IG: DISA needs a 3-year ATO for collaboration tool

The Defense Information Systems Agency is in compliance with software lifecycle management procedures for the Defense Collaboration Services, but DISA still needs to obtain a full authorization to operate for the system, according to the Defense Department's inspector general.

According to the IG's report, allegations of violations of software development processes and potential security vulnerabilities were filed through the Defense Hotline in 2015. Many of the details on the security risks were redacted in the report.

The allegations claimed that vulnerabilities could allow "foreign intelligence and terrorists to gain access to the DCS and potentially classified information. The allegations included concerns that DISA officials were not following procedures or applying software lifecycle of the DCS."

The DOD IG stated that it could not substantiate the allegations filed through the Defense Hotline.

DCS is a DISA-designed web conference and chat system based on open source software. It facilitates global communication and information sharing over nonclassified and secret networks. It replaced the Defense Connect Online system that DISA determined in 2013 it could not continue to support under future budget estimates.

The DOD IG stated that in developing DCS, DISA properly defined software development requirements and performed an analysis of alternatives to Defense Connect Online. DISA also completed open source code reviews in accordance with DOD CIO best practices.

"Additionally, DISA officials established software management processes, performed operational software testing, and ensured software security in accordance with Federal and DOD guidance," stated the report.

Although the IG cleared DISA of the hotline allegations, the report stated that in May of 2016, the authorizing official granted only a one-year authorization to operate rather than a full three-year ATO.

"The authorizing official did not grant a 3-year ATO because he identified noncompliant controls with a high and very high level of risk that he required DISA to mitigate to an acceptable level of risk before he would grant a full 3-year ATO," stated the audit.

The IG recommended that DISA mitigate the risk for high and very high noncompliant controls. During the audit, the DCS program manager provided evidence of mitigation measures.

"We consider the DCS program manager's response to have addressed all specifics of the recommendation; therefore, the recommendation is resolved but remains open," stated the report.

The IG said it would close the recommendation once it receives a copy of the 2017 ATO that states the risks have been mitigated, and that the authorization runs three years.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.