National Guard:

Effective Management Processes Needed for Wide-Area Network

GAO-02-959: Published: Sep 24, 2002. Publicly Released: Sep 24, 2002.

Contact:

Randolph C. Hite
(202) 512-6256
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Fiscal Year 2002 Defense Authorization Act required GAO to review GuardNet, the National Guard's wide-area network, which is used to support various Defense applications and was used to support homeland security activities after the terrorist attacks of September 11th. GAO was asked to determine the current and potential requirements for GuardNet and the effectiveness of the processes for managing the network's requirements, configuration, and security.

The National Guard does not fully know the current or potential requirements for GuardNet or how it is being used, because it has not fully documented requirements. Guard officials provided GAO with a list of applications that the network supports, but they would not attest to the list's completeness, and GuardNet users identified other applications. The processes for managing GuardNet are not effective in three key areas:

  Requirements: For example, the Guard has not developed a requirements management plan or clearly established users' roles in developing and changing requirements.

  Configuration: For example, the Guard has not documented the network's configuration and is not controlling changes to configuration components.

  Security: For example, the Guard has not implemented needed security controls, such as firewalls, to protect GuardNet and does not monitor controls on an ongoing basis to ensure that implemented controls are working as intended.

According to Guard officials, establishing these management processes has not been a priority. Without these basic processes, the Guard cannot ensure that GuardNet will perform as intended and provide its users with reliable and secure services. GuardNet is thus a dubious option for further support of critical mission areas such as homeland security.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: According to NGB, it has identified all GuardNet user organizations and has signed memoranda of agreement (MOA), which give these organizations the authority to connect to and use GuardNet. These MOAs are contained within GuardNet's system security authorization agreement (SSAA), which documents the network's weaknesses and vulnerabilities. According to NGB, all network users are provided online access (through the National Guard's web portal, Guard Knowledge Online) to the SSAA, thereby enabling them to remain aware of any security concerns. In addition, the MOAs identify security actions and policies that the users must comply with to ensure continued and reliable network services. Finally, NGB officials indicated that the SSAA would be provided to potential network users, including homeland security-related users, once those users have received initial approval to use the network.

    Recommendation: To strengthen the National Guard Bureau's (NGB) management of GuardNet and reduce the risks associated with federal, state, and local governments relying on it to perform mission critical functions, the Secretary of Defense should direct the Secretary of the Army to ensure that GuardNet management is given the priority attention and resources commensurate with the criticality and importance of the network's current and potential uses. To this end, the Secretary, through the Secretary of the Army, should direct the NGB Chief to immediately (1) develop a complete and comprehensive inventory of network user organizations; (2) fully disclose to these users all known network management weaknesses and security vulnerabilities; (3) advise these users to take appropriate steps to ensure that their respective needs for reliable and secure network services are met; and (4) fully disclose, in a controlled manner, all known network management weaknesses and security vulnerabilities to all known potential network users, particularly potential homeland security-related users at the federal, state, and local government levels.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: NGB provided a list of all change requests approved since GAO issued its report. GAO's review of a random sample of these approved system change requests showed that the changes appeared to be limited to those required to address performance and security issues. In its January 2004 quarterly report, the bureau stated that GuardNet's configuration was under control and that the bureau considered this recommendation to be met.

    Recommendation: The Secretary of the Army should direct the NGB Chief to ensure that near-term changes to the network are limited to those needed to address already identified performance and security problems.

    Agency Affected: Department of Defense: Department of the Army

  3. Status: Closed - Implemented

    Comments: In fiscal year 2003, NGB contracted with Mitretek to perform a study of GuardNet's requirements, configuration, and security posture. The contractor completed this study and issued reports that, according to NGB, provided a comprehensive baseline of the network's requirements, configuration, and security posture. GAO's review of the contractor's report shows that it does provide a high-level understanding of the network's requirements, configuration, and security posture.

    Recommendation: During this period of limited network change, the Chief of NGB should develop an authoritative and comprehensive baseline understanding of GuardNet's requirements, configuration, and security posture.

