News
Regulation, Standards and Compliance
Reports

Some DOD contracts did not meet cybersecurity requirements, GAO finds

March 08, 2021
cybersecurity requirements

The U.S. Government Accountability Office (GAO) found instances of omitted cybersecurity requirements, acceptance criteria, or verification processes in the Department of Defense (DOD) program contracts. While the DOD and the military services have developed a range of policy and guidance documents to improve weapon systems cybersecurity, the guidance fails to specifically address how acquisition programs should include cybersecurity requirements, acceptance criteria, and verification processes in contracts.

A senior DOD official said standardizing cybersecurity requirements is difficult and the department needs to better communicate requirements and systems engineering to the users that will decide whether or not a cybersecurity risk is acceptable, according to a report released by the GAO.

The acquisition programs excluded requirements from contracts or did not clearly define requirements, the GAO report found. The government is less likely to get what it wants if it omits all or part of its cybersecurity requirements, putting the entire network at risk.

The DOD guidance stated that the essential requirements should be treated like other types of system requirements. The cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work, and for how the government will verify that requirements have been met, the GAO report said.

Recent data from IBM Security X-Force revealed that the public sector, including defense, public administration, and government-provided services, ranked as the sixth most attacked in 2020, receiving 7.9 percent of all attacks on the top ten industries.

The GAO report describes the extent to which DOD has, in fact, made progress in implementing cybersecurity for weapon systems during the development phase. It also accounted for the extent to which the DOD and the military services developed guidance for incorporating weapon systems cybersecurity requirements into contracts.

Among the four military services GAO reviewed, it found that only the Air Force issued service-wide guidance that describes how acquisition programs should define cybersecurity requirements and incorporate those requirements in contracts. The other services could benefit from a similar approach in developing their own guidance.

Since the GAO’s 2018 report, DOD has made progress incorporating cybersecurity into the acquisition process. At the macro level, additional cybersecurity guidance and resources helped to further ingrain cybersecurity practices into the DOD culture, the GAO report said. However, additional guidance has not addressed an area where programs struggled, such as how to translate cybersecurity concepts into detailed and specific cybersecurity requirements for contracts, on par with other system requirements.

The Air Force has taken positive actions to remedy this by developing internal guidance on how to incorporate program-specific cybersecurity requirements. The Army, Navy, and Marine Corps would benefit from a similar approach. Just as the Air Force leveraged and consolidated existing policies and guidance, the Army, Navy and Marine Corps have opportunities to adapt existing practices, such as those in the Air Force, to fit their respective acquisition community. Until these actions are taken, programs will continue to face cybersecurity risks and contracts may not include detailed and specific requirements.

DOD and each of the services has released detailed policies or guidance implementing a risk management framework (RMF), the GAO report finds. While DOD policies define weapon systems acquisition practices and objectives for cybersecurity, the services have a role in developing and issuing complementary guidance, as needed, for implementation within their service acquisition community.

The GAO makes three recommendations, one to the Army and two to the Navy, including suggestions that the agencies develop guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. Until these actions are taken, programs will continue to face cybersecurity risks and contracts may not include detailed and specific requirements.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
CISA declares winners of President’s Cup cybersecurity competition, with Artificially Intelligent team leading
CISA declares winners of President’s Cup cybersecurity competition, with Artificially Intelligent team leading
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience