
Watchdog: DOD needs to improve cybersecurity

 

According to a new summary of 21 different unclassified audits and reports, the Department of Defense has deficiencies in seven of eight critical cybersecurity metrics.

The cybersecurity summary by the DOD Office of Inspector General, dated Dec. 13, states that despite past warnings, the DOD continues to fall short in meeting Federal Information Security Modernization Act cybersecurity requirements.

The DOD OIG report is a digest of reports issued between Aug. 1, 2015 and Jul. 31, 2016. The DOD audit community and the General Accountability Office provided 61 different recommendations related to the FY 2016 IG FISMA metrics during that period.

Areas of recurrent weakness include identity management, access management, privacy training and configuration management.

"As recent audit reports identify, the DOD continues to face challenges in protecting and securing its networks, systems and infrastructure from cyber threats and increasing its overall cyber capabilities," reads the report. "One of the most important challenges is the continuous effort to protect the DOD's systems and networks from increasingly sophisticated cyber-attacks."

Specific examples cited include failing to require performance of software assurance countermeasures during weapons systems acquisition, improperly implementing project management resource tools and failing to review account access.

The report states that in addition to the 61 recommendations made during the reporting period, there were 166 unresolved cybersecurity recommendations as of Aug. 1, 2015, of which 28 were corrected during the following year.

The report states that a previous audit found DOD components are still not in full compliance with Homeland Security Presidential Directive 12, released in 2004, which outlines identification standards for federal employees and contractors.

"The report identified the lack of compliance leaves national security and Privacy Act information vulnerable to compromise and places soldiers, family members, civilians, and critical infrastructures at greater risk of an adverse incident occurring," OIG said.

"The DOD audit community and the GAO attributed their findings to the lack of clear guidance and noncompliance with Federal and DOD guidance and identified recommended actions to correct the cybersecurity weaknesses and improve DOD cybersecurity," the report states.

The report cautions that as the DOD increases its reliance on cyberspace "to enable its military, intelligence and business operations to perform the full spectrum of military operations," it's all the more critical for the department to address the cybersecurity weaknesses outlined in the report.

The report states that as it is a summary of previously issued audits, the OIG did not submit a draft to the DOD for comments.

The DOD did not respond to FCW's request for comments, and the OIG did not respond to FCW's query on whether the DOD had implemented any of the outstanding recommendations since the end of the reporting period on July 31.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

