
Information Security: Progress and Challenges to an Effective Defense-wide Information Assurance Program

GAO-01-307 Published: Mar 30, 2001. Publicly Released: Mar 30, 2001.

Highlights

The components, military services, and agencies of the Department of Defense (DOD) share many risks in their use of globally networked computer systems to perform operational missions. Many reports of vulnerabilities, organized intrusions, and theft related to department systems and networks have underscored weaknesses in DOD systems. In January 1998, DOD responded to these risks by announcing its plans for a Defense-wide Information Assurance Program to promote integrated, comprehensive, and consistent information assurance (IA) practices across the department. Although the program has addressed issues related to DOD's departmental IA goals, established new IA policy, improved communication across the department, and introduced mechanisms for monitoring IA efforts throughout DOD, many IA issues remain unaddressed. Given the high priority that DOD puts on IA, GAO believes the program should have made progress on more of its implementation plan objectives by this time and gone further with the ones it has begun to address. Top-level DOD management has not carried out oversight commensurate with the program's high-priority role, and the program has not received the resources that DOD judged necessary when the program was initiated. DOD continues to face significant personnel, technical, and operational challenges in implementing an effective departmentwide IA program--something it cannot afford to ignore. A stronger management framework for the program, consisting of adequate funding and oversight, would establish the foundation needed to make greater progress in addressing such challenges.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Defense
Recommendation: To significantly improve departmentwide management of IA, the Secretary of Defense should commit senior department personnel to developing a DIAP Program Execution Plan that further defines and integrates DIAP-related roles and responsibilities, organizational relationships and accountability, ongoing efforts, and plans; establishes commitments to DIAP at the component, service, and agency levels; specifies measurable outcomes related to department operations for determining the success of DIAP and time frames for achieving them; and builds on existing DIAP accomplishments.
Status: Closed – Implemented
Comments: The Defense-wide Information Assurance Program (DIAP) Program Execution Plan, completed in December 2001, defines the organization and functions of the DIAP office. Information assurance (IA) responsibilities (including management of the DIAP office and supporting activities) have been assigned or described in DOD policies (8500 series of regulations and related directives and instructions). IA management and coordination groups have been established with department-wide representation. A strategic plan consisting of DOD's IA goals, objectives, and measures has been adopted. According to DOD IA officials, since the Program Execution Plan was developed through the cooperative efforts of representatives from all DOD organizations, the Program Execution Plan (PEP), coupled with the relevant IA regulations, directives, and instructions and the representational IA groups, can ostensibly serve as the action plan for all components. The PEP is a living document deliberately intended to align IA strategies and investment decisions and to guide IA activities in coordination with the pertinent IA regulations, directives, and instructions for the entire Department.

Agency Affected: Department of Defense
Recommendation: To significantly improve departmentwide management of IA, the Secretary of Defense should establish written objectives and agreements for departmentwide support of DIAP that provide for clear and realistic responsibilities, adequate personnel, expected outcomes, and mechanisms for monitoring and enforcing agreements. The agreements should specify the organizational positions and entities responsible for integrating DOD's IA actions, managing IA-related aspects of DOD's mission performance, and providing independent oversight and assessment of IA improvement.
Status: Closed – Implemented
Comments: DOD has fully coordinated and issued directives for information assurance (IA) in the form of the DOD 8500 series of regulations. These policies and related guidance assign IA responsibilities to key executives and Defense components. The department also published its IA strategic plan (including goals, objectives, and measures) and established groups to monitor progress against the plan. Corresponding detailed instructions and procedures provide specific mechanisms and organizational requirements to achieve and/or assess status and progress related to IA objectives.

Agency Affected: Department of Defense
Recommendation: To significantly improve departmentwide management of IA, the Secretary of Defense should establish a structured process led by the DOD Chief Information Officer (CIO) and CIO Executive Board for regularly monitoring the progress of DIAP toward achieving department goals and using these results to adjust IA program objectives and resources.
Status: Closed – Implemented
Comments: In February 2002, DOD established a department-level leadership group composed of senior executives from across the DOD agencies, services, and components to achieve common Defense-wide information assurance (IA) goals. The group includes chief information officers (CIOs) or commensurate positions. The Chair reports to the DOD CIO. The management process defined in the department's IA strategic plan, approved in August 2002, provides this group with the authority to review plans and status reports submitted to the Defense-wide Information Assurance Program and to adjust budgets, action plans, and performance measures as necessary.

