We summarized DoD and Government Accountability Office audit reports issued from August 1, 2015, through July 31, 2016, that contained findings on DoD cybersecurity weaknesses. This report supports the DoD Office of Inspector General’s response to the requirements of Public Law 113-283, section 3555, “Federal Information Security Modernization Act of 2014,” December 18, 2014.
During the reporting period, the DoD and the Government Accountability Office issued 21 unclassified reports that addressed a wide range of cybersecurity weaknesses within DoD systems and networks. Reports issued during the reporting period most frequently cited cybersecurity weaknesses in the categories of risk management, identity and access management, security and privacy training, contractor systems, and configuration management.
As of August 1, 2015, unclassified audit reports identified in the previously issued cybersecurity summary reports contained 166 open cybersecurity-related recommendations. From August 1, 2015, through July 31, 2016, DoD management closed 28 recommendations, leaving 138 open cybersecurity-related recommendations that required management action.
The DoD has prioritized funding its cyber strategy by investing a total of $6.7 billion in FY 2017 and a total of $34.6 billion over the Future Years Defense Program (next five years). The funds are intended to help the DoD continue to develop, train, and equip the Cyber Mission Force, and make new technological investments to strengthen cyber defenses and capabilities. While the DoD has prioritized funding its cyber strategy, cybersecurity will remain a significant management challenge. As recent audit reports identify, the DoD continues to struggle with ensuring that all aspects of its information security program are adequately implemented. For example, implementing secure information systems on major weapons systems throughout their lifecycle requires effective and continuous software assurance testing. Inadequate software assurance testing on major weapons systems could be devastating to mission operations. In addition, although Homeland Security Presidential Directive 12 was issued in 2004, one audit report indicated that DoD Components are still not fully complying with the Directive. The report identified that the lack of compliance leaves national security and Privacy Act information vulnerable to compromise and places soldiers, family members, civilians, and critical infrastructures at greater risk of an adverse incident occurring.
Correcting cybersecurity weaknesses and maintaining adequate cybersecurity is critical, as the DoD has become increasingly reliant on cyberspace to enable its military, intelligence, and business operations to perform the full spectrum of military operations. Although the DoD has taken steps to increase cybersecurity over its systems, networks, and infrastructure, significant challenges remain.
In this summary report, we identified recommendations from previously issued reports. Therefore, this report contains no new recommendations and is provided for information purposes only.
Management Comments and Our Response:
We did not issue a draft report because this report consolidates audit findings from audit reports issued from August 1, 2015, through July 31, 2016. No written response is required.
This report is a result of Project No. D2016-D000RB-0139.000.