The Defense Department’s Secure Unclassified Network (SUNet) is not compliant with cybersecurity requirements due to a lack of proper monitoring and management, according to a Jan. 12 report from the agency’s internal watchdog.
The 50-page report by DoD’s Office of the Inspector General (OIG) also found that SUNet lacks dedicated funding, which it said places the system “at risk of termination due to non-compliance with cybersecurity requirements.”
DoD is acting to address those problems, the OIG said.
The partially redacted report reviews the security and privacy controls surrounding SUNet. The network “allows the DoD, other U.S. Government agencies, and their partners, including academia, research, and foreign partners, to communicate, share, analyze, and disseminate information in near-real-time,” the report says.
“The objective of this evaluation was to determine whether the DoD developed, implemented, maintained, and updated security and governance controls to protect SUNet, and the data and technologies that reside on it, from internal and external threats,” OIG wrote.
The agency watchdog began evaluating SUNet in February 2022 at the Irregular Warfare Technical Support Directorate (IWTSD) – which owns and accredits SUNet. A private contractor manages the system.
Because of the contractor’s role in managing SUNet, the OIG said that IWTSD “was unable to directly monitor, manage, or prioritize the execution of SUNet cybersecurity and information activities” and “had limited ability to ensure that the contractor prioritized cybersecurity.”
Additionally, the report found that the system lacked “dedicated programmatic funding to support enterprise requirements and there was no designated entity obligated to fund enterprise requirements.”
The lack of funding needed to enforce security and privacy controls for SUNet was a particular source of concern when it came to the overall viability of the system. OIG noted that SUNet relied, in part, “on just-in-time funding from mission partners to continue operations, which included Coronavirus Aid, Relief and Economic Security (CARES) Act funds.”
OIG offered four recommendations to DoD in the report:
- Conduct a review to determine whether the contract with the vendor overseeing SUNet should be revised to clearly support cybersecurity requirements;
- Conduct a review to determine whether an IWTSD representative or similar official should be the assistant or alternate contracting officer’s representative on the SUNet contract;
- Conduct a review to determine whether CARES Act funds were used appropriately to support the system; and
- Conduct a review of the long-term strategy for the management, resourcing, and oversight of SUNet.
OIG said three of its recommendations are resolved but remain open, while the recommendation to review the use of CARES Act funds did not receive a response from DoD.