In March 2020, the DoD established the DoD Telework Readiness Task Force, led by the DoD Chief Information Officer (CIO), to ensure DoD networks remain telework‑ready and secure to support DoD missions during the maximum telework period. The Task Force issued memorandums to DoD Components that provided best practices for ensuring cybersecurity when teleworking, such as guidance for maintaining the cybersecurity of DoD networks and using capabilities on DoD‑issued laptops to maximize the telework environment.
The DoD Components that the Office of Inspector General (OIG) assessed did not consistently implement the cybersecurity controls required to protect DoD networks during maximum telework. Specifically,
- Army, Navy, and Air Force personnel teleworked without approved telework agreements or required telework training because, according to Component officials, some supervisors were unaware of the supervisor responsibilities for telework or were overwhelmed with other duties during the COVID‑19 pandemic.
Telework and remote access technologies require additional protection from malicious cyber actors because they are more exposed to external threats than technologies accessed by personnel physically located inside the organization's facilities. Because the DoD Components that the OIG assessed did not fully implement the security controls for maintaining cybersecurity in a maximum telework environment, as outlined in National Institute of Standards and Technology (NIST) and DoD policies and guidance, DoD Components are at higher risk of becoming victims of cyber attacks that could threaten the safety of the warfighter and the security of the United States.
Among other recommendations, the OIG recommends that the DoD CIO:
- direct the Defense Information Systems Agency to review the VPN Security Requirements Guide and add specific language, and
- direct the DoD Deputy CIO for Information Enterprise to implement security controls.
In addition, the OIG recommends that the CIOs for:
- the Air Force develop and implement a plan; and
- the Navy direct the Commander, U.S. Fleet Cyber Command to identify mitigating efforts for preventing malicious cyber actors from exploiting inactive user accounts.
Management Comments and Our Response
The DoD CIO disagreed with the recommendation to revise the VPN Security Requirements Guide, stating that DISA concluded that adding language could have a negative impact on organizations within the DoD. However, the DoD CIO did not provide additional information, so the OIG cannot conclude that it would, in fact, have a negative impact on DoD Components. The DoD CIO should provide additional comments describing how DISA determined that adding specific language to the VPN Security Requirements Guide could negatively impact organizations within the DoD.
The Commander, U.S. Fleet Cyber Command, reconsidered his decision with regard to Navy and Defense Information Systems Agency policies. Therefore, the recommendation is resolved but will remain open until the Commander provides documentation showing that network administrators configured group policies to disable or remove user accounts after inactivity.
Although the Navy CIO agreed to identify the mitigating efforts for preventing malicious cyber actors from exploiting inactive user accounts, he did not identify the actions that the Commander, U.S. Fleet Cyber Command, would take to prevent that exploitation. Therefore, the recommendation is unresolved. The Navy CIO should provide additional comments describing how he will implement the recommendation.
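The inactive-account recommendation above asks for evidence that accounts are disabled or removed after a period of inactivity. The following script is an added illustration of that control for an Active Directory domain; it is not code from the OIG report or from any DoD Component, and the report does not say how the Navy implements the control. It assumes the RSAT ActiveDirectory PowerShell module, rights to modify the target accounts, and a 35-day threshold (an assumed value, not one stated in the report). It is written to be run from a scheduled task or manually, since disabling on inactivity is not itself a Group Policy setting.

```powershell
<#
  Added example (not from the DoD OIG report or any DoD Component):
  find enabled Active Directory user accounts with no logon for a given number
  of days, disable them, and write a review report. Assumes the ActiveDirectory
  module and rights to modify the target accounts. The 35-day default is an
  assumption, not a value stated in the report.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 35,
    [string]$SearchBase = $null,              # e.g. an OU distinguished name; $null = whole domain
    [string[]]$ExcludeSamAccountName = @(),   # break-glass/service accounts reviewed by hand
    [string]$ReportPath = ".\inactive-accounts.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
# roughly 14 days of lag, so it can under-report recent activity but never
# invents it. Accounts that have never logged on have no LastLogonDate at all,
# so fall back to whenCreated for those; otherwise they would never be caught.
$query = @{
    Filter     = 'Enabled -eq $true'
    Properties = 'LastLogonDate', 'whenCreated', 'Description'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$inactive = Get-ADUser @query | Where-Object {
    ($ExcludeSamAccountName -notcontains $_.SamAccountName) -and
    (
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    )
}

$results = foreach ($u in $inactive) {
    $reason = if ($u.LastLogonDate) {
        "no logon since $($u.LastLogonDate.ToString('yyyy-MM-dd'))"
    } else {
        "never logged on; created $($u.whenCreated.ToString('yyyy-MM-dd'))"
    }
    $stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd') for inactivity: $reason"

    # With -WhatIf, ShouldProcess only reports what would happen; run that way
    # first and review the CSV before enforcing.
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable inactive account ($reason)")) {
        Disable-ADAccount -Identity $u.DistinguishedName
        # Prepend to, rather than overwrite, the description so the change is
        # reversible and the original text survives for audit.
        Set-ADUser -Identity $u.DistinguishedName -Description ("$stamp | " + $u.Description)
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LastLogonDate  = $u.LastLogonDate
        Created        = $u.whenCreated
        Reason         = $reason
    }
}

if ($results) {
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
}
Write-Output "Flagged $(@($results).Count) account(s); report written to $ReportPath"
```

Run it first as `.\Disable-InactiveAccounts.ps1 -WhatIf` to produce the report without touching any account, then without `-WhatIf` to enforce. Disabling rather than deleting keeps the SID and group memberships intact for investigation and for a documented re-enable, which is the kind of evidence the recommendation asks the Commander to provide; removal of accounts that stay disabled past a second, longer threshold would be a separate step.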
The Air Force CIO agreed to develop, implement, and enforce a plan. The recommendation is resolved but will remain open until the Air Force CIO provides documentation showing that Air Force policies include a specific requirement.