Fast Facts

The Defense Department began developing a Cyber Mission Force (CMF) in 2013 to defend its information networks and bring cyber skills to the battlefield.

DOD's Cyber Command established training standards for CMF teams, which include people from across the military services. Now, DOD has begun to shift its focus from building to maintaining the CMF, and plans to transfer CMF training responsibilities to the services.

We found gaps in the plans for this transition. We made 8 recommendations to help ensure coordination between the services and DOD’s Cyber Command.

A member of the National Guard participates in a cyber training exercise in 2018.

Highlights

What GAO Found

U.S. Cyber Command (CYBERCOM) has taken a number of steps—such as establishing consistent training standards—to develop its Cyber Mission Force (CMF) teams (see figure). To train CMF teams rapidly, CYBERCOM used existing resources where possible, such as the Navy's Joint Cyber Analysis Course and the National Security Agency's National Cryptologic School. As of November 2018, many of the 133 CMF teams that initially reported achieving full operational capability no longer had the full complement of trained personnel, and therefore did not meet CYBERCOM's readiness standards. This was caused by a number of factors, but CYBERCOM has since implemented new readiness procedures that emphasize readiness rather than achieving interim milestones, such as full operational capability.

Figure: Cyber Mission Force (CMF) Training Model Phases

DOD has begun to shift focus from building to maintaining a trained CMF. The department developed a transition plan for the CMF that transfers foundational (phase two) training responsibility to the services. However, the Army and Air Force do not have time frames for required validation of foundational courses to CYBERCOM standards. Further, services' plans do not include all CMF training requirements, such as the numbers of personnel that need to be trained. Also, CYBERCOM does not have a plan to establish required independent assessors to ensure the consistency of collective (phase three) CMF training.

Between 2013 and 2018, CMF personnel made approximately 700 requests for exemptions from training based on their experience, and about 85 percent of those applicants had at least one course exemption approved. However, GAO found that CYBERCOM has not established training task lists for foundational training courses. The services need these task lists to prepare appropriate course equivalency standards.

Why GAO Did This Study

Developing a skilled cyber workforce is imperative to DOD achieving its offensive and defensive missions, and in 2013 it began developing CMF teams to fulfill these missions. CYBERCOM announced that the first wave of 133 such teams achieved full operational capability in May 2018. House Report 115-200 includes a provision for GAO to assess DOD's current and planned state of cyber training.

GAO's report examines the extent to which DOD has (1) developed a trained CMF, (2) made plans to maintain a trained CMF, and (3) leveraged other cyber experience to meet training requirements for CMF personnel. To address these objectives, GAO reviewed DOD's cyber training standards, planning documents, and reports on CMF training; and interviewed DOD officials. This is an unclassified version of a For Official Use Only report that GAO previously issued.

