United States General Accounting Office GAO Report to the Secretary of Defense August 1999 DOD INFORMATION SECURITY Serious Weaknesses Continue to Place Defense Operations at Risk GAO/AIMD-99-107 United States General Accounting Office Accounting and Information Washington, D.C. 20548 Management Division B-282190 Letter August 26, 1999 The Honorable William S. Cohen The Secretary of Defense Dear Mr. Secretary: The Department of Defense (DOD) relies on a vast and complex information infrastructure to support critical operations such as designing weapons, identifying and tracking enemy targets, paying soldiers, mobilizing reservists, and managing supplies. Indeed, its warfighting capability depends upon computer-based telecommunications networks and information systems. In recent years, numerous internal and external evaluations have identified weaknesses in information security that could seriously jeopardize DOD’s operations and compromise the confidentiality, integrity, or availability of sensitive information. This report summarizes the results of our latest review of information security at DOD. In May 1996, we reported that external attacks on DOD computer systems were a serious and growing threat.1 According to DOD officials, attackers had stolen, modified, and destroyed both data and software. They had installed "back doors" that circumvented normal system protection and allowed attackers unauthorized future access. They had shut down and crashed entire systems and networks. In September 1996, we issued a report, based on detailed analyses and testing of general computer controls, that identified pervasive vulnerabilities in DOD information systems.2 We had found that authorized users could also exploit the same vulnerabilities that made external attacks possible to commit fraud or other improper or malicious acts. In fact, 1 Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996). 2 General computer controls are the policies and procedures that affect the overall security and effectiveness of computer systems and operations, as opposed to being unique to any specific computer program, office, or operation. General controls include the organizational structure, operating procedures, software security features, and physical protection designed to ensure that (1) access to computer systems and sensitive data is restricted to prevent unauthorized changes and disclosure, (2) only approved changes are made to computer programs, (3) back-up and recovery plans are adequate to continue essential operations in the event of an emergency, and (4) computer staff duties are properly segregated to reduce the risk of undetected errors or fraud. Leter Page 1 GAO/AIMD-99-107 DOD Information Security B-282190 knowledgeable insiders with malicious intentions could pose a more serious threat than outsiders since they may be more aware of system weaknesses and how to disguise inappropriate actions. Our report highlighted the lack of a comprehensive information security program and made numerous recommendations for corrective actions.3 Subsequent reviews of individual systems also have disclosed serious weaknesses in information security. For example, we reported in 1997 that our review of the actuarial application supporting DOD’s Military Retirement Trust Fund disclosed a lack of overall security administration and management governing access to Fund data files and other files storing sensitive information, such as social security numbers, pay rates, child and spousal abuse allegations, and medical test results.4 In another example, two cases in which employees embezzled nearly $1 million led to our 1998 review of Air Force’s vendor payment system. We identified a number of internal control weaknesses, including information security weaknesses, which leave the Air Force vulnerable to similar thefts.5 Tests conducted by the Joint Chiefs of Staff during the summer of 1997 demonstrated the continuing vulnerability of DOD and civilian networks to attack. Since then, DOD has acknowledged that it has continued to identify organized intrusions, indicating that such activities are an ongoing problem. Because of the risks that inadequate information security poses to DOD operations and the integrity of its data, we followed up on our previous reviews of DOD’s general computer controls.6 Our objective was to provide an update on the status of corrective actions DOD has taken to (1) address specific weaknesses identified in our 1996 reports, in particular the September 1996 report and (2) develop a comprehensive departmentwide information security program. 3 This report was designated Limited Official Use because of the sensitive information it contained. 4 Financial Management: Review of the Military Retirement Trust Fund's Actuarial Model and Related Computer Controls (GAO/AIMD-97-128, September 9, 1997). 5 Financial Management: Improvements Needed in Air Force Vendor Payment Systems and Controls (GAO/AIMD-98-274, September 28, 1998). 6 Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996) and the September 1996 Limited Official Use report. Leter Page 2 GAO/AIMD-99-107 DOD Information Security B-282190 Results in Brief Serious weaknesses in DOD information security continue to provide both hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose, and destroy sensitive DOD data. These weaknesses impair DOD’s ability to (1) control physical and electronic access to its systems and data, (2) ensure that software running on its systems is properly authorized, tested, and functioning as intended, (3) limit employees’ ability to perform incompatible functions, and (4) resume operations in the event of a disaster. As a result, numerous Defense functions, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll, have already been adversely affected by system attacks or fraud. Our current review found that some corrective actions have been initiated in response to the recommendations our 1996 reports made to address pervasive information security weaknesses in DOD. However, progress in correcting the specific control weaknesses identified during our previous reviews has been inconsistent across the various DOD components involved and weaknesses persist in every area of general controls. Accordingly, we reaffirm the recommendations made in our 1996 reports. The status of DOD actions to implement those recommendations is discussed later in this report. The DOD component activities we evaluated generally did not have effective processes for identifying and resolving information security weaknesses. However, the Defense Information Systems Agency (DISA), 7 which operates the Defense Megacenters (DMC), has established and is implementing a comprehensive security review process. DISA developed Standard Technical Implementation Guides (STIG), which prescribe clear and detailed standards for configuring its system software. 8 Also, DISA’s Security Readiness Review (SRR) process enables it to test DMC compliance with the STIGs and other DISA security standards, track the weaknesses identified by the testing, and monitor and report on efforts to 7 DISA is a major provider of telecommunications and computing services, supporting the military services and other Defense agencies on a fee-for-service basis. The Defense Services and other Defense agencies, however, continue to perform some data processing outside of the DMCs in data processing centers that are not subject to DISA’s security review process. 8 System software includes operating systems, utility software, program library systems, file maintenance software, security software, data communications systems, and database management systems. One set of system software may be used to support and control a number of user applications. Page 3 GAO/AIMD-99-107 DOD Information Security B-282190 correct them. Thus far, DISA has identified and resolved thousands of security weaknesses. At the end of our review, however, DISA was still developing guidance for configuring some of its system software and had not yet reviewed security over all of its systems. Moreover, some ongoing weaknesses were improperly reported as having been corrected because DISA has not always independently verified in a timely manner the corrective actions reported by its DMCs. To provide a comprehensive, departmentwide information security program, which our September 1996 report recommended, DOD announced in January 1998 its plans for a Defense-wide Information Assurance Program (DIAP)9 under the jurisdiction of the DOD Chief Information Officer (CIO). In February 1999, DOD’s CIO finalized the Implementation Plan for the DIAP that outlines organizational structure and responsibilities. The program is still being staffed; DIAP staff will be responsible for creating a DIAP concept of operations to address the program’s operational structure and processes. In December 1998, DOD also implemented the Joint Task Force for Computer Network Defense, which DOD expects will support the DIAP by monitoring DOD’s computer networks and defending against hacker attacks and other unauthorized access. DISA’s security oversight program and other models for information security management offer approaches that DOD could adapt and integrate into its departmentwide program to address threats to information security not covered by the Joint Task Force. Because DIAP and task force efforts are at an early stage of development, their ultimate effectiveness cannot yet be assessed. In order that the full potential of DISA’s security oversight program, the DIAP, and other DOD IA initiatives can be realized, we are recommending that (1) the SRR process be expanded to include timely and independent verification of the corrective actions reported by DMCs and (2) the DIAP define how its efforts will be coordinated with the Joint Task Force and other related initiatives. 9 DOD defines information assurance as information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This includes capabilities to protect against, detect, and react to attacks. Page 4 GAO/AIMD-99-107 DOD Information Security B-282190 In commenting on a draft of this report, DOD officials stated that they generally concurred with the report and its recommendations. They said that this report adds credence to efforts to heighten awareness within the DOD community of the serious risks that accompany poor security practices in information systems. They noted that DOD is actively working to correct the deficiencies cited in the report and they believe it is making progress in reducing the risks to its information systems. Background The DOD information processing environment is large, complex, and decentralized. DOD has over 2.1 million computers, over 10,000 local area networks, and over 100 long-distance networks. Its tens of thousands of automated information systems run on a variety of systems, including mainframe, mid-tier, client-server, and personal computer-based systems. Security over these systems involves a number of functional areas. These include groups and individuals who use and own these systems, application developers, data center personnel (such as systems programmers, computer operators, and security managers), and others who come in contact with computer resources or data. The owners of application systems and data are those organizations or individuals responsible for specifying the level of security required for their operations and supporting information systems, determining who is given access to their computer applications, prioritizing critical application programs to be covered by disaster recovery plans, and protecting their own system passwords and equipment. Application developers are responsible for managing software application program changes, ensuring the integrity of the application, and designing security controls within these applications consistent with owner requirements. Data center personnel are responsible for computer operations, system software configuration and change management, controls over access to data and programs at the system level, and some aspects of disaster recovery. Managers of the facilities in which these activities take place are generally responsible to some extent for physical and environmental security. In DOD, responsibility for the security of an individual application, such as a payroll system or weapon system, and its related data, is typically shared by several organizations. Any DOD component may be the owner or user of an application. Application development may be done in-house by the user’s organization or by a central design activity (CDA) on a fee-for-service basis. All of the military services and many of the Defense agencies, Page 5 GAO/AIMD-99-107 DOD Information Security B-282190 including the Defense Finance and Accounting Service (DFAS) and the Defense Logistics Agency (DLA), have CDA components. DISA, through its DMCs, is a major provider of data processing services for DOD. However, data processing services may be provided by the military services and other DOD components or by a non-DOD service provider. Any of these DOD components may be a tenant on an installation owned or managed by another DOD component or government agency. In DISA’s case, for example, each DMC shares the responsibility for physical security with the host activity of the installation on which it is located. In DOD, not all responsibilities are clearly assigned, however. For example, while the data center is responsible for the security of the system software and the developer for application security, neither has explicit responsibility for the security and integrity of the interfaces between operating systems and applications. Objectives, Scope, and To determine the extent to which specific information security weaknesses identified in our September 1996 report had been corrected, we tested the Methodology effectiveness of corrective actions taken. Our testing was carried out in four DMCs, three CDAs, and two customer (i.e., end-user) activities.10 Our original review was an assessment of general computer controls, which affect the overall security and effectiveness of an organization’s computer systems and operations rather than being unique to a particular computer program, office, or operation. Our tests of corrective actions were limited to those areas in which we had previously documented specific weaknesses. We did not test controls that we had previously found to be operating effectively. Our audit program was based on our Federal Information System Controls Audit Manual.11 We also evaluated DISA’s processes for overseeing security in the DMCs. We compared the scope and content of their Security Technical Implementation Guides (STIG) for system software with each other and with external guidance. We documented their Security Readiness Review (SRR) process and its history, assessed the security of the SRR database, 10 We are not identifying the specific activities and installations in which our testing was conducted because of the sensitive nature of our findings. These were generally the same activities in which our original testing was conducted, although due to organizational changes, the unit responsible for a particular computer control had in some cases changed. 