Office of the Secretary of Defense

Open Recommendations (26 total)

Military Lodging: DOD Should Provide Congress with More Information on Army's Privatization and Better Guidance to the Military Services

1 Open Recommendations
Agency Affected Recommendation Status
Office of the Secretary of Defense The Secretary of Defense should ensure that the Assistant Secretary of Defense for Sustainment provides additional key information from the Army about the PAL program in its annual Military Housing Privatization Initiative program reports to Congress, including the status of improvements to its facilities, timeframes for completing improvements, and any significant changes to the development plan. (Recommendation 1)
Open
DOD concurred with this recommendation. In March 2022, the Assistant Secretary of Defense for Energy, Installations and Environment (ASD(EI&E)) submitted the Fiscal Year 2019 MHPI report to Congress. This report included some additional information about the PAL program. However, it did not include the information we recommended, such as the timeframe for completing improvements. In November 2023, officials indicated that the forthcoming Fiscal Year 2020 MHPI report will include the additional information we recommended. We will continue to monitor DOD's efforts to address this recommendation and will update the status of this recommendation once the Fiscal Year 2020 MHPI report has been issued and we have an opportunity to review its content.

Military Lodging: DOD Should Provide Congress with More Information on Army's Privatization and Better Guidance to the Military Services

2 Open Recommendations
Agency Affected Recommendation Status
Office of the Secretary of Defense The Secretary of Defense should ensure that the Under Secretary of Defense for Personnel and Readiness and the Assistant Secretary of Defense for Sustainment, in collaboration with the military services, establish consistent methodologies and clearly define the data that the military services are to report to the Office of the Secretary of Defense on their respective lodging programs. (Recommendation 3)
Open
DOD concurred with this recommendation. In March 2022, DOD stated that the Under Secretary of Defense for Personnel and Readiness and ASD(EI&E) were working to complete this requirement in collaboration with the military services, and that the estimated completion date was September 2023. However, as of November 2023, we have not received an update on this effort. We will continue to monitor the department's efforts to address this recommendation and will update its status as more information becomes available.
Office of the Secretary of Defense The Secretary of Defense should ensure that the Under Secretary of Defense for Personnel and Readiness, in collaboration with the Assistant Secretary of Defense for Sustainment, assesses by military service the extent to which DOD servicemembers and civilian employees are inappropriately using off-base lodging for official travel and why it is occurring, and develop a plan to address any issues identified. (Recommendation 4)
Open
DOD concurred with this recommendation. In March 2022, DOD stated that the Under Secretary of Defense for Personnel and Readiness was completing the recommended assessment and plan in collaboration with ASD(EI&E) and that the estimated completion date was December 2022. However, as of November 2023, we have not received an update on this effort. We will continue to monitor the department's efforts to address this recommendation and will update its status as more information becomes available.

Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene

1 Open Recommendations
1 Priority
Agency Affected Recommendation Status
Office of the Secretary of Defense
Priority Rec.
The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2)
Open
DOD officials told us that the department does not plan to implement the recommendation because it has moved on from the Cybersecurity Discipline Implementation Plan. While the department stated that it has moved on from the plan, the office of the DOD CIO recognizes the value of the tasks and continues to monitor DOD components' progress in implementing them. According to DOD documentation, the components have made some progress as of April 2024, but have not achieved the performance goal for these tasks. To fully implement this recommendation, DOD should ensure that components develop plans with scheduled completion dates to implement the four remaining Cybersecurity Discipline Implementation Plan tasks--or their equivalents--overseen by DOD CIO.

Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene

5 Open Recommendations
4 Priority
Agency Affected Recommendation Status
Office of the Secretary of Defense
Priority Rec.
The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. (Recommendation 6)
Open
DOD has not taken any action to implement the recommendation. The Office of the DOD CIO stated that U.S. Cyber Command and one of its subordinate commands have operational responsibilities associated with DOD networks. However, DOD CIO officials did not clarify whether any DOD official or component is monitoring the extent to which the department is implementing cyber hygiene practices to prevent key cyberattack techniques. To implement this recommendation, DOD should direct a component to monitor the extent to which the department implements cyber hygiene practices to protect its network from key cyberattack techniques.
Office of the Secretary of Defense
Priority Rec.
The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3)
Open
DOD has not taken any action to implement the recommendation as of April 2024. We believe that implementing this recommendation is important, as several of these tasks are the same as or similar to the cybersecurity standards that DOD plans to require defense contractors to comply with as a part of the Cybersecurity Maturity Model Certification framework. To fully implement this recommendation, DOD should identify a DOD component to oversee the seven tasks in the Cybersecurity Discipline Implementation Plan that are not overseen by the CIO and report on their progress.
Office of the Secretary of Defense
Priority Rec.
The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1)
Open
DOD has taken some action to implement the first recommendation. For example, U.S. Cyber Command and DOD CIO are working together to develop Joint Cyberspace Training and Certification Standards for cybersecurity service providers. However, as of April 2024, DOD has not implemented the seven tasks in the Cybersecurity Culture and Compliance Initiative. To fully implement this recommendation, DOD should implement the remaining tasks in the initiative or take action to improve cybersecurity culture and compliance across the department.
Office of the Secretary of Defense
Priority Rec.
The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders have more complete information to make risk-based decisions—and revise the recurring reports (or develop a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7)
Open – Partially Addressed
DOD has taken some action to implement the recommendation. In particular, DOD officials told us that the department merged existing reporting requirements to develop the Cybersecurity Hardening Scorecard. According to documentation we reviewed, this scorecard measures the department's tiered and prioritized initiatives for cyber maintenance, operations, and key programs for reducing overall cybersecurity risk. However, the April 2024 version of this scorecard did not include information on (a) cybersecurity practices identified in the DOD cyber hygiene initiatives or (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. To implement this recommendation, the CIO should assess the extent to which senior leaders have information on these two topics and revise the recurring reports or develop a new report accordingly.
Office of the Secretary of Defense The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training. (Recommendation 4)
Open – Partially Addressed
DOD partially concurred with this recommendation. In particular, the department concurred that it should ensure components accurately report the number of users who have completed the training. However, it did not concur that components should report the number of users who have been denied access to the network because they have not completed the training. The department stated that a statistic showing this information would not be meaningful and would be burdensome to collect. In a July 2020 letter, the DOD CIO's office provided an update regarding the first component of our recommendation--ensuring that components accurately report the number of users who have completed the training. The letter stated that DOD proposed including the percent of users that successfully completed the training in the Cyber Hygiene Scorecard and that the department was coordinating to maximize the extent that they could collect the numerator and denominator to calculate this percent from existing databases. The department estimated that DOD would integrate data on cybersecurity awareness training completion in the Cyber Hygiene Scorecard by October 1, 2020. The letter also stated that a key corrective action was to collect data on current component-level approaches to collecting information on the extent that component personnel completed the cybersecurity awareness training. Regarding this corrective action, the letter indicated that DOD had identified that components track this training in widely varying ways. The letter also stated that DOD is reviewing the potential benefits and costs of an enterprise solution to this aspect of our recommendation based on the guidance in NIST SP 800-50. The letter estimated that DOD would complete this action by November 30, 2020. 
Regarding the second element of our recommendation--that components should report the number of users who have been denied access to the network because they have not completed the training--the DOD CIO's July 2020 letter continued to maintain the department's position that it did not concur with this element of our recommendation. In the letter, the DOD CIO's office stated that reporting the number of users who have been denied access to the network because they have not completed the training would not be meaningful but would be extremely burdensome to collect since network revocations can be for a variety of reasons and cross multiple networks and domains. A July 2021 DOD CIO update states that the CIO's office has collected monthly metrics on the extent that DOD components have completed the Cyber Awareness Challenge course and that it has followed up with components reporting unacceptable compliance rates. The report states that the CIO includes this metric in the Cyber Hygiene Scorecard as of April 2021. However, the department has not accurately monitored or reported the number of users whose access to DOD networks was revoked because they had not completed the training. The DOD report states that the DOD CIO conducted a department-wide survey in the second quarter of fiscal year 2021 to identify the number of users whose network access was revoked. However, some components do not have the capability to use automated functions to identify the personnel whose access was revoked. As of June 2024, the department had not provided evidence that it had taken any additional action.

Defense Nuclear Enterprise: Systems Face Sustainment Challenges, and Actions Are Needed to Effectively Monitor Efforts to Improve the Enterprise

1 Open Recommendations
Agency Affected Recommendation Status
Office of the Secretary of Defense The Secretary of Defense should ensure that the Under Secretary of Defense for Acquisition and Sustainment updates the applicable guidance for methods of tracking and evaluating progress on implementation of the recommendations of the 2015 NC3 report, requiring DOD components to keep information—including metrics for measuring progress and outcomes as well as any revised time frames that may extend out more than 1 year—complete and current. (Recommendation 2)
Open
DOD concurred with our recommendation and stated that the DOD Chief Information Officer and, as appropriate, the Under Secretary of Defense for Acquisition and Sustainment as the NC3 capability portfolio manager, will update the applicable guidance to ensure that metrics, time frames, and other information associated with planned actions are kept up to date and complete. Subsequently, the office responsible for this recommendation was changed to the Office of the Under Secretary of Defense for Acquisition and Sustainment when the Under Secretary of Defense for Acquisition and Sustainment was designated the NC3 enterprise capability portfolio manager. As of November 2023, DOD has not issued updated applicable guidance for the recommendations of the 2015 NC3 report.