The Government Accountability Office (GAO) said in a new report today that the Federal government’s primary personnel investigative agency needs to put in place improved cybersecurity oversight processes to mitigate security risks posed by its outdated and developing IT systems.
The new GAO report focuses on the Defense Department’s (DoD) Defense Counterintelligence and Security Agency (DCSA), which is responsible for conducting background investigations for most Federal agencies.
DCSA, the report says, is using a mix of legacy IT systems formerly owned by the Office of Personnel Management (OPM) along with newer but still-in-development DoD National Background Investigation Services systems.
“However, the agency hasn’t fully followed DOD’s planning steps for cybersecurity risk management, or fully implemented privacy controls for any of the IT systems involved,” GAO said.
The watchdog agency is recommending, among other steps, that “DOD establish oversight processes to help ensure” that DCSA systems are protected.
“In considering the cybersecurity risks of these systems, DCSA did not fully address all planning steps of DoD’s risk management framework,” the report states.
DoD’s Risk Management Framework Steps including steps to prepare the organization and systems, categorize the systems, select security controls, establish an implementation approach, assess security controls, authorize the systems, and monitor security controls.
According to the report, “[DCSA] has appropriately classified all six reviewed systems as high impact risks” but has yet to “define and prioritize security and privacy requirements or conduct organizational and system-level risk assessments.”
GAO also found that DCSA, in selecting security controls, “used outdated government-wide guidance.”
Additionally, DCSA “partially implemented controls on developing policies and procedures, delivering training, defining and reviewing the types of events to log, and assessing controls and risks” and as a result “unnecessarily increases the risks of disclosure, alteration, or loss of sensitive information on its background investigation systems,” according to the Federal watchdog.
GAO made a total of 13 recommendations to DoD on fully implementing DoD’s risk management planning steps, selecting appropriate security controls using current guidance, fully implementing privacy controls, and establishing oversight processes to help ensure required tasks and controls are implemented.
DoD concurred with 12 of 13 recommendations and did not with the remaining one.
The Pentagon disagreed with GAO’s recommendation that the “DoD’s Chief Information Officer should update the department’s policies and procedures related to the Risk Management Framework to use the current version of NIST Special Publication 800-53,” which is an information security standard that provides a catalog of privacy and security controls for information systems.
In its response, DoD claimed that “existing Departmental policy enforces the NIST Special Publication 800-53” and that DoD’s Chief Information Officer was “outside the scope of this audit.”
GAO maintains that all of its recommendations are warranted.
