DLA critiqued for IT security failings

The Defense Department's inspector general has issued a report critical of the Defense Logistics Agency for shortcomings in implementing IT security controls.

The report, titled 'Review of the Information Security Operational Controls of the Defense Logistics Agency's Business Systems Modernization-Energy,' was released April 24 and follows an October 2005 Government Accountability Office report that reached many of the same conclusions.

The BSM-E (FAS) is a multifunctional, automated information system that provides a wealth of information (such as sale data collection, inventory control, finance and accounting, procurement, and facilities management) on the military's supply, use and purchase of fuels.

The audit found that the agency's chief information officer:
  • had not ensured that Business Systems Modernization-Energy (Fuels Automated System) was fully certified and accredited;
  • did not address all system security weaknesses in the plans of action and milestones;
  • did not make sure that adequate user access controls were in place, such as procedures to grant access to new users or close the accounts of individuals who left DLA;
  • failed to consistently provide users with annual security awareness training; and
  • did not complete and test systemwide continuity of operations plans.

'This occurred because DLA did not adequately assign information assurance responsibilities and have an effective management control program for IA,' the IG's report stated. 'As a result, BSM-E (FAS) operated with vulnerabilities that present potential risks to the DLA and the DOD.'

The CIO's office at DLA 'nonconcurred' with 12 of 16 recommendations, the IG report stated, and was nonresponsive to 14 recommendations and only partially responsive to another two.

The DLA response 'contained inaccurate dates and incorrect citations of DOD policy,' the report concluded. The DLA 'is required to develop a plan of action and milestones for all programs and systems where an information security weakness has been identified.'

The report suggested that the CIO 'reconsider her position' and provide more information by May 24.

