Information Security:

Further Efforts Needed to Fully Implement Statutory Requirements in DOD

GAO-03-1037T: Published: Jul 24, 2003. Publicly Released: Jul 24, 2003.

Additional Materials:


Robert F. Dacey
(202) 512-3317


Office of Public Affairs
(202) 512-4800

The Department of Defense (DOD) faces many risks in its use of globally networked computer systems to perform operational missions--such as identifying and tracking enemy targets--and daily management functions--such as paying soldiers and managing supplies. Weaknesses in these systems, if present, could give hackers and other unauthorized users the opportunity to modify, steal, inappropriately disclose, and destroy sensitive military data. GAO was asked, among other things, to discuss DOD's efforts to protect its information systems and networks from cyber attack, focusing on its reported progress in implementing statutory information security requirements.

In its fiscal year 2002 report on efforts to implement information security requirements under Government Information Security Reform law, DOD reported that it has an aggressive information assurance program and highlighted several initiatives to improve it. These initiatives included developing an overall strategy and issuing numerous departmentwide information security policy documents. DOD's reporting highlighted other accomplishments, but acknowledged that a number of challenges remain for the department in implementing both its policies and procedures and statutory information security requirements. DOD reported several material control weaknesses, which included needing to decrease the time necessary for correcting reported weaknesses and ensuring that computer security policies are enforced and security capabilities are tested regularly. Further, performance data DOD reported for a sample of its systems showed that further efforts are needed to fully implement key information security requirements, such as testing systems' security controls, throughout the department. Although DOD has undertaken its Defense-wide Information Assurance Program to promote integrated, comprehensive, and consistent practices across the department and has recently issued both policy guidance and implementation instructions, it does not have mechanisms in place for comprehensively measuring compliance with federal and Defense information security policies and ensuring that those policies are consistently practiced throughout DOD.

Feb 6, 2018

Sep 28, 2017

Aug 3, 2017

Jul 27, 2017

Jul 26, 2017

May 31, 2017

May 23, 2017

Apr 4, 2017

Mar 30, 2017

Mar 28, 2017

Looking for more? Browse all our products here