Information Security

The Defense Logistics Agency Needs to Fully Implement Its Security Program Gao ID: GAO-06-31 October 7, 2005

The Defense Logistics Agency's (DLA) mission is, in part, to provide food, fuel, medical supplies, clothing, spare parts for weapon systems, and construction materials to sustain military operations and combat readiness. To protect the information and information systems that support its mission, it is critical that DLA implement an effective information security program. GAO was asked to review the efficiency and effectiveness of DLA's operations, including its information security program. In response, GAO determined whether the agency had implemented an effective information security program.

Although DLA has made progress in implementing important elements of its information security program, including establishing a central security management group and appointing a senior information security officer to manage the program, it has not yet fully implemented other essential elements. For example, the agency did not consistently assess risks for its information systems; sufficiently train employees who have significant information security responsibilities or adequately complete training plans; annually test and evaluate the effectiveness of management and operational security controls; or sufficiently complete plans of action and milestones for mitigating known information security deficiencies. In addition, DLA has not implemented a fully effective certification and accreditation process for authorizing the operation of its information systems. Key reasons for these weaknesses are that responsibilities of information security employees were not consistently understood or communicated and DLA has not adequately maintained the accuracy and completeness of data contained in its primary reporting tool for overseeing the agency's performance in implementing key information security activities and controls. Until the agency addresses these weaknesses and fully implements an effective agency-wide information security program, it may not be able to protect the confidentiality, integrity, and availability of its information and information systems, and it may not have complete and accurate performance data for key information security practices and controls.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


GAO-06-31, Information Security: The Defense Logistics Agency Needs to Fully Implement Its Security Program This is the accessible text file for GAO report number GAO-06-31 entitled 'Information Security: The Defense Logistics Agency Needs to Fully Implement Its Security Program' which was released on October 11, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: October 2005: Information Security: The Defense Logistics Agency Needs to Fully Implement Its Security Program: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-31]: GAO Highlights: Highlights of GAO-06-31, a report to congressional committees: Why GAO Did This Study: The Defense Logistics Agency‘s (DLA) mission is, in part, to provide food, fuel, medical supplies, clothing, spare parts for weapon systems, and construction materials to sustain military operations and combat readiness. To protect the information and information systems that support its mission, it is critical that DLA implement an effective information security program. GAO was asked to review the efficiency and effectiveness of DLA‘s operations, including its information security program. In response, GAO determined whether the agency had implemented an effective information security program. What GAO Found: Although DLA has made progress in implementing important elements of its information security program, including establishing a central security management group and appointing a senior information security officer to manage the program, it has not yet fully implemented other essential elements. For example, the agency did not consistently assess risks for its information systems; sufficiently train employees who have significant information security responsibilities or adequately complete training plans; annually test and evaluate the effectiveness of management and operational security controls; or sufficiently complete plans of action and milestones for mitigating known information security deficiencies. The table below indicates with an ’X“ weaknesses in the implementation of key information security practices for the 10 DLA systems that GAO reviewed. Weaknesses in Information Security Practices and Controls: [See Table 1] In addition, DLA has not implemented a fully effective certification and accreditation process for authorizing the operation of its information systems. Key reasons for these weaknesses are that responsibilities of information security employees were not consistently understood or communicated and DLA has not adequately maintained the accuracy and completeness of data contained in its primary reporting tool for overseeing the agency‘s performance in implementing key information security activities and controls. Until the agency addresses these weaknesses and fully implements an effective agencywide information security program, it may not be able to protect the confidentiality, integrity, and availability of its information and information systems, and it may not have complete and accurate performance data for key information security practices and controls. What GAO Recommends: To assist DLA in fully implementing its security program, GAO is making recommendations to the Secretary of Defense to direct the DLA Director to take several actions to fully implement key information security practices and controls. In commenting on a draft of this report, the Department of Defense agreed with most of GAO‘s recommendations and described efforts to address them. However, the department disagreed with recommendations related to annual security testing and evaluation, verification of certification tasks, and the accuracy of performance data in DLA‘s reporting tool. www.gao.gov/cgi-bin/getrpt?GAO-06-31. To view the full product, including the scope and methodology, click on the link above. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: DLA Has Not Yet Fully Implemented Its Security Program: Conclusions: Recommendations for Executive Actions: Agency Comments and Our Evaluation: Appendixes: Appendix I: Scope and Methodology: Appendix II: Comments from the Department of Defense: Appendix III: GAO Contact and Staff Acknowledgments: Tables: Table 1: Weaknesses in Information Security Practices and Controls: Table 2: Percentage of DLA Locations and Systems Subjected to Program Reviews During the Last 3 Years: Figure: Figure 1: Simplified Overview of the Defense Logistics Agency's Information Assurance Management and Reporting Structure: Abbreviations: DOD: Department of Defense: DLA: Defense Logistics Agency: FISMA: Federal Information Security Management Act: NIST: National Institute of Standards and Technology: OMB: Office of Management and Budget: Letter October 7, 2005: The Honorable John Warner: Chairman: The Honorable Carl Levin: Ranking Minority Member: Committee on Armed Services: United States Senate: The Honorable Duncan L. Hunter: Chairman: The Honorable Ike Skelton: Ranking Minority Member: Committee on Armed Services: House of Representatives: Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission. It is especially important for government agencies, where maintaining the public's trust is essential. Federal agencies face increasing security risks from viruses, hackers, and others who seek to disrupt federal operations or obtain sensitive information that is stored in federal computers. In our reports to Congress since 1997-- most recently in January 2005[Footnote 1]--we have identified information security as a governmentwide high-risk issue. The Defense Logistics Agency (DLA) relies extensively on information systems in supporting America's military forces with food, fuel, medical supplies, clothing, spare parts for weapons systems, and construction materials. To protect the information and information systems that support its operations and assets, it is critical that DLA implement an effective information security program. Recognizing that the major underlying cause for the majority of information security problems in federal agencies is the lack of an effective information security program, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which set forth a comprehensive framework for ensuring the effectiveness of information security controls over the information resources that support federal operations and assets. The National Defense Authorization Act for Fiscal Year 2001 required us to review the efficiency and effectiveness of DLA's operations. In response to this mandate, we previously evaluated the effectiveness of information system general controls[Footnote 2] at one of DLA's critical business support units and reported significant findings, conclusions, and recommendations in a "limited official use only" report in January 2004. As agreed with