Agency Affected: Office of the Chief Information Officer (DOD CIO)
Recommendation: To significantly improve departmentwide management of IA, the Secretary of Defense should establish a structured process led by the DOD Chief Information Officer (CIO) and CIO Executive Board for regularly monitoring the progress of DIAP toward achieving department goals and using these results to adjust IA program objectives and resources.
Status: Closed – Implemented
Comments: DOD issued new guidance in the form of instructional directives that contained timeframes for reporting and/or providing briefings to the Secretary of Defense regarding information assurance (IA) readiness assessments throughout the Department. This action will communicate the status of such assessments to top-level DOD management officials and afford them opportunities to respond to IA issues and concerns with requisite authority.

Agency Affected: Department of Defense
Recommendation: To significantly improve departmentwide management of IA, the Secretary of Defense should reinforce the department's commitment to the high priority of IA by providing regular reporting to the Secretary of Defense on the progress, issues, and results of actions to establish IA readiness assessment across the department.
Status: Closed – Implemented
Comments: The department has established a process and issued new guidance in the form of instructional directives that contain specified timeframes for reporting to and/or providing briefings to the Secretary of Defense regarding information assurance readiness assessments throughout the Department. This action will provide communications about the status of such assessments to top-level DOD managers and allow them to respond to information assurance issues and concerns with requisite authority.

Agency Affected: Office of the Chief Information Officer (DOD CIO)
Recommendation: The DOD CIO should define a program budget element or subelement that encompasses IA-related personnel and activities of the Office of the Assistant Secretary for Command, Control, Communications and Intelligence (OASD (C3I)) and provides an annual approved budget, adequate and appropriate personnel, and performance goals and measures.
Status: Closed – Not Implemented
Comments: DOD developed a budget, performance goals, and measures for information assurance (IA)-related personnel and activities. However, the budget for OSD's IA program was not established as a separate department-level program budget element. Instead, OSD plans to continue managing the budget for the IA program in conjunction with other CIO programs and without a distinct budget element, so that funding can be easily transferred among the other programs to meet critical needs. Without a separate budget element, dedicated funding for OSD's IA activities is not assured, and accountability for program performance may be at risk.

Agency Affected: Office of the Chief Information Officer (DOD CIO)
Recommendation: The DOD CIO should establish, document, and implement a performance-based management plan and process for the DIAP staff consistent with those of high-performing organizations.
Status: Closed – Implemented
Comments: The Defense-wide Information Assurance Program (DIAP) Program Execution Plan (PEP) defines performance objectives, corresponding performance goals, metrics, and an assessment process for DIAP functions and DIAP staff. Further, the PEP is codified in the DOD Information Assurance Strategic Plan. Together, these documents form the management plan for IA that the Department believes constitutes a performance-based process consistent with similar plans and processes used by high-performing organizations.

Agency Affected: Office of the Assistant Secretary for Command, Control, Communications, and Intelligence
Recommendation: To enhance progress in achieving the DIAP's IA goals, the OASD (C3I) Director of Information Assurance should develop and implement a plan for instituting IA readiness metrics that addresses key obstacles that have hindered efforts to date through (1) enhancements to existing automated reporting systems to capture IA-related data, (2) improved coordination between proposed department-level and joint force IA metrics, and (3) validation of the proposed metrics to ensure that they produce useful information.
Status: Closed – Implemented
Comments: DOD refined information assurance (IA) readiness reporting measures through the use of a new instructional directive and initiated efforts to automate the IA vulnerability management process to identify obstacles and concerns that impair IA readiness. These actions will enhance existing automated IA reporting procedures and improve coordination and reporting of Department-wide IA readiness concerns.

Agency Affected: Office of the Assistant Secretary for Command, Control, Communications, and Intelligence
Recommendation: To enhance progress in achieving the DIAP's IA goals, the OASD (C3I) Director of Information Assurance should develop and implement an action plan for achieving the department's July 2000 IA human resources policy directive.
Status: Closed – Implemented
Comments: An implementation plan was completed in December 2000 to address all the recommendations included in the original report on improving DOD's information technology and information assurance human resources. Several of the recommendations are now complete or partially complete.

