Three U.S. combatant commands and the Defense Department’s IT support agency failed to follow cybersecurity protocols when handling classified mobile devices, according to a Defense Department Office of the Inspector General report released Monday.

The heavily redacted report, entitled the “Audit of Cybersecurity of DoD Classified Mobile Devices,” said U.S. European Command, two subcomponents of U.S. Special Operations Command and the Defense Information Systems Agency didn’t maintain an accurate inventory record of devices, a misstep that could leave sensitive information vulnerable to cyber threats.

“Security for DoD mobile devices is essential for safeguarding national security, protecting classified data, and ensuring the integrity of the DoD’s missions,” Pentagon Inspector General Robert P. Storch said in a release. “Securing these devices is not merely a technical priority; it’s a critical operational mandate that enables the DoD to fulfill its mission safely and effectively.”

The audit looked at 43 devices from the Defense Information Systems Agency, 21 devices from the U.S. European Command, four devices from the U.S. Special Operations Command Headquarters and five devices from the U.S. Special Operations Command Central.

The audit found that the organizations kept incomplete device records, which should include the name and defense agency of the user, type of device, serial number of device, phone number, classification of data stored on device and the conditions for when and how the device is to be used.

Those in charge of managing and tracking the devices came up short, the report found, partly due to their inability to handle the uptick in mobile device usage after the COVID-19 pandemic began in 2020, an event that forced many into a telework situation.

The report also found that the inventory records for the Defense Information Systems Agency and U.S. Special Operations Commands Headquarters in some cases had the wrong information for devices.

The DOD Office of Inspector General recommended the U.S. European Command and U.S. Special Operations Command immediately fix inventory records to reflect all classified mobile devices, revamp the classified mobile device program and its training and revisit the reason for each individual’s use of a classified device to determine if they need it, among other recommendations. Both agencies complied with the recommendation, according to the report.

The audit further called for the Defense Information Systems Agency to fix its inventory records and develop a new process for keeping accurate inventories. The agency responded that it would devise a way to keep its inventory records up to date.

The report also asked the Defense Department to nudge agencies under its umbrella to follow the report’s recommendations.

The DOD Office of Inspector General has made several pushes to address cybersecurity weaknesses, releasing a special report in March highlighting weak passwords and a bucking of multifactor authentications for Defense Department contractors. The report found that between 2018 to 2023 five audits revealed DOD officials were unable to properly check whether contractors were following cybersecurity requirements.

Riley Ceder is a reporter at Military Times, where he covers breaking news, criminal justice, investigations, and cyber. He previously worked as an investigative practicum student at The Washington Post, where he contributed to the Abused by the Badge investigation.

Read the full article here