Report | Jan. 30, 2023

Summary of Reports and Testimonies Regarding DoD Cybersecurity from July 1, 2020, Through June 30, 2022 (DODIG-2023-047)

Audit

Publicly Released: February 1, 2023

Objective:

The objective of this summary report was to: (1) summarize unclassified and classified reports and testimonies regarding DoD cybersecurity that the DoD Office of Inspector General (OIG), the Government Accountability Office (GAO), and other DoD oversight organizations issued between July 1, 2020, and June 30, 2022; (2) identify cybersecurity trends; and (3) provide a status of open DoD cybersecurity-related recommendations.

We issue this summary report biennially to identify DoD cybersecurity trends based on the National Institute of Standards and Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity,” April 16, 2018 (NIST Cybersecurity Framework) for DoD management to review and consider implementing changes, as appropriate.

Background:

Federal agencies are required to use the NIST Cybersecurity Framework to manage their cybersecurity risk. The NIST Cybersecurity Framework consists of five functions—Identify, Protect, Detect, Respond, and Recover—representing high‑level cybersecurity activities that provide a strategic view of the risk management cycle for identifying, assessing, and responding to risk. In addition, the five functions include 23 associated categories, such as “Asset Management” or “Detection Processes,” that provide desired cybersecurity outcomes.

Each of the 23 categories has up to 12 subcategories that further divide the categories into specific outcomes of technical and management activities, such as “data‑at‑rest is protected” or “notifications from detection systems are investigated.”

The DoD also uses the Risk Management Framework, which provides an integrated enterprise‑wide decision structure and is consistent with the principles established in the NIST Cybersecurity Framework, for managing cybersecurity risk and authorizing and connecting information systems.

Summary:

This year’s report summarizes the results of the 133 reports related to DoD cybersecurity—124 unclassified and 9 classified—and 7 congressional testimonies from the DoD OIG, GAO, and other DoD oversight organizations that were released from July 1, 2020, through June 30, 2022.

Over the past 6 years, the DoD OIG, GAO, and the other DoD oversight organizations have steadily increased cybersecurity‑related oversight. However, a large and growing percentage of these reports focused primarily on issues related to two of the five NIST Cybersecurity Framework functions—Identify and Protect. There was less oversight provided by the DoD OIG, GAO, and the other DoD oversight organizations of the three remaining NIST Cybersecurity Framework functions—Detect, Respond, and Recover.

The DoD cybersecurity reports issued from July 2020 through June 2022 identified significant challenges in the DoD’s management of cybersecurity risks to its systems and networks. The reports discussed DoD risks related to 20 of the 23 NIST Cybersecurity Framework categories. The majority of the weaknesses identified in the 133 reports we reviewed related to the categories of Governance (Identify function), Asset Management (Identify function), Identity Management, Authentication and Access Control (Protect function), and Information Protection Processes and Procedures (Protect function).

These risks existed because DoD officials did not establish and implement minimum standards and necessary controls in accordance with DoD guidance.

We determined that the DoD Components implemented corrective actions necessary to close 417 of the 895 cybersecurity‑related recommendations included in this summary report and prior summary reports. As of June 30, 2022, the DoD had 478 open cybersecurity‑related recommendations, dating as far back as 2012.

In addition to the 133 reports and 7 testimonies released since July 1, 2020, we also reviewed the notices of finding and recommendation (NFRs) issued to the DoD as part of the agency financial statement audits and attestations of 26 DoD reporting entities. The NFRs communicate to management identified weaknesses and inefficiencies in financial processes, their impact, the reason they exist, and recommendations on how to correct the weaknesses and inefficiencies. As of July 15, 2022, the DoD had 1,304 open information technology NFRs resulting from FY 2021 financial statement audits. We selected a nonstatistical sample of 44 NFRs and determined that they primarily identified weaknesses in the Protect and Identify functions of the NIST Cybersecurity Framework spanning 11 of the 23 NIST Cybersecurity Framework categories.

Although we are not making new recommendations to DoD management in this summary report, it is vital to the DoD’s overall cybersecurity posture that management implement timely and comprehensive corrective actions that address the open cybersecurity‑related recommendations, such as configuring security settings in accordance with security requirements and developing policies and procedures that promote consistent implementation of security controls.
