DOD CIO lags in implementing cyber law


Congress passed landmark cybersecurity legislation in late 2015, but the Pentagon hasn't done much to put the law in play, according to a watchdog report.

The Cybersecurity Information Sharing Act required Defense Department component agencies to come up with plans and procedures for sharing threat indicators with civilian and non-governmental entities.

A Nov. 8 report by the Department of Defense Office of Inspector General focused on CISA implementation by the National Security Agency, the Defense Information Systems Agency, Cyber Command and the DOD Cyber Crime Center, known as DC3.

The report concluded that the uneven and inconsistent implementation of CISA requirements was due to the lack of a DOD-wide policy from the CIO.

"As a result, the DOD limited its ability to gain a more complete understanding of cybersecurity threats since it did not fully leverage the collective knowledge and capabilities of sharing entities, or disseminate internally generated cyber threat indicators and defensive measures with other federal and non‑federal entities," the report stated.

DISA and Cyber Command lacked policies for sharing cyber threat indicators, while DC3 wasn't always checking on whether it was sharing cyber threat indicators with cleared private-sector personnel via the secret DIBNet-U portal that hosts information on Defense Industrial Base companies.

The report also mentioned that NSA can't receive cyber threat indicators or defensive measures via the Department of Homeland Security's  Automated Information System "due to internal NSA storing procedures." AIS is a machine-to-machine capability that relies on structured data specifications and protocols for participants to share information.

The report has been redacted at key points, so the IG's exact recommendations for DISA, CyberCom, DC3 and NSA were not revealed. The report did indicate that so far the NSA has yet to respond and urged the agency to comment on the recommendations.

The report also recommended that the DOD CIO issue departmentwide policy to implement CISA requirements, including the requirement that defense agencies "document barriers to sharing cyber threat indicators and defensive measures and take appropriate actions to mitigate the identified barriers."

DOD Principal Deputy CIO Essye Miller agreed with the recommendations. Responses from DISA and Cyber Command were almost completely redacted.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.