Priya Patel
TLDR:
- The Department of Defense needs to enhance the cybersecurity of its background investigation systems.
- The Government Accountability Office (GAO) found that the Defense Counterintelligence and Security Agency (DCSA) did not fully address all planning steps within the DOD’s risk management framework.
The Government Accountability Office (GAO) published a report this week highlighting the need for the Department of Defense (DOD) to improve the cybersecurity of its background investigation systems. The report focused on the Defense Counterintelligence and Security Agency (DCSA) and its use of legacy Office of Personnel Management (OPM) IT systems alongside new National Background Investigation Services (NBIS) systems. The GAO found that the DCSA did not adequately prepare the organization or its systems to manage security and privacy risks, leaving several key tasks unaddressed. The report made 13 recommendations to enhance cybersecurity measures, including updating security control baselines, completing risk assessments, and ensuring all security training for system users is up to date.
While the DOD concurred with most of the recommendations, it disagreed with one related to policy enforcement. The report concluded that the DCSA lacks an oversight process to ensure appropriate privacy controls are fully implemented, increasing the risk of sensitive information disclosure. The full report can be accessed here.