11 GAO/AIMD-12.19.6, January 1999. Page 6 GAO/AIMD-99-107 DOD Information Security B-282190 and quantified the results of SRRs performed to date. We also gathered evidence about the reliability of the SRR database by testing selected controls that were reported as SRR findings and subsequently reported as fixed. For assistance in testing corrective actions and evaluating DISA’s processes for overseeing security, we contracted with PricewaterhouseCoopers LLP. We determined the scope of the contractor's audit work, monitored its progress, and reviewed the related workpapers to ensure that the resulting findings were adequately supported. To determine the extent to which DOD had developed and implemented a departmentwide information security program, we examined the management and the implementation plans for the Defense-wide Information Assurance Program and monitored Defense’s progress through the end of our fieldwork. We also received briefings on the new Joint Task Force for Computer Network Defense and interviewed DOD officials to learn about departmentwide initiatives related to our recommendations. At each test location, we briefed management on the results of our fieldwork at that location. We also briefed DOD officials on the results of our fieldwork at all locations. We requested comments on a draft of this report from the Secretary of Defense or his designee. On July 16, officials of the Infrastructure and Information Assurance Directorate of the Office of the Secretary of Defense provided us with oral comments that are discussed in the “Agency Comments and Our Evaluation” section of our report. Our work was performed from October 1997 through February 1999 in accordance with generally accepted government auditing standards. Limited Progress in Our 1996 reports identified pervasive information security weaknesses in DOD and made recommendations for correcting them. While some Correcting General corrective actions had been initiated to address our recommendations, our Control Weaknesses current review found that weaknesses persisted in every area of general controls. Among the DOD components evaluated, only DISA had begun to establish a comprehensive process to identify and resolve information security weaknesses. DISA was issuing technical guidance to establish minimum standards for configuring system software and was implementing systematic entitywide inspections to monitor the effectiveness of computer Page 7 GAO/AIMD-99-107 DOD Information Security B-282190 controls. As a result, DISA had identified and resolved thousands of control weaknesses. Control Weaknesses Persist In our current review we found that significant DOD information security weaknesses in general computer controls persisted for all the components evaluated, including DISA. The following sections give examples illustrating the types of weaknesses we found in access controls, application software development and change controls, segregation of duties, system software controls, and service continuity controls. Access Controls Access controls limit or detect inappropriate access to computer data, programs, facilities, and equipment to protect these resources against unauthorized modification, disclosure, loss, or impairment. Access controls include physical protections, such as gates and guards, and logical controls, which are built into software to authenticate users (through passwords or other means) and to restrict their access to certain data, programs, transactions, or commands. DOD policy states that access to automated information systems should be restricted based on one's need-to-know. We found, however, that users were granted access to computer resources that exceeded what they required to carry out their job responsibilities, including sensitive system privileges for which they had no need. On one system, systems support personnel had the ability to change data in the system audit log. On three systems, we tested the accounts of 12 users having access to a command that would allow them to substitute an unauthorized data file for a legitimate file. Seven out of 12 did not have a need to use this command. We also found user accounts that had certain privileges—including sensitive security administration privileges— for which no evidence of authorization was available. Access authorization was poorly documented or undocumented for users at every site; management estimated that on one system more than 20,000 users were not authorized in writing. Periodic review of user access privileges and monitoring of security violations and the use of powerful commands, utilities, and changes to sensitive files and records (such as user access profiles) are essential to preventing and detecting unauthorized activity. However, we found at every location we visited that there was inadequate periodic review of user access privileges to ensure that those privileges continued to be appropriate. Also, while the logging of security violations and access to Page 8 GAO/AIMD-99-107 DOD Information Security B-282190 sensitive resources had improved, these audit logs were not being consistently reviewed. Similarly, we found that data processing customers were not updating users’ access levels to reflect changes in their access requirements or to cancel the access of terminated employees. Password management, though improved, was still weak in some areas. Users were not required to change their passwords often enough and in some cases were never required to change their passwords. Users were not prevented from using easily guessed passwords. These practices increase the risk that passwords will be guessed and systems will be compromised. User accountability was also weakened by the use of generic (group) user accounts, wherein a single account is used by two or more users, contrary to DISA standards. In the case of one generic user account having system privileges, not only was the password known to multiple users, but it was neither encrypted in the system nor required to be changed periodically. Application Software Application software development and change controls prevent Development and Change unauthorized programs or modifications to programs from being Controls implemented to ensure that the software functions as