NSA gets middling grades in FISMA audit

The National Security Agency is lagging in all eight of the security areas set in the 2014 Federal Information Security Management Act, according to a new Inspector General report.

The latest report, which tallies and provides brief summaries of the office’s mostly classified work to Congress and the public, disclosed that the IG issued 13 reports and oversight memoranda between Oct. 1, 2018, and March 31, 2019.

Among that work was a 2018 review examining NSA’s FISMA compliance. According to the latest report, that review found medium-to-low levels of maturity for all eight of the security areas measured.

“The review found that there is room for improvement in all eight IT security areas,” auditors wrote.

One metric -- contingency planning -- received the lowest rating (Level One out of Five, meaning only ad hoc procedures are in place). Five other areas -- data protection and privacy, incident response, risk management, configuration management and continuous monitoring of agency networks -- received scores of two out of five, indicating NSA has defined requirements for these areas but haven’t consistently implemented them. No area received a rating higher than three.

The report also revealed a number of concerns with the way NSA has been implementing compliance controls for its foreign surveillance programs, including the fact that NSA is still holding onto “a small percentage” of signals intelligence beyond their legal and policy retention limits.

The spy agency restarted a contentious debate over its Call Detail Record metadata collection program when it announced last year that it had inadvertently retained hundreds of millions of call records beyond its legal authority. The agency blamed the overcollection on “technical irregularities” on the part of telecommunications service providers and said it was purging all records related to the program going back to 2015. Subsequent reports have indicated that the program is no longer active and that NSA officials may not push for its reauthorization.

However, that hasn’t been enough for some members of Congress and privacy activists who want the program permanently outlawed through statutory changes, and the latest report indicates that auditors were still able to find “a small number” of such records in data provided by NSA. The report found that NSA made a “mistaken assumption” by ignoring calculations that provided more specific retention requirements, and plans to update the agency’s retention policy have been delayed or don’t fully incorporate current law and policy.

The findings “reflect significant risks of noncompliance with legal and policy requirements for retention of SIGINT data,” including “established minimization procedures for NSA [signals intelligence] authorities, meaning that the deficiencies we identified have the potential to impact civil liberties and individual privacy,” according to the report. Auditors made 11 non-public recommendations for NSA to correct the problems.

In fact, control deficiencies were apparently prevalent throughout the agency and its programs, with auditors indicating that personnel resource constraints during the 2018 budget year “may have required NSA managers to prioritize certain internal controls” at the expense of others.”

In an attached letter to Congress, Inspector General Robert Storch said his office has implemented measures over the past year to ensure better accountability from intelligence leaders when it comes to addressing outstanding recommendations, citing a 15% drop in the total number of open recommendations the agency had yet to close and a 20% decline in open recommendations that are considered overdue. In both cases, the NSA still has a backlog of outstanding recommendations that number in the hundreds.

The NSA IG is currently conducting a number of other IT-related audits, including investigations looking into the NSA CIO’s authorities and whether the agency is effectively decommissioning old information systems.