An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

Report | Jan. 12, 2023

Evaluation of Cybersecurity Controls on the DoD’s Secure Unclassified Network (DODIG-2023-044)

Evaluations

Publicly Released: January 17, 2023

Objective

The objective of this evaluation was to determine whether the DoD developed, implemented, maintained, and updated security and governance controls to protect the Secure Unclassified Network (SUNet), and the data and technologies that reside on it, from internal and external threats.

Background

SUNet is a secure unclassified DoD system. The Irregular Warfare Technical Support Directorate (IWTSD), under the Assistant Secretary of Defense (Special Operations and Low-Intensity Conflict), developed SUNet to address the DoD’s need for a secure unclassified information platform to support rapid innovation; research, development, testing, and evaluation; combined operational missions; and information sharing between mission partners. Although the IWTSD owns and accredits SUNet, a private contractor manages the system.

SUNet allows the DoD, other U.S. Government agencies, and their partners, including academia, research, and foreign partners, to communicate, share, analyze, and disseminate information in near-real-time.

Finding

We found that the IWTSD reviewed and assessed SUNet cybersecurity controls in accordance with Risk Management Framework requirements and the Authority to Operate renewal process. However, the IWTSD was unable to directly monitor, manage, or prioritize the execution of SUNet cybersecurity and information activities.

In addition, SUNet did not have dedicated programmatic funding to support enterprise requirements, and there was no designated entity obligated to fund enterprise requirements or budget shortfalls. Instead, SUNet relied on just‑in‑time funding from mission partners to continue operations. Furthermore, the contractor-designed funding model did not fully cover enterprise requirements or costs.

Recommendations

We made recommendations for the Executive Director of the Army Contracting Command (ACC), Aberdeen Proving Ground, Adelphi Contracting Division, along with the requiring activities, to conduct a review of the PWS to determine whether it should be revised; to clarify how enterprise funding needs are determined and applied to SUNet; and to determine whether a representative from the IWTSD should serve as an assistant or alternate COR on the SUNet infrastructure contract.

Management Comments and Our Response

After reviewing management comments, we revised and redirected one recommendation. Three recommendations, made to the Assistant Secretary of Defense (Special Operations and Low-Intensity Conflict), the Director of the ARL, and the Executive Director of the ACC, are resolved but open. We will close these recommendations when we receive and review supporting documentation for actions taken and the results of the planned reviews. The Under Secretary of Defense (Comptroller)/Chief Financial Officer did not respond to the recommendation made to that office in the report. Therefore, the recommendation is unresolved. We request that the Under Secretary provide comments on the final report.