DoD Background Investigation Systems Need Better Cybersecurity

According to a report released this week by the Government Accountability Office (GAO), the Department of Defense (DOD) must improve the cybersecurity of its background investigation systems.

The report explains how DOD's Defense Counterintelligence and Security Agency (DCSA) conducts background investigations for federal agencies using legacy Office of Personnel Management (OPM) IT systems alongside the new National Background Investigation Services (NBIS) systems, which are still not fully developed.

GAO selected six systems for review during the audit, each of which is critical to background investigation operations.

The GAO found that DCSA had not addressed all of the planning steps in DOD's risk management framework, and so had not fully prepared its organization or its systems to manage security and privacy risks. Five of the 16 required tasks were either incomplete or not addressed at all.

The report states that DCSA had categorized all six systems selected for review appropriately. However, DCSA used an outdated version of government-wide guidance to select the baseline security controls for those systems.

In its report, the GAO made thirteen recommendations, advising the Secretary of Defense and the DCSA director to:

  1. Ensure that the DCSA Chief Information Officer (CIO) identifies and documents the information life cycle stages for all types of information processed, stored, and transmitted by the systems.

  2. Ensure that the CIO fully defines, prioritizes, and documents security and privacy requirements.

  3. Ensure that the CIO conducts an organization-wide risk assessment and documents the results.

  4. Ensure that the CIO performs system-level risk assessments and documents the results.

  5. Ensure that the CIO documents the results of allocating security and privacy requirements to each system and to the environment in which the system operates.

  6. Ensure that the CIO establishes an oversight process to confirm that senior officials complete all tasks in the "prepare" step of the risk management framework.

  7. Ensure that the CIO updates the selected security control baselines for the NBIS and legacy systems in accordance with the current version of NIST Special Publication 800-53.

  8. Ensure that the CIO updates the department's risk management framework policies and procedures to use the latest version of NIST Special Publication 800-53.

  9. Direct the DCSA CIO to ensure that all agency policies and procedures include key information and are reviewed and updated as needed.

  10. Direct the CIO to ensure that security training and certifications are current for all system users.

  11. Direct the CIO to ensure that the agency documents a rationale for why the selected event types are sufficient to support incident investigation, and defines how often the list of event types to be logged is reviewed and updated.

  12. Ensure that control assessment plans are documented and that the assessments are carried out in line with those plans.

  13. Ensure that the CIO establishes a monitoring process to confirm that senior DCSA officials implement the recommended tasks in full.

DOD agreed with all but one of the recommendations, noting that "existing Departmental policies enforce the NIST Pub 800-53, and DoD CIO is outside the scope of the audit."

The GAO concluded that DCSA lacked an oversight process that would help ensure appropriate privacy controls are fully implemented. It warned that, as long as this remains the case, the risk of unauthorized disclosure or alteration of the sensitive information held in DCSA's background investigation systems will be unnecessarily high.

Rob is an ambitious and enthusiastic writer with a curious and passionate mind. He has written for a wide range of clients in STEM sectors, such as aerospace, aviation, software development, finance, and space. Rob has covered a wide range of topics from AI and cybersecurity, to digital transformation, to sustainability.