An IT system, which provides critical information to the President, Secretary of Defense, and other military leaders, received only a little more than half of the required security controls at seven sites, a Department of Defense Inspector General report shows.
The Global Command and Control System–Joint (GCCS-J) shows military operations across air, land, sea, space, and cyberspace and allows for leaders to plan, manage, and execute military operations across theaters.
At the seven sites reviewed, cybersecurity officials implemented only nine of the recommended 17 system security controls. Physical access control and account management were among the eight controls not being implemented at the sites.
“The site cybersecurity officials at all seven critical sites stated that they thought the Defense Information Systems Agency was responsible for implementing security controls for the GCCS-J,” the report states.
The report recommended appointing personnel to implement the security requirements, in line with previous instructions from the Chairman of the Joint Chiefs of Staff. According to the report’s response, verification has been provided that these required personnel have been appointed.
The report recommends that the system’s security controls are verified annually, following instructions from the Chairman of the Joint Chiefs of Staff. Those in charge of the system stated that the enforcement requirements are included in a draft interim policy memorandum, “GCCS-J Cybersecurity Instructions and Best Practices.”