Department of Defense

Office of the Inspector General -- Audit

DoD Web Site Administration, Policies, and Practices -- Report No. D-2002-129

Date: July 19, 2002

To obtain copies of Office of the Assistant Inspector General for Auditing Reports, contact the Secondary Reports Distribution Unit of the Analysis, Planning and Technical Support Directorate at (703) 604-8937 or FAX (703) 604-8932.

Who Should Read This Report and Why? Web site developers and administrators, public affairs officers, managers responsible for Web site content, and Web site users should read the reports in this series. Those involved with any aspect of a Web site will want to make sure that the content in their sites is up to date, accessible, tamper-proof, and yet user friendly. The content must also be a true reflection of the policies of the parent organization.

Background. This report is the third in a series that addresses Internet access, practices, and policies. Previous reports covered Web site administration at the Air Force and the Army. The Naval Audit Service issued a separate report based on the audit of Web-site administration at the Navy and the Marine Corps. The "DoD Web Site Administration Policy and Procedures," implemented December 7, 1998, and updated April 26, 2001, describes procedures for establishing, operating, and maintaining DoD unclassified Web sites. The Policy requires heads of DoD Components to establish a process to identify appropriate information for posting to Web sites and to ensure the review of all information placed on publicly accessible Web sites for security levels of sensitivity and other concerns before release. In addition, it requires the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence to ensure that DoD agencies and the Services comply with the Policy.

On February 12, 1999, the Deputy Secretary of Defense approved the Joint Web Risk Assessment Cell's Concept of Operations, a plan to use Reserve Components' assets to conduct ongoing security and threat assessments of Components' Web sites for inappropriate information. The Concept of Operations identifies the Defense Information Systems Agency as the executive agent for the Joint Web Risk Assessment Cell and requires the executive agent to develop an implementation plan, operating procedures, and a reporting mechanism.

Results. As of May 2002, 30 of the 200 disclosures on publicly accessible DoD Web sites that the Joint Web Risk Assessment Cell (JWRAC) had identified as inappropriate between April and September 2001 were still available for public viewing. As a result, DoD Web-site owners are not providing consistent levels of assurance that only appropriate information is posted on their publicly accessible Web sites. DoD must require DoD agencies and the Services to remove from public view Web pages that contain information identified as potentially inappropriate in the Joint Web Risk Assessment Cell reports. In addition, DoD must establish a mechanism that adjudicates disagreements between the Joint Web Risk Assessment Cell and Web-site owners on potentially inappropriate disclosures at Web sites. Further, DoD must publish and comply with the standard operating procedures of the Joint Web Risk Assessment Cell for discrepancy reporting and tracking, and maintain an up-to-date database of reported violations.

Management Comments. The Deputy Assistant Secretary of Defense (Security and Information Operations), who responded for the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), nonconcurred with the recommendation to suspend Web pages that contain potentially inappropriate information until resolution. She stated that Web site postings are based on operational security evaluations at the local commander level and that, unless overturned by a higher authority, the local commander's decision is final. The Deputy Assistant Secretary partially concurred with the recommendation to establish a timely adjudication process. The Defense Information Systems Agency concurred with the recommendation to publish the Joint Web Risk Assessment Cell's Standard Operating Procedures for Discrepancy Reporting and Tracking and to establish a database system to track Web risk-assessment activities.

Management Actions. Of the 200 instances of information deemed inappropriate at DoD Web sites, 30 were still available to the general public in May 2002, almost 8 months after the Joint Web Risk Assessment Cell issued its September 2001 report that identified the information. It is evident from the number of occurrences that the review process for determining the appropriateness of data on Web pages has not been fully successful, and that the existing process and procedures for local commanders to address the content of information placed on their Web sites are inadequate. Accordingly, information that may place DoD at an increased risk must be suspended until resolved through an adjudication process.