    Agency Affected: Department of Defense: Department of the Army: National Guard Bureau

  4. Status: Closed - Implemented

    Comments: NGB has (1) developed a requirements management plan, (2) established a requirements management process that involves network users, and (3) established controls for assessing and approving proposed changes to the baseline. In its January 2004 quarterly report, the bureau stated that it had developed a requirements baseline document and that it planned to use recently acquired software to document any changes from the baseline.

    Recommendation: The Secretary of the Army should direct the NGB Chief to correct each network management process weakness discussed in this report. More specifically, the NGB Chief should develop management process improvement plans for requirements management, configuration management, and security management. Each of these plans, at a minimum, should specify measurable goals and objectives, assign roles and responsibilities, involve network users, and identify work tasks, implementation schedules, and resource needs. In addition, the requirements management improvement plan should provide for establishing a process that includes (1) developing a requirements management plan, (2) involving network users in developing and changing requirements, (3) developing requirements management baseline documentation, such as a mission needs statement and an operational requirements document, and (4) establishing controls for assessing and approving proposed changes to the baseline.

    Agency Affected: Department of Defense: Department of the Army

  5. Status: Closed - Implemented

    Comments: NGB has established a formal change process that involves users and ensures that network documentation is updated. NGB has also established an audit process to ensure that documentation is complete and accurate. According to NGB, it has established a process for identifying and documenting the network's components and it has created a baseline configuration of the network.

    Recommendation: The Secretary of the Army should direct the NGB Chief to correct each network management process weakness discussed in this report. More specifically, the NGB Chief should develop management process improvement plans for requirements management, configuration management, and security management. Each of these plans, at a minimum, should specify measurable goals and objectives, assign roles and responsibilities, involve network users, and identify work tasks, implementation schedules, and resource needs. In addition, the configuration management improvement plan should provide for establishing a process that includes (1) identifying and documenting the network's components/subcomponents (hardware and software), (2) creating a baseline configuration (development, test, and production environments) of these component parts, (3) controlling changes to these configuration baselines through a formal change process that allows only the NGB-AIS Configuration Control Board to approve changes to GuardNet, (4) ensuring that network documentation remains current to enable accurate reporting of changes as the network evolves, and (5) periodically auditing to ensure that the documentation is complete and accurate.

    Agency Affected: Department of Defense: Department of the Army

  6. Status: Closed - Implemented

    Comments: NGB has established a process for implementing security controls. Specifically, NGB has (1) assessed risks to determine security needs, (2) established a monitoring function and performed security penetration tests to evaluate existing controls, and (3) certified and accredited the network. According to NGB, it has implemented needed controls to address security needs, which was the basis for certification and accreditation.

    Recommendation: The Secretary of the Army should direct the NGB Chief to correct each network management process weakness discussed in this report. More specifically, the NGB Chief should develop management process improvement plans for requirements management, configuration management, and security management. Each of these plans, at a minimum, should specify measurable goals and objectives, assign roles and responsibilities, involve network users, and identify work tasks, implementation schedules, and resource needs. In addition, the security management improvement plan should provide for establishing a process that includes (1) assessing risks to determine security needs, (2) implementing needed controls in accordance with applicable policy and guidance, (3) monitoring existing controls to ensure that they are operating as intended, and (4) ensuring that the network is certified and accredited in accordance with Department of Defense policy.

    Agency Affected: Department of Defense: Department of the Army

  7. Status: Closed - Implemented

    Comments: NGB issued several quarterly reports to the Secretary of the Army on the status of NGB's efforts to address GAO's recommendations--the final report was issued in January 2004. According to NGB, it did not provide progress reports to the Office of Homeland Security because a decision had not been made regarding GuardNet's role, if any, in homeland security. However, NGB stated that any authorized homeland security-related users would have access to the network's SSAA, which provides information on the network's associated capabilities and security limitations and concerns.

    Recommendation: Until these recommendations are fully implemented, the NGB Chief should report to the Secretary of the Army and advise the Director of the White House's Office of Homeland Security, on a quarterly basis, on NGB's progress in implementing each of these recommendations and the associated reliability and security risks faced by GuardNet users in the interim.

    Agency Affected: Department of Defense: Department of the Army: National Guard Bureau

 
