Whistleblower Protection: Analysis of DOD's Actions to Improve Case Timeliness and Safeguard Confidentiality
Fast Facts
People can report potential misconduct, fraud, and other wrongdoing involving DOD personnel to one of several DOD Inspector General offices. Those offices safeguard whistleblowers' personal information in order to protect them from retaliation—such as a demotion. Confidentiality can also encourage reporting.
Yet, we found that some of the guidance for the investigators doesn’t specify some key steps to protect confidentiality, and Inspector General offices have not fully restricted access to information to only those who need to know.
We made 12 recommendations to help protect whistleblowers and improve investigations.
Highlights
What GAO Found
The Department of Defense Office of Inspector General (DODIG) and military service offices of inspector general (IG) met some but not all fiscal year 2018 timeliness and quality goals for handling whistleblower complaints. For example, DODIG met its goals related to referring complaints to the appropriate agency within a certain number of days. All IGs also generally met goals related to the quality of investigations. However, about 85 percent of DODIG reprisal and senior official misconduct investigations exceeded statutory and internal timeliness goals. Further, military service IGs did not meet most goals for handling cases within prescribed timeframes. For example, the service IGs averaged between 17 and 84 days to notify DODIG of their receipt of whistleblower reprisal allegations, exceeding the 10-day goal. The IGs have various initiatives underway to improve timeliness, such as a Naval IG program to reduce timeframes for initial credibility determinations. However, additional actions could provide a more targeted approach to improving performance against unmet timeliness goals—such as for senior official misconduct investigations—and better assure whistleblowers that their cases will be handled expeditiously.
DODIG and the military service IGs have policies to protect whistleblower confidentiality, but some gaps exist. For example, DODIG guidance for protecting whistleblowers who report internal DODIG misconduct does not specify key steps investigators should take to protect confidentiality, such as not identifying complainants during interviews with case subjects. Also, Air Force, Naval, and Marine Corps IG guidance does not specify when whistleblower identities can be disclosed without consent. Without updated guidance, the IGs cannot ensure the consistent implementation of confidentiality protections.
The IGs have taken steps to safeguard whistleblower information in their information technology (IT) systems and applications, such as by restricting access to case information through unique user permissions and by taking actions to follow DOD's IT risk management process. However, between 2016 and 2018, employees in all of the IGs have been able to access sensitive whistleblower information without a need to know. For example, DODIG determined that numerous restricted whistleblower records in its document repository were accessible to DODIG personnel without a need to know. Similarly, the Air Force IG's application did not restrict users from other DOD components from viewing Air Force IG case descriptions and complainant identities, while the Army IG's application and the Naval IG's system did not restrict personnel within those IGs from viewing allegations or investigations involving other personnel within those IGs. Additionally, employees in Marine Corps IG offices were able to see whistleblower cases assigned to other IG offices without a need to know. While some actions have been taken to address these issues, additional steps are needed to restrict access to case information in order to mitigate ongoing risks to whistleblower confidentiality.
DODIG generally met key documentation requirements for the 125 cases it dismissed without investigation involving civilian DOD Presidential appointees with Senate confirmation.
Why GAO Did This Study
Safeguarding confidentiality to the maximum extent possible is essential for encouraging whistleblowers to report wrongdoing without fear of reprisal. In fiscal year 2018, DODIG received over 12,000 contacts from potential whistleblowers related to fraud, waste, abuse, employee misconduct, or other violations. The National Defense Authorization Act for Fiscal Year 2017 included a provision for GAO to review the integrity of DOD's whistleblower program. This report assesses the extent to which DODIG and the military service IGs (1) met and took steps to achieve key fiscal year 2018 timeliness and quality goals, (2) established processes to protect whistleblower confidentiality, and (3) are able to safeguard sensitive information necessary to handle whistleblower complaints. It also evaluates (4) the extent to which select cases involving certain senior DOD civilian officials met key requirements.
GAO assessed fiscal year 2018 IG performance data, surveyed all 108 DODIG employees who directly handle whistleblower complaints, reviewed IT security controls, and analyzed all 125 cases involving civilian DOD Presidential appointees with Senate confirmation dismissed by DODIG in fiscal years 2013-2017.
Recommendations
GAO is making 12 recommendations, including that the IGs take additional actions to improve timeliness, develop additional procedures to protect whistleblower confidentiality, and take steps to further limit IG employee access to sensitive whistleblower information. DOD concurred with all of the recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Defense | The DOD Inspector General should coordinate with the IGs of the military services to take additional actions to improve performance against unmet timeliness goals. This includes steps to improve performance of senior official misconduct investigations and military service reprisal intakes, and to resolve disagreement on notifications. (Recommendation 1) | The DOD Inspector General concurred with this recommendation, and in December 2019 reported to the Chairs of the Senate and House Armed Services Committees that DOD and the military service Inspectors General had convened a working group to coordinate performance improvement on unmet timeliness goals. According to the IG, the working group's recommendations are being incorporated into uniform standards for reprisal investigations that were expected to be finalized in the second quarter of fiscal year 2020. In January 2022, DODIG provided GAO with evidence of actions it took in October 2021 to implement part of this recommendation. Specifically, DODIG issued guidance informing military service IGs to promptly notify DODIG of receiving all allegations of reprisal or restriction. This guidance clarifies conditions under which military service IGs can close complaints without DODIG consultation, which would improve reprisal intake timeliness and resolve disagreement on notifications. To fully implement this recommendation, DODIG needs to provide evidence of actions taken to improve timeliness for senior official misconduct investigations. In December 2022, DODIG officials told us that a new DOD instruction for senior official misconduct investigations, which will address timeliness, is expected to be complete in September 2024. As of August 2024, this recommendation remains open pending update from DODIG. |
Department of Defense | The DOD Inspector General should issue formal guidance documenting procedures for protecting the confidentiality of whistleblowers throughout its internal misconduct investigation process. (Recommendation 2) | The DOD Inspector General concurred with this recommendation. In October 2019, the Director of the Office of Professional Responsibility (OPR) issued a memorandum with specific guidance for OPR personnel on protecting confidential information during misconduct investigations. For example, the guidance instructs OPR investigators to use a dedicated office that permits confidential meetings for conversations and document review. The same month, DODIG General Counsel issued a memorandum setting forth procedures for referring allegations of wrongdoing to the Council of the Inspectors General on Integrity and Efficiency (CIGIE) Integrity Committee and controlling access to related records. In January 2020, DODIG issued a new instruction that revises and updates policies, procedures, and responsibilities for OPR, including the protection of whistleblower confidentiality. By developing guidance that incorporates procedures to protect confidentiality and documents how to maintain whistleblower confidentiality throughout the CIGIE referral process, DODIG has gained reasonable assurance that its process for investigating internal misconduct allegations can fully protect the confidentiality of whistleblowers. |
Department of Defense | The Air Force Inspector General should establish procedures to fully reflect and implement DOD policy on the protection of whistleblower confidentiality. (Recommendation 3) | The Air Force Inspector General concurred with this recommendation and, in January 2024, updated Department of the Air Force Instruction 90-301 to address specific conditions under which information disclosures may be made without complainant consent, such as emergency situations and situations where the recipient authority has jurisdiction over the matter. By updating its instruction, the Air Force Inspector General is supporting more consistent implementation of confidentiality protections within its office. |
Department of Defense | The Marine Corps Inspector General should establish procedures to fully reflect and implement DOD policy on the protection of whistleblower confidentiality. (Recommendation 4) | The Marine Corps Inspector General (IGMC) concurred with this recommendation. In June 2022, IGMC provided GAO guidance dated July 2019, which prohibits IGMC from disclosing the identity of any complainant without their consent. Relatedly, in January 2022, the DOD Inspector General provided GAO a copy of an IGMC Assistance Division Internal memo, dated March 2019, which provides guidance to IGMC officials handling cases in which complainants request to remain anonymous and confidential, and instructs officials to redact any identifying information from a complaint when referred if the complainant does not provide consent to make such a disclosure. Finally, in May 2022, IGMC provided GAO with a 2019 user manual for its new complaint database, which describes internal controls to ensure complainant identities are properly safeguarded. By updating guidance and database functionality that protects complainant confidentiality, the Marine Corps Inspector General has helped ensure the consistent implementation of confidentiality protections within the Marine Corps IG and therefore addressed the intent of our recommendation. |
