Former Defense Digital Service, or DDS, directors improperly granted waivers to use IT tools and services unauthorized by department policies, the Pentagon inspector general found.
Beginning in 2015, two former DDS directors “exceeded their authority and granted waivers of multiple DOD policies to enable the DDS to use unauthorized digital service tools, including cloud‑based software development platforms and collaboration software, to store, process and transmit controlled unclassified information,” according to a report publicly released on May 29.
DDS is a component of the Chief Digital and Artificial Intelligence Office, or CDAO, which works to add new digital technologies across the Pentagon. Its charter, issued in January 2017, allows the organization’s directors to “request waivers to DOD policies that would otherwise impede DDS engagements,” although the officials were directed to first “request and receive approval for the waivers from the DOD components that issued the policies.”
Without following the proper procedures, the watchdog found, DDS and other DOD officials “were able to disregard the cybersecurity requirements of seven DOD policies,” which “exposed DOD information to additional cybersecurity risk and increased the risk of compromise.”
The Office of the Inspector General noted that this included the approval of a redacted “text messaging application” for official discussions regarding the storage and processing of controlled unclassified information on DOD systems. A June 2021 report by the OIG found that DDS’s then-director violated the department’s policy by using and encouraging the use of the encrypted messaging app Signal.
DDS’s legal council told the watchdog that the directors’ use of the self-granted waivers “was essentially established by precedent” when the organization’s inaugural head issued the first such waiver. The OIG added that the continued use of these waivers occurred because the Office of the Secretary of Defense “did not establish effective internal controls to ensure that the DDS director exercised their authorities as intended.”
The audit also randomly reviewed 10 DDS “engagements” — work with DOD components to improve their digital services — to determine whether they met their intended purposes.
While the selected engagements were redacted in the public report, the watchdog said it was unable to determine whether five of the organization’s efforts achieved their goals “because DDS officials did not maintain adequate and proper records of the purpose, work completed and results of those engagements.”
OIG made 15 recommendations in its report, including calling for the Chief Digital and Artificial Intelligence Officer to develop a clear waiver process for the agency’s components and for CDAO to “assess the hardware, software, cloud services, networks and any other tools used by the DDS since 2015 to ensure compliance with DOD cybersecurity requirements.”
CDAO concurred with the watchdog’s recommendations, although the Washington Headquarters Services — which was tasked with providing DDS guidance on the development of a records management program — disagreed with OIG’s recommendation that it ensure the components it works with have established management plans.
Read the full article here