The Government Accountability Office (GAO) found in a new report that while the Department of Defense (DoD) has taken some risk management actions to better defend its inventory management systems against cyber threats, it should take additional steps to make them more secure.
Back in 2018, a DoD task force found that the Pentagon’s management systems – which are run by the Defense Logistics Agency (DLA) – were potentially vulnerable to attack.
Subsequently, DLA was given six risk management steps to address those shortcomings, and a GAO review found that DLA had fully addressed two of those six steps and only partially addressed the other four.
“Specifically, the agency categorized the systems based on risk and established an implementation approach for security controls,” wrote GAO in its new report. “However, it only partially addressed the four risk management steps of selecting, assessing, authorizing, and monitoring security controls.”
The four remaining risk management steps that need to be fully addressed are: select security controls; assess security controls; authorize the system; and monitor security controls. Until identified deficiencies are addressed, GAO said, DoD’s “management of cyber risks for critical systems will be impeded and potentially pose risks to other DoD systems that could be accessed if DLA’s systems are compromised.”
GAO made five recommendations for DLA to implement:
- Revise its standard operating procedures to require program offices to develop a system-specific monitoring strategy consistent with DoD’s risk management framework and relevant NIST guidance;
- Revise and implement an assessment plan approval process to ensure a designated authorizing official reviews and approves system assessment plans prior to a system assessment;
- Establish a process for program offices to review the consistency and completeness of authorization documentation prior to submitting the package to designated authorizing officials;
- Revise and implement DLA’s process for obtaining waivers that accept identified ongoing risk; and
- Ensure the DLA Director includes required information in corrective action plans.
DLA partially concurred with the first three recommendations and fully concurred with the last two.