Defense Department Cyber Efforts:
More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities
GAO-11-421: Published: May 20, 2011. Publicly Released: Jun 20, 2011.
The U.S. military depends heavily on computer networks, and potential adversaries see cyberwarfare as an opportunity to pose a significant threat at low cost---a few programmers could cripple an entire information system. The Department of Defense (DOD) created U.S. Cyber Command to counter cyber threats, and tasked the military services with providing support. GAO examined the extent to which DOD and U.S. Cyber Command have identified for the military services the (1) roles and responsibilities, (2) command and control relationships, and (3) mission requirements and capabilities to enable them to organize, train, and equip for cyberspace operations. GAO reviewed relevant plans, policies, and guidance, and interviewed key DOD and military service officials regarding cyberspace operations.
DOD and U.S. Cyber Command have made progress in identifying the roles and responsibilities of the organizations that support DOD cyberspace operations, but additional detail and clarity is needed. GAO's analysis of U.S. Cyber Command's November 2010 Concept of Operations showed that it generally meets joint guidance and maps out U.S. Cyber Command's organizational and operational relationships in general terms. However, greater specificity is needed as to the categories of personnel that can conduct various types of cyberspace operations in order for the military services to organize, train, and equip cyber forces. The services may use military, civilian government, and contractor personnel to conduct cyberspace operations, and U.S. Cyber Command's Concept of Operations describes general roles and responsibilities for cyberspace operations performed by U.S. Cyber Command's directorates, the military services, and the respective service components. However, service officials indicated that DOD guidance was insufficient to determine precisely what civilian activities are permissible for certain cyber activities, that DOD is still reviewing the appropriate roles for government civilians in this domain, and that the military services may be constrained by limits on their total number of uniformed personnel, among other things. Without the specific guidance, the services may in the future have difficulty in meeting personnel needs for certain types of cyber forces. U.S. Cyber Command's Concept of Operations generally describes the command and control relationships between U.S. Cyber Command and the geographic combatant commands, but additional specificity would enable the military services to better plan their support for DOD cyberspace operations. DOD guidance calls for command and control relationships to be identified in the planning process. The Concept of Operations recognizes that a majority of cyberspace operations will originate at the theater and local levels, placing them under the immediate control of the geographic combatant commanders and requiring U.S. Cyber Command to provide cyberspace operations support. However, officials from the four military services cited a need for additional specificity as to command and control relationships for cyberspace operations between U.S. Cyber Command and the geographic combatant commands, to enable them to provide forces to the appropriate command. DOD recognizes this challenge in command and control and is conducting exercises and studies to work toward its resolution. U.S. Cyber Command has made progress in operational planning for its missions but has not fully defined long-term mission requirements and desired capabilities to guide the services' efforts to recruit, train, and provide forces with appropriate skill sets. DOD guidance requires that combatant commanders provide mission requirements the services can use in plans to organize, train, and equip their forces. However, GAO determined that in the absence of detailed direction from U.S. Strategic Command, the services are using disparate, service-specific approaches to organize, train, and equip forces for cyberspace operations, and these approaches may not enable them to meet U.S. Cyber Command's mission needs. GAO recommends that DOD set a timeline to develop and publish specific guidance regarding U.S. Cyber Command and its service components' cyberspace operations, including: (1) categories of personnel that can conduct various cyberspace operations; (2) command and control relationships between U.S. Cyber Command and the geographic combatant commands; and (3) mission requirements and capabilities, including skill sets, the services must meet to provide longterm operational support to the command. DOD agreed with the recommendations.
