Information Security:

Further Efforts Needed to Fully Implement Statutory Requirements in DOD

GAO-03-1037T: Published: Jul 24, 2003. Publicly Released: Jul 24, 2003.

Additional Materials:


Robert F. Dacey
(202) 512-3317


Office of Public Affairs
(202) 512-4800

The Department of Defense (DOD) faces many risks in its use of globally networked computer systems to perform operational missions--such as identifying and tracking enemy targets--and daily management functions--such as paying soldiers and managing supplies. Weaknesses in these systems, if present, could give hackers and other unauthorized users the opportunity to modify, steal, inappropriately disclose, and destroy sensitive military data. GAO was asked, among other things, to discuss DOD's efforts to protect its information systems and networks from cyber attack, focusing on its reported progress in implementing statutory information security requirements.

In its fiscal year 2002 report on efforts to implement information security requirements under Government Information Security Reform law, DOD reported that it has an aggressive information assurance program and highlighted several initiatives to improve it. These initiatives included developing an overall strategy and issuing numerous departmentwide information security policy documents. DOD's reporting highlighted other accomplishments, but acknowledged that a number of challenges remain for the department in implementing both its policies and procedures and statutory information security requirements. DOD reported several material control weaknesses, which included needing to decrease the time necessary for correcting reported weaknesses and ensuring that computer security policies are enforced and security capabilities are tested regularly. Further, performance data DOD reported for a sample of its systems showed that further efforts are needed to fully implement key information security requirements, such as testing systems' security controls, throughout the department. Although DOD has undertaken its Defense-wide Information Assurance Program to promote integrated, comprehensive, and consistent practices across the department and has recently issued both policy guidance and implementation instructions, it does not have mechanisms in place for comprehensively measuring compliance with federal and Defense information security policies and ensuring that those policies are consistently practiced throughout DOD.

Mar 19, 2015

Mar 2, 2015

Nov 18, 2014

Nov 17, 2014

Sep 18, 2014

Sep 16, 2014

Sep 8, 2014

Jul 17, 2014

Jun 25, 2014

May 30, 2014

Looking for more? Browse all our products here