GAO-21-278, DEFENSE CYBERSECURITY: Defense Logistics .


United States Government Accountability Office
Report to the Committee on Armed Services, House of Representatives

June 2021

DEFENSE CYBERSECURITY

Defense Logistics Agency Needs to Address Risk Management Deficiencies in Inventory Systems

GAO-21-278

June 2021

DEFENSE CYBERSECURITY

Defense Logistics Agency Needs to Address Risk Management Deficiencies in Inventory Systems

Highlights of GAO-21-278, a report to the Committee on Armed Services, House of Representatives

Why GAO Did This Study

In November 2018 DOD’s Survivable Logistics Task Force examined current and emerging threats to DOD logistics, including cybersecurity threats. The task force concluded that DOD’s inventory management systems were potentially vulnerable to cyberattacks, and that DOD did not have corrective action plans to mitigate the potential risks posed by associated vulnerabilities.

House Report 116-120, accompanying a bill for the National Defense Authorization Act for Fiscal Year 2020, included a provision for GAO to evaluate DOD’s efforts to manage cybersecurity risks to the DOD supply chain. GAO’s report determines the extent to which DLA has implemented risk management steps to address cybersecurity risks to its inventory management systems.

GAO selected six systems that DLA officials deemed critical to inventory management operations. GAO reviewed documents, analyzed data, and interviewed officials to determine whether DLA fully addressed, partially addressed, or did not address DOD steps for cybersecurity risk management.

What GAO Recommends

GAO is making five recommendations for DLA to address shortfalls in its critical inventory management systems’ adherence to DOD cybersecurity risk management steps. DLA agreed with two and partially agreed with three recommendations. GAO continues to believe all its recommendations are still warranted.

View GAO-21-278 report. For more information, contact Diana Maurer at (202) 512-9627 or MaurerD@gao.gov or Vijay A D’Souza at 202-512-6240 or Dsouzav@gao.gov

What GAO Found

For six selected inventory management systems that support processes for procuring, cataloging, distributing, and disposing of materiel, the Defense Logistics Agency (DLA) fully addressed two of the Department of Defense’s (DOD) six cybersecurity risk management steps and partially addressed the other four. Specifically, the agency categorized the systems based on risk and established an implementation approach for security controls. However, it only partially addressed the four risk management steps of selecting, assessing, authorizing, and monitoring security controls (see figure).

Figure: Extent to Which the Defense Logistics Agency Addressed the Department of Defense’s Risk Management Steps for Six Selected Inventory Management Systems

Select security controls: DLA selected specific security controls, but it did not develop system-level monitoring strategies to assess the effectiveness of selected security controls for three of the six systems GAO assessed. DOD’s risk management framework requires components to develop a system-specific monitoring strategy during the security control selection step.

Assess security controls: DLA assessed the security controls for the six selected inventory management systems, but its assessment procedures lacked approvals, as required. As a result, GAO found that DLA’s assessment plans lacked essential details and missed opportunities for risk-based decisions.

Authorize the system: DLA authorized the selected systems, but it did not report complete and consistent security and risk assessment information to support decisions. GAO found that DLA had not established a process for program offices to review authorization documentation prior to submitting packages to the authorizing official.

Monitor security controls: DLA did not consistently monitor the remediation of identified security weaknesses across its six inventory management systems. As a result, GAO found that 1,115 of the 1,627 corrective action plans (69 percent) for the six systems did not complete intended remediation within DLA’s required time frame of 365 days or less--they were ongoing for an average of 485 days.

Until DLA addresses the identified deficiencies, the agency’s management of cyber risks for critical systems will be impeded and potentially pose risks to other DOD systems that could be accessed if DLA’s systems are compromised.

United States Government Accountability Office

Contents

Letter
Background
DLA Fully Addressed Two of Six Key Risk Management Steps to Address Cybersecurity Risks and Partially Addressed Four Others
Conclusion
Recommendations for Executive Action
Agency Comments

Appendix I: Objective, Scope, and Methodology
Appendix II: Comments from the Defense Logistics Agency
Appendix III: GAO Contacts and Staff Acknowledgments

Tables

Table 1: Defense Logistics Agency (DLA) Systems Assessed by GAO as Critical to Inventory Management Operations
Table 2: Extent to Which the Defense Logistics Agency Addressed the Department of Defense’s Key Risk Management Steps for Six Selected Inventory Management Systems
Table 3: Assigned Impact Levels for the Six Selected Defense Logistics Agency (DLA) Inventory Management Systems
Table 4: Number of Compliant and Non-compliant Controls, as Identified by the Defense Logistics Agency’s Controls Assessment, for Each of the Inventory Management Systems
Table 5: Selected Required Documents for a Security Authorization Package for Defense Logistics Agency (DLA) Systems

Figure

Figure 1: Overview of the Department of Defense’s (DOD) Cybersecurity Risk Management Framework for Information Technology (IT) Systems

Page i GAO-21-278 Defense Cybersecurity

ee on National Security System Instruction
Defense Logistics Agency
Department of Defense
Enterprise Mission Assurance Support Service
Federal Information Security Modernization Act of 2014
Information Technology
National Institute of Standards and Technology
Risk Management Framework

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Letter

441 G St. N.W.
Washington, DC 20548

June 21, 2021

The Honorable Adam Smith
Chairman
The Honorable Mike Rogers
Ranking Member
Committee on Armed Services
House of Representatives

The Department of Defense (DOD) supply chain is a global network that provides materiel, services, and equipment to DOD’s joint force. Effective and efficient supply chain management is critical for supporting the readiness and capabilities of the warfighter and the overall success of joint operations. A key aspect of supply chain management is inventory management—the process of determining requirements and procuring, managing, cataloging, distributing, overhauling, and disposing of materiel.

The Defense Logistics Agency (DLA), a component of DOD, serves as the nation’s combat logistics support agency. DLA and the military services endeavor to provide logistics capabilities to deliver support to the warfighter at the right place, time, and cost. The items that DLA acquires, stores, and distributes to the military services are mostly consumables—that is, items that are normally intended to be used up beyond recovery or repair, such as food, fuel, and spare parts.

To carry out the agency’s missions and account for its resources, DLA relies on information systems to access and manage supply chain, inventory, and other logistics data. As such, the security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being. However, cyber-based intrusions and attacks on both federal and nonfederal systems have become not only more numerous and diverse, but also more damaging and disruptive. Moreover, the risks to systems supporting the federal government and the nation’s critical infrastructure are increasing. Insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, and the emergence of new and more destructive attacks threaten to undermine our utilization of cyber information systems.

In recognition of the growing threat, we designated information security as a government-wide high-risk area in 1997, and it has since remained on our high-risk list. In addition, we recently reported that although the federal government has made some improvements in cybersecurity, it needs to move with a greater sense of urgency to address four major cybersecurity challenges and 10 associated critical actions commensurate with the rapidly evolving and grave threats to the country. [1]

DOD has also recognized the growing threat to its logistics networks and information systems from adversaries and has established a Task Force to examine current and emerging threats to DOD logistics, including cybersecurity threats. [2] In November 2018 the Task Force concluded that logistics information systems—which include inventory management systems—were potentially vulnerable to cyberattacks, and DOD did not have corrective action plans to mitigate the potential risks posed by associated vulnerabilities.

House Report 116-120, accompanying a bill for the National Defense Authorization Act for Fiscal Year 2020, includes a provision for us to evaluate DOD’s efforts to identify, address, and mitigate cybersecurity risks to the DOD supply chain. [3] Our objective was to determine the extent to which DLA has implemented key risk management steps to address cybersecurity risks to its inventory management systems.

To address our objective, we selected six independent inventory management systems, which DLA cybersecurity officials deemed critical to their inventory management operations, to examine. We reviewed DOD’s instruction on cybersecurity risk management (also referred to as the DOD risk management framework) [4] to identify six risk management steps. Next, we reviewed DLA’s cybersecurity policies and guidance, as well as documentation on DLA’s authorization to operate these six selected inventory management systems. [5] The six select systems were authorized between May 2018 and November 2019 and were the most recent authorizations to operate during our review, which began in September 2019. [6]

In addition, we obtained and analyzed documents used by DLA cybersecurity officials to implement, oversee, and demonstrate compliance with risk management steps. [7] We also reviewed timeliness and risk data from DOD’s information technology (IT) tool for managing the risk management framework—the Enterprise Mission Assurance Support Service, hereinafter referred to as eMASS—to assess the six DLA program offices’ efforts to implement these risk management steps. [8]

To assess the reliability of data obtained from eMASS, we interviewed knowledgeable officials in the agency’s Cybersecurity Office and the six system program offices about the quality control procedures used to ensure the accuracy and completeness of the data. We also compared the data with other relevant documentation on each system’s security controls. We found that most of the security control data we examined were sufficiently reliable for evaluating DLA’s risk management steps for the selected inventory management systems. We note below where discrepancies in the data impacted the system program offices’ ability to address DOD’s risk management steps.

We evaluated DLA’s documents and the eMASS data against requirements from the six risk management steps identified in (1) DOD’s risk management framework and supplemental risk guidance and (2) DLA’s related standard operating procedures. [9] In addition, we evaluated DLA’s efforts against certain guidance identified in the National Institute of Standards and Technology’s (NIST) [10] and from the Committee on National Security System Instruction (CNSSI) No. 1253, [11] because DOD’s instruction directs DLA to also comply with these documents. We supplemented our analysis of documents and observations by interviewing officials in DLA’s Cybersecurity Office and the six system program offices about their efforts to assess, document, and review security controls for their respective systems. We then made determinations about the extent to which each system’s program office had fully addressed, partially addressed, or did not address all aspects of the required tasks for the risk management step, based on the documentation and data provided.

This report does not address the extent to which DLA and the selected systems’ countermeasures are able to successfully prevent certain cyberattacks. Rather, it focuses on DLA’s efforts to manage the cybersecurity of these six systems through a risk management framework that is intended to help managers make informed decisions about cyber threats, and to prioritize mitigations and responses to threats in the most cost-effective manner.

We have included key concept boxes throughout the report to assist the reader’s understanding of cybersecurity terminology. These concepts are not formal definitions of these terms but are based on our analysis of various publications from CNSS, DOD, and DLA, and NIST publications. [12] DOD uses various sources to define its cybersecurity terms, including CNSS and NIST publications. [13]

We conducted this performance audit from September 2019 to June 2021 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We discuss our scope and methodology in more detail in appendix I.

Background

DOD’s supply chain is a global network that provides materiel, services, and equipment to U.S. military forces. Inventory management is the process of determining requirements and acquiring, managing, cataloging, distributing, overhauling, and disposing of materiel. Management and oversight of DOD’s inventory are a responsibility shared among the Under Secretary of Defense for Acquisition and Sustainment, DLA, and the military services. Specifically, DLA acquires, stores, and distributes mostly consumable items—those that are normally expended or intended to be used up beyond recovery or repair—and provides these items to the military services when requisitioned in support of approximately 2,400 weapon systems. [14]

[1] GAO, High-Risk Series: Federal Government Needs to Urgently Pursue Critical Actions to Address Major Cybersecurity Challenges, GAO-21-288 (Washington, D.C.: Mar. 24, 2021).

[2] Department of Defense (DOD), Final Report of the Defense Science Board (DSB) Task Force on Survivable Logistics, (November 2018).

[3] H.R. Rep. No. 116-120, at 309-10 (2019).

[4] DOD Instruction 8510.01, Risk Management Framework (RMF) for DOD Information Technology (IT), (March 12, 2014) (incorporating Change 2, July 28, 2017). DOD revised this instruction in December 2020 but did not include any substantive changes to the steps that we evaluated at the system level. We did not use the updated version of this guidance in our review, because we focused on the agency’s risk management framework actions from 2018 to 2019 system authorizations.

[5] Prior to an information system’s being allowed to operate on DOD’s information network, a senior organizational official must authorize operation of the system and explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation, based on the implementation of an agreed-upon set of security controls. According to DOD guidance, every 3 years a senior organizational official must determine whether to re-authorize the system to remain operational on the network.

[6] We do not name the six systems in relation to any assessment results. This information is considered controlled unclassified information and cannot be publicly released.

[7] Where available, DLA provided system categorization results, system security plans, security assessment reports, authorizations to operate documentation, corrective action plans, and the system-level continuous monitoring strategies as evidence of its efforts.

[8] DLA uses the Enterprise Mission Assurance Support Service (eMASS), which is managed by the Defense Information Systems Agency, as its tool for supporting the implementation of risk management framework steps.

[9] DOD Instruction 8510.01; DOD, Program Managers Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle, (September 2015 Version 1); Defense Logistics Agency, Standard Operating Procedure, 8510.01-01, DLA Risk Management Framework (RMF) (Sept. 25, 2018).

[10] National Institute of Standards and Technology (NIST) Special Publication 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, Revision 4 (December 2014).

[11] Committee on National Security Systems Instruction (CNSSI) No. 1253, Security Categorization and Control Selection for National Security Systems (Mar. 27, 2014). Although the six systems in this report are critical to DLA operations, these systems are not national security systems. Nevertheless, DOD Instruction 8510.01 requires that programs for all systems categorize and select controls—the first two steps in the DOD risk management framework—in accordance with guidance from the Committee on National Security Systems Instruction (CNSSI) No. 1253. This guidance builds on and is a companion document to NIST guidance relevant to categorization and selection.