your offices, the objective for this review was to determine whether DLA has implemented an effective agencywide information security program. We performed our review at DLA facilities in the Washington, D.C. metropolitan area; Columbus, Ohio; and Denver, Colorado, from September 2004 to July 2005 in accordance with generally accepted government auditing standards. Details of our scope and methodology are contained in appendix I. Results in Brief: DLA has not yet fully implemented an effective agencywide information security program to protect the information and information systems that support its operations and assets. While DLA has implemented important elements of its information security program--including establishing a central security management group, appointing a senior information security officer to manage the program, and ensuring that employees and contractors receive information security awareness training--it has not yet fully implemented other elements of its program. Specifically, risks that could result from the unauthorized access, use, disclosure, or destruction of information or information systems were not consistently assessed; employees who had significant information security responsibilities did not receive sufficient training, and security training plans sometimes lacked key information; security testing and evaluation of management and operational controls were not annually performed; and plans of action and milestones for mitigating known information security deficiencies were not sufficiently completed. In addition, DLA has not implemented a fully effective certification[Footnote 3] and accreditation[Footnote 4] process for authorizing the operation of its information systems. Key reasons for these weaknesses are that the responsibilities of key information security employees were not consistently understood or communicated and DLA has not maintained the accuracy and completeness of the data contained in its central management database--the primary reporting tool for managing and overseeing the agency's performance in implementing key information security activities and controls. Until DLA addresses these weaknesses and fully implements an effective, agencywide information security program, it may not be able to protect the confidentiality, integrity, and availability of its information and information systems. To assist DLA in fully implementing its information security program, we are making recommendations to the Secretary of Defense to direct the DLA Director to take several actions to fully implement key information security practices and controls, including strengthening the process for certifying and accrediting information systems, and maintaining the accuracy and completeness of the data contained in DLA's primary reporting tool. In providing written comments on a draft of this report, the Deputy Under Secretary of Defense (Business Transformation) agreed with 7 of our 10 draft recommendations and described ongoing and planned efforts to address them. For the remaining recommendations, however, the Deputy Under Secretary gave reasons for the department's disagreement that did not address the intent of our recommendations. Accordingly, we have revised our draft recommendations to make our intent clear. Written comments from the Deputy Under Secretary of Defense (Business Transformation) are reprinted in appendix II. Background: The dramatic expansion in computer interconnectivity and the rapid increase in the use of the Internet are changing the way our government, the nation, and much of the world communicate and conduct business. Because of the concern about attacks from individuals and groups, protecting the computer systems that support critical operations and infrastructures has never been more important. These concerns are well founded for a number of reasons, such as escalating threats of computer security incidents, the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks. According to experts from government and industry, during the first quarter of 2005, more than 600 new Internet security vulnerabilities were discovered, thereby placing organizations that use the Internet at risk. Computer-supported federal operations are likewise at risk. IBM recently reported that there were over 54 million attacks against government computers from January 2005 to June 2005.[Footnote 5] Without proper safeguards, there is risk that individuals and groups with malicious intent may intrude into inadequately protected systems and use this access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. How well federal agencies are addressing these risks is a topic of increasing interest in both Congress and the executive branch. This is evidenced by recent hearings on information security intended to strengthen information security.[Footnote 6] DLA Is a Major Defense Supplier: DLA is an agency of the Department of Defense (DOD). As DOD's supply chain manager, DLA provides food, fuel, medical supplies, clothing, spare parts for weapon systems, and construction materials to sustain DOD military operations and combat readiness. To fulfill its mission, DLA relies extensively on interconnected computer systems to perform various functions, such as managing about 5.2 million supply items and processing about 54,000 requisition actions per day for goods and services. DLA employs about 22,575 civilian and military workers, located at about 500 field locations in 48 states and 28 countries. In accordance with DOD policy,[Footnote 7] DLA has developed an agencywide information security program to provide information security for its operations and assets. The DLA Director is responsible for ensuring the security of the information and information systems that support the agency's operations. In carrying out this responsibility, the Director has delegated to DLA's chief information officer the authority to ensure that the agency complies with FISMA and with other information security requirements. DLA's chief information officer has also designated a senior agency official to serve as Director of Information Assurance--the agency's senior information security officer--and to head the central security management group, commonly referred to as the information assurance program office. This group carries out specific responsibilities, including the following: * documenting and maintaining an agencywide security framework to assess the agency's security posture, identify vulnerabilities, and allocate resources; * establishing and managing security awareness and specialized professional security training for employees who have significant security responsibilities; * ensuring that all systems are certified and accredited in accordance with both federal and DOD processes; * providing personnel at headquarters and the DLA locations with guidance on, and assistance in preparing, system security authorization agreements--single source data packages for all information pertaining to the certification and accreditation of a system in order to, among other things, guide actions, document decisions, specify information security requirements, and maintain operational systems security; and: * ensuring that field site personnel accurately assess their locations' security postures. Information assurance managers at the various DLA locations directly report to the information technology chief at their location and are expected to assist the Director of Information Assurance by coordinating security activities, establishing and maintaining a repository for documenting and reporting system certification and accreditation activities, maintaining and updating system security authorization agreements, and notifying the designated approving authority[Footnote 8] of any changes that could affect system security. Information assurance officers at the various DLA locations assist the information assurance managers through the following activities: ensuring that appropriate information security controls are implemented for an information system, notifying the information assurance manager when system changes that might affect certification and accreditation are requested or planned, and conducting annual validation testing of systems. Figure 1 below shows a simplified overview of DLA's information assurance management and reporting structure. Figure 1: Simplified Overview of the Defense Logistics Agency's Information Assurance Management and Reporting Structure: [See PDF for image] [End of figure] Federal and Departmental Requirements Are to Guide DLA Information Security Activities: Congress enacted FISMA to strengthen the security of information and information systems within federal agencies. FISMA requires each agency to develop, document, and implement an agencywide information security program to protect the information and information systems that support the operations and assets of the agency--including those that are provided or managed by another agency, a contractor, or some other source. The program must include the following: * periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, modification, disruption, or destruction of information or information systems; * training of personnel who have significant responsibility for information security and security awareness training to educate personnel--including contractors and other users of the agency's information systems--about information security risks and their responsibilities to comply with the agency's security policies and procedures; * periodic testing and evaluation of the effectiveness of the agency's information security policies, procedures, and practices; and: * a process for planning, implementing, evaluating, and documenting plans of action and milestones that are taken to address any deficiencies in the agency's information security policies, procedures, and practices. To support agencies in conducting their information security programs, the National Institute of Standards and Technology (NIST) is publishing mandatory standards and guidelines for providing information security all agency operations, assets, and information systems other than national security systems.