DOD still falling short on cyber, IG says


The Defense Department has quite a bit of work to do to bring its cybersecurity up to standard, according to the inspector general's latest summary of past reports.

The IG did give credit when due, noting in the report that DOD had locked down some vulnerabilities. But the department has failed to fully implement the National Institute of Standards and Technology Cybersecurity Framework issued in April 2018, the summary states.

Most vulnerabilities, the IG wrote, were related to the "identify" and "protect" sections of the NIST framework that require an organization to develop organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities and to implement safeguards for delivery of critical services, respectively. (Detect, Respond and Recover are the other three NIST framework components.)

"Recently issued cybersecurity reports indicate that the DoD still faces challenges in managing cybersecurity risk to its network," the IG wrote.

FCW has reached out to the Pentagon's CIO for comment.

The IG found that most weaknesses were related to governance or the "identify" part of the framework. Without it, the watchdog wrote, "DOD cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems."

The DOD IG conducted its review from July 1, 2017, through June 30, 2018, and issued its summary Jan. 9. As of Sept. 30, 2018, it said, 266 cybersecurity recommendations remained open, including some held over from 2009 and 2010.

"The DoD must also ensure that cybersecurity risks are effectively managed to safeguard its reliance on cyberspace to support its operations and implement proper controls and processes where weaknesses are identified to improve the overall cybersecurity," the IG wrote in its summary.

The report is part of the Federal Information Security Modernization Act's requirement to annually review the effectiveness of a government organization's information security program and practices.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.
