Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene
Fast Facts
“Cyber hygiene” is a set of practices for managing the most common and pervasive cybersecurity risks. The Department of Defense’s cyber hygiene is critical as threats to its information and networks increase.
DOD has had 3 cyber hygiene initiatives underway. These efforts are incomplete—or their status is unknown because no one is in charge of reporting on progress.
DOD has also developed lists of its adversaries’ most frequently used techniques, and practices to combat them. Yet, DOD doesn’t know the extent to which it’s using these practices.
We made 7 recommendations that would have DOD fully implement cyber hygiene practices.
Computer code, hack
Highlights
What GAO Found
The Department of Defense (DOD) has not fully implemented three of its key initiatives and practices aimed at improving cyber hygiene. Carnegie-Mellon University defines cyber hygiene as a set of practices for managing the most common and pervasive cybersecurity risks. In discussions with GAO, DOD officials identified three department-wide cyber hygiene initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD's Cyber Awareness Challenge training.
The Culture and Compliance Initiative set forth 11 overall tasks expected to be completed in fiscal year 2016. It includes cyber education and training, integration of cyber into operational exercises, and needed recommendations on changes to cyber capabilities and authorities. However, seven of these tasks have not been fully implemented.
The Cyber Discipline plan has 17 tasks focused on removing preventable vulnerabilities from DOD's networks that could otherwise enable adversaries to compromise information and systems. Of these 17, the DOD Chief Information Officer is responsible for overseeing implementation of 10 tasks. While the Deputy Secretary set a goal of achieving 90 percent implementation of the 10 CIO tasks by the end of fiscal year 2018, four of the tasks have not been implemented. Further, the completion of the other seven tasks was unknown because no DOD entity has been designated to report on the progress.
The Cyber Awareness training is intended to help the DOD workforce maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure. However, selected components in the department do not know the extent to which users of its systems have completed this required training. GAO's review of 16 selected components identified six without information on system users that had not completed the required training, and eight without information on users whose network access had been revoked for not completing training.
Beyond the initiatives above, DOD has (1) developed lists of the techniques that adversaries use most frequently and pose significant risk to the department, and (2) identified practices to protect DOD networks and systems against these techniques. However, the department does not know the extent to which these practices have been implemented. The absence of this knowledge is due in part to no DOD component monitoring implementation, according to DOD officials. Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack.
While two recurring reports have provided updates to senior DOD leaders on cyber information on the Cyber Discipline plan implementation, department leadership has not regularly received information on the other two initiatives and on the extent to which cyber hygiene practices are being implemented. Such information would better position leaders to be aware of the cyber risks facing DOD and make more effective decisions to manage such risks.
Why GAO Did This Study
DOD has become increasingly reliant on information technology (IT) and risks have increased as cybersecurity threats evolve. Cybersecurity experts estimate that 90 percent of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices, according to DOD's Principal Cyber Advisor.
Senate Report 115-262 includes a provision that GAO review DOD cyber hygiene. This report evaluates the extent to which 1) DOD has implemented key cyber hygiene initiatives and practices to protect DOD networks from key cyberattack techniques and 2) senior DOD leaders received information on the department's efforts to address these initiatives and cyber hygiene practices.
GAO reviewed documentation of DOD actions taken to implement three cyber hygiene initiatives and reviewed recurring reports provided to senior DOD leaders.
Recommendations
GAO is making seven recommendations to DOD, including that cyber hygiene initiatives be fully implemented, entities are designated to monitor component completion of tasks and cyber hygiene practices, and senior DOD leaders receive information on cyber hygiene initiatives and practices. Of the seven recommendations, DOD concurred with one, partially concurred with four, and did not concur with two. GAO continues to believe that all recommendations are warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of the Secretary of Defense |
Priority Rec.
The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1) |
DOD has taken some action to implement the first recommendation. For example, U.S. Cyber Command and DOD CIO are working together to develop Joint Cyberspace Training and Certification Standards for cybersecurity service providers. However, as of April 2024, DOD has not implemented the seven tasks in the Cybersecurity Culture and Compliance Initiative. To fully implement this recommendation, DOD should implement the remaining tasks in the initiative or take action to improve cybersecurity culture and compliance across the department.
|
| Office of the Secretary of Defense |
Priority Rec.
The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2) |
DOD officials told us that the department does not plan to implement the recommendation because it has moved on from the Cybersecurity Discipline Implementation Plan. While the department stated that it has moved on from the plan, the office of the DOD CIO recognizes the value of the tasks and continues to monitor DOD component's progress in implementing them. According to DOD documentation, the components have made some progress as of April 2024, but have not achieved the performance goal for these tasks. To fully implement this recommendation, DOD should ensure that components develop plans with scheduled completion dates to implement the four remaining Cybersecurity Discipline Implementation Plan tasks--or their equivalents--overseen by DOD CIO
|
| Office of the Secretary of Defense |
Priority Rec.
