DOD Not Fully Compliant With CUI Cybersecurity Requirements, Auditor Says
The Department of Defense is not fully compliant with its cybersecurity requirements for controlled unclassified information, a government watchdog said.
According to the Government Accountability Office, CUI is information that, while not classified, is still sensitive and must be protected from public disclosure.
A review of the DOD’s 2,900 CUI systems showed that the department had varying levels of compliance across four major cybersecurity areas as of January, GAO said.
The four areas are the accurate categorization of CUI systems, the implementation of the Cybersecurity Maturity Model Certification program’s requirements, the implementation of controls for moderate confidentiality impact systems and the authorization of systems to operate on DOD networks.
The DOD scored lowest in the CMMC requirements area, with a 70 to 79 percent implementation rating. GAO said that the DOD is required to have 100 percent compliance.
GAO acknowledged that the DOD’s Office of the Chief Information Officer, which is responsible for department-wide CUI security, has taken steps to address the shortcoming.
In October 2021, OCIO issued a memorandum reminding DOD components to implement CUI requirements by March 2022. The office also monitored the components’ progress in meeting the deadline, according to the auditor.
GAO said it conducted the review because of the large amount of potentially vulnerable CUI on the DOD’s computer systems.
The agency noted that, in 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers caused an 11-day shutdown of the network.
The National Defense Authorization Act of 2021 also requires GAO to review a CUI security report that the DOD submitted in June 2021.