Monitoring and Funding Concerns Could Undermine DOD’s Secure Unclassified Network, IG Says

A lack of streamlined oversight controls and funding needed to monitor and manage cybersecurity activities across the Department of Defense’s Secure Unclassified Network—or SUNet—could undermine the system’s overall effectiveness, according to a report publicly released by the agency’s Office of Inspector General on Jan. 12. 

The unclassified OIG report, which is partially redacted, reviewed the security and privacy controls surrounding SUNet, which it referred to as “an unclassified, secure information platform that allows the user to communicate, analyze and share information between defense, interagency and foreign partners.”

OIG said it conducted the evaluation “to determine whether the DOD developed, implemented, maintained and updated security and governance controls to protect the Secure Unclassified Network, and the data and technologies that reside on it, from internal and external threats.”

The report said that the Irregular Warfare Technical Support Directorate, or IWTSD—which developed SUNet and is tasked with identifying and developing capabilities that DOD can use to conduct irregular warfare activities—”reviewed and assessed the DOD’s Secure Unclassified Network cybersecurity controls, in accordance with the Risk Management Framework requirements and the Authority to Operate renewal process,” but that the directorate “was unable to directly monitor and manage the execution of cybersecurity and information activities.” 

The report noted that a private contractor manages SUNet, while the IWTSD is responsible for owning and accrediting the system. OIG said that, because of the contractor’s role in managing SUNet, the directorate “had limited ability to ensure that the contractor prioritized cybersecurity activities,” and was not responsible for directly managing or monitoring the system’s cybersecurity activities. OIG said this was further exacerbated by the fact that the contracting officer’s representative was responsible for “direct monitoring of contractor performance.” 

Additionally, OIG said that the “inability to prioritize cybersecurity activities, lack of direct monitoring and funding shortfalls” presented additional monitoring concerns. The lack of funding needed to enforce security and privacy controls for SUNet, in particular, was cited in the report as a particular source of concern when it came to the overall viability of the system. The majority of the report’s section on the system’s funding was redacted, although OIG noted that SUNet relied, in part, “on just-in-time funding from mission partners to continue operations, which included Coronavirus Aid, Relief and Economic Security (CARES) Act funds.”

“Without secure funding for the enterprise requirements and full support for [Authority to Operate] requirements and maintenance, SUNet and the mission-essential activities that are enabled by SUNet are at risk of termination due to non-compliance with cybersecurity requirements,” the report warned. 

OIG offered four recommendations in the report, including that DOD conduct a review to determine whether the contract with the vendor overseeing SUNet “should be revised to clearly support the Secure Unclassified Network’s cybersecurity requirements and authority to operate.” 

Additionally, the report called for a review to determine whether an IWTSD representative or similar official “should be the assistant or alternate contracting officer’s representative on the SUNet infrastructure contract,” and a review to determine whether CARES Act funds were used appropriately to support the system. OIG also asked DOD to review “the long-term strategy for the management, resourcing and oversight of the Secure Unclassified Network.”

OIG said it considered three of its recommendations resolved, but added that the recommendation to review the use of CARES Act funds to support SUNet remained open.