First-Ever Unclassified NSA OIG Report Sheds Light on IT Deficiencies

The National Security Agency’s (NSA) Office of Inspector General (OIG) has for the first time released its semi-annual report to Congress as an unclassified document, and in the process shed light on IT deficiencies at the agency.

The report, released Wednesday and covering the period of October 1, 2017 to March 31, 2018, highlights multiple audits that found numerous issues in the governance of NSA’s IT infrastructure and its subsequent ability to mitigate cybersecurity risk.

While the individual audit documents remain shielded from the public on the classified OIG website, the semi-annual report from NSA Inspector General Robert Storch summarizes their findings and raises some concern over a few different areas of NSA’s IT compliance.

An audit of NSA’s compliance with the Federal Information Security Modernization Act (FISMA) of 2014 found two issues with the effectiveness of NSA’s information security program, including that “NSA had no authoritative system inventory and had not yet implemented the most current Federal security guidance.”

OIG called these two issues “fundamental information technology (IT) deficiencies that limit both OIG’s and NSA’s ability to assess Agency compliance with FISMA IT security requirements.”

A separate audit of NSA’s management and utilization of software licenses found that “process deficiencies” could mean that the agency “may not be able to fully determine its risk for unauthorized use of COTS [commercial off the shelf] software licenses.”

Inappropriate tracking of in-use software licenses also prevented OIG from determining if there were cost redundancies. “In FY2016, the Agency spent nearly $1 billion on COTS software licenses and maintenance; however, due to software data deficiencies, we were unable to accurately determine whether the COTS software licenses were being utilized in a cost-effective manner,” OIG said.

The report also addressed OIG’s audit of NSA’s implementation of the Risk Management Framework, finding multiple issues and issuing six recommendations to correct them. OIG reviewed a random sample of 70 IT systems at NSA “and found that Agency authorization decisions for systems lacked supporting documentation, system controls were insufficient, and RMF roles are improperly staffed.”

The issues could impact NSA’s ability to conduct appropriate risk assessments and security authorizations for its IT systems, OIG concluded.

OIG also said it is conducting an ongoing audit to determine whether NSA’s CIO is being granted the proper authorities through the Clinger-Cohen Act of 1996 and other requirements from the Office of Management and Budget. “The audit will assess processes for IT governance, enterprise architecture, program management, information security, and workforce management to ensure that the CIO is executing his responsibilities in these areas,” OIG said.

Recent