Defense Cybersecurity:

Opportunities Exist for DOD to Share Cybersecurity Resources with Small Businesses

GAO-15-777: Published: Sep 24, 2015. Publicly Released: Sep 24, 2015.

Contact:

Joseph W. Kirschbaum
(202) 512-9971
kirschbaumj@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Defense (DOD) Office of Small Business Programs (OSBP) has explored some options, such as online training videos, to integrate cybersecurity into its existing efforts; however, as of July 2015, the office had not identified and disseminated cybersecurity resources in its outreach and education efforts to defense small businesses. While DOD OSBP is not required to educate small businesses on cybersecurity, DOD OSBP officials acknowledged that cybersecurity is an important and timely issue for small businesses—and therefore the office is considering incorporating cybersecurity into its existing outreach and education efforts. During the review, GAO identified 15 existing federal cybersecurity resources that DOD OSBP could disseminate to defense small businesses.

Selected Examples of Cybersecurity Resources GAO Identified as Available to Defense Small Businesses

| Resource | Implementing Agency | Program Overview |
| --- | --- | --- |
| Cybersecurity e-Learning Courses | DOD Defense Security Service | Online courses related to cybersecurity topics such as risk management and phishing—that is, social engineering that uses authentic-looking, but fake, e-mails to request information from users or direct them to a fake website that requests information. |
| Cybersecurity for Small Business | U.S. Small Business Administration | Provides a 30 minute online program that covers cybersecurity concepts for small business. |
| Small Biz Cyber Planner 2.0 | Federal Communications Commission | Provides guidance based on areas of risk self-identified by small businesses. The guidance includes links to additional cybersecurity resources for small businesses. |

Source: GAO analysis of information from listed agencies. | GAO-15-777

While DOD OSBP officials recognized the importance of identifying and disseminating cybersecurity resources through outreach and education efforts to small businesses, they identified factors that had limited their progress in doing so. Specifically, they were not aware of existing cybersecurity resources, they had leadership turnover in the office, and the office was focused on developing a training curriculum for professionals who work with small businesses. While GAO recognizes that these factors could affect progress, federal government internal controls state that management should ensure there are adequate means of communicating with, and obtaining information from, external stakeholders who may have a significant impact on the agency's achieving its goals. DOD OSBP officials agreed that identifying and disseminating information about existing cybersecurity resources to defense small businesses could help small businesses be more aware of cybersecurity practices and cyber threats. In addition, by identifying and disseminating this information, DOD OSBP could help small businesses to protect their networks, thereby supporting the 2015 DOD Cyber Strategy goals of working with the private sector to help secure defense industrial base trade data and build layered cyber defenses.

Why GAO Did This Study

Small businesses, including those that conduct business with DOD, are vulnerable to cyber threats and may have fewer resources, such as robust cybersecurity systems, than larger businesses to counter cyber threats.

The Joint Explanatory Statement accompanying the National Defense Authorization Act for Fiscal Year 2015 included a provision that GAO assess DOD OSBP's outreach and education efforts to small businesses on cyber threats. This report addresses the extent to which DOD OSBP has integrated cybersecurity into its outreach and education efforts to defense small businesses. DOD OSBP's mission includes providing small business policy advice to the Office of the Secretary of Defense, and policy oversight to DOD military department and component small business offices.

To conduct this review, GAO analyzed documentation and interviewed officials from DOD OSBP about its cybersecurity outreach and education efforts. GAO also analyzed documentation and interviewed officials from nine organizations selected for their cybersecurity expertise to identify examples of cybersecurity outreach and education programs potentially available to defense small businesses.

What GAO Recommends

GAO recommends that DOD identify and disseminate cybersecurity resources to defense small businesses. DOD concurred with the recommendation and agreed to implement training events and education programs.

For more information, contact Joseph W. Kirschbaum at (202) 512-9971 or kirschbaumj@gao.gov.

Recommendation for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To better position defense small businesses in protecting information and networks from cyber threats, the Secretary of Defense should direct the Director of the DOD OSBP, as part of its existing outreach efforts, to identify and disseminate cybersecurity resources to defense small businesses.

    Agency Affected: Department of Defense

 
