DLA critiqued for IT security failings
- By Patience Wait
- May 12, 2006
The Defense Department's inspector general has issued a report critical of the Defense Logistics Agency for shortcomings in implementing IT security controls.
The report, titled 'Review of the Information Security Operational Controls of the Defense Logistics Agency's Business Systems Modernization-Energy,' was released April 24 and follows an October 2005 Government Accountability Office report that reached many of the same conclusions.
The BSM-E (FAS) is a multifunctional, automated information system that provides a wealth of information (such as sale data collection, inventory control, finance and accounting, procurement, and facilities management) on the military's supply, use and purchase of fuels.
The audit found that the agency's chief information officer:
- had not ensured that Business Systems Modernization-Energy (Fuels Automated System) was fully certified and accredited;
- did not address all system security weaknesses in the plans of action and milestones;
- did not make sure that adequate user access controls were in place, such as procedures to grant access to new users or close the accounts of individuals who left DLA;
- failed to consistently provide users with annual security awareness training; and
- did not complete and test systemwide continuity of operations plans.
'This occurred because DLA did not adequately assign information assurance responsibilities and have an effective management control program for IA,' the IG's report stated. 'As a result, BSM-E (FAS) operated with vulnerabilities that present potential risks to the DLA and the DOD.'
The CIO's office at DLA 'nonconcurred' with 12 of 16 recommendations, the IG report stated, and was nonresponsive to 14 recommendations and only partially responsive to another two.
The DLA response 'contained inaccurate dates and incorrect citations of DOD policy,' the report concluded. The DLA 'is required to develop a plan of action and milestones for all programs and systems where an information security weakness has been identified.'
The report suggested that the CIO 'reconsider her position' and provide more information by May 24.