Pentagon taken to task over background check security

The Department of Defense is facing criticism over its handling of background check data.

A report from the Pentagon’s Government Accountability Office (GAO) took the department to task for what it deemed to be inadequate security protections for the system agencies use to perform background checks.

In the report, originally posted by NextGov, the GAO found that the Pentagon's systems suffered from a lack of proper oversight and organization, as well as a failure to keep those systems updated and in compliance with current government standards. As a result, the information gathered during background checks could be vulnerable to access by outside attackers.

“To conduct background investigations, the Department of Defense’s (DOD) Defense Counterintelligence and Security Agency (DCSA) currently uses a combination of recently developed DOD National Background Investigation Services systems and legacy systems formerly owned by the Office of Personnel Management (OPM).

“In considering the cybersecurity risks of these systems, DCSA did not fully address all planning steps of DOD’s risk management framework,” the report states.

Among the issues spotted by investigators were failures to enforce employee training mandates, a lack of proper handling of activity logs, and a lack of privacy control settings for the background check systems the DOD was using.

In other cases, the systems used to perform background checks were found to be operating on dated security policy frameworks that have since been replaced.

As a result, the investigators claim that many of those systems could be prone to attacks that would result in the exposure of personal data for background check subjects.

To remedy the issues, the GAO recommended that the DCSA overhaul its security policy enforcement and training programs, and impose more rigorous controls on its logging practices and on user access to personal data.

“Until DCSA’s CIO establishes an oversight process to ensure the tasks in DOD’s Risk Management Framework’s prepare step are fully addressed, the agency’s leadership will be less able to identify, prioritize, and mitigate privacy and security risks, and important background investigation systems could be underprotected,” the report concluded.

This is not the first time the US government has been taken to task by its own internal investigators for its security shortcomings.

Since the disastrous 2015 OPM data breach, the government has been conducting a series of deep-dive investigations into the security practices of its agencies and, in many cases, those reports have returned damning results.
