DOD Information Security

Serious weaknesses in the Defense Department's (DOD) information security continue to give hackers and hundreds of thousands of unauthorized users a chance to modify, steal, inappropriately disclose, and destroy sensitive military data. These weaknesses impair the military's ability to (1) control physical and electronic access to its systems and data; (2) ensure that software is properly authorized, tested, and functioning; (3) limit employees' ability to perform incompatible functions, and (4) resume operations in the event of a disaster. Defense functions, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll, have already been harmed by system attacks or fraud. Although some corrective measures have been taken in response to an earlier GAO report (GAO/AIMD-96-84, May 1996), DOD's progress in correcting the control weaknesses cited during GAO's earlier review has been inconsistent, and weaknesses persist in every area of general controls.

GAO noted that: (1) serious weaknesses in DOD information security continue to provide both hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose, and destroy sensitive DOD data; (2) these weaknesses impair DOD's ability to: (a) control physical and electronic access to its systems and data; (b) ensure that software running on its systems is properly authorized, tested, and functioning as intended; (c) limit employees' ability to perform incompatible functions; and (d) resume operations in the event of a disaster; (3) as a result, numerous DOD functions, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll, have already been adversely affected by system attacks or fraud; (4) GAO's review found that some corrective actions have been initiated in response to the recommendations GAO's 1996 reports made to address pervasive information security weaknesses in DOD; (5) however, progress in correcting the specific control weaknesses identified during GAO's previous reviews has been inconsistent across the various DOD components involved and weaknesses persist in every area of general controls; (6) accordingly, GAO reaffirms the recommendations made in its 1996 reports; (7) the DOD component activities GAO evaluated generally did not have effective processes for identifying and resolving information security weaknesses; (8) however, the Defense Information Systems Agency (DISA) which operates the Defense Megacenters (DMC), has established and is implementing a comprehensive security review process; (9) DISA developed Standard Technical Implementation Guides (STIG), which prescribe clear and detailed standards for configuring its systems software; (10) also, DISA's Security Readiness Review process enables it to test DMC compliance with the STIGs and other DISA security standards, track the weaknesses identified by the testing, and monitor and report on efforts to correct them; (11) DOD announced in January 1998 its plans for a Defense-wide Information Assurance Program (DIAP) under the jurisdiction of the DOD Chief Information Officer to provide a comprehensive, departmentwide information security program; and (12) in December 1998, DOD also implemented the Joint Task Force for Computer Network Defense, which DOD expects will support the DIAP by monitoring DOD's computer networks and defending against hacker attacks and other unauthorized access.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone: