Audit of DoD Actions Taken to Implement Cybersecurity Protections Over Remote Access Software in the Coronavirus Disease–2019 Telework Environment

Date Issued

Friday, March 24, 2023

Submitting OIG

Department of Defense OIG

Other Participating OIGs

Department of Defense OIG

Agencies Reviewed/Investigated

Department of Defense

Components

United States Strategic Command (USSTRATCOM)

United States Southern Command (USSOUTHCOM)

United States Navy (USN)

United States Marine Corps (USMC)

United States Air Force (USAF)

Department of Defense Education Activity (DODEA)

Defense Intelligence Agency (DIA)

Defense Information Systems Agency (DISA)

Defense Contract Management Agency (DCMA)

Report Number

DODIG-2023-057

Report Type

Audit

Special Projects

Pandemic

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 2 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
D-2023-0057-D000CR-0001-0002.A2a	No	$0	$0
(U) Rec. A.2.a: The DoD OIG recommended that the Chief Information Officer of the Department of the Air Force revise its policy to align with the Windows 10 Security Technical Implementation Guide requirement for disabling inactive user accounts after no more than 35 days.
D-2023-0057-D000CR-0001-0002.A2b	No	$0	$0
(U) Rec. A.2.b: The DoD OIG recommended that the Chief Information Officer of the Department of the Air Force direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.