GAO addresses cyber threats, calls for DOD to implement Cybersecurity Discipline Implementation Plan


In a report released by the U.S. Government Accountability Office (GAO) on Monday, the agency calls for the Department of Defense (DOD) to develop plans with scheduled completion dates to implement four tasks in the department’s Cybersecurity Discipline Implementation Plan that the DOD CIO oversees.

The GAO report, issued last month, identified 18 additional priority open recommendations for the DOD, taking the total number to 84. The recommendations fall into eight areas, including Navy readiness, cybersecurity and the information environment, healthcare, defense management, federal contracting, and financial management.

The cybersecurity component calls for the implementation of nine recommendations that would assist DOD in addressing cyber and electromagnetic spectrum threats to U.S. national and economic security, which are increasing in frequency, scale, sophistication, and severity of impact, Gene L. Dodaro, Comptroller General of the United States, wrote in a letter to the Secretary of Defense and Deputy Secretary of Defense, earlier this month. 

“In particular, they would drive improvements in work roles, cyber hygiene, personnel vetting, and electromagnetic spectrum operations,” according to Dodaro. “For example, we recommended that DOD direct a component to monitor the extent to which practices are implemented to protect the department’s network from key cyberattack techniques,” he adds. 

Following up on its April 2020 report calling on the DOD to take decisive actions to improve cyber hygiene, the GAO lays down five recommendations. First, it calls for the Secretary of Defense to ensure that the DOD Chief Information Officer (CIO) takes appropriate steps to ensure the implementation of the DOD Cybersecurity Culture and Compliance Initiative tasks. Additionally, the Secretary must ensure that DOD components develop plans with scheduled completion dates to implement four tasks in the department’s Cybersecurity Discipline Implementation Plan that the DOD CIO oversees.

The GAO report also said that the Secretary must ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven tasks in the Cybersecurity Discipline Implementation Plan that are not managed by the DOD CIO and report on progress implementing them. Furthermore, the report directs a component to monitor the extent to which practices are implemented to protect the department’s network from key cyberattack techniques.

The report said that the Secretary must ensure that the DOD CIO assesses the extent to which senior leaders have complete information to make risk-based decisions—and revise the recurring reports (or develop a new report) accordingly. For example, such information could include DOD’s progress in implementing cybersecurity practices identified in cyber hygiene initiatives and cyber hygiene practices to protect DOD networks from key cyberattack techniques.

The GAO report said that DOD partially concurred with the first, second, and fifth recommendations and did not concur with the third and fourth recommendations.

For the first recommendation, the report included status updates for seven of the 11 Cybersecurity Culture and Compliance Initiative tasks. “Based on the information provided, we determined that the seven tasks have not been implemented. For example, DOD has not fully implemented a task requiring that cybersecurity training briefs be developed for training leadership throughout the department,” the report adds. 

While U.S. Cyber Command developed two training briefs for DOD leadership, the briefs were not disseminated across DOD, according to DOD officials. As a result, DOD must complete all DOD Cybersecurity Culture and Compliance Initiative tasks to implement this recommendation fully. 

The DOD did not provide an update on actions taken to implement the second recommendation. However, the report says that DOD components still need to develop plans with scheduled completion dates for the four remaining Cybersecurity Discipline Implementation Plan tasks overseen by the DOD CIO. 

For the third recommendation, the department reported that it had completed the various Cybersecurity Discipline Implementation Plan tasks. However, to fully implement the third recommendation, DOD needs to identify a DOD component to oversee the seven tasks in the Cybersecurity Discipline Implementation Plan that are not governed by the CIO and report on their progress. 

The DOD did not provide an update on actions taken to implement the fourth recommendation. To implement this recommendation, DOD needs to direct a component to monitor the extent to which practices are implemented to protect the department’s network from key cyberattack techniques. 

For the fifth recommendation, DOD reported using three cybersecurity scorecards and that the DOD CIO reviews each of these to identify opportunities to provide leadership with complete information. “However, it is not clear which leaders within DOD components receive these reports. To implement this recommendation the CIO needs to complete its review of the scorecards, decide what actions related to providing cybersecurity information it will take as a result of the review, and follow through on those decisions,” the report says.

As of May this year, DOD had not provided an update on the status of these recommendations, GAO reports. “We maintain that implementing these recommendations would help secure DOD information and systems against malicious cyber activity,” it adds. 

Last August, the GAO identified 81 priority open recommendations for the DOD. Since then, DOD has implemented 12 recommendations, improving financial management, cybersecurity, and Navy readiness, among other areas. Additionally, GAO closed one priority recommendation related to DOD enterprise-wide business reform as unimplemented because the recommendation was no longer relevant.

The Congressional watchdog removed one priority recommendation related to headquarters resources and one priority recommendation related to acquisition programs because they no longer warranted priority attention, reducing the number of remaining priority open recommendations to 66.

Priority open recommendations are the GAO recommendations that warrant priority attention from heads of key departments or agencies. The adoption of these measures could save large amounts of money, improve congressional and/or executive branch decision-making on major issues, eliminate mismanagement, fraud, and abuse, or ensure that programs comply with laws and funds are legally spent, among other benefits.

The GAO report also called upon the Secretary of the Navy to develop guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. It also suggested that the Navy secretary should take steps to ensure the Marine Corps develops guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. 

The Navy concurred with the GAO’s recommendation to develop guidance for Navy acquisition programs and partially concurred with the recommendation to develop Marine Corps guidance, stating that a separate recommendation to the Marine Corps was unnecessary given that the Navy and Marine Corps operate under a single acquisition construct.

Earlier this month, the GAO disclosed in a recent report that the DOD is developing systems able to incorporate multiple PNT sources simultaneously using an open systems approach to facilitate the ability to integrate new technologies. In addition, the report identified 11 efforts aimed at providing alternatives to GPS.
