OCR of the Document

View the Document >>

Inspector General, Department of Defense, DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued from August 1, 2016, Through July 31, 2016. December 13, 2016. Unclassified//For Official Use Only.

FOR OFFICIAL USE ONLY Report No DODIG-2017-034 I nspec tor Ge ne ral U S Department of Defense DECEMBER 13 2016 DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued From August 1 2015 Through July 31 2016 I N T E G R I T Y  E F F I C I E N C Y  A C C O U N TA B I L I T Y  E X C E L L E N C E The document contains information that may be exempt from mandatory disclosure under the Freedom of Information Act FOR OFFICIAL USE ONLY FOR OFFICIAL USE ONLY I N T E G R I T Y  E F F I C I E N C Y  A C C O U N TA B I L I T Y  E X C E L L E N C E Mission Our mission is to provide independent relevant and timely oversight of the Department of Defense that supports the warfighter promotes accountability integrity and efficiency advises the Secretary of Defense and Congress and informs the public Vision Our vision is to be a model oversight organization in the Federal Government by leading change speaking truth and promoting excellence—a diverse organization working together as one professional team recognized as leaders in our field F r a u d W a s t e A b u s e HOTLINE Department of Defense dodig mil hotline 8 0 0 4 2 4 9 0 9 8 For more information about whistleblower protection please see the inside back cover FOR OFFICIAL USE ONLY FOR OFFICIAL USE ONLY Results in Brief DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued From August 1 2015 Through July 31  2016 December 13 2016 Results cont’d Objective The DoD has prioritized funding its cyber strategy by investing a total of $6 7 billion in FY 2017 and a total of $34 6 billion over the Future Years Defense Program next five years The funds are intended to help the DoD continue to develop train and equip the Cyber Mission Force and make new technological investments to strengthen cyber defenses and capabilities While the DoD has prioritized funding its cyber strategy cybersecurity will continue to remain a significant management challenge As recent audit reports identify the DoD continues to struggle with ensuring that all aspects of its information security program are adequately implemented For example implementing secure information systems on major weapons systems throughout their lifecycle requires effective and continuous software assurance testing Inadequate software assurance testing on major weapons systems could be devastating to mission operations In addition although Homeland Security Presidential Directive 12 was issued in 2004 one audit report indicated that DoD Components are still not fully complying with the Directive The report identified the lack of compliance leaves national security and Privacy Act information vulnerable to compromise and places soldiers family members civilians and critical infrastructures at greater risk of an adverse incident occurring We summarized DoD and Government Accountability Office audit reports issued from August 1 2015 through July 31  2016 that contained findings on DoD cybersecurity weaknesses This report supports the DoD Office of Inspector General’s response to the requirements of Public Law 113‑283 section 3555 “Federal Information Security Modernization Act of 2014 ” December 18 2014 Results During the reporting period the DoD and the Government Accountability Office issued 21 unclassified reports that addressed a wide range of cybersecurity weaknesses within the DoD systems and networks Reports issued during the reporting period most frequently cited cybersecurity weaknesses in the categories of risk management identity and access management security and privacy training contractor systems and configuration management As of August 1 2015 unclassified audit reports identified in the previously issued cybersecurity summary reports contained 166 open cybersecurity-related recommendations From August 1 2015 through July 31 2016 DoD management closed 28 recommendations leaving 138 open cybersecurity-related recommendations that required management action Correcting cybersecurity weaknesses and maintaining adequate cybersecurity is critical as the DoD has become increasingly reliant on cyberspace to enable its military intelligence and business operations to perform the full spectrum of military operations Although the DoD has taken steps to increase cybersecurity over its systems networks and infrastructure significant challenges remain Visit us at www dodig mil FOR OFFICIAL USE ONLY DODIG-2017-034 Project No D2016-D000RB-0139 000 │ i FOR OFFICIAL USE ONLY Results in Brief DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued From August 1 2015 Through July 31  2016 Recommendations In this summary report we identified recommendations from previously issued reports Therefore this report contains no new recommendations and is provided for information purposes only Management Comments and Our Response We did not issue a draft report because this report consolidates audit findings from audit reports issued from August 1 2015 through July 31 2016 No written response is required FOR OFFICIAL USE ONLY ii │ DODIG-2017-034 Project No D2016-D000RB-0139 000 FOR OFFICIAL USE ONLY INSPECTOR GENERAL DEPARTMENT OF DEFENSE 4800 MARK CENTER DRIVE ALEXANDRIA VIRGINIA 22350-1500 MEMORANDUM FOR DOD CHIEF INFORMATION OFFICER ASSISTANT SECRETARY OF THE AIR FORCE FINANCIAL MANAGEMENT AND COMPTROLLER NAVAL INSPECTOR GENERAL AUDITOR GENERAL DEPARTMENT OF THE ARMY MANAGING DIRECTOR INFORMATION TECHNOLOGY GOVERNMENT ACCOUNTABILITY OFFICE December 13 2016 SUBJECT DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued From August 1  2015 Through July 31 2016 Report No  DODIG-2017-034 We are providing this summary report for your information and use Civil service and military personnel who develop operate or manage DoD information systems should read this report to be aware of identified cybersecurity challenges in the DoD information technology environment The overall objective was to summarize the DoD cybersecurity weaknesses identified in unclassified audit reports and testimonies issued by the DoD audit community and the Government Accountability Office from August 1 2015 through July 31 2016 During the reporting period the DoD audit community and the Government Accountability Office issued 21 unclassified reports addressing cybersecurity weaknesses within DoD systems and networks The report contains no recommendations for action however it does identify previously issued audit reports that contain open recommendations We did not issue a draft report and no written response is required We appreciate the courtesies extended to the staff Please direct questions to me at 703  699‑7331 DSN 499‑7331 Carol N Gorman Assistant Inspector General Readiness and Cyber Operations FOR OFFICIAL USE ONLY DODIG-2017-034 │ iii FOR OFFICIAL USE ONLY Contents Introduction Objective 1 Background 1 Results DoD Audit Community and GAO Identified DoD Cybersecurity Weaknesses 4 Cybersecurity Weaknesses Identified in Audit Reports 4 FISMA Metrics with the Most Frequently Reported Cybersecurity Weaknesses 5 DoD’s Progress to Implement Recommendations Reported in Previously Issued Cybersecurity