intended. Program change control policies and procedures include review and approval of application change requests, independent review and testing of program changes, documentation of program changes, and formal authorization to implement those changes, along with the access controls necessary to ensure that these objectives are met. We found that structured methodologies for designing, developing, and maintaining applications were inadequate or nonexistent. There was no requirement for users to document the planning and review of application changes and to test them to ensure that the system functioned as intended. Also, application programs were not adequately documented with a full description of the purpose and function of each module, which increases the risk that a developer making program changes will unknowingly subvert new or existing application controls. One fundamental technique of program change control is the use of two or more computer processing environments to segregate the test and development versions of application programs and data from the production resources (those versions approved and currently being used by the data processing customer). We found that application programmers, users, and computer operators had direct access to production resources, Page 9 GAO/AIMD-99-107 DOD Information Security B-282190 increasing the risk that unauthorized changes to production programs and data could be made and not detected. On one system, 74 user accounts had privileges enabling them to change program code without supervisory review and approval. This number had increased from the 37 users that we had documented in our earlier review. According to management, only four people should have this authority. On another system, nearly 300 programmers could alter production programs and data. Segregation of Duties Segregation of duties refers to the policies, procedures, and organizational structure that help to ensure that one individual cannot independently control all key aspects of a process or computer-related operation and thereby conduct unauthorized actions without detection. As an example, a computer programmer should not be allowed to independently write, test, and approve program changes. In the information processing environment, the duties and access capabilities of systems programmers, application programmers, security administrators, and end-users, for example, should generally be segregated from one another. Duties in the DOD computing environment were not adequately segregated. We found that personnel were still assigned both systems programming and security administration duties. These individuals could make unauthorized changes to programs and data while using their security privileges to disable the system’s capability to create an audit trail of those changes. Thus they could, for example, modify payroll records or shipping records to generate unauthorized payments or to misdirect inventory shipments and suppress the related system audit data to avoid detection. System Software System software controls limit and monitor access to the powerful programs and sensitive files associated with the computer systems operation. System software helps control and coordinate the input, processing, output, and data storage associated with all of the applications that run on the system. Some system software can change data and program code without creating an audit trail or can be used to modify or delete audit trails. Improperly configured or poorly maintained system software can be exploited to circumvent security controls to read, modify, or delete critical or sensitive data or programs. It can also be used to gain privileges to conduct unauthorized transactions or to circumvent edits or other controls built into application programs. For these reasons, system software vulnerabilities are a common target of hackers, both internal and external Page 10 GAO/AIMD-99-107 DOD Information Security B-282190 to the entity. As a result, most entities have a separate set of procedures for controlling system software. We found end-users had been given unnecessary (and in some cases unauthorized) access to system functions, tools, and data. For example, users could read system data files containing information useful to hackers. On four systems, users could view other users' output, which could include sensitive or confidential information. On one system, end-users had the capability to issue commands that would allow them to disrupt all processing on that system. As with other groups of users, the activities and access privileges of users with sensitive system privileges were not adequately monitored. We also found system software maintenance issues which create security exposures. For example, we found system libraries for privileged programs (i.e., programs that are allowed to perform powerful system functions) that contained the names of nonexistent programs. By creating a new program with the same name as one of these nonexistent members, a user could install malicious code with the authority to make changes to the operating system, the security software, and user programs or data and to delete audit logs. We found that one site was running a proprietary mainframe operating system and other system software products that were no longer supported by the vendor. Management informed us that such software was needed to support application programs that had not yet been upgraded to run on a current version of the operating system. This site was also running programs that were undocumented. These practices increase the risk that security vulnerabilities or other problems will not be detected or corrected. Service Continuity Controls Service continuity controls ensure that when unexpected events occur, critical operations continue without undue interruption and critical and sensitive data are protected. A well-documented plan for disaster recovery and continuity of operations, based upon an up-to-date risk analysis and periodic testing, is critical to ensure that an organization can continue to fulfill its mission while responding to natural disasters, accidents, or other major and minor interruptions in data processing. We found mission-related applications and the activities they support that are at risk because of inadequate planning for service continuity. Although DISA recommends nightly back-up of high-activity application data files, some information processing customers did not require that their application data be backed up frequently enough to ensure effective Page 11 GAO/AIMD-99-107 DOD Information Security B-282190 mission support after a service disruption. This increases the risk that some data cannot be restored, particularly as temporary data files may not exist at the time the full system back-up is done, which is typically once a week. Also, although DISA requires that back-up tapes be stored at least 25 miles, and preferably 100 miles, from the processing site, we noted that one DMC was storing back-up tapes only 14 miles from the data center without having obtained a waiver from DISA. This increases the risk that both the back-up tapes and the data center