The Department of Defence (DOD) needs to enhance the cybersecurity of its background investigation systems, according to a report published this week by the Government Accountability Office (GAO).
The report explains how the DOD’s Defense Counterintelligence and Security Agency (DCSA) conducts background investigation operations for federal agencies using legacy OPM (Office of Personnel Management) IT systems, alongside new National Background Investigation Services (NBIS) systems, which are not fully developed.
Six systems were chosen by the GAO for review during the audit. Each critical to background investigation operations.
The GAO found that the DCSA did not fully address all planning steps within DOD’s risk management framework. Specifically, they did not fully prepare the organization or its systems to manage security and privacy risks, leaving five of 16 required tasks either partially completed or entirely unaddressed.
Of the six systems chosen for review, all were appropriately categorized by DCSA, says the report. However, they used an outdated version of government-wide guidance as the source for selecting baseline security controls.
In response, GAO made 13 recommendations, advising the Secretary of Defense, alongside the DCSA Director to:
- Ensure the DCSA Chief Information Officer (CIO) identifies and documents all stages of the information life cycle for all information types processed, stored and transmitted through the system.
- Ensure CIO fully defines, prioritizes and documents security and privacy requirements.
- Ensure CIO completes an organization-wide risk assessment and documents the results.
- Ensure CIO completes system-level risk assessments and documents the results.
- Ensure CIO allocates security and privacy requirements to the system and to the environment in which the system operates, documenting the results.
- Ensure CIO establishes an oversight process to ensure senior officials complete all tasks in the risk management framework’s ‘prepare’ step.
- Ensure CIO updates the selected security control baselines for NBIS and legacy systems to correspond with the current version of NIST Special Publication 800-53.
- Ensure CIO updates the department’s policies and procedures related to the Risk Management Framework to use the current version of NIST Special Publication 800-53.
- Direct DCSA CIO to ensure the agency’s policies and procedures include key information and are reviewed and updated as required.
- Direct CIO to ensure all security training and certifications for its system users are current.
- Direct CIO to ensure the agency establishes a rationale for why the selected event types can support incident investigations, defining a frequency for reviewing/updating types of events to be logged.
- Ensure that control assessment plans are documented and that assessments align with these plans.
- Ensure CIO establishes an oversight process to ensure senior DCSA officials fully implement the recommended tasks for the required privacy controls.
DOD concurred with all but one of the 13 recommendations, choosing not to agree with recommendation number eight, noting in its reply that “existing Departmental policy enforces the NIST Pub 800-53 and DoD CIO was outside the scope of this audit.”
The GOA concluded that the DCSA lacks an oversight process to help ensure appropriate privacy controls are fully implemented, asserting that the risk of disclosure, alteration, or loss of sensitive information on its background investigation systems increases unnecessarily, as long as this remains the case.
