March 26, 2013
What We Did
Our objective was to determine whether the Department of the Army had an effective cybersecurity program that identified and mitigated risks surrounding commercial mobile devices (CMDs) and removable media.
Specifically, at the sites visited, we verified whether Army officials appropriately tracked, configured, and sanitized CMDs. Additionally, we determined whether the Army used authorized removable media on its network.
What We Found
The Army Chief Information Officer (CIO) did not implement an effective cybersecurity program for CMDs. Specifically, the Army CIO did not appropriately track CMDs and was unaware of more than 14,000 CMDs used throughout the Army. Additionally, at the sites visited, the Army CIO did not:
- ensure that Commands configured CMDs to protect stored information. The CIOs at United States Military Academy (USMA) and United States Army Corps of Engineers (USACE) Engineer Research and Development Center (ERDC) did not use a mobile device management application to configure all CMDs to protect stored information.
- require CMDs to be properly sanitized. CIOs at USMA and USACE ERDC did not have the capability to remotely wipe data stored on CMDs that were transferred, lost, stolen, or damaged.
- control CMDs used as removable media. The CIOs at USMA and USACE ERDC allowed users to store sensitive data on CMDs that acted as removable media.
- require training and use agreements specific to CMDs. The CIOs at USMA and USACE ERDC did not train CMD users and require users to sign user agreements.
These actions occurred because the Army CIO did not develop clear and comprehensive policy for CMDs purchased under pilot and non-pilot programs. In addition, the Army CIO inappropriately concluded that CMDs were not connecting to Army networks and storing sensitive information. As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data.
What We Recommend
The Army CIO should develop clear and comprehensive policy to include requirements for reporting and tracking all CMDs. In addition, the Army CIO should extend existing information assurance requirements to the use of all CMDs.
Management Comments and Our Response
The Director, Army CIO Cybersecurity Directorate provided comments on behalf of the Army CIO, and agreed with the report recommendations, but the comments on Recommendations 1 and 2 were nonresponsive. We request comments in response to the final report by April 25, 2013.
This report is a result of Project No. D2012-D000LC-0147.000.