[Footnote 9] The standards and guidelines include, at a minimum, (1) standards to be used by all agencies to categorize their information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels, (2) guidelines recommending the types of information and information systems that are to be included in each category, and (3) minimum information security requirements for information and information systems in each category. In addition, DOD has developed and published various directives and instructions that comprise an information assurance policy framework that is intended to meet the information security requirements specified in FISMA and NIST standards and publications. This framework applies to all of DOD's systems--both national and non-national security systems--including those operated by or on behalf of DLA. DLA's policies and procedures for implementing its agency information security program are contained in DLA's One Book policy and agency handbook. DLA Has Not Yet Fully Implemented Its Security Program: DLA has implemented important elements of an information security program--including establishing a central security management group, appointing a senior information security officer to manage the program, and providing security awareness training for its employees. However, DLA has not yet fully implemented other essential elements of an effective information security program to protect the confidentiality, integrity, and availability of its information and information systems that support its mission. Collectively, these weaknesses place DLA's information and information systems at risk. Key underlying reasons for the weaknesses pertain to DLA's management and oversight of its security program. DLA Has Implemented Important Elements of Its Security Program: In carrying out their information security responsibilities, both the Chief Information Officer and the Director of Information Assurance have taken several steps to implement important elements of DLA's security program, including the following: * ensuring employees and contractors receive information security awareness training; * developing information security procedures and guidance for use in implementing the requirements of the program; * deploying information system security engineers to assist headquarters and field staff in implementing security policies and procedures consistently across the agency; * developing an agencywide management tool--known as the Comprehensive Information Assurance Knowledgebase--to centrally manage and report on key performance measures, such as the status of security training, plans of action and milestones, and certification and accreditation activities; and: * developing and implementing various automated information technology initiatives to assist information assurance managers and information assurance officers in improving DLA's security posture. Weaknesses Place DLA's Information and Information Systems at Risk: Weaknesses in information security practices and controls place DLA's information and information systems at risk. Our analysis of information security activities for selected systems at 10 DLA locations showed that the agency had not fully or consistently implemented important elements of its program. Specifically, risks that could result from the unauthorized access, use, disclosure, or destruction of information or information systems were not consistently assessed; employees who had significant information security responsibilities did not receive sufficient training, and security training plans were sometimes not adequately completed; testing and evaluation of the effectiveness of management and operational security controls were not adequately performed; and plans of action and milestones for mitigating known information security deficiencies were not sufficiently completed. Table 1 indicates with an "X" weaknesses in the implementation of key information security practices and controls for selected systems. Table 1: Weaknesses in Information Security Practices and Controls: DLA system[A]: 1; Risk assessment: Yes; Security training and awareness plan: No; Security test and evaluation: Yes; Plans of action and milestones: Yes. DLA system[A]: 2; Risk assessment: No; Security training and awareness plan: No; Security test and evaluation: No; Plans of action and milestones: Yes. DLA system[A]: 3; Risk assessment: Yes; Security training and awareness plan: Yes; Security test and evaluation: Yes; Plans of action and milestones: Yes. DLA system[A]: 4; Risk assessment: Yes; Security training and awareness plan: No; Security test and evaluation: Yes; Plans of action and milestones: Yes. DLA system[A]: 5; Risk assessment: Yes; Security training and awareness plan: No; Security test and evaluation: Yes; Plans of action and milestones: Yes. DLA system[A]: 6; Risk assessment: Yes; Security training and awareness plan: Yes; Security test and evaluation: Yes; Plans of action and milestones: Yes. DLA system[A]: 7; Risk assessment: Yes; Security training and awareness plan: No; Security test and evaluation: Yes; Plans of action and milestones: Yes. DLA system[A]: 8; Risk assessment: Yes; Security training and awareness plan: No; Security test and evaluation: Yes; Plans of action and milestones: Yes. DLA system[A]: 9; Risk assessment: Yes; Security training and awareness plan: No; Security test and evaluation: Yes; Plans of action and milestones: Yes. DLA system[A]: 10; Risk assessment: Yes; Security training and awareness plan: Yes; Security test and evaluation: Yes; Plans of action and milestones: Yes. Source: GAO analysis of information security documentation contained in system certification and accreditation packages. [A] The 10 systems selected consist of local area networks and Web sites that support a DLA location; production systems, such as those that form the bulk of the computing environment at a DLA location; or an information system that have been replicated with the same configuration and have been deployed at multiple locations. [End of table] DLA Did Not Assess Risks Consistently: FISMA requires that agencies' information security programs include periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency. Identifying and assessing information security risks are essential steps in order to determine what controls are required and what level of resources should be expended on these controls. NIST has developed guidance to help organizations protect their information and information systems by using security controls that are selected through a risk-based process. DOD established a set of baseline security controls[Footnote 10] for each of three mission assurance categories[Footnote 11] that determine what security controls should be implemented. These controls are adjusted based on an assessment of risk including specific threat information, vulnerabilities, and countermeasures relative to the system. Vulnerabilities that are not mitigated are referred to as residual risk. The designated approving authority considers the residual risks in determining whether to accredit a system. Such risk assessments, as part of the requirement to reaccredit systems, are to be performed prior to a significant change in processing, but at least every 3 years. Although DLA categorized its systems in accordance with DOD guidance, we found that it did not consistently assess the residual risk for 9 of the 10 systems we selected for review. For example: * nine did not use the established baseline security controls to assess the residual risk; * three did not clearly identify the threats, vulnerabilities, and countermeasures; * two did not state how the threats and vulnerabilities would affect the mission that the system supports; * one only referenced the security controls as the threat or vulnerability; and: * one had not been updated since 2001. Unless DLA performs risk assessments consistently and assesses them against the appropriate set of controls, it will not have assurance