Report No. D-2011-020, November 29, 2010
Inspector General
United States Department of Defense

Controls Over Information Placed on Publicly Accessible Web Sites Require Better Execution
Additional Copies
To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits
To suggest or request audits, contact the Office of the Deputy Inspector General for Auditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:
ODIG-AUD (ATTN: Audit Suggestions)
Department of Defense Inspector General
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704
Acronyms and Abbreviations
AFIS       American Forces Information Service
DEPSECDEF  Deputy Secretary of Defense
FOUO       For Official Use Only
IOSS       Interagency Operations Security Support Staff
JWRAC      Joint Web Risk Assessment Cell
OPSEC      Operations Security
PII        Personally Identifiable Information
INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

November 29, 2010

MEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION/DOD CHIEF INFORMATION OFFICER
ASSISTANT SECRETARY OF DEFENSE FOR PUBLIC AFFAIRS
ASSISTANT SECRETARY OF THE AIR FORCE FOR FINANCIAL MANAGEMENT AND COMPTROLLER

SUBJECT: DOD Controls Over Information Placed on Publicly Accessible Web Sites Require Better Execution (Report No. D-2011-020)

We are providing this report for your review and comment. We considered management comments on a draft of this report when preparing the final report. When sensitive information on DOD publicly accessible Web sites is retrieved by adversaries, it places DOD personnel and missions at risk. We evaluated management of 436 public Web sites for their compliance with mandatory content and approval procedures and training requirements. We determined that DOD Web site administrators are not properly managing their Web sites.

After considering management comments and suggestions on the draft report, we revised Recommendation A.2 to better align with the impending Instruction. We request that the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer provide additional comments on the final report by December 22, 2010. See the Recommendations Table on page ii of this report.

If possible, send a .pdf file containing management comments to audros@dodig.mil. Copies of management comments must have the actual signature of the authorizing official. We are unable to accept the /Signed/ symbol in place of the actual signature. If you arrange to send classified comments electronically, you must send them over the SECRET Internet Protocol Router
Report No. D-2011-020 (Project No. D2009-D000LB-0147.000), November 29, 2010

Results in Brief: DOD Controls Over Information Placed on Publicly Accessible Web Sites Require Better Execution
What We Did
We performed the audit in response to a September 2, 2008, request by the then Deputy Secretary of Defense for the DOD OIG to address concerns that sensitive information continues to be found on DOD public Web sites. We evaluated the management of 436 public Web sites for their compliance with mandatory content and approval procedures and training requirements. We also reviewed 3,211 DOD-identified Web sites for public accessibility.
What We Found
DOD did not execute enforcement actions for noncompliance with Web site policies and procedures, and Components did not fully disseminate required policies and procedures governing publicly accessible Web sites. As a result, sensitive information continues to be posted to DOD public Web sites, putting DOD missions and personnel at risk. We found:
• 43 of 73 DOD organizations failed to respond to the Deputy Secretary of Defense requirement to certify their Web sites;
• Web site administrators for 207 out of 436 public Web sites of DOD Components failed to implement proper content review and approval procedures; and
• 452 of 470 DOD Web site administrators reviewed did not receive the required Web operations security training.

DOD is not maintaining a Department-wide inventory of all its public Web sites as required by law. DOD stopped funding and discontinued its central Web site inventory system in 2006. A total of 791 Web sites identified by DOD in their inventories as publicly accessible were actually password-protected or nonexistent. Furthermore, individual organizations are not maintaining accurate inventories of Web sites and cannot ensure that all information posted on public Web sites has received proper review.
What We Recommend
Among other recommendations, we recommend the Assistant Secretary of Defense for Public Affairs [ASD(PA)] within 120 days develop and maintain a DOD inventory of all publicly accessible Web sites.

We recommend the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer [ASD(NII)/DOD CIO] within 120 days:
• Require heads of DOD Components to certify annually that a documented Web review and approval process has been developed and implemented;
• Require all Web administrators to receive the proper Web operations security training; and
• Require Military Services to maintain an integrated registration system within the DOD's central registration system.
Management Comments and Our Response
Comments from the ASD(NII)/DOD CIO, ASD(PA), Air Force Director of Network Services, and Vice Director, Defense Information Systems Agency (DISA) generally agreed with and responded to our recommendations. However, the ASD(NII)/DOD CIO's comment was only partially responsive to Recommendation A.2. We partially agreed with the ASD(NII)/DOD CIO and revised Recommendation A.2 to better align with the impending Instruction. We request that the ASD(NII)/DOD CIO provide additional comments on Recommendation A.2. We request management provide comments by December 22, 2010. Please see the recommendations table on the back of this page.
Recommendations Table

Management | Recommendations Requiring Comment | No Additional Comments Required
Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer | A.2.a, A.2.b, A.2.c, A.2.d, A.2.e |
Assistant Secretary of Defense for Public Affairs | | B.1
Secretary of the Air Force | | A.5
Director, Joint Web Risk Assessment Cell | | A.4
Finding A. Weaknesses in DOD's Web Site Review and Approval Process
  DOD Organizations' Certification of Publicly Accessible Web Sites Needs Improvement
  Inconsistent Web Site Content Review and Approval Process 5
  Web Site Administrators Lack Web Operations Security Training 8
  Availability of Operations Security Training Courses
  Web Risk Assessment Cell Continues to Find Sensitive Information on DOD Publicly Accessible Web Sites 10
  Management Comments on the Finding and Our Response 11
  Recommendations, Management Comments, and Our Response
Finding B. DOD Lacks a Complete Inventory for Publicly Accessible Web Sites 15
  DOD Did Not Maintain a Central Web Site Inventory of All Publicly Accessible Web Sites
  Inventories of DOD Organizations' Public Web Sites 16
  Recommendations, Management Comments, and Our Response 20
Appendices
  B. Public Web Site Certification Compliance
  C. Interagency Operations Security Support Staff FY 2010 Training Schedule for Courses OPSE-1500 and OPSE-3800
  D. Management Comments on the Finding and Our Response
  E. Criteria for DOD Web Site Inventory 36
  F. Deputy Secretary of Defense Memorandum for Office of the
Management Comments
  Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer 39
  Assistant Secretary of Defense for Public Affairs
  Defense Information Systems Agency (Joint Web Risk Assessment Cell) 47
As a result, the DOD Office of the Inspector General announced an audit of controls over information contained on DOD publicly accessible Web sites. The overall objective was to determine whether DOD Components are in compliance with Web site security policy. Specifically, we determined whether DOD Components have controls and processes in place to ensure review and approval of all information posted to publicly accessible Web sites before posting. We also determined whether personnel responsible for review of information for Web posting have received Web operations security (OPSEC) training. See Appendix A for a discussion of the scope and methodology and prior audit coverage.
Background
DOD publicly accessible Web sites are unrestricted by password or public key infrastructure user authorization and can be accessed directly from the Internet by members of the public. Due to extensive use of Web archiving tools, once information is posted to publicly accessible Web sites, it is captured and distributed throughout the World Wide Web. Preventing the disclosure of sensitive information requires proper review of that information prior to posting.
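The definition above (no password or PKI user authorization required) is also the test behind the inventory finding in the Results in Brief, where sites listed as publicly accessible turned out to be password-protected or nonexistent. The following Python example is added here and is not code from the report or from any DOD inventory system; it classifies constructed probe records of each site's front page into the report's categories and reconciles them against what the inventory claimed. The URLs, the probe fields, the sign-in path markers and the extra "undetermined" bucket are assumptions.

```python
"""Reconcile a Web site inventory's 'publicly accessible' claims with what an
unauthenticated fetch of each site actually observed.  Added example; the
probe records below are constructed, not data from the audit."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Access(Enum):
    PUBLIC = "publicly accessible"          # reachable with no password or PKI credential
    PROTECTED = "password- or PKI-protected"
    NONEXISTENT = "nonexistent"
    UNDETERMINED = "undetermined"           # assumption: a fourth bucket for manual follow-up


@dataclass
class Probe:
    """Constructed record of one unauthenticated request for a site's front page."""
    url: str
    resolved: bool                          # DNS name resolved
    connected: bool = True                  # TCP/TLS session established
    client_cert_requested: bool = False     # server demanded a PKI client certificate
    status: Optional[int] = None            # final HTTP status, None if no response
    headers: Dict[str, str] = field(default_factory=dict)
    final_url: Optional[str] = None         # where a redirect chain ended, if any


LOGIN_MARKERS = ("login", "signin", "logon", "cac")   # assumption: typical sign-in paths


def classify(p: Probe) -> Access:
    """Map one probe to the report's categories: public, protected or nonexistent."""
    if not p.resolved or not p.connected:
        return Access.NONEXISTENT
    if p.client_cert_requested:
        return Access.PROTECTED                     # PKI user authorization
    hdrs = {k.lower() for k in p.headers}
    if p.status in (401, 407) or "www-authenticate" in hdrs:
        return Access.PROTECTED                     # HTTP authentication challenge
    if p.final_url and any(m in p.final_url.lower() for m in LOGIN_MARKERS):
        return Access.PROTECTED                     # bounced to a sign-in page
    if p.status in (404, 410):
        return Access.NONEXISTENT
    if p.status is not None and 200 <= p.status < 400:
        return Access.PUBLIC
    # 403, 5xx or no status: the host answers but the evidence is ambiguous,
    # so do not guess in either direction; hold the entry for manual review.
    return Access.UNDETERMINED


def reconcile(inventory: Dict[str, str], probes: List[Probe]) -> dict:
    """Count observed categories and list entries whose 'public' claim did not hold."""
    by_url = {p.url: p for p in probes}
    counts = {a.value: 0 for a in Access}
    mismatches = []
    for url, claimed in inventory.items():
        probe = by_url.get(url)
        observed = classify(probe) if probe else Access.UNDETERMINED
        counts[observed.value] += 1
        if claimed == "public" and observed is not Access.PUBLIC:
            mismatches.append((url, observed.value))
    return {"counts": counts, "mismatches": mismatches}


# Constructed sample: an inventory that lists every site as public, and probes
# showing what an unauthenticated visitor actually saw.
INVENTORY = {f"https://site-{c}.example/": "public" for c in "abcdef"}
PROBES = [
    Probe("https://site-a.example/", resolved=True, status=200),
    Probe("https://site-b.example/", resolved=True, status=401,
          headers={"WWW-Authenticate": 'Basic realm="intranet"'}),
    Probe("https://site-c.example/", resolved=False),
    Probe("https://site-d.example/", resolved=True, client_cert_requested=True),
    Probe("https://site-e.example/", resolved=True, status=200,
          final_url="https://site-e.example/login"),
    Probe("https://site-f.example/", resolved=True, status=503),
]

if __name__ == "__main__":
    report = reconcile(INVENTORY, PROBES)
    print(report["counts"])
    for url, observed in report["mismatches"]:
        print(f"listed as public, observed {observed}: {url}")
```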
On January 14, 2003, the then Secretary of Defense issued a memorandum to DOD Components concerning discrepancies in Web site OPSEC. The memorandum directed heads of DOD Components to ensure Web site owners take responsibility for all content posted to their organizations' Web sites. It directed Web site owners to redouble their efforts to ensure that only the information necessary to accomplish their missions be posted to publicly accessible Web sites. This is especially critical in light of the Al Qaeda training manual recovered in Afghanistan that, when translated, states, "Using public sources openly and without resorting to illegal means, it is possible to gather at least 80 percent of information about the enemy."
Joint Web Risk Assessment Cell
The Joint Web Risk Assessment Cell (JWRAC), a DEPSECDEF-chartered cell within the Defense Information Systems Agency, is responsible for conducting OPSEC assessments and trend analyses of content and data on DOD publicly accessible Web sites. JWRAC reviews Web sites for compliance with existing DOD Web policy and directs remediation action to bring Web sites into compliance. The JWRAC performs analyses of the data to determine any existing OPSEC risks that may pose an immediate or potential threat to warfighters. According to officials, JWRAC conducts analyses of organization Web sites on an annual schedule and by request from DOD organizations.
Review of Internal Controls
We determined that internal control weaknesses existed in DOD as defined by DOD Instruction 5010.40, "Managers' Internal Control (MIC) Program Procedures," January 4, 2006. DOD Components lacked processes for ensuring:
• administrators of DOD public Web sites implement proper content review procedures;
• administrators of public Web sites receive the required Web OPSEC training; and
• an accurate inventory of DOD publicly accessible Web sites as required by public law, the Office of Management and Budget, and DOD policy.

Therefore, DOD does not have reasonable assurance that all DOD Components are implementing controls for the review and approval of content prior to posting to DOD publicly accessible Web sites. Also, DOD did not ensure Components were preventing the posting of sensitive and/or Personally Identifiable Information (PII) on DOD publicly accessible Web sites. Implementing the recommendations in this report will correct DOD organizations' failure to properly review and approve information placed on publicly accessible Web sites and correct the site registration deficiencies for DOD Services, agencies, and combatant commands. We will provide a copy of the report to the senior officials responsible for internal controls at the Army, Navy, Air Force, Marine Corps, and DOD agencies and other offices listed in Appendix A.
Finding A. Weaknesses in DOD's Web Site Review and Approval Process
Many DOD organizations did not comply with DOD Web site policy and procedures for publicly accessible Web site content review and approval. Specifically:
• Of 73 DOD organizations identified, 43 (59 percent) did not certify, as required, that they have mandatory content review and approval procedures in place for information posted to publicly accessible Web sites.
• Of 436 publicly accessible Web sites reviewed, 207 (47 percent) did not have documented review and approval procedures, or existing procedures did not fully comply with requirements.
• Of 470 Web site administrators reviewed, 452 did not receive the required OPSEC training.

DOD's JWRAC has identified For Official Use Only (FOUO) information, PII, and limited-distribution information posted on DOD publicly accessible Web sites. Improper postings increase the risk of potentially harmful disclosure of information related to DOD personnel and missions.
Criteria for Web Site Administration
DOD's "Web Site Administration Policies and Procedures," November 25, 1998, updated January 11, 2002 (Web site administrative guidance), prescribes the process for content review and approval of information to be placed on DOD publicly accessible Web sites. This guidance requires heads of DOD Components and other organizations to establish a content review and approval process for all information prior to posting on publicly accessible Web sites.

DEPSECDEF Memorandum, "DOD Web Site Security Policy Compliance," September 25, 2008, states that DOD organizations must ensure information placed on DOD publicly accessible Web sites is compliant with the DOD Web site administrative guidance. Additionally, personnel trained in Web OPSEC must review information placed on DOD publicly accessible Web sites for security concerns. The DEPSECDEF Memorandum also requires DOD organizations to either certify an established process for content review and approval or submit a plan of actions and milestones for implementing a content review and approval process, and to certify that individuals involved in the process have received Web OPSEC training. On August 6, 2006, the Vice Chairman of the Joint Chiefs and the DEPSECDEF issued a joint message, "Information Security/Web Sites Alert," that required all command OPSEC managers, webmasters, and public affairs specialists who review information for Web posting to receive Web OPSEC training.

The Under Secretary of Defense for Intelligence is responsible for overseeing the DOD OPSEC program. OPSEC reviews are central to identifying and safeguarding critical information. Therefore, critical information available on publicly accessible Web sites is an OPSEC concern. Duties of OPSEC managers are consistent with Web site administrator responsibilities, which include identifying and protecting unclassified information that may individually or in the aggregate lead to compromise of classified information and sensitive activities.
DOD Organizations' Certification of Publicly Accessible Web Sites Needs Improvement
The September 25, 2008, DEPSECDEF Memorandum required DOD organizations to certify the implementation of public Web site content review and approval procedures or provide a plan of actions and milestones. We identified 73 DOD organizations that operate DOD publicly accessible Web sites. Of the 73 organizations, 41 failed to certify or submit a plan of actions and milestones as required by the DEPSECDEF Memorandum. Of the 32 organizations that submitted a response, 10 submitted on or before the revised January 20, 2009, due date and 22 submitted later. Nine of 22 DOD organizations submitted Web site certifications or provided a plan of actions and milestones after being contacted by the audit team. See Figure 1 below.

Eleven of the 32 DOD organizations submitted responses that did not contain all the required information. Some heads of DOD Components failed to certify review and approval procedures and training for their subordinate organizations; other heads of DOD Components failed to specify to which subordinate organizations (agencies and organizations) the certification pertained. The remaining 21 organizations submitted responses that included all the required information for review and approval, training, and plan of actions and milestones when necessary.

Personnel from the Office of the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer stated their intention is to revise the DOD Web site administrative guidance and reissue it as a DOD instruction to clarify and provide more detailed procedures for Web site review and approval. On November 9, 2008, they provided a draft copy of the revision to the audit team. The draft contains necessary Internet-based controls that should assist with preventing dissemination of inappropriate information over DOD Web-based applications.
Inconsistent Web Site Content Review and Approval Process
DOD Web site administrative guidance and the DEPSECDEF Memorandum sent to all DOD Components (see Figure 2) require organizations to maintain consistent processes ensuring the review and approval of all information posted to publicly accessible Web sites. Although several organizations established local policies incorporating DOD Web site administrative guidance and the DEPSECDEF Memorandum, they did not effectively enforce compliance with the policies.

Figure 2. DOD Organizations' Compliance With Content Review and Approval Policy
Army Site Visit Results
We interviewed 148 Army Web administrators responsible for managing 269 Army public Web sites and determined that Army Medical Command public Web site managers complied with DOD Web site administrative guidance for the 185 public Web sites they managed. Conversely, Web site managers for 84 other Army public Web sites were noncompliant. Specifically, managers for 50 of the 84 Web sites lacked documented review and approval procedures. Managers for the remaining 34 Web sites had content review and approval procedures, but the procedures were inconsistent with the DOD policy and failed to fully address:
• review of sensitive information, to include data labeled FOUO;
• review of information in the aggregate; and
• review of PII for members of deployable units.

Army Regulation 25-1, "Army Knowledge Management and Information Technology," December 4, 2008, requires public affairs offices and other appropriate designees to review and approve Web content before posting to the Internet for the general public and to ensure content meets requirements set forth in DOD Web site administrative guidance. Although we found no PII on any of the Army public Web sites we reviewed, Army Web administrators responsible for 84 Web sites did not comply with DOD and Army policies and procedures for managing their Web sites.
Navy and Marine Corps Site Visit Results
Secretary of the Navy Instruction 5720.47B, "Department of the Navy Policy for Content of Publicly Accessible World Wide Web Sites," December 28, 2005, requires Navy and Marine Corps activities to maintain publicly accessible Web sites that (1) implement and administer a comprehensive Web site management program, (2) develop local procedures for the approval of information posted on publicly accessible Web sites, and (3) ensure posted information meets requirements set forth in DOD Web site administrative guidance.

Navy
• sensitive information, to include data labeled FOUO as required by DOD policy;
• information in the aggregate; and
• PII such as family member information, date and place of birth, and duty location.

We found PII on seven Navy public Web sites. For example, one Web site contained individuals' dates and places of birth, spouses' names, residences, and dependents' names. After we notified the managers of the noncompliance, they removed the PII from the seven public Web sites we identified.
Marine Corps
We interviewed 17 Marine Corps Web site managers responsible for managing 38 public Web sites. The content review and approval process for Web site managers of 37 public Web sites did not comply with DOD Web site administrative guidance. Thirty-seven public Web sites we reviewed provided content review and approval procedures, but the procedures did not fully address requirements for reviewing:
• sensitive information, to include data labeled FOUO as required by DOD policy;
• information in the aggregate; and
• PII.

We found PII on 12 Marine Corps public Web sites. For example, the Web sites contained individuals' dates and places of birth, spouses' names, residences, dependents' names, and other PII. After we notified the Marine Corps public Web site managers of the noncompliance, they removed PII from 11 of the 12 public Web sites. The Web manager for the remaining Web site continues to evaluate the occurrence of PII on that Web site.
Air Force Site Visit Results
All 14 Air Force public Web sites we reviewed were managed and operated under the Air Force Public Information Management System. Air Force public Web site managers must sign a memorandum of understanding to access the Air Force Public Information Management System and register their public Web sites with the Air Force Public Affairs Agency. Only 1 of the 14 public Air Force Web sites we reviewed had established local plans, policies, and procedures for management of their Web sites as required by the memorandum of understanding. The operating instructions for the Web site with documented content management procedures were outdated and failed to fully address DOD policy requirements for reviewing:
• sensitive information, to include data labeled FOUO as required by DOD policy;
• information in the aggregate; and
• PII.

Although we found no PII on any of the 14 Air Force public Web sites, content managers for the 13 public Web sites without documented local procedures provided inconsistent approaches to Web site content management. Web site managers stated that the same individual could create, review, and approve content for public release, but some managers separated the duties. Separation of duties is a fundamental principle of various regulatory mandates, such as Sarbanes-Oxley and the Gramm-Leach-Bliley Act.

Air Force Instruction 33-129, "Web Management and Internet Use," February 3, 2005, defines the roles and responsibilities of personnel maintaining Air Force public Web sites. It designates the Secretary of the Air Force Office of Public Affairs to develop a review process for posting information on publicly accessible Web sites. Further, Air Force Instruction 35-101, "Public Affairs Policies and Procedures," November 29, 2005, mandates a security and policy review to ensure the material proposed for public release through Web sites is accurate, contains no classified material, and does not conflict with established Air Force, DOD, or U.S. Government policy. Near the completion of our audit, the Air Force issued Air Force Instruction 35-107, "Public Web Communications," October 21, 2009, and is currently working to refine its guidance.
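The review and approval control described under "Criteria for Web Site Administration" (review by Web OPSEC-trained personnel before posting, including review in the aggregate) and the separation-of-duties point in the Air Force results above can be expressed as a pre-posting gate that also produces the retained decision record. The following Python example is added here and is not code from the report or from any DOD or Service system; its one-year training validity window, screening patterns, user names, dates and sample content are all assumptions.

```python
"""Pre-posting gate for a public Web site: records who wrote, reviewed and
approved an item, enforces separation of duties and current Web OPSEC training,
and screens the text for markings and PII that should not reach a public site.
Added example; names, dates and content are constructed."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumption: the joint message sets no training frequency, so this one-year
# validity window is a constructed local policy choice, not a DOD requirement.
TRAINING_VALID_FOR = timedelta(days=365)

# Screening patterns (assumed; a real deployment would tune these to its content).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(date of birth|place of birth|DOB)\s*[:\-]", re.IGNORECASE)
MARKING_RE = re.compile(r"\b(FOUO|for official use only|limited distribution)\b",
                        re.IGNORECASE)


@dataclass(frozen=True)
class Person:
    user_id: str
    web_opsec_trained_on: Optional[date] = None   # None = no training on record


@dataclass(frozen=True)
class PostingRequest:
    site: str
    author: Person
    reviewer: Optional[Person]
    approver: Optional[Person]
    content: str
    aggregation_reviewed: bool = False   # reviewer weighed the item against what is already posted


def training_is_current(person: Person, today: date) -> bool:
    trained = person.web_opsec_trained_on
    return trained is not None and today - trained <= TRAINING_VALID_FOR


def content_findings(text: str) -> List[str]:
    """Flag text that the review steps in the report exist to catch."""
    findings = []
    if MARKING_RE.search(text):
        findings.append("content carries a FOUO or limited-distribution marking")
    ssn_count = len(SSN_RE.findall(text))
    if ssn_count:
        findings.append(f"{ssn_count} SSN-formatted value(s) found")
    if DOB_RE.search(text):
        findings.append("date or place of birth field found")
    return findings


def check_posting(req: PostingRequest, today: date) -> List[str]:
    """Return every reason the item must be held; an empty list means releasable."""
    problems = []
    if req.reviewer is None:
        problems.append("no Web OPSEC reviewer recorded")
    if req.approver is None:
        problems.append("no approver recorded")
    for role, person in (("reviewer", req.reviewer), ("approver", req.approver)):
        if person is None:
            continue
        if person.user_id == req.author.user_id:
            problems.append(f"author is also the {role} (no separation of duties)")
        if not training_is_current(person, today):
            problems.append(f"{role} {person.user_id} lacks current Web OPSEC training")
    if not req.aggregation_reviewed:
        problems.append("review of information in the aggregate not recorded")
    problems.extend(content_findings(req.content))
    return problems


def gate(req: PostingRequest, today: date) -> dict:
    """Produce the retained decision record the report found most organizations lacked."""
    problems = check_posting(req, today)
    return {
        "site": req.site,
        "author": req.author.user_id,
        "reviewer": req.reviewer.user_id if req.reviewer else None,
        "approver": req.approver.user_id if req.approver else None,
        "checked_on": today.isoformat(),
        "decision": "release" if not problems else "hold",
        "problems": problems,
    }


# Constructed sample: one compliant request and one that fails several checks.
TODAY = date(2010, 11, 29)
AUTHOR = Person("author1")                                   # no training on record
REVIEWER = Person("reviewer1", web_opsec_trained_on=date(2010, 3, 1))
APPROVER = Person("approver1", web_opsec_trained_on=date(2010, 6, 1))
STALE_APPROVER = Person("approver2", web_opsec_trained_on=date(2008, 1, 15))

GOOD = PostingRequest("https://site-a.example/", AUTHOR, REVIEWER, APPROVER,
                      "Community picnic schedule for October.", aggregation_reviewed=True)
BAD = PostingRequest("https://site-a.example/", AUTHOR, AUTHOR, STALE_APPROVER,
                     "Roster: J. Doe, SSN 123-45-6789, Date of Birth: 04/12/1981")

if __name__ == "__main__":
    for req in (GOOD, BAD):
        print(gate(req, TODAY))
```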
Other DOD Organization Site Visit Results
We interviewed public Web site managers from 12 Defense Agencies, 5 Office of the Secretary of Defense offices, and 1 combatant command, which in combination are responsible for managing 73 DOD public Web sites. Of the 73 public Web sites reviewed, 41 were compliant, and 32 were noncompliant with DOD Web site administrative guidance. Managers for 17 of the 32 Web sites lacked documented review and approval procedures. Web site managers for the remaining 15 Web sites provided content review and approval procedures that failed to fully address the following process requirements for:
• overall review before posting unmarked (FOUO) content;
• clearance review;
• review of content for sensitivity and distribution/release controls;
• sensitivity of information in the aggregate; and
• required training and knowledge of personnel.
Web Site Administrators Lack Web Operations Security Training
DOD organizations failed to ensure all DOD Web site administrators received the required training, and they implemented inconsistent procedures that omitted requirements for Web OPSEC training. On August 6, 2006, the Vice Chairman of the Joint Chiefs and the Deputy Secretary of Defense issued a joint message, "Information Security/Web Sites Alert." The joint message requires all command OPSEC managers, webmasters, and public affairs specialists who review information for Web posting to receive Web OPSEC training. The message does not specify the frequency of the training. Web OPSEC training is critical to ensuring the identification, proper control, and proper posting of sensitive information to DOD public Web sites. Appropriate Web OPSEC training enhances the ability of content review participants to perform essential Web site administration tasks and manage the information in a responsible and secure manner.

We found 452 of 470 DOD public Web site administrators did not complete required Web OPSEC training; broken down by Service, 147 of 148 Army, 74 of 75 Navy, 45 of 45 Air Force, 17 of 17 Marine Corps, and 169 of 185 other DOD organizations' Web site administrators did not meet DOD OPSEC training requirements.

Web site administrators responsible for content review and approval duties cited on-the-job training and knowledge acquired over the years as adequate preparation for executing the required review and approval procedures. Web site administrators stated they were unaware of the Web OPSEC training requirement. Other Web site administrators pointed to the lack of available Web OPSEC training classes and funding shortfalls that precluded travel to obtain required OPSEC training. See Figure 3.
Availability of Operations Security Training Courses
The Interagency OPSEC Support Staff (IOSS) sponsors Web OPSEC training through both classroom and e-learning courses. Since April 2007, the IOSS has offered an adjunct faculty option allowing Federal organizations to certify personnel to teach Web OPSEC courses at the local command level. As of December 2009, no DOD organizations had taken advantage of the opportunity to certify adjunct personnel to teach Web OPSEC courses at their respective DOD organizations. The IOSS reports that it has sufficient resources to accommodate the demand for the Web OPSEC training for all agencies. Appendix C provides a schedule of available Web OPSEC courses.
Management Oversight
Incentive to Comply With DOD Policy
Ultimately, DOD Web site administrators lack the incentive to ensure the implementation of proper Web site management procedures and internal controls. For instance, there were no penalties for noncompliance with public Web site guidance. Management took no action to determine if sensitive information was posted to DOD public Web sites. In fact, few Web site administrators were aware of the need for a documented process for accountability and authorization prior to posting. Most of the organizations did not maintain records for tracking the posting of sensitive or personal information over the last 5 years. If such incidents should occur, organizations can withdraw the information from a Web site; however, Web archiving tools can still retrieve the information.
Dissemination of Guidance
DOD Web administrators stated that the DEPSECDEF Memorandum was not disseminated to their offices. A total of 168 Web administrators responsible for managing 116 Web sites reported that they received neither the DEPSECDEF Memorandum nor other Web site guidance and were unaware of the Web OPSEC training certification requirement contained in the guidance. Inadequately trained DOD Web site administrators had insufficient knowledge for assessing the nature of security risks associated with reviewing and approving information before posting.
DOD Organization Internal Reviews
DOD organizations failed to conduct internal reviews to ensure that DOD Web site administrators were implementing content review and approval procedures as required. Organizations' management control plans did not include controls for the review of Web site content review and approval procedures. The absence of internal reviews increases the potential for posting inappropriate content.
Web Risk Assessment Cell Continues to Find Sensitive Information on DOD Publicly Accessible Web Sites
DOD approved the establishment of the JWRAC on February 12, 1999. Its mission is to provide analyses of Web site risk and operations security. From 2007 through 2009, JWRAC identified sensitive information posted to multiple DOD publicly accessible Web sites. For example, improper posting of sensitive information related to 702 FOUO documents, 241 occurrences of PII including social security numbers, and 1,124 postings of information designated as "for limited distribution."

All DOD Components that have established publicly accessible Web sites are responsible for ensuring that the information published on these sites does not compromise national security or place DOD personnel at risk. DOD Component heads are required to enforce the application of comprehensive risk management procedures ensuring that mission benefits gained by using the Web are balanced against the potential security and privacy risks created when aggregated DOD information is made readily accessible over the World Wide Web.

Service Web Risk Assessment Cells
The Army, Navy, and Marine Corps established Web risk assessment cells to conduct assessments of their publicly accessible Web sites, notify commands of Web site violations, and ensure compliance with DOD policy requirements. The Air Force is discussing establishing a Web risk assessment cell, but has not set a firm date by which to make a decision. Given the continued findings of sensitive information posted to DOD public Web sites and the current inaccuracies of Services' Web site inventories, the Air Force should move forward without further delay and establish a Web risk assessment cell to assess risk and compliance with DOD OPSEC and privacy requirements for its public Web sites.

Upon establishment of a DOD central Web site registration system, personnel working in Service Web risk assessment cells should routinely search for unregistered DOD Web sites. This practice would identify unregistered sites that should be blocked until they are registered.

or no proper training. DOD organizations failed to submit, or submitted incomplete, Web site certifications. DOD failed to implement a followup process to verify Components' compliance with the Web site certification reporting requirement. Proper implementation and strengthening of Web site policies will reduce the risk of posting sensitive information to DOD public Web sites and detrimental impacts to DOD missions and personnel.
Management Comments on the Finding and Our Response
Please see Appendix D for complete management comments and audit responses on the finding.
Trang 20Recommendations, Management Comments, and Our Response
Revised Recommendation
Reconimendation A.2 has been revised in response to comments fom the Assistant Secretary of Dofense for Networks and Information Integration DOD Chie? Information Officer's and Vice Director, Defense Information Systems Agency, to better align with the impending issuance of DOD Instruction 830 sa
Al We recommend the Assistant Secretary of Defense for Networks and
Information IntegrationDOD Chief Information Officer re-emphasize to all DOD Components the DOD Web Site Administration Policy and Procedures
requirements to develop review and approval procedures for information posted to publicly accessible Web sites
‘& Management, and the Under Secretary of Defense for Intelligence, respectively, reemphiasize and fully describe eurent review, clearance, and authorization policies and procedures inthe forthcoming DOD Insiuetion 8430 aa, "DoD Internet Services and Intemet-Dased Capabilities,
Our Response
{he Deputy Chief Information Officer's comments are esponsive and moet the intent of
‘our recommendations No further comments are required
A.2 We recommend the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, within 120 days, develop and issue a DOD Instruction that requires heads of DOD Components to annually assess and document DOD Internet services' and Internet-based capabilities' compliance with applicable policies and procedures, to include, at a minimum, that:
a. Documented review and approval processes are implemented for all public Web sites and copies of the documentation are filed with the DOD Component CIOs;
b. All Web site administrators have received the proper Web OPSEC training;
of actions and milestones to the responsible head of the DOD Component for all public Web sites that have not implemented a documented content review and approval process, and for those personnel who have not received the proper Web OPSEC training;
e. Joint and Service Web risk assessment cells conduct routine searches for unregistered DOD Web sites.
Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, agreed with the original recommendation, stating that the annual policy compliance assessment and corrective action will be mandated in the impending DOD Instruction 8430.aa. In addition, the Deputy Chief Information Officer suggested that the recommendation be revised to better align with the Instruction and provide a more efficient process.
Our Response
The Deputy Chief Information Officer's comments are partially responsive. Due to the revisions, we revised Recommendation A.2 to include suggestions from the Deputy Chief Information Officer and the Vice Director, Defense Information Systems Agency. We request the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer provide comments for Recommendations A.2.a, A.2.b, A.2.c, A.2.d, and A.2.e.
A.3 We recommend the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer develop enforcement procedures for noncompliance with the annual certification requirement.
Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, agreed. The forthcoming DOD Instruction 8430.aa mandates that Web sites and associated processes comply with the Instruction.
Our Response
The Deputy Chief Information Officer's comments are partially responsive. Management comments do not address the development of enforcement actions for noncompliance with annual assessment requirements. However, management comments and suggestions for Recommendation A.2 establish an annual Web site assessment requirement that, if not complied with, will result in DOD Web sites being shut down or disconnected. No further comments are required.
A.4 We recommend the Director, Joint Web Risk Assessment Cell, expand distribution of its annual OPSEC and threat assessment reports on DOD public Web sites to the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer and the Office of the Under Secretary of Defense for Intelligence.
Defense Information Systems Agency Comments
The Vice Director, Defense Information Systems Agency, agreed. The Vice Director stated that the Joint Web Risk Assessment Cell will expand the distribution of its annual OPSEC and threat assessments report on DOD public Web sites to the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer and the Office of the Under Secretary of Defense for Intelligence.
Our Response
The Vice Director's comments are responsive and meet the intent of our recommendations. No further comments are required.
A.5 We recommend the Secretary of the Air Force, within 90 days, develop a process to review OPSEC threat and vulnerability risks for all its public Web sites.
Secretary of the Air Force Comments
The Director of Network Services, Office of Information Dominance and Chief Information Officer, responding for the Secretary of the Air Force, agreed. The Director stated the Air Force Telecommunications Monitoring Assessment Program will be utilized to conduct OPSEC vulnerability assessments for release of information to the public via Internet-based capabilities. Additionally, policy is being developed within AFI 10-701, "Operations Security (OPSEC)," to address the lack of an Air Force directive regarding OPSEC reviews conducted prior to releasing information, as well as training for personnel reviewing information.
Our Response
The Director of Network Services, Office of Information Dominance and Chief Information Officer's comments are responsive and meet the intent of our recommendations. No further comments are required.
Finding B. DOD Lacks a Complete Inventory for Publicly Accessible Web Sites
DOD did not comply with requirements to maintain a central Web site registration system. This occurred because, after the disestablishment of the office of primary responsibility under the 2005 Base Realignment and Closure process, the responsibility to operate and maintain a central registration system was not reassigned. In addition, although the Military Services and other DOD organizations had Web site inventory systems, the systems were not accurate or current. Without an accurate inventory system, DOD organizations cannot account for the proper management of all of DOD's publicly accessible Web sites or reduce the risk of posting personally identifiable, FOUO, and other sensitive information to DOD publicly accessible Web sites.
Criteria for DOD Web Site Inventory
Public Law 104-13, "Paperwork Reduction Act of 1995," Chapter 35, Section 3506, requires each agency to maintain a current and complete inventory of its information resources (including Web sites) to fulfill the requirements of the Government Information Locator Service. Further, Section 3511 requires each agency to establish and maintain its own information locator service as a component of, and to support the operation of, the Government Information Locator Service. Public Law 107-347, 107th Congress, "E-Government Act of 2002," December 17, 2002, amended Public Law 104-13 to require heads of Federal agencies to prepare and maintain an inventory of information resources, including public Web sites.
Office of Management and Budget policy requires agencies to establish a public Web site inventory. Office of Management and Budget Circular A-130, "Management of Federal Information Resources," states that agencies must establish and maintain inventories of all agency information dissemination products* by implementing a management system. Also, Office of Management and Budget Memorandum M-05-04, "Policies for Federal Agency Public Web Sites," December 17, 2004, requires agencies to establish and maintain inventories for information dissemination products, including public Web sites.
DOD Web site administrative guidance requires the Assistant Secretary of Defense for Public Affairs to provide and maintain a central Web site registration system. Military Services must establish and maintain their own registration systems and integrate their systems with the DOD central system. To that end, the Army, Navy, Air Force, and Marine Corps each have an individual policy and individual instructions requiring Web site registration.
* Per Office of Management and Budget Circular A-130, information dissemination products are material, regardless of physical form or characteristics, disseminated by an agency to the public.
DOD Web site administrative guidance requires the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer to approve and publish DOD instructions to guide, direct, or help Web site activities, and to coordinate issuing guidance for requirements addressing information security on the Web.
DOD Did Not Maintain a Central Web Site Inventory of All Publicly Accessible Web Sites
DOD did not comply with requirements to maintain an inventory of all DOD public Web sites. Office of Management and Budget policies that implement the provisions of Public Laws 104-13 and 107-347 require agencies to prepare and maintain an inventory of information resources, to include publicly accessible Web sites. DOD implemented these OMB policies through its DOD Web site administrative guidance.
In 1998, DOD issued the Web site administrative guidance requiring the Assistant Secretary of Defense for Public Affairs to establish and maintain a DOD central Web site registration system. In November 2000, the American Forces Information Service (AFIS), under the authority of the Assistant Secretary of Defense for Public Affairs, received the responsibility to maintain the DOD central Web site registration system. In FY 2000, AFIS began funding the Defense Technical Information Center to operate the DOD central Web site registration system. In 2005, when the Defense Technical Information Center needed to update and redesign the system, AFIS discontinued its funding. As a result, the Defense Technical Information Center terminated the operation of the central Web site registration system.
In 2006, after the registration system was shut down, AFIS began a review of the Web site registration system requirements with the intention of issuing a plan of action by mid-to-late April 2006. However, AFIS never completed the review. In October 2008, AFIS was disestablished under the 2005 Base Realignment and Closure process. In January 2008, the Defense Media Activity was established under the authority of the Assistant Secretary of Defense for Public Affairs. AFIS functions, personnel, funding, and associated resources were transferred to the Defense Media Activity. However, responsibility for the requirement to operate a central Web site registration system was not reassigned.
Inventories of DOD Organizations’ Public Web Sites
Military Services' and other DOD organizations' Web site inventories were inaccurate and unreliable. Without an accurate and reliable inventory, the risk of posting personally identifiable, FOUO, and other sensitive information on publicly accessible Web sites will continue to be a concern.
The Military Services and other DOD organizations (see Appendix A) provided lists totaling 3,211 publicly accessible Web sites; however, after testing the listed Web sites for public accessibility, we determined that 791 (25 percent) were not publicly accessible. Specifically, the lists contained password-protected and non-operational Web sites. When we tested the contact information associated with the public Web sites, we found many of the points of contact were outdated. After contacting Web site managers, we found an additional 51 publicly accessible Web sites which were not included in the Components' inventory lists. See Table 1.
Table 1. Number of Public Web Sites Reported and Verified
Army Site Visit Results
A September 2007 Army Audit Agency report found that since 2005, the Army did not have a central Web site registration repository for its public Web sites, even though it had anticipated establishing a central Web site registration system for all Army Web sites by November 2007. We confirmed that the Army had not established an inventory system for public Web sites. In order to respond to the DEPSECDEF Memorandum issued to DOD Components on September 25, 2008, the Office of the Army Chief Information Officer/G-6 issued an All Army Action data call, dated December 8, 2008, for Army public Web sites. The data call required Army commands and agencies to submit a list of their public Web sites and Web site personnel information by February 4, 2009.
We requested a list of Army public Web sites, and on March 31, 2009, the Office of the Army Chief Information Officer/G-6 provided an inventory list of 1,111 public Web sites that was derived from the All Army Action data call. We tested all 1,111 Web sites for public accessibility and found 320 (29 percent) that were not publicly accessible. The inventory listing included password-protected and non-operational Web sites. We also tested Web site inventory point-of-contact information and found much of it was outdated because Web site administrators did not update Web site contact information when personnel changes occurred.
For the Army sites we visited, the inventory list showed 249 Web sites. During our site visits, we verified that all 249 Web sites were publicly accessible. However, we found an additional 20 Web sites not listed by the Army sites we visited.
The Asset and Vulnerability Tracking Resource System, designated on March 12, 2009, as the registration system for all Army public Web sites, was not designed to provide an accurate inventory of Army public Web sites. We received a Web site inventory list based on an Asset and Vulnerability Tracking Resource System report dated June 15, 2009; the system inventory report listed 1,938 public and private Web sites. We requested a separate list of publicly accessible Web sites only, and were told that because Web sites, both public and private, were not properly labeled when entered into the system, an accurate report listing public Web sites only was unavailable. For the Asset and Vulnerability Tracking Resource System list of public Web sites to be integrated with a DOD central registration system, the Army system must be able to distinguish between public and all other Web sites, which it does not do.
Results of Navy, Air Force, and Marine Corps Site Visits
Navy, Air Force, and Marine Corps policies require all publicly accessible Web sites to be registered in their respective registration systems. Secretary of the Navy Instruction 5720.47B, "Department of the Navy Policy for Content of Publicly Accessible World Wide Web Sites," December 28, 2005, mandates registration of Navy Web sites in the Naval Web Site Registration System and Marine Corps Web sites in the Marine Corps Web Site Registration Database. The Air Force Policy Memorandum "Public Web Site Registration," May 2, 2007, requires registration of Air Force public Web sites in the Air Force Public Information Management System.
We tested the Navy, Air Force, and Marine Corps Web site registration system inventories for accuracy and currency. We requested a list of public Web sites and were provided Web site inventory lists derived from each of the three Services' registration systems:
• For the listing of 710 Navy-provided Web sites, we found 63 sites (9 percent) were not publicly accessible.
• For the listing of 311 Air Force-provided Web sites, we found 26 sites (8 percent) were not publicly accessible.
• For the listing of 502 Marine Corps-provided Web sites, we found 166 sites (33 percent) were not publicly accessible.
The Navy, Air Force, and Marine Corps Web site lists included password-protected and non-operational Web sites. Point-of-contact information was outdated because Web site administrators did not update contact information when personnel changes occurred.
In addition, for the Navy sites we visited, the inventory list showed 25 Web sites. During our site visits, we verified that all 25 Web sites were publicly accessible, and we found an additional 17 Web sites not listed on the Navy inventory. For the Marine Corps sites we visited, the inventory list showed 24 Web sites. During our site visits, we verified that all 24 Web sites were publicly accessible; however, we found an additional 14 Web sites not listed on the Marine Corps inventory. One possible explanation for some of the inaccuracies in the Marine Corps listing may be the current effort to migrate all Marine Corps public Web sites to the new Web site, www.marines.mil. Internal control guidance for the Navy, Air Force, and Marine Corps did not mandate review of each Service's public Web sites.
Other DOD Organization Site Visit Results
We reviewed Web site registration practices and requirements for 12 DOD agencies, 5 offices of the Office of the Secretary of Defense, and 1 combatant command. We requested public Web site inventory lists from these DOD organizations, which provided lists containing 577 Web sites. We tested all 577 Web sites for public accessibility and determined that 216 (37 percent) were not publicly accessible. The 216 Web sites included password-protected and non-operational Web sites.
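The accessibility test the auditors applied to each inventory list above (an entry counts as not publicly accessible when it is password-protected or non-operational) and the site-visit reconciliation that surfaced sites missing from the lists can both be scripted. The following is an added example, not tooling from the audit or from any DOD Component. The inventory entries, hostnames, and probe outcomes are constructed so that it runs offline; the live prober assumes that an anonymous GET of each site root is a sufficient test and that an authentication challenge or a 5xx/connection failure is what "password-protected" and "non-operational" mean in practice.

```python
"""
Verify a public Web site inventory the way the finding describes: probe each
listed site, bucket it as publicly accessible, password-protected, access-
restricted, or non-operational, and reconcile the registered list against the
sites actually observed (e.g. during a site visit or a search for unregistered
hosts).

Added illustration, not the audit's own tooling.  All sample data below is
constructed; live_probe() is the only function that touches the network and
is not called by the sample run.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Probe:
    status: Optional[int] = None   # final HTTP status; None when no HTTP reply was obtained
    auth_challenge: bool = False   # a WWW-Authenticate / Proxy-Authenticate header was seen
    error: Optional[str] = None    # DNS failure, timeout, connection refused, ...


def normalize(site: str) -> str:
    """Collapse the spellings found in hand-maintained inventories
    ('Example.mil/', 'http://example.mil', 'https://example.mil/index.html')
    to a lowercase host key so that lists can be compared."""
    site = site.strip()
    if "://" not in site:
        site = "http://" + site
    return (urlsplit(site).hostname or "").lower().rstrip(".")


def classify(probe: Probe) -> str:
    """Map one probe result to the categories used in the finding."""
    if probe.status is None or probe.status >= 500:
        return "non-operational"
    if probe.auth_challenge or probe.status in (401, 407):
        return "password-protected"
    if probe.status == 403:
        return "access-restricted"      # reachable, but refuses anonymous visitors
    if 200 <= probe.status < 400:
        return "publicly-accessible"
    return "non-operational"            # 404/410 etc. at the site root: nothing is served


def live_probe(site: str, timeout: float = 10.0) -> Probe:
    """Network prober for real use (assumption: a GET of the site root is enough)."""
    url = site if "://" in site else "http://" + site
    req = urllib.request.Request(url, headers={"User-Agent": "inventory-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:   # redirects are followed
            return Probe(status=resp.status)
    except urllib.error.HTTPError as e:                              # 4xx / 5xx replies
        challenged = "WWW-Authenticate" in e.headers or "Proxy-Authenticate" in e.headers
        return Probe(status=e.code, auth_challenge=challenged)
    except OSError as e:          # URLError, timeouts and refused connections are all OSError
        return Probe(error=str(getattr(e, "reason", e)))


def verify_inventory(inventory: Iterable[str], probe: Callable[[str], Probe]) -> dict:
    """Probe every registered site; return per-site categories plus Table 1 style totals."""
    results: dict[str, str] = {}
    for site in inventory:
        key = normalize(site)
        if key in results:          # duplicate spellings are common in merged data calls
            continue
        results[key] = classify(probe(site))
    reported = len(results)
    public = sum(1 for c in results.values() if c == "publicly-accessible")
    not_public = reported - public
    return {
        "sites": results,
        "reported": reported,
        "verified_public": public,
        "not_public": not_public,
        "percent_not_public": round(100.0 * not_public / reported, 1) if reported else 0.0,
    }


def find_unregistered(inventory: Iterable[str], observed: Iterable[str]) -> set[str]:
    """Hosts seen in the field (or by a crawl/search) that no registration entry covers."""
    return {normalize(s) for s in observed} - {normalize(s) for s in inventory}


# --- constructed sample data (hostnames and outcomes are invented) -------------------
SAMPLE_INVENTORY = [
    "www.example-cmd.mil", "https://www.example-cmd.mil/",     # same site listed twice
    "garrison.example.mil", "pao.example.mil", "news.example.mil",
    "recruiting.example.mil", "intranet.example.mil", "portal.example.mil",
    "old-site.example.mil", "legacy.example.mil",
]
SAMPLE_PROBES = {
    "www.example-cmd.mil": Probe(status=200),
    "garrison.example.mil": Probe(status=200),
    "pao.example.mil": Probe(status=200),
    "news.example.mil": Probe(status=200),
    "recruiting.example.mil": Probe(status=200),
    "intranet.example.mil": Probe(status=401, auth_challenge=True),   # password-protected
    "portal.example.mil": Probe(status=403),                          # access-restricted
    "old-site.example.mil": Probe(error="Name or service not known"), # DNS gone
    "legacy.example.mil": Probe(status=503),                          # non-operational
}
SAMPLE_OBSERVED = ["www.example-cmd.mil", "pao.example.mil",
                   "mwr.example.mil", "http://museum.example.mil/about"]


def sample_probe(site: str) -> Probe:
    return SAMPLE_PROBES.get(normalize(site), Probe(error="no route to host"))


def run_sample() -> tuple[dict, set[str]]:
    return (verify_inventory(SAMPLE_INVENTORY, sample_probe),
            find_unregistered(SAMPLE_INVENTORY, SAMPLE_OBSERVED))


if __name__ == "__main__":
    summary, unregistered = run_sample()
    for host, category in sorted(summary["sites"].items()):
        print(f"{host:28} {category}")
    print(f"reported={summary['reported']} verified public={summary['verified_public']} "
          f"not public={summary['not_public']} ({summary['percent_not_public']}%)")
    print("unregistered:", ", ".join(sorted(unregistered)))
```

Swap `sample_probe` for `live_probe` to run against a real list; because only `normalize()` is used for matching, the reconciliation also catches the case in the Army system above, where public and private entries were mixed, only if the observed list is itself limited to sites confirmed reachable without credentials.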
Although DOD Web site administrative guidance requires the Military Services to establish and maintain a Web site registration system, the requirement does not extend to DOD agencies and the offices of the Secretary of Defense. However, the Web site registration requirement should extend to DOD organizations such as the Defense Logistics Agency and the Defense Information Systems Agency, which operate multiple public Web sites. DOD should establish a threshold requirement for non-Service DOD organizations such as the Defense Information Systems Agency and the Defense Logistics Agency to establish and maintain a public Web site registration system, based on the number of public Web sites they operate. Web site administrators reported they were unaware of any Federal or DOD policy requiring them to register their public Web sites outside of their offices.
products on the Defense.gov Web site in August 2010, the activity had not issued a DOD-wide notification of the new registration capability as of August 30, 2010. Implementation of the Web site registration application provides a capability for DOD Web site managers to register their public Web sites. However, completion of the registration application does not completely fulfill the requirements of public law and Federal policy to maintain a current and complete inventory of information dissemination products. Additionally, the application does not fully comply with DOD policy, which requires all Service registration systems to integrate with the DOD registration system.
organizations were not publicly accessible. Without an accurate inventory, DOD organizations cannot account for the proper management of all of their publicly accessible Web sites to reduce the risk of posting personally identifiable, FOUO, and other sensitive information to DOD publicly accessible Web sites.
Recommendations, Management Comments, and Our Response
B.1 We recommend the Assistant Secretary of Defense for Public Affairs identify the system that will maintain the inventory of all DOD publicly accessible Web sites and notify all Components of their requirements to register publicly accessible Web sites within 120 days.
Assistant Secretary of Defense for Public Affairs Comments
The Deputy Assistant Secretary of Defense for Outreach and Social Media, responding for the Assistant Secretary of Defense for Public Affairs, agreed. The Deputy Assistant Secretary of Defense for Outreach and Social Media stated that the registration requirements are published in the existing "Web Site Administration Policies and Procedures," and these requirements will be reissued in the impending DOD Instruction 8430.aa, "DOD Internet Services and Internet-Based Capabilities."
Our Response
The Deputy Assistant Secretary of Defense for Outreach and Social Media's comments are responsive and meet the intent of the recommendation. No further comments are required.
B.2 We recommend the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer:
* External official presences, as defined by draft DOD Instruction 8430.aa, are official DOD activities conducted on Internet-based capabilities (for example, a combatant command page on Facebook or a Chairman of the Joint Chiefs of Staff site).
b. Develop and implement policies to enforce the registration of all DOD publicly accessible Web sites.
Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, agreed. The impending DOD Instruction 8430.aa mandates that Web sites be registered. Additionally, the comments for the Finding A recommendations establish that Web sites not brought into compliance with the Instruction will be shut down or disconnected.
c. Require DOD Component Chief Information Officers to maintain inventories integrated with the re-established DOD-wide public Web site registration system.
Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, agreed. The Deputy Chief Information Officer stated the impending DOD Instruction 8430.aa assigns DOD Component Chief Information Officers the responsibility to advise the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer and to ensure that the policies for the use of DOD Internet services and Internet-based capabilities issued by the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer are implemented within the Component. The Instruction will also establish the requirement to register the Internet addresses and contact information for all DOD Internet services, external official presences, and other official uses in the registration and inventory system(s) hosted by the Assistant Secretary of Defense for Public Affairs on Defense.gov.
d. Establish a minimum threshold, based on the number of publicly accessible Web sites managed by non-Service DOD organizations, requiring the organizations to establish and maintain an integrated Web site registration system.
systems to meet their specific needs, but policy should not require the establishment of potentially redundant systems. The impending DOD Instruction 8430.aa has been modified to require the Assistant Secretary of Defense for Public Affairs to host and operate registration system(s) for the addresses of public DOD Web sites and external official presences that are capable of producing individual Component inventories. The Instruction also requires that the CIOs ensure that the Component's inventory of public Web sites and external official presences is maintained once the registration and inventory system(s) hosted and operated by the Assistant Secretary of Defense for Public Affairs
of public DOD Web sites and external official presences that is capable of producing individual Component inventories. No further comments are required.
Appendix A. Scope and Methodology
We conducted this performance audit from February 2009 through August 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
We evaluated the implementation of the DOD Web Site Administration Policies and Procedures; the Deputy Secretary of Defense Memorandum; and the Information Security/Web Site Alert. We interviewed personnel and obtained information from the Military Services, 12 Defense Agencies, 5 Secretary of Defense offices, and 1 Combatant Command, to include the Defense Logistics Agency, Defense Information Systems Agency, Defense Technical Information Center, Defense Contract Audit Agency, Defense Threat Reduction Agency, Defense Media Activity, TRICARE Management Activity, Defense Finance and Accounting Service, Defense Prisoner of War/Missing Personnel Office, National Geospatial-Intelligence Agency, Defense Advanced Research Projects Agency, National Security Agency, Office of the General Counsel, Assistant Secretary of Defense for Public Affairs, Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, Under Secretary of Defense for Acquisition, Technology, and Logistics, Secretary of Defense Chief Information Officer, and U.S. Strategic Command, and Public Affairs Officers and Web administrators with the Departments of the Army, Navy, Air Force, and Marine Corps.
• Army Medical Department Center and School, Fort Sam Houston, Texas
• Army Medical Command, Fort Sam Houston, Texas
• U.S. Army Garrison, Fort Sam Houston, Texas
• U.S. Army North, Fort Sam Houston, Texas
• U.S. Army South, Fort Sam Houston, Texas
• Navy Region Southwest Morale, Welfare, and Recreation, San Diego, California
• Commander, Navy Region Southwest, San Diego, California
• Helicopter Maritime Strike Squadron Four One, Naval Air Station North Island, San Diego, California
• Helicopter Anti-Submarine Squadron Light Four Five, Naval Air Station North Island, San Diego, California
• Commander, Helicopter Maritime Strike Wing, U.S. Pacific Fleet, Naval Air Station North Island, San Diego, California
• Helicopter Sea Combat Squadron Two One, Naval Air Station North Island, San Diego, California