Publicly Released: March 31, 2021
Objective
The objective of this audit was to determine whether DoD Components maintained network protections during the coronavirus disease–2019 (COVID‑19) pandemic while the DoD workforce maximized the use of telework capabilities to ensure the continuity of DoD operations.
Background
On March 11, 2020, the World Health Organization characterized the COVID‑19 outbreak as a pandemic. In response to the COVID‑19 pandemic, on March 27, 2020, the Secretary of Defense directed DoD Components to maximize telework to ensure the continuity of DoD operations. Most teleworkers remotely access agency networks using computing devices, such as laptops, tablets, and desktop computers from external locations other than the employee’s official worksite. Telework and remote access solutions must provide confidentiality, integrity, and availability of DoD data on an organization’s networks. DoD personnel can gain access to their organization’s network using approved technologies, such as a virtual private network (VPN) or a virtual desktop infrastructure.
In March 2020, the DoD established the DoD Telework Readiness Task Force, led by the DoD Chief Information Officer (CIO), to ensure DoD networks remain telework‑ready and secure to support DoD missions during the maximum telework period. The Task Force issued memorandums to DoD Components that provided best practices for ensuring cybersecurity when teleworking, such as guidance for maintaining the cybersecurity of DoD networks and using capabilities on DoD‑issued laptops to maximize the telework environment.
Finding
The DoD Components we assessed did not consistently implement required cybersecurity controls to protect DoD networks during maximum telework. Specifically,
- Army, Navy, and Air Force personnel teleworked without approved telework agreements or required telework training because, according to Component officials, some supervisors were unaware of the supervisor responsibilities for telework or were overwhelmed with other duties during the COVID‑19 pandemic.
Telework and remote access technologies require additional protection from malicious cyber actors because they are more exposed to external threats than technologies accessed by personnel physically located inside the organization’s facilities. Because the DoD Components that we assessed did not fully implement the security controls for maintaining cybersecurity in a maximum telework environment that are outlined in National Institute of Standards and Technology and DoD policies and guidance, DoD Components are at a higher risk of becoming victims of cyber attacks that could threaten the safety of the warfighter and the security of the United States.
Recommendations
Among other recommendations, we recommend that the DoD CIO:
- direct the Defense Information Systems Agency to review the VPN Security Requirements Guide and add specific language, and
- direct the DoD Deputy CIO for Information Enterprise to implement security controls.
In addition, we recommend that the CIOs for:
- the Air Force develop and implement a plan; and
- the Navy direct the Commander, U.S. Fleet Cyber Command to identify mitigating efforts for preventing malicious cyber actors from exploiting inactive user accounts.
Management Comments and Our Response
The DoD CIO disagreed with the recommendation to revise the VPN Security Requirements Guide, stating that the Defense Information Systems Agency (DISA) concluded that adding language could have a negative impact on the organizations within the DoD. However, the DoD CIO did not provide additional information. Therefore, we cannot conclude that it would, in fact, have a negative impact on DoD Components. The DoD CIO should provide additional comments describing how DISA determined that adding specific language to the VPN Security Requirements Guide could negatively impact organizations within the DoD.
The Commander, U.S. Fleet Cyber Command, reconsidered his decision with regard to Navy and Defense Information Systems Agency policies. Therefore, the recommendation is resolved but will remain open until the Commander provides documentation showing that network administrators configured group policies to disable or remove user accounts after inactivity.
Although the Navy CIO agreed to identify the mitigating efforts for preventing malicious cyber actors from exploiting inactive user accounts, he did not identify the actions that the Commander, U.S. Fleet Cyber Command, would take to prevent the exploitation of inactive user accounts. Therefore, the recommendation is unresolved. The Navy CIO should provide additional comments describing how he will implement the recommendation.
The Air Force CIO agreed to develop, implement, and enforce a plan. The recommendation is resolved but will remain open until the Air Force CIO provides documentation showing that Air Force policies include a specific requirement.
This report is a result of Project No. D2020-D000CR-0119.000.