[ISN] IG critical of DOD IT

[InfoSec News]

http://www.fcw.com/article91937-01-11-06-Web

By Frank Tiboni
Jan. 11, 2006 

The Defense Department poorly tracks information technology security 
and investments, causing the department, the Office of Management and 
Budget and Congress to make uninformed IT budget and policy decisions, 
according to DOD inspector general reports.

The military services and DOD agencies are not consistently reporting 
IT systems security data in two main databases. They include the IT 
Registry, which inventories DOD systems and provides their security 
status, and the IT Management Application, which contains DOD IT 
budget information, according to the "Security Status for Systems 
Reported in DOD IT Databases," The IG released the report last month.

"Specifically, 120 of 148 IT systems (81 percent) reported in the 
fiscal year 2006 President's Budget Capital Investment Reports did not 
match to reports on the same systems in the IT Registry, and 87 of 148 
IT Registry reports (59 percent) were not internally consistent 
between the system mission criticality and the mission assurance 
category data elements," the report states. The IG said the military 
services and department agencies also did not submit timely, accurate 
and complete IT certification and compliance statements to DOD's chief 
information officer.

The IG recommended several steps to fix the problem, including using 
automatic data integrity tools in the databases and penalizing 
department CIOs who did not implement controls. The IG asked the DOD 
CIO to respond to the report by Jan. 27.

This was the second report in seven months that is critical of the 
information in DOD databases. The IG criticized the military services 
and department agencies in June 2005 for not adequately reporting IT 
investments to OMB in support of the fiscal 2006 DOD budget.