could be affected by the same emergency. We found that disaster recovery plans were incomplete and did not specify the order in which the customer's applications (or the programs within a particular application) should be restored. This increases the risk that relatively trivial functions may be restored before those that are most critical to the user's mission. One plan assumed the availability of hardware which was not on-site and was still in the procurement process. Many DISA customers had not tested their recovery procedures or had not tested them under the conditions likely to prevail in the event of a disaster. These weaknesses increase the risk that the organization may fail in its mission or incur unnecessary expense as the result of a prolonged service interruption. Progress in Addressing Although each of the activities we evaluated had made some progress in Security Weaknesses Varied addressing the individual weaknesses identified in our 1996 report, only DISA was implementing a comprehensive process for identifying, tracking, Among DOD Organizations and resolving weaknesses within its jurisdiction. While implementation of this process was not yet complete, DISA had already identified and resolved thousands of specific control weaknesses. In 1994, DISA created a task force to assess the security posture of its DMCs. This task force created an inspection checklist and a database to capture, track, and analyze its findings. The task force conducted system reviews and physical/environmental reviews, which have evolved into DISA's Security Readiness Review (SRR) process. DISA has steadily increased the number of security reviews performed. By the end of November 1998, DISA had completed 542 SRRs, generated a total of 14,860 findings, and reported that 11,418 of these findings had been corrected. Page 12 GAO/AIMD-99-107 DOD Information Security B-282190 As DISA began implementing its SRR process, it also began drafting detailed technical guidance for individual systems, known as Security Technical Implementation Guides (STIG), which specify minimum standards for managing system software security. STIGs cover topics such as organizational relationships and responsibilities and the management processes and technical requirements needed to ensure hardware integrity, system software integrity, and data-level integrity. They define the requirements for interfacing the various components of system software and include such details as specific configuration options to be used, password management, testing requirements, and permissible levels of access to system resources. Most importantly, all DMC systems are subject to SRRs and DMC management is accountable for the findings generated. DISA officials and staff report that correcting SRR deficiencies is given a high priority because the status of SRR findings is a part of each DMC director's or commander's readiness report. DISA has published STIGs for most of its systems and expects to have performed SRRs of all its systems before the end of 1999. Additional action, however, is needed to improve DISA’s oversight of information security. For example, while the DISA inspector will generally verify any corrective action taken while he or she is still on-site, subsequent corrective actions are reported in the SRR database as having adequately addressed deficiencies even though the actions may not be verified until the next regularly scheduled inspection, which may be 15 to 36 months later. We found that this practice has resulted in some inaccuracies. We tested 55 deficiencies that were “accepted-as–fixed” in the SRR database and determined that about one-fourth had not been corrected. For example, several DMCs had reported that their system software configuration options had been changed to conform to DISA requirements, and the SRR database had been updated accordingly. However, our testing showed that the options in question were not in compliance with DISA standards. We did not attempt to determine whether these inconsistencies were the result of oversights, misrepresentations, or other factors. DISA officials agreed that more timely, independent verification of corrective actions is desirable and reported that they were exploring ways to address this issue. Other DOD components had not made similar progress in instituting an effective oversight process. The modest improvements that these components had made were the result of individual and isolated command or unit actions rather than comprehensive service, agency, or department actions. Page 13 GAO/AIMD-99-107 DOD Information Security B-282190 DOD Has Developed As stated in our executive guide on information security management, 12 a well-designed and well-managed information security program with But Not Yet senior-level support is essential for ensuring that an agency's controls are, Implemented a and continue to be, appropriate and effective. The program should establish a process and assign responsibilities for systematically Departmentwide (1) assessing risk, (2) developing and implementing effective security Information Security policies and related control techniques, (3) promoting user awareness of Program security issues, (4) monitoring the appropriateness and effectiveness of these policies and techniques, and (5) providing feedback to managers who may then make needed adjustments. It should also establish a central management focal point for information security. This focal point functions as a facilitator and a conduit for information. It may also be a central resource for activities such as security training. Such a program can provide senior officials a means of managing information security risks and the related costs rather than just reacting to individual incidents. In 1996, we reported that DOD lacked a departmentwide information security program to comprehensively address the general control weaknesses we had identified. We made a number of recommendations related to establishing such a program. DOD agreed with our recommendations and issued plans for the Defense-wide Information Assurance Program (DIAP), which is to provide the framework for a comprehensive information security program. It is too early to assess when, whether, or how effectively the provisions of the DIAP management and implementation plans will be implemented and coordinated with other related efforts or whether the DIAP will ultimately succeed in ensuring adequate information security throughout DOD. Earlier Recommendations The 10 recommendations in our September 1996 report to the Secretary of for Establishing a Defense, the DISA Director, and the CIOs of the military departments and other Defense agencies were aimed at Departmentwide Information Security • empowering the DOD CIO to establish a comprehensive, Program departmentwide information security program; • ensuring that security programs of the military departments and Defense agencies are consistent with the department program; and 12 Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-68, May 1998). Page 14 GAO/AIMD-99-107 DOD Information Security B-282190 • periodically reporting on progress in improving controls over information