What GAO Found
The Department of Defense (DOD) has reported implementing more than 70 percent of four selected cybersecurity requirements for controlled unclassified information (CUI) systems, based on GAO's review of DOD reports (including a June 2021 report to Congress) and data from DOD's risk management tools. These selected requirements include (1) categorizing the impact of loss of confidentiality, integrity, and availability of individual systems as low, moderate, or high; (2) implementing specific controls based in part on the level of system impact; and (3) authorizing these systems to operate. As of January 2022, the extent of implementation varied for each of the four requirement areas. For example, implementation ranged from 70 to 79 percent for the cybersecurity maturity model certification program DOD established in 2020, whereas it was about 90 percent for authorization of systems to operate (see table).
Implementation of Selected Requirements for DOD Controlled Unclassified Information Systems, as of January 2022
Table note a: DOD is not required to implement all 266 security controls. In some cases, a particular security control might not be applicable to a particular system because of its function. Also, there are some systems for which the authorizing officials may need to implement security controls in addition to the 266 identified as moderate-impact for confidentiality, because of the type of information that is stored or transmitted in that system.
As the official responsible for department-wide cybersecurity of CUI systems, the DOD Office of the Chief Information Officer (CIO) has taken recent action to address this area. Specifically, in October 2021 the CIO issued a memorandum on implementing controls for CUI systems. The memo established or reiterated requirements that CUI systems must meet. These included requiring additional supply chain security controls and reiterating that all CUI systems must have valid authorizations to operate. In addition, the CIO reminded system owners of the March 2022 deadline for all DOD CUI systems to implement required controls and other requirements. The Office of the CIO has been monitoring DOD components' progress in meeting this deadline.
Why GAO Did This Study
DOD computer systems contain vast amounts of sensitive information, including CUI that can be vulnerable to cyber incidents. In 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers resulted in an 11-day shutdown while cyber experts rebuilt the network. This affected the work of about 4,000 military and civilian personnel.
In response to Section 1742 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, in June 2021 DOD submitted a report to the Congress on cybersecurity of CUI. The report discussed the extent to which DOD had implemented selected cybersecurity requirements across the department. The act included a provision for GAO to review DOD's report, and GAO has continued to monitor the department's subsequent progress.
This report describes (1) the status of DOD components' implementation of selected CUI cybersecurity requirements and (2) actions taken by the DOD CIO to address the security of CUI systems.
GAO's review focused on the department's approximately 2,900 CUI systems. GAO examined relevant CUI cybersecurity requirements and data from DOD information technology tools. GAO also analyzed documentation such as relevant DOD cybersecurity policies and guidance on monitoring the implementation of cybersecurity requirements, and interviewed DOD officials.
DOD provided technical comments on a draft of this report, which GAO incorporated as appropriate.