WASHINGTON — The Department of Defense is making significant progress locking down sensitive networks amid cyber challenges from foreign adversaries bent on gaining access to intel, a report from a federal watchdog shows.
The department as of January recorded compliance at 70% or higher in implementing four select protections for controlled unclassified information, or CUI, which may include data tied to critical technologies or the development and operation of weapons and defense infrastructure, according to the Government Accountability Office.
Pentagon networks store massive amounts of data and are under constant threat of attack from competitors such as Russia, China, Iran and North Korea. Russia’s assault on Ukraine is adding to concerns about U.S. cybersecurity, as federal officials and other experts warn of Moscow’s malicious cyber history and reach in the digital domain. A breach of CUI systems, and the widespread dissemination or theft of the information, could pose real risks to U.S. security.
“Safeguarding federal computer systems has been a longstanding concern,” the GAO wrote in a May 19 memo to congressional committees. “Underscoring the importance of this issue, we have included cybersecurity on our high-risk list since 1997.”
The accountability office’s evaluation, published Thursday, found that while no entity was fully compliant with key CUI cybersecurity requirements, the Pentagon is moving in the right direction. The GAO from May 2021 to May 2022 focused on some 2,900 CUI systems, most of which are owned by the Army, Air Force, Navy, Marine Corps and the Defense Health Agency.
The official responsible for department-wide security of CUI systems is the chief information officer, currently John Sherman. The GAO in its report said the information office “has taken recent action to address” the issues and noted the department has kept tabs on progress.
The GAO audit included no formal recommendations or fixes for the Pentagon to pursue. Sherman in a pre-publication letter in late April acknowledged the watchdog’s analysis and stood by his office’s work.
“As noted within the report, the Department has taken action to work with DoD components to ensure implementation of the appropriate security measures for CUI systems,” Sherman wrote.
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.