[12] For example, National Institute of Standards and Technology (NIST), Risk Management Framework for Information Systems and Organizations, Special Publication 800-37, Revision 2 (Gaithersburg, Md.: December 2018); Committee on National Security Systems Instruction (CNSSI) No. 1253, Security Categorization and Control Selection for National Security Systems (Mar. 27, 2014); DOD Instruction 8510.01; DOD, Program Managers Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle, Office of the Under Secretary of Defense for Acquisition, Technology and Logistics (September 2015 Version 1); and Defense Logistics Agency, Standard Operating Procedure, 8510.01-01, DLA Risk Management Framework (RMF) (Sept. 25, 2018).

[13] For example, National Institute of Standards and Technology (NIST), Glossary, May 2021, https://csrc.nist.gov/glossary; and Committee on National Security Systems Instruction (CNSSI) No. 4009, Committee on National Security Systems (CNSS) Glossary (April 6, 2015). For a more complete list of cybersecurity terms, see DOD 8510.01.

[14] For additional information on DLA’s inventory management steps see GAO, Defense Inventory: Actions Needed to Improve the Defense Logistics Agency’s Inventory Management, GAO-14-495 (Washington, D.C.: June 19, 2014).

Overview of DLA Inventory Management Systems

The six DLA information systems we assessed are critical to the agency’s inventory management operations. These systems support the management of supply, transportation, and fuel data. Table 1 describes the six selected systems and shows the date of authorization for which each received approval or authorization to operate on the DOD network.

Table 1: Defense Logistics Agency (DLA) Systems Assessed by GAO as Critical to Inventory Management Operations

System | Description | Date of Authorization
Base Level Support Application/Fuels Manager Defense | Provides information on fuel consumption at forward-deployed locations and can assist a base commander in making decisions regarding energy use on the base. | September 2019
Defense Automatic Addressing System | Maintains, for military activities, federal agencies, and contractors, the “activity address codes”—that is, the codes used to provide a uniform method for controlling government assets and recording the receipt and disposition of property. | February 2019
Distribution Standard System | Manages functional business processes of DLA’s warehouse operations, to include receiving, storage, packing, shipping, inventory inspection, and workload management. | October 2018
Federal Logistics Information System | Catalogs the national stock numbers assigned to items that are repeatedly acquired, purchased, stocked, stored, issued, and used throughout the federal supply system. | June 2018
Hazardous Material Management System | Provides information about who received hazardous materials; which and how much they received; and when, where, and how the materials were used. | November 2019
Wide Area Workflow E-Business Suite | Provides means for electronic submission, acceptance, and processing of invoices and receiving reports, and for matching them with contracts to authorize payment. | May 2018

Source: GAO analysis of DLA information. GAO-21-278

Cybersecurity Risk Management

For DLA, as for all government organizations, cybersecurity is a key element in maintaining public trust. Inadequately protected systems pose risks to the protection of information, privacy, and military operations. As we have previously reported, unintentional, or non-adversarial, threat sources include equipment failures, software coding errors, or the accidental actions of employees (human errors). Systems are also vulnerable to individuals or groups with malicious intent who could unlawfully access the systems to obtain sensitive information, disrupt operations, or launch attacks against other computer systems and networks.

Key Concept

Common terminology for cybersecurity risk management can include:

A cyber vulnerability is a weakness in an information system that could be exploited or otherwise affected by a threat.

A cybersecurity threat is anything that can potentially harm a system, either intentionally or unintentionally.

A cybersecurity risk assessment is a measurement of the potential effect posed by a threat (intent and capabilities), a vulnerability (inherent or introduced) to a threat, and potential consequences (fixable or fatal).

Source: GAO analysis of NIST information. GAO-21-278

Key Concept

Security controls are safeguards or countermeasures to protect the confidentiality, integrity, and availability of a system and its information. For example, the system owner may add encryption as a safeguard to protect confidentiality by transforming information so that only authorized users are able to read it, and may protect integrity by providing the safeguard of an electronic signature that can be used to check for unauthorized changes to the file. System owners can also back up data routinely as a countermeasure to help ensure availability in the event of a disruption or failure.

Source: GAO analysis of NIST information. GAO-21-278

Cybersecurity risk management comprises a full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats; maintain awareness of cyber threats; detect anomalies and incidents adversely affecting IT and data; and mitigate the impact of, respond to, and recover from incidents.

Federal law and guidance specify requirements for protecting federal information and information systems. The Federal Information Security Modernization Act of 2014 (FISMA) requires executive branch agencies to develop, document, and implement agency-wide programs to provide security for the information and information systems that support their operations and assets. [15] NIST is tasked with the mission of developing, for systems other than those for national security, standards and guidelines to be used by all agencies to establish minimum cybersecurity requirements for information and information systems based on their respective levels of cybersecurity risk. [16] Accordingly, NIST developed a risk management framework of standards and guidelines for agencies to follow when developing information security programs.

