Unclear NSA CIO Role Puts the Agency’s IT at Risk, IG Says


Auditors report the position is not even in the agency’s organizational chart.

The National Security Agency’s chief information officer may be unsure of what they’re supposed to be doing, with attention being pulled disproportionately toward cybersecurity issues, according to the agency’s inspector general.

“The Agency’s CIO role is ambiguous, without clearly defined authorities and responsibilities,” the OIG wrote in the semi-annual report released Thursday, which otherwise gives NSA a pat on the back for implementing its recommendations.

The IG audited the agency for compliance with the Clinger-Cohen Act of 1996 and an Office of Management and Budget memorandum, documents that describe the CIO role and responsibilities for budget, program and workforce management as well as overseeing information security.

Examining the implementation of an enterprise IT architecture program and the CIO’s placement within the NSA’s management structure, the IG said the agency and the CIO “made substantial progress,” but there were a few attention-grabbing reasons they noted as contributing to shortfalls. 

These were “dual hatting the functions of the CIO with those of an NSA Directorate, a lack of documentation for the delegation of authorities, failure to include the CIO role in agency organization charts, and agency communications that reinforced the CIO’s authorities primarily for the information security component.”

“The CIO has the requisite oversight of and decision rights for all Agency IT,” the IG explains, noting, “The issues identified in this audit increase the risk that the agency ... may not be maximizing its effectiveness and efficiency in designing, investing in, acquiring, managing, and maintaining the full range of its IT.”

The report said the IG made four recommendations to address the issue, and that the NSA has sufficiently addressed one of those, with actions planned to implement the other three. 

In general, though, the IG reports the NSA’s overdue recommendations for the period of April through September represented 59% of the total number of open recommendations, which was the lowest percentage of open recommendations that were overdue over the past four semi-annual reports. 

“This reflects significant progress, but there is still substantial work to be done,” according to the latest report.

The OIG is now evaluating NSA’s implementation of the Federal Information Security Modernization Act of 2014. That audit will focus specifically on assessing the agency’s information security practices.