The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

DoD's Data Access Program Needs Oversight, Evaluation

by Chris Brook on Wednesday March 25, 2020

Contact Us
Free Demo
Chat

The Department of Defense and its research facilities could be taking more steps to ensure steps around data protection are taken when sharing sensitive data, a federal audit revealed.

A recent government watchdog study found that several research centers, critical to carrying out work on behalf of the Department of Defense, could be doing a better job ensuring data protection measures are adhered to.

Federally Funded Research and Development Centers (FFRDC) - there are 42 of them across the U.S. - typically receive access to data belonging to Department of Defense contractors via DoD personnel, government databases, or via contractors themselves.

This information sharing is outlined through FFRDC disclosure agreements - a process put in motion by a three-year DoD pilot program started in December 2017. The pilot was designed to reduce the burden on FFRDCs when it comes to seeking permission from contractors directly but not all of the parties are following the rules of the program to a 'T'.

According to a Government Accountability Office (GAO) report earlier this month, both the DOD and FFRDCs have some work to do. The GAO, a legislative branch government agency for the U.S. Congress, is viewed by many as the federal government's auditor.

The GAO said for one the DoD should ensure that protections are in place to prevent improper disclosure across the board and ensure the protections are followed - something the department hasn't done.

“Ensuring comprehensive reporting and implementing a well-developed evaluation plan will help DOD understand and articulate the benefits the department has accrued because of FFRDC’s access to sensitive data,” read GAO’s report, “Improved Oversight and Evaluation Needed for DOD's Data Access Pilot Program,” (.PDF) released earlier this month.

The GAO has six recommendations that the DoD has already agreed with when it comes to ensuring the pilot is fulfilled securely.

The recommendations, detailed below, largely tie back to ensuring data protection efforts are taken and that plans to identify and evaluate the pilot program are put in place:

  • Recommendation 1: The Under Secretary of Defense for Research and Engineering should direct the Laboratories and Personnel Office to take steps to ensure that the details of the pilot program’s data protections are incorporated into the existing agreements.
  • Recommendation 2: The Under Secretary of Defense for Research and Engineering should direct the Laboratories and Personnel Office to take steps to ensure that the FFRDCs and sponsors are implementing the pilot program’s protections for sensitive data.
  • Recommendation 3: The Under Secretary of Defense for Research and Engineering should direct the Laboratories and Personnel Office to establish a monitoring and oversight mechanism to ensure that primary sponsors submit complete information on pilot projects, as required by DOD’s guidance for the pilot program.
  • Recommendation 4: The Under Secretary of Defense for Research and Engineering should direct the Laboratories and Personnel Office to develop a plan that outlines the methodology by which DOD will assess the pilot and how and when information collected will be analyzed to evaluate the pilot program.
  • Recommendation 5: The Under Secretary of Defense for Research and Engineering should direct the Laboratories and Personnel Office to develop a plan to identify and evaluate lessons learned from the pilot program.
  • Recommendation 6: The Under Secretary of Defense for Research and Engineering should direct the Laboratories and Personnel Office to develop a plan for obtaining input from stakeholders on the pilot program.

In addition to these recommendations, the GAO stressed that FFRDCs should provide training around to address the handling of proprietary information and the legal obligation not to disclose that information to anyone outside of the government, implement, maintain a financial disclosure program, and make sure parent organizations implement a process to report unauthorized disclosures of pilot-accessed data that are violations under the Trade Secrets Act.

According to GAO's report, the DoD may use FFRDCs to carry out work associated with the performance of government functions or simply related to maintaining control of the department's missions and operations. Often times FFRDCs provide help with financial analyses, policy development, acquisition planning, source selection, and contract management - work that requires data from arms within the department.  

It's worth noting that not every FFRDC is participating in the pilot; only six - the National Defense Research Institute, the Systems and Analyses Center, Project AIR FORCE, Arroyo Center, National Security Engineering Center, and the Software Engineering Institute - are enrolled.

The FFRDC report is the second IT-related report the GAO has released this month for the Department of Defense.

In a report from the beginning of March, (PDF) the watchdog said the DoD was lagging behind when it came to implementing its recommendations to improve business systems management within the department. The GAO's recommendations in that report not yet implemented included integrating its business and information technology architectures, ensuring that portfolio assessments are conducted in key areas, and to develop a skill inventory, needs assessment, gap analysis, and plan to address identified gaps.

Tags: Government

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.