Defense

IG: DOD checking the boxes on cyber policies

Shutterstock image (by Maksim Kabakou): pixelated shield, protection concept.

The Defense Department is largely in compliance with the Cybersecurity Act of 2015, but some issues remain, according to DOD’s inspector general.

In a newly released report, the Pentagon's watchdog said DOD "has policies, procedures, and practices related to logical access controls, including multifactor authentication; software and license inventories; monitoring and threat detection capabilities; and information security requirements for third-party service providers" as required by the law.

The act mandates such activities for systems that have access to personally identifiable information. It also required federal inspectors general to provide Congress with assessments of their agencies' compliance by Aug. 14, 2016.

DOD's IG characterized the report as an assessment rather than a full audit and did not include any recommendations that had not been made in previous audits. However, since fiscal 2013, seven audits concluded that DOD components "did not consistently follow logical access control requirements," the report states.

Some of the problems included failure to manage inactive accounts, missing system access requests, and a lack of unique usernames and passwords for shared or group accounts. The IG said that in general, access control weaknesses resulted from employees failing to follow existing policies rather than a lack of effective policies.

The report states that DOD components generally agreed to implement the corrective actions listed in previous audits.

In the latest report, the IG faulted DOD for not having a policy for conducting inventories of software licenses. Officials told the IG's office that they are developing agencywide inventory polices, but the report cites only three DOD components -- the Defense Information Systems Agency, the Air Force and the Navy -- that "issued policies and procedures on conducting software license inventories."

The government as a whole is in the midst of a push to gather information on existing software licenses with the ultimate goal of eliminating duplication and spending on unused software.

The DOD IG's assessment did not go into detail on the effectiveness of the policies, nor did the IG "independently verify, analyze or validate information provided from the DOD components" in response to a request for policy data. As a result, the assessment provides no analysis of whether DOD policies are accomplishing goals such as monitoring and detecting data exfiltration, ensuring security of third-party providers or tackling other security threats.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.