Recommendations for Executive Action
Status: Closed - Not Implemented
Comments: As of October 2017, DOD has not completed the DODI (see below) which would address the recommendation. As of May 2016, DOD finalized DOD Directive 8140.01 Cyber Workforce Management, which provides overarching policy guidance for the DOD cyber workforce and directs development of implementing policies. The directive however does not provide detailed guidance on personnel categories performing cyberspace operations. Additionally, DOD is in the process of finalizing DOD Instruction (DODI) 8140.aa Cyberspace Workforce Identification, Tracking, and Reporting--which is to establish DOD cyber workforce policy and procedures, assign responsibilities, and provide direction for the identification and tracking of DOD cyber workforce positions and personnel. DOD must revise the draft DoDI 8140.aa to make it compliant with federal cyber workforce identification and coding requirements within the "Federal Cybersecurity Workforce Assessment Act of 2015" (Division N, Title III, Sections 301 - 305 of PL 114-113). DOD is coordinating with the Office of Personnel Management and the National Institute of Standards and Technology to develop the federal cyber workforce coding structure all federal agencies must follow. The department projects this DODI will be published in 2017. Lastly, the department is to begin drafting DOD cyberspace workforce qualification manuals--one for each element of the cyber workforce--to replace DOD 8570.01-M Information Assurance Workforce Improvement Program and to address the full spectrum of the cyber workforce. To support this effort, DOD has identified draft criteria for establishing standards and requirements for DOD cyber workforce qualifications. The DOD Cyber Workforce Qualifications Working Group is to leverage these criteria to begin establishing qualifications. These findings will be included in the new qualification manuals, and these manuals are intended to provide the DOD cyber workforce with a skills maturity model for career progression. Until the publication of these workforce qualification manuals, DOD 8570.01-M will remain in effect to govern qualification requirements for the information assurance (cybersecurity) workforce. DOD did not project a timeframe for the new manuals' completion.
Recommendation: To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Under Secretary of Defense for Policy and the Under Secretary of Defense for Personnel and Readiness, in consultation with the DOD Office of General Counsel, to develop and publish detailed policies and guidance pertaining to categories of personnel that can conduct the various forms of cyberspace operations.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: DOD has taken a number of actions in response to this recommendation. In May 2012, the Joint Staff obtained Secretary of Defense approval on its Transitional Cyberspace Operations Command and Control Concept of Operations (CONOPS). As directed in the Concept of Operations, the Combatant Commands implemented the transitional command and control model and over the following year, the Joint Staff partnered with the U.S. Strategic Command, the U.S. Cyber Command, other Combatant Commands, Services and DoD Agencies to evaluate the transitional model and develop a more enduring cyberspace operations command and control framework. In June 2013, the Chairman issued the "Execute Order to Implement Cyberspace Operations Command and Control Framework," which builds upon the transitional concept specifying command relationships among cyberspace entities across DOD. In July 2014, Cyber Command published version 4.1 of its Cyber Force Concept of Operations and Employment, including an annex on the command and control of Cyber Mission Forces. The annex details more specific guidance on the supporting and supported relationships between Cyber Command and the combatant commands. In November 2014, the Chairman of the Joint Chiefs of Staff also issued a modification to its June 2013 Execute Order establishing a new Joint Force Headquarters DOD Information Network to direct and execute global network operations and Defensive Cyber Operations. Cyber Command also published a Concept of Operations in October 2014 for the DOD Information Network, which outlines specific guidance on the command and control relationships between Cyber Command and the combatant commands.
Recommendation: To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Chairman of the Joint Chiefs of Staff to develop and publish authoritative and specific guidance regarding the supporting and supported command and control relationships between U.S. Cyber Command and the geographic combatant commands for cyberspace operations.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: DOD has taken a number of actions to address this recommendation. As of July 2015, U.S. Cyber Command has developed joint training and assessment standards for individual and collective training specific to its Cyber Mission Force teams across three primary documents. These documents provide specific guidance on and assist the Services in identifying the necessary mission requirements and skill sets of its personnel assigned to Cyber Mission Force teams and are as follows: 1) Joint Cyberspace Training and Certification Standards which encompasses standardized joint procedures, guidelines, and standards for individual, staff, and collective training across all four phases of the Joint Training System. The standards document was signed in November 2014. 2) Cyber Mission Force Training Pipeline Version 2.2 - the training pipeline outlines the required and optional training courses for each cyber position. 3)Cyber Command Training and Readiness Manual - the document is a unit-based manual, in which each unit chapter contains applicable individual, sub-element, and collective training standards. The manual serves as a tool for Cyber Command to oversee a sustainment training program, ensuring continued proficiency and readiness of forces to complete cyber missions; it also intends to ensure training remains focused on mission accomplishment and that training and readiness reporting is tied to Cyber Mission Force mission essential tasks. Version 2.8 of this manual was published in February 2015.
Recommendation: To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Commander, U.S. Strategic Command, in conjunction with U.S. Cyber Command, to develop and publish authoritative and specific guidance regarding the mission requirements and capabilities, including skill sets, that the services should meet to provide long-term operational support to U.S. Cyber Command.
Agency Affected: Department of Defense