The Government Accountability Office has revealed in a new report that the Defense Counterintelligence and Security Agency, which conducts background investigation operations for federal agencies, has not fully addressed the Department of Defense’s planning steps for cybersecurity risk management.
GAO said Thursday DCSA uses a combination of legacy information technology systems from the Office of Personnel Management and the new National Background Investigation Services systems, but it has not fully implemented privacy controls for the IT systems.
DCSA fully addressed 11 of the 16 tasks required to prepare the organization and its systems as part of DOD’s risk management framework. It partially addressed two and did not address three of the required tasks in this step.
GAO also found that while the agency has selected baseline security controls for its six systems categorized as high-impact, it used an outdated version of the applicable guidance from the National Institute of Standards and Technology as the source for the control selections.
The government watchdog has outlined a set of recommendations for DCSA, including fully implementing risk management planning steps and selecting appropriate security controls using the updated NIST guidance.