Skip to main content

DOD Training: U.S. Cyber Command and Services Should Take Actions to Maintain a Trained Cyber Mission Force

GAO-19-362 Published: Mar 06, 2019. Publicly Released: Mar 06, 2019.
Jump To:

Fast Facts

The Defense Department began developing a Cyber Mission Force (CMF) in 2013 to defend its information networks and bring cyber skills to the battlefield.

DOD's Cyber Command established training standards for CMF teams, which include people from across the military services. Now, DOD has begun to shift its focus from building to maintaining the CMF, and plans to transfer CMF training responsibilities to the services.

We found gaps in the plans for this transition. We made 8 recommendations to help ensure coordination between the services and DOD’s Cyber Command.

A member of the National Guard participates in a cyber training exercise in 2018.

A soldier in uniform in front of a computer screen.

A soldier in uniform in front of a computer screen.

Skip to Highlights

Highlights

What GAO Found

U.S. Cyber Command (CYBERCOM) has taken a number of steps—such as establishing consistent training standards—to develop its Cyber Mission Force (CMF) teams (see figure). To train CMF teams rapidly, CYBERCOM used existing resources where possible, such as the Navy's Joint Cyber Analysis Course and the National Security Agency's National Cryptologic School. As of November 2018, many of the 133 CMF teams that initially reported achieving full operational capability no longer had the full complement of trained personnel, and therefore did not meet CYBERCOM's readiness standards. This was caused by a number of factors, but CYBERCOM has since implemented new readiness procedures that emphasize readiness rather than achieving interim milestones, such as full operational capability.

Figure: Cyber Mission Force (CMF) Training Model Phases

Figure: Cyber Mission Force (CMF) Training Model Phases

DOD has begun to shift focus from building to maintaining a trained CMF. The department developed a transition plan for the CMF that transfers foundational (phase two) training responsibility to the services. However, the Army and Air Force do not have time frames for required validation of foundational courses to CYBERCOM standards. Further, services' plans do not include all CMF training requirements, such as the numbers of personnel that need to be trained. Also, CYBERCOM does not have a plan to establish required independent assessors to ensure the consistency of collective (phase three) CMF training.

Between 2013 and 2018, CMF personnel made approximately 700 requests for exemptions from training based on their experience, and about 85 percent of those applicants had at least one course exemption approved. However, GAO found that CYBERCOM has not established training task lists for foundational training courses. The services need these task lists to prepare appropriate course equivalency standards.

Why GAO Did This Study

Developing a skilled cyber workforce is imperative to DOD achieving its offensive and defensive missions, and in 2013 it began developing CMF teams to fulfill these missions. CYBERCOM announced that the first wave of 133 such teams achieved full operational capability in May 2018. House Report 115-200 includes a provision for GAO to assess DOD's current and planned state of cyber training.

GAO's report examines the extent to which DOD has (1) developed a trained CMF, (2) made plans to maintain a trained CMF, and (3) leveraged other cyber experience to meet training requirements for CMF personnel. To address these objectives, GAO reviewed DOD's cyber training standards, planning documents, and reports on CMF training; and interviewed DOD officials. This is an unclassified version of a For Official Use Only report that GAO previously issued.

