We determined whether DoD Components implemented security controls and processes at DoD facilities to protect ballistic missile defense system (BMDS) technical information on classified networks from insider and external cyber threats.
We conducted this audit in response to a congressional requirement to audit the controls in place to protect BMDS technical information, whether managed by cleared Defense contractors or by the Government. Cleared contractors are entities granted clearance by the DoD to access, obtain, or store classified information, to bid on contracts, or to conduct activities in support of DoD programs.
We analyzed only classified networks because BMDS technical information was not managed on unclassified networks. The classified networks processed, stored, and transmitted both classified and unclassified BMDS technical information. This is the second of two audits to determine whether the DoD protected BMDS technical information from unauthorized access and disclosure. On March 29, 2018, we issued a report on the effectiveness of logical and physical access controls in place to protect BMDS technical information at Missile Defense Agency (MDA) contractor locations. The report identified systemic weaknesses at the contractor locations concerning network access, vulnerability management, and the review of system audit logs.
On April 14, 2016, the MDA Director provided testimony to the House Armed Services Subcommittee on Strategic Forces expressing concern about the potential threat to systems containing BMDS technical information. Examples of technical information include, but are not limited to, military or space research and engineering data, engineering drawings, algorithms, specifications, technical reports, and source code.
We determined that officials did not consistently implement security controls and processes to protect BMDS technical information. Specifically, network administrators and data center managers did not:
- require the use of multifactor authentication to access BMDS technical information;
- identify and mitigate known network vulnerabilities at three of the five Components visited;
- protect and monitor classified data stored on removable media;
- encrypt the transmission of BMDS technical information;
- implement intrusion detection capabilities on classified networks; and
- require written justification as a condition to obtain and elevate system access for users.
In addition, facility security officers did not consistently implement physical security controls to limit unauthorized access to facilities that managed BMDS technical information.
Security control weaknesses existed because officials did not consistently verify the effectiveness of implemented security controls and assess the impact of missing security controls. Without well-defined, effectively implemented system security and physical access controls, the MDA and its business partners may disclose critical details that compromise the integrity, confidentiality, and availability of BMDS technical information. The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks. Increasing threats of long-range missile attacks from adversaries require the effective implementation of system security controls to help reduce the number of exploitable weaknesses that attackers could use to exfiltrate BMDS technical information.
We recommend the development and implementation of a plan to correct the systemic weaknesses identified in this report at facilities that manage BMDS technical information related to, among other issues:
- using multifactor authentication;
- mitigating vulnerabilities in a timely manner;
- protecting data on removable media; and
- implementing intrusion detection capabilities.
We also recommend, among other actions:
- enforce the use of multifactor authentication to access systems that process, store, and transmit BMDS technical information or obtain a waiver from using multifactor authentication from the DoD Chief Information Officer;
- develop plans and take appropriate and timely steps to mitigate known vulnerabilities;
- encrypt BMDS technical information stored on removable media; and
- assess gaps in physical security coverage and install security cameras to monitor personnel movements throughout facilities.
In addition, we recommend that the Chief Information Officer enforce the use of multifactor authentication to access systems that process, store, and transmit BMDS technical information or obtain a waiver from using multifactor authentication; and implement intrusion detection capabilities on networks that maintain BMDS technical information. Furthermore, we recommend that the Chief Information Officer develop and implement procedures to secure server racks and control server rack keys; and maintain access request forms that include written justification to support the need for access to networks and systems that contain BMDS technical information.
Lastly, we recommend that the Chief Information Officers:
- encrypt BMDS technical information stored on removable media;
- develop and implement a process to identify individuals who are authorized to use removable media as well as procedures to monitor the type and volume of data transferred to and from removable media; and
- assess gaps in security coverage and install security cameras to monitor personnel movements throughout their facilities.
Chief Information Officers did not provide comments on the draft report. Therefore, we request comments on the final report from the Director, Commanding General, Commander, and Chief Information Officers.
This report is a result of Project No. D2018-D000CR-0106.000.