Summary Reports 15 Summary 17 Appendixes Appendix A Scope and Methodology 19 Use of Computer-Processed Data 19 Prior Coverage 19 Appendix B Matrix of Cybersecurity Weaknesses Reported From August 1 2015 Through July 31 2016 21 Appendix C Audit Reports Issued From August 1 2015 Through July 31 2016 23 Appendix D Audit Reports From Prior Cybersecurity Summary Reports With Unresolved Recommendations 25 Glossary 30 Acronyms and Abbreviations 31 FOR OFFICIAL USE ONLY iv │ DODIG-2017-034 FOR OFFICIAL USE ONLY Introduction Introduction Objective We summarized DoD cybersecurity weaknesses identified in audit reports and testimonies issued by the DoD audit community1 and the Government Accountability Office  GAO between August 1 2015 through July 31 2016 See Appendix A for a discussion on the scope and methodology and prior coverage related to the objective Background This report is the 18th annual cybersecurity summary the DoD Office of Inspector General  DoD OIG has issued since January 1999 This report is a reference for identifying audit reports and testimonies that outline DoD cybersecurity weaknesses as related to Public Law 113‑283 section 3555 “Federal Information Security Modernization Act of 2014 FISMA ” December 18 2014 2 FISMA Requires Security Controls Over Federal Information Federal Government agencies have a responsibility to protect their information and information systems This responsibility is promulgated in FISMA which provides a comprehensive framework for ensuring the effectiveness of agency information security controls FISMA requires that each agency develop document and implement an agency-wide information security program to protect the information and information systems that support agency operations and assets FISMA also requires that each agency with an Inspector General IG appointed under the Inspector General Act of 1978 as amended independently evaluate the effectiveness of the agency’s information security program and practices Due to the size and number of DoD organizations a comprehensive annual evaluation of the DoD’s information security program for each of the FISMA metrics is not practical Instead the DoD OIG uses this summary of unclassified cybersecurity‑related audit reports and testimonies issued by the DoD audit community and the GAO during the reporting period to support the DoD OIG’s annual FISMA requirement 1 The DoD audit community consists of the DoD Office of Inspector General Army Audit Agency Naval Audit Service and Air Force Audit Agency 2 The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 FOR OFFICIAL USE ONLY DODIG-2017-034 │ 1 FOR OFFICIAL USE ONLY Introduction Cybersecurity Weakness Categories In 2010 the Office of Management and Budget mandated that the Department of Homeland Security provide guidance and operational oversight for Federal agency FISMA reporting In accordance with that mandate the Department of Homeland Security has developed and issued annual FISMA reporting metrics for Federal agency IGs Chief Information Officers and the Senior Agency Officials for Privacy This year the Office of Management and Budget the Department of Homeland Security and the Council of the Inspectors General on Integrity and Efficiency established a joint working group to develop the FY 2016 IG FISMA reporting metrics The FY 2016 IG FISMA metrics are defined in “FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1 0 ” June 20 2016 The FY 2016 IG FISMA metrics are organized around the five information security functions outlined in the National Institute of Standards and Technology NIST Framework for Improving Critical Infrastructure Cybersecurity Cybersecurity Framework The five security functions are Identify Protect Detect Respond and Recover The Cybersecurity Framework provides agencies with a common structure for identifying and managing cybersecurity risks across the agency and provides IGs with guidance for assessing the maturity of the controls to address those risks Table 1 shows the eight FY 2016 IG FISMA reporting metrics and their alignment to the Cybersecurity Framework security functions Table 1 FY 2016 IG FISMA Reporting Metrics Cybersecurity Framework Security Functions Identify FY 2016 IG FISMA Reporting Metrics Risk Management Contractor Systems Configuration Management Protect Identity and Access Management Security and Privacy Training Detect Information Security Continuous Monitoring Respond Incident Response Recover Contingency Planning Based on their respective set of metrics the IGs Chief Information Officers and Senior Agency Officials for Privacy assess their agency information security controls and compile the results in a single FISMA assessment report to the Office of Management and Budget The annual reports are submitted electronically in CyberScope an automated platform for secure FISMA reporting FOR OFFICIAL USE ONLY 2 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Introduction To respond to the FISMA requirements the DoD OIG categorizes the cybersecurity‑related audit report and testimony findings by cybersecurity weakness categories consistent with the eight FY 2016 IG FISMA reporting metrics See the Glossary for definitions of each cybersecurity weakness category DoD Cybersecurity Instructions and Directives The DoD has issued the following cybersecurity guidance which is consistent with the FISMA reporting metrics • DoD Instruction 8500 01 “Cybersecurity ” March 14 2014 establishes a DoD cybersecurity program to protect and defend DoD information and information technology  IT • DoD Instruction 8510 01 “Risk Management Framework  RMF for DoD Information Technology  IT ” March 12 2014 Incorporating Change 1 May 24  2016 establishes policy and assigns responsibility for executing and maintaining the DoD IT risk management framework This policy provides guidance for the transition from the DoD Information Assurance Certification and Accreditation Process to the risk management framework • DoD Instruction 8582 01 “Security of Unclassified DoD Information on Non-DoD Information Systems ” June 6 2012 establishes policy for securing unclassified information on non‑DoD information systems • DoD Instruction 8520 03 “Identity Authentication for Information Systems ” May 13 2011 establishes policy and prescribes procedures for implementing identity authentication of all entities to DoD information systems • DoD Directive 5400 11 “DoD Privacy Program ” October 29 2014 establishes policy for the respect and protection of an individual’s personal information and fundamental right to privacy • DoD Directive 8140 01 “Cyberspace Workforce Management ” August 11  2015 establishes specific workforce elements to align manage  and standardize cyberspace work roles baseline qualifications and training requirements FOR OFFICIAL USE ONLY DODIG-2017-034 │ 3 FOR OFFICIAL USE ONLY Results Results DoD Audit Community and GAO Identified DoD Cybersecurity Weaknesses From August 1 2015 through July 31 2016 the DoD audit community and the GAO issued 21 unclassified reports that identified a wide range of cybersecurity weaknesses within DoD systems and networks The reports identified issues in seven of the eight IG FISMA metrics The DoD audit community and the GAO provided 61 recommendations related to the FY 2016 IG FISMA metrics