
Department of Defense Policy and Oversight Report Assessment: On the Use of Non-Department of Defense Controlled Electronic Messaging Systems for Official Business

Based on a review of seven reports from the Office of the Inspector General of the Department of Defense up to the year, this study focuses on a systematic assessment of information confidentiality, compliance with record retention policies, and security risks.

Detail

Published: 07/02/2026

Key Chapter Title List

  1. Executive Summary
  2. Recommendations, Management Comments, and Our Response
  3. Introduction
  4. Objectives
  5. Findings
  6. Summary of DoD Policies Related to Sharing Information on Non-DoD Controlled Electronic Messaging Systems Concerning Classification, Declassification, and DoD Personnel
  7. DoD Reiterates Its Policies; However, Personnel Have Not Consistently Complied with Federal Law and DoD Policy Regarding Electronic Messages and Record Retention
  8. DoD Has Not Fully Implemented DoD OIG Recommendations on the Use of Non-DoD Controlled Electronic Messaging Systems
  9. Violations of DoD Policy and Incomplete Implementation of Report Recommendations Exacerbate Security Risks
  10. Recommendations, Management Comments, and Our Response
  11. Appendix A: Scope and Methodology
  12. Appendix B: Report Recommendation Status
  13. Appendix C: Summary of DoD Policies and Processes for Controlled Unclassified Information, Classification, and Declassification
  14. Appendix D: Chronological Summary of DoD Electronic Messaging System Policies and Guidance

Document Introduction

This report was prepared in response to a request from the Chairman and Ranking Member of the U.S. Senate Committee on Armed Services on March 26, 2025. It aims to assess Department of Defense (DoD) policies regarding the sharing of sensitive and classified information by government officials and employees on non-government networks and electronic applications, review its classification and declassification policies and processes, and provide recommendations on identified potential issues. The core of the report is a systematic review and summary of problems revealed in seven DoD Office of Inspector General (OIG) reports issued between 2021 and 2024, with improvement recommendations based on this foundation. It should be noted that the facts and circumstances of the specific incident that prompted this review request (involving the Secretary of Defense's use of the Signal application for official business) were addressed by a separate, independent DoD OIG report.

According to the report, multiple DoD policies and communication requirements establish the following key provisions: declassified information must be clearly marked and the declassification authority identified; the use of non-DoD controlled electronic messaging systems is prohibited in principle (allowed only under limited exceptions), and their use for convenience or perceived security is explicitly prohibited; DoD personnel must protect non-public DoD information; and DoD personnel must comply with federal law for retaining official records. However, the report's review of the seven prior reports found instances where DoD personnel failed to comply with policies on information and operations security, electronic message use, and record retention. For example, one assessment found that during the initial period of large-scale telework in the COVID-19 pandemic, because some DoD components were inadequately prepared, some teleworking personnel reported using unauthorized video conferencing applications, personal laptops, and mobile phones to complete their work. Furthermore, of the 48 recommendations contained in the seven reports summarized, 22 remained unimplemented at the time of this review.

These instances of non-compliance and delays in implementing recommendations have directly led to the accumulation and exacerbation of security risks. The use of non-DoD controlled electronic messaging systems by DoD personnel could jeopardize DoD operations or missions. Although DoD policy clearly states that if such systems are used, relevant personnel must transfer records to a DoD recordkeeping system within 20 days of sending the information, there are gaps in actual implementation. This discrepancy between policy and practice constitutes a significant information security and operations security vulnerability.

Based on the above findings, the report makes four specific recommendations to the DoD Chief Information Officer (CIO). Three of them have received responses from the official performing the duties of the DoD CIO and are considered resolved, pending the provision of implementation evidence for closure: providing a DoD-controllable capability that meets the needs for compliant information sharing internally, externally, across classification levels, and on mobile devices; requiring customized training for DoD political appointees, general/flag officers, and senior civilian executives on how to use mobile devices and applications compliantly; and clarifying and standardizing the waiver process within DoD electronic messaging policy. The fourth recommendation, to add information on the impacts and risks of using non-DoD controlled electronic messaging services to annual cybersecurity training, has met with management disagreement and is unresolved. The report also recommends that the Office of the Under Secretary of Defense for Intelligence and Security conduct a DoD-wide assessment to determine the prevalence and associated risks of personnel using non-DoD controlled electronic messaging systems for official business and submit the results to the CIO. This recommendation has received only partial agreement, with plans for a more limited risk assessment, which does not fully meet the intent of the recommendation; it is therefore also unresolved.

This assessment strictly adhered to the established scope and methodology, reviewing relevant policy documents, prior reports, and computer-processed data. It aims to provide evidence-based decision support to DoD leadership to strengthen information security management, ensure effective policy implementation, and mitigate systemic risks arising from the improper use of communication technologies.