Security controls for Department of Defense networks and systems containing Ballistic Missile Defense System (BMDS) technical information on classified networks were not implemented, according to a new report from the DoD Inspector General. The IG visited five of the 104 DoD facilities around the world that manage BMDS technical information and identified numerous internal control weaknesses to networks and systems.
“We determined that officials from the did not consistently implement security controls and processes to protect BMDS technical information,” the IG report states. “The report identified systemic weaknesses at the contractor locations concerning network access, vulnerability management, and the review of system audit logs.”
On April 14, 2016, then-Missile Defense Agency Director Vice Adm. James Syring testified before the House Armed Services Subcommittee on Strategic Forces, expressing concern about the potential threat to systems containing BMDS technical information. Consequently, the fiscal year 2017 National Defense Authorization Act directed the DoD IG to conduct the audit.
The audit found network administrators and data center managers did not:
- Require the use of multi-factor authentication to access BMDS technical information
- Identify and mitigate known network vulnerabilities at three of the five components visited
- Lock server racks
- Protect and monitor classified data stored on removable media
- Encrypt BMDS technical information
- Implement intrusion detection capabilities on classified network