The Government Accountability Office (GAO) has called on the Defense Logistics Agency (DLA) to act on its recommendations to address deficiencies in the implementation of risk management steps in order to mitigate cybersecurity risks facing its inventory management systems.
GAO recommended that DLA update its standard operating procedures to require program offices to come up with a system-specific monitoring strategy that is consistent with the Department of Defense’s risk management framework and related National Institute of Standards and Technology (NIST) guidance, according to a report published Monday.
The head of DLA should also implement an approval process for system assessment plans and direct the cybersecurity office to create a process for program offices to evaluate the completeness and consistency of authorization documentation prior to the submission of the plans to the designated official for review.
The congressional watchdog made the recommendations after it found that DLA only partially addressed four of DOD’s six risk management steps for six selected inventory management systems. Those four steps are selecting security controls, assessing security controls, authorizing the system and monitoring security controls.
“Until DLA addresses the identified deficiencies, the agency's management of cyber risks for critical systems will be impeded and potentially pose risks to other DOD systems that could be accessed if DLA's systems are compromised,” the report reads.