Published on Security Management (http://www.securitymanagement.com)
Contracting Computer Troubles
By Peter Piazza
July 2004



    
Issue: July 2004 [1]

Security is only as strong as the weakest link in the chain, so even organizations with the most well-thought-out security programs can be jeopardized if their partners' security practices are lax. This is true of the Department of Defense as well: its Defense Security Service, which monitors the information-security programs of more than 11,000 contractors, "cannot identify systemic vulnerabilities and make corrective changes to reduce the risk of information compromise" from contractors.

So concludes the General Accounting Office (GAO) in a recent Senate-requested review titled DOD Cannot Provide Adequate Assurances That Its Oversight Ensures the Protection of Classified Information. The report notes that when a contractor notifies DSS of a possible compromise of classified information, DSS is supposed to determine if the compromise did indeed occur "and to notify the affected government agency so it can assess any damage" and work to mitigate the effects of the compromise. The GAO analyzed 93 reported incidents and found that in 39 cases, "DSS made no determinations regarding the compromise," and in many of the other cases its determinations "were not consistent with established criteria."

Not so, says Carol A. Haave, deputy under secretary of defense, counterintelligence and security, who wrote a response excoriating the auditors for not understanding the DSS's "oversight role or how they perform their oversight mission." Haave calls the report "a disservice to personnel in industry and government who oversee the protection of classified information," and, she concludes, it "is misleading to Congress."

The GAO report, which includes Haave's response, is at SM Online.

Related Resources: Gao04332_Computer0704.pdf [2] (452.53 KB)


Source URL: http://www.securitymanagement.com/article/contracting-computer-troubles-0

Links:
[1] http://www.securitymanagement.com/magazine/2004/07
[2] http://www.securitymanagement.com/sites/securitymanagement.com/files/Gao04332_Computer0704_0.pdf