GAO: Defense Department Isn’t Doing Enough to Protect Sensitive Information


Federal cybersecurity has been on the Government Accountability Office’s High Risk list since 1997.

Defense Department IT systems were not fully compliant in any of four major cybersecurity requirement areas for controlled unclassified information systems as of January 2022, according to an audit released May 19 by the Government Accountability Office.

Controlled unclassified information, or CUI, is less sensitive than secret or top-secret classified information, but still contains data—like personally identifiable information or business practices—that could be detrimental if disclosed publicly. DOD mandates full cybersecurity requirement implementation for components, but implementation rates generally ranged from 70% to 90%. DOD operates approximately 2,900 CUI systems across its enterprise.

“We analyzed DOD's data and found that while the DOD components have taken actions to implement cybersecurity requirements for CUI systems, none of the components were fully compliant,” the audit states. “DOD requires 100% compliance.”

The audit examined implementation rates across four DOD CUI requirement areas. Implementation ranged from 70-79% for DOD’s Cybersecurity Maturity Model Certification program, established in 2020; from 80-89% for categorizing DOD CUI systems accurately; from 80-89% for implementing the 266 controls required for moderate confidential impact systems; and 90% or more for authorizing systems to operate on DOD networks.

Auditors noted that the DOD Office of the Chief Information Officer, the office responsible for department-wide cybersecurity of CUI systems, has taken action to address these areas. In October 2021, DOD OCIO issued a memo reiterating the requirements CUI systems must meet, and included new requirements on supply chain security controls. The DOD OCIO issued a follow-up memorandum in March 2022 reminding officials to implement those controls.