DOD CIO lags in implementing cyber law


Congress passed landmark cybersecurity legislation in late 2015, but the Pentagon hasn't done much to put the law in play, according to a watchdog report.

The Cybersecurity Information Sharing Act required Defense Department component agencies to come up with plans and procedures for sharing threat indicators with civilian and non-governmental entities.

A Nov. 8 report by the Department of Defense Office of Inspector General focused on CISA implementation by the National Security Agency, the Defense Information Systems Agency, Cyber Command and the DOD Cyber Crime Center, known as DC3.

The report concluded that the uneven and inconsistent implementation of CISA requirements was due to the lack of a DOD-wide policy from the CIO.

"As a result, the DOD limited its ability to gain a more complete understanding of cybersecurity threats since it did not fully leverage the collective knowledge and capabilities of sharing entities, or disseminate internally generated cyber threat indicators and defensive measures with other federal and non‑federal entities," the report stated.

DISA and Cyber Command lacked policies for sharing cyber threat indicators, while DC3 wasn't always checking on whether it was sharing cyber threat indicators with cleared private-sector personnel via the secret DIBNet-U portal that hosts information on Defense Industrial Base companies.

The report also mentioned that NSA can't receive cyber threat indicators or defensive measures via the Department of Homeland Security's  Automated Information System "due to internal NSA storing procedures." AIS is a machine-to-machine capability that relies on structured data specifications and protocols for participants to share information.

The report has been redacted at key points, so the IG's exact recommendations for DISA, CyberCom, DC3 and NSA were not revealed. The report did indicate that so far the NSA has yet to respond and urged the agency to comment on the recommendations.

The report also recommended that the DOD CIO issue departmentwide policy to implement CISA requirements, including the requirement that defense agencies "document barriers to sharing cyber threat indicators and defensive measures and take appropriate actions to mitigate the identified barriers."

DOD Principal Deputy CIO Essye Miller agreed with the recommendations. Responses from DISA and Cyber Command were almost completely redacted.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.