U.S. Defense Department Fails to Secure Classified Mobile Devices, Poses Security Risks

A recent Pentagon audit revealed significant cybersecurity lapses in managing classified mobile devices across multiple commands, highlighting urgent needs for improved inventory and training.

A recent audit conducted by the Defense Department’s Office of the Inspector General unveiled serious lapses in cybersecurity protocols concerning classified mobile devices within three U.S. combatant commands and the Defense Department’s IT support agency.

Titled “Audit of Cybersecurity of DoD Classified Mobile Devices,” the report was released to the public on Monday.

Audit Findings

The audit examined the management of mobile devices used by the U.S. European Command, two branches of the U.S. Special Operations Command, and the Defense Information Systems Agency (DISA).

It found that these organizations had not maintained adequate inventory records for their devices, a troubling oversight that could potentially expose sensitive information to cyber threats.

Robert P. Storch, the Pentagon Inspector General, stressed the importance of securing mobile devices used by the Department of Defense, saying that such security measures are not mere technicalities but are vital to safeguarding classified information and maintaining national security.

Examining a total of 73 mobile devices—43 from DISA, 21 from the European Command, as well as others from the U.S. Special Operations Command Headquarters and U.S. Special Operations Command Central—the audit revealed significant gaps in inventory documentation.

Critical information like user identities, device types, serial numbers, phone numbers, and even the classification levels of the data stored were notably absent.

Contributing Factors

The report pointed to the surge in mobile device usage due to the COVID-19 pandemic’s telework requirements in 2020 as a contributing factor to this disorganization.

Additionally, the inventory records for DISA and the U.S. Special Operations Command Headquarters were riddled with inaccuracies, leading to improper cataloging of devices.

In response to these findings, the Inspector General urged both the U.S. European Command and U.S. Special Operations Command to promptly update their inventory records, ensuring they accurately capture all classified mobile devices.

The report also called for a thorough review of the classified mobile device program, enhanced training, and an evaluation of access needs regarding classified devices.

Both commands have confirmed their commitment to implementing these recommendations.

Next Steps

DISA, for its part, was advised to correct its inventory errors and to establish a robust process for record-keeping.

In light of the audit, DISA pledged to create a reliable system to uphold accurate inventory tracking moving forward.

Moreover, the report emphasized the need for the Defense Department to motivate its various branches to actively adopt the audit’s recommendations.

Past investigations by the DOD Office of the Inspector General have concentrated on addressing cybersecurity vulnerabilities within the department.

A notable report published in March discussed issues like weak password practices and noncompliance with multifactor authentication among DOD contractors.

Between 2018 and 2023, a series of audits revealed that officials struggled to verify whether contractors adhered to cybersecurity standards.

Source: Military Times