Personnel Vetting: DOD Needs to Enhance Cybersecurity of Background Investigation Systems
Fast Facts
DOD's Defense Counterintelligence and Security Agency conducts background investigation operations for most federal agencies.
It does so through a combination of old IT systems previously owned by the Office of Personnel Management, and the new, not-fully-developed National Background Investigation Services IT system.
However, the agency hasn't fully followed DOD's planning steps for cybersecurity risk management, or fully implemented privacy controls for any of the IT systems involved.
We recommended, among other things, that DOD establish oversight processes to help ensure its IT systems are protected.
Highlights
What GAO Found
To conduct background investigations, the Department of Defense's (DOD) Defense Counterintelligence and Security Agency (DCSA) currently uses a combination of recently developed DOD National Background Investigation Services systems and legacy systems formerly owned by the Office of Personnel Management (OPM). In considering the cybersecurity risks of these systems, DCSA did not fully address all planning steps of DOD's risk management framework (see figure).
Extent to Which Defense Counterintelligence and Security Agency Addressed DOD's Planning-Related Risk Management Steps for Selected Background Investigation Systems as of December 2023 
Note: DOD's implementation-related Risk Management Steps are to (3) establish an implementation approach, (4) assess security controls, (5) authorize the systems, and (6) monitor security controls.
- Prepare the organization and systems: Of the 16 tasks required by this step in DOD's risk management framework, DCSA fully addressed 11, partially addressed two, and did not address three. For example, the agency has not fully defined and prioritized security and privacy requirements, nor has it performed organizational and system-level risk assessments.
- Categorize the systems: DCSA appropriately categorized the six reviewed systems as high impact risks .
- Select security controls: DCSA selected baseline security controls for the six systems but used an outdated version of government-wide guidance as the source for the control selections. Specifically, version five of applicable National Institute for Standards and Technology guidance was issued in 2020. However, DCSA continues to use version four. Among the changes in version five are two new categories of controls on personally identifiable information and supply chain management, raising the number of control categories from 18 to 20.
Regarding privacy, DCSA partially implemented controls on developing policies and procedures, delivering training, defining and reviewing the types of events to log, and assessing controls and risks. The agency lacks an oversight process to help ensure that appropriate privacy controls are fully implemented. Until DCSA establishes such an oversight process and fully implements privacy controls, it unnecessarily increases the risks of disclosure, alteration, or loss of sensitive information on its background investigation systems.
Why GAO Did This Study
In the wake of a 2015 OPM breach that compromised sensitive data on over 22 million federal employees and contractors, DCSA later assumed responsibility for conducting background investigation operations for most executive branch agencies.
House Report 117-118 includes a provision for GAO to evaluate the cybersecurity of DCSA's background investigation systems. GAO assessed the extent to which DCSA (1) planned for cybersecurity controls for selected background investigation systems and (2) implemented privacy controls for these systems.
GAO selected three DCSA systems and three OPM legacy systems critical to background investigation operations. GAO (1) reviewed policies, processes, and documentation for these systems and (2) interviewed agency officials regarding the planning and management of cybersecurity risks and selected privacy controls. GAO also has ongoing work assessing DCSA's implementation of technical controls for background investigation systems. It will be published in a future report with limited distribution.
Recommendations
GAO is making a total of 13 recommendations to DOD on fully implementing risk management planning steps, selecting appropriate security controls using current guidance, fully implementing privacy controls, and establishing oversight processes to help ensure required tasks and controls are implemented. DOD concurred with 12 of 13 recommendations and non-concurred with one. GAO maintains that all recommendations are warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer identifies and documents all stages of the information life cycle for each information type the system processes, stores, or transmits. (Recommendation 1) |
DOD agreed with this recommendation with comment. In its written comments, DCSA acknowledged that the data flow and boundary artifacts for the National Background Investigation Services (NBIS) and legacy systems partially complied with the National Institute of Technology (NIST 800-53) Revision 5 requirements. They stated that the DCSA CIO and Chief Information Security Officer will integrate NBIS and legacy systems into its existing to ensure senior DCSA officials fully implement all recommended tasks to include those for privacy controls. to ensure senior DCSA officials fully implement all recommended tasks to include those for privacy controls. Further, DCSA stated it will audit documentation of NBIS/legacy systems external inventory/application services no later than August 30, 2024.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer fully defines, prioritizes, and documents security and privacy requirements. (Recommendation 2) |
DOD agreed with this recommendation. In fiscal year 2024, DCSA updated the privacy impact assessments (PIA) for the six select systems to address the deficiencies we identified in our original assessment. Specifically, the PIAs identified privacy requirements were applicable and included required signatures. This action helps ensure DCSA completes all requirement definition tasks in the prepare step of the Department of Defense's Risk Management Framework
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer completes an organization-wide risk assessment and documents the results. (Recommendation 3) |
DOD agreed with this recommendation, with comment. In fiscal year 2024, DCSA established a process to provide a monthly status update on DCSA IT systems-including NBIS and legacy systems. The update includes authorization information, status of POA&Ms, progress in the RMF, and FISMA compliance status by system. This action helps ensure DCSA makes an informed determination of risks.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer completes system-level risk assessments and documents the results. (Recommendation 4) |
DOD agreed with this recommendation, with comment. In its written response, DCSA stated it will integrate NBIS/legacy systems into its existing oversight processes, including execution of the Cybersecurity Product Evaluations (CPE) process to perform initial risk assessments no later than October 2024. The CPE process is a structured product vetting effort developed to ensure all products being considered for inclusion in DCSA networks are properly and uniformly analyzed for compliance with DOD and DCSA security regulations.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer allocates security and privacy requirements to the system and to the environment in which the system operates and documents the results. (Recommendation 5) |
DOD agreed with this recommendation, with comment. In its written comments, DCSA stated it would conduct a comprehensive review of NBIS/legacy systems control postures no later than July 2024. Additionally, DCSA noted they have a coordinated a concerted effort to begin the administrative and technical transition of the automated system of record eMASS to accommodate the migration from Revision 4 controls to the Revision 5 control set.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer establishes an oversight process to ensure senior officials complete all tasks in the risk management framework's prepare step. (Recommendation 6) |
DOD agreed with this recommendation, with comment. In its written comments, DCSA stated it would address the remaining incomplete tasks in the risk management framework's prepare step, no later than March 30, 2025.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer updates the selected security control baselines for NBIS and legacy systems to correspond with the current version of NIST Special Publication 800-53 after DOD updates the relevant guidance. (Recommendation 7) |
DOD agreed with this recommendation, with comment. In it written comments, DCSA reiterated its plan to conduct a comprehensive review of NBIS/legacy systems control postures no later than July 2024.
|
| Department of Defense | The Secretary of Defense should ensure DOD's Chief Information Officer updates the department's policies and procedures related to the Risk Management Framework to use the current version of NIST Special Publication 800-53. (Recommendation 8) |
DOD did not agree with this recommendation; however, we continue to believe the recommendation is warranted. DOD issued a memo in October 2023 announcing the department's adoption and transition timeline to NIST Special Publication 800-53 Revision 5. According to the memo, systems that have a current authorization decision should develop a strategy and schedule for the transition that must not exceed the system re-authorization timeline of every three years. The six background investigation systems we selected each received approval or authorization to operate on the DOD network between July 2023 and November 2023. Thus, these six systems will need to establish strategies and schedules within three years of their authorization dates. DOD needs to provide documentation of DCSA's strategy and schedule for implementing these additional controls.
|
| Department of Defense | The Secretary of Defense should direct DCSA's Chief Information Officer to ensure the agency's policies and procedures include key information and are reviewed and updated as required. (Recommendation 9) |
DOD agreed with this recommendation, with comment. In its written comments, DCSA described plans to update its policies and procedures by October 2024.
|
| Department of Defense | The Secretary of Defense should direct DCSA's Chief Information Officer to ensure all security training and certifications for its system users are current. (Recommendation 10) |
DOD agreed with this recommendation, with comment. In its written comments, DCSA described plans to revalidate training compliance for all system users by June 2024.
|
| Department of Defense | The Secretary of Defense should direct DCSA's Chief Information Officer to ensure the agency establishes a rationale for why the selected event types can support incident investigations and defines a frequency for reviewing and updating which types of events are to be logged. (Recommendation 11) |
DOD agreed with this recommendation, with comment. In its written comments, DCSA described plans to implement DCSA's Security Operations Center Integration Strategy in phases ending in September 2024.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure that control assessment plans are documented and that assessments align with these plans. (Recommendation 12) |
DOD agreed with this recommendation, with comment. In its written comments, DCSA described plans to consolidate existing NBIS/legacy systems documentation into a formal Security Assessment Plan by September 2024.
|
| Department of Defense | The Secretary of Defense, in coordination with the DCSA Director, should ensure DCSA's Chief Information Officer establishes an oversight process to ensure senior DCSA officials fully implement the recommended tasks for the required privacy controls. (Recommendation 13) |
DOD agreed with this recommendation, with comment. In fiscal year 2024, DCSA established a process to provide a monthly status update on DCSA IT systems-including NBIS and legacy systems. Additionally, DCSA developed a risk evaluation process to evaluate the overall cybersecurity risk posture, among other things. Lastly, DCSA updated the appointments of personnel assigned to the roles of Information System Owner (ISO). The ISO's primary responsibility is to implement the RMF and execute all RMF activities, among other things. These actions help ensure senior DCSA officials fully implement all recommended tasks to include those for privacy controls.
|