DOD’s Office of the Chief Information Officer has also established a series of policies, procedures, and guidance to defend its information systems and computer networks from unauthorized or malicious activity and ensure their security. For example, DOD Instruction 8510.01, Risk Management Framework (RMF) for DOD Information Technology (IT), describes the department’s requirements for executing and maintaining the risk management framework for its IT systems. [17] The cybersecurity requirements outlined in DOD’s framework are intended to be consistent with NIST standards and guidelines and consist of six steps: (1) categorizing the system’s impact level; (2) selecting security controls; (3) implementing security controls; (4) assessing security controls; (5) authorizing the system to operate; and (6) monitoring the efficacy of controls on an ongoing basis. [18] Figure 1 shows an overview of this framework and describes its six steps. These steps are to be typically implemented in a cyclical approach when seeking authorization for a new or unauthorized system. Once authorized to operate, a system must be reassessed and reauthorized every 3 years.

[15] The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283, 2014), updated and largely superseded the Federal Information Security Management Act of 2002, Pub. L. No. 107-347 (2002). As used in this report, FISMA refers to the requirements in the 2014 law.

[16] 15 U.S.C. § 278g-3(a) and (b).

[17] DOD Instruction 8510.01.

[18] NIST SP 800-37, Risk Management Framework for Information Systems and Organizations, Revision 2 (December 2018) adds an additional “Prepare” step in order to establish the context and priorities for managing security and privacy risk at both the organizational level and the system level. The current DOD Risk Management Framework does not include this step, although DOD officials told us that they are updating DOD Instruction 8510.01 in order to do so. As such, we did not include this step in our review.

Figure 1: Overview of the Department of Defense’s (DOD) Cybersecurity Risk Management Framework for Information Technology (IT) Systems

Note: While the risk management framework steps are listed in sequential order in the figure, the steps can be carried out in a nonsequential order. Organizations executing the risk management framework for the first time for a system or set of common controls typically carry out the steps in sequential order. However, there could be many points in the risk management process where there is a need to diverge from the sequential order due to the type of system, risk decisions made by senior leadership, or changes in risk or in system functionality, or to allow for iterative cycles between tasks or revisiting of tasks (e.g., during agile development).

a Committee on National Security Systems Instruction (CNSSI) No. 1253, Security Categorization and Control Selection for National Security Systems (March 27, 2014).

The DOD framework—issued in March 2014—replaced the DOD Information Assurance Certification and Accreditation Process and manages the life-cycle cybersecurity risk to DOD IT. In 2017, DLA issued guidance to the new risk management framework. Management and oversight of the DLA cybersecurity risk management framework program are a responsibility of DLA’s Cybersecurity Office. Specifically, the DLA Cybersecurity Office establishes the policy for DLA cybersecurity management and manages the risk management framework process, among other things. In September 2018, the DLA Cybersecurity Office established a standard operating procedure to govern its programs in conducting, implementing, and maintaining the DOD risk management framework. [19]

DLA Fully Addressed Two of Six Key Risk Management Steps to Address Cybersecurity Risks and Partially Addressed Four Others

DLA fully addressed two of the six key risk management steps by categorizing the systems based on risk and implementing security controls for each of the six selected systems. However, the agency only partially addressed the other four risk management steps of selecting security controls, assessing, authorizing, and monitoring for each of the six selected systems. Table 2 summarizes our assessment of the extent to which DLA addressed each step based on documents and data supporting the authorization of the six selected systems.

[19] DLA Standard Operating Procedure 8510.01-01.

Table 2: Extent to Which the Defense Logistics Agency Addressed the Department of Defense’s Key Risk Management Steps for Six Selected Inventory Management Systems

Key risk management steps | GAO assessment
1. Categorize system
2. Select security controls
3. Establish implementation approach
4. Assess security controls
5. Authorize system
6. Monitor security controls

Legend:
Fully addressed - Indicates that all parts of the risk management step were fully addressed for the six selected systems.
Partially addressed - Indicates that some, but not all, aspects of the risk management step were addressed for the six selected systems.
Not addressed - Indicates that none of the aspects of the risk management step were addressed for the six selected systems.

Source: GAO analysis of Defense Logistics Agency data and Department of Defense’s risk management framework. GAO-21-278

DLA Categorized the Six Selected Systems and Established an Approach to Implement Security Controls

DLA Categorized the Systems

For the six selected inventory management systems, DLA program offices fully addressed the key risk management step of system categorization. DLA programs are required to categorize their information systems in accordance with CNSSI No. 1253. [20] Furthermore, DLA progr
