The Department of Defense (DoD) has taken steps to fully implement cybersecurity requirements for controlled unclassified information (CUI), however, none of the DoD components were fully compliant on that front as of January 2022, according to a recent Government Accountability Office (GAO) report.
DoD has reported the implementation of more than 70 percent of four cybersecurity requirements for CUI systems, according to a GAO report. Although, as of Jan. 2022, the extent of implementation varied for each of the four requirement areas.
According to GAO, DoD is working toward achieving 100 percent compliance in three of the four categories: categorize systems accurately, implement 266 security controls, and authorize systems to operate on DoD’s network.
“As the official responsible for department-wide cybersecurity of CUI systems, the DoD Office of the Chief Information Officer (CIO) has taken recent action to address this area,” wrote GAO.
The DoD CIO issued a memorandum in October 2021 on implementing controls for CUI systems, and it identified and reiterated requirements that CUI systems must meet. The CIO also reminded system owners of the March 2022 deadline for all DoD CUI systems to implement necessary controls and requirements.
“The Department is pleased to note GAO’s extensive review and acknowledgement of the DoD Chief Information Officer’s efforts to strive for security compliance within the Department’s CUI systems,” wrote DoD CIO John Sherman in response to GAO’s findings. “As noted within the report, the Department has taken action to work with DoD Components to ensure implementation of the appropriate security measures for CUI systems.”