Report | Dec. 11, 2020

Summary of Reports Issued Regarding Department of Defense Cybersecurity From July 1, 2019, Through June 30, 2020 (DODIG-2021-034)

Audit

Publicly Released: December 15, 2020

Objective

The objective of this summary report was to: (1) summarize unclassified and classified reports and testimonies regarding DoD cybersecurity that the DoD Office of Inspector General (OIG), the Government Accountability Office (GAO), and other DoD oversight organizations issued from July 1, 2019 through June 30, 2020 concerning DoD cybersecurity; (2) identify cybersecurity trends; and (3) identify the open DoD cybersecurity-related recommendations.

We issue this summary report to identify DoD cybersecurity trends based on the National Institute of Standards and Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity,” April 16, 2018 (NIST Cybersecurity Framework) for DoD management to review and consider implementing changes, as appropriate.

 

Background

Federal agencies are required to use the NIST Cybersecurity Framework to manage their cybersecurity risk. The NIST Cybersecurity Framework consists of five functions—Identify, Protect, Detect, Respond, and Recover—representing high-level cybersecurity activities that provide a strategic view of the risk management cycle for identifying, assessing, and responding to risk. In addition, the five functions include 23 associated categories, such as “Asset Management” or “Detection Process,” that provide desired cybersecurity outcomes. Each of the categories has up to 12 subcategories that further divide the categories into specific outcomes of technical and management activities, such as “data-at-rest is protected” or “notifications from detection systems are investigated.”

The DoD also uses the Risk Management Framework which provides an integrated enterprise-wide decision structure for managing cybersecurity risk for DoD information technologies.

 

Summary

This year’s report summarizes the results of the 44 DoD cybersecurity-related reports issued—33 unclassified and 11 classified—by the DoD OIG, GAO, and the other DoD oversight organizations from July 1, 2019, through June 30, 2020. We did not identify any testimonies made by the DoD oversight community or GAO regarding DoD cybersecurity risks during this period.

Despite the improvements made by the DoD over the past year, recently issued cybersecurity reports demonstrated that the DoD continued to face significant challenges in managing cybersecurity risks to its systems and networks. For example, the DoD has made improvements regarding the NIST Cybersecurity Framework categories of Risk Management Strategy (Identify function) and Communications (Respond function) by utilizing Risk Management Framework processes and sharing cybersecurity information with stakeholders. However, risks remain in managing the DoD’s cybersecurity activities regarding 20 of the 23 NIST Cybersecurity Framework categories. The majority of the risks and weaknesses identified in the 44 reports we reviewed related to the categories of Governance (Identify function), Identity Management and Access Control (Protect function), Risk Assessment (Identify function), and the Information Protection Processes and Procedures (Protect function).

These risks generally occurred because DoD officials did not establish policies and procedures to implement standards or effectively implement the necessary controls in accordance with DoD guidance. For example, the DoD did not:

•  know the extent that practices to protect DoD networks from key cyber attack techniques
   were implemented because DoD Components did not establish procedures to monitor
   implementation of key initiatives;

• establish internal controls to validate whether organizations with oversight responsibilities
   enforced information technology asset management policy, identified and monitored excess
   information technology hardware asset inventories, or managed the re-distribution of excess
   information technology hardware inventories; or

• implement cybersecurity measures and document system security parameters in accordance
  with DoD guidance and maintained outdated cybersecurity documentation such as an
  outdated Plan of Action and Milestones.

Furthermore, we determined that the DoD Components implemented corrective actions necessary to close 197 of 656 cybersecurity-related recommendations from issued reports included in this summary report and prior summary reports. However, as of August 2020, the DoD had 459 cybersecurity-related recommendations open, dating back to 2011.

In addition to the 44 reports issued from July 1, 2019 through June 30, 2020, we also reviewed the notices of findings and recommendations issued to the DoD as part of the agency financial statement audits. As of July 1, 2020, the DoD had 1,710 open information technology notices of findings and recommendations (NFRs) as a result of the FY 2019 and FY 2020 financial statement audits. The notices of findings and recommendations identified weaknesses regarding the (1) Identity Management and Access Control and (2) Information Protection Processes and Procedures categories under the Protect function of the NIST Cybersecurity Framework.

Although we are not making new recommendations to DoD management in this summary report, it is vital to the DoD’s overall cybersecurity posture that management implement timely and comprehensive corrective actions that address the open cybersecurity-related recommendations. Implementing corrective actions is necessary because DoD adversaries such as Russia, China, Iran, and North Korea; terrorist groups; hacktivists; and other malicious actors can exploit cybersecurity vulnerabilities to gain unauthorized access to systems and networks and use sensitive and classified information to collect intelligence, target DoD critical infrastructure, manipulate information, and conduct cyber attacks.

This report is the result of Proj. No. D2020-D000CT-0077.000