to correct cybersecurity weaknesses Cybersecurity Weaknesses Identified in Audit Reports This report summarizes the cybersecurity weaknesses identified in DoD audit community and GAO reports as they relate to the FY 2016 IG FISMA metrics Table 2 shows the number of cybersecurity weaknesses related to the FY 2016 IG FISMA reporting metrics identified in the 21 reports Table 2 Cybersecurity Weaknesses Reported From August 1 2015 Through July 31 2016 GAO DoD OIG Military Departments Total Risk Management 1 4 8 13 Identity and Access Management 0 1 4 5 Security and Privacy Training 0 0 5 5 Contractor Systems 2 1 1 4 Contingency Planning 0 0 3 3 Configuration Management 0 1 2 3 Incident Response 1 0 1 2 Information Security Continuous Monitoring 0 0 0 0 FISMA Reporting Metrics Note Totals do not equal the number of reports and testimonies identified because one report may cover several FISMA reporting metrics FOR OFFICIAL USE ONLY 4 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Results FISMA Metrics with the Most Frequently Reported Cybersecurity Weaknesses In summarizing this year’s 21 audit reports we found that the cyber weaknesses most frequently cited populated the FISMA metrics’ categories of risk management identity and access management security and privacy training contractor systems and configuration management The following report sections include examples from one or more of the 21 audit reports and describe how the cyber weaknesses negatively impact the DoD’s cybersecurity mission See Appendix B for a matrix of reports listed by their specific cybersecurity weaknesses and Appendix C for a list of reports summarized in this report Risk Management Risk management for IT is the process of managing threats to organizational operations organizational assets other organizations individuals and the United States that result from operating an information system Risk management performance of a risk assessment • implementation of a risk mitigation strategy and • employment of techniques and procedures for the continuous monitoring of the information system’s security The DoD audit community and the GAO reported risk management weaknesses in 13 reports and made 24 recommendations Examples of those weaknesses are contained in the following two reports DoD Did Not Require Performance of Software Assurance Countermeasures DoD OIG Report No DODIG-2016-082 “DoD Needs to Require Performance of Software Assurance Countermeasures During Major Weapons Systems Acquisitions ” April 29 2016 identified that Littoral Combat Ship – Mission Modules program office officials did not ensure all software assurance countermeasures3 detailed in the Program Protection Plan PPP were fully performed during software development In July 2011 the Principal Deputy Under Secretary of Defense for Acquisition Technology and Logistics USD AT L issued a policy memorandum requiring all acquisition programs to develop a PPP to describe the program’s critical areas the related threats and vulnerabilities and a plan to apply countermeasures to reduce associated risks The PPP specifically includes software assurance countermeasures designed to reduce risk by verifying software functions as intended 3 Software assurance countermeasures are activities to counter adversarial threats that may target software FOR OFFICIAL USE ONLY DODIG-2017-034 │ 5 FOR OFFICIAL USE ONLY Results According to the report DoD policy did not require programs to perform all software assurance countermeasures contained in the PPP and the DoD did not issue implementing procedures to ensure countermeasures were consistently applied across major acquisition There was programs As a result there was an increased risk that an increased the Littoral Combat Ship – Mission Modules software risk that contained vulnerabilities that if exploited could software contained vulnerabilities that prevent the Littoral Combat Ship from performing could prevent the its mission Littoral Combat Ship from performing The DoD OIG recommended that the USD AT L its mission develop and issue policy to require that program offices implement applicable software assurance countermeasures contained in their PPP According to the report the Acting Deputy Assistant Secretary of Defense for Systems Engineering responding for the USD AT L disagreed with the recommendation and stated that the recommended action was already completed with the reissuance of DoD Instruction 5000 02 The DoD OIG responded that while DoD Instruction 5000 02 was identified as the baseline software assurance policy it does not contain implementation requirements The DoD OIG also recommended that the USD AT L develop and issue procedures to guide consistent application of software assurance countermeasures in PPPs While the Acting Deputy agreed with the recommendation the DoD OIG responded that the Acting Deputy did not address the specifics of the recommendation The DoD OIG requested that the USD AT L provide additional comments on both recommendations In subsequent correspondence USD AT L personnel stated that revisions to existing software were planned for completion in December 2016 Army Personnel Did Not Properly Manage Risks Associated with Task Critical Assets FOUO 4 FOR OFFICIAL USE ONLY 6 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Results FOUO   FOUO FOUO Identity and Access Management Identity and access management includes the processes technologies and policies for managing digital identities and controlling how identities can be used to access resources The DoD audit community and the GAO reported identity and access management weaknesses in 5 reports and made 26 recommendations Examples of those weaknesses are contained in the following two reports 5 FOR OFFICIAL USE ONLY DODIG-2017-034 │ 7 FOR OFFICIAL USE ONLY Results Air Force Personnel Did Not Review Account Access Air Force Audit Agency Report No F2016-0002-O10000 “Purchase Request Process System – Application Controls ” March 30 2016 identified that Purchase Request Process System PRPS program personnel did not effectively implement application control requirements necessary to achieve audit readiness For example PRPS personnel did not periodically review account access to ensure continued appropriateness as required which allowed 510 out of 2 867 users with no requirement for access to have active accounts Access controls limit or detect inappropriate access to computer resources thereby protecting them from unauthorized modification loss and or disclosure PRPS program personnel did not periodically review account access to ensure continued appropriateness as required because PRPS program management personnel did not implement the NIST Risk Management Framework Instead PRPS program personnel followed the pre-2014 DoD 8500-series policies that did not reflect current Federal regulations for application-level general business process interface and data management controls As a result PRPS application control discrepancies cast doubt on the reliability of operational mission data used to generate purchase instruments Additionally audit costs and substantive testing sample sizes will increase if independent public accountants cannot rely on the system of internal controls supporting Air Force financial statements The Air Force Audit Agency recommended that the Commander Air Force Materiel Command implement internal control procedures to verify consistent and accurate compliance with Federal NIST system control standards detailed in DoD Instruction 8510 01 The Commander Air Force Materiel Command agreed and stated that the Air Force Materiel Command will develop a plan to modify PRPS to comply with Federal NIST standards including risk management framework implementation in accordance with DoD Instruction 8510 01 Additionally the Commander stated that the plan would include the implementation of internal control procedures to verify consistent and accurate compliance with the Federal NIST system control standards detailed in DoD Instruction 8510 01 FOR OFFICIAL USE ONLY 8 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Results Army Activities Did Not Comply with Homeland Security Presidential Directive 12 FOUO • FOUO • FOUO • FOUO • FOUO FOUO FOUO • FOUO • FOUO FOUO   • FOUO FOR OFFICIAL USE ONLY DODIG-2017-034 │ 9 FOR OFFICIAL USE ONLY Results FOUO FOUO Security and Privacy Training Security and privacy training includes the formal activities products and services intended to create or enhance the security knowledge or skills of personnel responsible for IT operations The DoD audit community and the GAO reported security and privacy training weaknesses in five reports and made eight recommendations Examples of those weaknesses are contained in the following two reports Navy Medical Providers Need to Improve Technical Safeguards for Personally Identifiable Information and Protected Health Information FOUO FOR OFFICIAL USE ONLY 10 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Results FOUO   FOUO   d FOUO FOUO Army Portfolio Management Solution Contains Unreliable Data Army Audit Agency Report No A-2016-0062-IET “Data Reliability in the Army Portfolio Management Solution ” March 22 2016 examined the Army Portfolio Management Solution APMS the Army’s authoritative data source for information assurance and IT investments to verify that the system had reliable data for senior leaders to make informed decisions The report identified that data in APMS was not reliable despite having data fields to meet DoD and congressional requirements for IT portfolio management Consequently senior leaders used ineffective and inefficient methods to collect IT information The Army Audit Agency reviewed 17 data fields related to portfolio management funding and information assurance and determined that all fields had inaccuracies or incomplete and illogical responses FOR OFFICIAL USE ONLY DODIG-2017-034 │ 11 FOR OFFICIAL USE ONLY Results The report stated that this occurred because • users manually entered required data into APMS instead of leveraging interoperability with existing systems having the required data that was more definitive • guidance did not clearly define data elements or specific sources from which to obtain data to avoid varying interpretations of information requirements • training was not available to give users a clear understanding of the purpose and or use of the data gathered and • controls were not effective to identify and remedy illogical or incomplete answers to data fields As a result the Chief Information Officer G-6 mission area IT portfolio managers and commanders did not have reliable visibility over the Army’s IT portfolio or network security and they risked reporting inaccurate information to the DoD and Congress Additionally Army leaders could not leverage the big data analytical capability inherent in APMS due to the incomplete unreliable conditions that existed The report recommended that the Chief Information Officer G-6 develop training in the APMS so that system owners understand new guidance new tools and the purpose and or use of the data gathered The Chief Information Officer G-6 agreed with the recommendation and stated that the office will publish an update to the APMS manual that would define the consumers and purpose of the data in APMS Contractor Systems Contractor systems are information systems owned or operated by entities on behalf of the Federal Government including systems that reside in the public cloud The systems must meet the security requirements for all systems that process or store Federal Government information The DoD audit community and the GAO reported contractor system weaknesses in four reports and made three recommendations An example of this weakness is contained in the following report Air Force Communications Equipment Lacked Technical Support FOUO FOR OFFICIAL USE ONLY 12 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Results FOUO The inability to maintain consistent satellite connectivity occurred because headquarters AFRC personnel did not establish a standard process to ensure technical support for communications equipment   AFRC personnel did not continue a technical support contract for communications equipment and could not resolve operational problems due to the lack of proprietary technical expertise Instead of continuing a previous technical support contract for communications equipment AFRC headquarters personnel employed a SharePoint site to allow unit personnel to compare technical problems and troubleshoot solutions among themselves However this method could not resolve all operational problems due to the lack of proprietary technical expertise For example 5 of the 12 AFRC units were still reporting problems that required technical expertise during the support contract lapse FOUO The Air Force Audit Agency recommended that the Air Force Reserve officials direct AFRC personnel to implement a standard process to ensure continued technical support for communications equipment The Air Force Reserve officials agreed with the finding and recommendation and stated that AFRC A6 re‑established a technical support contract and that both contracting and plans and programs experts have integrated metrics for tracking the status of the support contract Configuration Management Configuration management is a collection of activities focused on establishing and maintaining the integrity of IT products and information systems through control of processes for initializing changing and monitoring the configurations of those products and systems throughout the system development life cycle The DoD audit community and the GAO reported configuration management weaknesses in three reports and made four recommendations An example of this weakness is contained in the following report FOR OFFICIAL USE ONLY DODIG-2017-034 │ 13 FOR OFFICIAL USE ONLY Results Air Force Project Management Resource Tools Were Not Properly Implemented Air Force Audit Agency Report No F2016-0001-O10000 “Project Management Resource Tools-General Controls ” March 30 2016 identified that Project Management Resource Tools PMRT personnel did not effectively implement security management configuration management and contingency planning general controls The Assistant Secretary of the Air Force Acquisition provides the funding and personnel to maintain and deploy the PMRT A service-level agreement between the Acquisition Integration Acquisition Information Division and the Army Project Director Acquisition Logistics and Technology Enterprise Systems and Services ALTESS provides network server