Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene
“Cyber hygiene” is a set of practices for managing the most common and pervasive cybersecurity risks. The Department of Defense’s cyber hygiene is critical as threats to its information and networks increase.
DOD has had 3 cyber hygiene initiatives underway. These efforts are incomplete—or their status is unknown because no one is in charge of reporting on progress.
DOD has also developed lists of its adversaries’ most frequently used techniques, and practices to combat them. Yet, DOD doesn’t know the extent to which it’s using these practices.
We made 7 recommendations that would have DOD fully implement cyber hygiene practices.
Computer code, hack
What GAO Found
The Department of Defense (DOD) has not fully implemented three of its key initiatives and practices aimed at improving cyber hygiene. Carnegie-Mellon University defines cyber hygiene as a set of practices for managing the most common and pervasive cybersecurity risks. In discussions with GAO, DOD officials identified three department-wide cyber hygiene initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD's Cyber Awareness Challenge training.
The Culture and Compliance Initiative set forth 11 overall tasks expected to be completed in fiscal year 2016. It includes cyber education and training, integration of cyber into operational exercises, and needed recommendations on changes to cyber capabilities and authorities. However, seven of these tasks have not been fully implemented.
The Cyber Discipline plan has 17 tasks focused on removing preventable vulnerabilities from DOD's networks that could otherwise enable adversaries to compromise information and systems. Of these 17, the DOD Chief Information Officer is responsible for overseeing implementation of 10 tasks. While the Deputy Secretary set a goal of achieving 90 percent implementation of the 10 CIO tasks by the end of fiscal year 2018, four of the tasks have not been implemented. Further, the completion of the other seven tasks was unknown because no DOD entity has been designated to report on the progress.
The Cyber Awareness training is intended to help the DOD workforce maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure. However, selected components in the department do not know the extent to which users of its systems have completed this required training. GAO's review of 16 selected components identified six without information on system users that had not completed the required training, and eight without information on users whose network access had been revoked for not completing training.
Beyond the initiatives above, DOD has (1) developed lists of the techniques that adversaries use most frequently and pose significant risk to the department, and (2) identified practices to protect DOD networks and systems against these techniques. However, the department does not know the extent to which these practices have been implemented. The absence of this knowledge is due in part to no DOD component monitoring implementation, according to DOD officials. Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack.
While two recurring reports have provided updates to senior DOD leaders on cyber information on the Cyber Discipline plan implementation, department leadership has not regularly received information on the other two initiatives and on the extent to which cyber hygiene practices are being implemented. Such information would better position leaders to be aware of the cyber risks facing DOD and make more effective decisions to manage such risks.
Why GAO Did This Study
DOD has become increasingly reliant on information technology (IT) and risks have increased as cybersecurity threats evolve. Cybersecurity experts estimate that 90 percent of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices, according to DOD's Principal Cyber Advisor.
Senate Report 115-262 includes a provision that GAO review DOD cyber hygiene. This report evaluates the extent to which 1) DOD has implemented key cyber hygiene initiatives and practices to protect DOD networks from key cyberattack techniques and 2) senior DOD leaders received information on the department's efforts to address these initiatives and cyber hygiene practices.
GAO reviewed documentation of DOD actions taken to implement three cyber hygiene initiatives and reviewed recurring reports provided to senior DOD leaders.
Recommendations
GAO is making seven recommendations to DOD, including that cyber hygiene initiatives be fully implemented, entities are designated to monitor component completion of tasks and cyber hygiene practices, and senior DOD leaders receive information on cyber hygiene initiatives and practices. Of the seven recommendations, DOD concurred with one, partially concurred with four, and did not concur with two. GAO continues to believe that all recommendations are warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of the Secretary of Defense |
Priority Rec.
The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1) |
DOD partially agreed with this recommendation. In its comments on our report, the department agreed that two of the seven tasks should be implemented but that the remaining five tasks were either implemented or have been overcome by events. However the department did not provide information demonstrating how tasks encouraging a cybersecurity culture had become overcome by events. Subsequently, between 2020 and 2023, the department issued three issuances that the DOD CIO's office believes implements one of the seven outstanding tasks-including DOD Directive 8140.01, DOD Instruction 8140.02, and DOD Manual 8140.03. With regard to the remaining tasks associated with this recommendation, the DOD CIO's office stated that it requested input about actions taken from U.S. Cyber Command, Joint Forces Headquarters-DOD Information Network, and the Joint Staff, but had not received a response in time for this report. We continue to believe that implementation of this recommendation is important. To fully implement this recommendation, DOD should complete the remaining tasks in the Cybersecurity Culture and Compliance Initiative.
|
| Office of the Secretary of Defense |
Priority Rec.
The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2) |
In 2020, DOD partially agreed with this recommendation. However, in January 2023, DOD CIO officials stated that the office no longer agrees with the recommendation and does not intend on taking any further action to implement it. As we stated in our 2020 report, we believe DOD should be taking action to implement the four tasks, as doing so would better position DOD to meet the Deputy Secretary of Defense's goal of removing preventable vulnerabilities from DOD's network. Such vulnerabilities could allow adversaries to compromise information and information systems.
|
| Office of the Secretary of Defense |
Priority Rec.
