The Government Accountability Office (GAO) says the Department of Defense (DOD) has not fully implemented its key initiatives and practices aimed at improving cyber hygiene. Carnegie Mellon University defines cyber hygiene as a set of practices for managing the most common and pervasive cybersecurity risks.
DOD has become increasingly reliant on information technology, and risks invariably increase as cybersecurity threats evolve. DOD’s Principal Cyber Advisor says 90 percent of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices.
GAO’s cyber hygiene review found DOD has developed lists of the techniques that adversaries use most frequently and pose significant risk to the department. The department has also identified practices to protect DOD networks and systems against these techniques, but does not know the extent to which these practices have been implemented. Officials told GAO that the absence of this knowledge is due in part to no DOD component monitoring implementation.
There does appear to be a lack of a unified approach at DOD in terms of cyber defense. GAO’s report follows the DOD Inspector General’s (IG) March findings that the department has not consistently mitigated cyber vulnerabilities identified in a 2012 report. IG found that the department did not establish a unified approach to support and prioritize DOD Cyber Red Team missions. According to the March 17 report, “DOD components implemented component-specific approaches to staff, train and develop tools for DoD Cyber Red Teams, and prioritize DoD Cyber Red Team missions.”
In discussions with GAO, DOD officials identified three department-wide cyber hygiene initiatives, which are in varying states of implementation: the 2015 DOD Cybersecurity Culture and Compliance Initiative (DC3I), the 2015 DOD Cyber Discipline Implementation Plan (CDIP), and DOD’s Cyber Awareness Challenge training.
The Culture and Compliance Initiative set forth 11 overall tasks expected to be completed in fiscal year 2016. It includes cyber education and training, integration of cyber into operational exercises, and needed recommendations on changes to cyber capabilities and authorities. However, GAO’s review found that seven of these tasks have not been fully implemented.
The Cyber Discipline plan has 17 tasks focused on removing preventable vulnerabilities from DOD’s networks that could otherwise enable adversaries to compromise information and systems. Of these 17, the DOD Chief Information Officer is responsible for overseeing implementation of 10 tasks. While the Deputy Secretary set a goal of achieving 90 percent implementation of the 10 CIO tasks by the end of fiscal year 2018, GAO found four of the tasks have not been implemented. Further, the completion of the other seven tasks was unknown because no DOD entity has been designated to report on the progress.
The Cyber Awareness Challenge training is intended to help the DOD workforce maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure. GAO found that selected components in the department do not know the extent to which users of their systems have completed this required training. The review of 16 selected components identified six without information on system users that had not completed the required training, and eight without information on users whose network access had been revoked for not completing training.
GAO’s report notes that senior DOD leaders receive two recurring reports on the department’s cybersecurity posture that include information on one cyber hygiene initiative. The Cyber Hygiene Scorecard (Scorecard) is a report measuring compliance with DOD cybersecurity policies, procedures, standards and guidelines. The Cyber Landscape Report is a quarterly report that includes information highlighting cybersecurity risks to DOD networks, U.S. critical infrastructure, DOD weapon systems, the cloud, and DOD’s cyber workforce.
But GAO says these two recurring reports lack information about cyber hygiene practices to protect DOD networks from key cyberattack techniques. Specifically, neither the Scorecard nor the Cyber Landscape Report includes information on the extent that the DC3I and the Cyber Awareness Challenge training have been implemented. DOD officials told GAO that neither of the two recurring reports identifies key cyberattack techniques the department faces nor do they include information on the extent that the department has implemented cyber hygiene practices to protect DOD networks from these techniques.
GAO’s review found that senior DOD leaders are not receiving complete information in part because the DOD CIO has not assessed the extent that the missing information could improve senior leaders’ ability to make risk-based decisions. DOD officials told GAO that the DOD CIO has not revised the recurring reports or developed a new report in response to such an assessment. In response, DOD CIO officials said that they do not believe that senior DOD leaders need to be made aware of all cyber hygiene topics and that such information could sometimes be managed at lower echelons within the organization.
It is worth noting, however, that the DC3I memorandum requires information about its progress to be reported to senior leaders, and NIST guidance calls for similar reporting.
GAO made seven recommendations to DOD to address the shortcomings:
- Ensure implementation of the DC3I tasks.
- Develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO.
- Identify a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them.
- Accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training.
- Ensure all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training.
- Direct a component to monitor the extent to which practices are implemented to protect the department’s network from key cyberattack techniques.
- Assess the extent to which senior leaders have more complete information to make risk-based decisions, and revise the recurring reports (or develop a new report) accordingly.
DOD concurred with recommendation 5, and partially concurred with recommendations 1, 2, 4, and 7.
It did not agree that a DOD component should be identified to oversee the implementation of tasks not overseen by the CIO, claiming this would override recent efforts and focus instead on areas of lower risk. GAO maintains that its analysis shows these tasks, on which DOD is not currently tracking progress, are consistent with basic cybersecurity standards established by DOD guidance and NIST, standards which DOD is planning to apply to certain defense contractors in future contract awards, as part of the Cybersecurity Maturity Model Certification framework, to protect DOD information that is stored on or transits through their networks. For example, one task requires commanders and supervisors to ensure physical security of their network infrastructure devices, and this task aligns with general NIST guidance regarding physical access protections.
Finally, DOD did not concur with GAO’s sixth recommendation that a component monitor the extent of implementation of practices to protect the department’s network from key cyberattack techniques. The department’s response was redacted from the report because it contained sensitive information.