Report | Aug. 15, 2016

DoD's Policies, Procedures, and Practices for Information Security Management of Covered Systems (Redacted) DODIG-2016-123


We summarized DoD’s policies, procedures, and practices related to implementing logical access controls, conducting software inventories, implementing information security management, and monitoring and detecting data exfiltration and other cyber threats. We also assessed whether DoD Components followed logical access control policies, procedures, and practices. The DoD Office of Inspector General prepared this report in response to the requirements of the Cybersecurity Act of 2015, section 406, December 18, 2015.


The DoD has policies, procedures, and practices related to logical access controls, including multifactor authentication;1 software and license inventories; monitoring and threat detection capabilities; and information security requirements for third‑party service providers. In summary:

  • The DoD issued logical access policies, including policies requiring the use of multifactor authentication. In addition, DoD network and system owners issued procedures for implementing logical access controls using the National Institute of Standards and Technology catalog of system and privacy controls. However, the DoD audit community identified instances of DoD Components not following logical access control requirements.
  • The DoD issued policies that require system owners to conduct inventories of software. However, the DoD did not have policy for conducting software license inventories. Officials with the DoD Office of the Chief Information Officer stated that they are establishing an agencywide policy for conducting software license inventories in response to a 2014 recommendation in a Government Accountability Office report. Although DoD did not have an agencywide policy, three DoD Components had policies for conducting inventories for software licenses.
  • The DoD uses nine capabilities for monitoring and detecting threats and data exfiltration. This includes the use of firewalls, host-based security systems, intrusion detection systems, intrusion prevention systems, and network analysis tools. All nine DoD Components reported using capabilities to monitor its networks and systems to detect threats and data exfiltration.
  • The DoD issued policies that require DoD Components to ensure third-party service providers implement information security management practices such as conducting software inventories and deploying threat monitoring and detection capabilities.


In this report, we identify recommendations from previous audits. Therefore, this report contains no new recommendations and is provided for information purposes only.

Management Comments

Because the report does not contain new recommendations, we did not request management comments.

1 Authentication is the process of verifying the identity of a user or verifying the source and integrity of data. The Act defines multifactor authentication as the use of not fewer than two authentication factors, such as:

  • something known to the user, such as a password or personal identification number;
  • an access device provided to the user, such as a cryptographic identification device or token; or
  • a unique biometric characteristic of the user, such as fingerprints or face recognition.