IG: DOD's computers vulnerable

The Defense Department is acquiring information systems that may not have adequate or cost-effective security, and its increasing use of multilevel security technology lacks coordination and oversight, according to an audit by the DOD Office of the Inspector General.

The lack of security and coordination could give unauthorized users access to DOD's classified information. While most classified information is stored on networks not open to the Internet, multilevel security technology increasingly allows the flow of information between classified and unclassified networks, according to the IG.

DOD's growing dependence on this complex infrastructure "heightens concern about the vulnerability of electronic threats to the Defense Information Infrastructure," the report states.

The report recommends several ways to address concerns about the inconsistent use of multilevel security technology and DOD's overall management of security policy for acquiring automated information systems.

DOD must install and monitor the use of multilevel security technology to prevent unauthorized access to classified information, the report states. However, no specific guidance exists on developing and installing multilevel security technology, according to the audit, which took place April through November of 1996.

Several DOD programs - including the Reserve Component Automation System, the Joint Component Automated Logistics System and the Sustaining Base Information Services - have since dropped the security requirement or failed to determine how to achieve multilevel security.

The report also calls for the assistant secretary of Defense for command, control, communications and intelligence (ASD C3I) to establish security policies and procedures unique to information systems. The ASD C3I also should develop a "sensitivity labeling standard" for data storage and processing to be used throughout DOD.

The DOD Multilevel Security Program Office should have the authority and resources to coordinate all multilevel security initiatives, the report concluded. From fiscal 1990 through fiscal 1996, the program office received less than $12 million to develop and install multilevel security applications.

A spokeswoman for the ASD C3I said that a letter dated May 19 from former ASD C3I Emmett Paige Jr. stated that it was the office's response to the audit report. In that letter, Paige agreed with the finding that multilevel security requirements are not fully defined because DOD's policies are outdated and fragmented. The spokeswoman said ASD C3I officials would have no further comment until Aug. 11, when the IG's office requests a final response from the ASD C3I.

A new directive regarding security requirements for information systems will be released in October, according to the letter.

Also, DOD officials are reviewing a new labeling policy, which should be released soon, the letter stated.

Christopher Klaus, founder and chief technology officer of Atlanta-based Internet Security Systems Inc., said many more government agencies are abandoning long-standing policies of sheltering classified documents from any network that could be accessed from outside the agency.

"There's more and more classified stuff getting connected in some way to the Internet," Klaus said. "I'm not quite sure if there's any formal policy that would require them to take the necessary steps to be secure."

Part of DOD's problems in implementing multilevel security may stem from the lack of demand for the operating systems in the commercial world. John Pescatore, senior consultant with Trusted Information Systems Inc., Glenwood, Md., said much of the commercial world spurned the use of trusted operating systems that support multilevel security because of prohibitive costs, so they chose to use firewalls instead to guard the perimeters of systems.

As a result, DOD finds itself without commercial options of multilevel operating systems that it can afford.

"If your requirements are different than the mass market, then you have to pay for it. [DOD's] approach to try to get it built into the operating system is not going to work unless they pay for it," Pescatore said.