that it has implemented appropriate controls that cost-effectively reduce risk to an acceptable level. Employees Did Not Receive Sufficient Training and Security Training Plans Were Sometimes Incomplete: FISMA mandates that all federal employees and contractors who are involved in the use of agency information systems be provided training in information security awareness and that agency heads ensure that employees with significant information security responsibilities are provided sufficient training with respect to such responsibilities. An effective information security program should promote awareness and provide training so that employees who use computer resources in their day-to-day operations understand security risks and their roles in implementing related policies and controls to mitigate those risks. DOD guidance requires that individuals receive the necessary training to ensure that they are capable of conducting their security duties and that each component establish and implement information assurance training and professional certification programs. DOD also requires that security awareness and training plans be documented for each system as part of the certification and accreditation process. These security training plans specify that training for individuals associated with a system's operation be appropriate to an individual's level and area of responsibility. This training should provide information about the security policy governing the information being processed, as well as potential threats and the nature of the appropriate countermeasures. DLA provided annual security awareness training for employees and contractors for whom it was appropriate. However, employees with significant information security responsibilities did not receive sufficient training. For example, of the 17 information assurance managers and information assurance officers located where we reviewed selected systems: * eleven reported having received some form of training, although eight of them had received training on only one of their security responsibilities--developing security documentation; * six reported never having received any security training; and: * two reported having received no security training for 2 or more years. Further, security training and awareness plans for 3 of the 10 systems we reviewed were either not system-specific or lacked detailed information. For example, training plans for 2 systems did not specify, for each level and area of responsibility, the system operations appropriate for a given user. The third lacked detailed information about training objectives, goals, and requirements. A key reason for these weaknesses is that the individual responsible for monitoring the agency's security training program had other significant responsibilities and was not able to effectively ensure that employees received the required training. As a result, DLA does not have assurance that employees with significant security responsibilities are equipped with the knowledge and skills they need to understand information security risks and their roles and responsibilities in implementing related policies and controls to mitigate those risks. Security Testing and Evaluation of Management and Operational Controls Were Not Annually Performed: Another key element that FISMA requires of an information security program is periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency based on risk, but not less than annually. FISMA requires that such testing and evaluation activities shall include the management, operational, and technical controls[Footnote 12] of every system identified in an agency's information systems inventory.[Footnote 13] DOD policy requires periodic reviews of operational systems at predefined intervals.[Footnote 14] Such reviews include testing and evaluating the technical implementation of the security design of a system and ascertaining that security software, hardware, and firmware features affecting the confidentiality, integrity, availability, and accountability of information and information systems have been implemented and documented. The results of testing and evaluation of security controls are to be used in the decision-making process for authorizing systems to operate. Further, DLA's One Book policy requires information assurance managers and information assurance officers to use the security test and evaluations as the method for validating the adequacy of management, operational, and technical controls, at least annually. DLA did not annually test and evaluate the management and operational security controls of its systems. According to DLA officials, vulnerability scans[Footnote 15] and information assurance program reviews[Footnote 16] collectively satisfied the annual requirement for testing and evaluating management, operational, and technical controls. However, the combination of the vulnerability scans and the program reviews did not satisfy the annual requirement. Although DLA generally assessed technical controls by conducting annual vulnerability scans on its systems, it did not annually assess the management and operational controls for each of its systems. While the program reviews are intended to satisfy the requirement for testing and evaluating the management and operational controls, DLA does not conduct these reviews annually on every system. For example, less than half of DLA's locations and systems have undergone program reviews in the last 3 years, as shown in table 2. Table 2: Percentage of DLA Locations and Systems Subjected to Program Reviews During the Last 3 Years: System category: Vital to operations; Percent: 43%. System category: Important in support of military forces; Percent: 26%. System category: Necessary for day-to-day operations; Percent: 8%. Source: GAO analysis of DLA data. [End of table] Until DLA tests and evaluates management and operational controls annually, critical systems may contain vulnerabilities that have not been identified or appropriately considered in decisions to authorize systems to operate. Moreover, DLA may not be able to ensure the confidentiality, integrity, and availability of the sensitive data that its systems process, store, and transmit. Plans of Action and Milestones Were Incomplete: FISMA requires each agency to develop a process for planning, implementing, evaluating, and documenting remedial action plans to address any deficiencies in its information security policies, procedures, and practices. Developing effective corrective action plans is key to ensuring that remedial action is taken to address significant deficiencies. The Office of Management and Budget (OMB) requires agency chief information officers to document and report all agency information assurance weaknesses and remedial actions in plans of action and milestones. The plans should list each security weakness and the tasks, resources, milestones, and scheduled completion dates for remedying each weakness. The plans of action and milestones associated with the 10 systems we selected for review were incomplete. For example: * none of the plans clearly documented and reported the nature of the weakness being addressed; * seven did not identify the start or completion dates for addressing the weakness; * none specified the resources necessary to complete the action plan; * nine did not list the risk associated with the security weakness; * six were not based on the correct set of baseline security controls; and: * one plan contained steps to identify vulnerabilities rather than the steps required to remedy vulnerabilities. A key reason for these weaknesses is that information assurance managers and information assurance officers reported that they did not understand the requirements for reporting system security vulnerabilities because DLA had not provided specific criteria or instructions on what--or how--to document and report plans of action and milestones for system deficiencies. Having reliable plans of action and milestones is not only vital to ensuring that DLA's information and information systems receive adequate protection, but it is also important for accurately managing and reporting progress on them. Without reliable plans, DLA does not have assurance that all information security weaknesses have been reported and that corrective actions will be taken to appropriately address the weaknesses. Certification and Accreditation Process Was Not Fully Effective for Authorizing Systems: OMB requires that agencies establish a certification and accreditation process for formally authorizing systems to operate. Certification and accreditation is the requirement that agency management officials formally authorize their information systems to process information, thereby accepting the risk associated with their operation. This management authorization (accreditation) is to be supported by a formal technical evaluation (certification) of the management, operational, and technical controls established in an information system's security plan. The accreditation decision results in (1) a full