Management Advisory: The DoD’s FY 2023 Compliance with Federal Information Security Modernization Act of 2014

View Report

Date Issued

Thursday, May 23, 2024

Submitting OIG

Department of Defense OIG

Other Participating OIGs

Department of Defense OIG

Agencies Reviewed/Investigated

Department of Defense

Report Number

DODIG-2024-084

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
D-2024-0084-D000CP-0001-0001.a	No	$0	$0
(U) Rec. 1.a: The DoD OIG recommended that the DoD Chief Information Officer develop, in coordination with the Under Secretary of Defense for Research and Engineering and the Under Secretary of Defense for Acquisition and Sustainment, a DoD?wide Supply Chain Risk Management strategy as required by the National Institute of Standards and Technology guidance.
D-2024-0084-D000CP-0001-0001.b	No	$0	$0
(U) Rec. 1.b: The DoD OIG recommended that the DoD Chief Information Officer develop, in coordination with the Under Secretary of Defense for Research and Engineering and the Under Secretary of Defense for Acquisition and Sustainment, policies and procedures implementing the DoD-wide Supply Chain Risk Management strategy as required by the National Institute of Standards and Technology guidance, including organizational-wide tools and techniques that allow DoD Components to consistently and effectively manage risks associated with using external providers.
D-2024-0084-D000CP-0001-0001.c	No	$0	$0
(U) Rec. 1.c: The DoD OIG recommended that the DoD Chief Information Officer determine when DoD Components should complete a privacy impact assessment for information systems and ensure that all DoD guidance, including DoD Instruction 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance," July 14, 2015, Incorporating Change 1, August 11, 2017, and the DoD Risk Management Framework Knowledge Service guidance, aligns with that determination.
D-2024-0084-D000CP-0001-0001.d	No	$0	$0
(U) Rec. 1.d: The DoD OIG recommended that the DoD Chief Information Officer direct DoD Components, in coordination with the Chief Information Security Officers, Chief Information Officers, and Authorizing Officials, to require that officials conduct privacy impact assessments for all non-national security systems and update the Enterprise Mission Assurance Support Service, or its equivalent system, as required by DoD guidance.
D-2024-0084-D000CP-0001-0001.e	No	$0	$0
(U) Rec. 1.e: The DoD OIG recommended that the DoD Chief Information Officer implement a process, in coordination with the DoD Component Chief Information Security Officers, Chief Information Officers, and Authorizing Officials, such as periodic Enterprise Mission Assurance Support Service reviews, to ensure that officials complete privacy impact assessments for all non-national security systems and update the Enterprise Mission Assurance Support Service, or its equivalent system, as required by DoD guidance.