hosting services for the production and operation of the PMRT The agreement assigned physical environmental and network protection maintenance of the operating system software on the servers and backup support responsibilities to ALTESS However PMRT personnel remained responsible for all other general controls including configuration management PMRT personnel did not effectively implement security management configuration management and contingency planning general controls because PMRT personnel did not initiate efforts to implement the requirements of the NIST Risk Management Framework and other Federal and DoD requirements   Instead PMRT personnel followed expiring policy that did not reflect directed Federal regulations for general controls Additionally PMRT personnel did not establish ALTESS service-level agreement requirements to follow mandatory Federal standards for security-focused configuration management Specifically ALTESS personnel operated under a 2009 memorandum6 that did not incorporate security-focused configuration management as required by the NIST As a result PMRT general control weaknesses cast doubt on the reliability of operation and financial data supporting the status of over 700 Air Force Acquisition projects and programs valued at over $40 billion In addition if independent public accountants cannot rely on the system of internal controls supporting Air Force financial statements independent auditors will have to increase substantive testing sample sizes and increase the cost of audit accordingly 6 ALTESS memorandum 25-111 “Change Management Process ” February 27 2009 FOR OFFICIAL USE ONLY 14 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Results The Air Force Audit Agency recommended that the Assistant Secretary of the Air Force Acquisition direct the Acquisition Integration Acquisition Capability Division to implement Federal NIST system control standards detailed in DoD Instruction 8510 01 and a 2013 memorandum from the Assistant Secretary of the Air Force Financial Management and Comptroller 7 This would include all applicable security management configuration management and contingency planning controls Additionally the Air Force Audit Agency recommended that the Assistant Secretary of the Air Force Acquisition direct the Acquisition Integration Acquisition Capability Division to modify the ALTESS service-level agreement to require compliance with Federal NIST standards as detailed in DoD Instruction 8510 01 including development of a configuration management plan in accordance with NIST 8 Management officials from the Assistant Secretary of the Air Force Acquisition agreed with the audit results and recommendations and stated that the Assistant Secretary of the Air Force Acquisition will direct the Acquisition Integration Acquisition Capability Division to implement Federal NIST system control standards and direct the Acquisition Integration Acquisition Capability Division to modify the ALTESS service-level agreement DoD’s Progress to Implement Recommendations Reported in Previously Issued Cybersecurity Summary Reports As of August 1 2015 audit reports included in the previously issued cybersecurity summary reports contained 166 unresolved cybersecurity‑related recommendations From August 1 2015 through July 31 2016 DoD management closed 28 of those recommendations leaving 138 unresolved cybersecurity‑related recommendations that required management action See the Figure for the issue date of reports containing the remaining 138 unresolved cybersecurity‑related recommendations See Appendix D for a list of the reports containing unresolved recommendations 7 Assistant Secretary of the Air Force Financial Management and Comptroller memorandum “Information Technology – Financial Controls and Accounting Conformance Guidance ” May 31 2013 8 NIST Special Publication 800-128 “Guide for Developing Security Plans for Federal Information Systems ” February 2006 FOR OFFICIAL USE ONLY DODIG-2017-034 │ 15 FOR OFFICIAL USE ONLY Results Figure Issue Date of Reports Containing Unresolved Recommendations Related to Cybersecurity Weaknesses GAO DoDIG 2012 2013 AAA NAS AFAA 40 Number of Cybersecurity-Related Unresolved Recommendations 35 30 25 20 15 10 5 0 2006 2007 2008 2009 2010 2011 2014 2015 Issue Date of Reports with Unresolved Cybersecurity-Related Recommendations Cybersecurity Weaknesses Identified in Unresolved Recommendations The most common cybersecurity weaknesses identified in the 138 unresolved recommendations relate to risk management identity and access management and contingency planning Table 3 identifies the cybersecurity weaknesses as they relate to the unresolved recommendations FOR OFFICIAL USE ONLY 16 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Results Table 3 Cybersecurity Weaknesses Identified in Unresolved Recommendations GAO DoD OIG Military Departments Total Risk Management 3 20 54 77 Identity and Access Management 0 15 40 55 Contingency Planning 4 18 26 48 Configuration Management 2 9 17 28 Information Security Continuous Monitoring 0 4 14 18 Security and Privacy Training 0 4 6 10 Incident Response 0 3 3 6 Contractor Systems 0 3 0 3 FISMA Reporting Metrics Note Totals do not equal the number of reports and testimonies identified because one report may cover several IG FISMA metrics Summary The DoD has prioritized funding its cyber strategy by investing a total of $6 7 billion in FY 2017 and a total of $34 6 billion over the Future Years Defense Program next five years The funds are intended to help the DoD continue to develop train and equip the Cyber Mission Force and make new technological investments to strengthen cyber defenses and capabilities While the DoD has prioritized funding its cyber strategy cybersecurity will continue to remain a significant management challenge As recent audit reports identify the DoD continues to face challenges in protecting and securing its networks systems and infrastructure from cyber threats and increasing its overall cyber capabilities One of the most important challenges is the continuous effort to protect the DoD’s systems and networks from increasingly sophisticated cyber-attacks The DoD audit community and the GAO issued 21 unclassified reports from August 1 2015 through July 31 2016 that identified cybersecurity weaknesses in one or more of the FY 2016 IG FISMA reporting metrics The 21 reports demonstrated that the DoD continues to struggle with ensuring that all aspects of its information security program are adequately implemented For example implementing secure information systems on major weapons systems throughout their lifecycle requires effective and continuous software assurance testing Inadequate software assurance testing on major weapons systems could be devastating to mission operations In addition although Homeland Security FOR OFFICIAL USE ONLY DODIG-2017-034 │ 17 FOR OFFICIAL USE ONLY Results Presidential Directive 12 was issued in 2004 one audit report indicated that DoD Components are still not fully complying with the Directive The report identified the lack of compliance leaves national security and Privacy Act information vulnerable to compromise and places soldiers family members civilians and critical infrastructures at greater risk of an adverse incident occurring The