Report | July 9, 2021

Audit of the Department of Defense’s Implementation of the Memorandums Between the Department of Defense and the Department of Homeland Security Regarding Cybersecurity and Cyberspace Operations (DODIG-2021-100)

Audit

Publicly Released: July 13, 2021

 

Objective

The objective of this audit was to determine whether the DoD planned and executed activities to implement the memorandums between the DoD and the Department of Homeland Security (DHS) regarding cybersecurity and cyberspace operations. We conducted this audit in coordination with the DHS Office of Inspector General, which conducted a concurrent audit on the DHS activities taken to implement the memorandums. The DHS Office of Inspector General expects to issue a final report in FY 2021 with findings and recommendations specific to the DHS.

 

Background

Since September 2010, the DoD and DHS have signed three interdepartmental memorandums to define the terms by which the DoD and DHS will collaborate to respond to and deter cyber threats to the United States and its critical infrastructure.

  • On September 27, 2010, the Secretaries of Defense and Homeland Security signed a memorandum to improve the coordination of each department’s respective efforts regarding U.S. cybersecurity.
  • On November 25, 2015, the DHS Deputy Under Secretary for Cybersecurity and Communications, National Security Agency (NSA) Deputy Director, and U.S. Cyber Command (USCYBERCOM) Deputy Commander signed a memorandum to develop and maintain a cyber action plan to implement requirements outlined in the 2010 memorandum.
  • On October 6, 2018, the Secretaries of Defense and Homeland Security signed a memorandum to clarify the roles and responsibilities between the DoD and DHS for enhancing the U.S. Government’s readiness to respond to cyber threats.

 

Findings

DoD officials planned and executed activities to implement the 2010 and 2015 memorandums between the DoD and the DHS regarding cybersecurity and cyberspace operations. Examples of activities planned and executed in accordance with the 2010 and 2015 memorandums include the following.

  • The NSA and USCYBERCOM worked with the DHS to develop the cyber action plan, which contained goals, objectives, roles and responsibilities, and action items.
  • The NSA formalized the process used to exchange cyber indicators from the cyber indications and warnings process between the NSA, USCYBERCOM, and the DHS.
  • USCYBERCOM developed a process for the DHS to request the DoD’s assistance to support domestic cybersecurity preparedness and incident response.
  • The NSA and USCYBERCOM participated in cyber exercises and provided input for after action reports with the DHS.

DoD officials also executed some activities to implement the 2018 memorandum, such as developing policy memorandums and participating in interagency meetings with DHS officials. However, the Cyber Protection and Defense Steering Group (CPD SG) has not developed an implementation plan with milestones and completion deadlines to ensure all activities to implement the 2018 memorandum are executed.

The co-chairs of the CPD SG stated that they did not develop an implementation plan because they did not intend for the 2018 memorandum to serve as a contractual agreement. Instead, the DoD CPD SG co-chairs stated the 2018 memorandum was developed to promote engagement between the DoD and DHS and define common areas of interest for collaboration.

Without an implementation plan that clearly defines roles and responsibilities and identifies milestones and completion dates, the DoD may not be able to sustain collaboration with the DHS in protecting the Nation’s critical infrastructure. Specific to the 2018 memorandum, the lack of an implementation plan could result in DoD officials not providing the level of assistance to the DHS needed for the DoD and the DHS to conduct joint operations to protect critical infrastructure; support state, local, tribal, and territorial governments; and jointly defend military and civilian networks from cyber threats. As stated previously, the DoD CPD SG co-chairs developed the 2018 memorandum to promote engagement between the DoD and the DHS and do not regard an implementation plan as necessary. However, if differences arise between the CPD SG co-chairs or as the membership changes, the lack of an implementation plan could hinder the level or timeliness of assistance requested and provided. In 2020, multiple Federal agencies and the private sector were compromised by malicious actors using a trusted source, SolarWinds Orion. Although the SolarWinds Orion compromise was not related to the lack of an implementation plan, the compromise continues to show the importance and criticality of the DoD’s and DHS’s ability to respond to any and all cyber threats, which would be significantly improved by implementing a plan to accomplish shared goals in the 2018 joint memorandum.

 

Recommendations

We recommend that the Deputy Secretary of Defense and the Chairman of the Joint Chiefs of Staff direct the DoD co-chairs of the Joint DoD-DHS CPD SG to work with the DHS co-chair to:

  • develop and approve plans of action and milestones for each line of effort; and
  • track activities executed and identify gaps that limit the DoD and DHS in fully implementing all lines of effort in the 2018 memorandum.

 

Management Comments

The Deputy Secretary of Defense agreed with the recommendations to develop plans of action and milestones for the 2018 memorandum’s lines of effort and track all collaborative activities related to protecting and defending critical infrastructure, gaps identified, and areas requiring improvements. The Vice Director of the Joint Staff, responding for the Chairman of the Joint Chiefs of Staff, disagreed with the recommendation to develop plans of action and milestones for the 2018 memorandum’s lines of effort and did not address the specifics of the other recommendation to track activities and identify gaps in fully implementing the 2018 memorandum. However, the Vice Director stated that the Joint Staff planned to convene the CPD SG and achieve interdepartmental consensus on the best way to address the DoD Office of Inspector General’s concerns. Therefore, we consider the planned actions by the Deputy Secretary of Defense and the Joint Staff sufficient to resolve the recommendations. We will close the recommendations once we verify that the action is complete.

 

This report is the result of Proj. No. D2019-D000CT-0176.000.