Fast Facts

“Cyber hygiene” is a set of practices for managing the most common and pervasive cybersecurity risks. The Department of Defense’s cyber hygiene is critical as threats to its information and networks increase.

DOD has had 3 cyber hygiene initiatives underway. These efforts are incomplete—or their status is unknown because no one is in charge of reporting on progress.

DOD has also developed lists of its adversaries’ most frequently used techniques, and practices to combat them. Yet, DOD doesn’t know the extent to which it’s using these practices.

We made 7 recommendations that would have DOD fully implement cyber hygiene practices.

Highlights

What GAO Found

The Department of Defense (DOD) has not fully implemented three of its key initiatives and practices aimed at improving cyber hygiene. Carnegie-Mellon University defines cyber hygiene as a set of practices for managing the most common and pervasive cybersecurity risks. In discussions with GAO, DOD officials identified three department-wide cyber hygiene initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD's Cyber Awareness Challenge training.

The Culture and Compliance Initiative set forth 11 overall tasks expected to be completed in fiscal year 2016. It includes cyber education and training, integration of cyber into operational exercises, and needed recommendations on changes to cyber capabilities and authorities. However, seven of these tasks have not been fully implemented.

The Cyber Discipline plan has 17 tasks focused on removing preventable vulnerabilities from DOD's networks that could otherwise enable adversaries to compromise information and systems. Of these 17, the DOD Chief Information Officer is responsible for overseeing implementation of 10 tasks. While the Deputy Secretary set a goal of achieving 90 percent implementation of the 10 CIO tasks by the end of fiscal year 2018, four of the tasks have not been implemented. Further, the completion of the other seven tasks was unknown because no DOD entity has been designated to report on the progress.

The Cyber Awareness training is intended to help the DOD workforce maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure. However, selected components in the department do not know the extent to which users of their systems have completed this required training. GAO's review of 16 selected components identified six without information on system users who had not completed the required training, and eight without information on users whose network access had been revoked for not completing training.

Beyond the initiatives above, DOD has (1) developed lists of the techniques that adversaries use most frequently and pose significant risk to the department, and (2) identified practices to protect DOD networks and systems against these techniques. However, the department does not know the extent to which these practices have been implemented. The absence of this knowledge is due in part to no DOD component monitoring implementation, according to DOD officials. Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack.

While two recurring reports have provided senior DOD leaders with updates on implementation of the Cyber Discipline plan, department leadership has not regularly received information on the other two initiatives or on the extent to which cyber hygiene practices are being implemented. Such information would better position leaders to be aware of the cyber risks facing DOD and make more effective decisions to manage such risks.

Why GAO Did This Study

DOD has become increasingly reliant on information technology (IT) and risks have increased as cybersecurity threats evolve. Cybersecurity experts estimate that 90 percent of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices, according to DOD's Principal Cyber Advisor.

Senate Report 115-262 includes a provision that GAO review DOD cyber hygiene. This report evaluates the extent to which 1) DOD has implemented key cyber hygiene initiatives and practices to protect DOD networks from key cyberattack techniques and 2) senior DOD leaders received information on the department's efforts to address these initiatives and cyber hygiene practices.

GAO reviewed documentation of DOD actions taken to implement three cyber hygiene initiatives and reviewed recurring reports provided to senior DOD leaders.

Recommendations

GAO is making seven recommendations to DOD, including that cyber hygiene initiatives be fully implemented, entities are designated to monitor component completion of tasks and cyber hygiene practices, and senior DOD leaders receive information on cyber hygiene initiatives and practices. Of the seven recommendations, DOD concurred with one, partially concurred with four, and did not concur with two. GAO continues to believe that all recommendations are warranted.