Department of Defense | The Naval Inspector General should establish procedures to fully reflect and implement DOD policy on the protection of whistleblower confidentiality. (Recommendation 5) | The Naval Inspector General concurred with this recommendation. In February 2020, the Naval IG issued a policy memorandum that establishes the Naval IG Enterprise Hotline complainant confidentiality policy. The confidentiality policy addresses DOD Instruction 7050.01 requirements related to complainant identity disclosures without consent. Specifically, the policy memorandum states that complainant identity could be disclosed if (1) the complainant has made it known outside of the IG that they submitted the complaint, (2) the Naval IG Hotline Director determines the disclosure is unavoidable to address the matters raised by the complainant, or (3) disclosure is required to address an emergency situation. In addition, the policy states that complainants are to sign a confidentiality waiver to deny or grant consent for the Naval IG hotline to disclose their identity outside the Naval IG on a need-to-know basis. Subsequently, in September 2021, the Naval IG updated its Hotline standard operating procedure to require that reports of investigation referred to command for corrective action be redacted prior to referral. By issuing this confidentiality policy and updating its Hotline standard operating procedure, the Naval IG is better able to ensure consistent implementation of confidentiality protections within its office. As of April 2022, we have closed this recommendation as implemented. |
Department of Defense | The DOD Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access to sensitive whistleblower information in the current case management system and associated document repository is limited to information that is necessary to accomplish assigned tasks. (Recommendation 6) | The DOD Inspector General concurred with this recommendation. In September 2019, DODIG drafted, but did not finalize or approve, two draft standard operating procedures - one for reviewing user access in DODIG's document management repository and another for removing access to user case management system accounts assigned to former employees. In September 2022, DODIG informed us that a new enterprise case management system replaced its prior case management system in July 2021. As a result, interim actions to secure access to the previous case management system and associated repository could no longer be taken. Although the standard operating procedures were not fully implemented, DODIG has demonstrated that interim actions were considered, thereby meeting the intent of our recommendation. |
Department of Defense | The DOD Inspector General should coordinate with the IGs of the military services to develop a plan to fully restrict case access in the future whistleblower enterprise case management system so that user access is limited to information necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 7) | The DOD Inspector General concurred with this recommendation, and in December 2019 reported to the Chairs of the Senate and House Armed Services Committees that the future whistleblower case management system would incorporate design limits providing for access to information only by personnel necessary to accomplish assigned tasks in accordance with organizational missions and business functions. In September 2022, DODIG provided documentation reflecting the D-CATSe system access model. The model combines business units, role-based security, and record-based security to establish access controls and segregate information within and across organizations based on business needs. By implementing a model to restrict user access to cases in D-CATSe, DODIG has met the intent of our recommendation and strengthened the confidentiality and integrity of sensitive whistleblower information. |
Department of Defense | The DOD Inspector General should enhance its process for periodically reviewing whistleblower case management system and document repository user privileges by including steps to ensure that such privileges remain valid after system updates, as appropriate. (Recommendation 8) | The DOD Inspector General concurred with this recommendation. In response, between September 2022 and September 2024, the DOD Office of Inspector General (DODIG) provided GAO documentation to support that its new case management system, D-CATSe, has security measures in place to ensure that only users with a need to know can access the system and document repository and that user privileges are validated after system updates. For example, DODIG provided documentation showing that D-CATSe is a CAC-enabled application that uses an individual's credentials to validate their identity prior to accessing the application or document repository. According to IG officials, DODIG personnel use this information to create and delete accounts when new users join and existing users depart the DODIG. In addition, DODIG enhanced its existing quarterly review and validation process by implementing an automatic verification in D-CATSe to ensure access rights to both D-CATSe and the document repository are maintained after system updates. By implementing a process to ensure user privileges remain valid after system updates, DODIG has strengthened its ability to control user accounts and prevent unauthorized access to sensitive whistleblower records without a need to know. |