DoD audit community and the GAO attributed their findings to the lack of clear guidance and noncompliance with Federal and DoD guidance and identified recommended actions to correct the cybersecurity weaknesses and improve DoD cybersecurity However some of the recommendations are similar to recommendations cited in prior Cybersecurity Weaknesses Summary Reports Therefore not only must DoD Components take action in response to the report recommendations the Components must also maintain the actions taken to decrease the risk of repeat findings Correcting cybersecurity weaknesses and maintaining adequate cybersecurity is critical as the DoD has become increasingly reliant on cyberspace to enable its military intelligence and business operations to perform the full spectrum of military operations Since 2013 the Director of National Intelligence has identified cyber threats as the top strategic global threat facing the United States In addition the GAO has identified cybersecurity of Federal information systems and networks as a high-risk area because all sectors of the Government—energy transportation systems communications financial services and defense of the homeland—are dependent on information systems and electronic data to perform operations and to process maintain and report essential information FOR OFFICIAL USE ONLY 18 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Appendixes Appendix A Scope and Methodology We conducted this summary work from May 2016 through November 2016 We followed generally accepted government auditing standards except for the standards of planning and evidence because the report summarizes previously released reports This summary report supports the DoD OIG response to the requirements of Public Law 113‑283 section 3555 “Federal Information Security Modernization Act of 2014 ” December 18 2014 This report summarizes the DoD cybersecurity weaknesses identified in 21 unclassified reports that the DoD audit community and the GAO issued from August 1 2015 through July 31 2016 To prepare this summary we reviewed the websites of the GAO and each DoD Component audit organization and requested reports discussing cybersecurity weaknesses We did not review the supporting documentation for any of the reports This summary report does not contain recommendations because the summarized reports contained recommendations related to the cybersecurity weaknesses identified Use of Computer-Processed Data We did not use computer-processed data to perform this audit Prior Coverage During the last 5 years the DoD OIG issued five reports summarizing cybersecurity weaknesses identified in 150 audit reports and testimonies issued by the DoD audit community and the GAO Unrestricted DoD OIG reports can be accessed at http www dodig mil pubs index cfm The following reports are For Official Use Only  FOUO and can be obtained through the Freedom of Information Act Requestor Service website at https www dodig mil foia submitfoia html DoD OIG Report No  DODIG‑2015‑180 “DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued From August 1 2014 Through July 31 2015 ” September 25 2015 Report is FOUO Report No  DODIG‑2014‑126 “DoD Cybersecurity Weaknesses as Reported in Audit Reports Issued From August 1 2013 Through July 31 2014 ” September 26 2014 Report is FOUO FOR OFFICIAL USE ONLY DODIG-2017-034 │ 19 FOR OFFICIAL USE ONLY Appendixes Report No  DODIG‑2013‑141 “DoD Information Assurance Weakness as Reported by Audit Reports Issued From August 1 2012 Through July 31 2013 ” September 30  2013 Report is FOUO Report No  DODIG‑2012‑145 “DoD Information Assurance Weaknesses as Reported by Audit Reports Issued From August 1 2011 Through July 31 2012 ” September 27 2012 Report is FOUO Report No  D‑2011‑114 “Summary of Information Assurance Weaknesses as Reported by Audit Reports Issued From August 1 2010 Through July 31 2011 ” September 30 2011 FOR OFFICIAL USE ONLY 20 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Appendixes Appendix B Matrix of Cybersecurity Weaknesses Reported From August 1 2015 Through July 31 2016 Security and Privacy Training Risk Management Information Security Continuous Monitoring Incident Response Identity and Access Management Contractor Systems Contingency Planning Agency Report No Configuration Management FY 2016 IG FISMA Metrics Government Accountability Office GAO-16-332 X GAO-16-325 X GAO-16-79 X X DoD Inspector General DODIG-2016-089 X DODIG-2016-082 X DODIG-2016-068 X X DODIG-2016-054 DODIG-2016-038 X X X Army Audit Agency A-2016-0116-IET A-2016-0088-IET X X A-2016-0062-IET A-2016-0043-IEP X A-2016-0011-IET A-2016-0001-IEP X X X X X X Naval Audit Service N2016-0038 X N2016-0035 N2016-0013 X X X X FOR OFFICIAL USE ONLY DODIG-2017-034 │ 21 FOR OFFICIAL USE ONLY Appendixes Matrix of Cybersecurity Weaknesses Reported From August 1 2015 Through July 31 2016 cont’d Security and Privacy Training Risk Management Information Security Continuous Monitoring Incident Response Identity and Access Management Contractor Systems Contingency Planning Agency Report No Configuration Management FY 2016 IG FISMA Metrics Air Force Audit Agency F2016-0001-O10000 X X F2016-0002-O10000 X X F2015-0007-O40000 X X X X X F2015-0011-O10000 Total X 3 3 4 5 2 0 13 5 Note Totals do not equal the number of reports and testimonies identified because one report may cover several IG FISMA metrics FOR OFFICIAL USE ONLY 22 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Appendixes Appendix C Audit Reports Issued From August 1 2015 Through July 31 2016 Unrestricted GAO reports can be accessed at http www gao gov Unrestricted Army Audit Agency reports can be accessed at https www aaa army mil Naval Audit Service reports and Air Force Audit Agency reports are unavailable over the Internet Unrestricted DoD OIG reports can be accessed at http www dodig mil pubs index cfm GAO Report No  GAO‑16-332 “Civil Support DoD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities During Cyber Incidents ” April 2016 Report No  GAO‑16-325 “Cloud Computing Agencies Need to Incorporate Key Practices to Ensure Effective Performance ” April 2016 Report No  GAO‑16-79 “Critical Infrastructure Protection Sector-Specific Agencies Need to Better Measure Cybersecurity Progress ” November 2015 DoD OIG Report No DODIG-2016-089 “Followup Audit Audit Recommendations From Report No DODIG-2013-109 Were Not Fully Implemented but Controls Were in Place to Prevent Unauthorized Access to Robert C Byrd and Greenup Locks and Dams ” May 10 2016 Report is FOUO Report No  DODIG‑2016-082 “DoD Needs to Require Performance of Software Assurance Countermeasures During Major Weapon System Acquisitions ” April 29  2016 Report is FOUO Report No  DODIG‑2016-068 “DoD’s Efforts to Consolidate Data Centers Need Improvement ” March 29 2016 Report No  DODIG‑2016-054 “Navy Controls for Invoice Receipt Acceptance and Property Transfer System Need Improvement ” February 25 2016 Report No  DODIG‑2016-038 “DoD Needs an Effective Process to Identify Cloud Computing Service Contracts ” December 28 2015 FOR OFFICIAL USE ONLY DODIG-2017-034 │ 23 FOR OFFICIAL USE ONLY Appendixes Army Audit Agency Report No  A‑2016-0116-IET “Audit of the Defense Research and Engineering Network Security ” July 27 2016 Report is FOUO Report No  A‑2016-0088-IET “Followup Audit of Elevated Privileges ” May 3 2016 Report No  A‑2016-0062-IET “Data Reliability in the Army Portfolio Management Solution ” March 22 2016 Report No  A‑2016-0043-IEP “Army Tier 2 and Tier 3 Critical Infrastructure Risk Management Program ” February 25 2016 Report is FOUO Report No  A‑2016-0011-IET “Audit of Nontactical Mobile Applications ” December 1 2015 Report No  A‑2016-0001-IEP “Uncleared Contractor Credentialing and Installation Access Controls ” October 16 2015 Report is FOUO Naval Audit Service Report No  N2016-0038 “Approval of Marine Corps Travel Vouchers in the Defense Travel System ” June 30 2016 Report is FOUO Report No  N2016-0035 “Defense Travel System Approving Officials’ Approval of Travel Vouchers at Norfolk Naval Shipyard ” June 2 2016 Report is FOUO Report No  N2016-0013 “Managing Personally Identifiable Information at Naval Medical Center Portsmouth and Naval Hospital Jacksonville ” December 29 2015 Report is FOUO Air Force Audit Agency Report No  F2016-0001-O10000 “Project Management Resource Tools-General Controls ” March 30 2016 Report No F2016-0002-O10000 “Purchase Request Process System – Application Controls ” March 30 2016 Report No F2015-0007-O40000 “Selected Aspects of Air Force Reserve Command Cyberspace Career Field Management ” September 4 2015 Report is FOUO Report No  F2015-0011-O10000 “Command and Control Platform Information Technology Security ” September 4 2015 FOR OFFICIAL USE ONLY 24 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Appendixes Appendix D Audit Reports From Prior Cybersecurity Summary Reports With Unresolved Recommendations As of August 1 2015 previously identified audit reports contained 166 unresolved cybersecurity‑related recommendations During the reporting period of August 1  2015 through July 31 2016 management resolved 28 recommendations leaving 138 unresolved cybersecurity‑related recommendations These 138 unresolved recommendations are contained in the 59 audit reports listed in this Appendix The list of reports with unresolved recommendations was compiled based on information the DoD audit community and the GAO provided in August 2016 and may be incomplete because of the extent of information maintained in their respective followup systems Unrestricted GAO reports can be accessed at http www gao gov Unrestricted Army Audit Agency reports can be accessed at https www aaa army mil Naval Audit Service reports and Air Force Audit Agency reports are unavailable over the Internet Unrestricted DoD OIG reports can be accessed at http www dodig mil pubs index cfm GAO Report No GAO-15-544 “Insider Threats DoD Should Strengthen Management and Guidance to Protect Classified Information and Systems ” June 2015 Report No  GAO‑14‑404SU “Defense Cybersecurity DoD Needs to Better Plan for Continuity of Operations in a Degraded Cyber Environment and Provide Increased Oversight ” April 2014 Report is FOUO Report No  GAO‑14‑182 “Defense Logistics Actions Needed to Improve Department‑Wide Management of Conventional Ammunition Inventory ” March 2014 Report No  GAO‑12‑992 “VA and DoD Health Care Department‑Level Actions Needed to Assess Collaboration Performance Address Barriers and Identify Opportunities ” September 2012 Report No  GAO‑11‑421 “Defense Department Cyber Efforts More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities ” May 2011 FOR OFFICIAL USE ONLY DODIG-2017-034 │ 25 FOR OFFICIAL USE ONLY Appendixes DoD OIG Report No  DODIG‑2015‑102 “Additional Actions Needed to Effectively Reconcile Navy’s Fund Balance With Treasury Account ” April 3 2015 Report No  DODIG‑2015‑045 “DoD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process ” December 4 2014 Report No  DODIG‑2015‑044 “DoD Needs to Reinitiate Migration to Internet Protocol Version 6 ” December 1 2014 Report is FOUO Report No  DODIG‑2015‑008 “Followup Audit Enterprise Blood Management System Not Ready for Full Deployment ” October 23 2014 Report No  DODIG‑2014‑066 “Logistic Modernization Program System Not Configured to Support Statement of Budgetary Resources ” May 5 2014 Report No  DODIG‑2014‑037 “Systemic Weaknesses Leave Civil Works Infrastructure Vulnerable to Physical and Cyber Attacks ” February 10 2014 Report is FOUO Report No  DODIG‑2013‑142 “DoD Evaluation of Over‑Classification of National Security Information ” September 30 2013 Report No  DODIG‑2013‑134 “Navy Commercial Access Control System Did Not Effectively Mitigate Access Control Risks ” September 16 2013 Report is FOUO Report No  DODIG‑2013‑130 “Army Needs to Improve Controls and Audit Trails for the General Fund Enterprise Business System Acquire‑to‑Retire Business Process ” September 13 2013 Report No  DODIG‑2013‑072 “Data Loss Prevention Strategy Needed for the Case Adjudication Tracking System ” April 24 2013 Report is FOUO Report No  DODIG‑2013‑036 “Improvements are Needed to Strengthen Security Posture of USACE Civil Works Critical Infrastructure and Industrial Control Systems in the Northwestern Division ” January 14 2013 Report is FOUO Report No  DODIG‑2012‑122 “DoD Should Procure Compliant Physical Access Control Systems to Reduce the Risk of Unauthorized Access ” August 29 2012 Report is FOUO Report No  D‑2012‑090 “Improvements Needed to Strengthen the Defense Enrollment Eligibility Reporting System Security Posture ” May 22 2012 Report is FOUO Report No  D‑2012‑050 “Improvements Needed With Host‑Based Intrusion Detection Systems ” February 3 2012 Report is FOUO FOR OFFICIAL USE ONLY 26 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Appendixes Army Audit Agency Report No  A‑2013‑0130‑FMR “Miscellaneous Pay Process General Fund Enterprise Business System ” July 31 2013 Naval Audit Service Report No N2015-0027 “Followup on Naval Audit Service Report N2012‑0009 “Personally Identifiable Information and Department of the Navy Data on Unencrypted Computer Hard Drives Released from Department of the Navy Control ” July 23 2015 Report is FOUO Report No N2015-0026 “Management Controls of Navy Corporate Data ” July 16  2015 FOUO Report No  N2014‑0029 “Internal Controls for Overtime Benefits Received at Norfolk Naval Shipyard and Portsmouth Naval Shipyard ” July 1 2014 Report is FOUO Report No  N2014‑0022 “Fleet Gapped Critical Billets ” May 20 2014 Report is FOUO Report No  N2014-0021 “Cyberspace Information Technology Skill Sets for Active Duty Military Personnel at Selected Navy Commands ” May 19 2014 Report is FOUO Report No  N2013‑0050 “Long‑Term Temporary Duty Orders for Marine Corps Reserves Performing Duty within the Continental United States and Hawaii ” September 30 2013 Report is FOUO Report No  N2012‑0070 “Navy Compliance with Department of Defense Information Assurance Certification and Accreditation Process ” September 28 2012 Report is FOUO Report No  N2011‑0046 “Followup of Management of Personally Identifiable Information at Marine Corps Recruiting Command ” July 29 2011 Report is FOUO Report No  N2008‑0023 “Information Security within the Marine Corps ” February 20 2008 FOR OFFICIAL USE ONLY DODIG-2017-034 │ 27 FOR OFFICIAL USE ONLY Appendixes Air Force Audit Agency Report No F2015-0010-O10000 “Depot Maintenance and Production System-Time and Attendance Application Controls ” April 2 2015 Report No F2015-0009-O10000 “Stock Control System Application Controls ” April 2 2015 Report No F2015-0008-O10000 “Military Personnel Data System Application Controls ” March 10 2015 Report No F2015-0007-O10000 “Standard Procurement System Application Controls ” March 10 2015 Report No F2015-0006-O10000 “Commanders Resource Integration System Application Controls ” March 10 2015 Report No F2015-0005-O10000 “Contract Writing System Application Controls ” March 10 2015 Report No F2015-0004-O10000 “Automated Contract Preparation System Application Controls ” March 10 2015 Report No F2015-0001-O1000 “Cargo Movement Operations System Application Controls ” December 15 2014 Report No  F2014‑0004‑O10000 “Memorandum Report of Audit F2014‑0004‑O10000 Automated Contract Preparation System General and Application‑Level General Controls ” November 1 2013 Report No  F2014‑0003‑O10000 “Memorandum Report of Audit F2014‑0003‑O10000 Integrated Logistics System‑Supply Application Controls ” November 1 2013 Report No  F2014‑0005‑O10000 “Standard Procurement System General and Selected Application Controls ” December 3 2013 Report No  F2013‑00016‑O40000 “Memorandum Report of Audit F2013‑0016‑O40000 Reserve Travel System – Phase 1 General and Selected Application Controls ” September 5 2013 Report No F2013-0005-O10000 “Enterprise Information Protection Capability ” October 26 2012 Report No  F2013‑0003‑L20000 “Serialized Parts Configuration Management ” April 1 2013 Report No  F2013-0011-O10000 “Memorandum Report of Audit F2013‑0011‑O10000 Integrated Missile Database System Application Controls ” January 15 2013 FOR OFFICIAL USE ONLY 28 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Appendixes Report No  F2013‑0009‑O10000 “Memorandum Report of Audit F2013‑0009‑O10000 Reliability Availability Maintainability Support System for Electronic Combat Pods‑Application Controls ” January 3 2013 Report No  F2013‑0007‑O10000 “Memorandum Report of Audit F2013‑0007‑O10000 Financial Inventory Accounting and Billing System Application Controls ” November 20 2012 Report No  F2013‑0003‑O10000 “Memorandum Report of Audit F2013‑0003‑O10000 Reliability and Maintainability Information System Application Controls ” October 22  2012 Report No  F2012‑0009‑FB2000 “Memorandum Report of Audit F2012‑0009‑FB2000 Automated Funds Management General Controls ” June 26 2012 Report No  F2012‑0006‑FB2000 “Memorandum Report of Audit F2012‑0006‑FB2000 Positive Inventory Control Fusion - Application Controls ” April 12 2012 Report No  F2012‑0005‑FB2000 “Memorandum Report of Audit F2012‑0005‑FB2000 Automated Funds Management Application Controls ” April 4 2012 Report No  F2012‑0003‑FB4000 “System Vulnerability Detection and Mitigation ” February 16 2012 Report No  F2012‑0003‑FB2000 “Defense Enterprise Accounting and Management System Selected System Controls ” January 17 2012 Report No  F2012‑0002‑FB4000 “Air National Guard Information Systems Security ” January 11 2012 Report No  F2011‑0004‑FB4000 “Computer Network Incident Response and Reporting ” April 20 2011 Report No  F2010‑0009‑FB2000 “Implementation of Chief Financial Officer Compliance Tracking for Financial Systems ” July 28 2010 Report No  F2010‑0005‑FB4000 “Publicly Accessible Air Force Web Sites ” May 14  2010 Report No  F2009‑0007‑FD4000 “Personnel Security Clearances ” May 8 2009 Report No  F2009‑0004‑FB2000 “Defense Enterprise Accounting and Management System Controls ” February 20 2009 Report No  F2006‑0006‑FB2000 “Controls for the Wholesale and Retail Receiving and Shipping System ” May 19 2006 FOR OFFICIAL USE ONLY DODIG-2017-034 │ 29 FOR OFFICIAL USE ONLY Glossary Glossary Configuration Management the management of security features and assurances through control of changes made to hardware software firmware documentation test test fixtures and test documentation throughout the life cycle of an information system Contingency Planning the process of preparing for emergency response backup operations and post-disaster recovery of an information system to ensure the availability of critical resources and to facilitate the continuity of operations in an emergency Contractor Systems agency systems operated on the agency’s behalf by contractors or other entities including agency systems and services residing in a cloud external to the agency Identity and Access Management the processes technologies and policies for managing digital identities and controlling how identities can be used to access resources Incident Response the mitigation of violations of security policies and recommended practices also referred to as incident handling Information Security Continuous Monitoring maintaining ongoing awareness of information security vulnerabilities and threats to support organizational risk management decisions Risk Management the process of managing threats to organizational operations including mission functions image and reputation organizational assets individuals other organization and the Nation resulting from information system operations and includes • the performance of a risk assessment • the implementation of a risk mitigation strategy • employment of techniques and procedures for the continuous monitoring of the information system’s security state and • documenting of the overall risk management program Security and Privacy Training formal activities products and services intended to create or enhance the security knowledge or skills of persons or raise their level of performance motivation or operations FOR OFFICIAL USE ONLY 30 │ DODIG-2017-034 FOR OFFICIAL USE ONLY Acronyms and Abbreviations Acronyms and Abbreviations AFRC ALTESS APMS CAC CIRM FISMA GAO IT NHJAX NIST NMCP PHI PII PMRT PPP PRPS SMADS TCA USD AT L Air Force Reserve Command Acquisition Logistics and Technology Enterprise Systems and Services Army Portfolio Management Solution Common Access Card Critical Infrastructure Risk Management Federal Information Security Modernization Act Government Accountability Office Information Technology Naval Hospital Jacksonville National Institute of Standards and Technology Naval Medical Center Portsmouth Protected Health Information Personally Identifiable Information Project Management Resource Tools Program Protection Plan Purchase Request Process System Strategic Mission Assurance Data System Task Critical Asset Under Secretary of Defense for Acquisition Technology and Logistics FOR OFFICIAL USE ONLY DODIG-2017-034 │ 31 FOR OFFICIAL USE ONLY Whistleblower Protection U S Department of Defense The Whistleblower Protection Ombudsman’s role is to educate agency employees about prohibitions on retaliation and employees’ rights and remedies available for reprisal The DoD Hotline Director is the designated ombudsman For more information please visit the Whistleblower webpage at www dodig mil programs whistleblower For more information about DoD IG reports or activities please contact us Congressional Liaison congressional@dodig mil 703 604 8324 Media Contact public affairs@dodig mil 703 604 8324 For Report Notifications www dodig mil pubs email_update cfm Twitter www twitter com DoD_IG DoD Hotline www dodig mil hotline FOR OFFICIAL USE ONLY FOR OFFICIAL USE ONLY D E PA R T M E N T O F D E F E N S E │ I N S P E C T O R G E N E R A L 4800 Mark Center Drive Alexandria VA 22350-1500 www dodig mil Defense Hotline 1 800 424 9098 FOR OFFICIAL USE ONLY