IG critical of DOD IT

Reports state that IT security and investment information in DOD databases is inconsistent.

The Defense Department poorly tracks information technology security and investments, causing the department, the Office of Management and Budget and Congress to make uninformed IT budget and policy decisions, according to DOD inspector general reports.

The military services and DOD agencies are not consistently reporting IT systems security data in two main databases: the IT Registry, which inventories DOD systems and provides their security status, and the IT Management Application, which contains DOD IT budget information, according to the report “Security Status for Systems Reported in DOD IT Databases.” The IG released the report last month.

“Specifically, 120 of 148 IT systems (81 percent) reported in the fiscal year 2006 President’s Budget Capital Investment Reports did not match to reports on the same systems in the IT Registry, and 87 of 148 IT Registry reports (59 percent) were not internally consistent between the system mission criticality and the mission assurance category data elements,” the report states. The IG said the military services and department agencies also did not submit timely, accurate and complete IT certification and compliance statements to DOD’s chief information officer.

The IG recommended several steps to fix the problem, including using automatic data integrity tools in the databases and penalizing department CIOs who did not implement controls. The IG asked the DOD CIO to respond to the report by Jan. 27.

This is the second report in seven months that is critical of the information in DOD databases. The IG criticized the military services and department agencies in June 2005 for not adequately reporting IT investments to OMB in support of the fiscal 2006 DOD budget.