Publicly Released: July 31, 2023
The objective of this audit was to determine whether the DoD managed and accounted for the Public Key Infrastructure (PKI) tokens used to access the Secret Internet Protocol Router Network (SIPRNet) in accordance with Federal and DoD Guidance. We performed this audit in response to a request from the Acting Director of Operational Test and Evaluation (DOT&E) and to address the allegation submitted to the DoD Hotline.
The DoD PKI refers to the framework and services needed to issue, maintain, and revoke public key certificates. A public key certificate is a trusted digital identity used to identify users and devices when communicating over networks, and it is typically encoded on a token. In 1999, the National Security Agency was assigned Program Management Office (PMO) responsibilities for the DoD PKI Program. Since December 2012, the DoD has used SIPRNet tokens to access the SIPRNet. The DoD uses two SIPRNet tokens—SafeNet and Second Source Tokens—that support similar functionality but are produced by different manufacturers. The DoD PKI PMO manages SafeNet token orders while the Defense Manpower Data Center (DMDC) manages Second Source Token orders for DoD Components. DoD Components are responsible for managing SIPRNet tokens throughout their life cycle once they receive them.
Before April 2022, DoD PKI PMO and DMDC officials did not effectively manage orders, storage, or delivery of SIPRNet tokens, resulting in inaccurate token inventories. DoD PKI PMO and DMDC officials did not have accountability of SIPRNet tokens because inventory procedures were ineffective or nonexistent. However, in March and April 2022, the DoD PKI PMO implemented additional controls over the token ordering, storage, and delivery processes and a quarterly reconciliation process to improve accountability of SIPRNet tokens.
In addition, the DMDC did not have financial records, such as invoices and Military Interdepartmental Purchase Requests, to support any SIPRNet token purchases made in 2017, and it could only partially support token purchases made during 2018 through 2020. However, the DMDC provided financial records supporting all token purchases made in 2021.
The DMDC did not maintain complete financial records because the DMDC personnel responsible for SIPRNet token orders did not have a repository to which they could transfer information or upload documents. In November 2022, the DMDC updated its procedures to require DMDC personnel to store all financial records for SIPRNet token orders in a central repository. However, DMDC officials began working with DoD Components to collect and store financial documentation to support FY 2021 token purchases while updating the November 2022 procedures.
Inaccurate token inventories resulted in the DoD Components purchasing tokens that they may not have needed. Implementing more stringent controls for managing SIPRNet tokens and maintaining accurate financial records, such as those implemented by the DoD PKI PMO and the DMDC during our audit, improve accountability, enable the DoD to trace tokens to specific purchases, reduce unnecessary expenditures for tokens that may not be needed, and improve financial reporting.
Because the DoD PKI PMO and the DMDC took corrective actions during the audit, we did not make recommendations in this report.
This report is a result of Project No. D2022-D000CS-0120.000.