Personnel Vetting: DOD Needs to Enhance Cybersecurity of Background Investigation Systems
Fast Facts
DOD's Defense Counterintelligence and Security Agency conducts background investigation operations for most federal agencies.
It does so through a combination of old IT systems previously owned by the Office of Personnel Management, and the new, not-fully-developed National Background Investigation Services IT system.
However, the agency hasn't fully followed DOD's planning steps for cybersecurity risk management, or fully implemented privacy controls for any of the IT systems involved.
We recommended, among other things, that DOD establish oversight processes to help ensure its IT systems are protected.
Highlights
What GAO Found
To conduct background investigations, the Department of Defense's (DOD) Defense Counterintelligence and Security Agency (DCSA) currently uses a combination of recently developed DOD National Background Investigation Services systems and legacy systems formerly owned by the Office of Personnel Management (OPM). In considering the cybersecurity risks of these systems, DCSA did not fully address all planning steps of DOD's risk management framework (see figure).
Extent to Which Defense Counterintelligence and Security Agency Addressed DOD's Planning-Related Risk Management Steps for Selected Background Investigation Systems as of December 2023 
Note: DOD's implementation-related Risk Management Steps are to (3) establish an implementation approach, (4) assess security controls, (5) authorize the systems, and (6) monitor security controls.
- Prepare the organization and systems: Of the 16 tasks required by this step in DOD's risk management framework, DCSA fully addressed 11, partially addressed two, and did not address three. For example, the agency has not fully defined and prioritized security and privacy requirements, nor has it performed organizational and system-level risk assessments.
- Categorize the systems: DCSA appropriately categorized the six reviewed systems as high impact risks .
- Select security controls: DCSA selected baseline security controls for the six systems but used an outdated version of government-wide guidance as the source for the control selections. Specifically, version five of applicable National Institute for Standards and Technology guidance was issued in 2020. However, DCSA continues to use version four. Among the changes in version five are two new categories of controls on personally identifiable information and supply chain management, raising the number of control categories from 18 to 20.
Regarding privacy, DCSA partially implemented controls on developing policies and procedures, delivering training, defining and reviewing the types of events to log, and assessing controls and risks. The agency lacks an oversight process to help ensure that appropriate privacy controls are fully implemented. Until DCSA establishes such an oversight process and fully implements privacy controls, it unnecessarily increases the risks of disclosure, alteration, or loss of sensitive information on its background investigation systems.
Why GAO Did This Study
In the wake of a 2015 OPM breach that compromised sensitive data on over 22 million federal employees and contractors, DCSA later assumed responsibility for conducting background investigation operations for most executive branch agencies.
House Report 117-118 includes a provision for GAO to evaluate the cybersecurity of DCSA's background investigation systems. GAO assessed the extent to which DCSA (1) planned for cybersecurity controls for selected background investigation systems and (2) implemented privacy controls for these systems.
GAO selected three DCSA systems and three OPM legacy systems critical to background investigation operations. GAO (1) reviewed policies, processes, and documentation for these systems and (2) interviewed agency officials regarding the planning and management of cybersecurity risks and selected privacy controls. GAO also has ongoing work assessing DCSA's implementation of technical controls for background investigation systems. It will be published in a future report with limited distribution.
Recommendations
GAO is making a total of 13 recommendations to DOD on fully implementing risk management planning steps, selecting appropriate security controls using current guidance, fully implementing privacy controls, and establishing oversight processes to help ensure required tasks and controls are implemented. DOD concurred with 12 of 13 recommendations and non-concurred with one. GAO maintains that all recommendations are warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer identifies and documents all stages of the information life cycle for each information type the system processes, stores, or transmits. (Recommendation 1) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer fully defines, prioritizes, and documents security and privacy requirements. (Recommendation 2) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer completes an organization-wide risk assessment and documents the results. (Recommendation 3) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer completes system-level risk assessments and documents the results. (Recommendation 4) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer allocates security and privacy requirements to the system and to the environment in which the system operates and documents the results. (Recommendation 5) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer establishes an oversight process to ensure senior officials complete all tasks in the risk management framework's prepare step. (Recommendation 6) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer updates the selected security control baselines for NBIS and legacy systems to correspond with the current version of NIST Special Publication 800-53 after DOD updates the relevant guidance. (Recommendation 7) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense should ensure DOD's Chief Information Officer updates the department's policies and procedures related to the Risk Management Framework to use the current version of NIST Special Publication 800-53. (Recommendation 8) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense should direct DCSA's Chief Information Officer to ensure the agency's policies and procedures include key information and are reviewed and updated as required. (Recommendation 9) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense should direct DCSA's Chief Information Officer to ensure all security training and certifications for its system users are current. (Recommendation 10) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense should direct DCSA's Chief Information Officer to ensure the agency establishes a rationale for why the selected event types can support incident investigations and defines a frequency for reviewing and updating which types of events are to be logged. (Recommendation 11) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure that control assessment plans are documented and that assessments align with these plans. (Recommendation 12) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer establishes an oversight process to ensure senior DCSA officials fully implement the recommended tasks for the required privacy controls. (Recommendation 13) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|