Agency Affected: Office of the Assistant Secretary for Command, Control, Communications, and Intelligence
Recommendation: To enhance progress in achieving the DIAP's IA goals, the OASD (C3I) Director of Information Assurance should develop comprehensive operational policies and procedures to provide consistency in IA monitoring and management across the department.
Status: Closed – Implemented
Comments: This recommendation was fully addressed with the approval and publication of the Joint Staff's guidance and other Defense-wide 8500-series policies relating to IA monitoring and management, including vulnerability management, management of ports and protocols, and firewall configuration. Departmentwide policies were issued in early 2001 (DOD Directive O-8530.1 and DOD Instruction O-8530.2) to assign responsibilities and establish procedures related to computer network defense, a component of information assurance (IA) monitoring and management. Additional guidance covering vulnerability management, information operations conditions, red teams, and communications security has been developed and published by the Joint Staff and is being coordinated within DOD. A department IA policy framework has been established to support the evolution of additional policies and guidance relating to monitoring and management.

Agency Affected: Office of the Assistant Secretary for Command, Control, Communications, and Intelligence
Recommendation: To enhance progress in achieving the DIAP's IA goals, the OASD (C3I) Director of Information Assurance should expand security management technology planning to include issues beyond public key infrastructure, including workstation security, virtual private networks, and security management tools.
Status: Closed – Implemented
Comments: The office of the Defense-wide Information Assurance Program has added staff and expanded its activities in security management to include (1) coordination activities in commercial product migration, biometrics, and cryptographic modernization, and (2) evaluation of technology for remote secure network access. The recently approved information assurance (IA) strategic plan provides a mechanism for ongoing identification, planning, and monitoring of departmentwide security management efforts. These measures provide an environment for more effective use of department resources.

Agency Affected: Office of the Assistant Secretary for Command, Control, Communications, and Intelligence
Recommendation: To enhance progress in achieving the DIAP's IA goals, the OASD (C3I) Director of Information Assurance should complete development of an IA program baseline, including establishing a detailed system of budget codes for identifying IA resources across the department and integrating planning, programming, and budgeting data with the department's acquisition management and requirements-generation systems.
Status: Closed – Implemented
Comments: DOD adopted Management Initiative Decision (MID) 913, which modified the Department's Planning, Programming and Budgeting System (PPBS) and related processes. As a result, information assurance (IA) resources will be identified within this system through the use of an automated application called the IA Resources Management Application (IARMA). The IARMA contains sufficient data to allow IA resources to be baselined, fully identified, and centrally and comprehensively managed in coordination with mandatory acquisition, information technology, and IA criteria. This will give the Department better visibility of IA resources and better coordination of IA resources with the acquisition management process and information technology requirements-generation activities and systems.

Agency Affected: Office of the Assistant Secretary for Command, Control, Communications, and Intelligence
Recommendation: To enhance progress in achieving the DIAP's IA goals, the OASD (C3I) Director of Information Assurance should develop and implement a strategy for establishing an integrated set of DOD IA policies, directives, and guidance, and establish a mechanism for determining whether DOD components are in compliance.
Status: Closed – Implemented
Comments: DOD has developed and disseminated a policy framework that organizes and provides an ongoing process for department directives and guidance. In addition, the Joint Staff has adopted a modular approach to its policies to facilitate incorporation of directives on new technologies. The department has defined and implemented processes to determine DOD component compliance with department IA policies through the implementation of its information assurance strategic plan and IA-related regulations, instructions, and directives. These actions will allow the Department to administer, monitor, and assess compliance with IA policies and disclose department-wide IA concerns.

Agency Affected: Office of the Assistant Secretary for Command, Control, Communications, and Intelligence
Recommendation: To enhance progress in achieving the DIAP's IA goals, the OASD (C3I) Director of Information Assurance should take steps to fully address assigned DIAP responsibilities in three other areas--architectural standards and system transformation, acquisition support and product development, and research and technology.
Status: Closed – Implemented
Comments: DIAP staff members have been specifically assigned to support departmentwide aspects of acquisition and of research and technology. To date, they have provided support for incorporating information assurance (IA) into DOD acquisition policy and guidance, aided in the development of IA strategies for acquisition programs, and analyzed the department's IA science and technology road map, among other activities. Although no individual has been specifically designated to coordinate architectural standards and system transformation, staff members have supported architecture-related activities such as the Defense collaborative tool suite and identification of technologies for computer network defense. Thus, DIAP staff are now positioned to fully support the department's goals for IA architectures, acquisition, and research.


Topics

Computer networks; Computer security; Homeland security; Information resources management; Information systems; Performance measures; Computer resources management; Information assurance; Chief information officers; Human resources management