authorization to operate,[Footnote 17] (2) an interim authorization to operate,[Footnote 18] or (3) no authorization to operate. DOD instructions[Footnote 19] and DLA's agency handbook provides guidance on the certification and accreditation process. According to DLA officials, the agency has implemented the practice of issuing authorization to operate decisions on a "time-limited" basis-- regardless if certification tasks have been completed because of concern that OMB might not support funding for systems that received an interim authorization to operate decision. However, OMB, DOD, and DLA policies and procedures do not allow for the practice of issuing "time- limited" authorizations; they require interim authorization to operate decisions when all certification tasks have not been completed. To illustrate, the designated approving authority for one of the ten systems we reviewed changed the system's status from an interim authorization to operate to a "time-limited" authorization to operate even though several action items for such authorization had not been met, and this type of authorization is not allowed under current guidance. For example, information assurance personnel had not updated the security plan or completed a risk assessment. Unless DLA complies with the requirements for issuing accreditation decisions, it will not have assurance that its information systems are operating as intended and meeting security requirements. In addition, DLA did not effectively implement controls to verify the completion of certification tasks. As designed and implemented, DLA divides the responsibilities of the system certifier among the information assurance personnel at its locations and a central review team within the information assurance program office. To help ensure quality over the certification process, the central review team established a DLA quality review checklist to verify the certification tasks performed by the information assurance personnel. However, under the current process, the central review team did not interview information assurance personnel at the locations or conduct on-site visits to verify that certification tasks were performed. Instead, the central review team relies on documentation submitted to them by the information assurance personnel who performed the certification tasks. However, this documentation was not always adequate. For example, the checklist contained questions about whether physical access controls were adequate to protect all facilities housing user workstations, but for the central review team to verify such a task, either an on-site inspection or a diagram of the facility or other documentation to demonstrate the physical access controls in place would have been needed. As a result, the certification process may not provide the authorizing official with objective or sufficient information that is necessary to make credible, risk-based decisions on whether to place an information system into operation. Improvements Are Needed in Managing and Overseeing the Security Program: Key underlying reasons for the weaknesses in DLA's information security program were that the responsibilities of information assurance managers and information assurance officers were not consistently understood or communicated across the 10 DLA locations we reviewed and the information assurance program office did not maintain the accuracy and completeness of the data contained in the agency's primary reporting tool for managing and overseeing the agencywide information security program. The information assurance program office--as the agency's central security management group for managing and overseeing the security program--is responsible for providing overall security policy and guidance, along with oversight to ensure information assurance managers and information assurance officers adequately perform or execute required information security activities such as those related to performing risk assessments, satisfying security training requirements, testing and evaluating the effectiveness of controls, documenting and reporting plans of action and milestones, and certifying and accrediting systems. Although the information assurance program office developed information security policies and procedures, it did not maintain them to ensure information assurance personnel had current and sufficient documentation to carry out their responsibilities. For example, of the 17 information assurance managers and information assurance officers at the 10 locations we reviewed: * nine were unaware of the requirement for security training specific to an employee's information security responsibilities; and: * three were unaware of the requirement to perform annual self assessments, while ten others had varying understandings of how this requirement was to be met. In addition, data on key information security activities contained in the primary reporting tool were inaccurate or incomplete. For example, * for a year, the information assurance program office had not entered weaknesses that had been identified during information assurance program reviews into the primary reporting tool; * information assurance personnel at DLA locations used personal discretion for determining whether or not to report a system deficiency to the information assurance program office for entry and compilation in the primary reporting tool, thereby potentially underreporting agency level plans of action and milestones; and: * information assurance personnel at both headquarters and the DLA locations did not consistently enter key performance metrics related to plans of action and milestones and security training, thereby potentially underreporting important information used to gauge the health of the security program. A key reason for these weaknesses was that DLA had no documentation on the system design or its intended use and, therefore, had no instructional material to guide users. As a result, the data in the primary reporting tool were not reliable or effective for reporting metrics to DOD and OMB for FISMA evaluation reporting. Moreover, because the key information had not been entered into the database, the agency did not readily have all the information about the deficiencies of its program and, therefore, did not have complete information about the security posture of its program. DLA senior officials recognize that the agency's primary reporting tool has not been effectively implemented and used to manage and oversee the security program. Therefore, the agency developed an ad hoc process of data calls to the DLA locations to aggregate the performance data. However, continuation of this ad hoc process will likely not provide the reliable data needed to consistently satisfy FISMA reporting requirements. Until agencywide policies and procedures are sufficiently documented and implemented and are consistently understood and used across the agency, DLA's ability to protect the information and information systems that support its mission will be limited. Conclusions: DLA has not fully implemented its agencywide information security program, thereby jeopardizing the confidentiality, integrity, and availability of the information and information systems that it relies on to accomplish its mission. Specifically, DLA has not consistently implemented important information security practices and controls, including consistently assessing risk; ensuring that training is provided for employees who have significant responsibilities for information security, and that security training plans are updated and maintained; annually testing and evaluating the effectiveness of management, operational and technical controls; documenting and reporting complete plans of action and milestones; implementing a fully effective certification and accreditation process; and maintaining the accuracy and completeness of the data contained in the primary reporting tool. Although DLA's efforts in developing and implementing its information security program have merit, it has not taken all the necessary steps to ensure the security of the information and information systems that support its operations. Ensuring that the agency implements key information security practices and controls requires top management support and leadership and consistent and effective management oversight and monitoring. Until DLA takes steps to address these weaknesses and fully implements its information security program, it will have limited assurance that agency operations and assets are adequately protected. Recommendations for Executive Actions: To assist DLA in fully implementing its information security program, we are making recommendations to the Secretary of Defense to direct the DLA Director to implement key information security practices and controls by: * consistently assessing risks that could result from the unauthorized access, use, disclosure or destruction of information and information; * ensuring that training is provided for employees who have significant responsibilities for information security; * ensuring that