The Pentagon agency that vets federal employees hasn't worked hard enough to protect its IT systems and the sensitive personnel data they store, according to a watchdog report.
"While [the Defense Counterintelligence and Security Agency] has taken steps to prepare for managing security risks to [the National Bureau of Investigations Services system] and legacy systems, the agency has not fully addressed key tasks in DOD's Risk Management Framework, largely due to a lack of an oversight process," the report said. "These key tasks include identifying all stages of the information life cycle, defining and prioritizing security and privacy requirements, performing risk assessments at both the organizational and system levels, and allocating security and privacy requirements to the appropriate systems."
After the Office of Personnel Management was hacked in 2015, responsibility for background investigations was shifted to DCSA. The move to the Pentagon was largely seen as a way to improve the cybersecurity of federal employees' personal data and to replace old IT systems. But the effort to build the new National Bureau of Investigations Services system remains unfinished, leaving DCSA to rely on a mix of old and new IT.
A June 20 report by the Government Accountability Office found that DCSA failed to address five of 16 cyber-risk-management steps.
For example, the agency did not complete risk assessments across the organization or at the system level.
Additionally, DCSA only partially implemented privacy controls, such as developing policies and procedures around access, incident monitoring, and required security awareness training for the systems GAO evaluated.
"The agency lacks an oversight process to help ensure that appropriate privacy controls are fully implemented," the report states. "Until DCSA establishes such an oversight process and fully implements privacy controls, it unnecessarily increases the risks of disclosure, alteration, or loss of sensitive information on its background investigation systems."
DCSA plans to get rid of all old background investigation systems later this year, according to the report.
GAO issued 13 recommendations, including creating more oversight to ensure all required tasks and controls are completed.
The Pentagon agreed with all but one recommendation: to have the Defense Department's chief information officer update its risk management policies to include the latest IT standards for security and privacy controls from the National Institute of Standards and Technology.
In its response, the Pentagon asked the GAO to remove the recommendation because "existing departmental policy enforces the NIST Pub 800-53 and DOD CIO was outside the scope of this audit."
The GAO stands by all of its recommendations, according to the report.