
News | May 21, 2024

Press Release: Management Advisory: The DoD’s FY 2023 Compliance with the Federal Information Security Modernization Act of 2014 (Report No. DODIG-2024-084)

Inspector General Robert P. Storch announced today that the Department of Defense Office of Inspector General released the “Management Advisory: The DoD’s FY 2023 Compliance with the Federal Information Security Modernization Act of 2014.”

The management advisory focuses on the DoD’s compliance with the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires that senior agency officials provide for the security of the information and information systems that support the operations and assets under their control, including assessing the risk and magnitude of the harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems.

“While the DoD generally had policies and procedures in place for the six Inspector General-assessed Federal Information Security Modernization Act metrics, there were significant gaps in compliance with applicable Federal and DoD guidance,” said IG Storch. “Ensuring the consistent implementation of cybersecurity policies is vital for an effective cybersecurity program, as it mitigates the risk of successful cyberattacks, data breaches, and unauthorized disclosures of sensitive information.”

The DoD OIG found that the DoD generally had policies and procedures related to information security in the areas of supply chain risk management, data protection and privacy, and contingency planning; however, the DoD did not consistently comply with National Institute of Standards and Technology (NIST) or DoD guidance when implementing those policies and procedures. The DoD OIG also identified that the DoD Chief Information Officer (CIO) had not fully implemented the DoD’s cybersecurity policies and procedures to reflect updates outlined in the current NIST guidance. Instead, the DoD Office of the CIO plans to require DoD Components to implement NIST updates in phases. As a result, the DoD will not fully implement the updated NIST requirements until 2026, six years after NIST issued the revision.

The DoD OIG made 12 recommendations to the DoD CIO, including to develop and implement a DoD-wide supply chain risk management strategy; ensure that DoD Components conduct privacy impact assessments, business impact analyses, and information system contingency plan testing; and establish a process to incorporate future NIST guidance revisions into the DoD’s cybersecurity-related policies and procedures in a timely manner.

The DoD OIG will continue to monitor the DoD CIO’s progress toward fully implementing the recommendations, as we provide continuous oversight in this critical area.