Defense Department Cyber Efforts:
More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities
GAO-11-421: Published: May 20, 2011. Publicly Released: Jun 20, 2011.
The U.S. military depends heavily on computer networks, and potential adversaries see cyberwarfare as an opportunity to pose a significant threat at low cost: a few programmers could cripple an entire information system. The Department of Defense (DOD) created U.S. Cyber Command to counter cyber threats, and tasked the military services with providing support. GAO examined the extent to which DOD and U.S. Cyber Command have identified for the military services the (1) roles and responsibilities, (2) command and control relationships, and (3) mission requirements and capabilities to enable them to organize, train, and equip for cyberspace operations. GAO reviewed relevant plans, policies, and guidance, and interviewed key DOD and military service officials regarding cyberspace operations.
DOD and U.S. Cyber Command have made progress in identifying the roles and responsibilities of the organizations that support DOD cyberspace operations, but additional detail and clarity are needed. GAO's analysis of U.S. Cyber Command's November 2010 Concept of Operations showed that it generally meets joint guidance and maps out U.S. Cyber Command's organizational and operational relationships in general terms. However, greater specificity is needed as to the categories of personnel that can conduct various types of cyberspace operations in order for the military services to organize, train, and equip cyber forces. The services may use military, civilian government, and contractor personnel to conduct cyberspace operations, and U.S. Cyber Command's Concept of Operations describes general roles and responsibilities for cyberspace operations performed by U.S. Cyber Command's directorates, the military services, and the respective service components. However, service officials indicated that DOD guidance was insufficient to determine precisely what civilian activities are permissible for certain cyber activities, that DOD is still reviewing the appropriate roles for government civilians in this domain, and that the military services may be constrained by limits on their total number of uniformed personnel, among other things. Without the specific guidance, the services may in the future have difficulty in meeting personnel needs for certain types of cyber forces.
U.S. Cyber Command's Concept of Operations generally describes the command and control relationships between U.S. Cyber Command and the geographic combatant commands, but additional specificity would enable the military services to better plan their support for DOD cyberspace operations. DOD guidance calls for command and control relationships to be identified in the planning process. The Concept of Operations recognizes that a majority of cyberspace operations will originate at the theater and local levels, placing them under the immediate control of the geographic combatant commanders and requiring U.S. Cyber Command to provide cyberspace operations support. However, officials from the four military services cited a need for additional specificity as to command and control relationships for cyberspace operations between U.S. Cyber Command and the geographic combatant commands, to enable them to provide forces to the appropriate command. DOD recognizes this challenge in command and control and is conducting exercises and studies to work toward its resolution.
U.S. Cyber Command has made progress in operational planning for its missions but has not fully defined long-term mission requirements and desired capabilities to guide the services' efforts to recruit, train, and provide forces with appropriate skill sets. DOD guidance requires that combatant commanders provide mission requirements the services can use in plans to organize, train, and equip their forces. However, GAO determined that in the absence of detailed direction from U.S. Strategic Command, the services are using disparate, service-specific approaches to organize, train, and equip forces for cyberspace operations, and these approaches may not enable them to meet U.S. Cyber Command's mission needs.
GAO recommends that DOD set a timeline to develop and publish specific guidance regarding U.S. Cyber Command and its service components' cyberspace operations, including: (1) categories of personnel that can conduct various cyberspace operations; (2) command and control relationships between U.S. Cyber Command and the geographic combatant commands; and (3) mission requirements and capabilities, including skill sets, the services must meet to provide long-term operational support to the command. DOD agreed with the recommendations.
Recommendations for Executive Action
Comments: As of July 2014, DOD is in the process of finalizing a DOD Directive on "Cyber Workforce Management," which it expects to be formally approved by the end of fiscal year 2014. DOD is also working on a complementary DOD Instruction establishing a lexicon for cyberspace workroles and the baseline set of knowledge, skills, and abilities for each workrole; this Instruction should be used to develop a series of cyberspace workforce qualification manuals. The DOD Instruction is expected to enter initial coordination within DOD in the second quarter of fiscal year 2015. The new qualification manuals, if finalized, are to replace DOD's manual on "Information Assurance." DOD expects to have initial drafts of these manuals in calendar year 2015. In addition, DOD is developing another DOD Instruction, which should assign responsibilities and provide procedures for the planning and coordination of DOD cyberspace training and provide an overarching training body, envisioned to be the Cyber Training and Advisory Council. DOD expects this Instruction to be formally approved by the end of calendar year 2014.
