Management Advisory Regarding the Air Force’s Compliance with the Federal Information Security Modernization Act of 2014

View Report

Date Issued

Wednesday, October 12, 2022

Submitting OIG

Department of Defense OIG

Other Participating OIGs

Department of Defense OIG

Agencies Reviewed/Investigated

Department of Defense

Components

United States Air Force (USAF)

Report Number

DODIG-2023-003

Report Type

Other

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
D-2023-0003-D000CP-0001-0001.a	No	$0	$0
(U) Rec. 1.a: The DoD OIG recommend that the Air Force Chief Information Officer direct the system owners, in coordination with the Air Force Chief Information Security Officer and Authorizing Officials, to identify and mitigate all very high, high, and moderate weaknesses identified in plans of action and milestones that exceed the 30-day and 90-day mitigation requirement as required by Air Force guidance, and prioritize any weaknesses identified in the Cybersecurity and Infrastructure Security Agency's known exploited vulnerabilities catalog.
D-2023-0003-D000CP-0001-0001.b	No	$0	$0
(U) Rec. 1.b: The DoD OIG recommend that the Air Force Chief Information Officer establish controls, in coordination with the Air Force Chief Information Security Officer and Authorizing Officials, to ensure that system owners mitigated weaknesses identified in plan of action and milestones by their scheduled completion dates and in accordance with the timelines established in Air Force guidance.
D-2023-0003-D000CP-0001-0001.c	No	$0	$0
(U) Rec. 1.c: The DoD OIG recommend that the Air Force Chief Information Officer update Air Force Instruction 33?332, "Air Force Privacy and Civil Liberties Program," March 10, 2020 (updated on May 12, 2020), in coordination with the Air Force Privacy Officer, to align with the June 2021 DoD Data Breach Response Plan, including the changes to the breach reporting process.
D-2023-0003-D000CP-0001-0002.a	No	$0	$0
(U) Rec. 2.a: The DoD OIG recommend that the Air Force Chief Privacy Officer establish controls to ensure that Air Force privacy officials are timely reporting breaches in accordance with the Air Force Instruction 33?332, "Air Force Privacy and Civil Liberties Program," March 10, 2020 (updated on May 12, 2020).
D-2023-0003-D000CP-0001-0002.b	No	$0	$0
(U) Rec. 2.b: The DoD OIG recommend that the Air Force Chief Privacy Officer ensure that all Air Force personnel receive annual privacy training that addresses all the key elements required by Air Force Instruction 33?332, "Air Force Privacy and Civil Liberties Program," March 10, 2020 (updated on May 12, 2020).