Publicly Released: March 28, 2023
The objective of this audit was to determine the actions taken by the DoD to configure remote access software used to facilitate telework during the coronavirus disease–2019 (COVID-19) pandemic to protect DoD networks and systems from potential malicious activity. We also determined the extent to which the DoD implemented security controls to protect remote connections to its networks.
Remote access software allows personnel to access a computer or network from a geographical distance through an external network connection, such as the Internet. To facilitate telework, DoD personnel gained access to their organization’s networks using approved remote access software.
DoD policies require DoD Components to configure remote access software consistent with Federal and DoD cybersecurity policies, standards, and security controls. In addition, the Defense Information Systems Agency (DISA) publishes Security Requirement Guides and Security Technical Implementation Guides that provide guidance for configuring remote access software.
Network and system administrators for 7 of the 10 DoD Components that we assessed did not always implement all critical configuration settings and cybersecurity controls to reduce the risk of exposing DoD networks and systems to potential malicious activity.
If DoD Components do not consistently configure remote access software in accordance with Federal and DoD cybersecurity policies, standards, and security controls, malicious cyber actors could exploit vulnerable configuration settings and compromise the confidentiality, integrity, and availability of DoD networks, systems, and data. It is important that officials responsible for authorizing the use of remote access software on DoD Component networks document an assessment of the impact to DoD employees, assets, and missions when DoD Components deviate from security requirements.
Among other recommendations, we recommend that the Component Directors and Chief Information Officers implement the configuration controls identified in the report or formally accept the risks of not implementing the configuration settings. In addition, we recommend that the DISA Joint Service Provider Director direct network and system administrators to include mitigation timeframes for all vulnerabilities and develop plans of actions and milestones for all vulnerabilities not mitigated in a timely manner.
Management Comments and Our Response
Officials from the Marine Corps, Department of the Navy, U.S. Southern Command, and Defense Intelligence Agency agreed with the recommendations and described actions planned and taken to resolve or close the recommendations. Comments from the Deputy Chief Information Officer for the Air Force and the Chief of the DISA Joint Service Provider Cyber Security Center partially addressed the specifics of the recommendations; therefore, we request additional comments from them within 30 days on the final report.
This report is a result of Project No. D2022-D000CR-0043.000.