IG Reminds DOD of Access Control Weakness

Jesse A. Hyatt/DOD

DOD IG opted to describe, not assess, the department's cyber policies.

The Defense Department inspector general reiterated a few shortcomings in the department’s cybersecurity stance as part of a review mandated by the 2015 Cybersecurity Act.

The legislation required federal inspectors general to report on the policies, procedures and practices for securing computer networks and IT systems with emphasis on five key areas: logical access control policies and practices; use of multifactor authentication; software inventory; threat prevention; and contractor oversight.

The DOD IG report offered summaries, not assessments, of the policies the department has in place to address all five areas.

It also rehashed flaws in logical access controls it found in previous audits. Problems included incomplete system access forms and inactive accounts hanging around after established timetables. The IG report said the vulnerabilities persist “because personnel did not follow existing policy.”

Some components have policies for managing software license inventories, but no agencywide policy exists, the report said. The DOD Office of the CIO said it is working on one.