A Defense Department Inspector General (IG) report released Dec. 14 said officials are not consistently implementing security controls to protect ballistic missile defense system (BMDS) technical information.
The IG found officials at unspecified agencies “did not consistently implement security controls and processes to protect BMDS technical information.”
The report, Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information, specifically cited managers not doing these security key activities:
- requiring the use of multifactor authentication to access BMDS technical information;
- identifying and mitigating known network vulnerabilities at several visited locations;
- locking server racks;
- protecting and monitoring the type and volume of classified data stored on removable media;
- enforcing the use of encryption for some information;
- implementing intrusion detection capabilities; and
- requiring written justification as a condition to obtain and elevate system access privileges.
The report also found facility security officials failed to consistently implement physical security controls to limit unauthorized access to unnamed facilities that managed this kind of technical information.
The IG underscored that “without well-defined, effectively implemented system security and physical access controls, the MDA and its business partners, [redacted], may disclose critical data that compromise the integrity, confidentiality, and availability of BMDS technical information.”
If the technical details not properly protected in the report are revealed to adversaries, they could circumvent BMDS capabilities.
“The increased threat of long-range missile attacks from U.S. adversaries requires the effective implementation of system security controls to help reduce the number of exploitable weaknesses that malicious actors could use to exfiltrate classified and unclassified technical information,” the report said.
The IG said these weaknesses existed because officials did not consistently verify the effectiveness of implemented security controls or assess the impact of missing security controls.
The report recommended the proper DoD entities develop and implement a plan to correct the systemic weaknesses identified at facilities that manage this missile defense technical information.
It specifically recommended DoD enforce the use of multifactor authentication to access systems that process, store, and transmit technical information; develop plans and take steps to mitigate known vulnerabilities; encrypt BMDS information stored on removable media; and assess gaps in physical security and install security cameras to monitor personnel movement in facilities.
It also recommended the Chief Information Officer enforce the use of multifactor authentication to access systems that systems that store, transmit, and process technical BMDS data, implement intrusion detection capabilities on these networks, and implement procedures to secure server racks and control rack keys.
This report was the result of an IG audit conducted from February through October 2018 in accordance with generally accepted government auditing standards. The public report did not name locations the IG team visited, but cites five sites and five internal organizations.