IG: DISA needs a 3-year ATO for collaboration tool

The Defense Information Systems Agency is in compliance with software lifecycle management procedures for the Defense Collaboration Services, but DISA needs to issue a full authorization to operate, according to the Defense Department's inspector general.

According to the IG's report, allegations of violations of software development processes and potential security vulnerabilities were filed through the Defense Hotline in 2015. Many of the details on the security risks were redacted in the report.

The allegations claimed that vulnerabilities could allow "foreign intelligence and terrorists to gain access to the DCS and potentially classified information. The allegations included concerns that DISA officials were not following procedures or applying software lifecycle of the DCS."

The DOD IG stated that it could not substantiate the allegations filed through the Defense Hotline.

DCS is a DISA-designed web conference and chat system based on open source software. It facilitates global communication and information sharing over nonclassified and secret networks. It replaced the Defense Connect Online system that DISA determined in 2013 it could not continue to support under future budget estimates.

The DOD IG stated that in developing DCS, DISA properly defined software development requirements and performed an analysis of alternatives to Defense Connect Online. DISA also completed open source code reviews in accordance with DOD CIO best practices.

"Additionally, DISA officials established software management processes, performed operational software testing, and ensured software security in accordance with Federal and DOD guidance," stated the report.

Although the IG cleared DISA of the hotline allegations, the report stated that in May of 2016, the authorizing official granted only a one-year authorization to operate rather than a full three-year ATO.

"The authorizing official did not grant a 3-year ATO because he identified noncompliant controls with a high and very high level of risk that he required DISA to mitigate to an acceptable level of risk before he would grant a full 3-year ATO," stated the audit.

The IG recommended that DISA mitigate the risk for high and very high noncompliant controls. During the audit, the DCS program manager provided evidence of mitigation measures.

"We consider the DCS program manager's response to have addressed all specifics of the recommendation; therefore, the recommendation is resolved but remains open," stated the report.

The IG said it would close the recommendation once it receives a copy of the 2017 ATO that states the risks have been mitigated, and that the authorization runs three years.