The Government Accountability Office (GAO) has found that Department of Defense (DOD) programs do not always incorporate cybersecurity requirements into contract language.
Contractors are only responsible for meeting the terms written in a contract, but some of the DOD contracts reviewed by GAO had no cybersecurity requirements when they were awarded, with only vague requirements added later.
DOD’s network of sophisticated, expensive weapon systems must work when needed, without being incapacitated by cyberattacks, yet GAO reported in 2018 that the Department was routinely finding cyber vulnerabilities late in its development process.
Last year, GAO identified gaps in DOD’s cyber hygiene and found a lack of a unified approach, echoing concerns raised a few weeks earlier by the Office of Inspector General.
A Senate report accompanying the National Defense Authorization Act for Fiscal Year 2020 included a provision for GAO to review DOD’s implementation of cybersecurity for weapon systems in development.
Since the 2018 report, DOD has taken action to make its network of high-tech weapon systems less vulnerable to cyberattacks. In a new GAO report, published March 4, DOD and military service officials highlighted areas of progress, including increased access to expertise, enhanced cyber testing, and additional guidance. And GAO found that selected acquisition programs have conducted, or planned to conduct, more cybersecurity testing during development than past acquisition programs.
Contracting for cybersecurity requirements is crucial. Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met. However, GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria, or verification processes. For example, GAO found that contracts for three of the five programs did not include any cybersecurity requirements when they were awarded.
Contractors told GAO that it is common for requests for proposals to include generic statements regarding cybersecurity, such as “be cyber resilient.” The contractors said such statements do not provide enough information to determine what the government wants or how to design a system.
During the review, a senior DOD official told GAO that standardizing cybersecurity requirements is difficult and the department needs to better communicate cybersecurity requirements and systems engineering to the users that will decide whether or not a cybersecurity risk is acceptable.
DOD and the military services have developed a range of policy and guidance documents to improve weapon systems cybersecurity, but GAO’s report noted that the guidance usually does not specifically address how acquisition programs should include cybersecurity requirements, acceptance criteria, and verification processes in contracts. Among the four military services GAO reviewed, only the Air Force has issued service-wide guidance that details how acquisition programs should define cybersecurity requirements and incorporate those requirements in contracts.
GAO is recommending that the Army, Navy, and Marine Corps provide guidance on how programs should incorporate tailored cybersecurity requirements into contracts. DOD has agreed with the substance of the recommendation.
DOD also continues to face long-term challenges in developing cybersecurity expertise within its acquisition workforce and supporting roles. For example, the 2019 Annual Report of DOD’s Office of the Director, Operational Test and Evaluation states that there is a widening gap in capabilities between DOD’s cyber test teams and nation-state threats. The report further states that closing that gap will require a significant investment of resources. Several DOD officials within Office of the Secretary of Defense-level organizations told GAO that there are still concerns about whether staff with the appropriate skills are sufficiently involved in key acquisition activities. For example, a senior official involved in developmental testing for cybersecurity said acquisition programs struggle to integrate experts with cybersecurity test engineering skills early in the design process, which would help improve test quality.
Meanwhile, officials from all five weapon system programs GAO met with said that they had adequate access to cybersecurity expertise despite some challenges hiring and retaining cybersecurity personnel.