
Logical and Physical Access Controls at Missile …

INTEGRITY EFFICIENCY ACCOUNTABILITY EXCELLENCE

Inspector General
Department of Defense

Logical and Physical Access Controls at Missile Defense Agency Contractor Locations

MARCH 29, 2018
Report No. DODIG-2018-094

Mission

Our mission is to provide independent, relevant, and timely oversight of the Department of Defense that supports the warfighter; promotes accountability, integrity, and efficiency; advises the Secretary of Defense and Congress; and informs the vision is to be a model oversight organization in the Federal Government by leading change, speaking truth, and promoting excellence - a diverse organization, working together as one professional team, recognized as leaders in our

of Defense

Fraud, Waste, & Abuse

For more information about whistleblower protection, please see the inside back (Project No.)


Results in Brief
Logical and Physical Access Controls at Missile Defense Agency Contractor Locations

Objective

We determined whether Missile Defense Agency (MDA) contractors implemented security controls and processes to protect classified and unclassified ballistic missile defense system (BMDS) technical information from internal and external threats. This audit focused on security controls at seven MDA contractor conducted this audit in response to a congressional requirement to audit the controls in place to protect classified and unclassified ballistic missile defense technical information, whether managed by cleared defense contractors or by the Government. This is the first of two audits to determine whether the MDA effectively protects BMDS technical information from unauthorized access and April 14, 2016, the MDA Director provided testimony to the House Armed Services Subcommittee on Strategic Forces expressing concern about the potential threat to systems containing BMDS technical information, especially technical information present on cleared defense contractors' systems.

A cleared defense contractor is a private company that is given clearance by the DoD to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any DoD program. The MDA Director stated that cleared defense contractors may be subject to cyber attacks that allow unauthorized individuals to obtain access to controlled technical 29, 2018

Findings

The seven MDA contractors that we audited did not consistently implement security controls and processes to protect classified and unclassified BMDS technical Specifically, system and network administrators at the seven contractors that managed BMDS technical information on their classified and unclassified networks did not consistently implement system security controls in accordance with Federal and DoD requirements for safeguarding defense information.

Specifically, we identified issues with: the use of multifactor authentication to access networks; password configurations; the assessment of risk to information systems and assets; identifying and mitigating network and system vulnerabilities; overseeing network and boundary protection services provided by a third-party company; transferring controlled technical information to personal electronic devices, such as home computers; restricting the use of removable media; configuring systems to automatically lock; granting system access; and maintaining and reviewing system activity system security controls were ineffective because the MDA did not oversee the contractors' current or planned actions to protect BMDS technical information on classified and unclassified networks and systems before contract award or during the contract period of performance.

If the MDA does not verify and monitor compliance with Defense Federal Acquisition Regulation Supplement (DFARS) and National Industrial Security Program Operating Manual requirements, contractors could inadvertently disclose critical technical details of the DoD's BMDS components to adversaries and allow them to potentially circumvent the BMDS capabilities, leaving the United States vulnerable to deadly missile recommend, among other recommendations, that the MDA Director for Acquisition:

Establish a separate technical evaluation factor in the source selection process to evaluate whether an offeror's approach to securing its networks and systems complied with DFARS clause

Include penalty clauses in awarded contracts to levy monetary sanctions on contractors that fail to implement physical and logical security controls for protecting classified and unclassified BMDS technical information.

1 For this report, we use the term contractor to mean private entities or individual

Provide oversight to ensure that contractors comply with the National Institute of Standards and Technology requirements for protecting controlled unclassified information throughout the lifecycle of the contract.

Management Comments and Our Response

The MDA Director partially agreed with our finding and recommendations, stating that he disagreed that the MDA plays a role in the contractors' inability to effectively protect BMDS technical information. However, the Under Secretary of Defense, Acquisition, Technology, and Logistics issued a memorandum related to the implementation of DFARS clause that states if an agency determines that oversight related to security requirements is necessary, they may add requirements to the terms of the contract. The significant weaknesses identified in this report support the need for the MDA to oversee the contractors' compliance with DFARS clause and National Institute of Standards and Technology requirements to ensure that the BMDS technical information maintained on contractor systems is protected against unauthorized access and disclosure.

Therefore, the MDA Director should provide comments describing how the MDA plans to provide oversight of contractors to ensure compliance with DFARS clause and National Institute of Standards and Technology requirements for protecting BMDS technical the MDA Director agreed with three recommendations, the comments did not address the specifics of the recommendations to: submit system security plans and associated plans of action and milestones to verify compliance with DFARS clause; establish a separate technical evaluation factor in the source selection process; and take corrective actions against contractors that fail to meet Federal and DoD requirements for protecting classified and addition, the MDA Director disagreed with recommendations to: conduct risk assessments; include penalty clauses in awarded contracts; and provide oversight to ensure that the MDA Director did not address the specifics of three recommendations and disagreed with three others, the recommendations are unresolved.

Please see the Recommendations Table on the next

Recommendations Table

Management: Director for Acquisition, Missile Defense Agency
Recommendations Unresolved: 1, 2, 3, 4, 5, 6
Recommendations Resolved: None
Recommendations Closed: None

Please provide Management Comments by April 30, : The following categories are used to describe agency management's comments to individual recommendations.

Unresolved: Management has not agreed to implement the recommendation or has not proposed actions that will address the recommendation.
Resolved: Management agreed to implement the recommendation or has proposed actions that will address the underlying finding that generated the recommendation.
Closed: OIG verified that the agreed upon corrective actions were

March 29, 2018

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY, AND LOGISTICS
DIRECTOR, MISSILE DEFENSE AGENCY

SUBJECT: Logical and Physical Access Controls at Missile Defense Agency Contractor Locations (Report No. DODIG-2018-094)

We are providing this report for your review and comment. We conducted this audit in accordance with generally accepted government auditing Instruction requires that recommendations be resolved promptly. Comments from the MDA Director did not address the recommendations. Therefore, we request additional comments on Recommendations 1, 2, 3, 4, 5, and 6. Please send a PDF file containing your comments to by April 30, 2018. Copies of your comments must have the actual signature of the authorizing official for your organization. We cannot accept the /Signed/ symbol in place of the actual signature. If you arrange to send classified comments electronically, you must send them over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff.

Please direct questions to me at (703) 699-7331 (DSN 499-7331).

Carol N. Gorman
Assistant Inspector General
Cyberspace Operations

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

Contents

Introduction
Objective
Background
Review of Internal Controls

Finding
Contractor Security Controls for Networks and Systems Containing Ballistic Missile Defense System Information Were Not Consistently Implemented
Contractors Did Not Implement Effective System Security Controls to Protect BMDS Technical Did Not Assess Contractors Actions for Protecting Information
Increased Risk of Unauthorized Disclosure of BMDS Classified and Unclassified Technical Comments to the Finding and Our Response
Recommendations, Management Comments, and Our Response

