Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems

Date Issued

Thursday, July 25, 2019

Submitting OIG

Department of Defense OIG

Other Participating OIGs

Department of Defense OIG

Agencies Reviewed/Investigated

Department of Defense

Components

United States Transportation Command (USTRANSCOM)

United States Navy (USN)

United States Cyber Command (USCYBERCOM)

United States Army (USA)

United States Air Force (USAF)

OSD Director of Operational Test and Evaluation (DOT&E)

OSD Chief Information Officer (CIO)

Missile Defense Agency (MDA)

Defense Threat Reduction Agency (DTRA)

Defense Contract Management Agency (DCMA)

Report Number

DODIG-2019-105

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 2 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
D-2019-0105-D000CR-0001-0001.A1a	No	$0	$0
(U) Rec. A.1.a: The DoD OIG recommended that the DoD Chief Information Officer, in coordination with Defense Pricing and Contracting, implement or revise policy to require all systems and networks that maintain DoD information, including those owned by contractors that maintain DoD information, to use strong passwords that, at a minimum, meet DoD password length and complexity requirements.
D-2019-0105-D000CR-0001-0001.A1b	No	$0	$0
(U) Rec. A.1.b: The DoD OIG recommended that the DoD Chief Information Officer, in coordination with Defense Pricing and Contracting, implement or revise policy to require all systems and networks that maintain DoD information, including those owned by contractors that maintain DoD information, to configure their systems and networks to align with DoD requirements for locking after 15 minutes of inactivity and 3 unsuccessful logon attempts.