Recommendations

GAO is making eight recommendations, including that the Army and Air Force identify time frames for validating foundational CMF courses; the military services develop CMF training plans with specific personnel requirements; CYBERCOM develop and document a plan establishing independent assessors to evaluate training; and CYBERCOM establish the training tasks covered by foundational training courses and convey them to the services. DOD concurred with the recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense 1. The Secretary of Defense should ensure that the Army, in coordination with CYBERCOM and the National Cryptologic School, where appropriate, establish a time frame to validate all of the phase two foundational training courses for which it is responsible. (Recommendation 1)
Open
DOD agreed with the recommendation. According to a DOD status report on implementing the recommendations for GAO-19-362 that was provided to us in February 2021, the Army noted that it has made progress validating phase two foundational training and further progress is dependent upon U.S. Cyber Command releasing a master task list.
Department of Defense 2. The Secretary of Defense should ensure that the Air Force, in coordination with CYBERCOM and the National Cryptologic School, where appropriate, establish a time frame to validate all of the phase two foundational training courses for which it is responsible. (Recommendation 2)
Open
DOD agreed with the recommendation. According to a DOD status report on implementing the recommendations for GAO-19-362 that was provided to us in February 2021, the Air Force has made progress validating phase two foundational training and believes it will take until 2022 to complete corrective actions due to restructuring of the Cyber Mission Forces.
Department of Defense
This is a priority recommendation.
3. The Secretary of the Army should ensure that Army Cyber Command coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases two (foundational), three (collective), and four (sustainment), in order to maintain the appropriate sizing and deployment of personnel across the Army's CMF teams. (Recommendation 3)
Open
DOD agreed with the recommendation. According to a DOD status report on implementing the recommendations for GAO-19-362 that was provided to us in February 2021, the Army's implementation of this recommendation is dependent upon U.S. Cyber Command establishing master training task lists which drive the training. In December 2020, Army Cyber Command indicated that it would likely take until October 2021 to complete these tasks.
Department of Defense
This is a priority recommendation.
4. The Secretary of the Navy should ensure that Fleet Cyber Command coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases three (collective) and four (sustainment) in order to maintain the appropriate sizing and deployment of personnel across the Navy's CMF teams. (Recommendation 4)
Open
DOD agreed with the recommendation. According to a DOD status report on implementing the recommendations for GAO-19-362 that was provided to us in February 2021, the Navy's timeline to identify the specific training requirements for Cyber Mission Force training is dependent upon U.S. Cyber Command releasing a Master Task List. The Navy anticipates completing its training requirement development by October 31, 2021.
Department of Defense
This is a priority recommendation.
5. The Secretary of the Air Force should ensure that Air Forces Cyber coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases two (foundational), three (collective), and four (sustainment), in order to maintain the appropriate sizing and deployment of personnel across the Air Force's CMF teams. (Recommendation 5)
Open
DOD agreed with our recommendation. According to a DOD status report on implementing the recommendations for GAO-19-362 that was provided to us in February 2021, the Air Force's timeline to develop a training plan is contingent upon the completion of U.S. Cyber Command releasing a Master Task List. The Air Force anticipates that it will take until 2022 to develop training plans for its phase 2, 3, and 4 training requirements.
Department of Defense
This is a priority recommendation.
6. The Commandant of the Marine Corps should ensure that Marine Corps Forces Cyberspace coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases two (foundational), three (collective), and four (sustainment), in order to maintain the appropriate sizing and deployment of personnel across the Marine Corps' CMF teams. (Recommendation 6)
Open
DOD agreed with our recommendation. According to a DOD status report on implementing the recommendations for GAO-19-362 that was provided to us in February 2021, the Marine Corps' phase 2 foundational training is reliant upon the National Security Agency. The Marine Corps is unable to deliver this training outside of National Security Agency accesses and processes; it believes a Marine Corps solution will be in place in 2021. Additionally, the Marine Corps plans to accomplish phase 3 (collective) and phase 4 (sustainment) training via the Persistent Cyber Training Environment beginning in 2021.
Department of Defense 7. The Secretary of Defense should ensure that the commander of CYBERCOM develops and documents a plan for establishing independent assessors to evaluate CMF phase three collective training certification events. (Recommendation 7)
Open
DOD agreed with our recommendation. According to a DOD status report on implementing the recommendations for GAO-19-362 that was provided to us in February 2020, U.S. Cyber Command established procedures for assessing teams participating in Joint Exercise Program collective training events. These procedures include the use of highly skilled and independent assessors from deployable training teams and other units to conduct standard assessments using U.S. Cyber Command criteria. DOD reports that the command has captured lessons learned from these procedures and will promulgate a command-wide instruction to further standardize assessments across the force and guide the development of automated assessments conducted with the Persistent Cyber Training Environment. DOD further reports that the procedures described above were first used in the CYBERFLAG 19-1 exercise in June 2019. We are in the process of obtaining documentation from that exercise to verify these procedures.
Department of Defense 8. The Secretary of Defense should ensure that the commander of CYBERCOM establishes and disseminates the master training task lists covered by each phase two foundational training course and convey them to the military services, in accordance with the CMF Training Transition Plan. (Recommendation 8)
Open
DOD agreed with our recommendation. According to a DOD status report on implementing the recommendations for GAO-19-362 that was provided to us in February 2020, U.S. Cyber Command will complete this task in September 2020. DOD reports that U.S. Cyber Command has established and made individual training standards available through the Joint Cyber Training and Certification Standards to all services prior to the training transition in October 2018. In October 2019, DOD approved a new organizational structure and new Mission Essential Tasks for Cyber Protection Teams. The training standards were updated and provided to the services, who are using them to validate and develop Joint Curriculum. DOD is currently reviewing a U.S. Cyber Command proposal for the organization and mission essential tasks for Cyber Mission Teams and Cyber Support Teams. Pending DOD approval, U.S. Cyber Command will update and publish revisions to the individual training standards.
