
GAO criticizes Defense Logistics Agency’s cyber risk management


The Department of Defense’s Defense Logistics Agency has only partially taken critical cybersecurity risk management steps in its inventory management operations, the U.S. Government Accountability Office said in a report released Monday.

The report said the agency has not fully addressed risk management issues involving selecting, assessing, authorizing and monitoring security controls.

In November 2018 the DOD’s Survival Logistics Task Force concluded that the department’s inventory management systems were potentially vulnerable to cyberattacks and that it did not have corrective action plans to mitigate the potential risk.

A U.S. House of Representatives report that accompanied a bill for the National Defense Authorization Act for fiscal year 2020 included a provision for the GAO to evaluate the DOD’s efforts to manage cybersecurity risks to the DOD supply chain.

The GAO report said the DLA assessed specific security controls but did not develop system-level monitoring strategies for three of the six systems the GAO assessed; its assessment procedures lacked required approvals; it did not report complete and consistent security and risk assessment information to support decisions; and it did not consistently monitor the remediation of identified security weaknesses across its six inventory management systems.

The report recommends that the Defense Secretary ensure the DLA’s director: requires that program offices develop a system-specific monitoring strategy; reviews and implements an assessment plan approval process; directs the DLA cybersecurity office to establish a process for program offices to review the consistency and completeness of authorization documentation before submitting the package to authorizing officials; revises and implements the agency’s process for obtaining waivers that accept identified ongoing risk; and includes required information, such as residual risk levels, in corrective action plans.

The GAO said in a report issued in May that cyber insurance’s continued availability and affordability “remains uncertain.”