security. DOD concurred with these recommendations and committed to resolving the issues and implementing the recommendations. The department has reported that corrective actions are in progress for each of these recommendations. The full text of the recommendations appears in appendix I. Departmentwide At the time of our current review, DOD was developing but had not yet Information Security implemented a departmentwide security program in response to the recommendations in our earlier reports. On January 30, 1998, the Deputy Program Being Developed Secretary of Defense approved the Defense-wide Information Assurance Program (DIAP) and distributed a DIAP management plan to senior DOD officials. The Implementation Plan for the DIAP, which was finalized on February 12, 1999, describes at a high level the program’s goals, objectives, and organizational structure. DIAP staff will be responsible for creating a DIAP concept of operations to address the program’s operational structure and processes. The program is still being staffed. The DIAP integrates component information assurance (IA) activities into a single program under the DOD CIO, combining centralized oversight with decentralized execution. The DIAP staff will carry out the planning, programming, budgeting, and review of all IA activities throughout DOD. All IA investments and expenditures will be reported as part of the DIAP budget beginning in fiscal year 2000. DOD components will be responsible for carrying out their portions of the DIAP annual plan and for reporting on their activities to the Director of Information Assurance, who in turn reports to the DOD CIO. DIAP planning documents, which incorporate at a high level most of the best practices associated with successful information security management, indicate that DOD recognizes and is attempting to establish the departmentwide management structure needed to manage the complex information security risks associated with its heavy reliance on interconnected computer systems. For example, because the DIAP is an integrated program under the DOD CIO, it provides a central focal point for identifying risks affecting multiple Defense components and coordinating the selection, funding, and implementation of appropriate mitigating controls. Page 15 GAO/AIMD-99-107 DOD Information Security B-282190 The DIAP also establishes a Senior DIAP Steering Group composed of representatives from the services, Joint Staff, National Security Agency, and DISA. Thus, it involves senior management officials responsible for mission-related operations and assets as well as technical security specialists to help ensure that the related information security risks are fully understood and that an appropriate level of resources is provided to mitigate them. DIAP plans call for development of performance measures and an annual IA operational assessment, both prerequisites for effective feedback and reporting. They also call for an annual review of DIAP goals and related service and Defense agency plans, which is important to identify new risks, threats, and countermeasures to ensure that controls remain appropriate and effective. As DOD develops operating policies and procedures to support the DIAP, it can draw upon the existing information security guidance and best practices being used by other organizations, which define basic elements needed to provide effective feedback on information security controls. For example, our Federal Information System Controls Audit Manual defines information system control objectives and provides a framework for assessing the effectiveness of those controls. Similarly, DISA’s SRR and STIG compliance process provides a model for testing to determine if controls are functioning as intended, monitoring compliance, and tracking and reporting weaknesses identified during testing for resolution and review by senior management. In December 1998, a newly-created Joint Task Force for Computer Network Defense began coordinating and directing the defense of DOD computer systems and networks against strategic attack. Its functions include (1) situation monitoring and assessment, (2) directing DOD actions to stop attacks, contain damage, restore functionality, and provide feedback to users, (3) coordinating DOD defensive actions with other government agencies and private organizations as appropriate, (4) participation in joint training exercises, and (5) development of contingency plans and techniques. The Joint Task Force supports the DIAP by providing the monitoring tools to identify hostile attacks to DOD systems through its networks. However, the DIAP does not yet adequately address the vulnerabilities that make such attacks possible or the threats to information security that cannot be detected through network monitoring. The latter include (1) environmental threats, such as natural disasters or accidents, (2) the unauthorized activities (such as espionage, sabotage, or embezzlement) of Page 16 GAO/AIMD-99-107 DOD Information Security B-282190 authorized users, programmers, or terminated employees who still have system access due to lax security management, and (3) data loss or corruption following a service interruption, due to poor back-up and contingency planning. DOD believes the DIAP and task force initiatives will address the computer control weaknesses noted in our previous reports and our current review. However, it is too early to determine how the provisions in the DIAP plans will be implemented or how the Joint Task Force and other operational efforts yet to be developed will be coordinated with it. Thus, we were unable to assess whether these efforts will ultimately be successful in ensuring adequate information security throughout DOD. We will monitor the implementation of the DIAP as part of our oversight of DOD information security. Conclusions Departmentwide, DOD has made limited progress in correcting the general control weaknesses we reported in 1996. As a result, these weaknesses persist across every area of general controls. However, DISA has developed technical standards and is implementing a Security Readiness Review process that provides a model for information security management throughout its DMCs. DISA has not fully implemented this information security program and still needs to address certain shortcomings. Specifically, the quality of data in its SRR database could be improved through more timely independent verification of corrective actions by the DMCs or other parties. The DIAP implementation plan provides the framework for a departmentwide information security program. However, because DOD has not yet implemented DIAP, we cannot yet determine whether it will ultimately succeed in ensuring adequate security throughout the department. Close coordination between the DIAP, the Joint Task Force, and other operational efforts will be crucial to comprehensively addressing DOD’s information security weaknesses. DISA’s program and other models for information security management offer approaches that DOD could adapt and integrate into its departmentwide program. Recommendations In addition to reaffirming the recommendations in our 1996 reports, we