Information Security:
The Defense Logistics Agency Needs to Fully Implement Its Security Program
GAO-06-31: Published: Oct 7, 2005. Publicly Released: Oct 7, 2005.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Text:
Contact:
(202) 512-6244
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
The Defense Logistics Agency's (DLA) mission is, in part, to provide food, fuel, medical supplies, clothing, spare parts for weapon systems, and construction materials to sustain military operations and combat readiness. To protect the information and information systems that support its mission, it is critical that DLA implement an effective information security program. GAO was asked to review the efficiency and effectiveness of DLA's operations, including its information security program. In response, GAO determined whether the agency had implemented an effective information security program.
Although DLA has made progress in implementing important elements of its information security program, including establishing a central security management group and appointing a senior information security officer to manage the program, it has not yet fully implemented other essential elements. For example, the agency did not consistently assess risks for its information systems; sufficiently train employees who have significant information security responsibilities or adequately complete training plans; annually test and evaluate the effectiveness of management and operational security controls; or sufficiently complete plans of action and milestones for mitigating known information security deficiencies. In addition, DLA has not implemented a fully effective certification and accreditation process for authorizing the operation of its information systems. Key reasons for these weaknesses are that responsibilities of information security employees were not consistently understood or communicated and DLA has not adequately maintained the accuracy and completeness of data contained in its primary reporting tool for overseeing the agency's performance in implementing key information security activities and controls. Until the agency addresses these weaknesses and fully implements an effective agency-wide information security program, it may not be able to protect the confidentiality, integrity, and availability of its information and information systems, and it may not have complete and accurate performance data for key information security practices and controls.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented a risk-assessment process that consistently addresses potential risks to the agency's information and information resources.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by consistently assessing risks that could result from the unauthorized access, use, disclosure or destruction of information and information.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has issued policy on providing appropriate training for staff with information assurance duties, and is tracking the progress of its implementation.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that training is provided for employees who have significant responsibilities for information security.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented procedures to ensure that security training plans are updated and maintained.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that security training plans are updated and maintained.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has instituted a process for tracking the annual security awareness training that all staff receive, and for tracking the specialized training that staff with significant information security roles receive as well as any certifications that they may acquire.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring appropriate monitoring of the agency's security training program.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has procedures in place to ensure that annual security test and evaluation activities include assessments of management, operational, and technical controls of every information system in DLA's inventory.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that annual security test and evaluation activities include management, operational, and technical controls of every information system in DLA's inventory.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented a process to document and report complete plans of action and milestones.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by documenting and reporting complete plans of action and milestones.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has issued a template and process description for plans of action and milestones.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by establishing specific guidance or instructions to information assurance managers and information assurance officers on what--or how--to document and report plans of action and milestones for system deficiencies.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) issued "interim authorization to operate" (IATO) decisions when certification tasks were not completed. This IATO designation is in accordance with DLA, Defense, and Office of Management and Budget policies.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by discontinuing the practice of issuing "time-limited" authorization to operate accreditation decisions when certification tasks have not been completed.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has instituted annual reviews of certification tasks by a central review team, which verifies that these tasks are performed correctly and are completed.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that the DLA central review team verifies that certification tasks have been completed.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented procedures to ensure the accuracy and completeness of the data in the agency's primary reporting tool for recording, tracking, and reporting performance metrics on DLA's information security practices and controls.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by maintaining the accuracy and completeness of the data contained in the agency's primary reporting tool for recording, tracking, and reporting performance metrics on information security practices and controls.
Agency Affected: Department of Defense
Explore the full database of GAO's Open Recommendations
»
Explore the full database of GAO's Open Recommendations
Sep 17, 2018
Cybersecurity:
Office of Federal Student Aid Should Take Additional Steps to Oversee Non-School Partners' Protection of Borrower InformationGAO-18-518: Published: Sep 17, 2018. Publicly Released: Sep 17, 2018.
Sep 7, 2018
-
Data Protection:
Actions Taken by Equifax and Federal Agencies in Response to the 2017 BreachGAO-18-559: Published: Aug 30, 2018. Publicly Released: Sep 7, 2018.
Sep 6, 2018
-
High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the NationGAO-18-622: Published: Sep 6, 2018. Publicly Released: Sep 6, 2018.
Jul 31, 2018
-
Information Security:
IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer DataGAO-18-391: Published: Jul 31, 2018. Publicly Released: Jul 31, 2018.
Jul 25, 2018
-
High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the NationGAO-18-645T: Published: Jul 25, 2018. Publicly Released: Jul 25, 2018.
Jul 12, 2018
-
Information Security:
Supply Chain Risks Affecting Federal AgenciesGAO-18-667T: Published: Jul 12, 2018. Publicly Released: Jul 12, 2018.
Jun 14, 2018
-
Cybersecurity Workforce:
Agencies Need to Improve Baseline Assessments and Procedures for Coding PositionsGAO-18-466: Published: Jun 14, 2018. Publicly Released: Jun 14, 2018.
May 14, 2018
-
Protecting Classified Information:
Defense Security Service Should Address Challenges as New Approach Is PilotedGAO-18-407: Published: May 14, 2018. Publicly Released: May 14, 2018.
Apr 24, 2018
-
Cybersecurity:
DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector NetworksGAO-18-520T: Published: Apr 24, 2018. Publicly Released: Apr 24, 2018.
Mar 7, 2018
-
Cybersecurity Workforce:
DHS Needs to Take Urgent Action to Identify Its Position and Critical Skill RequirementsGAO-18-430T: Published: Mar 7, 2018. Publicly Released: Mar 7, 2018.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
