A new watchdog report found that the Department of Defense’s (DoD) networks remain vulnerable three years after military services misconfigured remote access software.
During the COVID-19 pandemic, the DoD had to respond quickly to facilitate telework capabilities as staffers were forced to work from home. DoD personnel gained access to their organization’s networks using approved remote access software.
But while DoD policies require DoD components to configure remote access software consistent with Federal and DoD cybersecurity policies and security controls, this was not the case.
A report from the DoD Office of Inspector General (IG) found that network and system administrators for seven of 10 DoD components did not always implement all of the critical configuration settings and cybersecurity controls that were required.
Officials responsible for authorizing the use of remote access software on DoD component networks must document an assessment of the impact on DoD employees, assets, and missions when DoD components deviate from security requirements, the report states.
“If DoD components do not consistently configure remote access software per Federal and DoD cybersecurity policies, standards, and security controls, malicious cyber actors could exploit vulnerable configuration settings and compromise the confidentiality, integrity, and availability of DoD networks, systems, and data,” according to the report.
Among its recommendations, the IG recommends specific implementation controls, as well as timelines to develop plans of action and milestones for the risk areas that still need to be addressed.
In addition, the IG recommends that the Defense Information Systems Agency (DISA) – which already publishes the Security Requirements Guides and Security Technical Implementation Guides that govern how remote access software is configured – direct network and system administrators to include mitigation timeframes for all vulnerabilities and to develop plans of action and milestones for any vulnerabilities not mitigated promptly.
Officials from the Marine Corps, Department of the Navy, U.S. Southern Command, and Defense Intelligence Agency agreed with the recommendations and described actions planned and taken to resolve or close them.
The IG has requested additional comments within 30 days of the report from the deputy chief information officer for the Air Force and the chief of the DISA Joint Service Provider Cyber Security Center, who only partially addressed the specifics of the recommendations.