Publicly Released: March 17, 2020
Objective
The objective of this followup audit was to determine whether DoD Cyber Red Teams and DoD Components took actions to correct problems identified in Report No. DODIG-2013-035, "Better Reporting and Certification Processes Can Improve Red Teams' Effectiveness," December 21, 2012. In addition, we determined whether DoD Cyber Red Teams supported operational testing and combatant command exercises to identify network vulnerabilities, threats, and other security weaknesses affecting DoD systems, networks, and facilities, and whether corrective actions were taken to address DoD Cyber Red Team findings. We also assessed risks affecting the ability of DoD Cyber Red Teams to support DoD missions and priorities.
Background
DoD Cyber Red Teams are independent, multi-disciplinary groups of DoD personnel that are certified, accredited, and authorized to identify vulnerabilities that impact the confidentiality, integrity, or availability of DoD systems and networks by portraying the tactics, techniques, and procedures of adversaries. The DoD uses DoD Cyber Red Teams to highlight vulnerabilities, improve joint cyberspace operations, and protect the DoD Information Network and DoD weapons systems from vulnerabilities and threats that affect the DoD's security posture. Unlike traditional vulnerabilities, such as misconfigured security settings and unpatched software, DoD Cyber Red Teams use known vulnerabilities, zero day attacks (attacks that exploit a previously unknown hardware, firmware, or software vulnerability), and other tactics an adversary may use to penetrate systems, networks, and facilities, and test the defense-in-depth strength (use of multiple barriers and layers of defenses to protect systems, networks, and organizations and responses taken to DoD Cyber Red Team actions. As of September 2019, the National Security Agency accredited 10 DoD Cyber Red Teams.
Summary of Prior Report
In our prior report, issued in December 2012, we determined that DoD Cyber Red Teams did not effectively report the results of their assessments to the assessed organizations; the Director, Operational Test and Evaluation; U.S. Cyber Command; the Joint Force Headquarters-DoD Information Network; and other DoD Cyber Red Teams. In addition, we found that the DoD Components did not effectively correct or mitigate Red Team-identified vulnerabilities and did not track or report the vulnerabilities on a plan of action and milestones as required by the Chairman of the Joint Chiefs of Staff Instruction 6510.01F. Furthermore, we found that the DoD Cyber Red Team certification and accreditation process did not effectively assess the skills of the DoD Cyber Red Teams and their ability to perform mission functions and meet training requirements.
Lastly, we recommended that U.S. Strategic Command and the National Security Agency perform their mission functions as part of the certification and accreditation process. The DoD Components agreed with all of the prior report's recommendations and agreed to take corrective actions.
Findings
For this followup audit, we determined that the DoD Components did not consistently mitigate or include unmitigated vulnerabilities identified in the prior audit and during this audit by DoD Cyber Red Teams during combatant command exercises, operational testing assessments, and agency-specific assessments in plans of action and milestones. Specifically, of the DoD Cyber Red Team-identified vulnerabilities that we assessed, DoD Components:
- mitigated vulnerabilities,
- did not mitigate vulnerabilities, and
- partially mitigated vulnerabilities.
The DoD Components did not consistently mitigate vulnerabilities or include unmitigated vulnerabilities in plans of action and milestones because they failed to assess the impact of the vulnerabilities to their mission, prioritize resources to implement risk mitigation solutions, or coordinate the results of DoD Cyber Red Team reports with applicable stakeholders addition, the DoD did not have an organization responsible for ensuring that DoD Components took action to manage vulnerabilities identified by DoD Cyber Red Teams and did not establish processes that held DoD Components responsible for mitigating those vulnerabilities.
Ensuring DoD Components mitigate vulnerabilities is essential to achieve a better return on investment.
In addition, we determined that the DoD did not establish a unified approach to support and prioritize DoD Cyber Red Team missions. Instead, the DoD Components implemented Component-specific approaches to staff, train, and develop tools for DoD Cyber Red Teams, and prioritize DoD Cyber Red Team missions. The DoD did not establish a unified approach because the DoD did not:
- assign an organization with responsibility to oversee and synchronize DoD Cyber Red Team activities based on DoD needs and priorities;
- assess the resources needed for each DoD Cyber Red Team and identify core requirements to staff and train them to meet DoD priorities; or
- develop baseline tools to perform assessments.
Without an enterprise-wide solution to staff, train, and develop tools for DoD Cyber Red Teams and prioritize their missions, DoD Cyber Red Teams have not met current mission requests and will not meet future requests because of the increased demands for DoD Cyber Red Team services. Until the DoD assigns an organization to assess DoD Cyber Red Team resources, it will be unable to determine the number of DoD Cyber Red Teams and staffing of each team to support mission needs, which will impact the DoD's ability to identify vulnerabilities and take corrective actions that limit malicious actors from compromising DoD operations.
