Our objective was to (1) summarize unclassified and classified reports issued and testimonies made by the DoD oversight community and the Government Accountability Office (GAO) between July 1, 2017, and June 30, 2018, that included DoD cybersecurity issues; (2) identify cybersecurity risk areas for DoD management to address based on the five functions of the National Institute of Standards and Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity,” April 16, 2018 (Cybersecurity Framework); and (3) identify the open DoD cybersecurity recommendations.
This summary report also addresses the Federal Information Security Modernization Act of 2014 (FISMA) requirement to provide an annual independent evaluation of the agency’s information security program by using the identified findings to support the responses made in our assessment.
On February 12, 2013, the President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” Executive Order 13636 calls for the development of a voluntary cybersecurity framework for Federal and non-Federal entities that provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The resulting NIST Cybersecurity Framework was established through collaboration between the Government and private sector entities. The framework has five functions, representing high-level cybersecurity activities that provide a strategic view of the risk management lifecycle—Identify, Protect, Detect, Respond, and Recover. On May 11, 2017, the President mandated that Federal agencies use the NIST Cybersecurity Framework to manage their cybersecurity risks by issuing Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”
FISMA requires that each Federal agency conduct an annual independent evaluation to determine the effectiveness of the agency’s information security program and practices. For an agency with an Inspector General (IG) appointed under the IG Act of 1978, that IG, or an independent external auditor designated by that IG, must conduct the annual independent evaluation and report the results to the agency Chief Information Officer by October 31st of each year. The evaluation may be based in whole or in part on an audit, evaluation, or report relating to agency programs or practices. The IG must report the results of the annual independent evaluation to the Office of Management and Budget.
We used this summary report to develop the annual DoD OIG independent evaluation and to meet the reporting requirement, which we communicated to the DoD Chief Information Officer on October 31, 2018.
We found that DoD Components implemented many of the agreed-upon corrective actions necessary to improve system weaknesses identified in issued reports summarized in our FY 2017 cybersecurity summary report; however, recently issued cybersecurity reports indicate that the DoD still faces challenges in managing cybersecurity risk to its network. Additionally, as of September 30, 2018, there were 266 open cybersecurity‑related recommendations, dating as far back as 2008.
This year’s summary includes the results of 20 unclassified and 4 classified reports issued by the DoD oversight community and GAO between July 1, 2017, and June 30, 2018, relating to DoD cybersecurity. We did not identify any testimonies made by the DoD oversight community and GAO relating to DoD cybersecurity during this period.
The unclassified reports identified improvements in asset management, information protection processes and procedures, identity management and access control, and security continuous monitoring. We also determined that the DoD has taken action to strengthen its cybersecurity posture by implementing actions to address 19 of the 159 recommendations made in those reports.
However, the DoD needs to continue focusing on managing cybersecurity risks related to governance, asset management, information protection processes and procedures, identity management and access control, security continuous monitoring, detection processes, and communications. The largest number of weaknesses identified in this year’s summary were related to governance, which allows an organization to inform its management of cybersecurity risk through the policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements.
Without proper governance, the DoD cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems. The DoD must also ensure that cybersecurity risks are effectively managed to safeguard its reliance on cyberspace to support its operations and implement proper controls and processes where weaknesses are identified to improve overall cybersecurity.
This report is a result of Project No. D2018-D000CP-0150.000.