Report | Dec. 3, 2021

Audit of the DoD’s Use of Cybersecurity Reciprocity Within the Risk Management Framework Process (DODIG-2022-041)

Audit

Publicly Released: December 7, 2021


Objective

The objective of this audit was to determine whether DoD Components leveraged cybersecurity reciprocity to reduce redundant test and assessment efforts when authorizing information technology through the Risk Management Framework (RMF) process. This audit was conducted concurrently with audits by the Military Department audit agencies: the U.S. Army Audit Agency (AAA), the Naval Audit Service (NAS), and the Air Force Audit Agency (AFAA).

The AAA, NAS, and AFAA audits focused on the use of reciprocity within their respective Military Departments, whereas our audit focused on the use of reciprocity by a combatant command (U.S. Transportation Command), two Defense agencies (the Defense Health Agency and the Defense Logistics Agency), and a DoD field activity (the Defense Human Resources Activity). Each audit agency conducted its audit and issued its report and recommendations separately. The results of the Military Department audit agencies' audits are summarized in Appendix B.


Background

In March 2014, the DoD began transitioning to a new approach for authorizing the operation of its information systems, known as the RMF process. The RMF process is a disciplined and structured process that integrates system security and risk management activities into the system development life cycle. One benefit of the RMF process is the ability to leverage reciprocity, which reduces the time and resources spent on redundant tests, assessments, and documentation.

Reciprocity is an agreement to accept and reuse another organization's (internal or external to the DoD) security assessments, sharing assessment information and thereby reducing the time and resources needed to authorize information technology systems to operate on the DoD Information Network. The DoD Chief Information Officer (CIO) requires DoD Components to leverage reciprocity when authorizing systems through the RMF process. Leveraging reciprocity enables the DoD to deliver secure systems to DoD Components more rapidly, while reducing process inefficiencies and system authorization costs. For this report, we determined whether DoD Components leveraged reciprocity by reviewing whether they were:

  • making systems and authorization documentation available to other DoD Components in the DoD’s RMF compliance tool (Enterprise Mission Assurance Support Service);
  • appointing reciprocity users who can review existing system authorization documentation across all DoD versions of the Enterprise Mission Assurance Support Service (eMASS); and
  • identifying and authorizing common controls to be used by all systems within the component.


Finding

The U.S. Transportation Command and the Defense Health Agency (DHA) leveraged reciprocity while authorizing their systems through the RMF process; however, the Defense Logistics Agency (DLA) and Defense Human Resources Activity (DHRA) did not. Specifically:

  • DLA cybersecurity officials did not make their systems and authorization documentation available in eMASS for reciprocity across the DoD. In addition, DLA cybersecurity officials did not appoint eMASS reciprocity users to obtain and review existing systems and authorization documentation. This occurred because they concluded that their systems had unique missions and were relevant only to DLA personnel. Therefore, DLA cybersecurity officials incorrectly determined that their systems were not subject to DoD reciprocity requirements.
  • DLA cybersecurity officials did not authorize all Tier 2 common controls to be used by DLA systems because they did not consider the DoD's RMF and reciprocity policy and implementation guidance to be a priority.
  • DHRA cybersecurity officials also did not appoint reciprocity users to obtain and review existing systems and authorization documentation, nor did they identify and authorize all Tier 2 common controls to be used by DHRA systems. This occurred because the DHRA was undergoing a reorganization, and the DHRA Director had not yet assigned and documented cybersecurity roles and responsibilities for implementing RMF and reciprocity requirements.

In addition, the DoD CIO did not implement processes necessary to oversee DoD Components’ compliance with DoD reciprocity guidance. Instead, the DoD CIO relied on DoD Components to manage the system authorization process and use reciprocity to maximize the reuse of testing and assessments results developed during prior system authorizations.

The DoD’s requirement to leverage reciprocity enables the DoD to deliver secure systems to DoD Components more rapidly while reducing process inefficiencies and system authorization costs. Unless DoD Components fully leverage RMF reciprocity, the associated benefits, including cost savings, may not be fully realized. [REDACTED]

The DoD could achieve even greater cost savings and efficiencies if all DoD Components maximized the use of reciprocity when authorizing their systems through RMF. DoD Components can increase reciprocity by making systems and authorization documentation available to other DoD Components in eMASS, appointing eMASS reciprocity users, and identifying and authorizing common controls.


Management Actions Taken

During the audit, DLA and DHRA cybersecurity officials took corrective actions to leverage reciprocity when authorizing systems through the RMF process. On April 14, 2021, DLA cybersecurity officials [REDACTED] and authorization documentation available in eMASS. In addition, on April 21, 2020, DLA cybersecurity officials issued a reciprocity memorandum appointing three reciprocity users, and on January 8, 2021, the DLA Authorizing Official granted an authorization to operate for the DLA Tier 2 common controls package.

On September 14, 2020, a DHRA cybersecurity official issued a reciprocity memorandum appointing eight reciprocity users. Additionally, on May 14, 2021, the DHRA Authorizing Official granted an authorization to operate for the DHRA Tier 2 common controls package. Furthermore, DHRA cybersecurity officials developed six standard operating procedures defining roles and responsibilities, and steps necessary to authorize the DHRA systems through the RMF process.

We consider the actions taken by DLA and DHRA cybersecurity officials to have addressed the issues identified during this audit. Therefore, this report does not include recommendations for the DLA and DHRA.


Recommendations

We recommend that the DoD CIO:

  • update the eMASS system registration process, in coordination with the eMASS Program Manager, to require DoD Component system program managers to select a valid justification for exemption when a system is not made available for reciprocity use;
  • revise existing guidance or issue new guidance that requires system program managers to certify that reciprocity was considered before authorizing and reauthorizing systems; and
  • review the AAA, NAS, and AFAA reports on reciprocity, and discuss findings and actions taken by each Military Service at an RMF Technical Advisory Group meeting.

Management Comments and Our Response

The Principal Director to the Deputy CIO for Resources and Analysis, Performing the Duties of the DoD CIO, agreed with the recommendations. We will close the recommendations once we verify that the agreed-upon actions are complete.


This report is the result of Proj. No. D2018-D000CS-0199.000.