
DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk

AIMD-99-107 Published: Aug 26, 1999. Publicly Released: Aug 26, 1999.

Highlights

GAO updated its previous report on the security of the Department of Defense's (DOD) information systems, focusing on DOD's efforts to: (1) address specific weaknesses identified in GAO's 1996 reports; and (2) develop a comprehensive departmentwide information security program.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Defense
Recommendation: To realize the full potential and maximize the effectiveness of DISA's security oversight program, the DIAP, and other DOD information assurance initiatives, the Secretary of Defense should direct the DISA Director to expand the Security Readiness Review process to include timely and independent verification of the corrective actions reported by DMCs or other responsible parties.
Status: Closed – Implemented
DISA has modified its procedures to include a check of the validity of SRR database entries and to note any incorrect entries or repeat findings as serious concerns to DMC facility directors. As a result, DISA has a more accurate assessment of its overall security posture.

Agency Affected: Department of Defense
Recommendation: To realize the full potential and maximize the effectiveness of DISA's security oversight program, the DIAP, and other DOD information assurance initiatives, the Secretary of Defense should direct the DOD's Chief Information Officer to ensure that the Defense-wide Information Assurance Program defines how its efforts will be coordinated with the Joint Task Force and other related initiatives.
Status: Closed – Not Implemented
DOD is working on defining these interfaces and interactions. The Information Assurance Panel is establishing roles, responsibilities and coordination among IA initiatives. Minutes of the IAP meetings show that coordination is indeed taking place, despite a lack of formal endorsement of the IAP by its parent body -- the Military Communications Electronic Board (MCEB). GAO conducted a review of the DIAP in Report GAO-01-307 (Information Security: Progress and Challenges to an Effective Defense-Wide Information Assurance Program) and noted that DIAP had begun to address issues related to monitoring IA issues throughout the Department.

Topics

Computer crimes
Computer fraud
Computer security
Confidential communications
Data integrity
Information resources management
Information security
Information systems
Internal controls
Software
Software verification and validation
System software