security training plans are updated and maintained; * ensuring appropriate monitoring of the agency's security training program; * ensuring that annual security test and evaluation activities include management, operational, and technical controls of every information system in DLA's inventory; * documenting and reporting complete plans of action and milestones; * establishing specific guidance or instructions to information assurance managers and information assurance officers on what--or how- -to document and report plans of action and milestones for system deficiencies; * discontinuing the practice of issuing "time-limited" authorization to operate accreditation decisions when certification tasks have not been completed; * ensuring that the DLA central review team verifies that certification tasks have been completed; and: * maintaining the accuracy and completeness of the data contained in the agency's primary reporting tool for recording, tracking, and reporting performance metrics on information security practices and controls. Agency Comments and Our Evaluation: In providing written comments on a draft of this report (reprinted in app. II), the Deputy Under Secretary of Defense (Business Transformation) concurred with most of our recommendations and described ongoing and planned efforts to address them. Specifically, he stated that DLA has taken several actions to fully implement an effective agencywide information security program, including publishing a DOD manual that will soon be released to provide detailed guidance on training for employees who have significant information security responsibility. He also stated that DLA is issuing an interim mandatory guide that will soon be released to assist users in documenting and preparing plans of action and milestones, and reinforcing policy requirements for making accreditation decisions. The Deputy Under Secretary of Defense disagreed with our draft recommendation to ensure the testing and evaluation of the effectiveness of security controls for all systems annually. He stated that this recommendation would require all information assurance controls for all systems be tested and evaluated every year, which essentially amounts to annual recertification. The department further stated that the level of test and evaluation is neither practical nor cost-effective and that the combination of DLA's assessments, tests, and reviews allow them to ensure compliance of their controls in accordance with DOD Instruction 8500.2. The intent of our draft recommendation was not to require that all information assurance controls for all systems be tested and evaluated annually. Rather, the intent of our draft recommendation, consistent with FISMA requirements, was to ensure that DLA's annual security test and evaluation activities include management, operational, and technical controls of every information system in its inventory. As stated in our report, while DLA generally assessed technical controls annually of every system in its inventory, it did not annually test and evaluate management and operational controls of those systems. We agree that testing and evaluating all controls for every system annually may not be cost-effective. However, unless DLA's annual testing and evaluation activities include management and operational controls, as well as the technical controls of its systems, it may not be able to ensure the confidentiality, integrity, and availability of its information and information systems. Accordingly, we have clarified our recommendation to state that the Secretary of Defense direct the DLA Director to ensure that annual security test and evaluation activities include management, operational, and technical controls of every information system in DLA's inventory. The Deputy Under Secretary of Defense also disagreed with our draft recommendation to document procedures for performing certification responsibilities that include specific responsibilities related to using the checklist. He stated that the Secretary of Defense provided sufficient direction to agency directors on the certification and accreditation process through DOD Instruction 5200.40, and that additional guidelines on the certification and accreditation process are provided in DOD 8510.1-M. He further stated that DOD 8510.1-M contains a "minimum activities checklist" that all DOD Components are expected to follow when conducting certifications and that DLA's information assurance One Book policy includes roles and responsibilities for performing security certification and accreditation. Our draft recommendation refers to the DLA quality review checklist used by the agency's central review team to verify completion of certification tasks, not to the DOD "minimum activities checklist" described in DOD 8510.1-M. Unless certification tasks performed by information assurance personnel at the various DLA locations have been verified, the authorizing official may not have objective or sufficient information that is necessary to make credible, risk-based decisions on whether to place an information system into operation. Accordingly, we have clarified our recommendation to state that the Secretary of Defense direct the DLA Director to ensure that the DLA central review team verifies that certification tasks have been completed. The Deputy Under Secretary of Defense also disagreed with our draft recommendation to update and maintain the agency's primary reporting tool for recording, tracking, and reporting performance metrics on information security practices and controls. He stated that the primary reporting tool was developed and maintained by DLA and that responsibility for updating and sustaining the tool was transferred to an internal application development team for continued maintenance and support. He also stated that DLA initiated implementation of enterprise standard DOD solutions that will replace the functionality currently provided by the agency reporting tool and that sustainment of the tool would not be cost effective or efficient. The intent of our draft recommendation was to update and maintain the accuracy and completeness of data entered into DLA's primary reporting tool, not the application programs. While DLA has several initiatives underway at various stages of development and implementation that are intended to introduce new functionality or replace some of the existing functionality in the agency reporting tool, none of these initiatives have been fully implemented throughout the agency. If DLA continues to use a tool for managing and overseeing its information assurance program, the fundamental practice of having accurate and complete data- -whether in the current tool or in a future tool--is important to ensure the data are reliable for reporting performance metrics on key information security practices and controls to DOD and OMB for FISMA evaluation reporting. Accordingly, we have clarified our recommendation to state that the Secretary of Defense direct the DLA Director to maintain the accuracy and completeness of the data contained in the agency's primary reporting tool for recording, tracking, and reporting performance metrics on information security practices and controls. We are sending copies of this report to the Deputy Under Secretary of Defense (Business Transformation); Assistant Secretary of Defense, Networks and Information Integration; DLA Director; officials within DLA's Information Operations and Information Assurance office; and the Acting DOD Inspector General. We will also make copies available to others upon request. In addition, this report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. If you have any questions regarding this report, please contact me at (202) 512-6244 or by e-mail at [Hyperlink, wilshuseng@gao.gov]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix III. Signed by: Gregory C. Wilshusen: Director, Information Security Issues: [End of section] Appendixes: Appendix I: Scope and Methodology: To determine whether the Defense Logistics Agency (DLA) had implemented an effective agencywide information security program, we reviewed the Department of Defense (DOD) and agencywide information security policies, directives, instructions, and handbooks. We also evaluated DLA's agencywide tool--the Comprehensive Information Assurance Knowledgebase--for aggregating the agency's performance data on information security activities that are required by the Federal Information Security Management Act of 2002 (FISMA), such as the number and percentage of risk assessments performed, employees with significant information security responsibilities that received training to perform their duties, and weaknesses for which the agency had plans of action and milestones. To gain insight into DLA's certification and accreditation process, we reviewed the agency's methods and practices for identifying vulnerabilities and risks and the process for certifying systems and making accreditation decisions. We assessed whether DLA's information security program was consistent with relevant DOD policies and procedures, as well as with the requirements of FISMA, applicable Office of Management and Budget (OMB) policies,[Footnote 20] and National Institute of Standards and Technology (NIST) guidance. We also assessed whether selected information security plans and documents related to risk assessments, testing and evaluation, and plans of action and milestones were current and complete. To accomplish this, we non-randomly selected 10 sensitive but unclassified systems.