Pentagon background-check systems at risk of hacking, GAO says

DSCA illustration

DSCA illustration Defense Counterintelligence and Security Agency

The Defense Counterintelligence and Security Agency didn’t fully implement DOD’s cybersecurity process, a new report finds.

The Pentagon agency that vets federal employees hasn’t worked hard enough to protect its IT systems and the sensitive personnel data they store, according to a watchdog report.

“While [the Defense Counterintelligence and Security Agency] has taken steps to prepare for managing security risks to [the National Background Investigation Services system] and legacy systems, the agency has not fully addressed key tasks in DOD’s Risk Management Framework, largely due to a lack of an oversight process,” the report said. “These key tasks include identifying all stages of the information life cycle, defining and prioritizing security and privacy requirements, performing risk assessments at both the organizational and system levels, and allocating security and privacy requirements to the appropriate systems.”

After the Office of Personnel Management was hacked in 2015, responsibility for background investigations was shifted to DSCA. The move to the Pentagon was largely seen as a way to improve cybersecurity of federal workers’ personal data and to replace old IT systems. But the effort to build the new National Bureau of Investigations Services system remains unfinished, leaving DCSA to rely on a mix of old and new IT.

A June 20 report by the Government Accountability Office found that DCSA failed to address five of 16 cyber-risk-management steps. 

For example, the agency didn’t complete risk assessments across the organization or at the system level. 

Additionally, DCSA only partially implemented privacy controls, such as developing policies and procedures around access, incident tracking, and necessary security awareness training for the systems GAO evaluated. 

“The agency lacks an oversight process to help ensure that appropriate privacy controls are fully implemented,” the report states. “Until DCSA establishes such an oversight process and fully implements privacy controls, it unnecessarily increases the risks of disclosure, alteration, or loss of sensitive information on its background investigation systems.”

DCSA plans to get rid of all old background investigations systems later this year, according to the report. 

GAO issued 13 recommendations, including creating more oversight to ensure all required tasks and controls are completed. 

The Pentagon agreed with all but one recommendation: to have the Defense Department’s chief information officer update its risk management policies to include the latest IT standards for security and privacy controls from the National Institutes of Standards and Technology. 

In its response, the Pentagon requested the GAO remove the recommendation as “existing departmental policy enforces the NIST Pub 800-53 and DOD CIO was outside the scope of this audit.” 

The GAO stands by all of its recommendations, according to the report.