Defense Logistics Unit Has Weak Security, GAO Says

Cites inadequate training, lack of system testing

The Defense Logistics Agency isn't fully protecting its information systems, according to a report released last week by the Government Accountability Office.

The DLA is responsible for providing goods such as food, fuel, medical supplies and spare parts for weapon systems to the U.S. Department of Defense. In its report, the GAO said the logistics agency has made some progress in implementing key elements of its information security program but needs to do more.

The report credited the DLA for establishing a central security management group and appointing a senior information security officer. But the GAO said the agency has failed to consistently assess the security risks that could result from unauthorized access to its systems and the improper use, disclosure or destruction of data.

In addition, employees responsible for the DLA's information security program haven't received enough training; annual security testing and evaluation of management and operational controls haven't been done; and plans to mitigate known IT deficiencies haven't been completed, according to the GAO.

Until the DLA addresses the security management and oversight weaknesses and implements an effective agencywide IT security program, it may not be able to protect the confidentiality, integrity and availability of its systems and data.

Recommendations Made

The GAO, which completed a 10-month audit of DLA facilities in July, outlined 10 steps that the agency should take to improve its security practices and controls.

The recommendations include a call for the DLA to ensure that workers who are involved in IT security get adequate training and that the training program be monitored by agency officials and updated as needed.

In a written response to the GAO, Paul Brinkley, deputy undersecretary of defense for business transformation, agreed with most of the recommendations and said the DLA is working to address them. For example, Brinkley wrote that the DLA plans to distribute a Defense Department manual with detailed guidance on security training.

However, Defense Department officials disagreed with three of the recommendations, including the need to annually test the effectiveness of security controls for all systems. Brinkley said that doing so would amount to annual recertification and is neither practical nor cost-effective.

The GAO countered that it doesn't expect the DLA to test all of its information-assurance controls annually. But it said that it does want to ensure that the testing efforts include management, operational and technical controls for every system in the agency's inventory, as required by the Federal Information Security Management Act.

Copyright © 2005 IDG Communications, Inc.
