Evaluation of DoD Policy and Oversight Reports Related to Using Non–DoD-Controlled Electronic Messaging Systems to Conduct Official Business (Report No. DODIG-2026-022)
What We Did:
The objective of this evaluation was to summarize DoD policies and previous DoD Office of Inspector General oversight reports published from March 2021 through October 2024 related to the use of unclassified networks and non–DoD-controlled electronic messaging systems to discuss sensitive and classified information.
What We Found:
We found that DoD policy provides specific processes and procedures for classifying, declassifying, and protecting controlled and classified information. Specifically, DoD policy: (1) requires declassification markings and instructions and identification of who authorized the declassification of classified information; (2) prohibits the use of non–DoD-controlled electronic messaging systems, with limited exceptions, and directly prohibits using them for convenience or because of perceived security; (3) requires DoD personnel to protect nonpublic DoD information; and (4) requires DoD personnel to comply with Federal law to retain official records.
What We Recommend:
Recommendation 1
We recommend that the DoD Chief Information Officer:
a. (U) Source and maintain DoD-controlled capabilities that meet the DoD’s operational needs to share information across the DoD and U.S. Government and with foreign partners. The capabilities should include the ability to communicate on DoD-approved and non-DoD personnel mobile devices, collaborate in group environments, and share unclassified, controlled, and classified information; have a user-friendly interface; and comply with DoD and government-wide requirements to protect information and preserve official records.
b. (U) Establish and implement, in coordination with the Under Secretary of Defense for Intelligence and Security and Director of Administration and Management, a training requirement in DoD policy for DoD political appointees, general officers, flag officers, and members of the Senior Executive Service to take tailored training with a knowledge assessment that addresses the unique needs of senior leaders and includes the content areas spelled out in DODIG-2023-041 Recommendation 2.d and its sub-elements.
c. (U) Clearly define the criteria, process, and personnel authorized to grant a waiver to the DoD’s prohibition against using non–DoD-controlled electronic messaging services to conduct official business in DoD Instruction 8170.01, “Online Information Management and Electronic Messaging,” and related policies.
d. (U) Update the annual DoD-wide cyber training to include information about the impacts of unauthorized disclosures on non-government applications and risks of using non–DoD-controlled electronic messaging services.
Recommendation 2
We recommend that the Under Secretary of Defense for Intelligence and Security:
a. Conduct an Office of the Secretary of Defense- and DoD-wide assessment to identify the extent of DoD personnel using non–DoD-controlled electronic messaging services to conduct official business and associated risks.
b. Provide the findings and any recommendations of the assessment in Recommendation 2.a to the DoD Chief Information Officer to help inform the requirements for the capability described in Recommendation 1.a.