recommend that, to realize the full potential and maximize the Page 17 GAO/AIMD-99-107 DOD Information Security B-282190 effectiveness of DISA’s security oversight program, the DIAP, and other DOD IA initiatives, the Secretary of Defense take the following actions. • Direct the DISA Director to expand the Security Readiness Review process to include timely and independent verification of the corrective actions reported by DMCs or other responsible parties. • Direct the DOD CIO to ensure that the Defense-wide Information Assurance Program defines how its efforts will be coordinated with the Joint Task Force and other related initiatives. Agency Comments and DOD officials generally concurred with the report and our recommendations, noting that this report adds credence to efforts to Our Evaluation heighten awareness within the DOD community of the serious risks that accompany poor security practices in information systems. They stated that the department is actively working to correct the deficiencies cited in the report and that they believe it is making progress in reducing the risks to its information systems. They also noted that the task is large and many corrective actions are underway, and affirmed that the continued development of the DIAP and other efforts will strengthen the department’s information security posture. With regard to our recommendation concerning DISA’s verification of corrective actions, DOD officials acknowledged problems with the accuracy of reported fixes at Defense Megacenters. They advised us that DISA has since modified its procedures to include a specific check of the validity of entries made on previously documented Security Readiness Reviews. According to DISA, the revised procedures call for incorrect entries and repeat findings to be noted as serious concerns to DMC facility directors. Regarding our recommendation concerning coordination of the DIAP with the Joint Task Force and related initiatives, DOD officials affirmed that the DIAP and other initiatives in the department—such as the Joint Task Force for Computer Network Defense (JTF-CND)—will address the computer control weaknesses cited in our report and recognized that efforts must be coordinated between the DIAP and those other initiatives. They pointed out that the DIAP has established close working relationships with the military services, agencies, Joint Staff, and other elements within DOD, including the newly established JTF-CND. They noted that an implementation plan is being prepared that aligns JTF-CND under the Page 18 GAO/AIMD-99-107 DOD Information Security B-282190 Commander-in-Chief, United States Space Command, and that the DIAP has participated in the working groups to create this plan. Lastly, they referred to two other DOD initiatives assessing (1) the threat to information systems posed by insiders and (2) the training of DOD information technology employees. They noted that these studies are expected to result in recommendations related to the training of system administrators and the controls over their access to information systems that, when implemented, should yield significant improvements to the security of DOD information systems. This report contains recommendations to you. The head of a federal agency is required by 31 U. S. C. 720 to submit a written statement on actions taken on these recommendations to the Senate Committee on Governmental Affairs and the House Committee on Government Reform within 60 days of the date of this report. You must also send a written statement to the House and Senate Committees on Appropriations with the agencies’ first request for appropriations made over 60 days after the date of this report. We are sending copies of this report to Senator Fred Thompson, Senator Joseph Lieberman, Representative Floyd Spence, Representative Ike Skelton, Representative Dan Burton, Representative Henry A. Waxman, Representative C.W. Bill Young, and Representative John P. Murtha in their capacities as Chair or Ranking Minority Member of Senate and House Committees and Subcommittees. We are also sending copies of this report to Mr. Arthur L. Money, Senior Civilian Official for the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) and DOD Chief Information Officer, and Lieutenant General David J. Kelley, Director, Defense Information Systems Agency. Copies will also be made available to others upon request. Page 19 GAO/AIMD-99-107 DOD Information Security B-282190 If you or your office have any questions concerning this report, please contact me or Les Thompson, Assistant Director, at (202) 512-3789. Individuals making key contributions to this report are listed in appendix II. Sincerely yours, Robert F. Dacey Director, Consolidated Audit and Computer Security Issues Page 20 GAO/AIMD-99-107 DOD Information Security Page 21 GAO/AIMD-99-107 DOD Information Security Contents Letter 1 Appendix I 24 Recommendations Made in GAO/AIMD-96-144 Appendix II 26 GAO Contacts and Staff Acknowledgements Related GAO Products 27 Abbreviations CDA Central Design Activity CIO Chief Information Officer DFAS Defense Finance and Accounting Service DIAP Defense-wide Information Assurance Program DISA Defense Information Systems Agency DLA Defense Logistics Agency DMC Defense Megacenter DOD Department of Defense IA information assurance JTF-CND Joint Task Force for Computer Network Defense SA Security Administor SRR Security Readiness Review STIG Security Technical Implementation Guide Page 22 GAO/AIMD-99-107 DOD Information Security Page 23 GAO/AIMD-99-107 DOD Information Security Appendix I Recommendations Made in GAO/AIMD-96-144 AppenIx di DOD has reported that corrective actions are in progress for each of the recommendations below. While none are fully completed, DOD believes that its corrective actions will address all of our recommendations, primarily through the DIAP. As noted in this report, it is too early to determine how the provisions in the DIAP will be implemented and, thus, whether these corrective actions will effectively address our recommendations. . I We recommend that the Secretary of Defense assign clear responsibility and accountability within the Office of the Secretary of Defense, the military services, and the Defense agencies for ensuring the successful implementation of an information security program that includes, for example, departmentwide policies for preventing, detecting, and responding to hacker attacks on Defense information systems. II We further recommend that you direct the DOD CIO to develop and implement a comprehensive DOD-wide computer security management program that includes the hacker prevention policies we previously recommended as well as • establishing a risk-based control program to assess computer security in DOD computer systems, • developing and implementing effective security policies and related control techniques, and • reporting to DOD managers on security issues impacting their information processing systems. III We also recommend that you direct the Deputy Secretary of Defense to ensure that the duties established for the military departments' and Defense agencies' CIOs include reporting on ongoing computer