An Office of Inspector General (OIG) report for the National Security Agency (NSA) found that while the agency has made progress in establishing the full scope of CIO authorities within the agency, the defined authorities and responsibilities of the position remain ambiguous.
The OIG report says the agency needs to do a better job with the CIO position to effectively meet the Clinger-Cohen Act of 1996 (CCA) and Office of Management and Budget (OMB) M-11-29 obligations. Additional action is also needed to “ensure the CIO has the requisite oversight of and decision rights for all Agency IT,” the report says.
The ambiguous role of the NSA CIO is due to a number of factors, the report states, including “dual hatting of authorities, failure to include the CIO role in Agency organization charts, and Agency communications that reinforced the CIO’s authorities primarily for the information security component of CCA and OMB M-11-29.”
OIG has made four recommendations for NSA regarding the CIO position, one of which the agency has already acted on. Agency management has planned actions for the other three recommendations.
In other areas, OIG reported on an audit by the Cybersecurity and Technology Branch to determine if NSA’s Corporate Authorization Service (CASPORT) is secure, resilient, and operationally effective. CASPORT – which provides authorization attributes and access control services to enterprise programs and projects within NSA – has been widely implemented across the agency. OIG made 12 recommendations to assist in the operational integrity of CASPORT, and all of those recommendations have been closed after sufficient action was taken.