Watchdog: DOD needs to improve cybersecurity
By Sean D. Carberry
Dec 15, 2016
According to a new summary of 21 different unclassified audits and reports, the Department of Defense has deficiencies in seven of eight critical cybersecurity metrics.
The cybersecurity summary by the DOD Office of Inspector General, dated Dec. 13, states that despite past warnings, the DOD continues to fall short in meeting Federal Information Security Modernization Act cybersecurity requirements.
The DOD OIG report is a digest of reports issued between Aug. 1, 2015 and Jul. 31, 2016. The DOD audit community and the General Accountability Office provided 61 different recommendations related to the FY 2016 IG FISMA metrics during that period.
Areas of recurrent weakness include identity management, access management, privacy training and configuration management.
"As recent audit reports identify, the DOD continues to face challenges in protecting and securing its networks, systems and infrastructure from cyber threats and increasing its overall cyber capabilities," reads the report. "One of the most important challenges is the continuous effort to protect the DOD's systems and networks from increasingly sophisticated cyber-attacks."
Specific examples cited include failing to require performance of software assurance countermeasures during weapons systems acquisition, improperly implementing project management resource tools and failing to review account access.
The report states that in addition to the 61 recommendations made during the reporting period, there were 166 unresolved cybersecurity recommendations as of Aug. 1, 2015, of which 28 were corrected during the following year.
The report states that a previous audit found DOD components are still not in full compliance with Homeland Security Presidential Directive 12, released in 2004, which outlines identification standards for federal employees and contractors.
"The report identified the lack of compliance leaves national security and Privacy Act information vulnerable to compromise and places soldiers, family members, civilians, and critical infrastructures at greater risk of an adverse incident occurring," OIG said.
"The DOD audit community and the GAO attributed their findings to the lack of clear guidance and noncompliance with Federal and DOD guidance and identified recommended actions to correct the cybersecurity weaknesses and improve DOD cybersecurity," the report states.
The report cautions that as the DOD increases its reliance on cyberspace "to enable its military, intelligence and business operations to perform the full spectrum of military operations," it's all the more critical for the department to address the cybersecurity weaknesses outlined in the report.
The report states that as it is a summary of previously issued audits, the OIG did not submit a draft to the DOD for comments.
The DOD did not respond to FCW's request for comments, and the OIG did not respond to FCW's query on whether the DOD had implemented any of the outstanding recommendations since the end of the reporting period on July 31.