Information Security
The Defense Logistics Agency Needs to Fully Implement Its Security Program
Gao ID: GAO-06-31 October 7, 2005
The Defense Logistics Agency's (DLA) mission is, in part, to provide food, fuel, medical supplies, clothing, spare parts for weapon systems, and construction materials to sustain military operations and combat readiness. To protect the information and information systems that support its mission, it is critical that DLA implement an effective information security program. GAO was asked to review the efficiency and effectiveness of DLA's operations, including its information security program. In response, GAO determined whether the agency had implemented an effective information security program.
Although DLA has made progress in implementing important elements of its information security program, including establishing a central security management group and appointing a senior information security officer to manage the program, it has not yet fully implemented other essential elements. For example, the agency did not consistently assess risks for its information systems; sufficiently train employees who have significant information security responsibilities or adequately complete training plans; annually test and evaluate the effectiveness of management and operational security controls; or sufficiently complete plans of action and milestones for mitigating known information security deficiencies. In addition, DLA has not implemented a fully effective certification and accreditation process for authorizing the operation of its information systems. Key reasons for these weaknesses are that responsibilities of information security employees were not consistently understood or communicated and DLA has not adequately maintained the accuracy and completeness of data contained in its primary reporting tool for overseeing the agency's performance in implementing key information security activities and controls. Until the agency addresses these weaknesses and fully implements an effective agency-wide information security program, it may not be able to protect the confidentiality, integrity, and availability of its information and information systems, and it may not have complete and accurate performance data for key information security practices and controls.
This is the accessible text file for GAO report number GAO-06-31
entitled 'Information Security: The Defense Logistics Agency Needs to
Fully Implement Its Security Program' which was released on October 11,
2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
October 2005:
Information Security:
The Defense Logistics Agency Needs to Fully Implement Its Security
Program:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-31]:
GAO Highlights:
Highlights of GAO-06-31, a report to congressional committees:
Why GAO Did This Study:
The Defense Logistics Agency's (DLA) mission is, in part, to provide
food, fuel, medical supplies, clothing, spare parts for weapon systems,
and construction materials to sustain military operations and combat
readiness. To protect the information and information systems that
support its mission, it is critical that DLA implement an effective
information security program. GAO was asked to review the efficiency
and effectiveness of DLA's operations, including its information
security program. In response, GAO determined whether the agency had
implemented an effective information security program.
What GAO Found:
Although DLA has made progress in implementing important elements of
its information security program, including establishing a central
security management group and appointing a senior information security
officer to manage the program, it has not yet fully implemented other
essential elements. For example, the agency did not consistently assess
risks for its information systems; sufficiently train employees who
have significant information security responsibilities or adequately
complete training plans; annually test and evaluate the effectiveness
of management and operational security controls; or sufficiently
complete plans of action and milestones for mitigating known
information security deficiencies. The table below indicates with an
"X" weaknesses in the implementation of key information security
practices for the 10 DLA systems that GAO reviewed.
Weaknesses in Information Security Practices and Controls:
[See Table 1]
In addition, DLA has not implemented a fully effective certification
and accreditation process for authorizing the operation of its
information systems.
Key reasons for these weaknesses are that responsibilities of
information security employees were not consistently understood or
communicated and DLA has not adequately maintained the accuracy and
completeness of data contained in its primary reporting tool for
overseeing the agency's performance in implementing key information
security activities and controls. Until the agency addresses these
weaknesses and fully implements an effective agencywide information
security program, it may not be able to protect the confidentiality,
integrity, and availability of its information and information systems,
and it may not have complete and accurate performance data for key
information security practices and controls.
What GAO Recommends:
To assist DLA in fully implementing its security program, GAO is making
recommendations to the Secretary of Defense to direct the DLA Director
to take several actions to fully implement key information security
practices and controls.
In commenting on a draft of this report, the Department of Defense
agreed with most of GAO's recommendations and described efforts to
address them. However, the department disagreed with recommendations
related to annual security testing and evaluation, verification of
certification tasks, and the accuracy of performance data in DLA's
reporting tool.
www.gao.gov/cgi-bin/getrpt?GAO-06-31.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory C. Wilshusen at
(202) 512-6244 or wilshuseng@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
DLA Has Not Yet Fully Implemented Its Security Program:
Conclusions:
Recommendations for Executive Actions:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Scope and Methodology:
Appendix II: Comments from the Department of Defense:
Appendix III: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Weaknesses in Information Security Practices and Controls:
Table 2: Percentage of DLA Locations and Systems Subjected to Program
Reviews During the Last 3 Years:
Figure:
Figure 1: Simplified Overview of the Defense Logistics Agency's
Information Assurance Management and Reporting Structure:
Abbreviations:
DOD: Department of Defense:
DLA: Defense Logistics Agency:
FISMA: Federal Information Security Management Act:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
Letter October 7, 2005:
The Honorable John Warner:
Chairman:
The Honorable Carl Levin:
Ranking Minority Member:
Committee on Armed Services:
United States Senate:
The Honorable Duncan L. Hunter:
Chairman:
The Honorable Ike Skelton:
Ranking Minority Member:
Committee on Armed Services:
House of Representatives:
Information security is a critical consideration for any organization
that depends on information systems and computer networks to carry out
its mission. It is especially important for government agencies, where
maintaining the public's trust is essential. Federal agencies face
increasing security risks from viruses, hackers, and others who seek to
disrupt federal operations or obtain sensitive information that is
stored in federal computers. In our reports to Congress since 1997--
most recently in January 2005[Footnote 1]--we have identified
information security as a governmentwide high-risk issue.
The Defense Logistics Agency (DLA) relies extensively on information
systems in supporting America's military forces with food, fuel,
medical supplies, clothing, spare parts for weapons systems, and
construction materials. To protect the information and information
systems that support its operations and assets, it is critical that DLA
implement an effective information security program. Recognizing that
the major underlying cause for the majority of information security
problems in federal agencies is the lack of an effective information
security program, Congress passed the Federal Information Security
Management Act of 2002 (FISMA), which set forth a comprehensive
framework for ensuring the effectiveness of information security
controls over the information resources that support federal operations
and assets.
The National Defense Authorization Act for Fiscal Year 2001 required us
to review the efficiency and effectiveness of DLA's operations. In
response to this mandate, we previously evaluated the effectiveness of
information system general controls[Footnote 2] at one of DLA's
critical business support units and reported significant findings,
conclusions, and recommendations in a "limited official use only"
report in January 2004. As agreed with your offices, the objective for
this review was to determine whether DLA has implemented an effective
agencywide information security program.
We performed our review at DLA facilities in the Washington, D.C.
metropolitan area; Columbus, Ohio; and Denver, Colorado, from September
2004 to July 2005 in accordance with generally accepted government
auditing standards. Details of our scope and methodology are contained
in appendix I.
Results in Brief:
DLA has not yet fully implemented an effective agencywide information
security program to protect the information and information systems
that support its operations and assets. While DLA has implemented
important elements of its information security program--including
establishing a central security management group, appointing a senior
information security officer to manage the program, and ensuring that
employees and contractors receive information security awareness
training--it has not yet fully implemented other elements of its
program. Specifically, risks that could result from the unauthorized
access, use, disclosure, or destruction of information or information
systems were not consistently assessed; employees who had significant
information security responsibilities did not receive sufficient
training, and security training plans sometimes lacked key information;
security testing and evaluation of management and operational controls
were not annually performed; and plans of action and milestones for
mitigating known information security deficiencies were not
sufficiently completed. In addition, DLA has not implemented a fully
effective certification[Footnote 3] and accreditation[Footnote 4]
process for authorizing the operation of its information systems.
Key reasons for these weaknesses are that the responsibilities of key
information security employees were not consistently understood or
communicated and DLA has not maintained the accuracy and completeness
of the data contained in its central management database--the primary
reporting tool for managing and overseeing the agency's performance in
implementing key information security activities and controls. Until
DLA addresses these weaknesses and fully implements an effective,
agencywide information security program, it may not be able to protect
the confidentiality, integrity, and availability of its information and
information systems.
To assist DLA in fully implementing its information security program,
we are making recommendations to the Secretary of Defense to direct the
DLA Director to take several actions to fully implement key information
security practices and controls, including strengthening the process
for certifying and accrediting information systems, and maintaining the
accuracy and completeness of the data contained in DLA's primary
reporting tool.
In providing written comments on a draft of this report, the Deputy
Under Secretary of Defense (Business Transformation) agreed with 7 of
our 10 draft recommendations and described ongoing and planned efforts
to address them. For the remaining recommendations, however, the Deputy
Under Secretary gave reasons for the department's disagreement that did
not address the intent of our recommendations. Accordingly, we have
revised our draft recommendations to make our intent clear. Written
comments from the Deputy Under Secretary of Defense (Business
Transformation) are reprinted in appendix II.
Background:
The dramatic expansion in computer interconnectivity and the rapid
increase in the use of the Internet are changing the way our
government, the nation, and much of the world communicate and conduct
business. Because of the concern about attacks from individuals and
groups, protecting the computer systems that support critical
operations and infrastructures has never been more important. These
concerns are well founded for a number of reasons, such as escalating
threats of computer security incidents, the ease of obtaining and using
hacking tools, the steady advances in the sophistication and
effectiveness of attack technology, and the emergence of new and more
destructive attacks. According to experts from government and industry,
during the first quarter of 2005, more than 600 new Internet security
vulnerabilities were discovered, thereby placing organizations that use
the Internet at risk.
Computer-supported federal operations are likewise at risk. IBM
recently reported that there were over 54 million attacks against
government computers from January 2005 to June 2005.[Footnote 5]
Without proper safeguards, there is risk that individuals and groups
with malicious intent may intrude into inadequately protected systems
and use this access to obtain sensitive information, commit fraud,
disrupt operations, or launch attacks against other computer systems
and networks. How well federal agencies are addressing these risks is a
topic of increasing interest in both Congress and the executive branch.
This is evidenced by recent hearings on information security intended
to strengthen information security.[Footnote 6]
DLA Is a Major Defense Supplier:
DLA is an agency of the Department of Defense (DOD). As DOD's supply
chain manager, DLA provides food, fuel, medical supplies, clothing,
spare parts for weapon systems, and construction materials to sustain
DOD military operations and combat readiness. To fulfill its mission,
DLA relies extensively on interconnected computer systems to perform
various functions, such as managing about 5.2 million supply items and
processing about 54,000 requisition actions per day for goods and
services. DLA employs about 22,575 civilian and military workers,
located at about 500 field locations in 48 states and 28 countries.
In accordance with DOD policy,[Footnote 7] DLA has developed an
agencywide information security program to provide information security
for its operations and assets. The DLA Director is responsible for
ensuring the security of the information and information systems that
support the agency's operations. In carrying out this responsibility,
the Director has delegated to DLA's chief information officer the
authority to ensure that the agency complies with FISMA and with other
information security requirements.
DLA's chief information officer has also designated a senior agency
official to serve as Director of Information Assurance--the agency's
senior information security officer--and to head the central security
management group, commonly referred to as the information assurance
program office. This group carries out specific responsibilities,
including the following:
* documenting and maintaining an agencywide security framework to
assess the agency's security posture, identify vulnerabilities, and
allocate resources;
* establishing and managing security awareness and specialized
professional security training for employees who have significant
security responsibilities;
* ensuring that all systems are certified and accredited in accordance
with both federal and DOD processes;
* providing personnel at headquarters and the DLA locations with
guidance on, and assistance in preparing, system security authorization
agreements--single source data packages for all information pertaining
to the certification and accreditation of a system in order to, among
other things, guide actions, document decisions, specify information
security requirements, and maintain operational systems security; and:
* ensuring that field site personnel accurately assess their locations'
security postures.
Information assurance managers at the various DLA locations directly
report to the information technology chief at their location and are
expected to assist the Director of Information Assurance by
coordinating security activities, establishing and maintaining a
repository for documenting and reporting system certification and
accreditation activities, maintaining and updating system security
authorization agreements, and notifying the designated approving
authority[Footnote 8] of any changes that could affect system security.
Information assurance officers at the various DLA locations assist the
information assurance managers through the following activities:
ensuring that appropriate information security controls are implemented
for an information system, notifying the information assurance manager
when system changes that might affect certification and accreditation
are requested or planned, and conducting annual validation testing of
systems. Figure 1 below shows a simplified overview of DLA's
information assurance management and reporting structure.
Figure 1: Simplified Overview of the Defense Logistics Agency's
Information Assurance Management and Reporting Structure:
[See PDF for image]
[End of figure]
Federal and Departmental Requirements Are to Guide DLA Information
Security Activities:
Congress enacted FISMA to strengthen the security of information and
information systems within federal agencies. FISMA requires each agency
to develop, document, and implement an agencywide information security
program to protect the information and information systems that support
the operations and assets of the agency--including those that are
provided or managed by another agency, a contractor, or some other
source. The program must include the following:
* periodic assessments of the risk and magnitude of harm that could
result from the unauthorized access, use, disclosure, modification,
disruption, or destruction of information or information systems;
* training of personnel who have significant responsibility for
information security and security awareness training to educate
personnel--including contractors and other users of the agency's
information systems--about information security risks and their
responsibilities to comply with the agency's security policies and
procedures;
* periodic testing and evaluation of the effectiveness of the agency's
information security policies, procedures, and practices; and:
* a process for planning, implementing, evaluating, and documenting
plans of action and milestones that are taken to address any
deficiencies in the agency's information security policies, procedures,
and practices.
To support agencies in conducting their information security programs,
the National Institute of Standards and Technology (NIST) is publishing
mandatory standards and guidelines for providing information security
for all agency operations, assets, and information systems other than
national security systems.[Footnote 9] The standards and guidelines
include, at a minimum, (1) standards to be used by all agencies to
categorize their information and information systems based on the
objectives of providing appropriate levels of information security
according to a range of risk levels, (2) guidelines recommending the
types of information and information systems that are to be included in
each category, and (3) minimum information security requirements for
information and information systems in each category.
In addition, DOD has developed and published various directives and
instructions that comprise an information assurance policy framework
that is intended to meet the information security requirements
specified in FISMA and NIST standards and publications. This framework
applies to all of DOD's systems--both national and non-national
security systems--including those operated by or on behalf of DLA.
DLA's policies and procedures for implementing its agency information
security program are contained in DLA's One Book policy and agency
handbook.
DLA Has Not Yet Fully Implemented Its Security Program:
DLA has implemented important elements of an information security
program--including establishing a central security management group,
appointing a senior information security officer to manage the program,
and providing security awareness training for its employees. However,
DLA has not yet fully implemented other essential elements of an
effective information security program to protect the confidentiality,
integrity, and availability of its information and information systems
that support its mission. Collectively, these weaknesses place DLA's
information and information systems at risk. Key underlying reasons for
the weaknesses pertain to DLA's management and oversight of its
security program.
DLA Has Implemented Important Elements of Its Security Program:
In carrying out their information security responsibilities, both the
Chief Information Officer and the Director of Information Assurance
have taken several steps to implement important elements of DLA's
security program, including the following:
* ensuring employees and contractors receive information security
awareness training;
* developing information security procedures and guidance for use in
implementing the requirements of the program;
* deploying information system security engineers to assist
headquarters and field staff in implementing security policies and
procedures consistently across the agency;
* developing an agencywide management tool--known as the Comprehensive
Information Assurance Knowledgebase--to centrally manage and report on
key performance measures, such as the status of security training,
plans of action and milestones, and certification and accreditation
activities; and:
* developing and implementing various automated information technology
initiatives to assist information assurance managers and information
assurance officers in improving DLA's security posture.
Weaknesses Place DLA's Information and Information Systems at Risk:
Weaknesses in information security practices and controls place DLA's
information and information systems at risk. Our analysis of
information security activities for selected systems at 10 DLA
locations showed that the agency had not fully or consistently
implemented important elements of its program. Specifically, risks that
could result from the unauthorized access, use, disclosure, or
destruction of information or information systems were not consistently
assessed; employees who had significant information security
responsibilities did not receive sufficient training, and security
training plans were sometimes not adequately completed; testing and
evaluation of the effectiveness of management and operational security
controls were not adequately performed; and plans of action and
milestones for mitigating known information security deficiencies were
not sufficiently completed. Table 1 indicates with an "X" weaknesses in
the implementation of key information security practices and controls
for selected systems.
Table 1: Weaknesses in Information Security Practices and Controls:
DLA system[A]  Risk assessment  Security training and awareness plan  Security test and evaluation  Plans of action and milestones
1              Yes              No                                    Yes                           Yes
2              No               No                                    No                            Yes
3              Yes              Yes                                   Yes                           Yes
4              Yes              No                                    Yes                           Yes
5              Yes              No                                    Yes                           Yes
6              Yes              Yes                                   Yes                           Yes
7              Yes              No                                    Yes                           Yes
8              Yes              No                                    Yes                           Yes
9              Yes              No                                    Yes                           Yes
10             Yes              Yes                                   Yes                           Yes
Source: GAO analysis of information security documentation contained in
system certification and accreditation packages.
[A] The 10 systems selected consist of local area networks and Web
sites that support a DLA location; production systems, such as those
that form the bulk of the computing environment at a DLA location; or
information systems that have been replicated with the same
configuration and deployed at multiple locations.
[End of table]
DLA Did Not Assess Risks Consistently:
FISMA requires that agencies' information security programs include
periodic assessments of the risk and magnitude of the harm that could
result from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information systems
that support the operations and assets of the agency. Identifying and
assessing information security risks are essential steps in order to
determine what controls are required and what level of resources should
be expended on these controls. NIST has developed guidance to help
organizations protect their information and information systems by
using security controls that are selected through a risk-based process.
DOD established a set of baseline security controls[Footnote 10] for
each of three mission assurance categories[Footnote 11] that determine
what security controls should be implemented. These controls are
adjusted based on an assessment of risk including specific threat
information, vulnerabilities, and countermeasures relative to the
system. Vulnerabilities that are not mitigated are referred to as
residual risk. The designated approving authority considers the
residual risks in determining whether to accredit a system. Such risk
assessments, as part of the requirement to reaccredit systems, are to
be performed prior to a significant change in processing, but at least
every 3 years.
Although DLA categorized its systems in accordance with DOD guidance,
we found that it did not consistently assess the residual risk for 9 of
the 10 systems we selected for review. For example:
* nine did not use the established baseline security controls to assess
the residual risk;
* three did not clearly identify the threats, vulnerabilities, and
countermeasures;
* two did not state how the threats and vulnerabilities would affect
the mission that the system supports;
* one only referenced the security controls as the threat or
vulnerability; and:
* one had not been updated since 2001.
Unless DLA performs risk assessments consistently and assesses them
against the appropriate set of controls, it will not have assurance
that it has implemented appropriate controls that cost-effectively
reduce risk to an acceptable level.
Employees Did Not Receive Sufficient Training and Security Training
Plans Were Sometimes Incomplete:
FISMA mandates that all federal employees and contractors who are
involved in the use of agency information systems be provided training
in information security awareness and that agency heads ensure that
employees with significant information security responsibilities are
provided sufficient training with respect to such responsibilities. An
effective information security program should promote awareness and
provide training so that employees who use computer resources in their
day-to-day operations understand security risks and their roles in
implementing related policies and controls to mitigate those risks. DOD
guidance requires that individuals receive the necessary training to
ensure that they are capable of conducting their security duties and
that each component establish and implement information assurance
training and professional certification programs. DOD also requires
that security awareness and training plans be documented for each
system as part of the certification and accreditation process. These
security training plans specify that training for individuals
associated with a system's operation be appropriate to an individual's
level and area of responsibility. This training should provide
information about the security policy governing the information being
processed, as well as potential threats and the nature of the
appropriate countermeasures.
DLA provided annual security awareness training for employees and
contractors for whom it was appropriate. However, employees with
significant information security responsibilities did not receive
sufficient training. For example, of the 17 information assurance
managers and information assurance officers located where we reviewed
selected systems:
* eleven reported having received some form of training, although eight
of them had received training on only one of their security
responsibilities--developing security documentation;
* six reported never having received any security training; and:
* two reported having received no security training for 2 or more
years.
Further, security training and awareness plans for 3 of the 10 systems
we reviewed were either not system-specific or lacked detailed
information. For example, training plans for 2 systems did not specify,
for each level and area of responsibility, the system operations
appropriate for a given user. The third lacked detailed information
about training objectives, goals, and requirements.
A key reason for these weaknesses is that the individual responsible
for monitoring the agency's security training program had other
significant responsibilities and was not able to effectively ensure
that employees received the required training. As a result, DLA does
not have assurance that employees with significant security
responsibilities are equipped with the knowledge and skills they need
to understand information security risks and their roles and
responsibilities in implementing related policies and controls to
mitigate those risks.
Security Testing and Evaluation of Management and Operational Controls
Were Not Annually Performed:
Another key element that FISMA requires of an information security
program is periodic testing and evaluation of the effectiveness of
information security policies, procedures, and practices, to be
performed with a frequency based on risk, but not less than annually.
FISMA requires that such testing and evaluation cover the management,
operational, and technical controls[Footnote 12] of every system
identified in an agency's information systems inventory.[Footnote 13]
DOD policy requires periodic reviews of operational systems at
predefined intervals.[Footnote 14] Such reviews include testing and
evaluating the technical implementation of the security design of a
system and ascertaining that security software, hardware, and firmware
features affecting the confidentiality, integrity, availability, and
accountability of information and information systems have been
implemented and documented. The results of testing and evaluation of
security controls are to be used in the decision-making process for
authorizing systems to operate. Further, DLA's One Book policy requires
information assurance managers and information assurance officers to
use the security test and evaluations as the method for validating the
adequacy of management, operational, and technical controls, at least
annually.
DLA did not annually test and evaluate the management and operational
security controls of its systems. According to DLA officials,
vulnerability scans[Footnote 15] and information assurance program
reviews[Footnote 16] collectively satisfied the annual requirement for
testing and evaluating management, operational, and technical controls.
However, the combination of the vulnerability scans and the program
reviews did not satisfy the annual requirement. Although DLA generally
assessed technical controls by conducting annual vulnerability scans on
its systems, it did not annually assess the management and operational
controls for each of its systems. While the program reviews are
intended to satisfy the requirement for testing and evaluating the
management and operational controls, DLA does not conduct these reviews
annually on every system. For example, fewer than half of DLA's
locations and systems in any category have undergone program reviews in
the last 3 years, as shown in table 2.
Table 2: Percentage of DLA Locations and Systems Subjected to Program
Reviews During the Last 3 Years:
System category                                  Percent
Vital to operations                              43%
Important in support of military forces          26%
Necessary for day-to-day operations               8%
Source: GAO analysis of DLA data.
[End of table]
Until DLA tests and evaluates management and operational controls
annually, critical systems may contain vulnerabilities that have not
been identified or appropriately considered in decisions to authorize
systems to operate. Moreover, DLA may not be able to ensure the
confidentiality, integrity, and availability of the sensitive data that
its systems process, store, and transmit.
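The distinction the report draws here, that an annual vulnerability scan is evidence for technical controls only and does not discharge the annual requirement for management and operational controls, is easy to lose in an inventory spreadsheet. The following is an added example, not code from the GAO report or from DLA, that models a system inventory with two kinds of evidence (last vulnerability scan, last program review) and checks each system against the FISMA ceiling of one year per control family; it also computes a Table 2 style three-year program-review coverage figure per system category. The record layout, the system names, the category labels and the dates are constructed sample data and assumptions for illustration.

```python
"""Annual test-and-evaluation coverage check (added example, not from the report).

Evidence model (an assumption for this example):
  - a vulnerability scan tests technical controls only;
  - an information assurance program review tests management and
    operational controls.
So a system scanned every year but reviewed only once every few years is
compliant for "technical" and overdue for the other two families.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# FISMA: frequency based on risk, but not less than annually.
MAX_INTERVAL = timedelta(days=365)
CONTROL_FAMILIES = ("management", "operational", "technical")


@dataclass(frozen=True)
class SystemRecord:
    name: str
    category: str
    last_vuln_scan: Optional[date]       # evidence for technical controls
    last_program_review: Optional[date]  # evidence for management + operational controls


def _fresh(evidence: Optional[date], as_of: date, max_age: timedelta) -> bool:
    """True if the evidence exists and is no older than max_age at as_of."""
    return evidence is not None and as_of - evidence <= max_age


def overdue_families(rec: SystemRecord, as_of: date,
                     max_age: timedelta = MAX_INTERVAL) -> List[str]:
    """Control families with no test evidence within max_age of as_of."""
    evidence = {
        "management": rec.last_program_review,
        "operational": rec.last_program_review,
        "technical": rec.last_vuln_scan,
    }
    return [fam for fam in CONTROL_FAMILIES if not _fresh(evidence[fam], as_of, max_age)]


def program_review_coverage(inventory: List[SystemRecord], as_of: date,
                            window: timedelta = timedelta(days=3 * 365)) -> Dict[str, int]:
    """Percent of systems per category with a program review inside the window."""
    totals: Dict[str, int] = {}
    covered: Dict[str, int] = {}
    for rec in inventory:
        totals[rec.category] = totals.get(rec.category, 0) + 1
        if _fresh(rec.last_program_review, as_of, window):
            covered[rec.category] = covered.get(rec.category, 0) + 1
    return {cat: round(100 * covered.get(cat, 0) / n) for cat, n in totals.items()}


# Constructed sample inventory; names, categories and dates are made up.
AS_OF = date(2005, 7, 31)
INVENTORY = [
    SystemRecord("SYS-A", "Vital to operations", date(2005, 6, 1), date(2005, 3, 15)),
    SystemRecord("SYS-B", "Vital to operations", date(2005, 5, 20), date(2002, 5, 1)),
    SystemRecord("SYS-C", "Important in support of military forces", date(2005, 4, 2), None),
    SystemRecord("SYS-D", "Important in support of military forces", date(2004, 6, 30), date(2005, 2, 1)),
    SystemRecord("SYS-E", "Necessary for day-to-day operations", date(2005, 7, 1), date(2001, 12, 1)),
]
BY_NAME = {rec.name: rec for rec in INVENTORY}


def overdue_report(inventory: List[SystemRecord], as_of: date) -> Dict[str, List[str]]:
    """Map system name -> overdue control families (empty list means compliant)."""
    return {rec.name: overdue_families(rec, as_of) for rec in inventory}


if __name__ == "__main__":
    for name, fams in overdue_report(INVENTORY, AS_OF).items():
        print(f"{name}: {'compliant' if not fams else 'overdue for ' + ', '.join(fams)}")
    for cat, pct in program_review_coverage(INVENTORY, AS_OF).items():
        print(f"{cat}: {pct}% reviewed in last 3 years")
```

Run against the sample data, SYS-B and SYS-C show the pattern the report describes (scanned this year, yet overdue for management and operational controls), while SYS-D shows the opposite gap (reviewed recently, scan older than a year). The `max_age` parameter is there so a risk-based schedule can be tighter than a year for high-criticality systems; it should never be set looser, since a year is the FISMA ceiling, not a target.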
Plans of Action and Milestones Were Incomplete:
FISMA requires each agency to develop a process for planning,
implementing, evaluating, and documenting remedial action plans to
address any deficiencies in its information security policies,
procedures, and practices. Developing effective corrective action plans
is key to ensuring that remedial action is taken to address significant
deficiencies. The Office of Management and Budget (OMB) requires agency
chief information officers to document and report all agency
information assurance weaknesses and remedial actions in plans of
action and milestones. The plans should list each security weakness and
the tasks, resources, milestones, and scheduled completion dates for
remedying each weakness.
The plans of action and milestones associated with the 10 systems we
selected for review were incomplete. For example:
* none of the plans clearly documented and reported the nature of the
weakness being addressed;
* seven did not identify the start or completion dates for addressing
the weakness;
* none specified the resources necessary to complete the action plan;
* nine did not list the risk associated with the security weakness;
* six were not based on the correct set of baseline security controls;
and
* one plan contained steps to identify vulnerabilities rather than the
steps required to remedy vulnerabilities.
A key reason for these weaknesses is that information assurance
managers and information assurance officers reported that they did not
understand the requirements for reporting system security
vulnerabilities because DLA had not provided specific criteria or
instructions on what--or how--to document and report plans of action
and milestones for system deficiencies. Having reliable plans of action
and milestones is not only vital to ensuring that DLA's information and
information systems receive adequate protection, but it is also
important for accurately managing and reporting progress on them.
Without reliable plans, DLA does not have assurance that all
information security weaknesses have been reported and that corrective
actions will be taken to appropriately address the weaknesses.
Certification and Accreditation Process Was Not Fully Effective for
Authorizing Systems:
OMB requires that agencies establish a certification and accreditation
process for formally authorizing systems to operate. Certification and
accreditation is the requirement that agency management officials
formally authorize their information systems to process information,
thereby accepting the risk associated with their operation. This
management authorization (accreditation) is to be supported by a formal
technical evaluation (certification) of the management, operational,
and technical controls established in an information system's security
plan. The accreditation decision results in (1) a full authorization to
operate,[Footnote 17] (2) an interim authorization to operate,[Footnote
18] or (3) no authorization to operate. DOD instructions[Footnote 19]
and DLA's agency handbook provide guidance on the certification and
accreditation process.
According to DLA officials, the agency has adopted the practice of
issuing authorization to operate decisions on a "time-limited" basis,
regardless of whether certification tasks have been completed, out of
concern that OMB might not support funding for systems that received an
interim authorization to operate decision. However, OMB, DOD, and DLA
policies and procedures do not allow for "time-limited" authorizations;
when not all certification tasks have been completed, they require an
interim authorization to operate decision. To illustrate, the
designated approving authority for one of the ten systems we reviewed
changed the system's status from an interim authorization to operate to
a "time-limited" authorization to operate even though several action
items required for authorization had not been met: for example,
information assurance personnel had not updated the security plan or
completed a risk assessment. This type of authorization is not allowed
under current guidance. Unless DLA complies with the requirements for
issuing accreditation decisions, it will not have assurance that its
information systems are operating as intended and meeting security
requirements.
In addition, DLA did not effectively implement controls to verify the
completion of certification tasks. As designed and implemented, DLA
divides the responsibilities of the system certifier among the
information assurance personnel at its locations and a central review
team within the information assurance program office. To help ensure
quality over the certification process, the central review team
established a DLA quality review checklist to verify the certification
tasks performed by the information assurance personnel. However, under
the current process, the central review team did not interview
information assurance personnel at the locations or conduct on-site
visits to verify that certification tasks were performed. Instead, it
relied on documentation submitted by the information assurance
personnel who performed the certification tasks, and this documentation
was not always adequate. For example, the checklist asked whether
physical access controls were adequate to protect all facilities
housing user workstations, but for the central review team to verify
that, it would have needed either an on-site inspection or a diagram of
the facility or other documentation demonstrating the physical access
controls in place. As a result, the certification process may not
provide the authorizing official with objective or sufficient
information that is necessary to make credible, risk-based decisions on
whether to place an information system into operation.
Improvements Are Needed in Managing and Overseeing the Security
Program:
Key underlying reasons for the weaknesses in DLA's information security
program were that the responsibilities of information assurance
managers and information assurance officers were not consistently
understood or communicated across the 10 DLA locations we reviewed and
the information assurance program office did not maintain the accuracy
and completeness of the data contained in the agency's primary
reporting tool for managing and overseeing the agencywide information
security program. The information assurance program office--as the
agency's central security management group for managing and overseeing
the security program--is responsible for providing overall security
policy and guidance, along with oversight to ensure information
assurance managers and information assurance officers adequately
perform or execute required information security activities such as
those related to performing risk assessments, satisfying security
training requirements, testing and evaluating the effectiveness of
controls, documenting and reporting plans of action and milestones, and
certifying and accrediting systems.
Although the information assurance program office developed information
security policies and procedures, it did not maintain them to ensure
information assurance personnel had current and sufficient
documentation to carry out their responsibilities. For example, of the
17 information assurance managers and information assurance officers at
the 10 locations we reviewed:
* nine were unaware of the requirement for security training specific
to an employee's information security responsibilities; and
* three were unaware of the requirement to perform annual self
assessments, while ten others had varying understandings of how this
requirement was to be met.
In addition, data on key information security activities contained in
the primary reporting tool were inaccurate or incomplete. For example,
* for a year, the information assurance program office had not entered
weaknesses that had been identified during information assurance
program reviews into the primary reporting tool;
* information assurance personnel at DLA locations used personal
discretion for determining whether or not to report a system deficiency
to the information assurance program office for entry and compilation
in the primary reporting tool, thereby potentially underreporting
agency level plans of action and milestones; and
* information assurance personnel at both headquarters and the DLA
locations did not consistently enter key performance metrics related to
plans of action and milestones and security training, thereby
potentially underreporting important information used to gauge the
health of the security program.
A key reason for these weaknesses was that DLA had no documentation of
the primary reporting tool's design or intended use and, therefore, had
no instructional material to guide its users. As a result, the data in the
primary reporting tool were not reliable or effective for reporting
metrics to DOD and OMB for FISMA evaluation reporting. Moreover,
because the key information had not been entered into the database, the
agency did not readily have all the information about the deficiencies
of its program and, therefore, did not have complete information about
the security posture of its program.
DLA senior officials recognize that the agency's primary reporting tool
has not been effectively implemented and used to manage and oversee the
security program. Therefore, the agency developed an ad hoc process of
data calls to the DLA locations to aggregate the performance data.
However, continuation of this ad hoc process will likely not provide
the reliable data needed to consistently satisfy FISMA reporting
requirements. Until agencywide policies and procedures are sufficiently
documented and implemented and are consistently understood and used
across the agency, DLA's ability to protect the information and
information systems that support its mission will be limited.
Conclusions:
DLA has not fully implemented its agencywide information security
program, thereby jeopardizing the confidentiality, integrity, and
availability of the information and information systems that it relies
on to accomplish its mission. Specifically, DLA has not consistently
implemented important information security practices and controls,
including consistently assessing risk; ensuring that training is
provided for employees who have significant responsibilities for
information security, and that security training plans are updated and
maintained; annually testing and evaluating the effectiveness of
management, operational and technical controls; documenting and
reporting complete plans of action and milestones; implementing a fully
effective certification and accreditation process; and maintaining the
accuracy and completeness of the data contained in the primary
reporting tool. Although DLA's efforts in developing and implementing
its information security program have merit, it has not taken all the
necessary steps to ensure the security of the information and
information systems that support its operations. Ensuring that the
agency implements key information security practices and controls
requires top management support and leadership and consistent and
effective management oversight and monitoring. Until DLA takes steps to
address these weaknesses and fully implements its information security
program, it will have limited assurance that agency operations and
assets are adequately protected.
Recommendations for Executive Actions:
To assist DLA in fully implementing its information security program,
we are making recommendations to the Secretary of Defense to direct the
DLA Director to implement key information security practices and
controls by:
* consistently assessing risks that could result from the unauthorized
access, use, disclosure or destruction of information and information
systems;
* ensuring that training is provided for employees who have significant
responsibilities for information security;
* ensuring that security training plans are updated and maintained;
* ensuring appropriate monitoring of the agency's security training
program;
* ensuring that annual security test and evaluation activities include
management, operational, and technical controls of every information
system in DLA's inventory;
* documenting and reporting complete plans of action and milestones;
* establishing specific guidance or instructions to information
assurance managers and information assurance officers on what--or
how--to document and report plans of action and milestones for system
deficiencies;
* discontinuing the practice of issuing "time-limited" authorization to
operate accreditation decisions when certification tasks have not been
completed;
* ensuring that the DLA central review team verifies that certification
tasks have been completed; and
* maintaining the accuracy and completeness of the data contained in
the agency's primary reporting tool for recording, tracking, and
reporting performance metrics on information security practices and
controls.
Agency Comments and Our Evaluation:
In providing written comments on a draft of this report (reprinted in
app. II), the Deputy Under Secretary of Defense (Business
Transformation) concurred with most of our recommendations and
described ongoing and planned efforts to address them. Specifically, he
stated that DLA has taken several actions to fully implement an
effective agencywide information security program, including publishing
a DOD manual that will soon be released to provide detailed guidance on
training for employees who have significant information security
responsibility. He also stated that DLA is issuing an interim mandatory
guide that will soon be released to assist users in documenting and
preparing plans of action and milestones, and reinforcing policy
requirements for making accreditation decisions.
The Deputy Under Secretary of Defense disagreed with our draft
recommendation to ensure the testing and evaluation of the
effectiveness of security controls for all systems annually. He stated
that this recommendation would require all information assurance
controls for all systems be tested and evaluated every year, which
essentially amounts to annual recertification. The department further
stated that the level of test and evaluation is neither practical nor
cost-effective and that the combination of DLA's assessments, tests,
and reviews allow them to ensure compliance of their controls in
accordance with DOD Instruction 8500.2.
The intent of our draft recommendation was not to require that all
information assurance controls for all systems be tested and evaluated
annually. Rather, the intent of our draft recommendation, consistent
with FISMA requirements, was to ensure that DLA's annual security test
and evaluation activities include management, operational, and
technical controls of every information system in its inventory. As
stated in our report, while DLA generally assessed technical controls
annually of every system in its inventory, it did not annually test and
evaluate management and operational controls of those systems. We agree
that testing and evaluating all controls for every system annually may
not be cost-effective. However, unless DLA's annual testing and
evaluation activities include management and operational controls, as
well as the technical controls of its systems, it may not be able to
ensure the confidentiality, integrity, and availability of its
information and information systems. Accordingly, we have clarified our
recommendation to state that the Secretary of Defense direct the DLA
Director to ensure that annual security test and evaluation activities
include management, operational, and technical controls of every
information system in DLA's inventory.
The Deputy Under Secretary of Defense also disagreed with our draft
recommendation to document procedures for performing certification
responsibilities that include specific responsibilities related to
using the checklist. He stated that the Secretary of Defense provided
sufficient direction to agency directors on the certification and
accreditation process through DOD Instruction 5200.40, and that
additional guidelines on the certification and accreditation process
are provided in DOD 8510.1-M. He further stated that DOD 8510.1-M
contains a "minimum activities checklist" that all DOD Components are
expected to follow when conducting certifications and that DLA's
information assurance One Book policy includes roles and
responsibilities for performing security certification and
accreditation.
Our draft recommendation refers to the DLA quality review checklist
used by the agency's central review team to verify completion of
certification tasks, not to the DOD "minimum activities checklist"
described in DOD 8510.1-M. Unless certification tasks performed by
information assurance personnel at the various DLA locations have been
verified, the authorizing official may not have objective or sufficient
information that is necessary to make credible, risk-based decisions on
whether to place an information system into operation. Accordingly, we
have clarified our recommendation to state that the Secretary of
Defense direct the DLA Director to ensure that the DLA central review
team verifies that certification tasks have been completed.
The Deputy Under Secretary of Defense also disagreed with our draft
recommendation to update and maintain the agency's primary reporting
tool for recording, tracking, and reporting performance metrics on
information security practices and controls. He stated that the primary
reporting tool was developed and maintained by DLA and that
responsibility for updating and sustaining the tool was transferred to
an internal application development team for continued maintenance and
support. He also stated that DLA initiated implementation of enterprise
standard DOD solutions that will replace the functionality currently
provided by the agency reporting tool and that sustainment of the tool
would not be cost effective or efficient.
The intent of our draft recommendation was to update and maintain the
accuracy and completeness of data entered into DLA's primary reporting
tool, not the application programs. While DLA has several initiatives
underway at various stages of development and implementation that are
intended to introduce new functionality or replace some of the existing
functionality in the agency reporting tool, none of these initiatives
have been fully implemented throughout the agency. If DLA continues to
use a tool for managing and overseeing its information assurance
program, the fundamental practice of having accurate and complete
data--whether in the current tool or in a future tool--is important to
ensure the data are reliable for reporting performance metrics on key
information security practices and controls to DOD and OMB for FISMA
evaluation reporting. Accordingly, we have clarified our recommendation
to state that the Secretary of Defense direct the DLA Director to
maintain the accuracy and completeness of the data contained in the
agency's primary reporting tool for recording, tracking, and reporting
performance metrics on information security practices and controls.
We are sending copies of this report to the Deputy Under Secretary of
Defense (Business Transformation); Assistant Secretary of Defense,
Networks and Information Integration; DLA Director; officials within
DLA's Information Operations and Information Assurance office; and the
Acting DOD Inspector General. We will also make copies available to
others upon request. In addition, this report will be available at no
charge on the GAO Web site at [Hyperlink, http://www.gao.gov].
If you have any questions regarding this report, please contact me at
(202) 512-6244 or by e-mail at [Hyperlink, wilshuseng@gao.gov]. Contact
points for our Offices of Congressional Relations and Public Affairs
may be found on the last page of this report. Key contributors to this
report are listed in appendix III.
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
[End of section]
Appendixes:
Appendix I: Scope and Methodology:
To determine whether the Defense Logistics Agency (DLA) had implemented
an effective agencywide information security program, we reviewed the
Department of Defense (DOD) and agencywide information security
policies, directives, instructions, and handbooks. We also evaluated
DLA's agencywide tool--the Comprehensive Information Assurance
Knowledgebase--for aggregating the agency's performance data on
information security activities that are required by the Federal
Information Security Management Act of 2002 (FISMA), such as the number
and percentage of risk assessments performed, employees with
significant information security responsibilities that received
training to perform their duties, and weaknesses for which the agency
had plans of action and milestones. To gain insight into DLA's
certification and accreditation process, we reviewed the agency's
methods and practices for identifying vulnerabilities and risks and the
process for certifying systems and making accreditation decisions. We
assessed whether DLA's information security program was consistent with
relevant DOD policies and procedures, as well as with the requirements
of FISMA, applicable Office of Management and Budget (OMB)
policies,[Footnote 20] and National Institute of Standards and
Technology (NIST) guidance.
We also assessed whether selected information security plans and
documents related to risk assessments, testing and evaluation, and
plans of action and milestones were current and complete. To accomplish
this, we non-randomly selected 10 sensitive but unclassified
systems.[Footnote 21] The 10 systems came from 10 different DLA
locations and included 3 systems, 4 sites, and 3 types.[Footnote 22] We
selected these systems to maximize variety in criticality and
geographic locations. We also conducted telephone interviews with 17
information assurance managers and information assurance officers from
the 10 locations in order to gain insight into their understanding of
FISMA requirements, relevant OMB policies, NIST guidance, and
agencywide and DOD policies and procedures.
We performed our review at DLA Headquarters, located at Ft. Belvoir,
Virginia; DLA Supply Center, located at Columbus, Ohio; and DLA's
Business Processing Center, located at Denver, Colorado, from September
2004 to July 2005, in accordance with generally accepted government
auditing standards.
[End of section]
Appendix II: Comments from the Department of Defense:
OFFICE OF THE UNDER SECRETARY OF DEFENSE:
3000 DEFENSE PENTAGON:
ACQUISITION, TECHNOLOGY AND LOGISTICS:
WASHINGTON, DC 20301-3000:
SEP 21 2005:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
441 G Street, N. W.
Washington, D.C. 20548:
Dear Mr. Wilshusen:
This is the Department of Defense (DoD) response to the Government
Accountability Office (GAO) Draft Report, GAO-05-901, INFORMATION
SECURITY: The Defense Logistics Agency Needs to Fully Implement Its
Security Program, dated August 19, 2005, (GAO Code 310542).
The Department has DoD instructions that comply with four of the ten
recommendations and is preparing to issue detailed interim mandatory
guidance for three additional recommendations. However, we non-concur
with the remaining three recommendations. Our response to all ten GAO
recommendations is enclosed.
We appreciate the opportunity to provide comments on the draft report
and look forward to on-going engagement and discussion with the GAO in
the area of Information Security.
Sincerely,
Signed by:
Paul Brinkley,
Deputy Under Secretary of Defense,
(Business Transformation):
Enclosure: As Stated:
GAO DRAFT REPORT - DATED AUGUST 19, 2005:
GAO CODE 310542/GAO-05-901:
"INFORMATION SECURITY: THE DEFENSE LOGISTICS AGENCY NEEDS TO FULLY
IMPLEMENT ITS SECURITY PROGRAM":
DEPARTMENT OF DEFENSE COMMENTS TO THE RECOMMENDATIONS:
RECOMMENDATION 1: The GAO recommended that the Secretary of Defense
direct the DLA Director to implement key information security practices
and controls by: consistently assessing risks that could result from
the unauthorized access, use, disclosure or destruction of information
and information. (p. 21/GAO Draft Report):
DOD RESPONSE: Concur. Department of Defense Instruction (DoDI) 8500.2
directs all services and agencies to assess risks that could result
from the unauthorized access, use, disclosure or destruction of
information and information. Experience has shown that identifying
specific threats to individual information systems can be a difficult,
expensive, time consuming task that often ultimately relies on
subjective judgment. DoDI 8500.2 uses the baseline sets of IA Controls
to mitigate risk based on the value of the information protected. This
value is expressed in terms of Mission Assurance Category (MAC) for
availability and integrity capabilities and Confidentiality Level for
classification, sensitivity, or need-to-know. Essentially, as DoD
assigns greater value to information (i.e., gives it a higher MAC or
Confidentiality Level) it protects against a greater assumed threat.
This is accomplished both by increasing the number of IA Controls and,
in appropriate cases, making the IA Controls more stringent as the
value of the information increases. This is not to say that Designated
Accrediting/Approving Authority (DAA) shouldn't be concerned about
special threat considerations but, as a general rule, if the IA
Controls for a particular MAC and confidentiality Level are properly
applied and tested, the system is adequately protected.
RECOMMENDATION 2: The GAO recommended that the Secretary of Defense
direct the DLA Director to implement key information security practices
and controls by: ensuring that training is provided for employees who
have significant responsibilities for information security. (p. 21/GAO
Draft Report):
DOD RESPONSE: Concur. DoD Directive 8570.1, Information Assurance (IA)
Training, Certification, and Workforce Management released in August
2004 directs training for all DoD affiliated individuals with
significant IA responsibilities. Draft DoD 8570.1-M, the manual that
provides detailed implementation guidance for IA training, is in the
final stage of coordination and will be released soon. Additionally,
the Director, DLA reports that in May 2004, the DLA Chief Information
Officer (CIO) was briefed on weaknesses in the area of IA skills and
qualifications. Prior to GAO's completion of this report the DLA IA
Program Office took steps to develop a Comprehensive IA Training
Program plan to include a work breakdown structure for IA functions, IA
tasks and skills qualification requirements, identification of sources
to provide DoD IA training requirements, and training metrics. DLA
recognized weaknesses and deficiencies in the area of IA training and
took proactive steps to address this problem. Copies of the afore-
mentioned briefing and Statement of Work regarding the IA training
program were provided to GAO.
RECOMMENDATION 3: The GAO recommended that the Secretary of Defense
direct the DLA Director to implement key information security practices
and controls by: ensuring that security training plans are updated and
maintained. (p. 22/GAO Draft Report):
DOD RESPONSE: Concur. See response to Recommendation #2, above.
RECOMMENDATION 4: The GAO recommended that the Secretary of Defense
direct the DLA Director to implement key information security practices
and controls by: having a dedicated individual responsible for
monitoring the agency's security training program. (p. 22/GAO Draft
Report):
DOD RESPONSE: Concur. DoD Directive 8500.1, "Information Assurance,"
October 24, 2002 requires that the Heads of DoD Components ensure that
IA awareness, training, education, and professionalization are provided
to all Component personnel commensurate with their respective
responsibilities for developing, using, operating, administering,
maintaining, and retiring DoD information systems. DoD Directive 8570.1
reinforces this guidance and DoD 8570.1-M will provide detailed
guidance on agencies' IA training programs.
RECOMMENDATION 5: The GAO recommended that the Secretary of Defense
direct the DLA Director to implement key information security practices
and controls by: ensuring the testing and evaluating of the
effectiveness of security controls for all systems annually. (p. 22/GAO
Draft Report):
DOD RESPONSE: Non-Concur. This recommendation would require all IA
controls for all systems be tested and evaluated every year, which
essentially amounts to annual recertification. The burden associated
with this level of test and evaluation is neither practical nor cost
effective. DLA's strategy for ensuring compliance with DoD IA controls
meets the requirements stipulated in E3.3.10 of DODI 8500.2 by requiring
a combination of self assessments, independent assessments and audits,
formal testing and certification activities, host and network
vulnerability or penetration testing, and IA program reviews. We
believe this strategy is sufficient to achieve appropriate test and
evaluation of security controls.
RECOMMENDATION 6: The GAO recommended that the Secretary of Defense
direct the DLA Director to implement key information security practices
and controls by: documenting and reporting complete plans of action and
milestones. (p. 22/GAO Draft Report):
DOD RESPONSE: Concur. The Assistant Secretary of Defense for Networks
and Information Integration/DoD Chief Information Officer (ASD NII/DoD
CIO) is finalizing for issuance, detailed interim mandatory guidance on
the preparation and submission of Plans of Actions and Milestones
(POA&M). That guidance will subsequently be incorporated into permanent
DoD policies, as appropriate. The DLA One Book currently requires POA&M
as part of the DLA security certification effort and will be modified
as necessary to comply with the new DoD policy when it is issued.
RECOMMENDATION 7: The GAO recommended that the Secretary of Defense
direct the DLA Director to implement key information security practices
and controls by: establishing specific guidance or instructions to
information assurance officers on what or how to document and report
plans of action and milestones for system deficiencies. (p. 22/GAO
Draft Report):
DOD RESPONSE: Concur. See response to Recommendation #6, above.
RECOMMENDATION 8: The GAO recommended that the Secretary of Defense
direct the DLA Director to implement key information security practices
and controls by: discontinuing the practice of issuing "time-limited"
authorization to operate accreditation decision. (p. 22/GAO Draft
Report):
DOD RESPONSE: Concur. The interim POA&M guidance discussed in the
response to Recommendation #6 above establishes criteria that preclude
issuance of a "time limited" ATO when an IATO is appropriate. This
policy direction will be reinforced by a new DoD instruction on
certification and accreditation that will be issued this calendar year.
RECOMMENDATION 9: The GAO recommended that the Secretary of Defense
direct the DLA Director to implement key information security practices
and controls by: documenting procedures for performing certification
responsibilities that include specific responsibilities related to
using the checklist. (p. 22/GAO Draft Report):
DOD RESPONSE: Non-Concur. The Secretary of Defense provided sufficient
direction to Agency Directors through Department of Defense Instruction
(DoDI) 5200.40, "DoD Information Technology Certification and
Accreditation Process (DITSCAP)," December 30, 1997. This directive
establishes the basis for performing security certification and
accreditation throughout the Department of Defense. Additional
guidelines on the process are provided in DoD 8510.1-M, "DOD
Information Technology Security Certification and Accreditation Process
(DITSCAP) Application Manual," July 2000. The manual does contain a
minimum activities checklist that all DoD Components are expected to
follow when conducting certifications. Agency Directors have managerial
latitude to ensure compliance with DoD issued Policy. DLA IA Management
and Operational Control One Book Chapters do include roles and
responsibilities for performing security certification and
accreditation in accordance with above references.
RECOMMENDATION 10: The GAO recommended that the Secretary of Defense
direct the DLA Director to implement key information security practices
and controls by: updating and maintaining the agency's primary
reporting tool for recording, tracking, and reporting performance
metrics on information security practices and controls. (p. 22/GAO
Draft Report):
DOD RESPONSE: Non-Concur. The Agency's current reporting tool, CIAK, is
a Government Off the Shelf (COTS) capability developed and maintained
by DLA. Prior to this Audit, responsibility for update and sustainment
of the CIAK tool was transferred to an internal application development
team for upgrade to facilitate continued supportability of this locally
developed tool. In the interim DLA initiated implementation of
enterprise standard DoD solutions (i.e., Vulnerability Management
System, eMASS, eRetina, and Hercules) that will replace the
functionality currently provided by CIAK. Sustainment of a COTS tool is
not considered cost effective or efficient. GAO was briefed on the
status of these initiatives.
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Gregory C. Wilshusen (202) 512-6244:
Staff Acknowledgments:
In addition to the individual named above, Jenniffer Wilson, Assistant
Director, Barbara Collier, Joanne Fiorino, Sharon Kittrell, Frank
Maguire, John Ortiz, and Chuck Roney made key contributions to this
report.
(310542):
FOOTNOTES
[1] GAO, High Risk Series: An Update, GAO-05-207 (Washington, D.C.:
January 2005).
[2] Information system general controls affect the overall
effectiveness and security of computer operations as opposed to being
unique to any specific computer application. These controls include
security management, operating procedures, software security features,
and physical protection designed to ensure that access to data is
appropriately restricted, computer security functions are segregated,
only authorized changes to computer programs are made, and backup and
recovery plans are adequate to ensure the continuity of essential
operations.
[3] Certification is a comprehensive evaluation of security controls
that provides the necessary information for a designated approving
authority to formally declare that a system is approved to operate at
an acceptable level of risk.
[4] Accreditation is the authorization of an information system to
process, store, or transmit information that provides a form of quality
control. The accreditation decision is to be based on the
implementation of an agreed-upon set of management, operational, and
technical controls for a system and is supported by a comprehensive
evaluation or certification of these security controls that provides
the necessary information for a designated approving authority to
formally declare that a system is approved to operate.
[5] IBM, Security Threats and Attack Trends Report: January 2005 to
June 2005.
[6] GAO, Critical Infrastructure Protection: Challenges in Addressing
Cybersecurity, GAO-05-827T (Washington, D.C.: July 19, 2005); GAO,
Internet Protocol Version 6: Federal Agencies Need to Plan for
Transition and Manage Security Risks, GAO-05-845T (Washington, D.C.:
June 29, 2005); and GAO, Information Security: Continued Efforts Needed
to Sustain Progress in Implementing Statutory Requirements, GAO-05-483T
(Washington, D.C.: April 7, 2005).
[7] DOD Directive 8500.1, Information Assurance (Washington, D.C.:
October 2002); and DOD Instruction 8500.2, Information Assurance
Implementation, (Washington, D.C.: February 2003).
[8] A designated approving authority is a senior management official or
executive with the authority to formally assume responsibility for
operating an information system at an acceptable level of risk to
agency operations, assets, or individuals.
[9] 44 U.S.C. 3542(b)(2).
[10] DOD Instruction 5200.40, DOD Information Technology Security
Certification and Accreditation Process (December 30, 1997); DOD 8510.1-
M, DOD Information Technology Security Certification and Accreditation
Process Application Manual (July 31, 2000); and DOD Instruction 8500.1,
Information Assurance (October 24, 2002).
[11] Mission assurance category (MAC) I systems are designated as vital
to operational readiness or mission effectiveness, and their loss would
be unacceptable. MAC II systems are designated as important in the
support of deployed or contingency forces, and their loss is
unacceptable. MAC III systems are designated as necessary for the
conduct of day-to-day business, and their loss could be tolerated or
overcome without significant impact.
[12] Management controls focus on the management of the system and the
risk of harm to a system. Operational controls address security
methods, implemented and executed by people (as opposed to systems), to
improve the security of a particular system or group of systems. They
often require technical or specialized expertise and often rely on
management activities as well as technical controls. Technical controls
focus on security controls that the computer system executes. These
controls can provide automated protection for unauthorized access or
misuse, facilitate detection of security violations, and support
security requirements for applications and data.
[13] 44 U.S.C. 3544(b)(5).
[14] DOD Instruction 5200.40, December 30, 1997.
[15] Vulnerability scans assess certain technical controls, such as
vulnerable services, and are conducted annually to identify the
weaknesses of computing systems in order to determine whether and where
a system can be exploited and/or threatened.
[16] Information assurance program reviews are generally conducted on a
3-year cycle to evaluate the effectiveness of management, operational,
and technical controls agencywide through assessment of security
program management certification and accreditation information, network
security policies and practices, vulnerability assessment, compliance
and configuration, and incident response reporting and handling.
[17] A full authorization to operate means a system has been properly
certified and accredited and any significant vulnerability identified
either has been or is actively in the process of being effectively
mitigated.
[18] An interim authorization to operate provides a limited
authorization to operate the information system under specific terms
and conditions and acknowledges greater risk to the agency for a
specified, limited time.
[19] DOD Instruction 5200.40, DOD Information Technology Security
Certification and Accreditation Process (December 30, 1997); DOD 8510.1-
M, DOD Information Technology Security Certification and Accreditation
Process Application Manual (July 31, 2000); and DOD Instruction 8500.1,
Information Assurance (October 24, 2002).
[20] Office of Management and Budget, Circular A-130, Appendix III,
Security of Federal Automated Information Resources (Washington, D.C.:
Nov. 28, 2000).
[21] The system security authorization agreement is a single source
data package for all information pertaining to the certification and
accreditation of a particular site or system to, among other things,
guide actions, document decisions, specify information security
requirements, and maintain operational systems security.
[22] A type system security authorization agreement is developed when
an information system has been replicated with the same configuration
and has been deployed at multiple locations.