(U) Audit of the DOD's Use of Cybersecurity Reciprocity Within the Risk Management Framework Process [Redacted]
From the Objective: "(U) The objective of this audit was to determine whether DoD Components leveraged cybersecurity reciprocity to reduce redundant test and assessment efforts when authorizing information technology through the Risk Management Framework (RMF) process. This audit was conducted concurrently with audits conducted by the Military Department audit agencies: U.S. Army Audit Agency (AAA), Naval Audit Service (NAS), and Air Force Audit Agency (AFAA). (U) The AAA, NAS, and AFAA audits focused on the use of reciprocity within their respective Military Departments, whereas our audit focused on the use of reciprocity by a combatant command (U.S. Transportation Command), two Defense agencies (Defense Health Agency, and Defense Logistics Agency), and a DoD field activity (Defense Human Resources Activity). Each audit agency conducted their audits and issued their reports and recommendations separately. The results of the Military Department audit agencies are summarized in Appendix B."
Department of Defense, Office of Inspector General, Report No. DODIG-2022-041