Defense Cybersecurity: Protecting Controlled Unclassified Information Systems



What GAO found

The Department of Defense (DOD) has reportedly implemented more than 70 percent of four selected cybersecurity requirements for controlled unclassified information (CUI) systems, based on GAO's analysis of DOD reports (including a June 2021 report to Congress) and data from DOD risk management tools. These selected requirements include (1) categorizing the impact of loss of confidentiality, integrity, and availability of individual systems as low, moderate, or high; (2) implementing specific controls based in part on the level of impact of the system; and (3) authorizing these systems to operate. As of January 2022, the extent of implementation varied for each of the four requirement areas. For example, implementation ranged from 70 to 79 percent for the Cybersecurity Maturity Model Certification program established by DOD in 2020, while it was over 90 percent for authorization of systems to operate (see table).

Implementation of selected requirements for DOD controlled unclassified information (CUI) systems, as of January 2022


a. DOD does not need to implement all 266 security controls. In some cases, a specific security control may not be applicable to a particular system because of its function. There are also some systems for which authorizing officials may need to implement security controls in addition to the 266 identified as moderate impact for confidentiality, because of the type of information that is stored in or transmitted by the system.

As the office responsible for the cybersecurity of CUI systems across the department, the Office of the DOD Chief Information Officer (CIO) has taken recent action to address this area. Specifically, in October 2021 the CIO issued a memorandum on the implementation of controls for CUI systems. The memorandum identified or reiterated the requirements that CUI systems must meet. These include requiring additional supply chain security controls and reiterating that all CUI systems must have valid authorizations to operate. In addition, the CIO reminded system owners of the March 2022 deadline for all DOD CUI systems to implement the necessary controls and other requirements. The CIO's office has been monitoring the progress of the DOD components in meeting this deadline.

Why GAO did this study

DOD computer systems contain large amounts of sensitive data, including CUI, which can be vulnerable to cyber incidents. In 2015, a phishing attack on the unclassified e-mail servers of the Joint Chiefs of Staff caused an 11-day shutdown while cyber experts rebuilt the network. This affected the work of some 4,000 military and civilian personnel.

In response to section 1742 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, DOD submitted a report to Congress on CUI cybersecurity in June 2021. The report discussed the extent to which DOD had implemented selected cybersecurity requirements across the department. The act included a provision for GAO to review the DOD report, and GAO has continued to monitor the department’s subsequent progress.

This report describes (1) the status of DOD components' implementation of the selected CUI cybersecurity requirements; and (2) actions taken by the DOD CIO to address the security of CUI systems.

The GAO review focused on the department’s approximately 2,900 CUI systems. GAO examined the cybersecurity requirements and relevant CUI data from DOD information technology tools. In addition, GAO reviewed documentation such as relevant DOD cybersecurity policies and guidelines on monitoring the implementation of cybersecurity requirements, and interviewed DOD officials.

DOD provided technical feedback on a draft of this report, which GAO incorporated as appropriate.

For more information, contact Joseph Kirschbaum at (202) 512-9971 or kirschbaumj@gao.gov or Jennifer R. Franks at franksj@gao.gov or (404) 679-1831.




