Pentagon Isn't Following the Cyber Steps It Asks from Suppliers, GAO Says

The Defense Department shows a lack of follow-through on basic cyber hygiene initiatives it launched in recent years despite standing up an accountability program with related standards for its vendors, the Government Accountability Office said in a recent report. 

“Our analysis of the seven tasks that DOD is not currently tracking progress on are consistent with basic cybersecurity standards established by DOD guidance and [the National Institute of Standards and Technology]—and which DOD is planning to apply to certain defense contractors in future contract awards to protect DOD information that is stored or transits through their networks as a part of the Cybersecurity Maturity Model Certification framework,” GAO wrote in a report to congressional committees it released Monday.

GAO made seven recommendations based on its examination of DOD’s implementation of basic cyber practices, particularly around three initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD's Cyber Awareness Challenge training. 

The recommendations mainly addressed the department’s failure to designate specific components to track the progress of the initiatives toward putting accountability measures in place.

Related: Stop Hiding Vulnerabilities Found By Red Teams, Joint Staff to Tell Military

Related: Energy Dept. Has Thousands of 'Critical' Cyber Security Gaps, Auditors Say

Related: Small Contractors Struggle to Meet Cyber Security Standards, Pentagon Finds

“Selected components in the department do not know the extent to which users of its systems have completed” required training, for example, GAO wrote, noting department officials also couldn’t say how many workers were denied access to systems due to a lack of training.

DOD concurred with GAO’s recommendation that all DOD components require training developed by the Defense Information Systems Agency. But the department only partially concurred with four recommendations—including one that senior DOD leaders should have “more complete” information on the implementation of cybersecurity practices—and disagreed with two.

GAO’s mention of the CMMC came under its recommendation that the Pentagon identify a DOD component to oversee the implementation of seven tasks outlined in the Cybersecurity Discipline Implementation Plan, and report progress on them.

The tasks included actions such as commanders and supervisors ensuring hyperlinks are disabled in Outlook email clients and that there is alignment to a Computer Network Defense Service Provider with “properly exercised and documented” cyber incident response plans.

Industry has long resisted cybersecurity rules by arguing for a need to remain flexible in the face of a rapidly evolving threat.

In his response to the GAO, Defense Department Chief Information Officer Dana Deasy—who served as CIO of JP Morgan Chase before coming to Defense—took the same approach.

“DOD non-concurs with recommendation 3,” he wrote, noting that DOD has since rolled out a new cyber strategy and that the recommendation “will frustrate the Department’s efforts to keep pace with the changing tactics, techniques and procedures of our adversaries and the evolving changes in technology.”

That’s where GAO stood its ground, pointing out that the tasks it recommends tracking are the very ones the DOD will require prospective contractors to obtain certifications for under the CMMC.

“We disagree that implementing our recommendation would override the department’s recent efforts,” GAO wrote. “In fact, implementing the seven tasks would align with one of the 2018 DOD Cyber Strategy’s objectives to ‘secure DOD information and systems against malicious cyber activity.’

While the GAO agreed DOD should reassess cybersecurity priorities in light of changes in technologies, threats and vulnerabilities, it said the department “did not provide evidence during the audit or in responding to the draft report that the department had assessed the CDIP tasks required by the Deputy Secretary of Defense in 2015.” 

“Specifically, the department has not determined whether they remain valid or aligned with the current cybersecurity threat environment,” GAO wrote.

GAO specifically highlighted that the tasks in question are covered in NIST guidance on physical security, external information systems and incident response, in addition to DOD’s own requirements for protecting its information network. 

“If the Deputy Secretary of Defense does not implement this recommendation, the department will have less assurance that cybersecurity vulnerabilities are being addressed in a timely manner and systems are being securely configured,” GAO concluded.