An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

Report | Nov. 30, 2022

Management Advisory: The DoD’s Compliance with Privacy Act Training Requirements Pursuant to the Federal Information Security Modernization Act of 2014 (DODIG-2023-033)


Publicly Released: December 1, 2022

The purpose of this management advisory is to provide DoD leadership with a DoD Office of Inspector General (DoD OIG) finding and recommendation specific to requirements in the Federal Information Security Modernization Act of 2014 (FISMA) relating to training on the Privacy Act of 1974, as amended (Privacy Act). We identified this finding during our FY 2021 review of the DoD’s compliance with FISMA (Project No. D2021‑D000CP‑0034.000), which we announced on November 18, 2020. We conducted the work on this project with integrity, objectivity, and independence, as required by the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Federal Offices of Inspector General.

FISMA requires Federal agencies to develop, document, and implement an agency‑wide program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, a contractor, or other sources. FISMA also requires Federal agency Inspectors General (IGs), or an independent external auditor designated by that IG, to conduct an annual independent review on the effectiveness of the agency’s information security program and practices. IGs must submit their annual results to the Office of Management and Budget and the Department of Homeland Security.

As part of our FY 2021 independent review, we assessed selected portions of the DoD’s Privacy Act training program and practices. We submitted the results of the overall effectiveness of the DoD’s information security program and practices to the Office of Management and Budget and the Department of Homeland Security on October 28, 2021. We are issuing this advisory to report the results specific to DoD privacy training and to issue a recommendation for corrective action.

We provided a draft copy of this management advisory to DoD management and requested written comments on the recommendation. We considered management’s comments on the draft when preparing the final advisory. These comments are included in the management advisory.

This management advisory contains one recommendation that we considered resolved. Therefore, as discussed in the Recommendation, Management Comments, and Our Response section, the recommendation remains open until documentation is submitted showing that the agreed‑upon actions are complete. Once we verify that the actions are complete, we will close the recommendation.