Information Security: The Defense Logistics Agency Needs to Fully Implement Its Security Program
GAO-06-31
Published: Oct 07, 2005. Publicly Released: Oct 07, 2005.
Highlights
The Defense Logistics Agency's (DLA) mission is, in part, to provide food, fuel, medical supplies, clothing, spare parts for weapon systems, and construction materials to sustain military operations and combat readiness. To protect the information and information systems that support its mission, it is critical that DLA implement an effective information security program. GAO was asked to review the efficiency and effectiveness of DLA's operations, including its information security program. In response, GAO determined whether the agency had implemented an effective information security program.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Defense | To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by consistently assessing risks that could result from the unauthorized access, use, disclosure or destruction of information and information. | GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented a risk-assessment process that consistently addresses potential risks to the agency's information and information resources. |
Department of Defense | To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that training is provided for employees who have significant responsibilities for information security. | GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has issued policy on providing appropriate training for staff with information assurance duties, and is tracking the progress of its implementation. |
Department of Defense | To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that security training plans are updated and maintained. | GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented procedures to ensure that security training plans are updated and maintained. |
Department of Defense | To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring appropriate monitoring of the agency's security training program. | GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has instituted a process for tracking the annual security awareness training that all staff receive, and for tracking the specialized training that staff with significant information security roles receive as well as any certifications that they may acquire. |
Department of Defense | To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that annual security test and evaluation activities include management, operational, and technical controls of every information system in DLA's inventory. | GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has procedures in place to ensure that annual security test and evaluation activities include assessments of management, operational, and technical controls of every information system in DLA's inventory. |
Department of Defense | To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by documenting and reporting complete plans of action and milestones. | GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented a process to document and report complete plans of action and milestones. |
Department of Defense | To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by establishing specific guidance or instructions to information assurance managers and information assurance officers on what--or how--to document and report plans of action and milestones for system deficiencies. | GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has issued a template and process description for plans of action and milestones. |
Department of Defense | To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by discontinuing the practice of issuing "time-limited" authorization to operate accreditation decisions when certification tasks have not been completed. | GAO verified as of September 2008 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) issued "interim authorization to operate" (IATO) decisions when certification tasks were not completed. This IATO designation is in accordance with DLA, Defense, and Office of Management and Budget policies. |
Department of Defense | To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by ensuring that the DLA central review team verifies that certification tasks have been completed. | GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has instituted annual reviews of certification tasks by a central review team, which verifies that these tasks are performed correctly and are completed. |
Department of Defense | To assist DLA in implementing its information security program, the Secretary of Defense should direct the DLA director to implement key information security practices and controls by maintaining the accuracy and completeness of the data contained in the agency's primary reporting tool for recording, tracking, and reporting performance metrics on information security practices and controls. | GAO verified as of March 2009 that, in response to GAO's recommendation, the Defense Logistics Agency (DLA) has implemented procedures to ensure the accuracy and completeness of the data in the agency's primary reporting tool for recording, tracking, and reporting performance metrics on DLA's information security practices and controls. |
Topics
Agency missions, Information resources management, Information security, Information security officers, Information security management, Information systems, Information systems accreditation, Performance measures, Program evaluation, Information assurance