Publicly Released: June 8, 2023
Objective
The objective of this audit was to determine whether the DoD’s increased use of collaboration tools to facilitate telework during the coronavirus disease–2019 pandemic exposed DoD networks and systems to potential malicious activity. We also determined the extent to which the DoD implemented security controls and configuration settings to protect DoD networks when using collaboration tools.
Background
Collaboration tools include applications that allow employees to conduct meetings and work together virtually regardless of their physical location. Organizations use collaboration tools to boost productivity and connect users while teleworking. In April 2020, to support increased telework during the pandemic, the DoD Chief Information Officer (CIO) directed DoD Components to use collaboration tools provided by the Defense Information Systems Agency (DISA). If the enterprise tools did not fully meet the needs of DoD Components, the DoD could use alternative tools, or submit a tool to the DoD CIO and U.S. Cyber Command for approval.
Findings
Four of the nine DoD Components that we assessed did not complete required steps outlined in a DoD Instruction before deploying collaboration tools on Component networks. Additionally, network and system administrators for four of the nine DoD Components we assessed did not ensure that all critical configuration settings or cybersecurity controls were implemented to reduce the risk of exposing DoD networks and systems to potential malicious activity.
These issues occurred because DoD Component administrators incorrectly believed that the assessment and authorization performed by the Federal Risk Authorization and Management Program, and provisional authorization to operate issued by DISA, negated the need for the required reciprocity steps and that the configuration controls for the collaboration tools already aligned with the applicable cybersecurity requirements.
Operating collaboration tools without required cybersecurity controls increases the risk that malicious cyber actors could exploit vulnerable configuration settings and cybersecurity controls, compromising information shared using these collaboration tools.
Recommendations
We made 13 recommendations to address the findings in this report. Among other recommendations, we recommend that the DoD CIO issue guidance that specifically states that deploying a collaboration tool with a provisional authorization does not eliminate the need to perform the required cybersecurity reciprocity process. In addition, we recommend that the Components ensure their collaboration tools comply with DoD instructions and configure, or renegotiate changes with the vendor to configure, their tools to meet DoD requirements.
Management Comments and Our Response
Officials from the Defense Finance and Accounting Service, Defense Logistics Agency, and Defense Threat Reduction Agency agreed with the recommendations and described actions planned and taken to resolve or close the recommendations. Comments from the DoD CIO partially addressed the recommendations and the Army Cyber Command did not respond to a recommendation; therefore, the recommendations are unresolved. We request additional comments within 30 days.
This report is a result of Project No. D2022-D000CR-0038.000.