Information Security
Progress and Challenges to an Effective Defense-wide Information Assurance Program
GAO ID: GAO-01-307
March 30, 2001

The components, military services, and agencies of the Department of Defense (DOD) share many risks in their use of globally networked computer systems to perform operational missions. Many reports of vulnerabilities, organized intrusions, and theft related to department systems and networks have underscored weaknesses in DOD systems. In January 1998, DOD responded to these risks by announcing its plans for a Defense-wide Information Assurance Program to promote integrated, comprehensive, and consistent information assurance (IA) practices across the department. Although the program has addressed issues related to DOD's departmental IA goals, established new IA policy, improved communication across the department, and introduced mechanisms for monitoring IA efforts throughout DOD, many IA issues remain unaddressed. Given the high priority that DOD puts on IA, GAO believes the program should have made progress on more of its implementation plan objectives by this time and gone further with the ones it has begun to address. Top-level DOD management has not carried out oversight commensurate with the program's high-priority role, and the program has not received the resources that were judged necessary by DOD when the program was initiated. DOD continues to face significant personnel, technical, and operational challenges in implementing an effective departmentwide IA program--something it cannot afford to ignore. A stronger management framework for the program consisting of adequate funding and oversight would establish the foundation needed to make greater progress in addressing such challenges.
Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.