Defense Cybersecurity:

DOD's Monitoring of Progress in Implementing Cyber Strategies Can Be Strengthened

GAO-17-512: Published: Aug 1, 2017. Publicly Released: Aug 1, 2017.

Additional Materials:

Contact:

Joseph W. Kirschbaum
(202) 512-9971
kirschbaumj@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Officials from Department of Defense (DOD) components identified advantages and disadvantages of the “dual-hat” leadership of the National Security Agency (NSA)/Central Security Service (CSS) and Cyber Command (CYBERCOM) (see table). Also, DOD and congressional committees have identified actions that could mitigate risks associated with ending the dual-hat leadership arrangement, such as formalizing agreements between NSA/CSS and CYBERCOM to ensure continued collaboration, and developing a persistent cyber training environment to provide a realistic, on-demand training capability. As of April 2017, DOD had not determined whether it would end the dual-hat leadership arrangement.

Table: Advantages and Disadvantages of the Dual-Hat Leadership Arrangement, as Reported by Department of Defense (DOD) Officials

Advantages

Disadvantages

Improved coordination and collaboration between NSA/CSS and CYBERCOM

Concern that Cyber Command (CYBERCOM) priorities may receive preference over other commands' priorities with respect to National Security Agency (NSA)/Central Security Service (CSS) support

Faster decision-making

Increased potential of NSA/CSS operations and tools being exposed

Efficiency of resources

 

 

Too broad of a span of control that potentially limits effective leadership

Increases tension between NSA/CSS and CYBERCOM staff who are responsible for military and/or intelligence operation tasks that are not always mutually achievable

Enables sharing of resources between NSA/CSS and CYBERCOM resulting in resource allocation that is not always easily understood by personnel

Source: GAO analysis of DOD information. | GAO-17-512

DOD's progress in implementing key cybersecurity guidance—the DOD Cloud Computing Strategy, The DOD Cyber Strategy, and the DOD Cybersecurity Campaign—has varied. DOD has implemented the cybersecurity elements of the DOD Cloud Computing Strategy and has made progress in implementing The DOD Cyber Strategy and DOD Cybersecurity Campaign. However, DOD's process for monitoring implementation of The DOD Cyber Strategy has resulted in the closure of tasks before they were fully implemented; for example, DOD closed a task that, among other things, would require completing cyber risk assessments on 136 weapon systems. Officials acknowledged they are on track to complete the assessments by December 31, 2019, but as of May 2017, the task was not complete. Unless DOD modifies its process for deciding whether a task identified in its Cyber Strategy is implemented, it may not be able to achieve outcomes articulated in the strategy. Also, DOD lacks a timeframe and process for monitoring implementation of the DOD Cybersecurity Campaign objective to transition to commander-driven operational risk assessments for cybersecurity readiness. Unless DOD improves the monitoring of its key cyber strategies, it is unknown when DOD will achieve cybersecurity compliance.

Why GAO Did This Study

DOD acknowledges that malicious cyber intrusions of its networks have negatively affected its information technology systems, and that adversaries are gaining capability over time. In 2010, the President re-designated the director of the NSA as CYBERCOM's commander, establishing a dual-hat leadership arrangement for these agencies with critical cybersecurity responsibilities.

House Reports 114-537 and 114-573 both included provisions for GAO to assess DOD's management of its cybersecurity enterprise. This report, among other things, examines (1) DOD officials' perspectives on the advantages and disadvantages of the dual-hat leadership arrangement of NSA/CSS and CYBERCOM, and actions that could mitigate risks if the leadership arrangement ends, and (2) the extent to which DOD has implemented key strategic cybersecurity guidance. GAO analyzed DOD cybersecurity strategies, guidance, and information and interviewed cognizant DOD officials.

What GAO Recommends

GAO recommends that DOD take the following two actions: (1) modify its criteria for closing tasks from The DOD Cyber Strategy; and (2) establish a timeframe and monitoring for implementing an objective of the DOD Cybersecurity Campaign to transition to commander-driven operational risk assessments for cybersecurity readiness. DOD partially concurred with these recommendations and identified actions it plans to take. If implemented, GAO believes these actions would satisfy the intent of the recommendations.

For more information, contact Joseph W. Kirschbaum at (202) 512-9971 or kirschbaumj@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure that DOD implements the tasks and objectives of key cybersecurity guidance to strengthen its cybersecurity posture, the Secretary of Defense should direct the Principal Cyber Advisor to modify the criteria for closing tasks from The DOD Cyber Strategy to reflect whether tasks have been implemented, and to re-evaluate tasks that have been previously determined to be completed to ensure that they meet the modified criteria.

    Agency Affected: Department of Defense

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure that DOD implements the tasks and objectives of key cybersecurity guidance to strengthen its cybersecurity posture, the Secretary of Defense should direct the Commander of CYBERCOM, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics and DOD Chief Information Officer, to establish a timeframe and monitor implementation of the DOD Cybersecurity Campaign objective to develop cybersecurity readiness assessments to help ensure accountability.

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Aug 16, 2017

Aug 15, 2017

Aug 14, 2017

Aug 10, 2017

Aug 9, 2017

Aug 8, 2017

Aug 7, 2017

Aug 1, 2017

Jul 31, 2017

Jul 27, 2017

Looking for more? Browse all our products here