The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3) |
DOD did not agree with this recommendation when we issued our report, and the department reiterated this position in January 2023. We continue to believe that implementation of this recommendation is important, as several of these tasks are the same or similar to the cybersecurity standards that DOD plans to apply to certain defense contractors in future contract awards to protect DOD information that is stored or transits through their networks as a part of the Cybersecurity Maturity Model Certification framework. To fully implement this recommendation, DOD should identify a DOD component to oversee the seven tasks in the Cybersecurity Discipline Implementation Plan that are not overseen by the CIO and report on their progress. If the department implements this recommendation, it will have more assurance that it addresses cybersecurity vulnerabilities promptly and securely configures systems.
|
| Office of the Secretary of Defense | The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training. (Recommendation 4) |
DOD partially concurred with this recommendation. In particular, the department concurred that it should ensure components accurately report the number of users who have completed the training. However, it did not concur that components should report the number of users who have been denied access to the network because they have not completed the training. The department stated that a statistic showing this information would not be meaningful and would be burdensome to collect. In a July 2020 letter, the DOD CIO's office provided an update regarding the first component of our recommendation--ensuring that components accurately report the number of users who have completed the training. The letter stated that DOD proposed including the percent of users that successfully completed the training in the Cyber Hygiene Scorecard and that the department was coordinating to maximize the extent that they could collect the numerator and denominator to calculate this percent from existing databases. The department estimated that DOD would integrate data on cybersecurity awareness training completion in the Cyber Hygiene Scorecard by October 1, 2020. The letter also stated that a key corrective action was to collect data on current component-level approaches to collecting information on the extent that component personnel completed the cybersecurity awareness training. Regarding this corrective action, the letter indicated that DOD had identified that components track this training in widely varying ways. The letter also stated that DOD is reviewing the potential benefits and costs of an enterprise solution to this aspect of our recommendation based on the guidance in NIST SP 800-50. The letter estimated that DOD would complete this action by November 30, 2020. Regarding the second element of our recommendation-that components should report the number of users who have been denied access to the network because they have not completed the training-the DOD CIO's July 2020 letter continued to maintain the department's position that it did not concur with this element of our recommendation. In the letter, the DOD CIO's office stated that reporting the number of users who have been denied access to the network because they have not completed the training would not be meaningful but would be extremely burdensome to collect since network revocations can be for a variety of reasons and cross multiple networks and domains. A July 2021 DOD CIO update states that the CIO's office has collected monthly metrics on the extent that DOD components have completed the Cyber Awareness Challenge course and that it has followed up with components reporting unacceptable compliance rates. The report states that the CIO includes this metric in the Cyber Hygiene Scorecard as of April 2021. However, the department has not accurately monitored or reported the number of users whose access to DOD networks was revoked because they had not completed the training. The DOD report states that the DOD CIO conducted a department-wide survey in the second quarter of fiscal year 2021 to identify the number of users whose network access was revoked. However some components do not have the capability to use automated functions to identify the personnel whose access was revoked. As of September 2022, the department had not provided evidence that it had taken any additional action.
|
| Office of the Secretary of Defense | The Secretary of Defense should ensure that the DOD CIO ensures all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training developed by DISA. (Recommendation 5) |
DOD concurred with this recommendation. In a July 2020 letter, the DOD CIO's office stated that it would conduct a survey of DOD Components to identify any that are not using the approved training and direct them to convert their training. The letter also stated that DOD completed the survey in June 2020 and identified that DARPA was the only component that did not require its users to take the Cyber Awareness Challenge training developed by DISA. The letter further stated that DARPA has transitioned to requiring its personnel to take the approved cybersecurity training. A July 2021 DOD CIO report states that in addition to DARPA, NRO also was not using one of the two approved cyber hygiene training courses. The report states that DARPA had begun using the approved course since we issued our report and as a result of the CIO survey, NRO developed a plan to begin using one of the two approved courses. These actions implemented our recommendation.
|
| Office of the Secretary of Defense |
Priority Rec.
The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. (Recommendation 6) |
DOD did not agree with this recommendation in its comments on our report but subsequently revised its position in January 2023 to agreed with the recommendation. The office of the DOD CIO acknowledged that U.S. Cyber Command and one of its subordinate commands has operational responsibilities associated with DOD networks. We acknowledge that U.S. Cyber Command and its subordinate command have operational responsibilities (to include defensive cyber operations). We are also aware that the DOD CIO is responsible for all matters relating to cybersecurity. DOD CIO officials did not clarify whether any DOD official or component is monitoring the extent to which the department is implementing protective key cyberattack techniques. To implement this recommendation, DOD should direct a component to monitor the extent to which the department implements practices to protect the department's network from cyberattack techniques. Taking action to implement our recommendation would help address that gap.
|
| Office of the Secretary of Defense |
Priority Rec.
The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders' have more complete information to make risk-based decisions—and revise the recurring reports (or develop a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7) |
DOD partially agreed with this recommendation, but in January 2023, it did not report taking any further action to implement it. To provide an update for our 2023 priority recommendation letter, DOD reported that the services, agencies, field activities, and combatant commands are required to provide input to one scorecard that measures cybersecurity across the department. However, the CIO's office did not discuss any efforts to assess whether senior leaders receive information to make risk-based decisions about the cyber hygiene issues we reported in 2020. To implement this recommendation, the CIO should assess the extent that senior leaders have information on DOD's progress implementing cyber hygiene initiatives and practices to protect DOD networks from key cyberattack techniques.
|