Recommendations for Executive Action

Agency Affected: Office of the Secretary of Defense (Priority Rec.; priority recommendations are those that GAO believes warrant priority attention from heads of key departments or agencies.)
Recommendation: The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1)
Status: Open
In its March 2020 written comments, the DOD CIO's office partially concurred with this recommendation and stated that the department should complete two of the seven tasks from the DOD Cybersecurity Culture and Compliance Initiative (DC3I) that DOD had not completed: tasks two and six. At the time, DOD stated that these two tasks were the only two still actively being pursued and that the remaining five incomplete tasks were either implemented or had been overcome by events. DOD did not provide evidence that these five tasks had been implemented or elaborate on why it thought they had been overcome by events. A July 2020 letter from the DOD CIO's office amended the position the office took in March 2020, and stated that just one of the seven incomplete tasks, task two, should continue to be implemented; it no longer stated that it would continue to implement task six. Task two from the DC3I requires DOD to direct the appropriate stakeholders to develop educational and training requirements for cyber providers. Regarding this task, DOD CIO stated in its July 2020 letter that the office was in the process of drafting a manual that would address cyber workforce education and training requirements. DOD CIO stated that the new manual, DOD Manual 8140.01, will replace DOD Manual 8570.01 and that the office expects to publish the manual between August and December 2021. The DOD CIO letter also stated that the office is in the process of issuing two related publications but did not specify how those were responsive to our recommendation. While issuing the manual would be a positive step, the DOD CIO's office did not provide any information in its July 2020 letter about how and when the requirements in the manual for cyber workforce education and training would be implemented. Task six from the DC3I requires DOD to develop a resourcing plan to support scheduled inspections and no-notice spot checks. Regarding this task, DOD CIO's July 2020 letter stated that U.S. Cyber Command indicated that setting a completion date for this task was inappropriate because the task would continue to evolve due to an ever-evolving environment, including the pandemic response, which has added teleworking as a cybersecurity issue. While the letter indicated that setting a goal date for completing this task was inappropriate, the letter did not explain why the department would not continue to pursue implementing this task. Further, in its July 2020 letter, the DOD CIO's office did not provide an update on the five additional DC3I tasks that DOD has not yet implemented, reiterating the position it took in its written response to our report that the remaining five tasks have been overcome by events. In a February 2021 update, the DOD CIO's office told us that DODD 8140.01 was published on Oct. 5, 2020. The directive outlines various responsibilities related to task two from the DC3I, including that various component heads are responsible for developing training and education standards for DOD personnel who work in the cyber domain. The office also told us that the DODIPS was reviewing a draft of DODI 8140.AB for its legal sufficiency and that the review was due to be completed by August 27, 2021. DOD CIO also told us that DODIPS is also reviewing DODM 8140.AC, which is in the legal objection review stage with a deadline of Feb. 12, 2021.
Agency Affected: Office of the Secretary of Defense (Priority Rec.)
Recommendation: The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2)
Status: Open
The Department of Defense partially concurred with this recommendation. A July 2020 letter from the DOD CIO's office stated that the specific relevant CDIP tasks were identified only in classified communications between GAO and DOD and they are considering these matters further.
Agency Affected: Office of the Secretary of Defense (Priority Rec.)
Recommendation: The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3)
Status: Open
The Department of Defense did not concur with this recommendation. A July 2020 letter from the DOD CIO's office stated that "the cyber landscape is constantly evolving with changes in technology, threats, and vulnerabilities. This requires DOD to reassess its cybersecurity priorities. Since the CDIP's approval in 2015, the Department has issued new or updated versions of the National Defense Strategy, DOD Cyber Strategy, Digital Modernization Strategy, DOD Cloud Strategy, Artificial Intelligence Strategy, and DoD Cybersecurity Risk Reduction Strategy, and a classified Top 10 Scorecard which provides the DSD with a quarterly assessment of the Department's cybersecurity risk reduction progress in these areas. To require that all of this new strategic direction and prioritization be overridden to monitor compliance with lower risk areas that the DOD identified almost five years ago will frustrate the Department's efforts to keep pace with the changing tactics, techniques, and procedures of our adversaries and the evolving changes in technology." In February 2021, the DOD CIO's office stated that the CIO's office will not pursue implementing this recommendation because the department did not concur with it.
Agency Affected: Office of the Secretary of Defense
Recommendation: The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training. (Recommendation 4)
Status: Open