Recommendations

GAO is making eight recommendations, including that the Army and Air Force identify time frames for validating foundational CMF courses; the military services develop CMF training plans with specific personnel requirements; CYBERCOM develop and document a plan establishing independent assessors to evaluate training; and CYBERCOM establish the training tasks covered by foundational training courses and convey them to the services. DOD concurred with the recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status Sort descending
Department of Defense
Priority Rec.
The Secretary of the Air Force should ensure that Air Forces Cyber coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases two (foundational), three (collective), and four (sustainment), in order to maintain the appropriate sizing and deployment of personnel across the Air Force's CMF teams. (Recommendation 5)
Closed – Implemented
DOD agreed with the recommendation. In April of 2022, DOD updated us on the status of actions they have taken. In February 2020 U.S. Cyber Command developed the Cyber Mission Force Readiness Reporting Standard Operating Procedures to accompany the February 2018 Cyber Mission Force Training and Readiness Manual. These two documents provide the services with enough information to understand how many personnel they require for each team and what classes they would have to put those personnel through to maintain the size and capacity of the cyber mission force teams. As U.S. Cyber Command and the military services continue to advance in these areas, they should now be able to develop detailed plans that specifically identify personnel requirements for several years out so that they can sustain and grow the Cyber Mission Force teams in the future. Taken together, these actions meet the intent of our recommendation.
Department of Defense
Priority Rec.
The Commandant of the Marine Corps should ensure that Marine Corps Forces Cyberspace coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases two (foundational), three (collective), and four (sustainment), in order to maintain the appropriate sizing and deployment of personnel across the Marine Corps' CMF teams. (Recommendation 6)
Closed – Implemented
DOD agreed with the recommendation. In April of 2022, DOD updated us on the status of actions they have taken. In February 2020 U.S. Cyber Command developed the Cyber Mission Force Readiness Reporting Standard Operating Procedures to accompany the February 2018 Cyber Mission Force Training and Readiness Manual. These two documents provide the services with enough information to understand how many personnel they require for each team and what classes they would have to put those personnel through to maintain the size and capacity of the cyber mission force teams. As U.S. Cyber Command and the military services continue to advance in these areas, they should now be able to develop detailed plans that specifically identify personnel requirements for several years out so that they can sustain and grow the Cyber Mission Force teams in the future. Taken together, these actions meet the intent of our recommendation.
Department of Defense The Secretary of Defense should ensure that the commander of CYBERCOM develops and documents a plan for establishing independent assessors to evaluate CMF phase three collective training certification events. (Recommendation 7)
Closed – Implemented
DOD agreed with the recommendation. DOD updated us in April 2022 on actions it has taken. DOD produced several documents that help standardize the assessment of phase three collective training, specifically the Cyber Guard and Cyber Flag Assessments guides and the Cyber Mission Force Training and Readiness Manual Addendum used to evaluate Cyber Protection Teams. Along with the Training and readiness Manuals for the other teams, these documents provide enough guidance to evaluators to understand what is required of the team to be certified. This meets the intent of our recommendation.
Department of Defense The Secretary of Defense should ensure that the commander of CYBERCOM establishes and disseminates the master training task lists covered by each phase two foundational training course and convey them to the military services, in accordance with the CMF Training Transition Plan. (Recommendation 8)
Closed – Implemented
DOD agreed with the recommendation. According to a key official from DOD the master training task list was incorporated into Cyber Training Manual 7-0.1, which contains the Joint Cyberspace Training and Certification Standards. The military services are required to use this information to develop the courses. This action met the intent of our recommendation.
Department of Defense The Secretary of Defense should ensure that the Army, in coordination with CYBERCOM and the National Cryptologic School, where appropriate, establish a time frame to validate all of the phase two foundational training courses for which it is responsible. (Recommendation 1)
Closed – Implemented
DOD agreed with the recommendation. DOD updated us in April 2022 on the status of the courses that are used for phase two foundational training of the Cyber Mission Force. One of the milestones listed in DOD's guidance is when the training courses have been or will be validated. This action meets the intent of our recommendation.
Department of Defense The Secretary of Defense should ensure that the Air Force, in coordination with CYBERCOM and the National Cryptologic School, where appropriate, establish a time frame to validate all of the phase two foundational training courses for which it is responsible. (Recommendation 2)
Closed – Implemented
DOD agreed with the recommendation. DOD updated us in April 2022 on the status of the courses that are used for phase two foundational training of the Cyber Mission Force. One of the milestones listed in DOD's guidance is when the training courses have been or will be validated. This action meets the intent of our recommendation.
Department of Defense
Priority Rec.
The Secretary of the Army should ensure that Army Cyber Command coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases two (foundational), three (collective), and four (sustainment), in order to maintain the appropriate sizing and deployment of personnel across the Army's CMF teams. (Recommendation 3)
Closed – Implemented
DOD agreed with the recommendation. In April of 2022, DOD updated us on the status of actions they have taken. In February 2020 U.S. Cyber Command developed the Cyber Mission Force Readiness Reporting Standard Operating Procedures to accompany the February 2018 Cyber Mission Force Training and Readiness Manual. These two documents provide the services with enough information to understand how many personnel they require for each team and what classes they would have to put those personnel through to maintain the size and capacity of the cyber mission force teams. As U.S. Cyber Command and the military services continue to advance in these areas, they should now be able to develop detailed plans that specifically identify personnel requirements for several years out so that they can sustain and grow the Cyber Mission Force teams in the future. Taken together, these actions meet the intent of our recommendation.
Department of Defense
Priority Rec.
The Secretary of the Navy should ensure that Fleet Cyber Command coordinate with CYBERCOM to develop a plan that comprehensively assesses and identifies specific CMF training requirements for phases three (collective) and four (sustainment) in order to maintain the appropriate sizing and deployment of personnel across the Navy's CMF teams. (Recommendation 4)
Closed – Implemented
DOD agreed with the recommendation. In April of 2022, DOD updated us on the status of actions they have taken. In February 2020 U.S. Cyber Command developed the Cyber Mission Force Readiness Reporting Standard Operating Procedures to accompany the February 2018 Cyber Mission Force Training and Readiness Manual. These two documents provide the services with enough information to understand how many personnel they require for each team and what classes they would have to put those personnel through to maintain the size and capacity of the cyber mission force teams. As U.S. Cyber Command and the military services continue to advance in these areas, they should now be able to develop detailed plans that specifically identify personnel requirements for several years out so that they can sustain and grow the Cyber Mission Force teams in the future. Taken together, these actions meet the intent of our recommendation.

Full Report

Office of Public Affairs

Topics

CybersecurityCyberspaceInternal controlsJoint trainingMilitary forcesMilitary readinessMilitary trainingNational securityTraining programsNational Guard