Audit of the DoD's Implementation of the Cybersecurity


INSPECTOR GENERAL DEPARTMENT OF DEFENSE 4800 MARK CENTER DRIVE

ALEXANDRIA, VIRGINIA 22350-1500

MEMORANDUM FOR DOD CHIEF INFORMATION OFFICER
    COMMANDER, U.S. CYBER COMMAND
    DIRECTOR, NATIONAL SECURITY AGENCY
    DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY
    DIRECTOR, DEFENSE INTELLIGENCE AGENCY
    DIRECTOR, NATIONAL RECONNAISSANCE OFFICE
    DIRECTOR, NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY
    DIRECTOR, DEFENSE SECURITY SERVICE
    DIRECTOR, DEFENSE CYBER CRIME CENTER

December 7, 2018

SUBJECT: Audit of DoD's Implementation of the Cybersecurity Information Sharing Act of 2015 (Project No. D2019-D000CP-0060.000)

We plan to begin the subject audit in December 2018. We are conducting this audit as mandated by the Cybersecurity Information Sharing Act of 2015 (CISA), section 107, "Oversight of Government Activities." CISA requires the Inspectors General of seven Federal entities - the Departments of Commerce, Defense, Energy, Homeland Security, Justice, and Treasury, and the Office of the Director of National Intelligence - to jointly report to Congress no later than 2 years after the enactment date of CISA, and once every 2 years thereafter, on the actions of the Executive branch of the U.S. Government to carry out the CISA requirements. As such, the objective of this joint project is to assess DoD's actions taken to carry out the CISA requirements during 2017 and 2018 and to submit an unclassified, interagency report to Congress by December 2019 (attached). We will consider suggestions from management on additional or revised objectives.

We will perform the audit at the Office of the DoD Chief Information Officer, U.S. Cyber Command, National Security Agency, Defense Information Systems Agency, Defense Intelligence Agency, National Reconnaissance Office, National Geospatial-Intelligence Agency, Defense Security Service, and Defense Cyber Crime Center. We may identify additional locations during the audit.

Please provide us with a point of contact for the audit within 5 days of the date of this memorandum. The point of contact should be a Government employee - a GS-15, pay band equivalent, or the military equivalent. Send the contact's name, title, grade/pay band, phone number, and e-mail address to [email protected].

You can obtain information about the Department of Defense Office of Inspector General from DoD Directive 5106.01, "Inspector General of the Department of Defense (IG DoD)," April 20, 2012, as amended; DoD Instruction 7600.02, "Audit Policies," October 16, 2014, as amended; and DoD Instruction 7050.03, "Office of the Inspector General of the Department of Defense Access to Records and Information," March 22, 2013. Our website is www.dodig.mil.

Page 2: Audit of the DoD's Implementation of the Cybersecurity

Attachment: As stated

Carol N. Gorman
Assistant Inspector General
Cyberspace Operations


OFFICE OF THE INSPECTOR GENERAL OF THE INTELLIGENCE COMMUNITY

AUDIT DIVISION

WASHINGTON, DC 20511


MEMORANDUM FOR: Distribution

SUBJECT: Assessment of and Joint Report on the Implementation of the Cybersecurity Information Sharing Act of 2015

The Inspectors General of the Departments of Commerce, Defense, Energy, Homeland Security, Justice, and Treasury, and the Intelligence Community will initiate a project to assess the actions taken over the prior, most recent, two-year period to carry out the requirements of Title 1 - Cybersecurity Information Sharing Act of 2015 (CISA).¹ As required by CISA - Section 107(b), Oversight of Government Activities - Biennial Report on Compliance - the inspectors general, in consultation with the Council of Inspectors General on Financial Oversight, will jointly submit an interagency report to Congress that includes an assessment of:

• The sufficiency of policies and procedures related to sharing cyber threat indicators within the Federal Government.

• Whether cyber threat indicators and defensive measures have been properly classified, as well as an accounting of the security clearances authorized for the purpose of sharing cyber threat indicators or defensive measures with the private sector.

• The appropriateness, adequacy, and timeliness of the actions taken to use and disseminate cyber threat indicators or defensive measures shared with the Federal Government.

• Specific aspects of cyber threat indicators or defensive measures that have been shared with the Federal Government, including:

  o The number of cyber threat indicators or defensive measures shared using the capability implemented by the Department of Homeland Security [Automated Indicator Sharing (AIS)].

  o Instances in which any federal or non-federal entity shared information that was not directly related to a cybersecurity threat and contained personally identifiable information (PII).

¹ The Consolidated Appropriations Act, 2016, Pub. L. No. 114-113, Div. N., 6 U.S.C. §§ 1501-1510.


  o The number of times, according to the Attorney General, that information shared under this title was used by a federal entity to prosecute an offense listed in CISA Section 105(d)(5)(A).

  o The effect of sharing cyber threat indicators or defensive measures with the Federal Government on privacy and civil liberties of specific individuals, including the number of notices that were issued with respect to a failure to remove information not directly related to a cybersecurity threat that contained PII.

  o The adequacy of steps taken by the Federal Government to reduce any adverse effect from activities carried out under this title on the privacy and civil liberties of U.S. persons.

• Barriers affecting the sharing of cyber threat indicators or defensive measures.

The objective of this project is to assess the actions taken to carry out CISA requirements during calendar years 2017 and 2018 and submit an unclassified, interagency report to Congress by December 2019.

Thank you for your continued support and cooperation on this effort.

If you have any questions on this project, you can reach the Office of the Inspector General of the Intelligence Community point of contact, Ms. Virginia Rogers at 571-204-8033 or [email protected].


Frederick J. Meny Jr.
Assistant Inspector General for Audit and Evaluation
U.S. Department of Commerce Office of Inspector General

Jacqueline L. Wicecarver
Deputy Inspector General for Audit
Department of Defense Office of Inspector General

Sarah B. Nelson
Assistant Inspector General for Technology, Financial, and Analytics
Department of Energy Office of Inspector General

Sondra F. McCauley
Assistant Inspector General for Audits
Department of Homeland Security Office of Inspector General

Jason R. Malmstrom
Assistant Inspector General for Audit
Department of Justice Office of the Inspector General

Deborah L. Harker (digitally signed)
Assistant Inspector General for Audit
Department of the Treasury Office of Inspector General

Patti L. Maccini
Assistant Inspector General for Audit
Office of the Inspector General for the Intelligence Community

Dates: 11.29.18; 12/4/2018; 11/27/18


External Distribution:

Department of Commerce
Department of Defense
Department of Energy
Department of Homeland Security
Department of Justice
Department of the Treasury
Office of the Director of National Intelligence
