The U.S. Government Accountability Office (GAO) found instances of omitted cybersecurity requirements, acceptance criteria, or verification processes in the Department of Defense (DOD) program contracts. While the DOD and the military services have developed a range of policy and guidance documents to improve weapon systems cybersecurity, the guidance fails to specifically address how acquisition programs should include cybersecurity requirements, acceptance criteria, and verification processes in contracts.
A senior DOD official said standardizing cybersecurity requirements is difficult and the department needs to better communicate requirements and systems engineering to the users that will decide whether or not a cybersecurity risk is acceptable, according to a report released by the GAO.
The acquisition programs excluded requirements from contracts or did not clearly define requirements, the GAO report found. The government is less likely to get what it wants if it omits all or part of its cybersecurity requirements, putting the entire network at risk.
The DOD guidance stated that these essential requirements should be treated like other types of system requirements. Cybersecurity requirements should be defined in acquisition program contracts, along with criteria for accepting or rejecting the work and for how the government will verify that the requirements have been met, the GAO report said.
Recent data from IBM Security X-Force revealed that the public sector, including defense, public administration, and government-provided services, ranked as the sixth most attacked in 2020, receiving 7.9 percent of all attacks on the top ten industries.
The GAO report describes the extent to which DOD has, in fact, made progress in implementing cybersecurity for weapon systems during the development phase. It also accounted for the extent to which the DOD and the military services developed guidance for incorporating weapon systems cybersecurity requirements into contracts.
Among the four military services GAO reviewed, it found that only the Air Force issued service-wide guidance that describes how acquisition programs should define cybersecurity requirements and incorporate those requirements in contracts. The other services could benefit from a similar approach in developing their own guidance.
Since the GAO’s 2018 report, DOD has made progress incorporating cybersecurity into the acquisition process. At the macro level, additional cybersecurity guidance and resources helped to further ingrain cybersecurity practices into the DOD culture, the GAO report said. However, the additional guidance has not addressed areas where programs struggled, such as how to translate cybersecurity concepts into detailed and specific cybersecurity requirements for contracts, on par with other system requirements.
The Air Force has taken positive actions to remedy this by developing internal guidance on how to incorporate program-specific cybersecurity requirements. The Army, Navy, and Marine Corps would benefit from a similar approach. Just as the Air Force leveraged and consolidated existing policies and guidance, the Army, Navy, and Marine Corps have opportunities to adapt existing practices, such as those in the Air Force, to fit their respective acquisition communities. Until these actions are taken, programs will continue to face cybersecurity risks and contracts may not include detailed and specific requirements.
DOD and each of the services have released detailed policies or guidance implementing a risk management framework (RMF), the GAO report finds. While DOD policies define weapon systems acquisition practices and objectives for cybersecurity, the services have a role in developing and issuing complementary guidance, as needed, for implementation within their own acquisition communities.
The GAO makes three recommendations, one to the Army and two to the Navy, including suggestions that the agencies develop guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts.