National Guard
Effective Management Processes Needed for Wide-Area Network
Gao ID: GAO-02-959 September 24, 2002
The Fiscal Year 2002 Defense Authorization Act required GAO to review GuardNet, the National Guard's wide-area network, which is used to support various Defense applications and was used to support homeland security activities after the terrorist attacks of September 11th. GAO was asked to determine the current and potential requirements for GuardNet and the effectiveness of the processes for managing the network's requirements, configuration, and security.
The National Guard does not fully know the current or potential requirements for GuardNet or how it is being used, because it has not fully documented requirements. Guard officials provided GAO with a list of applications that the network supports, but they would not attest to the list's completeness, and GuardNet users identified other applications. The processes for managing GuardNet are not effective in three key areas: Requirements: For example, the Guard has not developed a requirements management plan or clearly established users' roles in developing and changing requirements. Configuration: For example, the Guard has not documented the network's configuration and is not controlling changes to configuration components. Security: For example, the Guard has not implemented needed security controls, such as firewalls, to protect GuardNet and does not monitor controls on an ongoing basis to ensure that implemented controls are working as intended. According to Guard officials, establishing these management processes has not been a priority. Without these basic processes, the Guard cannot ensure that GuardNet will perform as intended and provide its users with reliable and secure services. GuardNet is thus a dubious option for further support of critical mission areas such as homeland security.
GAO-02-959, National Guard: Effective Management Processes Needed for Wide-Area Network
This is the accessible text file for GAO report number GAO-02-959
entitled 'National Guard: Effective Management Processes Needed for
Wide-Area Network' which was released on September 24, 2002.
Report to Congressional Committees:
September 2002:
NATIONAL GUARD:
Effective Management Processes Needed for Wide-Area Network:
GAO-02-959:
Highlights: National Guard: Effective Management Processes Needed for
Wide-Area Network:
Highlights of GAO-02-959, a report to the Committees on Armed Services,
U.S. Senate and House of Representatives.
Why GAO Did This Study:
The Fiscal Year 2002 Defense Authorization Act required GAO to review
GuardNet, the National Guard's wide-area network, which is used to
support various Defense applications and was used to support homeland
security activities after the terrorist attacks of September 11th. GAO
was asked to determine the current and potential requirements for
GuardNet and the effectiveness of the processes for managing the
network's requirements, configuration, and security.
What GAO Found:
The National Guard does not fully know the current or potential
requirements for GuardNet or how it is being used, because it has not
fully documented requirements. Guard officials provided GAO with a list
of applications that the network supports, but they would not attest to
the list's completeness, and GuardNet users identified other
applications. The processes for managing GuardNet are not effective in
three key areas:
* Requirements. For example, the Guard has not developed a requirements
management plan or clearly established users' roles in developing and
changing requirements.
* Configuration. For example, the Guard has not documented the
network's configuration and is not controlling changes to configuration
components.
* Security. For example, the Guard has not implemented needed security
controls, such as firewalls, to protect GuardNet and does not monitor
controls on an ongoing basis to ensure that implemented controls are
working as intended.
According to Guard officials, establishing these management processes
has not been a priority. Without these basic processes, the Guard
cannot ensure that GuardNet will perform as intended and provide its
users with reliable and secure services. GuardNet is thus a dubious
option for further support of critical mission areas such as homeland
security.
Figure: Simplified View of GuardNet:
[See PDF for image]
Source: National Guard.
[End of figure]
What GAO Recommends:
GAO is making numerous recommendations aimed at (1) limiting network
users' current exposure to risk; (2) understanding and evaluating the
network's current requirements, configuration, and security posture;
and (3) developing and implementing action plans to address current
network weaknesses and risks. The Department of Defense generally
agreed with our recommendations, stating that they were valued and
timely.
This is a test for developing highlights for a GAO report. The full
report, including GAO's objectives, scope, methodology, and analysis is
available at www.gao.gov/cgi-bin/getrpt?GAO-02-959. For additional
information about the report, contact Randolph C. Hite (202-512-3439).
To provide comments on this test highlights, contact Keith Fultz
(202-512-3200) or e-mail HighlightsTest@gao.gov.
Contents:
Letter:
Results in Brief:
Background:
Current and Potential Requirements of GuardNet Are Not Fully Known:
NGB Does Not Have an Effective Process for Managing GuardNet
Requirements:
NGB Does Not Have an Effective Process for Managing GuardNet's
Configuration:
NGB Does Not Have an Effective Process for Managing GuardNet's
Security:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the National Guard:
Appendix III: GAO Contact and Staff Acknowledgements:
GAO Contact:
Staff Acknowledgments:
Table:
Table 1: Summary of GuardNet Management Responsibilities and Functions:
Figures:
Figure 1: Federalized National Guard Organization/Command Structure:
Figure 2: Nonfederal National Guard Organization/Command Structure:
Figure 3: Simplified Diagram of GuardNet and Its Interconnections:
Figure 4: Simplified View of GuardNet:
AIS: Information Systems Division:
CCB: Configuration Control Board:
CIO: chief information officer:
CJCSI: Chairman of the Joint Chiefs of Staff Instruction:
CMMI: Capability Maturity Model Integration:
DISA: Defense Information Systems Agency:
DITSCAP: DOD Information Technology Security Certification and
Accreditation Process:
DLA: Defense Logistics Agency:
DOD: Department of Defense:
DODD: Department of Defense Directive:
DTTP: Distributive Training Technology Project:
EIA: Electronic Industries Alliance:
IEEE: Institute of Electrical and Electronics Engineers:
IT: information technology:
NGB: National Guard Bureau:
NIPRNet: Unclassified but sensitive Internet Protocol Router Network:
OMB: Office of Management and Budget:
SEI: Software Engineering Institute:
VTC: video teleconferencing:
WAN: wide-area network:
Letter September 24, 2002:
The Honorable Carl Levin
Chairman
The Honorable John Warner
Ranking Minority Member
Committee on Armed Services
United States Senate:
The Honorable Bob Stump
Chairman
The Honorable Ike Skelton
Ranking Minority Member
Committee on Armed Services
House of Representatives:
Although established to support Web-based training for National Guard
units in the states, the U.S. territories, and the District of
Columbia, GuardNet,[Footnote 1] which is the National Guard Bureau's
(NGB) wide-area network, has recently been used to support homeland
security activities. For example, when faced with overloaded public
telecommunications systems and limited radio communications on
September 11, 2001, both New York Army National Guard units and
civilian emergency authorities relied on GuardNet to perform command
and control functions. Since then, the Guard has used this network to
coordinate airport security activities, inform the public about
anthrax, and coordinate with first responders.[Footnote 2] According to
Guard and Department of Defense officials, additional
homeland-security-related uses of GuardNet are currently being
considered.
The Fiscal Year 2002 Defense Authorization Act requires the Comptroller
General to review GuardNet, including its requirements and its
interconnectivity with other networks.[Footnote 3] As agreed with your
offices, our objectives were to determine (1) the network's current and
potential requirements and (2) the effectiveness of NGB's processes for
managing network requirements, configuration,[Footnote 4] and
security. (See app. I for more details on our objectives, scope, and
methodology.)
Results in Brief:
NGB does not have basic requirements documentation for GuardNet and, as
a result, does not fully know its current and potential requirements.
Instead, NGB officials told us what they characterized as their
understanding of the existing and potential uses of GuardNet, but not
the associated requirements that GuardNet needed to fulfill to support
network users. Further, while NGB officials stated that future uses of
GuardNet could include support to the homeland security mission,
including wireless communications, they had no further specifics.
Without a basic understanding of current and potential network
requirements, NGB lacks the requisite information for meeting network
users' needs and making informed network investment decisions.
NGB's lack of understanding of GuardNet's requirements is attributable
in part to the ineffectiveness of its processes for managing network
requirements, configuration, and security. In each of these important
areas, NGB has not adhered to the proven practices that successful
public- and private-sector organizations employ in managing their
systems, and it has not followed relevant Department of Defense (DOD)
policies and guidance. For example, NGB does not have a requirements
management plan, a requirements baseline against which changes are
controlled, or a systematic way to capture and evaluate proposed
changes. NGB also does not have a configuration management plan or
documentation describing the network's current configuration and
changes that have been made to the configuration. In addition, NGB has
not periodically assessed network security risks and has not
implemented appropriate security controls, such as operational
firewalls,[Footnote 5] to address risks that it has identified.
According to NGB officials, establishing effective management processes
has not been a bureau priority. Without these basic process controls,
NGB has inadequate assurance that GuardNet will perform as intended and
provide its users with reliable and secure services. This raises
questions about the network's near-term viability as a communication
option for mission-critical applications, such as homeland security.
In light of the significance of known and potential uses of GuardNet,
as well as the extent of NGB management weaknesses, we are recommending
that the Secretary of Defense, through the Secretary of the Army,
direct the NGB Chief to take a series of actions aimed at (1) limiting
network users' current exposure to risk; (2) understanding and
evaluating the network's current requirements, configuration, and
security posture; and (3) developing and implementing specific plans to
appropriately address current network weaknesses and risks.
In written comments on a draft of this report, DOD thanked us for our
timely assessment and valued recommendations, and it stated that NGB
has begun to address the deficiencies cited in our report and would use
our recommendations as a tool in enhancing GuardNet service delivery.
The department nevertheless disagreed with one aspect of one of our
recommendations, which we have addressed through a wording
clarification. It also disagreed with our recommendation for NGB to
develop a plan for putting in place missing network security management
process controls. While not challenging our finding that these process
controls were missing, DOD stated that a plan for improving its current
state of security management was not needed because NGB continually
addresses security requirements but has been unable to fund them. We
disagree that a plan is not needed. The improvement plan that we
recommend provides for establishing the processes necessary to
understand and prioritize security needs and ensure that they are
effectively met. In addition, its implementation will not only place
NGB in a better position for overcoming each of the security weaknesses
discussed in the report, it will also help it justify its funding
needs.
Background:
The National Guard consists of the National Guard Bureau (NGB)--which
includes the Army National Guard and the Air National Guard--and the
National Guard units, which are located in the 50 states, 3 U.S.
territories,[Footnote 6] and the District of Columbia. The National
Guard has played a critical role in a variety of crises in the recent
past. For example, in 1999, the North Carolina National Guard unit
assisted for more than 50 consecutive days during the aftermath of
Hurricanes Floyd and Dennis. Also, within hours of the September 11,
2001, attacks on the World Trade Center and the Pentagon, 52 Air
National Guard units were in the air over the United States,
transporting medical supplies and personnel from emergency support
organizations. By September 13th, nearly 3,800 members of the New York
National Guard, and about 1,200 members of the Virginia, Maryland, and
District of Columbia National Guard, were mobilized and on duty.
In executing its role in these crises, the Guard depends on a wide
variety of assets, including a network, commonly referred to as
GuardNet, which is to provide real-time, interactive, Web-based
communications. According to NGB officials, GuardNet is a collection of
55 wide-area networks (WAN)[Footnote 7] that link 2,700
armories[Footnote 8] and other facilities, such as colleges and
universities, around the country.
National Guard: Its Mission and Organization:
The National Guard has both a federal and a state-level mission, making
it unique among U.S. military organizations. Its federal mission is to
(1) maintain well-trained and well-equipped units that are ready to be
mobilized by the President of the United States during war or
international peacekeeping efforts and (2) provide assistance during
national emergencies, such as natural disasters or civil disturbances.
In this role, the Guard is a supplemental reserve force for the Army
and the Air Force. Its state-level mission, which is executed under the
control of state and territory governors and, for the District of
Columbia, the President, is to protect life and property and preserve
peace, order, and public safety. This mission involves providing
emergency relief support during local or statewide emergencies, such as
riots, earthquakes, floods, or terrorist attacks.
The Army and Air National Guard units are located at 3,472 sites
throughout the 50 states, 3 territories, and the District of Columbia.
According to the Department of the Army, the Army National Guard is one
of three force components of the department, with the other two being
active duty Army forces and the Army Reserves. The Army National Guard
comprises military and civilian personnel who serve their country on
either a full- or part-time basis; it has about 350,000 soldiers in
1,832 units. Currently, about half of these are combat units. The Air
National Guard is a reserve component of the Department of the Air
Force, employing about 107,000 officers and airmen in 368 units. The
Air National Guard supports the Air Force in its mission of providing
air defense for the United States and provides airlift, combat
communications, and aerial refueling support to the Air Force.
Structurally, NGB (the Army National Guard and the Air National Guard)
is positioned between the state-level Guard units and the Departments
of the Army and Air Force for communication purposes. During war or
other national emergencies, the President can mobilize state-level
Guard units as federal troops. When federalized, these units report to
the Secretary of Defense (see fig. 1). Currently, about 9 percent of
the Army National Guard's units and 24 percent of the Air National
Guard's units are federalized.
Figure 1: Federalized National Guard Organization/Command Structure:
[See PDF for image]
Notes:
When deployed within the United States, National Guard units report to
an active Army or Air Force component, which reports to the Secretary
of the Army or Air Force, respectively, who reports to the Secretary of
Defense.
When deployed outside of the United States, National Guard units report
to the Secretary of Defense through their respective Theater
Commanders-in-Chief, each of whom is responsible for combatant forces
in one of seven geographical areas.
Source: NGB.
[End of figure]
When performing their state-level mission, Guard units within a state,
territory, or the District of Columbia report to a state-level
commanding officer known as the Adjutant General,[Footnote 9] who in
turn reports to either a state or territorial governor or, for the
District, the President (as commanders-in-chief). The Adjutant General
coordinates with NGB's Army or Air National Guard, as appropriate, on
such matters as staffing and unit readiness. The Army and Air National
Guard in turn coordinate with the Secretaries of the Army and the Air
Force, respectively. (See fig. 2 for the organizational/command
structure of the Guard when it is performing its state-level mission.)
Figure 2: Nonfederal National Guard Organization/Command Structure:
[See PDF for image]
Source: NGB.
[End of figure]
GuardNet: A Brief Description:
GuardNet is a WAN that bridges the military and civilian sectors, just
as the National Guard itself does. GuardNet was created to support
NGB's Distributive Training Technology Project (DTTP), a distance
learning program established by Congress in 1995 to ensure enhanced
military readiness and improve command, control, and communications for
the Guard. According to NGB, GuardNet became operational in 1998.
GuardNet is a network of interconnected federal and state military
networks (both wide-area and local-area) across the United States (see
fig. 3). Through GuardNet, states, territories, and the District of
Columbia can connect to a defense network operated by the Defense
Information Systems Agency (DISA),[Footnote 10] and through this
network to the Internet. In addition, some states and territories have
established connections to other state networks, such as local-area
networks on university campuses, which also allow access to the
Internet. According to NGB officials, firewalls exist at connections
between the federally controlled and state-controlled portions of
GuardNet, between the federally controlled portion of GuardNet and
DISA's network, and between DISA's network and the Internet. In
addition, these officials stated that while they were not certain about
the presence of firewalls between the state-controlled portions of
GuardNet and the state networks, approximately one-half of the states,
on their own initiative, might have implemented these firewalls, since
NGB has yet to do so.
Figure 3: Simplified Diagram of GuardNet and Its Interconnections:
[See PDF for image]
Legend:
DISA = Defense Information Systems Agency:
NIPRNet = Unclassified but sensitive Internet Protocol Router Network:
Source: GAO on the basis of NGB information.
[End of figure]
GuardNet comprises 7 regional hubs,[Footnote 11] each of which connects
to between 6 and 8 "state-area command" hubs within the 50 states, 3
territories, and the District of Columbia (see fig. 4). The seven
regional hubs are located in Sacramento, California; Cheyenne, Wyoming;
Johnston, Iowa; Latham, New York; Raleigh, North Carolina; Little Rock,
Arkansas; and the Army National Guard Readiness Center in Arlington,
Virginia. The backbone connections among the regional hubs are either
OC-3 or T-3
lines,[Footnote 12] both of which are dedicated telecommunications
lines that support voice, video, and data transmissions. The
connections between the regional hubs and the state-area command hubs
are primarily T-1 lines.[Footnote 13] From the state-area command hubs,
leased T-1 lines provide permanent telephone connections to the DTTP
classrooms and local-area networks located at, for example,
universities and Guard armories.
Figure 4: Simplified View of GuardNet:
[See PDF for image]
Source: NGB.
[End of figure]
According to NGB, the Army National Guard provides the funding for
GuardNet. However, GuardNet management is a shared responsibility
between NGB at the federal level and directors of information
management[Footnote 14] at the state level. The Air National Guard does
not have any management responsibilities for GuardNet. These respective
roles and responsibilities are described in table 1.
Table 1: Summary of GuardNet Management Responsibilities and Functions:
Entity: Federal level; Responsibility/Function: [Empty].
Entity: NGB Chief Information Officer (CIO); Responsibility/Function: Serves as the senior information technology (IT) advisor to the NGB Chief.
Entity: NGB CIO Executive Council; Responsibility/Function: Provides a forum to improve NGB's IT management practices.
Entity: NGB Information Systems Division (NGB-AIS)[A]; Responsibility/Function: Operates and maintains GuardNet.
Entity: AIS Configuration Control Board; Responsibility/Function: Reviews and approves network change requests for GuardNet.
Entity: Army National Guard Systems Engineering Integration Group; Responsibility/Function: Reviews and provides technical guidance to the NGB-AIS Configuration Control Board on change requests.
Entity: IT Requirements Control Board; Responsibility/Function: Reviews and approves IT requirements with estimated life-cycle costs over $100,000.
Entity: External Connection Review Board; Responsibility/Function: Reviews requests for external connections to GuardNet.
Entity: State level; Responsibility/Function: [Empty].
Entity: Information Management Council; Responsibility/Function: Communicates state-level concerns regarding pending network changes.
Entity: Director of Information Management/Deputy Chief of Staff for Information Management; Responsibility/Function: Operates and maintains state-controlled portion of GuardNet, including managing network changes and security.
[A] According to NGB officials, AIS refers to the Information Systems
Division.
Source: NGB.
[End of table]
Current and Potential Requirements of GuardNet Are Not Fully Known:
Industry best practices[Footnote 15] and DOD guidance[Footnote 16]
recognize the importance of clearly and formally defining system
requirements. For example, DOD guidance requires the development of (1)
a mission needs statement, which defines current and future high-level
operational capabilities that a system must provide to meet mission
needs, and (2) an operational requirements document, which translates
these high-level capabilities into detailed and unambiguous functional
(what the system is to do), performance (how well it is to do it), and
interface (how it is to interact with other systems) requirements.
Without this basic requirements documentation, system owners are not in
a position to deliver systems that meet users' needs, evaluate system
performance, or make informed decisions about system changes.
NGB has neither a mission needs statement nor an operational
requirements document for GuardNet. According to officials of NGB's
Information Systems (AIS) Division, while a comprehensive and
authoritative set of requirements for GuardNet does not exist, the
bureau has a "fairly good" informal understanding of how the network is
currently being used. However, we did not find evidence that such an
understanding exists. For example, although the officials initially
attributed their understanding of the network's use to memorandums of
agreement between NGB and the states, territories, and the District of
Columbia, they subsequently stated that the memorandums do not
currently exist, but they should in the near future. In addition, while
they provided us with a list of 130 DOD and bureau applications that
GuardNet supports, they did not know whether this list was complete,
and other sources of information suggest that the list is not complete.
For example, NGB's fiscal year 2003 funding request states that the
network supports 135 applications.
In the absence of basic requirements documentation, we reviewed NGB
expenditure and budget documents relating to the operation and
maintenance of the network in an attempt to trace funding back to
requirements. However, these budget documents related funding needs to
very generic requirements, such as "security" or "network maintenance,"
and according to NGB-AIS officials, the funding levels were not based
on specific requirements but rather on prior year funding levels. Since
fiscal year 1997, NGB estimates that its cumulative spending on
GuardNet is between $172 million and $451 million.[Footnote 17]
In addition, because NGB-AIS officials do not compare actual
performance to performance expectations (i.e., requirements), we could
not determine GuardNet requirements by reviewing such performance
analyses. The bureau provided the results of an ongoing study
commissioned by NGB's Chief Information Officer (CIO) to identify
future network requirements in support of homeland security command,
control, and communications activities.[Footnote 18] However, the
results to date do not yet identify GuardNet requirements. Instead,
these results raised states' concerns about network security and
reliability and interoperability with other networks, all of which the
states currently deemed inadequate.[Footnote 19] According to a Guard
official for Iowa, the state uses its own network, instead of GuardNet,
for video teleconferencing (VTC) because it is more reliable and
faster.
Because of states' concerns about GuardNet's capabilities, we attempted
to interview Virginia and Iowa state officials using GuardNet's VTC
facilities. To accomplish this, we requested that these interviews be
conducted at a site that was used for VTC purposes by the Army National
Guard and others following the September 11th terrorist attacks,
specifically asking that GuardNet be used to establish both the voice
and video connection. We experienced difficulties in getting this
connection and using the VTC capabilities at this facility. For
example, in connecting with Virginia officials, it took four attempts
to establish the initial video connection, which lasted about 15
minutes before communications were lost altogether; a voice connection
was never established. As a result, we communicated with Virginia
officials using a telephone. In the case of Iowa, a connection was
established; however, the quality of both the video and voice
connections was poor. For example, the screen froze several times
during the meeting and, at times, it was difficult to hear the Iowa
officials. After receiving a draft of this report for comment, the
Acting Director of NGB's Information Systems Division informed us that
the public switched network was used to connect us with the states, not
GuardNet. To verify this, we requested copies of error logs that
document problems associated with the network's usage. However, NGB did
not provide us the logs. Further, the NGB official who established our
connection with Virginia and Iowa told us that we had used GuardNet, as
did a Virginia official. Two other Virginia officials, however, stated
that we had not used GuardNet.
In addition to the list that NGB provided of 130 DOD and bureau
applications that GuardNet supports, NGB-AIS officials stated that the
network has been used recently to support activities related to
homeland security. For example, after last year's terrorist attacks,
NGB officials used GuardNet to communicate with states, territories,
and the District of Columbia on the use of National Guard units to
coordinate airport security activities. They also used GuardNet to
inform the public about anthrax and coordinate with first responders.
In addition, these officials stated that NGB's recently established
Homeland Security Program Office is considering GuardNet for future
homeland security support. Further, the Information Technology Advisor
of DOD's Homeland Security Task Force told us that GuardNet is being
considered for homeland security mission support, and although a final
decision has not been made, it may be the best choice of network
support because it already exists. In addition, NGB and several states
are currently conducting a pilot project, referred to as the Domestic
Emergency Response Information System, to evaluate GuardNet's
capabilities to support wireless communications between NGB and first
responders in the event of a national emergency. At the same time, the
Office of the Assistant Secretary of Defense for Reserve Affairs is
defining requirements for a Nationwide Distributed Fiber Optic Network
to support the National Guard's distance learning program. According to
NGB's CIO, this network has no link to GuardNet and will not replace
GuardNet.
NGB's lack of understanding about current and potential GuardNet
requirements is attributable in part to limitations in its process for
managing requirements (which is discussed in the next section of this
report), as well as what NGB-AIS officials stated was a lack of
management attention and priority given to creating and maintaining
formal requirements documentation. NGB's CIO agreed that this is a
problem and that an assessment of GuardNet's requirements is needed.
Without clearly understood and defined requirements, NGB is not able to
effectively manage the network and thus runs the serious risk that
network users are not receiving the level of support they need now, and
will need in the future, to effectively perform their respective
missions.
NGB Does Not Have an Effective Process for Managing GuardNet
Requirements:
Industry best practices[Footnote 20] and DOD guidance[Footnote 21]
recognize the importance of having an effective process for managing
system requirements. Such a process ensures that a clear and
unambiguous understanding exists between the system's users, acquirers,
and developers about what the system is to do (functionality), how well
it is to do it (performance), and how it is to interact with other
systems (interfaces); this process also ensures that this understanding
is sustained throughout the system's life. Without an effective
requirements management process, the chances of a system effectively
supporting mission needs and providing mission value commensurate with
costs are appreciably reduced.
An effective requirements management process includes, among other
things, (1) adhering to a documented requirements management plan; (2)
involving system users in developing and changing requirements; (3)
establishing a comprehensive set of requirements that serves as the
authoritative baseline against which approved changes are made; and (4)
controlling changes to the baseline by systematically capturing
proposed changes and centrally evaluating and approving changes on the
basis of cost, schedule, and risk.
NGB's approach to managing GuardNet requirements does not satisfy any
of these four tenets and, as a result, is not effective. First, the
bureau does not have a requirements management plan for the network and
does not have plans to develop one. Second, it does not have a clear
understanding with network users of their respective roles in managing
requirements. Specifically, NGB officials told us that 85
organizations[Footnote 22] participate in GuardNet requirements
management activities. However, officials that NGB directed us to, and
that represent 7[Footnote 23] of these 85 organizations, did not
corroborate this statement. For example, 3 stated that they did not
know whether they participated in requirements management and 3 stated
that they did not participate, even though they have concerns about
network capabilities, such as bandwidth.[Footnote 24] Moreover, the
chairman of the Administration and Support Group of the Information
Management Council, which represents the 50 states, the 3 territories,
and the District of Columbia, stated that while the council's
constituencies use GuardNet to varying degrees for VTC and distributed
training, they do not participate in requirements definition and
management beyond sometimes raising concerns about NGB-proposed changes
to GuardNet.
Third, NGB does not have a comprehensive and authoritative set of
requirements that serves as the baseline against which changes are made
(see prior section of this report for more information about current
GuardNet requirements). Fourth, NGB does not have a systematic way to
control changes to GuardNet requirements, such as steps to capture
proposed changes and evaluate them on the basis of cost, schedule, and
risk. According to NGB-AIS officials, requirements are received in a
"piecemeal" fashion, and as long as the originating organization has
approved the requirements and funding is available, NGB attempts to
implement them. Further, they stated that it is not possible to fully
assess the impact of requirements on the network because they have
neither a comprehensive and authoritative set of requirements, as noted
above, nor a complete accounting of the network's current configuration
(which is discussed in the next section of this report).
According to NGB officials, formally managing GuardNet requirements has
not been an area of management attention or a priority. As a result,
NGB does not know what its network is being used for, what its users'
needs are, or whether GuardNet is satisfying these needs. This means
that NGB could be investing its resources on network capabilities that
do not provide the greatest mission value to its users.
NGB Does Not Have an Effective Process for Managing GuardNet's
Configuration:
Industry best practices[Footnote 25] and DOD guidance[Footnote 26]
recognize the importance of configuration management when developing
and maintaining a system or network. Through configuration management,
the composition of a system is formally defined and tracked to ensure
that an unauthorized change is not introduced. Configuration management
is a key means for ensuring that additions, deletions, or other changes
to a system do not compromise the system's ability to perform as
intended.
An effective configuration management process consists of four primary
elements, each of which should be described in a configuration
management plan and implemented according to the plan. The four are:
* Configuration identification: Procedures for identifying,
documenting, and assigning unique identifiers (e.g., serial number and
name) to a system's hardware and software component parts and subparts,
generally referred to as configuration items.
* Configuration control: Procedures for evaluating and deciding whether
to approve changes to a system's baseline configuration, generally
accomplished through configuration control boards, which evaluate
proposed changes on the basis of costs, benefits, and risks and decide
whether to permit a change.
* Configuration status accounting: Procedures for documenting and
reporting on the status of configuration items as a system evolves.
Documentation, such as historical change lists and original designs or
drawings, is generated and kept in a library, thereby allowing
organizations to continuously know the state of a system's
configuration and be in a position to make informed decisions about
changing the configuration.
* Configuration auditing: Procedures for determining alignment between
the actual system and the documentation describing it, thereby ensuring
that the documentation used to support the configuration control
board's decisionmaking is complete and correct. Configuration audits,
both functional and physical, are performed when a significant system
change is introduced, and help to ensure that only authorized changes
are being made.
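The four elements listed above, sketched as an added Python example (not part of the GAO report and not NGB's tooling). The item names, attribute values, 1-5 scores, and approval rule are constructed assumptions.

```python
"""Added illustration: the four configuration management elements on a toy network."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ChangeRequest:
    """A proposed change to one attribute of one configuration item (CI)."""
    request_id: str
    ci_id: str
    attribute: str
    new_value: str
    cost: int      # constructed 1-5 scores a control board might assign
    benefit: int
    risk: int


@dataclass
class ConfigurationLibrary:
    """Documented baseline plus change history (the status-accounting record)."""
    baseline: dict = field(default_factory=dict)  # ci_id -> {attribute: value}
    history: list = field(default_factory=list)   # (request, ci, attribute, old, new)

    def identify(self, ci_id, **attributes):
        """Configuration identification: register a CI under a unique ID."""
        if ci_id in self.baseline:
            raise ValueError(f"duplicate configuration item ID: {ci_id}")
        self.baseline[ci_id] = dict(attributes)

    def review(self, cr, max_risk=3):
        """Configuration control: decide on cost, benefit and risk rather than
        on funding alone. The scoring rule itself is an assumption."""
        if cr.ci_id not in self.baseline:
            return False, "unknown configuration item"
        if cr.risk > max_risk:
            return False, "risk above board threshold"
        if cr.benefit <= cr.cost:
            return False, "benefit does not exceed cost"
        old = self.baseline[cr.ci_id].get(cr.attribute)
        self.baseline[cr.ci_id][cr.attribute] = cr.new_value
        # Status accounting: every approved change is recorded with old and new value.
        self.history.append((cr.request_id, cr.ci_id, cr.attribute, old, cr.new_value))
        return True, "approved"

    def audit(self, observed):
        """Configuration auditing: compare the documented baseline with what is
        actually deployed and return every discrepancy."""
        findings = []
        for ci_id in sorted(set(self.baseline) | set(observed)):
            if ci_id not in observed:
                findings.append((ci_id, "documented but not found", None))
            elif ci_id not in self.baseline:
                findings.append((ci_id, "deployed but undocumented", None))
            else:
                doc, act = self.baseline[ci_id], observed[ci_id]
                for attr in sorted(set(doc) | set(act)):
                    if doc.get(attr) != act.get(attr):
                        findings.append((ci_id, "unauthorized or unrecorded change",
                                         (attr, doc.get(attr), act.get(attr))))
        return findings


def run_demo():
    """Constructed scenario: three documented items, two change requests,
    and an observed inventory that has drifted from the documentation."""
    lib = ConfigurationLibrary()
    lib.identify("RTR-001", model="edge-router", firmware="1.2", uplink="T1")
    lib.identify("FW-001", model="firewall", firmware="4.0", ruleset="v7")
    lib.identify("IDS-001", model="ids-sensor", firmware="2.1")
    decisions = [
        lib.review(ChangeRequest("CR-1", "RTR-001", "uplink", "T3", cost=2, benefit=4, risk=2)),
        lib.review(ChangeRequest("CR-2", "FW-001", "ruleset", "v8", cost=1, benefit=3, risk=5)),
    ]
    observed = {  # what a physical audit finds (constructed)
        "RTR-001": {"model": "edge-router", "firmware": "1.2", "uplink": "T3"},
        "FW-001": {"model": "firewall", "firmware": "4.0", "ruleset": "v8"},  # CR-2 was rejected
        "SW-009": {"model": "switch", "firmware": "0.9"},                     # never registered
    }
    return decisions, lib.history, lib.audit(observed)


if __name__ == "__main__":
    decisions, history, findings = run_demo()
    for finding in findings:
        print(finding)
```

The audit flags the firewall ruleset that changed despite a rejected request, the documented sensor that is no longer present, and the switch that was installed without ever entering the baseline.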
For GuardNet, NGB does not have a configuration management plan or
documentation describing the network's current configuration, such as
topology maps and interface control documents. Moreover, NGB is not
performing any of these four elements of the configuration management
process.[Footnote 27] For example, the bureau has not identified
network configuration items, and it does not have documentation on the
network's original or current baseline or on network changes that have
been made over its life. In addition, the bureau has not accounted for
and reported on the status of the network, and it has not audited the
network's configuration.
Further, while NGB established a configuration control board in June
2001 and chartered it to evaluate and decide whether to approve
proposed network changes, this board is not an effective body because
it lacks a configuration management plan and an authoritative
understanding of the network's current configuration. In addition,
board officials told us that changes are made to the network without
the board's knowledge and that funding availability is the board's sole
criterion in deciding whether to implement a change request.
According to bureau officials, knowing the network's configuration and
having a process for managing it have not been bureau priorities, and
thus adequate management attention and resources have not been devoted
to doing either. Bureau officials acknowledge that this needs to
change, and they told us that they plan to correct their configuration
management weaknesses. To this end, configuration control board
officials told us that the board's charter is being revised and that a
configuration management plan and description of the network's current
configuration are being developed. Further, the Army has recently
required states and territories to actively participate in network
configuration management of common user component devices.[Footnote 28]
However, these officials had not set milestones for completing these
ongoing tasks, and GuardNet officials in the three states included in
our review (Virginia, Missouri, and Iowa) told us that they were not
aware of this participation requirement and had not committed resources
to fulfilling it.
The absence of effective network configuration management is a serious
risk that further jeopardizes GuardNet's ability to support current and
potential requirements. Unless this situation is promptly remedied,
users of the network do not have adequate assurance that the network
will perform as intended and to the level needed to support their
respective mission areas.
NGB Does Not Have an Effective Process for Managing GuardNet's
Security:
An effective security management program is essential to ensuring the
confidentiality, integrity, and availability of IT assets. Our research
on best practices for IT security management shows that leading
organizations manage this vital area centrally through a continuous
cycle of risk management.[Footnote 29] The key tasks in this cycle
include (1) identifying and assessing security risks as the basis for
determining security needs and requirements; (2) establishing and
implementing policies and controls that meet security needs and
requirements; (3) conducting tests and evaluations to ensure that
policies and controls have been implemented and are functioning as
intended, and that on the basis of these tests and evaluations,
certifying and accrediting[Footnote 30] mission-critical systems as
secure; and (4) establishing a central, enterprisewide security
management function.
NGB has not adequately satisfied any of these four tenets of effective
IT security management because, according to NGB officials, it has not
treated this area as a mission priority and devoted sufficient
management attention and resources to it. As a result, the bureau does
not know, for example, how vulnerable GuardNet is to attack or when it
is under attack. This means that users of the network, and the critical
missions they perform, are likely being exposed to undue risk.
NGB Has Not Adequately Assessed GuardNet Security Risks and Has Not
Developed a Security Plan:
Our research on leading organizations,[Footnote 31] as well as DOD and
Army policy,[Footnote 32] recognizes that identifying and assessing IT
security risks is an essential step in determining the controls needed
and the resources that should be invested in these controls. Federal
and DOD guidance advocate performing these risk assessments at least
once every 3 years or when a significant change in the system has
occurred. Among other things, these assessments should address the
risks introduced through connections to other networks and the mission
impacts should network security be compromised. Federal and DOD
guidance also advocate developing security plans to define the steps to
be taken and controls to be implemented to mitigate the risks
identified.[Footnote 33] These security plans should be updated
regularly to reflect both significant changes to the system and new and
emerging threats posed by technological advances.
According to NGB-AIS officials, no risk assessment of GuardNet was
performed between 1995 and 2000. In February 2001, a risk assessment of
the Army National Guard Readiness Center's local-area network, which
connects to GuardNet, was prepared, and in October 2001, a draft risk
assessment was developed for GuardNet. However, neither risk assessment
is consistent with the above criteria. The February 2001 assessment was
for a single local-area network, not GuardNet. Further, the October
2001 draft assessment has not been approved, and it did not identify
all threats (e.g., GuardNet's interconnectivity with other entities'
networks and the associated risks, such as the lack of operational
firewalls), and it did not provide an estimate of the potential losses
or damage if network security was breached. Nevertheless, this
assessment still identified potential network vulnerabilities that
could be exploited, such as unauthorized access to information and the
theft or destruction of system software and files.
NGB also has not developed a network security plan. Although NGB-AIS
officials stated that they were in the process of developing this plan
as part of NGB's ongoing efforts to certify and accredit GuardNet, they
could not provide us with any documentation to support this statement.
Moreover, NGB still does not have an approved risk assessment upon
which to base the security plan.
According to NGB officials, because GuardNet security management has
not been a bureau priority, adequate management attention and resources
have not been devoted to assessing network risks and planning for how
to address these risks. As a result, NGB is not in a position to ensure
that its investments in GuardNet include the proper mix of
cost-effective countermeasures for addressing network vulnerabilities.
NGB Has Not Implemented Basic Network Security Controls:
Our research on IT security practices employed by leading organizations
also shows that risk-based and cost-effective security policies and
related procedural and technology controls, such as firewalls, are the
means for protecting a system from compromise, subversion, and
tampering.[Footnote 34] To this end, DOD, the Army, and NGB have
established security policies that can provide for an effective
security program if the needed controls are implemented. The key is for
NGB to comply with applicable DOD and Army policies, such as DOD's
certification and accreditation policy[Footnote 35] and the Army's
information security policy,[Footnote 36] as well as its own policies
and guidance on various topics, such as intrusion detection systems,
external requests for network connections, firewalls, and information
assurance vulnerability alerts.[Footnote 37]
Despite these security policies and guidance, NGB has yet to implement
the security controls needed to satisfy them. For example, Army policy
requires that firewalls be implemented to prevent outside users from
directly accessing nonpublic information.[Footnote 38] According to NGB
officials, the bureau has implemented 54 firewalls to protect the
federally controlled portion of GuardNet, and 38 of the 54 firewalls
needed to protect the state-controlled portion are operational; the
bureau plans to complete this effort in September 2002. In the interim,
NGB officials confirmed that individuals with access to states' systems
could use these unprotected connections as pathways to access Army
National Guard systems. In addition, NGB has yet to certify and
accredit GuardNet as required by DOD policy.
According to NGB-AIS officials, adequate management attention and
resources have not been devoted to implementing needed security
controls. Until these controls are implemented, both GuardNet and other
organizations whose networks are connected to it will remain vulnerable
to attack, and the execution of their respective missions will be in
jeopardy.
NGB Is Not Adequately Monitoring Security Policies and Controls:
IT security management best practices[Footnote 39] and Army
policy[Footnote 40] also recognize the need to continuously monitor
controls through tests and evaluations, commonly referred to as
vulnerability assessments, to ensure that controls have been
appropriately implemented and are operating as intended. This type of
oversight is critical because it enables management to identify and
correct problems in a timely fashion.
NGB is not performing critical monitoring activities to ensure that
implemented controls are operating as intended. According to NGB-AIS
officials, only one vulnerability assessment related to GuardNet has
ever been conducted, and it covered two local-area networks connected
to GuardNet. This assessment showed significant weaknesses, such as
poor password administration (e.g., system administrator and user
accounts that do not require passwords and commonly known default
passwords that have never been changed), a lack of security training
awareness, and poorly configured operating system functions that allow
intruders to bypass security controls and overwrite existing files or
create new ones. Further, NGB security officials, who are responsible
for ensuring that the recommendations resulting from the vulnerability
assessment are implemented, stated that they are not doing so; rather,
they are relying on the operations personnel to evaluate and
appropriately implement needed security controls, and the security
officials do not know whether the recommendations have been
implemented.
NGB officials also told us that while they have placed 54 intrusion
detection devices[Footnote 41] on GuardNet as a security control, these
devices are not continuously monitored. Specifically, NGB-AIS has one
contract employee who is responsible for maintaining the devices and
monitoring the devices' logs to identify attacks on GuardNet. However,
this individual is on duty only during East Coast business hours. As a
result, no one is actively detecting attacks during a portion of
several states' normal business hours. This means that a properly timed
intrusion would likely go undetected. Exacerbating this, according to
NGB officials, is that at any given time, about 10 percent of the 54
devices are not functional.[Footnote 42]
According to NGB officials, monitoring whether security controls have
been implemented according to policies has not been a priority, and
thus adequate resources have not been allocated to it. As a result,
GuardNet is unnecessarily vulnerable to undetected attack, and network
users and their missions are being jeopardized.
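A minimal check for the two monitoring gaps described above, sensors that have gone silent and alerts raised while no one is on duty, as an added example that is not part of the GAO report. The log format, sensor names, 08:00-17:00 shift at a fixed UTC-5 offset, and 15-minute heartbeat limit are assumptions; the log lines are constructed.

```python
from datetime import datetime, time, timedelta, timezone

# Assumptions for this sketch: one analyst on duty 08:00-17:00, Monday-Friday,
# at a fixed UTC-5 offset; a sensor is healthy if it reported within 15 minutes.
STAFF_TZ = timezone(timedelta(hours=-5))
SHIFT_START, SHIFT_END = time(8, 0), time(17, 0)
HEARTBEAT_MAX_AGE = timedelta(minutes=15)

# Constructed sample log: "<UTC timestamp> <sensor> <HEARTBEAT|ALERT> [detail]"
SAMPLE_LOG = [
    "2002-03-04T15:00:00 ids-01 HEARTBEAT",
    "2002-03-04T15:05:00 ids-01 ALERT repeated-login-failures",  # 10:05 at UTC-5
    "2002-03-04T20:10:00 ids-03 HEARTBEAT",                      # last report from ids-03
    "2002-03-04T23:40:00 ids-02 ALERT repeated-login-failures",  # 18:40 at UTC-5
    "2002-03-04T23:50:00 ids-02 HEARTBEAT",
    "2002-03-04T23:55:00 ids-01 HEARTBEAT",
]
EXPECTED_SENSORS = ["ids-01", "ids-02", "ids-03", "ids-04"]
NOW = datetime(2002, 3, 5, 0, 0, tzinfo=timezone.utc)


def parse(line):
    """Split one log line into (aware UTC datetime, sensor, kind, detail)."""
    stamp, sensor, kind, *detail = line.split(maxsplit=3)
    when = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
    return when, sensor, kind, detail[0] if detail else ""


def is_staffed(when):
    """True if the moment falls inside the single analyst's shift."""
    local = when.astimezone(STAFF_TZ)
    return local.weekday() < 5 and SHIFT_START <= local.time() < SHIFT_END


def review(lines, expected_sensors, now):
    """Return sensors with no recent heartbeat and alerts nobody was on duty to see."""
    last_seen, unattended = {}, []
    for line in lines:
        when, sensor, kind, detail = parse(line)
        if kind == "HEARTBEAT":
            last_seen[sensor] = max(when, last_seen.get(sensor, when))
        elif kind == "ALERT" and not is_staffed(when):
            unattended.append((sensor, when.isoformat(), detail))
    silent = sorted(
        s for s in expected_sensors
        if s not in last_seen or now - last_seen[s] > HEARTBEAT_MAX_AGE
    )
    return {"silent_sensors": silent, "unattended_alerts": unattended}


if __name__ == "__main__":
    report = review(SAMPLE_LOG, EXPECTED_SENSORS, NOW)
    print("Silent sensors:", report["silent_sensors"])
    for sensor, when, detail in report["unattended_alerts"]:
        print("Needs after-hours review:", sensor, when, detail)
```

Both lists are inputs to a follow-up queue: silent sensors need repair or replacement, and unattended alerts need review at the start of the next shift or escalation to an on-call contact.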
NGB's Central Organization for Managing Security Is Not Fulfilling Its
Responsibilities:
Our research shows that centralized management is the foundation of an
effective information security management program because it allows the
requisite security knowledge and expertise to be assimilated and
applied on an enterprisewide basis and the other segments of the risk
management cycle to be addressed in an integrated fashion.[Footnote 43]
Central management is especially important for managing the increased
risks associated with a highly connected computing environment, such as
GuardNet, where security weaknesses in one organization's network can
compromise the security of other organizations' IT assets.
NGB has established a central management function that is responsible
for many of the tenets of effective security management, such as
assessing network risks on a periodic basis, developing security plans
to address the risks identified, implementing needed security controls,
and independently ensuring that implemented controls are operating as
intended. However, as previously discussed, NGB's security management
function is not effectively discharging its assigned responsibilities.
NGB officials told us that key security management duties have not been
performed because network security has not been designated a bureau
priority and thus has not received adequate management attention and
resources, including staff. Without satisfying these central security
management responsibilities, the bureau will be unable to assure itself
and other organizations that appropriate steps have been taken to
effectively protect GuardNet and will not know the extent of network
vulnerabilities.
Conclusions:
GuardNet has played an important role in critical mission areas,
including homeland security, and consideration is being given to
expanding this role, thus making the network's ability to support a
range of mission-critical applications in a reliable and secure manner
of paramount importance. However, GuardNet is not ready to meet this
challenge because NGB does not fully know the network's requirements
and is not effectively managing the network. More specifically,
important controls in the three interrelated areas of network
requirements, configuration, and security management are absent,
precluding NGB from fully knowing such things as what the true makeup
of the network is, how and by whom it is being used, how it is
performing, what risks it faces, and what security features are needed.
This absence of controls is due to insufficient NGB management
attention and resources being devoted to these three areas. Without
giving swift and immediate management attention and priority to
limiting network users' current exposure to risk; understanding and
evaluating the network's current requirements, configuration, and
security posture; and developing and implementing plans of action to
appropriately address current network management weaknesses and risks,
the mission effectiveness of not only the bureau, but also all
organizations that either use or are connected to the network, is at
risk.
Recommendations for Executive Action:
To strengthen NGB's management of GuardNet and reduce the risks
associated with federal, state, and local governments relying on it to
perform mission-critical functions, we recommend that the Secretary of
Defense direct the Secretary of the Army to ensure that GuardNet
management is given the priority attention and resources commensurate
with the criticality and importance of the network's current and
potential uses. To this end, we recommend that the Secretary, through
the Secretary of the Army, direct the NGB Chief to immediately:
* develop a complete and comprehensive inventory of network user
organizations;
* fully disclose to these users all known network management weaknesses
and security vulnerabilities;
* advise these users to take appropriate steps to ensure that their
respective needs for reliable and secure network services are met; and
* fully disclose, in a controlled manner, all known network management
weaknesses and security vulnerabilities to all known potential network
users, particularly potential homeland security-related users at the
federal, state, and local government levels.
Next, we recommend that the Secretary of the Army direct the NGB Chief
to ensure that near-term changes to the network are limited to those
needed to address already identified performance and security problems.
During this period of limited network change, we further recommend that
the Chief develop an authoritative and comprehensive baseline
understanding of GuardNet's requirements, configuration, and security
posture.
Next, we recommend that the Secretary of the Army direct the NGB Chief
to correct each network management process weakness discussed in this
report. More specifically, we recommend that the NGB Chief develop
management process improvement plans for requirements management,
configuration management, and security management. We further recommend
that each of these plans, at a minimum, specify measurable goals and
objectives, assign roles and responsibilities, involve network users,
and identify work tasks, implementation schedules, and resource needs.
In addition, we recommend that:
* the requirements management improvement plan provide for establishing
a process that includes (1) developing a requirements management plan,
(2) involving network users in developing and changing requirements,
(3) developing requirements management baseline documentation, such as
a mission needs statement and an operational requirements document, and
(4) establishing controls for assessing and approving proposed changes
to the baseline;
* the configuration management improvement plan provide for
establishing a process that includes (1) identifying and documenting
the network's components/subcomponents (hardware and software), (2)
creating a baseline configuration (development, test, and production
environments) of these component parts, (3) controlling changes to
these configuration baselines through a formal change process that
allows only the NGB-AIS Configuration Control Board to approve changes
to GuardNet, (4) ensuring that network documentation remains current to
enable accurate reporting of changes as the network evolves, and (5)
periodically auditing to ensure that the documentation is complete and
accurate; and
* the security management improvement plan provide for establishing a
process that includes (1) assessing risks to determine security needs,
(2) implementing needed controls in accordance with applicable policy
and guidance, (3) monitoring existing controls to ensure that they are
operating as intended, and (4) ensuring that the network is certified
and accredited in accordance with DOD policy.
Last, we recommend that, until these recommendations are fully
implemented, the NGB Chief report to the Secretary of the Army and
advise the Director of the White House's Office of Homeland Security,
on a quarterly basis, on NGB's progress in implementing each of these
recommendations and the associated reliability and security risks faced
by GuardNet users in the interim.
Agency Comments and Our Evaluation:
In DOD's written comments on a draft of this report signed by the
Acting Chief of NGB (see app. II), the department agreed with our
conclusion that GuardNet is not ready to reliably and securely support
the homeland security mission, and it endorsed the network management
processes that we described as needed. In addition, the department
characterized our report as timely and our recommendations as valued,
and stated that it would use these recommendations to enhance network
services.
However, DOD did not agree with one component of our recommendation
aimed at disclosing to GuardNet users, current and future, all known
network management weaknesses and security vulnerabilities so that
these organizations could take appropriate steps. In particular, the
department did not agree with the need to first establish an inventory
of network users, stating that it would serve no meaningful purpose to
NGB because user lists are maintained by the organization that provides
local-area network access. We understand DOD's point and, in fact,
these user organizations are precisely the users we are referring to in
our recommendation. Therefore, we have modified our recommendation to
refer to "users" as "user organizations" to alleviate any
misunderstanding.
Also, DOD did not agree with our recommendation to develop a security
management improvement plan for establishing an effective security
management process, stating that NGB already addresses GuardNet
security requirements with appropriate representatives, attributing
current security deficiencies to funding inadequacies. We disagree with
DOD because its comments neither provide sufficient basis for the
position it takes nor refute the facts presented in the report that are
the basis for our recommendation. As we state in the report, NGB has
not established an effective security management process for the
network. For example, NGB has not performed a risk assessment to
understand security needs, implemented needed controls, or certified
and accredited GuardNet, each of which is a critical element of an
effective security management process. Accordingly, we recommended that
NGB develop a security management improvement plan that provides for
putting these missing process elements in place. Without this plan,
which should include a provision for adequate resources, NGB's efforts
to address its security management weaknesses are unlikely to be
successful.
Last, the Acting Director of the NGB's Information Systems Division
provided other clarifying comments on our experience in using GuardNet
to video teleconference with Army National Guard officials in Virginia,
which we have incorporated as appropriate in the report.
We are sending copies of this report to interested congressional
committees. We are also sending copies to the Director, Office of
Management and Budget; the Attorney General of the United States; the
Director of the White House's Office of Homeland Security; the
Secretary of Defense; the Secretary of the Army; and the Chief of the
National Guard Bureau. We will also make copies available to others
upon request. The report will be available at no charge on the GAO Web
site at http://www.gao.gov.
If you have any questions regarding this report, please contact me at
(202) 512-3439 or by E-mail at hiter@gao.gov. Key contributors to this
report are listed in appendix III.
Randolph C. Hite
Director, Information Technology
Architecture and Systems Issues:
Signed by Randolph C. Hite:
[End of section]
Appendixes:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The objectives of our review were to determine (1) the current and
potential requirements of the National Guard Bureau's (NGB) GuardNet
and (2) the effectiveness of the processes for managing current and
potential network requirements, the network's configuration, and
network security.
To determine current and potential requirements of the network, we
reviewed industry best practices and Department of Defense (DOD)
guidance,[Footnote 44] as well as draft network diagrams and
performance reports, minutes from the Information Systems (AIS)
Division Configuration Control Board (CCB) meetings, system change
requests, and expenditure and budget documents. We also requested
requirements inventories, documents, and specifications, as well as a
current list of network applications, which we discovered do not exist
for GuardNet. We obtained and reviewed the results of a study
commissioned by NGB's Chief Information Officer (CIO) that primarily
focused on the Distributive Training Technology Project, but also
covered GuardNet performance concerns.[Footnote 45] In addition, we
interviewed officials from NGB's AIS Division, the chairman of the
Information Management Council's Administration and Support Group
(which represents the interests of the 50 states, 3 territories, and
the District of Columbia), and the directors of information management
for 3 states (Virginia, Iowa, and Missouri)[Footnote 46] to identify
network requirements and discuss network use, including the possibility
of a future homeland security mission. We also interviewed NGB's CIO
and officials from its Homeland Security Program Office, as well as the
Information Technology Advisor for DOD's Homeland Security Task Force,
to inquire whether a decision had been made regarding the network's
future use in support of a homeland security mission.
To determine the effectiveness of NGB's process for managing current
and potential network requirements, we reviewed industry best practices
and DOD guidance on establishing such a process and evaluated NGB's
efforts using these criteria.[Footnote 47] We also reviewed management
reports, funding proposals, documentation on network expenditures, CCB
meeting minutes, and system change requests. We interviewed officials
from NGB's CIO organization, AIS Division, the CCB, and the
Distributive Training Technology Project program office, including the
CIO and the Acting Chief of the AIS Division. We selected seven
organizations including three states identified by NGB as participants
in the requirements management process--Defense Logistics Agency,
Defense Information Systems Agency, Forces Command, NGB's Logistics
Division, Virginia, Iowa, and Missouri--and the Information Management
Council's Administration and Support Group chairman to determine their
respective roles in this process. We interviewed officials from the
organizations for which NGB provided a point of contact.
To determine the effectiveness of NGB's process for managing the
network's configuration, we reviewed industry best practices and DOD
policy and guidance on establishing such a process and evaluated NGB's
efforts using these criteria.[Footnote 48] We reviewed draft network
diagrams, minutes of AIS CCB meetings, system change requests, and the
current CCB charter. We also inquired about the status of NGB's efforts
to revise the CCB charter and develop a configuration management plan
and network topology for GuardNet. In addition, we interviewed NGB-AIS
and CCB officials on configuration management processes and practices,
as well as the directors of information management for Virginia, Iowa,
and Missouri on their respective roles in this process.
To determine the effectiveness of NGB's network security management
process, we reviewed industry best practices and DOD policy and
guidance and evaluated NGB's efforts using these criteria.[Footnote 49]
We reviewed security test results, risk analyses, and associated
mitigation plans and progress reports. We also reviewed a certification
and accreditation package for a local-area network and the October 2001
vulnerability assessment test report[Footnote 50] for two local-area
networks. We interviewed NGB-AIS security officials, including the
Computer Emergency Response Team and state officials from Virginia,
Iowa, and Missouri, about their security management programs.
We conducted our work at the Army National Guard Readiness Center,
National Guard headquarters, and the Pentagon in Arlington, Virginia,
and at the Advanced Distributive Learning Co-Laboratory in Alexandria,
Virginia, from March 2002 through September 2002 in accordance with
generally accepted government auditing standards.
[End of section]
Appendix II: Comments from the National Guard:
DEPARTMENTS OF THE ARMY AND THE AIR FORCE NATIONAL GUARD BUREAU 1411
JEFFERSON DAVIS HIGHWAY ARLINGTON, VA 22202-3231:
12 September 2002:
Mr. Joel C. Willemssen:
Managing Director, Information Technology Issues United States General
Accounting Office Washington, DC 20548:
Dear Mr. Willemssen:
Thank you for your thorough review and detailed comments concerning the
National Guard's wide area network, GuardNet. Enclosed is the response
to the tentative findings and recommendations contained in the draft
report.
The National Guard Bureau is committed to providing the highest level
of information technology support possible to our soldiers, our units,
the 54 States, territories and District of Columbia, and the various
communities of interest that rely on GuardNet to support both their
State and Federal missions. The Army National Guard is committed to
operating and maintaining GuardNet in a manner that is consistent with
Department of Defense and Department of the Army policy. I generally
concur with the recommendations in the GAO report and look forward to
using its recommendations as a tool to enhance the service provided to
the various users of GuardNet.
Although not covered in the report, GuardNet has experienced enormous
operational successes in meeting the congressional mandate for
information technology (IT) support for administration, mobilization,
and training (distance learning) of the National Guard. In addition to
this essential congressional priority, we learned in the 9-11 crisis
that GuardNet can provide command and control for local emergencies and
natural disasters. We concur with GAO's conclusions that GuardNet is
not ready to assume this role as a full IT partner for the Homeland
Security mission. However, once that requirement is officially
established and funding provided for the necessary enhancements to
GuardNet, I am confident that GuardNet can participate with others in
providing critical command and control support to the Homeland Security
mission.
The National Guard Bureau is aware and endorses the processes for
managing GuardNet requirements, security, and configuration described
in the GAO report. In many cases NGB had previously identified these
requirements and initiated tasks to document and establish these
processes. The processes and other deficiencies identified do have
management's attention and are extremely important to our program.
Operational exigencies and a dynamic environment have consumed many of
the energies and resources available to the GuardNet function. With
adequate funding, these essential administrative and operational
(security) deficiencies can be corrected and GuardNet with modest
enhancements can become a national resource available to the States for
the Homeland Security mission.
I would hope that this GAO report will stimulate support for fully
funding the GuardNet IT structure and the improvements that will allow
it to function as an integral part of the Homeland Security IT
solution. The National Guard Bureau is already addressing the
deficiencies identified in the GAO report and looking forward to
reporting our progress in completing the corrective action. Our
solutions will include controls to prevent recurrence.
Again, thank you for your timely assessment and valued recommendations
concerning the Army National Guard's wide area network.
Sincerely,
Raymond F. Rees:
Major General, U.S. Army:
Acting Chief, National Guard Bureau:
Signed by Raymond F. Rees:
Enclosure:
Recommendations and Comments United States General Accounting Office
Draft Report (GAO-02-959) National Guard Effective Management Processes
Needed for Wide-Area Network:
Recommendation 1: We recommend that the Secretary, through the
Secretary of the Army, direct the NGB Chief to immediately: (1) develop
a complete and comprehensive inventory of network users; (2) fully
disclose to these users all known network management weaknesses and
security vulnerabilities; (3) advise these users to take appropriate
steps to ensure that their respective needs for reliable and secure
network services are met; and (4) fully disclose, in a controlled
manner, all known network management weaknesses and security
vulnerabilities to all known potential network users, particularly
potential homeland security-related users at the federal, state, and
local government levels.
Comments: Non-concur with the recommendation to develop a comprehensive
inventory of network users. This recommendation would serve no
meaningful purpose at the National Guard Bureau level. User-lists and
their associated network authorizations are maintained by the
organization that provides local area network access. In the next 45
days NGB will develop documentation that identifies the network's
capabilities and limitations to be provided to prospective network
users. This documentation will be placed under configuration control to
ensure it evolves as the network evolves.
Recommendation 2: We recommend that the Secretary of the Army direct
the NGB Chief to ensure that near-term changes to the network are
limited to those needed to address already identified performance and
security problems. During this period of limited network change, we
further recommend that the Chief develop an authoritative and
comprehensive baseline understanding of GuardNet's requirements,
configuration, and security posture.
Comments: Concur. NGB has taken steps to ensure that network
configuration changes are limited to those that are deemed to be
operational necessities. NGB believes the steps taken to limit wide
area network changes meets the intent of this recommendation.
Recommendation 3: We recommend that the NGB Chief develop management
process improvement plans for requirements management, configuration
management, and security management. We further recommend that each of
these plans, at a minimum, specify measurable goals and objectives,
assign roles and responsibilities, involve network users, and identify
work tasks, implementation schedules, and resource needs. In addition,
we recommend that:
(1) the requirements management improvement plan provide for
establishing a process that includes (a) developing a requirements
management plan, (b) involving network users in developing and changing
requirements, (c) developing requirements management baseline
documentation, such as a mission needs statement and an operational
requirements document, and (d) establishing controls for assessing and
approving proposed changes to the baseline;
(2) the configuration management improvement plan provide for
establishing a process that includes (a) identifying and documenting
the network's components/subcomponents (hardware and software); (b)
creating a baseline configuration (development, test, and production
environments) of these component parts; (c) controlling changes to
these configuration baselines through a formal change process that
allows only the NGB AIS configuration control board to approve changes
to GuardNet; (d) ensuring that network documentation remains current to
enable accurate reporting of changes as the network evolves; and (e)
periodically auditing to ensure that the documentation is complete and
accurate; and
(3) the security management improvement plan provide for establishing a
process that includes (a) assessing risks to determine security needs,
(b) implementing needed controls in accordance with applicable policy
and guidance, (c) monitoring existing controls to ensure that they are
operating as intended, and (d) ensuring that the network is certified
and accredited in accordance with DOD policy.
Comments:
Requirements Management: Concur with the intent of this recommendation.
NGB will work more closely with functional representatives to better
define network requirements changes as part of implementing its
configuration management improvement plan.
(2) Configuration Management: Concur. NGB has taken action to allocate
additional resources in FY03 to enhance its configuration management
activities.
Security Management: Non-concur with the recommendation to create and
implement a separate security management improvement plan. NGB
recognizes the importance of information security and continually
addresses information security requirements with representatives of
HQDA and appropriate functional representatives. In the past NGB has
been unable to adequately resource its information security
requirements. However, we anticipate the allocation of additional
resources in FY03 enabling the NGB to address information security in a
more holistic manner.
Recommendation 4: We recommend that, until these recommendations are
fully implemented, the NGB Chief report to the Secretary of the Army
and advise the Director of the White House's Office of Homeland
Security, on a quarterly basis, on NGB's progress in implementing each
of these recommendations and the associated reliability and security
risks faced by GuardNet users in the interim.
Comments: Concur. NGB will provide quarterly updates on the
implementation of the recommendations contained in the GAO report.
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Cynthia Jackson, (202) 512-5086
Staff Acknowledgments:
In addition to the individual named above, key contributors to this
report were Justin Booth, Joanne Fiorino, Sophia Harrison, Anjalique
Lawrence, and William Wadsworth.
FOOTNOTES
[1] Over the years, the network has been called the Distance Learning
Network, the Distributive Training Technology Project (DTTP) network,
and GuardNet XXI. For the purposes of this report, the network is
referred to as "GuardNet." DTTP is used when we refer specifically to
the National Guard's distance learning program.
[2] "First responders" refers to emergency personnel, such as local
police, firefighters, and medical professionals.
[3] Fiscal Year 2002 Defense Authorization Act, Public Law 107-107,
Section 363.
[4] "Network configuration" refers to the hardware and software items
that comprise the network.
[5] Network firewalls are devices or systems that control the flow of
traffic between networks with different security requirements.
Organizations employ firewalls in an attempt to prevent unauthorized
access to the respective systems and resources within the more
sensitive areas.
[6] The three territories are Guam, Puerto Rico, and the U.S. Virgin
Islands.
[7] A wide-area network is a network that provides data communications
to a large number of independent users and spans a relatively large
geographical area.
[8] Armories are buildings where one or more National Guard units may
be housed and where training is conducted.
[9] For the District of Columbia, this commanding officer is referred
to as the "Commanding General."
[10] This DISA-controlled network is called the "Unclassified but
sensitive Internet Protocol Router Network" (NIPRNet).
[11] Hubs are common connection points for devices in a network. They
accept signals from one point and redistribute them to other points in
the network.
[12] OC-3 and T-3 are used to designate a telecommunications line that
can transmit voice and data information at the rate of approximately
155 million bits per second and 45 million bits per second,
respectively, in each direction.
[13] T-1 is used to designate a telecommunications line that transmits
voice and data information at the rate of approximately 1.5 million
bits per second in each direction.
[14] States, territories, and the District of Columbia have either a
Director of Information Management, a Deputy Chief of Staff for
Information Management, or both. These individuals have similar
responsibilities.
[15] See, for example, Institute of Electrical and Electronics
Engineers (IEEE), Standard for Application and Management of the
Systems Engineering Process (IEEE Standard 1220-1998, Jan. 22, 1999);
and the Software Engineering Institute (SEI), Capability Maturity Model
Integration (CMMI), Version 1.1 (March 2002).
[16] Chairman of the Joint Chiefs of Staff Instruction: Requirements
Generation System (CJCSI-3170.01b, Apr. 15, 2001).
[17] Data on the bureau's spending on GuardNet for fiscal years 1995
and 1996 were not available.
[18] C3 Requirements Definition: Using DTTP and GuardNet XXI in Support
of the National Guard C3 Mission, requirements document-report to the
CIO, NGB. (Feb. 14, 2002).
[19] The states that participated in this study were California, Iowa,
Louisiana, New Jersey, New York, Oklahoma, Pennsylvania, Texas,
Virginia, and Washington.
[20] See, for example, IEEE Standard 1200-1998; SEI CMMI, Version 1.1;
Electronic Industries Alliance: National Consensus Standard for
Configuration Management (EIA-649, August 1998); and IEEE/EIA, Industry
Implementation of International Standard ISO/IEC 12207:1995: Standard
for Information Technology-Software Life Cycle Processes (March 1998).
[21] Department of Defense, Military Handbook 61A(SE): Configuration
Management Guidance (Feb. 7, 2001).
[22] These organizations include (1) functional areas within NGB (e.g.,
personnel and logistics); (2) other DOD components, such as DISA, the
Defense Logistics Agency (DLA), and Forces Command; and (3) the 50
states, 3 territories, and the District of Columbia.
[23] The 7 organizations were NGB's Logistics Division, DISA, DLA,
Forces Command, Missouri, Iowa, and Virginia.
[24] NGB officials could not identify an official at the seventh
organization for us to contact.
[25] See, for example, IEEE Standard 1200-1998, and SEI CMMI, Version
1.1.
[26] Military Handbook 61A(SE).
[27] An October 2001 Texas Army National Guard study of GuardNet also
reported that NGB-AIS needed to establish a configuration management
process.
[28] Department of the Army, Army Regulation 25-1: Army Information
Management (May 31, 2002).
[29] U.S. General Accounting Office, Information Security Management:
Learning From Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.:
May 1998).
[30] Certification is the technical and nontechnical evaluation that is
conducted to verify that IT systems comply with security requirements.
Accreditation is the formal declaration that the appropriate safeguards
have been properly implemented and that the residual risk is
acceptable.
[31] GAO/AIMD-98-68.
[32] DOD Instruction 5200.40: DOD Information Technology Security
Certification and Accreditation Process (DITSCAP), (Dec. 30, 1997); DOD
Directive (DODD): Security Requirements for Automated Information
Systems (DODD 5200.28, Mar. 21, 1988); Department of the Army, Army
Regulation 380-19: Information Systems Security (Feb. 27, 1998); and
Army Regulation 25-1.
[33] Office of Management and Budget (OMB), Management of Federal
Information Resources, OMB Circular A-130, Appendix III (Nov. 30,
2000). Additional guidance on effective risk assessment is available in
the National Institute of Standards and Technology publications and in
the U.S. General Accounting Office, Information Security Risk
Assessment: Practices of Leading Organizations, GAO/AIMD-00-33
(Washington, D.C.: November 1999). See also, DODD 5200.28 and Army
Regulation 380-19.
[34] GAO/AIMD-98-68.
[35] DOD Instruction 5200.40.
[36] Army Regulation 380-19.
[37] See for example, NGB's Internal Vulnerability Assessment Policy
for GuardNet, November 2000; NGB's Intrusion Detection System Policy
for GuardNet XXI, November 2000; NGB's External Connection Policy for
GuardNet XXI, November 2000; NGB's Firewall Baseline Security
Configuration Policy for GuardNet XXI, November 2000; and NGB's
Information Assurance Vulnerability Alert Policy for GuardNet XXI,
November 2000.
[38] Army Regulation 380-19.
[39] GAO/AIMD-98-68.
[40] Army Regulation 380-19.
[41] Intrusion detection devices are software or hardware systems that
monitor network traffic and help identify cyberthreats.
[42] The bureau does not compile statistical data on the failure rate
of these devices.
[43] GAO/AIMD-98-68.
[44] Institute of Electrical and Electronics Engineers (IEEE), Standard
for Application and Management of the Systems Engineering Process (IEEE
Standard 1220-1998, Jan. 22, 1999); the Software Engineering Institute
(SEI), Capability Maturity Model Integration (CMMI), Version 1.1,
(March 2002); and Chairman of the Joint Chiefs of Staff Instruction:
Requirements Generation System (CJCSI-3170.01b, Apr. 15, 2001).
[45] C3 Requirements Definition: Using DTTP and GuardNet XXI in Support
of the National Guard C3 Mission, requirements document-report to the
CIO, NGB (Feb. 14, 2002).
[46] We selected these 3 states because (1) Virginia does not have a
state network and, therefore, relies solely on GuardNet to access DOD
and NGB applications and the Internet, and (2) Iowa and Missouri were
recommended by NGB as examples of states that are using GuardNet.
[47] IEEE Standard 1200-1998; SEI CMMI, Version 1.1; and Department of
Defense, Military Handbook 61A(SE): Configuration Management Guidance
(Feb. 7, 2001).
[48] IEEE Standard 1200-1998; SEI CMMI, Version 1.1; Military Handbook
61A(SE); and Department of the Army, Army Regulation 25-1: Army
Information Management (May 31, 2002).
[49] See for example, U.S. General Accounting Office, Information
Security Management: Learning From Leading Organizations, GAO/AIMD-98-68
(Washington, D.C.: May 1998); Office of Management and Budget (OMB),
Management of Federal Information Resources, OMB Circular A-130,
Appendix III (Nov. 30, 2000); DOD Directive (DODD): Security
Requirements for Automated Information Systems (DODD 5200.28, Mar. 21,
1988), and Department of the Army, Army Regulation 380-19: Information
Systems Security (Feb. 27, 1998).
[50] Texas Army National Guard Information Operations Vulnerability
Assessment Team 1, National Guard Bureau: Vulnerability Assessment
Findings Report (Readiness Center, Arlington, Va.: Nov. 1, 2001).