Audit of Cyber Vulnerabilities Impacting Defense Critical Infrastructure

View Report

Date Issued

Friday, February 21, 2025

Submitting OIG

Department of Defense OIG

Agencies Reviewed/Investigated

Department of Defense

Report Number

DODIG-2025-071

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 4 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
D-2025-0071-D000CS-0001-0001.a	No	$0	$0
(U) Rec. 1.a: The DoD OIG recommended that the Secretary of the Navy direct the Assistant Secretary of the Navy for Energy, Installations, and Environment, in coordination with the Office of the Chief of Naval Operations, Shore Readiness Division; Commander, Navy Installations Command; Naval Facilities Engineering Command; and other Department of the Navy organizations as appropriate develop and implement processes that establish control system ownership and clearly define responsibilities for managing the risk associated with control system cybersecurity vulnerabilities in accordance with DoD and Navy.
D-2025-0071-D000CS-0001-0001.b	No	$0	$0
(U) Rec. 1.c: The DoD OIG recommended that the Secretary of the Navy direct the Assistant Secretary of the Navy for Energy, Installations, and Environment, in coordination with the Office of the Chief of Naval Operations, Shore Readiness Division; Commander, Navy Installations Command; Naval Facilities Engineering Command; and other Department of the Navy organizations as appropriate establish expectations for mitigating the unmitigated cybersecurity vulnerabilities identified during the Section 1650 assessments, require the Office of the Chief of Naval Operations to develop and document corrective action plans for unmitigated cybersecurity vulnerabilities, and hold the Commander, Navy Installations Command, Naval Facilities Engineering Command, and system owners accountable for not taking corrective actions.
D-2025-0071-D000CS-0001-0001.c	No	$0	$0
(U) Rec. 1.c: The DoD OIG recommended that the Secretary of the Navy direct the Assistant Secretary of the Navy for Energy, Installations, and Environment, in coordination with the Office of the Chief of Naval Operations, Shore Readiness Division; Commander, Navy Installations Command; Naval Facilities Engineering Command; and other Department of the Navy organizations as appropriate develop and implement processes with periodic reporting requirements to track the status of the cybersecurity vulnerabilities identified during the Section 1650 assessments.
D-2025-0071-D000CS-0001-0001.d	No	$0	$0
(U) Rec. 1.d: The DoD OIG recommended that the Secretary of the Navy direct the Assistant Secretary of the Navy for Energy, Installations, and Environment, in coordination with the Office of the Chief of Naval Operations, Shore Readiness Division; Commander, Navy Installations Command; Naval Facilities Engineering Command; and other Department of the Navy organizations as appropriate develop and implement processes for documenting corrective actions and retaining documentation of corrective actions to mitigate cybersecurity vulnerabilities identified during the Section 1650 assessments.