The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3) |
DOD has not taken any action to implement the recommendation as of April 2024. We believe that implementing this recommendation is important, as several of these tasks are the same as or similar to the cybersecurity standards that DOD plans to require defense contractors to comply with as a part of the Cybersecurity Maturity Model Certification framework. To fully implement this recommendation, DOD should identify a DOD component to oversee the seven tasks in the Cybersecurity Discipline Implementation Plan that are not overseen by the CIO and report on their progress.
|
| Office of the Secretary of Defense | The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training. (Recommendation 4) |
DOD partially concurred with this recommendation. In particular, the department concurred that it should ensure components accurately report the number of users who have completed the training. However, it did not concur that components should report the number of users who have been denied access to the network because they have not completed the training. The department stated that a statistic showing this information would not be meaningful and would be burdensome to collect. In a July 2020 letter, the DOD CIO's office provided an update regarding the first component of our recommendation--ensuring that components accurately report the number of users who have completed the training. The letter stated that DOD proposed including the percent of users that successfully completed the training in the Cyber Hygiene Scorecard and that the department was coordinating to maximize the extent that they could collect the numerator and denominator to calculate this percent from existing databases. The department estimated that DOD would integrate data on cybersecurity awareness training completion in the Cyber Hygiene Scorecard by October 1, 2020. The letter also stated that a key corrective action was to collect data on current component-level approaches to collecting information on the extent that component personnel completed the cybersecurity awareness training. Regarding this corrective action, the letter indicated that DOD had identified that components track this training in widely varying ways. The letter also stated that DOD is reviewing the potential benefits and costs of an enterprise solution to this aspect of our recommendation based on the guidance in NIST SP 800-50. The letter estimated that DOD would complete this action by November 30, 2020. Regarding the second element of our recommendation-that components should report the number of users who have been denied access to the network because they have not completed the training-the DOD CIO's July 2020 letter continued to maintain the department's position that it did not concur with this element of our recommendation. In the letter, the DOD CIO's office stated that reporting the number of users who have been denied access to the network because they have not completed the training would not be meaningful but would be extremely burdensome to collect since network revocations can be for a variety of reasons and cross multiple networks and domains. A July 2021 DOD CIO update states that the CIO's office has collected monthly metrics on the extent that DOD components have completed the Cyber Awareness Challenge course and that it has followed up with components reporting unacceptable compliance rates. The report states that the CIO includes this metric in the Cyber Hygiene Scorecard as of April 2021. However, the department has not accurately monitored or reported the number of users whose access to DOD networks was revoked because they had not completed the training. The DOD report states that the DOD CIO conducted a department-wide survey in the second quarter of fiscal year 2021 to identify the number of users whose network access was revoked. However some components do not have the capability to use automated functions to identify the personnel whose access was revoked. As of June 2024, the department had not provided evidence that it had taken any additional action.
|
| Office of the Secretary of Defense | The Secretary of Defense should ensure that the DOD CIO ensures all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training developed by DISA. (Recommendation 5) |
DOD concurred with this recommendation. In a July 2020 letter, the DOD CIO's office stated that it would conduct a survey of DOD Components to identify any that are not using the approved training and direct them to convert their training. The letter also stated that DOD completed the survey in June 2020 and identified that DARPA was the only component that did not require its users to take the Cyber Awareness Challenge training developed by DISA. The letter further stated that DARPA has transitioned to requiring its personnel to take the approved cybersecurity training. A July 2021 DOD CIO report states that in addition to DARPA, NRO also was not using one of the two approved cyber hygiene training courses. The report states that DARPA had begun using the approved course since we issued our report and as a result of the CIO survey, NRO developed a plan to begin using one of the two approved courses. These actions implemented our recommendation.
|
| Office of the Secretary of Defense |
Priority Rec.
The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. (Recommendation 6) |
DOD has not taken any action to implement the recommendation. The Office of the DOD CIO stated that U.S. Cyber Command and one of its subordinate commands has operational responsibilities associated with DOD networks. However, DOD CIO officials did not clarify whether any DOD official or component is monitoring the extent to which the department is implementing cyber hygiene practices to prevent key cyberattack techniques. To implement this recommendation, DOD should direct a component to monitor the extent to which the department implements cyber hygiene practices to protect its network from key cyberattack techniques.
|
| Office of the Secretary of Defense |
Priority Rec.
The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders' have more complete information to make risk-based decisions—and revise the recurring reports (or develop a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7) |
DOD has taken some action to implement the recommendation. In particular, DOD officials told us that the department merged existing reporting requirements to develop the Cybersecurity Hardening Scorecard. According to documentation we reviewed, this scorecard measures the department's tiered and prioritized initiatives for cyber maintenance, operations, and key programs for reducing overall cybersecurity risk. However, the April 2024 version of this scorecard did not include information on (a) cybersecurity practices identified in the DOD cyber hygiene initiatives or (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. To implement this recommendation, the CIO should assess the extent to which senior leaders have information on these two topics and revise the recurring reports or develop a new report accordingly.
|