Recommendations
We recommend that the Secretary of Defense assign an organization with responsibility to, among other actions:
- review and assess DoD Cyber Red Team reports for systemic vulnerabilities and coordinate the development and implementation of enterprise solutions to mitigate those vulnerabilities;
- ensure DoD Components develop and implement a risk-based process to assess the impact of DoD Cyber Red Team-identified vulnerabilities and prioritize funding for corrective actions for high-risk vulnerabilities;
- ensure DoD Components develop and implement processes for providing reports with DoD Cyber Red Team findings and recommendations to organizations with responsibility for corrective actions;
- develop processes and procedures to oversee DoD Cyber Red Team activities, including synchronizing and prioritizing DoD Cyber Red Team missions, to ensure these activities align with DoD priorities;
- perform a joint DoD-wide mission-impact analysis to determine the number of DoD Cyber Red Teams, minimum staffing levels of each team, the composition of the staffing levels needed to meet current and future DoD Cyber Red Team mission requests;
- assess and identify a baseline of core and specialized training standards, based on the three DoD Cyber Red Team roles that DoD Cyber Red Team staff must meet for the team to be certified and accredited; and
- identify and develop baseline tools needed by DoD Cyber Red Teams to perform missions.
We recommend that the Chairman of the Joint Chiefs of Staff revise Chairman of the Joint Chiefs of Staff Instruction 6510.05 and Chairman of the Joint Chiefs of Staff Manual 6510.02 to include requirements for addressing DoD Cyber Red Team-identified vulnerabilities and reporting actions taken to mitigate those vulnerabilities.
Furthermore, we recommend that the Commanders for U.S. Strategic Command and U.S. Southern Command, Program Manager Advance Amphibious Assault for the Amphibious Combat Vehicle; and Director for the Defense Forensics and Biometric Agency assess and prioritize the risk of each unmitigated vulnerability identified in the Red Team assessments, take immediate actions to mitigate high-risk vulnerabilities, and if unable to immediately mitigate the vulnerabilities, include them on a command-approved plan of action and milestones.
Management Comments and Our Response
This report contains 14 recommendations addressed to the Secretary of Defense, Chairman of the Joint Chiefs of Staff, Commanders for U.S. Southern Command and U.S. Strategic Command, Program Manager Advanced Amphibious Assault for the Amphibious Combat Vehicle, and the Director for the Defense Forensics and Biometric Agency. Of the 14 recommendations, 13 are resolved but will remain open until further actions are taken, and 1 was closed. Below is a description of management comments to the 14 recommendations.
The Deputy to the Principal Cyber Advisor, responding for the Secretary of Defense, agreed with all recommendations. The Deputy stated that the DoD would leverage the results of assessments required by Sections 1660 and 1652 of the National Defense Authorization Act for FY 2020 to review the roles, responsibilities, and processes for adjudicating, disseminating, and monitoring DoD Cyber Red Team activities and improve follow up and implementation actions to mitigate DoD Cyber Red Team findings affecting weapon systems, warfighting platforms, and defense critical infrastructure.
The Director for Joint Staff, responding for the Chairman of the Joint Chiefs of Staff, agreed to revise Chairman of the Joint Chiefs of Staff Instruction 6510.05 and Chairman of the joint Chiefs of Staff Manual 6510.02 to include requirements for addressing DoD Cyber Red Team identified vulnerabilities and reporting actions taken to mitigate those vulnerabilities.
The U.S. Southern Command's Director for the Communication Systems Directorate, responding for the Commander for U.S. Southern Command, agreed with the recommendation and provided configuration screenshots, policies, and procedures to support mitigation efforts for 19 of the 41 vulnerabilities identified in this report.
The Director for Command, Control, Communications, and Computers Systems, responding for the Commander for U.S. Strategic Command, agreed with the recommendation to mitigate vulnerabilities identified in this report.
The Deputy Program Manager Advanced Amphibious Assault for the Amphibious Combat Vehicle 1.1, responding for the Program Manager Advanced Amphibious Assault, agreed to develop a plan of action and milestones for unmitigated vulnerabilities by February 29, 2020.
The Deputy Provost Marshall General for the Army, responding for the Director for the Defense Forensic and Biometric Agency, neither agreed nor disagreed with the recommendation, but provided documentation that supported wireless scanning occurred regularly. Therefore, the recommendation is closed.
This report is a result of Project No. D2019-0000CR-007.5.000.