Information Security:
The Defense Logistics Agency Needs to Fully Implement Its Security Program
GAO-06-31: Published: Oct 7, 2005. Publicly Released: Oct 7, 2005.
The Defense Logistics Agency's (DLA) mission is, in part, to provide food, fuel, medical supplies, clothing, spare parts for weapon systems, and construction materials to sustain military operations and combat readiness. To protect the information and information systems that support its mission, it is critical that DLA implement an effective information security program. GAO was asked to review the efficiency and effectiveness of DLA's operations, including its information security program. In response, GAO determined whether the agency had implemented an effective information security program.
Although DLA has made progress in implementing important elements of its information security program, including establishing a central security management group and appointing a senior information security officer to manage the program, it has not yet fully implemented other essential elements. For example, the agency did not consistently assess risks for its information systems; sufficiently train employees who have significant information security responsibilities or adequately complete training plans; annually test and evaluate the effectiveness of management and operational security controls; or sufficiently complete plans of action and milestones for mitigating known information security deficiencies. In addition, DLA has not implemented a fully effective certification and accreditation process for authorizing the operation of its information systems. Key reasons for these weaknesses are that responsibilities of information security employees were not consistently understood or communicated and DLA has not adequately maintained the accuracy and completeness of data contained in its primary reporting tool for overseeing the agency's performance in implementing key information security activities and controls. Until the agency addresses these weaknesses and fully implements an effective agency-wide information security program, it may not be able to protect the confidentiality, integrity, and availability of its information and information systems, and it may not have complete and accurate performance data for key information security practices and controls.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented a risk-assessment process that consistently addresses potential risks to the agency's information and information resources.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by consistently assessing risks that could result from the unauthorized access, use, disclosure or destruction of information and information.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has issued policy on providing appropriate training for staff with information assurance duties, and is tracking the progress of its implementation.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that training is provided for employees who have significant responsibilities for information security.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented procedures to ensure that security training plans are updated and maintained.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that security training plans are updated and maintained.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has instituted a process for tracking the annual security awareness training that all staff receive, and for tracking the specialized training that staff with significant information security roles receive as well as any certifications that they may acquire.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring appropriate monitoring of the agency's security training program.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has procedures in place to ensure that annual security test and evaluation activities include assessments of management, operational, and technical controls of every information system in DLA's inventory.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that annual security test and evaluation activities include management, operational, and technical controls of every information system in DLA's inventory.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented a process to document and report complete plans of action and milestones.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by documenting and reporting complete plans of action and milestones.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has issued a template and process description for plans of action and milestones.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by establishing specific guidance or instructions to information assurance managers and information assurance officers on what--or how--to document and report plans of action and milestones for system deficiencies.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) issued "interim authorization to operate" (IATO) decisions when certification tasks were not completed. This IATO designation is in accordance with DLA, Defense, and Office of Management and Budget policies.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by discontinuing the practice of issuing "time-limited" authorization to operate accreditation decisions when certification tasks have not been completed.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has instituted annual reviews of certification tasks by a central review team, which verifies that these tasks are performed correctly and are completed.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that the DLA central review team verifies that certification tasks have been completed.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented procedures to ensure the accuracy and completeness of the data in the agency's primary reporting tool for recording, tracking, and reporting performance metrics on DLA's information security practices and controls.
Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by maintaining the accuracy and completeness of the data contained in the agency's primary reporting tool for recording, tracking, and reporting performance metrics on information security practices and controls.
Agency Affected: Department of Defense