IG: DISA needs a 3-year ATO for collaboration tool

The Defense Information Systems Agency followed software lifecycle management procedures in developing the Defense Collaboration Services, but DCS still needs a full three-year authorization to operate, according to the Defense Department's inspector general.

According to the IG's report, allegations of violations of software development processes and potential security vulnerabilities were filed through the Defense Hotline in 2015. Many of the details on the security risks were redacted in the report.

The allegations claimed that vulnerabilities could allow "foreign intelligence and terrorists to gain access to the DCS and potentially classified information. The allegations included concerns that DISA officials were not following procedures or applying software lifecycle of the DCS."

The DOD IG stated that it could not substantiate the allegations filed through the Defense Hotline.

DCS is a DISA-designed web conferencing and chat system built on open source software. It supports global communication and information sharing over unclassified and Secret networks. It replaced Defense Connect Online, which DISA determined in 2013 it could not continue to support under future budget estimates.

The DOD IG stated that in developing DCS, DISA properly defined software development requirements and performed an analysis of alternatives to Defense Connect Online. DISA also completed open source code reviews in accordance with DOD CIO best practices.

"Additionally, DISA officials established software management processes, performed operational software testing, and ensured software security in accordance with Federal and DOD guidance," stated the report.

Although the IG cleared DISA of the hotline allegations, the report noted that in May 2016 the authorizing official granted only a one-year authorization to operate rather than a full three-year ATO.

"The authorizing official did not grant a 3-year ATO because he identified noncompliant controls with a high and very high level of risk that he required DISA to mitigate to an acceptable level of risk before he would grant a full 3-year ATO," stated the audit.

The IG recommended that DISA mitigate the risk for high and very high noncompliant controls. During the audit, the DCS program manager provided evidence of mitigation measures.

"We consider the DCS program manager's response to have addressed all specifics of the recommendation; therefore, the recommendation is resolved but remains open," stated the report.

The IG said it would close the recommendation once it receives a copy of the 2017 ATO that states the risks have been mitigated, and that the authorization runs three years.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.