DOD partially concurred with this recommendation. In particular, the department concurred that it should ensure components accurately report the number of users who have completed the training. However, it did not concur that components should report the number of users who have been denied access to the network because they have not completed the training. The department stated that a statistic showing this information would not be meaningful and would be burdensome to collect. In a July 2020 letter, the DOD CIO's office provided an update regarding the first component of our recommendation, ensuring that components accurately report the number of users who have completed the training. The letter stated that DOD proposed including the percent of users that successfully completed the training in the Cyber Hygiene Scorecard and that the department was coordinating to maximize the extent that it could collect the numerator and denominator to calculate this percent from existing databases. The department estimated that DOD would integrate data on cybersecurity awareness training completion in the Cyber Hygiene Scorecard by October 1, 2020. The letter also stated that a key corrective action was to collect data on current component-level approaches to collecting information on the extent that component personnel completed the cybersecurity awareness training. Regarding this corrective action, the letter indicated that DOD had identified that components track this training in widely varying ways. The letter also stated that DOD is reviewing the potential benefits and costs of an enterprise solution to this aspect of our recommendation based on the guidance in NIST SP 800-50. The letter estimated that DOD would complete this action by November 30, 2020.
Regarding the second element of our recommendation, that components should report the number of users who have been denied access to the network because they have not completed the training, the DOD CIO's July 2020 letter continued to maintain the department's position that it did not concur with this element of our recommendation. In the letter, the DOD CIO's office stated that reporting the number of users who have been denied access to the network because they have not completed the training would not be meaningful but would be extremely burdensome to collect, since network revocations can be for a variety of reasons and cross multiple networks and domains. In a February 2021 update on the status of the recommendations in this report, DOD did not provide information on the status of any efforts related to this recommendation, including efforts that the department had discussed in its July 2020 letter that it planned to take.
Agency Affected: Office of the Secretary of Defense
Recommendation: The Secretary of Defense should ensure that the DOD CIO ensures all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training developed by DISA. (Recommendation 5)
Status: Open
DOD concurred with this recommendation. In a July 2020 letter, the DOD CIO's office stated that it would conduct a survey of DOD Components to identify any that are not using the approved training and direct them to convert their training. The letter also stated that DOD completed the survey in June 2020 and identified that DARPA was the only component that did not require its users to take the Cyber Awareness Challenge training developed by DISA. The letter further stated that DARPA has transitioned to requiring its personnel to take the approved cybersecurity training.
Agency Affected: Office of the Secretary of Defense (Priority Rec.)
Recommendation: The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. (Recommendation 6)
Status: Open
The Department of Defense did not concur with this recommendation. In a July 2020 letter, the DOD CIO's office stated that the department would provide a more specific rationale for its position in a classified response. In a February 2021 update, the DOD CIO's office stated that the department will not pursue any efforts to implement this recommendation because GAO terminated the classified portion of this engagement and the CIO's office needed additional clarification from GAO on the recommendation. The classified communications GAO previously conducted with DOD adequately convey the scope and detail of required action. We continue to work with DOD to assess any plans for addressing this recommendation.
Agency Affected: Office of the Secretary of Defense (Priority Rec.)
Recommendation: The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders have more complete information to make risk-based decisions—and revise the recurring reports (or develop a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7)
Status: Open
The Department of Defense partially concurred with this recommendation. A July 2020 letter from the DOD CIO's office stated that DOD concurred that it will revise the recurring reports by merging the Cyber Hygiene and Top 10 Scorecards to further assist senior leader decision-making by correlating the data in both scorecards. The letter estimated that the merger would be completed by 1 Oct 2020. The letter identified three corrective actions the department planned to take in response to this recommendation. First, it stated that DOD would demonstrate an interim merger of scorecard capabilities, and the letter stated that DOD completed this action in May 2020. Second, the letter stated that DOD would "move code to SIPRNet to add classified headings and data" and that this action would be completed by July 2020. Third, the letter stated that DOD would "moved code to production" by the end of September 2020. The July 2020 letter also stated that DOD did not concur that it would ensure that senior leaders have complete information to make risk-based decisions, because the letter stated that doing so would not be feasible. The letter stated that risk is a function of multiple variables, that these variables are continually evolving, and that timely, relevant, and correlated information is the best that can be expected. It also stated that DOD will continue to strive to provide senior leaders with the most comprehensive information feasible to assist them in making risk-based decisions. In its February 2021 update, the DOD CIO's office did not provide an update on any actions taken in response to this recommendation.

Full Report

GAO Contacts