[Footnote 21] The 10 systems came from 10 different DLA locations and included 3 systems, 4 sites, and 3 types.[Footnote 22] We selected these systems to maximize variety in criticality and geographic locations. We also conducted telephone interviews with 17 information assurance managers and information assurance officers from the 10 locations in order to gain insight into their understanding of FISMA requirements, relevant OMB policies, NIST guidance, and agencywide and DOD policies and procedures.: We performed our review at DLA Headquarters, located at Ft. Belvoir, Virginia; DLA Supply Center, located at Columbus, Ohio; and DLA's Business Processing Center, located at Denver, Colorado, from September 2004 to July 2005, in accordance with generally accepted government auditing standards. [End of section] Appendix II: Comments from the Department of Defense: OFFICE OF THE UNDER SECRETARY OF DEFENSE: 3000 DEFENSE PENTAGON: ACQUISITION, TECHNOLOGY AND LOGISTICS: WASHINGTON, DC 20301-3000: SEP 21 2005: Mr. Gregory C. Wilshusen: Director, Information Security Issues: U.S. Government Accountability Office: 441 G Street, N. W. Washington, D.C. 20548: Dear Mr. Wilshusen: This is the Department of Defense (DoD) response to the Government Accountability Office (GAO) Draft Report, GAO-05-901, INFORMATION SECURITY: The Defense Logistics Agency Need to Fully Implement Its Security Program, dated August 19, 2005, (GAO Code 310542). The Department has DoD instructions that comply with four of the ten recommendations and is preparing to issue detailed interim mandatory guidance for three additional recommendations. However, we non-concur with the remaining three recommendations. Our response to all ten GAO recommendations is enclosed. We appreciate the opportunity to provide comments on the draft report and look forward to on-going engagement and discussion with the GAO in the area of Information Security. Sincerely, Signed by: Paul Brinkley, Deputy Under Secretary of Defense, (Business Transformation): Enclosure: As Stated: GAO DRAFT REPORT - DATED AUGUST 19, 2005: GAO CODE 310542/GAO-05-901: "INFORMATION SECURITY: THE DEFENSE LOGISTICS AGENCY NEEDS TO FULLY IMPLEMENT ITS SECURITY PROGRAM": DEPARTMENT OF DEFENSE COMMENTS TO THE RECOMMENDATIONS: RECOMMENDATION 1: The GAO recommended that the Secretary of Defense direct the DLA Director to implement key information security practices and controls by: consistently assessing risks that could result from the unauthorized access, use, disclosure or destruction of information and information. (p. 21/GAO Draft Report): DOD RESPONSE: Concur. Department of Defense Instruction (DoDI) 8500.2 directs all services and agencies to assess risks that could result from the unauthorized access, use, disclosure or destruction of information and information. Experience has shown that identifying specific threats to individual information systems can be a difficult, expensive, time consuming task that often ultimately relies on subjective judgment. DoDI 8500.2 uses the baseline sets of IA Controls to mitigate risk based on the value of the information protected. This value is as expressed in terms of Mission Assurance Category (MAC) for availability and integrity capabilities Confidentiality Level for classification, sensitivity, or need-to-know. Essentially, as DoD assigns greater value to information (i.e., gives it a higher MAC or Confidentiality Level) it protects against a greater assumed threat. This is accomplished both by increasing the number of IA Controls and, in appropriate cases, making the IA Controls more stringent as the value of the information increases. This is not to say that Designated Accrediting/Approving Authority (DAA) shouldn't be concerned about special threat considerations but, as a general rule, if the IA Controls for a particular MAC and confidentiality Level are properly applied and tested, the system is adequately protected. RECOMMENDATION 2: The GAO recommended that the Secretary of Defense direct the DLA Director to implement key information security practices and controls by: ensuring that training is provided for employees who have significant responsibilities for information security. (p. 21/GAO Draft Report): DOD RESPONSE: Concur. DoD Directive 8570.1, Information Assurance (IA) Training, Certification, and Workforce Management released in August 2004 directs training for all DoD affiliated individuals with significant IA responsibilities. Draft DoD 8570.1-M, the manual that provides detailed implementation guidance for IA training, is in the final stage of coordination and will be released soon. Additionally, the Director, DLA reports that in May 2004, the DLA Chief Information Officer (CIO) was briefed on weaknesses in the area of IA skills and qualifications. Prior to GAO's completion of this report the DLA IA Program Office took steps to develop a Comprehensive IA Training Program plan to include a work breakdown structure for IA functions, IA tasks and skills qualification requirements, identification of sources to provide DoD IA training requirements, and training metrics. DLA recognized weaknesses and deficiencies in the area of IA training and took proactive steps to address this problem. Copies of the afore- mentioned briefing and Statement of Work regarding the IA training program were provided to GAO. RECOMMENDATION 3: The GAO recommended that the Secretary of Defense direct the DLA Director to implement key information security practices and controls by: ensuring that security training plans are updated and maintained. (p. 22/GAO Draft Report): DOD RESPONSE: Concur. See response to Recommendation #2, above. RECOMMENDATION 4: The GAO recommended that the Secretary of Defense direct the DLA Director to implement key information security practices and controls by: having a dedicated individual responsible for monitoring the agency's security training program. (p. 221 GAO Draft Report): DOD RESPONSE: Concur. DoD Directive 8500.1, "Information Assurance," October 24, 2002 requires that the Heads of DoD Components ensure that IA awareness, training, education, and professionalization are provided to all Component personnel commensurate with their respective responsibilities for developing, using, operating, administering, maintaining, and retiring DoD information systems. DoD Directive 8570.1 reinforces this guidance and DoD 8570.1-M will provide detailed guidance on agencies' IA training programs. RECOMMENDATION 5: The GAO recommended that the Secretary of Defense direct the DLA Director to implement key information security practices and controls by: ensuring the testing and evaluating of the effectiveness of security controls for all systems annually. (p. 22/GAO Draft Report): DOD RESPONSE: Non-Concur. This recommendation would require all IA controls for all systems be tested and evaluated every year, which essentially amounts to annual recertification. The burden associated with this level of test and evaluation is neither practical nor cost effective. DLA's strategy for ensuring compliance with DoD IA controls meet the requirements stipulated in E3.3.10 of DODI 8500.2 by requiring a combination of self assessments, independent assessments and audits, formal testing and certification activities, host and network vulnerability or penetration testing, and IA program reviews. We believe this strategy is sufficient to achieve appropriate test and evaluation of security controls. RECOMMENDATION 6: The GAO recommended that the Secretary of Defense direct the DLA Director to implement key information security practices and controls: by documenting and reporting complete plans of action and milestones. (p. 22/GAO Draft Report): DOD RESPONSE: Concur. The Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (ASD NII/DoD CIO) is finalizing for issuance, detailed interim mandatory guidance on the preparation and submission of Plans of Actions and Milestones (POA&M). That guidance will subsequently be incorporated into permanent DoD policies, as appropriate. The DLA One Book currently requires POA&M as part of the DLA security certification effort and will be modified as necessary to comply with the new DoD policy when it is issued. RECOMMENDATION 7: The GAO recommended that the Secretary of Defense direct the DLA Director to implement key information security practices and controls by: establishing specific guidance or instructions to information assurance officers on what or how to document and report plans of action and milestones for system deficiencies. (p. 22/GAO Draft Report): DOD RESPONSE: Concur. See response to Recommendation # 6, above. RECOMMENDATION 