We determined whether DoD Components reported accurate information technology system data in the SECRET Internet Protocol Router Network (SIPRNET) Information Technology Registry (SITR).
DoD guidance states that SITR is the authoritative classified inventory of the DoD’s mission-critical and mission-essential information technology systems. Mission-critical information technology systems are necessary to continue warfighter operations and direct mission support of warfighter operations, while mission-essential information technology systems are basic and necessary to accomplish an organization’s mission. As of March 2017, when we selected our nonstatistical sample, SITR contained information for 199 individual information technology systems across 13 DoD Components.
DoD Components did not report accurate or complete information technology system data in SITR for 31 of 32 information technology systems in our nonstatistical sample. This occurred because the DoD Chief Information Officer (CIO) did not have a process to notify information technology system users of inaccurate SITR data, require SITR training, or hold Component CIOs accountable for ensuring the accuracy and completeness of the data in SITR. As a result, the DoD cannot rely on SITR data for decision making as intended; this affects stovepiped Component databases, the mapping of annual updates of the Business Enterprise Architecture, and resource decisions. In addition, the DoD may not be able to support its statutory compliance reporting, which is designed to improve critical cybersecurity infrastructure.
Additionally, we determined that the DoD maintains similar information technology data in multiple repositories, including SITR, the DoD Information Technology Portfolio Repository (DITPR), the Enterprise Mission Assurance Support Service (eMASS), Xacta, and Archer. The eMASS, Xacta, and Archer repositories are cybersecurity management tools that are used to maintain the Risk Management Framework documentation needed to authorize information technology systems to operate on DoD networks.
Although the DoD uses the repositories to meet different requirements, the DoD has an opportunity for cost savings and efficiencies if it identifies a single enterprise solution to maintain Risk Management Framework documentation that can also be used to respond to statutory requirements such as those in the Federal Information Security Modernization Act.
As of September 2017, DoD Components had spent approximately $10 million for Xacta and Archer, systems that duplicate eMASS functionality. On March 26, 2018, the Secretary of Defense issued a memorandum, “Be Peerless Stewards of Taxpayers’ Dollars,” which requested a commitment from all the DoD to exercise financial accountability on every expenditure. Minimizing duplicative information technology repositories in favor of an enterprise Risk Management Framework solution is potentially a step towards meeting that commitment.
We recommend that the DoD CIO:
• establish a process to notify the information technology system users of data inaccuracies in SITR, give deadlines for corrections, and regularly follow up with DoD Components to ensure resolution;
• require SITR training for all SITR and information technology system users to increase awareness of SITR’s purpose, statutory requirements, and the importance of reporting accurate and complete data;
• establish a process that holds DoD Component CIOs accountable for the accuracy and completeness of the information technology system data in SITR;
• conduct a study to determine the most effective process and information technology repository for maintaining and reporting information technology data and eliminate any duplicate processes associated with the information technology repositories;
• require DoD Components to conduct and submit a business case analysis before selecting or renewing the use of a commercial Risk Management Framework accreditation and authorization tool rather than eMASS;
• develop a process to evaluate and approve DoD Components’ business case analysis for the use of a commercial Risk Management Framework accreditation and authorization tool rather than eMASS; and
• require all DoD Components to use eMASS when the DoD develops the capability for eMASS to maintain top secret information technology system data.
Management Actions Taken:
On July 14, 2017, the DoD CIO issued a memorandum that implements a quarterly review process for SITR. The memorandum also states that the DoD CIO will send the Component CIOs a report identifying specific records and fields in SITR that contain questionable data or are missing data. Furthermore, in January 2018 the DoD CIO initiated a training program for all SITR users. Available on the SITR website, the training defines the data that users are required to report in SITR and the importance of reporting accurate and complete data in SITR.
We consider the DoD CIO’s memorandum and the SITR training program to have addressed our recommendations pertaining to reporting complete and accurate data in SITR. Therefore, the recommendations are resolved, but will remain open. We will close the recommendations once we verify that the DoD CIO has reviewed Components’ data in SITR, notified them of any errors, provided milestones for corrections, and finalized a process to hold DoD Component CIOs accountable for the accuracy and completeness of the data in SITR. We will close the SITR training recommendation once we confirm the DoD CIO has required SITR users to take the training.
Management Comments and Our Response:
The Principal Deputy CIO, responding for the DoD CIO, disagreed with the recommendations pertaining to the DoD Components’ use of eMASS and eliminating duplicate processes for maintaining and reporting information technology system data. However, the Principal Deputy stated that the office of the DoD CIO has initiated a reform project to account for and reduce information technology repositories, optimize cost, and improve data efficiency. The Principal Deputy also stated that through the process, a core set of reference management framework tools will be established to support Component and enterprise requirements. Therefore, the recommendation to conduct a study to determine the most effective process and information technology repository for maintaining and reporting information technology data is resolved, and we will close the recommendation once we verify that an effective process has been identified and that duplicate processes have been eliminated.
The Principal Deputy CIO partially addressed the recommendations concerning the DoD Components’ use of business case analysis before selecting a commercial Risk Management Framework tool and did not address the recommendation to require the use of eMASS when it has the capability to maintain top secret information technology system data. Therefore, those recommendations remain unresolved.
This report is a result of Project No. D2017-D000RD-0134.000.