Weapon Systems Cybersecurity: Guidance Would Help DOD Programs Better Communicate Requirements to Contractors
Fast Facts
The Department of Defense has struggled to ensure its weapons systems can withstand cyberattacks. Since we last reported, DOD has taken some positive steps toward that goal, like conducting more cyber testing.
But we found that DOD programs aren't always incorporating cybersecurity requirements into contract language. And contractors are only responsible for meeting the terms written in a contract. Some contracts we reviewed had no cybersecurity requirements when they were awarded, with vague requirements added later.
We recommended that DOD issue guidance on incorporating weapon systems cybersecurity requirements into contract language.
Highlights
What GAO Found
Since GAO's 2018 report, the Department of Defense (DOD) has taken action to make its network of high-tech weapon systems less vulnerable to cyberattacks. DOD and military service officials highlighted areas of progress, including increased access to expertise, enhanced cyber testing, and additional guidance. For example, GAO found that selected acquisition programs have conducted, or planned to conduct, more cybersecurity testing during development than past acquisition programs. It is important that DOD sustain its efforts as it works to improve weapon systems cybersecurity.
Contracting for cybersecurity requirements is key. DOD guidance states that these requirements should be treated like other types of system requirements and, more simply, “if it is not in the contract, do not expect to get it.” Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met. However, GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria, or verification processes. For example, GAO found that contracts for three of the five programs did not include any cybersecurity requirements when they were awarded. A senior DOD official said standardizing cybersecurity requirements is difficult and the department needs to better communicate cybersecurity requirements and systems engineering to the users that will decide whether or not a cybersecurity risk is acceptable.
Incorporating Cybersecurity in Contracts
DOD and the military services have developed a range of policy and guidance documents to improve weapon systems cybersecurity, but the guidance usually does not specifically address how acquisition programs should include cybersecurity requirements, acceptance criteria, and verification processes in contracts. Among the four military services GAO reviewed, only the Air Force has issued service-wide guidance that details how acquisition programs should define cybersecurity requirements and incorporate those requirements in contracts. The other services could benefit from a similar approach in developing their own guidance that helps ensure that DOD appropriately addresses cybersecurity requirements in contracts.
Why GAO Did This Study
DOD's network of sophisticated, expensive weapon systems must work when needed, without being incapacitated by cyberattacks. However, GAO reported in 2018 that DOD was routinely finding cyber vulnerabilities late in its development process.
A Senate report accompanying the National Defense Authorization Act for Fiscal Year 2020 included a provision for GAO to review DOD's implementation of cybersecurity for weapon systems in development. GAO's report addresses (1) the extent to which DOD has made progress in implementing cybersecurity for weapon systems during development, and (2) the extent to which DOD and the military services have developed guidance for incorporating weapon systems cybersecurity requirements into contracts.
GAO reviewed DOD and service guidance and policies related to cybersecurity for weapon systems in development, interviewed DOD and program officials, and reviewed supporting documentation for five acquisition programs. GAO also interviewed defense contractors about their experiences with weapon systems cybersecurity.
Recommendations
GAO is recommending that the Army, Navy, and Marine Corps provide guidance on how programs should incorporate tailored cybersecurity requirements into contracts. DOD concurred with two recommendations, and stated that the third—to the Marine Corps—should be merged with the one to the Navy. DOD's response aligns with the intent of the recommendation.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of the Army |
Priority Rec.
The Secretary of the Army should develop guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. (Recommendation 1) |
Closed – Implemented
The Army concurred with our recommendation. In March 2022, the Army Office of the Chief Systems Engineer published guidance to help acquisition decision authorities and program managers implement a systems engineering process to improve cyber resilience and survivability. The guidance includes planning considerations and tasks to inform procurement and contracting as well as an implementation process to determine the appropriate cyber requirements for each acquisition program.
|
| Department of the Navy |
Priority Rec.
The Secretary of the Navy should develop guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. (Recommendation 2) |
Open
The Navy concurred with our recommendation. In April 2022, the Navy issued an updated instruction governing the Department's program acquisition and sustainment policies and procedures. The instruction includes a new enclosure on cybersecurity requirements, which reinforces the importance of cybersecurity as a design and systems engineering consideration throughout the program lifecycle. However, the instruction does not address contracting for cybersecurity requirements. In February 2023, Navy officials stated that they were developing a new instruction on technology and program protection management, which will include more specific language related to contracting for cybersecurity requirements. Officials stated that they expect to finalize the new instruction by December 2023.
|
| Department of the Navy |
Priority Rec.
The Secretary of the Navy should take steps to ensure the Marine Corps develops guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. (Recommendation 3) |
Open
The Navy partially concurred with our recommendation, stating that a separate recommendation to the Marine Corps was unnecessary given that the Navy and Marine Corps operate under a single acquisition construct. We determined that separate recommendations to each component were appropriate because each maintains independent policies and guidance relevant to weapon systems cybersecurity. In April 2022, the Navy issued an updated instruction governing the Department's program acquisition and sustainment policies and procedures. The instruction includes a new enclosure on cybersecurity requirements, which reinforces the importance of cybersecurity as a design and systems engineering consideration throughout the program lifecycle. However, the instruction does not address contracting for cybersecurity requirements. In February 2023, Navy officials stated that they were developing a new instruction on technology and program protection management, which will include more specific language related to contracting for cybersecurity requirements. Officials stated that they expect to finalize the new instruction by December 2023.
|