Skip to main content

Defense Department Cyber Efforts: More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities

GAO-11-421 Published: May 20, 2011. Publicly Released: Jun 20, 2011.
Jump To:
Skip to Highlights

Highlights

The U.S. military depends heavily on computer networks, and potential adversaries see cyberwarfare as an opportunity to pose a significant threat at low cost---a few programmers could cripple an entire information system. The Department of Defense (DOD) created U.S. Cyber Command to counter cyber threats, and tasked the military services with providing support. GAO examined the extent to which DOD and U.S. Cyber Command have identified for the military services the (1) roles and responsibilities, (2) command and control relationships, and (3) mission requirements and capabilities to enable them to organize, train, and equip for cyberspace operations. GAO reviewed relevant plans, policies, and guidance, and interviewed key DOD and military service officials regarding cyberspace operations.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Under Secretary of Defense for Policy and the Under Secretary of Defense for Personnel and Readiness, in consultation with the DOD Office of General Counsel, to develop and publish detailed policies and guidance pertaining to categories of personnel that can conduct the various forms of cyberspace operations.
Closed – Not Implemented
As of October 2017, DOD has not completed the DODI (see below) which would address the recommendation. As of May 2016, DOD finalized DOD Directive 8140.01 Cyber Workforce Management, which provides overarching policy guidance for the DOD cyber workforce and directs development of implementing policies. The directive however does not provide detailed guidance on personnel categories performing cyberspace operations. Additionally, DOD is in the process of finalizing DOD Instruction (DODI) 8140.aa Cyberspace Workforce Identification, Tracking, and Reporting--which is to establish DOD cyber workforce policy and procedures, assign responsibilities, and provide direction for the identification and tracking of DOD cyber workforce positions and personnel. DOD must revise the draft DoDI 8140.aa to make it compliant with federal cyber workforce identification and coding requirements within the "Federal Cybersecurity Workforce Assessment Act of 2015" (Division N, Title III, Sections 301 - 305 of PL 114-113). DOD is coordinating with the Office of Personnel Management and the National Institute of Standards and Technology to develop the federal cyber workforce coding structure all federal agencies must follow. The department projects this DODI will be published in 2017. Lastly, the department is to begin drafting DOD cyberspace workforce qualification manuals--one for each element of the cyber workforce--to replace DOD 8570.01-M Information Assurance Workforce Improvement Program and to address the full spectrum of the cyber workforce. To support this effort, DOD has identified draft criteria for establishing standards and requirements for DOD cyber workforce qualifications. The DOD Cyber Workforce Qualifications Working Group is to leverage these criteria to begin establishing qualifications. These findings will be included in the new qualification manuals, and these manuals are intended to provide the DOD cyber workforce with a skills maturity model for career progression. Until the publication of these workforce qualification manuals, DOD 8570.01-M will remain in effect to govern qualification requirements for the information assurance (cybersecurity) workforce. DOD did not project a timeframe for the new manuals' completion.
Department of Defense To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Chairman of the Joint Chiefs of Staff to develop and publish authoritative and specific guidance regarding the supporting and supported command and control relationships between U.S. Cyber Command and the geographic combatant commands for cyberspace operations.
Closed – Implemented
DOD has taken a number of actions in response to this recommendation. In May 2012, the Joint Staff obtained Secretary of Defense approval on its Transitional Cyberspace Operations Command and Control Concept of Operations (CONOPS). As directed in the Concept of Operations, the Combatant Commands implemented the transitional command and control model and over the following year, the Joint Staff partnered with the U.S. Strategic Command, the U.S. Cyber Command, other Combatant Commands, Services and DoD Agencies to evaluate the transitional model and develop a more enduring cyberspace operations command and control framework. In June 2013, the Chairman issued the "Execute Order to Implement Cyberspace Operations Command and Control Framework," which builds upon the transitional concept specifying command relationships among cyberspace entities across DOD. In July 2014, Cyber Command published version 4.1 of its Cyber Force Concept of Operations and Employment, including an annex on the command and control of Cyber Mission Forces. The annex details more specific guidance on the supporting and supported relationships between Cyber Command and the combatant commands. In November 2014, the Chairman of the Joint Chiefs of Staff also issued a modification to its June 2013 Execute Order establishing a new Joint Force Headquarters DOD Information Network to direct and execute global network operations and Defensive Cyber Operations. Cyber Command also published a Concept of Operations in October 2014 for the DOD Information Network, which outlines specific guidance on the command and control relationships between Cyber Command and the combatant commands.
Department of Defense To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Commander, U.S. Strategic Command, in conjunction with U.S. Cyber Command, to develop and publish authoritative and specific guidance regarding the mission requirements and capabilities, including skill sets, that the services should meet to provide long-term operational support to U.S. Cyber Command.
Closed – Implemented
DOD has taken a number of actions to address this recommendation. As of July 2015, U.S. Cyber Command has developed joint training and assessment standards for individual and collective training specific to its Cyber Mission Force teams across three primary documents. These documents provide specific guidance on and assist the Services in identifying the necessary mission requirements and skill sets of its personnel assigned to Cyber Mission Force teams and are as follows: 1) Joint Cyberspace Training and Certification Standards which encompasses standardized joint procedures, guidelines, and standards for individual, staff, and collective training across all four phases of the Joint Training System. The standards document was signed in November 2014. 2) Cyber Mission Force Training Pipeline Version 2.2 - the training pipeline outlines the required and optional training courses for each cyber position. 3)Cyber Command Training and Readiness Manual - the document is a unit-based manual, in which each unit chapter contains applicable individual, sub-element, and collective training standards. The manual serves as a tool for Cyber Command to oversee a sustainment training program, ensuring continued proficiency and readiness of forces to complete cyber missions; it also intends to ensure training remains focused on mission accomplishment and that training and readiness reporting is tied to Cyber Mission Force mission essential tasks. Version 2.8 of this manual was published in February 2015.

Full Report

Office of Public Affairs

Topics

Classified defense informationComputer networksConcept of operationsDefense capabilitiesDefense contingency planningMilitary cost controlMilitary operationsMilitary trainingNational defense operationsCyberspace operations