Many of the Department of Defense’s (DOD) computer systems contain sensitive information that is unclassified but must be protected from public disclosure—known as Controlled Unclassified Information (CUI). CUI can be vulnerable to cyber attacks.
In 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers resulted in an 11-day shutdown while cyber experts rebuilt the network. This affected the work of roughly 4,000 military and civilian personnel.
The Government Accountability Office (GAO) recently analyzed DOD’s data and found that while the DOD components have taken actions to implement cybersecurity requirements for CUI systems, none of the components were fully compliant.
DOD has reported implementing more than 70 percent of four selected cybersecurity requirements for CUI systems, based on GAO’s analysis of DOD reports (including a June 2021 report to Congress) and data from DOD’s risk management tools. These selected requirements include categorizing the impact of loss of confidentiality, integrity, and availability of individual systems as low, moderate, or high; implementing specific controls based in part on the level of system impact; and authorizing these systems to operate.
GAO found that as of January 2022, the extent of implementation varied for each of the four requirement areas. For example, implementation ranged from 70 to 79 percent for the cybersecurity maturity model certification program DOD established in 2020, whereas it was over 90 percent for authorization of systems to operate.
DOD is not required to implement all 266 security controls. In some cases, a specific security control may not be applicable to a particular system due to its function. Also, there are some systems for which the authorizing officials may need to implement security controls that are in addition to the 266 identified as moderate-impact for confidentiality because of the type of information that is stored or transmitted in that system.
As the official responsible for department-wide cybersecurity of CUI systems, the DOD Office of the Chief Information Officer (CIO) has taken recent action to address this area. Specifically, in October 2021 the CIO issued a memorandum on implementing controls for CUI systems. The memo identified or reiterated requirements that CUI systems must meet. These included requiring additional supply chain security controls and reiterating that all CUI systems have valid authorizations to operate. In addition, the CIO reminded system owners of the March 2022 deadline for all DOD CUI systems to implement necessary controls and other requirements. The Office of the CIO has been monitoring DOD components’ progress in meeting this deadline.