A Pentagon inspector general report, released on May 29, found that former directors of the Defense Digital Service (DDS) improperly granted waivers to use IT tools and services unauthorized by department policies.
Starting in 2015, two former DDS directors exceeded their authority by allowing the use of unauthorized digital service tools, such as cloud-based software development platforms and collaboration software, to store, process, and transmit controlled unclassified information.
DDS, part of the Chief Digital and Artificial Intelligence Office (CDAO), aims to integrate new digital technologies across the Pentagon. According to its January 2017 charter, DDS directors can request waivers to DoD policies that might hinder their projects. However, these waivers must first be approved by the DoD components that issued the policies.
The watchdog discovered that DDS and other DoD officials bypassed proper procedures, ignoring cybersecurity requirements from seven DoD policies, which increased the risk of compromising DoD information.
The inspector general's report also highlighted the unauthorized use of a redacted “text messaging application” for official discussions involving controlled unclassified information. A June 2021 report revealed that the DDS director at the time violated department policy by using and promoting the encrypted messaging app Signal.
According to DDS’s legal counsel, the use of self-granted waivers began with the organization's inaugural head, setting a precedent for subsequent directors. The OIG found that the continuation of this practice was partly due to the Office of the Secretary of Defense's failure to establish effective internal controls to ensure proper use of these authorities.
The audit reviewed ten DDS engagements with DoD components to enhance their digital services. Due to inadequate record-keeping by DDS officials, the inspector general could not determine whether five of these efforts met their goals.
The OIG made 15 recommendations, including the development of a clear waiver process by the Chief Digital and Artificial Intelligence Officer and an assessment of all hardware, software, cloud services, networks, and other tools used by DDS since 2015 for compliance with DoD cybersecurity requirements. The CDAO agreed with these recommendations, though the Washington Headquarters Services, tasked with guiding DDS on developing a records management program, disagreed with the OIG's recommendation to ensure the establishment of management plans for the components it collaborates with.