Audit criticizes DOD’s IT contingency plans

Inspector general's office warns that the apparent lack of a comprehensive IT systems contingency planning policy at DOD could hinder warfighting operations.

Mission-critical information systems operated and maintained by the Defense Department may be unable to sustain warfighter operations during a disruptive or catastrophic event, according to DOD’s Office of Inspector General.

In a Feb. 5 memo, Robert Prinzbach, acting assistant IG for readiness and operations support, criticized the apparent lack of a comprehensive information technology systems contingency planning policy at DOD. Prinzbach based his warning on a 2007 audit of DOD’s mission-critical IT systems that found 264, or 61 percent, lacked contingency plans or the people responsible for those systems could not provide evidence of such plans.

The audit also found that 358 systems, or 82 percent, had contingency plans that people had not tested or whose owners could not show auditors evidence of testing. In addition, the audit reported that people provided incorrect testing information for 410, or 94 percent, of DOD’s 436 mission-critical IT systems.

Auditors found the inaccurate information in DOD’s Information Technology Portfolio Repository (DITPR), an unclassified database of record for reporting on the security status of the department's information systems. People had also entered incorrect contingency plan information for 37, or 8 percent, of mission-critical IT systems.

Chief information officers of all DOD component organizations are required to use the DITPR database to report on their inventory of IT systems and certify annually that their organization’s DITPR entries are complete and accurate. DITPR includes information on contingency plans and whether system owners have developed and tested those plans, the audit report said.

Because of database inaccuracies, DOD provided erroneous information to Congress and the Office of Management and Budget about the department's ability to quickly restore mission-critical IT services after an emergency or disruption in operations, the report stated.

The report recommends that the Office of the Assistant Secretary of Defense for Networks and Information Integration and DOD Chief Information Officer create a comprehensive policy for contingency planning to replace existing fragmented policies, which are incomplete and confusing in some cases. The audit report recommends that DOD’s CIO require that all the department's organizations adhere to IT contingency planning guidelines developed by the National Institute of Standards and Technology or issue a comprehensive policy for contingency planning. NIST’s guidelines are in NIST Special Publication 800-34.

The report also recommends that DOD’s CIO develop a training program for contingency planning for all the department's organizations to ensure that everyone responsible for mission-critical IT systems knows how to prepare and test contingency plans.