IG: DISA needs a 3-year ATO for collaboration tool

The Defense Information Systems Agency is in compliance with software lifecycle management procedures for the Defense Collaboration Services, but DISA needs to issue a full authorization to operate, according to the Defense Department's inspector general.

According to the IG's report, allegations of violations of software development processes and potential security vulnerabilities were filed through the Defense Hotline in 2015. Many of the details on the security risks were redacted in the report.

The allegations claimed that vulnerabilities could allow "foreign intelligence and terrorists to gain access to the DCS and potentially classified information. The allegations included concerns that DISA officials were not following procedures or applying software lifecycle of the DCS."

The DOD IG stated that it could not substantiate the allegations filed through the Defense Hotline.

DCS is a DISA-designed web conference and chat system based on open source software. It facilitates global communication and information sharing over nonclassified and secret networks. It replaced the Defense Connect Online system that DISA determined in 2013 it could not continue to support under future budget estimates.

The DOD IG stated that in developing DCS, DISA properly defined software development requirements and performed an analysis of alternatives to Defense Connect Online. DISA also completed open source code reviews in accordance with DOD CIO best practices.

"Additionally, DISA officials established software management processes, performed operational software testing, and ensured software security in accordance with Federal and DOD guidance," stated the report.

Although the IG cleared DISA of the hotline allegations, the report stated that in May 2016 the authorizing official granted only a one-year authorization to operate rather than a full three-year ATO.

"The authorizing official did not grant a 3-year ATO because he identified noncompliant controls with a high and very high level of risk that he required DISA to mitigate to an acceptable level of risk before he would grant a full 3-year ATO," stated the audit.

The IG recommended that DISA mitigate the risk for high and very high noncompliant controls. During the audit, the DCS program manager provided evidence of mitigation measures.

"We consider the DCS program manager's response to have addressed all specifics of the recommendation; therefore, the recommendation is resolved but remains open," stated the report.

The IG said it would close the recommendation once it receives a copy of the 2017 ATO that states the risks have been mitigated, and that the authorization runs three years.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.
