Key Takeaways
- Three U.S. combatant commands and the Defense Department’s IT agency failed to adhere to cybersecurity protocols for classified mobile devices.
- The audit revealed incomplete inventory records, which could expose sensitive information to cyber threats.
- The report made several recommendations for improving device management and cybersecurity practices across various agencies.
Audit Findings on Cybersecurity Protocol Violations
A recent audit by the Defense Department’s Office of the Inspector General (OIG) has uncovered significant lapses in cybersecurity protocols regarding classified mobile devices at three U.S. combatant commands and the Defense Information Systems Agency. The report, titled “Audit of Cybersecurity of DoD Classified Mobile Devices,” highlights deficiencies in how these organizations manage their classified devices, potentially compromising sensitive information.
The audit assessed 43 devices from the Defense Information Systems Agency, along with devices from the U.S. European Command and the U.S. Special Operations Command. Findings indicated that these organizations failed to maintain accurate and complete inventory records for their devices. Key missing information includes user identification, device type, serial numbers, phone numbers, data classification, and guidelines for usage. In the wake of the COVID-19 pandemic, the increase in remote work significantly strained their device management capabilities.
Robert P. Storch, the Pentagon Inspector General, emphasized the criticality of securing these mobile devices to ensure national security and the integrity of the Department of Defense’s (DoD) missions. He stated, “Securing these devices is not merely a technical priority; it’s a critical operational mandate.”
Problems identified in the audit included incorrect information in inventory records maintained by both the Defense Information Systems Agency and the U.S. Special Operations Command. These inaccuracies could result in inadequate oversight of classified devices and expose them to cyber threats.
To address these gaps, the OIG has recommended specific measures. Both U.S. European Command and U.S. Special Operations Command are required to rectify their inventory logs to accurately reflect all classified mobile devices and to re-evaluate the necessity of each individual’s access to such devices. They are also advised to overhaul their classified mobile device programs and enhance training for personnel involved in device management. According to the report, both commands have agreed to comply with these recommendations.
Moreover, the audit suggests that the Defense Information Systems Agency establish a systematic approach for maintaining accurate inventory records moving forward. The agency confirmed it would develop a strategy to improve its tracking and documentation processes.
More broadly, the report highlights ongoing cybersecurity concerns within the DoD. Previous audits have pointed to systemic weaknesses, with a special report released in March addressing issues like outdated passwords and inadequate enforcement of multifactor authentication among Defense Department contractors. Collectively, these audits from 2018 to 2023 indicate that DoD officials have struggled to effectively monitor compliance with cybersecurity standards, posing risks not just to classified information but to overall national security.
In response to these concerns, the OIG continues to urge agency leaders within the DoD to adopt the recommendations laid out in various cybersecurity reports to enhance their operational resilience in the face of growing cyber threats.