While [the Defense Counterintelligence and Security Agency] has taken steps to prepare for managing security risks to [the National Bureau of Investigations Services system] and legacy systems, the agency has not fully addressed key tasks in DOD's Risk Management Framework, largely due to a lack of an oversight process...performing risk assessments at both the organizational and system levels, and allocating security and privacy requirements to the appropriate systems.
After the Office of Personnel Management was hacked in 2015, responsibility for background investigations was shifted to DCSA. The move to the Pentagon was largely seen as a way to improve the cybersecurity of federal workers' personal data and to replace old IT systems...leaving DCSA to rely on a mix of old and new IT.
For example, the agency didn't complete risk assessments across the organization or at the system level. Additionally, DCSA only partially implemented privacy controls, such as developing policies and procedures around access, incident tracking, and necessary security awareness training for the systems GAO evaluated.
The agency lacks an oversight process to help ensure that appropriate privacy controls are fully implemented...Until DCSA establishes such an oversight process and fully implements privacy controls, it unnecessarily increases the risks of disclosure, alteration.