Followup to DODIG-2018-068, “Evaluation of Oversight of Privileged Users Within the Army’s Intelligence Component” DODIG-2019-097

Evaluations

Publicly released: June 25, 2019 (Redacted RIB only)

Objective

We determined whether the U.S. Army Intelligence and Security Command (INSCOM) implemented the recommendations to improve controls over Joint Worldwide Intelligence Communications System (JWICS) privileged users in response to Report No. DODIG-2018-068, “Evaluation of Oversight of Privileged Users Within the Army's Intelligence Component,” January 30, 2018.

Background

The report included two recommendations to address the deficiencies identified during the evaluation. Recommendation 1 was issued to the Commander of U.S. Army Cyber Command to complete and execute the "User Activity Monitoring Program Concept of Operations," and Recommendation 2 was issued to the INSCOM Chief of Staff in four sub-parts. Specifically, we recommended that INSCOM:

a. Complete and execute INSCOM Policy 6-3 to define the authorities, program oversight and governance, and to ensure a cybersecurity audit process is in place prior to the transfer of user activity monitoring responsibilities to U.S. Army Cyber Command;
 

b. Enhance controls and processes to ensure that all records in Army Training and Certification Tracking System (ATCTS) are complete, accurate, and properly reviewed to comply with DoD instructions and Army regulations;
 

c. Review privileged users, enter all missing records into ATCTS, and correct all errors in ATCTS records; and
 

d. Revalidate all privileged users to ensure that access is commensurate with current mission requirements, and promptly revoke privileged access from any user who no longer requires such access.

The Commander of U.S. Army Cyber Command and the INSCOM Chief of Staff agreed to take actions to close the two recommendations in Report No. DODIG-2018-068. We considered Recommendation 1 to U.S. Army Cyber Command resolved, and Recommendations 2.a and 2.b to INSCOM closed prior to initiating this followup.

Finding

We determined that INSCOM’s actions to implement Recommendations 2.c and 2.d did not improve controls over ATCTS records and privileged users.

Recommendations

We recommend that the INSCOM Chief of Staff:

  • Develop a plan for ATCTS managers to conduct quarterly reviews of privileged users as required by DoD and Army guidance.
     
  • Develop tools that capture all information required in training and nomination records, and report accurate information matching the records in ATCTS to verify privileged user compliance with DoD and Army guidance.

Management Comments and Our Response

The INSCOM Chief of Staff agreed with our recommendations. INSCOM distributed “INSCOM ATCTS Tactics, Techniques and Procedures” and examples of each required ATCTS form detailing actions. INSCOM stated that ATCTS managers will perform joint quarterly reviews and daily ATCTS profile management. INSCOM also developed ATCTS training and has scheduled training sessions to ensure that ATCTS managers across the command are aware of their roles, responsibilities, and requirements as ATCTS managers in accordance with established guidance. In addition, INSCOM revised the current privileged user compliance dashboard to accurately reflect ATCTS documentation and quarterly review compliance across the command. The Ground Intelligence Support Activity-Bragg developed an online tool, the pilot for which was planned to commence on June 1, 2019, to standardize the System Authorization Access Request, Acceptable Use Policy and Privileged Access Agreement for the command. The web portal tool will maintain a repository of all INSCOM and non-INSCOM JWICS account documentation in Ground Intelligence Support Activity-Bragg.

Comments from the INSCOM Chief of Staff addressed the specifics of the recommendations; therefore, the recommendations are resolved, but will remain open. We will close the recommendations once we verify that ATCTS managers are conducting quarterly reviews of privileged users as required, that the online web portal is operational, and that the revised dashboard accurately reflects privileged user compliance.