Recommendation: To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Under Secretary of Defense for Policy and the Under Secretary of Defense for Personnel and Readiness, in consultation with the DOD Office of General Counsel, to develop and publish detailed policies and guidance pertaining to categories of personnel that can conduct the various forms of cyberspace operations.
Agency Affected: Department of Defense
Comments: DOD reported that, on 1 May 2012, the Joint Staff obtained Secretary of Defense (SecDef) approval on its Transitional Cyberspace Operations Command and Control (C2) Concept of Operations (CONOPS). As directed in the CONOPS, the Combatant Commands implemented the transitional C2 model and over the following year, the Joint Staff partnered with the U.S. Strategic Command, the U.S. Cyber Command (USCYBERCOM), other Combatant Commands (CCMD), Services and DOD Agencies to evaluate the transitional C2 model and develop a more enduring cyberspace operations C2 framework. The SecDef approved the Joint Chiefs of Staff recommendation and, on 21 June 2013, the CJCS issued the "Execute Order to Implement Cyberspace Operations Command and Control (C2) Framework," which builds upon the transitional CONOPS specifying command relationships among cyberspace entities across the CCMDs, USCYBERCOM, and the Services. However, the DOD acknowledges that it is taking an iterative approach toward normalizing C2 of the cyberspace operational domain and that the Joint Staff must return to the Joint Chiefs of Staff in the summer of 2015 after completing some follow-on tasks relating to this framework. DOD is taking ongoing actions (some classified) in response to this recommendation, and GAO will monitor and assess the outcome of these actions in 2015.
Recommendation: To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Chairman of the Joint Chiefs of Staff to develop and publish authoritative and specific guidance regarding the supporting and supported command and control relationships between U.S. Cyber Command and the geographic combatant commands for cyberspace operations.
Agency Affected: Department of Defense
Comments: As of July 2014, U.S. Cyber Command (CYBERCOM) has developed joint training standards for individual and collective training specific to its Cyber Mission Force (CMF) teams across three primary documents, which are in the process of being updated. These documents should assist the Services in identifying the necessary mission requirements and skill sets of their personnel assigned to CMF teams and are as follows:
1) Joint Cyberspace Training and Certification Standards (JCT&CS) - The JCT&CS identifies the unique knowledge, skills, and abilities for each workrole/position in CYBERCOM's cyber workforce and the CMF teams. It is expected to be updated by the end of calendar year 2014.
2) CMF Training Pipeline Version 2.1 - Training Pipeline Version 2.1 outlines the optimal path to achieving the knowledge, skills, and abilities which satisfy the "common" joint standard outlined in JCT&CS. The pipeline is designed to prepare CMF personnel to perform mission tasks while providing operational support to the command. DOD expects version 2.1 to be finalized in fiscal year 2014.
3) CYBERCOM Training and Readiness Manual - This manual provides the tasks, conditions, and standards required to demonstrate individual and collective proficiency for CMF teams. The manual was designed to provide the collective training standards for personnel that have been formed into sub-elements and teams. DOD expects to complete version 2.2 of this manual in the third quarter of fiscal year 2014.
Given the close linkage and overlap between these activities and DOD's planned Directive and Instruction on cyberspace workforce management associated with recommendation one, this recommendation will be left open until the documents discussed above are updated and DOD's planned Directive and Instruction on cyberspace workforce management associated with recommendation one are formally approved.
Recommendation: To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Commander, U.S. Strategic Command, in conjunction with U.S. Cyber Command, to develop and publish authoritative and specific guidance regarding the mission requirements and capabilities, including skill sets, that the services should meet to provide long-term operational support to U.S. Cyber Command.
Agency Affected: Department of Defense