Army CIO must improve security for commercial mobile devices, says IG
The Army CIO has failed so far to implement an effective cybersecurity program for commercial mobile devices (CMDs), and until the service does so its networks will remain vulnerable to cyberattack and possible leaks of sensitive data, according to a report from the Defense Department’s Inspector General.
The DOD IG study sought to determine whether the Army had an effective cybersecurity program that was capable of identifying and mitigating risks around CMDs and removable media. During site inspections, IG officials sought to verify whether Army officials were properly tracking, configuring and sanitizing CMDs.
In the course of its investigation, the DOD IG found that the Army CIO had failed to appropriately track CMDs and that the office apparently was unaware of more than 14,000 CMDs used throughout the service, DOD IG officials said in the report.
The problems surfaced in large part because the Army CIO did not develop clear and comprehensive policy for CMDs bought through pilot and nonpilot programs, the DOD IG said. Moreover, the Army CIO inappropriately assumed that CMDs were not connecting to Army networks and storing sensitive information. The failings result in increased vulnerability to cyberattacks and leaks of sensitive data, the DOD IG said.
The DOD IG also uncovered a number of other problems associated with effective cybersecurity for CMDs. One of these problems is that the Army CIO did not properly ensure that Army commands configured CMDs to protect stored information. Specifically, the CIOs of the U.S. Military Academy and the U.S. Army Corps of Engineers Research and Development Center did not use mobile device management applications to configure CMDs to protect stored information.
Other cybersecurity snags involved the Army CIO’s failure to properly sanitize CMDs, control CMDs used as removable media, and require training and use agreements specific to CMDs.
To remedy the situation, the Army CIO should develop clear and comprehensive policy that includes requirements for reporting and tracking all CMDs, as well as extend existing information assurance requirements to the use of all CMDs.
The Army took issue with the findings and asserted that it had published guidance for commands and organizations participating in pilot programs. In its response to the DOD IG findings, the Director of the Army CIO Cybersecurity Directorate pointed out that the service established a SharePoint Portal through which all Army organizations entering into CMD pilot programs were required to register and provide project documentation.
Furthermore, Army officials maintain that they are able to account for every CMD assigned to the Army by accessing the Defense Information Systems Agency CONUS property management system. The Army has routinely accessed the system as part of the ongoing DISA Mobile Pilot program, the director said.
The Army also published guidance in 2011 that directed service organizations to register each pilot and document senior approval, the Director of the Army CIO Cybersecurity Directorate said in its response.
However, the DOD IG countered that the Army did not define what constitutes a CMD pilot program, and therefore some Army commands failed to report and configure CMDs appropriately.