8: The GAO recommended that the Secretary of Defense direct the DLA Director to implement key information security practices and controls by: discontinuing the practice of issuing "time-limited" authorization to operate accreditation decision. (p. 221 GAO Draft Report): DOD RESPONSE: Concur. The interim POA&M guidance discussed in the response to Recommendation #6 above establishes criteria that preclude issuance of a "time limited" ATO when an IATO is appropriate. This policy direction will be reinforced by a new DoD instruction on certification and accreditation that will be issued this calendar year. RECOMMENDATION 9: The GAO recommended that the Secretary of Defense direct the DLA Director to implement key information security practices and controls by: documenting procedures for performing certification responsibilities that include specific responsibilities related to using the checklist. (p. 221 GAO Draft Report): DOD RESPONSE: Non-Concur. The Secretary of Defense provided sufficient direction to Agency Directors through Department of Defense Instruction (DoDI) 5200.40, "DoD Information Technology Certification and Accreditation Process (DITSCAP)," December 30, 1997. This directive establishes the basis for performing security certification and accreditation throughout the Department of Defense. Additional guidelines on the process are provided in DoD 8510.1-M, "DOD Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual," July 2000. The manual does contain a minimum activities checklist that all DoD Components are expected to follow when conducting certifications. Agency Directors have managerial latitude to ensure compliance with DoD issued Policy. DLA IA Management and Operational Control One Book Chapters do include roles and responsibilities for performing security certification and accreditation in accordance with above references. RECOMMENDATION 10: The GAO recommended that the Secretary of Defense direct the DLA Director to implement key information security practices and controls by: updating and maintaining the agency's primary reporting tool for recording, tracking, and reporting performance metrics on information security practices and controls. (p. 22/GAO Draft Report): DOD RESPONSE: Non-Concur. The Agency's current reporting tool, CIAK, is a Government Off the Shelf (COTS) capability developed and maintained by DLA. Prior to this Audit, responsibility for update and sustainment of the CIAK tool was transferred to an internal application development team for upgrade to facilitate continued supportability of this locally developed tool. In the interim DLA initiated implementation of enterprise standard DoD solutions (i.e., Vulnerability Management System, eMASS, eRetina, and Hercules) that will replace the functionality currently provided by CIAK. Sustainment of a COTS tool is not considered cost effective or efficient. GAO was briefed on the status of these initiatives. [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Gregory C. Wilshusen (202) 512-6244: Staff Acknowledgments: In addition to the individual named above, Jenniffer Wilson, Assistant Director, Barbara Collier, Joanne Fiorino, Sharon Kittrell, Frank Maguire, John Ortiz, and Chuck Roney made key contributions to this report. (310542): FOOTNOTES [1] GAO, High Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005). [2] Information system general controls affect the overall effectiveness and security of computer operations as opposed to being unique to any specific computer application. These controls include security management, operating procedures, software security features, and physical protection designed to ensure that access to data is appropriately restricted, computer security functions are segregated, only authorized changes to computer programs are made, and backup and recovery plans are adequate to ensure the continuity of essential operations. [3] Certification is a comprehensive evaluation of security controls that provides the necessary information for a designated approving authority to formally declare that a system is approved to operate at an acceptable level of risk. [4] Accreditation is the authorization of an information system to process, store, or transmit information that provides a form of quality control. The accreditation decision is to be based on the implementation of an agreed-upon set of management, operational, and technical controls for a system and is supported by a comprehensive evaluation or certification of these security controls that provides the necessary information for a designated approving authority to formally declare that a system is approved to operate. [5] IBM, Security Threats and Attack Trends Report: January 2005 to June 2005. [6] GAO, Critical Infrastructure Protection: Challenges in Addressing Cybersecurity, GAO-05-827T (Washington, D.C.: July 19, 2005); GAO, Internet Protocol Version 6: Federal Agencies Need to Plan for Transition and Manage Security Risks, GAO-05-845T (Washington, D.C.: June 29, 2005); and GAO, Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements, GAO-05-483T (Washington, D.C.: April 7, 2005). [7] DOD Directive 8500.1, Information Assurance (Washington, D.C.: October 2002); and DOD Instruction 8500.2, Information Assurance Implementation, (Washington, D.C.: February 2003). [8] A designated approving authority is a senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, assets, or individuals. [9] 44 U.S.C. 3542(b)(2). [10] DOD Instruction 5200.40, DOD Information Technology Security Certification and Accreditation Process (December 30, 1997); DOD 8510.1- M, DOD Information Technology Security Certification and Accreditation Process Application Manual (July 31, 2000); and DOD Instruction 8500.1, Information Assurance (October 24, 2002). [11] Mission assurance category (MAC) I are systems designated as vital to the operational readiness or mission effectiveness and their loss would be unacceptable. MAC II are systems designated as important in the support of deployed or contingency forces and their loss are unacceptable. MAC III are systems designated as necessary for the conduct of day-to-day business and their loss could be tolerated or overcome without significant impact. [12] Management controls focus on the management of the system and the risk of harm to a system. Operational controls address security methods, implemented and executed by people (as opposed to systems), to improve the security of a particular system or group of systems. They often require technical or specialized expertise and often rely on management activities as well as technical controls. Technical controls focus on security controls that the computer system executes. These controls can provide automated protection for unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. [13] Section U.S.C. 3544(b)(5). [14] DOD Instruction 5200.40, December 30, 1997. [15] Vulnerability scans assess certain technical controls, such as vulnerable services, and are conducted annually to identify the weaknesses of computing systems in order to determine whether and where a system can be exploited and/or threatened. [16] Information assurance program reviews are generally conducted on a 3-year cycle to evaluate the effectiveness of management, operational, and technical controls agencywide through assessment of security program management certification and accreditation information, network security policies and practices, vulnerability assessment, compliance and configuration, and incident response reporting and handling. [17] A full authorization to operate means a system has been properly certified and accredited and any significant vulnerability identified either has been or is actively in the process of being effectively mitigated. [18] An interim authorization to operate provides a limited authorization to operate the information system under specific terms and conditions and acknowledges greater risk to the agency for a specified, limited time. [19] DOD Instruction 5200.40, DOD Information Technology Security Certification and Accreditation Process (December 30, 1997); DOD 8510.1- M, DOD Information Technology Security Certification and Accreditation Process Application Manual (July 31, 2000); and DOD Instruction 8500.1, Information Assurance (October 24, 2002). [20] Office of Management and Budget, Circular A-130, Appendix III, Security of Federal Automated Information Resources (Washington, D.C.: Nov. 28, 2000). [21] The system security authorization agreement is a single source data package for all information pertaining to the certification and accreditation of a particular site or system to, among other things, guide actions, document decisions, specify information security requirements, and maintain operational systems security. [22] A type system security authorization agreement is developed when an information system has been replicated with the same configuration and has been deployed at multiple locations. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548:

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.