The Government Accountability Office has called on the
Defense Logistics Agency to fully implement its information
security program.
It said that while DLA has made progress implementing key
elements of its program, such as establishing a central
security management group and appointing a senior information
officer, it has yet to fully implement other essential
elements.
The agency has yet to “consistently assess risks for its
information systems; sufficiently train employees who have
significant information security responsibilities or adequately
complete training plans; annually test and evaluate the
effectiveness of management and operational security controls
– and – sufficiently complete plans of action and milestones
for mitigating known information security deficiencies,”
according to GAO-06-31.
Further, it said DLA has not implemented a “fully effective”
process for accrediting and certifying information systems.
Information security employees have not consistently understood
their responsibilities, and the agency has not maintained the
accuracy and completeness of data in its primary reporting
tool for overseeing the agency’s performance in implementing
key information security activities and controls, GAO said.