Information Security:

The Defense Logistics Agency Needs to Fully Implement Its Security Program

GAO-06-31: Published: Oct 7, 2005. Publicly Released: Oct 7, 2005.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Defense Logistics Agency's (DLA) mission is, in part, to provide food, fuel, medical supplies, clothing, spare parts for weapon systems, and construction materials to sustain military operations and combat readiness. To protect the information and information systems that support its mission, it is critical that DLA implement an effective information security program. GAO was asked to review the efficiency and effectiveness of DLA's operations, including its information security program. In response, GAO determined whether the agency had implemented an effective information security program.

Although DLA has made progress in implementing important elements of its information security program, including establishing a central security management group and appointing a senior information security officer to manage the program, it has not yet fully implemented other essential elements. For example, the agency did not consistently assess risks for its information systems; sufficiently train employees who have significant information security responsibilities or adequately complete training plans; annually test and evaluate the effectiveness of management and operational security controls; or sufficiently complete plans of action and milestones for mitigating known information security deficiencies. In addition, DLA has not implemented a fully effective certification and accreditation process for authorizing the operation of its information systems. Key reasons for these weaknesses are that responsibilities of information security employees were not consistently understood or communicated and DLA has not adequately maintained the accuracy and completeness of data contained in its primary reporting tool for overseeing the agency's performance in implementing key information security activities and controls. Until the agency addresses these weaknesses and fully implements an effective agency-wide information security program, it may not be able to protect the confidentiality, integrity, and availability of its information and information systems, and it may not have complete and accurate performance data for key information security practices and controls.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented a risk-assessment process that consistently addresses potential risks to the agency's information and information resources.

    Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by consistently assessing risks that could result from the unauthorized access, use, disclosure, or destruction of information and information systems.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has issued policy on providing appropriate training for staff with information assurance duties, and is tracking the progress of its implementation.

    Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that training is provided for employees who have significant responsibilities for information security.

    Agency Affected: Department of Defense

  3. Status: Closed - Implemented

    Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented procedures to ensure that security training plans are updated and maintained.

    Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that security training plans are updated and maintained.

    Agency Affected: Department of Defense

  4. Status: Closed - Implemented

    Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has instituted a process for tracking the annual security awareness training that all staff receive, and for tracking the specialized training that staff with significant information security roles receive as well as any certifications that they may acquire.

    Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring appropriate monitoring of the agency's security training program.

    Agency Affected: Department of Defense

  5. Status: Closed - Implemented

    Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has procedures in place to ensure that annual security test and evaluation activities include assessments of management, operational, and technical controls of every information system in DLA's inventory.

    Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that annual security test and evaluation activities include management, operational, and technical controls of every information system in DLA's inventory.

    Agency Affected: Department of Defense

  6. Status: Closed - Implemented

    Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented a process to document and report complete plans of action and milestones.

    Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by documenting and reporting complete plans of action and milestones.

    Agency Affected: Department of Defense

  7. Status: Closed - Implemented

    Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has issued a template and process description for plans of action and milestones.

    Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by establishing specific guidance or instructions to information assurance managers and information assurance officers on what--or how--to document and report plans of action and milestones for system deficiencies.

    Agency Affected: Department of Defense

  8. Status: Closed - Implemented

    Comments: GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) issued "interim authorization to operate" (IATO) decisions when certification tasks were not completed. This IATO designation is in accordance with DLA, Defense, and Office of Management and Budget policies.

    Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by discontinuing the practice of issuing "time-limited" authorization to operate accreditation decisions when certification tasks have not been completed.

    Agency Affected: Department of Defense

  9. Status: Closed - Implemented

    Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has instituted annual reviews of certification tasks by a central review team, which verifies that these tasks are performed correctly and are completed.

    Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that the DLA central review team verifies that certification tasks have been completed.

    Agency Affected: Department of Defense

  10. Status: Closed - Implemented

    Comments: GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented procedures to ensure the accuracy and completeness of the data in the agency's primary reporting tool for recording, tracking, and reporting performance metrics on DLA's information security practices and controls.

    Recommendation: To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by maintaining the accuracy and completeness of the data contained in the agency's primary reporting tool for recording, tracking, and reporting performance metrics on information security practices and controls.

    Agency Affected: Department of Defense
