
National Guard: Effective Management Processes Needed for Wide-Area Network

GAO-02-959 Published: Sep 24, 2002. Publicly Released: Sep 24, 2002.

Highlights

The Fiscal Year 2002 Defense Authorization Act required GAO to review GuardNet, the National Guard's wide-area network, which is used to support various Defense applications and was used to support homeland security activities after the terrorist attacks of September 11th. GAO was asked to determine the current and potential requirements for GuardNet and the effectiveness of the processes for managing the network's requirements, configuration, and security.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Defense
Recommendation: To strengthen the National Guard Bureau's (NGB) management of GuardNet and reduce the risks associated with federal, state, and local governments relying on it to perform mission critical functions, the Secretary of Defense should direct the Secretary of the Army to ensure that GuardNet management is given the priority attention and resources commensurate with the criticality and importance of the network's current and potential uses. To this end, the Secretary, through the Secretary of the Army, should direct the NGB Chief to immediately (1) develop a complete and comprehensive inventory of network user organizations; (2) fully disclose to these users all known network management weaknesses and security vulnerabilities; (3) advise these users to take appropriate steps to ensure that their respective needs for reliable and secure network services are met; and (4) fully disclose, in a controlled manner, all known network management weaknesses and security vulnerabilities to all known potential network users, particularly potential homeland security-related users at the federal, state, and local government levels.
Status: Closed – Implemented
According to NGB, it has identified all GuardNet user organizations and has signed memoranda of agreement (MOA), which give these organizations the authority to connect to and use GuardNet. These MOAs are contained within GuardNet's system security authorization agreement (SSAA), which documents the network's weaknesses and vulnerabilities. According to NGB, all network users are provided online access (through the National Guard's web portal, Guard Knowledge Online) to the SSAA, thereby enabling them to remain aware of any security concerns. In addition, the MOAs identify security actions and policies that the users must comply with to ensure continued and reliable network services. Finally, NGB officials indicated that the SSAA would be provided to potential network users, including homeland security-related users, once those users have received initial approval to use the network.

Agency Affected: Department of the Army
Recommendation: The Secretary of the Army should direct the NGB Chief to ensure that near-term changes to the network are limited to those needed to address already identified performance and security problems.
Status: Closed – Implemented
NGB provided a list of all change requests approved since GAO issued its report. GAO's review of a random sample of these approved system change requests showed that the changes appeared to be limited to those required to address performance and security issues. In its January 2004 quarterly report, the bureau stated that GuardNet's configuration was under control and that the bureau considered this recommendation to be met.

Agency Affected: National Guard Bureau
Recommendation: During this period of limited network change, the Chief of NGB should develop an authoritative and comprehensive baseline understanding of GuardNet's requirements, configuration, and security posture.
Status: Closed – Implemented
In fiscal year 2003, NGB contracted with Mitretek to perform a study of GuardNet's requirements, configuration, and security posture. The contractor completed this study and issued reports that, according to NGB, provided a comprehensive baseline of the network's requirements, configuration, and security posture. GAO's review of the contractor's report shows that it does provide a high-level understanding of the network's requirements, configuration, and security posture.

Agency Affected: Department of the Army
Recommendation: The Secretary of the Army should direct the NGB Chief to correct each network management process weakness discussed in this report. More specifically, the NGB Chief should develop management process improvement plans for requirements management, configuration management, and security management. Each of these plans, at a minimum, should specify measurable goals and objectives, assign roles and responsibilities, involve network users, and identify work tasks, implementation schedules, and resource needs. In addition, the requirements management improvement plan should provide for establishing a process that includes (1) developing a requirements management plan, (2) involving network users in developing and changing requirements, (3) developing requirements management baseline documentation, such as a mission needs statement and an operational requirements document, and (4) establishing controls for assessing and approving proposed changes to the baseline.
Status: Closed – Implemented
NGB has (1) developed a requirements management plan, (2) established a requirements management process that involves network users, and (3) established controls for assessing and approving proposed changes to the baseline. In its January 2004 quarterly report, the bureau stated that it had developed a requirements baseline document and that it planned to use recently acquired software to document any changes from the baseline.

Agency Affected: Department of the Army
Recommendation: The Secretary of the Army should direct the NGB Chief to correct each network management process weakness discussed in this report. More specifically, the NGB Chief should develop management process improvement plans for requirements management, configuration management, and security management. Each of these plans, at a minimum, should specify measurable goals and objectives, assign roles and responsibilities, involve network users, and identify work tasks, implementation schedules, and resource needs. In addition, the configuration management improvement plan should provide for establishing a process that includes (1) identifying and documenting the network's components/subcomponents (hardware and software), (2) creating a baseline configuration (development, test, and production environments) of these component parts, (3) controlling changes to these configuration baselines through a formal change process that allows only the NGB-AIS Configuration Control Board to approve changes to GuardNet, (4) ensuring that network documentation remains current to enable accurate reporting of changes as the network evolves, and (5) periodically auditing to ensure that the documentation is complete and accurate.
Status: Closed – Implemented
NGB has established a formal change process that involves users and ensures that network documentation is updated. NGB has also established an audit process to ensure that documentation is complete and accurate. According to NGB, it has established a process for identifying and documenting the network's components and it has created a baseline configuration of the network.

Agency Affected: Department of the Army
Recommendation: The Secretary of the Army should direct the NGB Chief to correct each network management process weakness discussed in this report. More specifically, the NGB Chief should develop management process improvement plans for requirements management, configuration management, and security management. Each of these plans, at a minimum, should specify measurable goals and objectives, assign roles and responsibilities, involve network users, and identify work tasks, implementation schedules, and resource needs. In addition, the security management improvement plan should provide for establishing a process that includes (1) assessing risks to determine security needs, (2) implementing needed controls in accordance with applicable policy and guidance, (3) monitoring existing controls to ensure that they are operating as intended, and (4) ensuring that the network is certified and accredited in accordance with Department of Defense policy.
Status: Closed – Implemented
NGB has established a process for implementing security controls. Specifically, NGB has (1) assessed risks to determine security needs, (2) established a monitoring function and performed security penetration tests to evaluate existing controls, and (3) certified and accredited the network. According to NGB, it has implemented needed controls to address security needs, which was the basis for certification and accreditation.

Agency Affected: National Guard Bureau
Recommendation: Until these recommendations are fully implemented, the NGB Chief should report to the Secretary of the Army and advise the Director of the White House's Office of Homeland Security, on a quarterly basis, on NGB's progress in implementing each of these recommendations and the associated reliability and security risks faced by GuardNet users in the interim.
Status: Closed – Implemented
NGB issued several quarterly reports to the Secretary of the Army on the status of NGB's efforts to address GAO's recommendations; the final report was issued in January 2004. According to NGB, it did not provide progress reports to the Office of Homeland Security because a decision had not been made regarding GuardNet's role, if any, in homeland security. However, NGB stated that any authorized homeland security-related users would have access to the network's SSAA, which provides information on the network's associated capabilities and security limitations and concerns.

Topics

Computer networks
Firewalls
Computer security
Emergency preparedness
Homeland security
Information resources management
Information systems
Internal controls
National Guard
Systems management