Vague contract language hampers cybersecurity for weapons systems, GAO says

The Government Accountability Office found that missing or vague cybersecurity requirements in acquisitions contracts for weapons systems often led to DOD getting a system that didn't meet its security needs.

The cybersecurity of the Defense Department's weapons systems may hinge on clear contract requirements, according to a recent report.

The Government Accountability Office found that missing or vague cybersecurity requirements in acquisitions contracts for weapons systems often led to DOD getting a system that didn't meet its security needs, according to a report released on March 4.

"The government is less likely to get what it wants if it omits all or part of its cybersecurity requirements," W. William Russell, GAO director for contracting and national security acquisitions, wrote in the report.

GAO evaluated five programs across the Army, Air Force, Navy and Marine Corps and found that three of the five programs reviewed didn't have cybersecurity requirements in their contracts when awarded; the contracts were modified after the fact to include them.

Additionally, those late additions were inconsistent or contained only vague references to a system being "cyber resilient" or complying with the DOD's risk management framework, rather than detailed requirements.

"Such statements do not provide enough information to determine what the government wants or how to design a system," contractors told the GAO.

The review comes as the DOD and broader federal government wrestle with the effects of the SolarWinds hack and increased cyberattacks on its systems as more personnel work remotely.

In 2018, GAO found that several weapons systems had fundamental security vulnerabilities that allowed testers to gain full access using simple tools and techniques. There was also concern that DOD was largely unaware of the total number of vulnerabilities affecting its weapons systems -- especially as they age and move into sustainment.

Since its last review, the GAO said it found that the DOD had conducted, or planned to conduct, more cybersecurity testing during development than in past acquisitions, but some program contracts didn't list cybersecurity requirements or verification processes.

The GAO noted that DOD should continue its efforts and incorporate cybersecurity throughout a program's development and lifecycle, specifically suggesting that the Army, Navy, and Marine Corps issue guidance on how to weave cybersecurity requirements into contracts and tailor them to each program.

While the cyber guidance DOD has issued in recent years has helped "ingrain cybersecurity practices into the DOD culture," the report states, such guidance hasn't addressed how programs can "effectively translate cybersecurity concepts into detailed and specific cybersecurity requirements for contracts, on par with other system requirements."