DOD IG: Unsecured classified access points put lives at risk
The military is struggling to secure access to its classified network, a new report says, and those weaknesses could “pose a risk to the life and safety of [Department of Defense] personnel.”
The Army, Navy and Air Force have not corrected identified issues regarding the security of SECRET Internet Protocol Router Network, or SIPRNet, access points at military bases across the country, according to the DOD’s inspector general.
In an unclassified but heavily redacted report released in March, the IG details the services’ continual struggles to protect SIPRNet access points with physical and logical safeguards. Logical safeguards are system-based functions like firewalls, tokens and permission settings that virtually limit access to designated users.
As far back as 2013, the DOD IG has been reviewing SIPRNet access point security across the services. In this latest review, officials have not corrected issues identified in early audits, such as ensuring “that approving officials maintained completed and approved user access forms because officials did not have a process to verify the accuracy and completeness of SIPRNET access forms.” They also didn’t ensure users had complete their annual security training.
These missteps, as well as others that are redacted “for official use only,” come with potentially heavy consequences.
“Because the SIPRNET supports classified war-fighting and planning applications, the problems we identified with the Army, Navy, and Air Force logical or physical security safeguards could pose a risk to the life and safety of DoD personnel, impact Military programs and operations, and lead to accidental or negligent exposure of classified information on the SIPRNET,” the report says.
According to the report, the DOD’s Office of the CIO “is still working to address the recommendations related to logical and physical security safeguards,” thus leaving the concerns unresolved.
Army officials told the IG they will deal with security gaps independently. Regarding the logical safeguards, the Office of the Army CIO will “review policy gaps and issue new policy within 1 year after the final report is issued.”
