O-8530.1, 1/8/2001, and DOD Instruction O-8530.2, 3/9/2001). In August 2002, DOD's information assurance (IA) leadership group approved a department-wide IA strategic plan that included objectives, metrics and measures for incident response. During March 2003 DOD published the Joint Task Force (JTF) Computer Network Operations (CNO) Tactics, Techniques & Procedures (TTP), and a Chairman of the Joint Chiefs of Staff Manual called Defense-in-Depth: Information Assurance (IA) and Computer Network Defense. The TTP: (1) is linked to the Department's Information Assurance Strategic Plan; (2) represents a comprehensive incident reporting and response plan; and (3) addresses objectives, goals, priorities, and organizational resources. The JCS manual contains detailed Department-wide incident reporting and response guidance and describes the process by which the Defense Information Systems Agency and the US Strategic Command monitor and report compliance to the Secretary of Defense. These actions help establish clear areas of responsibility, a unified management approach, and detailed procedures as essential controls within the Department's effort to deploy an effective departmentwide incident response plan.

    Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to finalize a Departmentwide incident response plan, including objectives, goals, priorities, and the resources needed to achieve those objectives.

    Agency Affected: Department of Defense

  9. Status: Closed - Implemented

    Comments: In August 2002, DOD officials approved an information assurance strategic plan that includes goals, measures, and management process for managing vulnerabilities and responding to intrusions. Additionally, in March 2003 DOD published the Joint Task Force (JTF) Computer Network Operations Tactics, Techniques and Procedures (TTP) and of Chairman of the Joint Chiefs of Staff Manual, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense. The TTP establishes metrics for timeliness in reporting unauthorized incidents. Further, Chairman of the Joint Chiefs of Staff Instruction, Information Assurance and Computer Network Defense, introduced a tracking system for Information Assurance Vulnerability Alert (IAVA) patches. The JTF manual and DOD Instruction, Support to Computer Network Defense, established metrics for the IAVA process that strictly govern response times. For example, all DOD components must acknowledge receipt of each IAVA--which also contains a description of the corrective action required for the vulnerabilities--within 5 days; and generally, compliance status for the IAVA must be achieved and registered within 30 days. The U.S. Strategic Command (USSTRATCOM) centrally manages the monitoring of IAVAs and tracks compliance across DOD. Compliance metrics are generated and reported to USSTRATCOM senior leadership, the Joint Staff, and the Secretary of Defense through the Assistant Secretary of Defense, Networks and Information Integration. These actions appear to effectively establish a Departmentwide basis to: (1) help reduce the prevalence of known security vulnerabilities in systems and networks that support mission-critical operations and (2) facilitate timeliness in responding to known types of cyber attacks.

    Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to establish a performance-based management process for incident response activities to ensure that Departmentwide goals as well as combat requirements are achieved, including establishing goals for (1) reducing the prevalence of known security vulnerabilities in systems and networks that support mission-critical operations and (2) timeliness in responding to known types of cyber attacks.

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Nov 18, 2014

Nov 17, 2014

Sep 18, 2014

Sep 16, 2014

Sep 8, 2014

Jul 17, 2014

Jun 25, 2014

May 30, 2014

Apr 17, 2014

Apr 2, 2014

Looking for more? Browse all our products here