security efforts and activities to the DOD CIO for review, assessment, and appropriate action to ensure proper coordination and an integrated information technology structure within the Department. IV Further, you should direct the DOD CIO to review and assess the specific deficiencies noted and establish a process to address them. V In addition, we recommend that the DISA Director, the CIOs of the military departments, and the CIOs of the other Defense agencies submit their policies and procedures to improve general computer controls to the DOD CIO for review, assessment, and appropriate action to ensure a comprehensive security approach is operational throughout the Department. Such policies and procedures should • limit computer system access authorizations to only those who need access to perform their work responsibilities, and are periodically reviewed to ensure their continued need; • require sensitive data files and critical production programs to be identified and successful and unsuccessful access to them to be monitored; • strengthen security software standards in critical areas, such as by preventing the reuse of passwords and ensuring that security software is implemented and maintained in accordance with the standards; • control physical security at computer facilities; and • provide for completing and testing disaster recovery plans. Page 24 GAO/AIMD-99-107 DOD Information Security Appendix I Recommendations Made in GAO/AIMD-96-144 VI To ensure that general computer controls are improved at the DMCs, we recommend that the DOD CIO direct the DISA Director to develop and implement a comprehensive computer security program at the DMCs, consistent with the DOD-wide program, that includes the elements outlined in this report. These elements encompass • policies and procedures to ensure that access to DMC computer facilities is appropriately granted and periodically reviewed, • clearly defined roles and responsibilities of DMC employees, information system security officers, and security managers, and • security oversight at each DMC to monitor, measure, test, and report on the ongoing effectiveness of computer system, network, and process controls. VII In addition, we recommend that the CIOs of the military departments and the Defense agencies submit plans for coordinating with DISA to improve computer controls affecting DMC operations to the DOD CIO for review, assessment, and appropriate actions. Greater cooperation is necessary, for example, to • determine who is given access to computer systems applications, • identify critical computer systems applications to be covered by disaster recovery plans, and • ensure that locally designed software application program changes are in accordance with prescribed policies and procedures. VIII Also, the DISA Director and the CIOs of the military departments and Defense agencies should provide their plans to the DOD CIO, for review, assessment, and appropriate action to ensure that computer system security reviews are performed as part of future transfers of computer systems to the DMCs. IX Further, the DOD CIO should monitor implementation of those plans. X Finally, to strengthen DOD's computer security program in a coordinated and timely manner, we recommend that you • direct the DOD CIO to monitor and to periodically report on the status of the actions taken to improve computer security throughout DOD and • ensure that the DOD CIO has the necessary authority to ensure that there are adequate computer security controls throughout DOD, including the military departments and Defense agencies. Page 25 GAO/AIMD-99-107 DOD Information Security Appendix II GAO Contacts and Staff Acknowledgements AppeInx Idi GAO Contacts C. Les Thompson, (202) 512-3789 Robert F. Dacey, (202) 512-3317 Acknowledgments In addition to those named above, Sharon Kittrell, Jean Boltz, Edward Glagola, Linda Sellevaag, Gary Austin, and Walter Opaska made key contributions to this report. Page 26 GAO/AIMD-99-107 DOD Information Security Related GAO Products Major Management Challenges and Program Risks: Department of Defense (GAO/OCG-99-4, January 1999). Information Security: Strengthened Management Needed to Protect Critical Federal Operations and Assets (GAO/T-AIMD-98-312, September 23, 1998). Financial Management: Improvements Needed in Air Force Vendor Payment Systems and Controls (GAO/T-AIMD-98-308, September 28, 1998). Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk (GAO/AIMD-98-92, September 23, 1998). Defense Computers: Year 2000 Computer Problems Put Navy Operations at Risk (GAO/AIMD-98-150, June 30, 1998). Defense Computers: Army Needs to Greatly Strengthen Its Year 2000 Program (GAO/AIMD-98-53, May 29, 1998). Executive Guide: Information Security Management: Learning From Leading Organizations (GAO/AIMD-96-68, May 1998). Defense Computers: Year 2000 Computer Problems Threaten DOD Operations (GAO/AIMD-98-72, April 30, 1998). Department of Defense: Financial Audits Highlight Continuing Challenges to Correct Serious Financial Management Problems (GAO/T-AIMD/NSIAD-98-158, April 16, 1998). Defense Computers: Air Force Needs to Strengthen Year 2000 Oversight (GAO/AIMD-98-35, January 16, 1998). Federal Management Issues (GAO/OCG-98-1R, January 9, 1998). Defense IRM: Poor Implementation of Management Controls Has Put Migration Strategy at Risk (GAO/AIMD-98-5, October 20, 1997). Defense Computers: LSSC Needs to Confront Significant Year 2000 Issues (GAO/AIMD-97-149, September 26, 1997). Leter Page 27 GAO/AIMD-99-107 DOD Information Security Financial Management: Review of the Military Retirement Trust Fund's Actuarial Model and Related Computer Controls (GAO/AIMD-97-128, September 9, 1997). Defense Computers: Improvements to DOD Systems Inventory Needed for Year 2000 Effort (GAO/AIMD-97-112, August 13, 1997). Defense Computers: Issues Confronting DLA in Addressing Year 2000 Problems (GAO/AIMD-97-106, August 12, 1997). Defense Computers: DFAS Faces Challenges in Solving the Year 2000 Problem (GAO/AIMD-97-117, August 11, 1997). Defense Financial Management: Immature Software Development Processes at Indianapolis Increase Risk (GAO/AIMD-97-41, June 6, 1997). Defense IRM: Investments at Risk for DOD Computer Centers (GAO/AIMD-97-39, April 4, 1997). High-Risk Series: Defense Financial Management (GAO/HR-97-3, February 1, 1997). High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1, 1997). Financial Management: DOD Inventory of Financial Management Systems Is Incomplete (GAO/AIMD-97-29, January 31, 1997). Information Security: Computer Hacker Information Available on the Internet (GAO/T-AIMD-96-108, June 5, 1996). Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996). Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/T-AIMD-96-92, May 22, 1996). Defense Industrial Security: Weaknesses in U.S. Security Arrangements With Foreign-Owned Defense Contractors (GAO/NSIAD-96-64, February 20, 1996). (919159) Leter Page 28 GAO/AIMD-99-107 DOD Information Security Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk
Published by the Government Accountability Office on 1999-08-26.
Below is a raw (and likely hideous) rendition of the original report. (PDF)