Defense Digital Service directors tapped unauthorized tech without proper waivers, watchdog finds

Former Defense Digital Service directors improperly granted waivers to use IT tools and services that were not allowed by the Pentagon’s existing policies, according to a recent audit conducted by the Department of Defense’s Office of the Inspector General. 

The OIG’s report, publicly released on May 29, came after the watchdog’s hotline received a tip in January 2023 that officials with the Chief Digital and Artificial Intelligence Office, or CDAO, had granted themselves waivers to use unauthorized technologies. DDS is a component of the CDAO that works to onboard new digital technologies across the Pentagon. 

The audit found that two former DDS directors “exceeded their authority and granted waivers of multiple DOD policies to enable the DDS to use unauthorized digital service tools, including cloud‑based software development platforms and collaboration software, to store, process and transmit controlled unclassified information.” The watchdog said the unauthorized use of these tools first began in 2015. 

The DDS charter, issued in January 2017, allowed the organization’s directors to “request waivers to DOD policies that would otherwise impede DDS engagements,” although the officials were directed to first “request and receive approval for the waivers from the DOD components that issued the policies.”

Without following the proper procedures, the watchdog found that DDS and other DOD officials “were able to disregard the cybersecurity requirements of seven DOD policies,” which it said “exposed DOD information to additional cybersecurity risk and increased the risk of compromise.” 

The OIG noted that this included the approval of a redacted “text messaging application” for official discussions regarding the storage and processing of controlled unclassified information on DOD systems. A previous report issued by DOD’s OIG in June 2021 found that DDS’s director at the time violated the department’s policy by using and encouraging the use of the encrypted messaging app Signal. 

DDS’s legal council told the watchdog that the directors’ use of the self-granted waivers “was essentially established by precedent” when the organization’s inaugural head issued the first such waiver. The OIG added that the continued use of these waivers occurred because the Office of the Secretary of Defense “did not establish effective internal controls to ensure that the DDS director exercised their authorities as intended.” 

The audit also randomly reviewed 10 DDS “engagements” — work with DOD components to improve their digital services — to determine whether they met their intended purposes.

While the selected engagements were redacted in the public report, the watchdog said it was unable to determine whether five of the organization’s efforts achieved their goals “because DDS officials did not maintain adequate and proper records of the purpose, work completed and results of those engagements.”

OIG made 15 recommendations in its report, including calling for the Chief Digital and Artificial Intelligence Officer to develop a clear waiver process for the agency’s components and for CDAO to “assess the hardware, software, cloud services, networks and any other tools used by the DDS since 2015 to ensure compliance with DOD cybersecurity requirements.”

CDAO concurred with the watchdog’s recommendations, although the Washington Headquarters Services — which was tasked with providing DDS guidance on the development of a records management program — disagreed with OIG’s recommendation that it ensure the components it works with have established management plans.