We determined whether the DoD took actions to implement the Cybersecurity Information Sharing Act of 2015 (CISA) requirements. Specifically, we assessed whether selected DoD Components:
- had sufficient policies and procedures in place for sharing cyber threat indicators or defensive measures with Federal and non-Federal entities;
- verified the status of security clearances for private sector individuals authorized to share cyber threat indicators or defensive measures with the DoD;
- shared cyber threat indicators or defensive measures in a timely manner and removed irrelevant personally identifiable information (PII) when sharing the information with Federal and non-Federal entities; and
- assessed and mitigated barriers to sharing cyber threat indicators and defensive measures with Federal and non-Federal entities.
To accomplish our objective, we reviewed the policies and procedures in place for sharing both unclassified and classified cyber threat indicators and defensive measures and verified whether those policies and procedures were still current. We also reviewed select unclassified cyber threat indicators and defensive measures that were shared within the DoD, the Department of Homeland Security, and with private entities during 2016 to determine whether DoD officials complied with established policies and procedures as well as the CISA requirements. We obtained this information from four DoD Components—the National Security Agency (NSA), Defense Information Systems Agency (DISA), DoD Cyber Crime Center (DC3), and U.S. Cyber Command (USCYBERCOM).
On December 18, 2015, the President signed CISA into law. According to Federal guidance, Congress designed CISA to encourage public and private sector entities to share cyber threat indicators and defensive measures while protecting classified information, intelligence sources and methods, and privacy.
The DoD took limited actions to implement the CISA requirements for sharing cyber threat indicators and defensive measures within the DoD and with other Federal and non-Federal entities. For example, the NSA and DC3 developed agency-level policies and procedures for sharing cyber threat indicators or defensive measures. The NSA, DISA, and DC3 shared cyber threat indicators or defensive measures in a timely manner within the DoD and with other Federal and non-Federal entities, and ensured that the cyber threat indicator or defensive measure reports they shared did not include irrelevant PII. However, none of the four DoD Components reviewed implemented all of the CISA requirements.
- DISA and USCYBERCOM did not have agency-level policies and procedures for sharing cyber threat indicators and defensive measures with Federal and non-Federal entities, as required by CISA.
- DC3 did not verify whether 5 out of 32 nonstatistically sampled private sector individuals had an active security clearance before sharing cyber threat indicators and defensive measures in the Defense Industrial Base Network-Unclassified system. As a result, DC3 personnel removed 429 users from the system during the course of our audit.
We determined that the four DoD Components did not implement all of the CISA requirements because the DoD Chief Information Officer (CIO) did not issue a DoD-wide policy on CISA implementation or require that the DoD Components comply with the CISA requirements. As a result, the DoD limited its ability to gain a more complete understanding of cybersecurity threats, since it did not fully leverage the collective knowledge and capabilities of sharing entities or disseminate internally generated cyber threat indicators and defensive measures to other Federal and non-Federal entities. Using the shared information, entities can improve their security posture by identifying affected systems, implementing protective measures, and responding to and recovering from incidents. This is critical because cyber attackers continually adapt their tactics, techniques, and procedures to evade detection, circumvent security controls, and exploit new vulnerabilities.
We recommend that the DoD CIO, in coordination with the Under Secretary of Defense for Policy, issue DoD-wide policy on CISA implementation, including a requirement for the DoD Components to document barriers to sharing cyber threat indicators and defensive measures and take appropriate actions to mitigate the identified barriers.
Management Comments and Our Response:
The Principal Deputy CIO, responding on behalf of the CIO, agreed to coordinate with the Under Secretary of Defense for Policy to issue DoD-wide policy on CISA implementation. Therefore, those recommendations are resolved and will be closed once we verify that the agreed-upon actions are implemented.
The Directors of the NSA and DC3 did not provide comments. Therefore, we request comments on the final report from the Directors of the NSA and DC3.
This report is a result of Project No. D2017-D000RB-0094.000.