GAO to DLA: Fully implement security plan
New report cites DOD agency for inconsistent risk assessment, inadequate training.
The Defense Logistics Agency (DLA) has made progress protecting its data and systems. But it can significantly improve information assurance by fully implementing its security program, according to a new Government Accountability Office report.
DLA has established a central security management group and appointed a senior information security officer. However, the agency did not consistently assess risks to its data and systems and adequately train network security managers and employees, according to the GAO report “Information Security: The Defense Logistics Agency Needs to Fully Implement Its Security Program” released Oct. 7.
GAO said DLA implemented parts of its information assurance program. They included conducting awareness training, developing security procedures for new systems, sending security systems engineers to assist agency staffs with new procedures, tracking security performance and installing new technologies systems to monitor vulnerabilities.
But GAO said DLA has not instituted all elements of its program. Of 10 systems reviewed, for example, only one followed Defense Department guidelines in assessing and addressing vulnerabilities. And of 17 information assurance managers interviewed, six said they never received security training.
GAO recommended that DLA take 10 steps to fully implement its information security program. They included consistently assessing risks that could result from hackings and providing security training for employees who oversee critical systems.
Paul Brinkley, deputy undersecretary of Defense for business transformation, agreed with seven of them. He said DOD will soon release detailed guidelines for information assurance training. However, he disagreed with three of the recommendations, including one that asks the department to ensure that it annually tests and evaluates security controls for all systems.
“The burden associated with this level of test and evaluation is neither practical nor cost effective,” Brinkley said in a letter attached to the report.
DLA operates systems that buy, track and deliver food, fuel, clothing, medical supplies, construction materials and spare parts for weapon systems. Many of those logistics systems are considered unclassified but sensitive, so they do not get secured as stringently as the military’s intelligence and command and control systems.
NEXT STORY: White hat, gray hat, black hat