Publicly Released: June 15, 2020
The objective of this summary report was to: (1) summarize unclassified and classified reports issued and testimony provided to Congress regarding DoD cybersecurity by the DoD Office of Inspector General, the Government Accountability Office, and the other DoD oversight organizations between July 1, 2018, and June 30, 2019; (2) identify cybersecurity risk areas based on the summarized reports and testimonies; and (3) identify the open DoD cybersecurity‑related recommendations. We issue this summary report annually to identify cybersecurity risk areas, based on the National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” April 16, 2018 (NIST Cybersecurity Framework), for DoD management to review and consider when implementing changes to improve cybersecurity.
On February 12, 2013, the President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which requires NIST to develop a voluntary cybersecurity framework that provides a prioritized, flexible, repeatable, performance‑based, and cost‑effective approach to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
On May 11, 2017, the President issued Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which requires Federal agencies to use the NIST Cybersecurity Framework to manage their cybersecurity risks. NIST originally released the NIST Cybersecurity Framework on February 12, 2014, and revised it on April 16, 2018. The NIST Cybersecurity Framework has five functions—Identify, Protect, Detect, Respond, and Recover—representing high‑level cybersecurity activities that provide a strategic view of the risk management life cycle for identifying, assessing, and responding to risk. For example, the cybersecurity activities for the Identify function include “managing cybersecurity risk to systems, people, assets, data, and capabilities.” In addition, the five NIST Cybersecurity Framework functions include 23 associated categories that describe desired cybersecurity outcomes, such as “Asset Management” or “Detection Processes.” Each of the 23 categories has up to 12 subcategories that further divide the categories into specific outcomes of technical or management activities, such as “data at rest is protected” or “notifications from detection systems are investigated.”
The DoD has also issued guidance that provides an integrated enterprise‑wide decision structure for managing cybersecurity risk. This risk management process is mandatory for managing all the DoD information technologies and is consistent with the principles established by NIST.
We determined that the DoD Components implemented corrective actions necessary to close 200 of the 530 cybersecurity‑related recommendations from issued reports included in this summary report and our prior summary reports. Those corrective actions are intended to mitigate or remediate risks and weaknesses to the DoD systems and networks. However, as of September 30, 2019, the DoD had 330 cybersecurity‑related recommendations that remained open, dating back to 2011.
This year’s report summarizes the results of the 46 DoD cybersecurity‑related reports issued—33 unclassified and 13 classified—and the content of three testimonies made by the DoD Office of Inspector General, the Government Accountability Office, and the other DoD oversight organizations from July 1, 2018, through June 30, 2019.
Although we include the number of classified reports issued in our discussion of the NIST Cybersecurity Framework functions and categories in this summary, we did not issue classified appendixes summarizing the specific findings and results of those reports due to the impact of the coronavirus disease–2019 on classified processing requirements.
We also determined that, despite numerous improvements made by the DoD over the past year, recently issued cybersecurity reports demonstrate that the DoD continues to face significant challenges in managing cybersecurity risks to its systems and networks. For example, the DoD has made improvements related to the NIST Cybersecurity Framework categories of Governance (Identify function), Identity Management and Access Control (Protect function), and Awareness and Training (Protect function) by issuing new or revised cybersecurity policies and procedures. However, significant risks remain in managing the DoD’s cybersecurity activities related to most of the NIST Cybersecurity Framework categories (18 of the 23). The majority of the identified risks and weaknesses relate to the categories of Governance (Identify function), Asset Management (Identify function), Risk Assessment (Identify function), Information Protection Processes and Procedures (Protect function), Awareness and Training (Protect function), and Identity Management and Access Control (Protect function).
These risks generally occurred because the DoD either did not establish policies and procedures to implement minimum standards or did not effectively implement the necessary controls in accordance with DoD and Federal guidance. For example, the DoD did not:
- establish policies and procedures to implement the minimum insider threat standards or requirements related to the Cybersecurity Information Sharing Act of 2014;
- provide oversight of its cyber workforce to ensure consistent implementation of training standards or the proper implementation of system security controls;
- follow established procedures to mitigate or remediate DoD weapon system vulnerabilities or ensure that data were properly removed from removable electronic media such as thumb drives; or
- implement a process to identify the DoD cyber workforce vacancies or rationalize software applications.
Although we are not making new recommendations to DoD management in this summary report, it is vital to the DoD’s overall cybersecurity posture that management implement, in a timely manner, comprehensive corrective actions that address the open cybersecurity‑related recommendations. DoD adversaries such as Russia, China, Iran, and North Korea; terrorist groups; hacktivists; and other independent malicious actors can exploit these cybersecurity vulnerabilities to gain unauthorized access to systems and networks and use sensitive and classified information to collect intelligence, target DoD critical infrastructure, manipulate information, and conduct cyber attacks. Therefore, the DoD must ensure that it periodically identifies and manages its cybersecurity‑related risks appropriately, has a skilled workforce capable of conducting necessary cyber missions, and implements processes to monitor and protect the DoD Information Network.
Additionally, during the FY 2018 and FY 2019 DoD financial statement audits, the DoD Office of Inspector General and independent public accounting firms’ auditors identified the need for the DoD to develop and implement more effective internal controls for 247 information technology systems that process transactions for financial reporting, including controls to manage user accounts, monitor user activities, and secure the systems that process financial transactions reported on financial statements. A significant function of financial statement audits is reviewing information technology and cybersecurity. In FY 2019, auditors reported that the DoD and 13 of its Components had a material weakness related to their financial management systems, as well as their information technology environments.
As of December 31, 2019, the DoD had more than 1,500 open information technology notices of findings and recommendations (NFR) as a result of the FY 2018 and FY 2019 financial statement audits. We determined that some of these NFRs identified weaknesses relating to the NIST Cybersecurity Framework. The majority of the NFRs reviewed related directly to the concepts covered in the Protect function of the NIST Cybersecurity Framework, including the categories of Identity Management and Access Control, Information Protection Processes and Procedures, Protective Technology, and Data Security. For example, the auditors identified that the DoD did not:
- appropriately restrict access rights and responsibilities according to segregation of duties policy (Identity Management and Access Control category);
- terminate user access in a timely manner when users left the organization (Identity Management and Access Control category);
- implement controls to identify unintentional or unauthorized changes made to applications, databases, or data (Information Protection Processes and Procedures category); or
- perform reconciliations between systems to verify the completeness and accuracy of data being transferred (Data Security category).
Ineffective system controls can result in significant risk to DoD assets. For example, payments and collections could be lost, stolen, or duplicated as a result of weak information technology controls. Implementing the recommended actions included in these NFRs will better enable the DoD to rely on the accuracy and completeness of its financial data. In addition, improving internal controls for information technology systems that process financial transactions can improve not only financial management but also the overall cybersecurity of the DoD Information Network, and better assist in protecting against and rapidly responding to cyber threats across its various networks and systems.
This report is a result of Project No. D2019-D000CP-0086.000.