Department of Defense | The Air Force Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access for users of existing applications is limited to information that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 9) | The Air Force Inspector General concurred with this recommendation. In June 2022, Air Force IG provided GAO with documentation of actions it took in August 2020 to implement this recommendation. Specifically, the Air Force IG made system updates to its case management system to (1) ensure users within a directorate cannot view complaints or investigations within a different directorate; (2) allow administrators to exclude visibility of a case by individual users who are listed as the subject in the complaint or who have a relationship with the complainant, including both IG employees and contractors; and (3) systematically track whether or not complainants gave consent for their identity to be released outside of the IG. Taken together, these system updates restrict other DOD component IGs and contractors from viewing case descriptions and complainant identities for cases belonging to the Air Force IG or cases involving contractor employees. By restricting access to whistleblower information, the Air Force IG has mitigated risks to whistleblower confidentiality by reducing the potential for unauthorized employee access of whistleblower records. |
Department of Defense | The Army Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access for users of existing applications is limited to information that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 10) | The Army Inspector General concurred with this recommendation, and in August 2020 Army IG provided GAO with evidence of actions it took in September 2019 to implement this recommendation. Specifically, Army IG updated code in its case management system to prevent any IG user from accessing any case where the user is or has been a subject or suspect of an IG investigation. The system code was also updated to ensure only specific Army IG officials with a need to know have access to allegations involving IG staff. By updating its case management system to restrict access to sensitive information for officials without a need to know, Army IG is reducing the potential for unauthorized employee access of whistleblower records. |
Department of Defense | The Marine Corps Inspector General should develop a plan to ensure that its redesigned whistleblower case management application restricts user access to information based on what is needed to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 11) | The Marine Corps Inspector General concurred with this recommendation. In May 2022, Marine Corps IG told GAO that in August 2019 it created a user manual for its new complaint database - the Inspector General Case Action Manager (IGCAM). The IGCAM user manual demonstrates that the Marine Corps IG has created user roles that limit access to records, and Command IGs can only view, edit, and access records within their own Command IG and not from other Command IGs. In August 2022, the office of the Marine Corps IG conducted a functional check of IGCAM to test the application's data integrity when processing multiple search requests simultaneously. The functional check confirmed that the application maintains data integrity when multiple search requests occur at the same time from different users. By implementing a new database with access control functionality and updating user roles, the Marine Corps IG has met the intent of our recommendation and thereby better ensured the confidentiality and integrity of sensitive whistleblower information on a continuing basis. |
Department of Defense | The Naval Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access for users of existing applications is limited to information that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 12) | The Naval Inspector General concurred with this recommendation, and in May 2022 provided GAO with evidence of actions it took in November 2019 to implement this recommendation. Specifically, Naval IG revised its database access control policy to reflect the concept of least privilege, wherein users are granted the least number of privileges necessary to perform assigned tasks. Among other things, this policy states that when creating user accounts in the case management system, the Naval IG should identify the business purpose for system access and grant users the least number of privileges necessary to perform assigned tasks. In addition, the policy requires that user accounts be disabled after 30 days of inactivity in order to prevent unauthorized system use. By updating its policy to restrict access to only individuals with a need to know, the Naval IG has mitigated existing risks to whistleblower confidentiality by reducing the potential for unauthorized employee access to whistleblower records. |