Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene
“Cyber hygiene” is a set of practices for managing the most common and pervasive cybersecurity risks. The Department of Defense’s cyber hygiene is critical as threats to its information and networks increase.
DOD has had 3 cyber hygiene initiatives underway. These efforts are incomplete—or their status is unknown because no one is in charge of reporting on progress.
DOD has also developed lists of its adversaries’ most frequently used techniques, and practices to combat them. Yet, DOD doesn’t know the extent to which it’s using these practices.
We made 7 recommendations that would have DOD fully implement cyber hygiene practices.
What GAO Found
The Department of Defense (DOD) has not fully implemented three of its key initiatives and practices aimed at improving cyber hygiene. Carnegie Mellon University defines cyber hygiene as a set of practices for managing the most common and pervasive cybersecurity risks. In discussions with GAO, DOD officials identified three department-wide cyber hygiene initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD's Cyber Awareness Challenge training.
The Culture and Compliance Initiative set forth 11 overall tasks expected to be completed in fiscal year 2016. It includes cyber education and training, integration of cyber into operational exercises, and needed recommendations on changes to cyber capabilities and authorities. However, seven of these tasks have not been fully implemented.
The Cyber Discipline plan has 17 tasks focused on removing preventable vulnerabilities from DOD's networks that could otherwise enable adversaries to compromise information and systems. Of these 17, the DOD Chief Information Officer is responsible for overseeing implementation of 10 tasks. While the Deputy Secretary set a goal of achieving 90 percent implementation of the 10 CIO tasks by the end of fiscal year 2018, four of the tasks have not been implemented. Further, the completion of the other seven tasks was unknown because no DOD entity has been designated to report on the progress.
The Cyber Awareness training is intended to help the DOD workforce maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure. However, selected components in the department do not know the extent to which users of their systems have completed this required training. GAO's review of 16 selected components identified six without information on system users who had not completed the required training, and eight without information on users whose network access had been revoked for not completing training.
Beyond the initiatives above, DOD has (1) developed lists of the techniques that adversaries use most frequently and pose significant risk to the department, and (2) identified practices to protect DOD networks and systems against these techniques. However, the department does not know the extent to which these practices have been implemented. The absence of this knowledge is due in part to no DOD component monitoring implementation, according to DOD officials. Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack.
While two recurring reports have provided senior DOD leaders with updates on implementation of the Cyber Discipline plan, department leadership has not regularly received information on the other two initiatives or on the extent to which cyber hygiene practices are being implemented. Such information would better position leaders to be aware of the cyber risks facing DOD and make more effective decisions to manage such risks.
Why GAO Did This Study
DOD has become increasingly reliant on information technology (IT) and risks have increased as cybersecurity threats evolve. Cybersecurity experts estimate that 90 percent of cyberattacks could be defeated by implementing basic cyber hygiene and sharing best practices, according to DOD's Principal Cyber Advisor.
Senate Report 115-262 includes a provision that GAO review DOD cyber hygiene. This report evaluates the extent to which 1) DOD has implemented key cyber hygiene initiatives and practices to protect DOD networks from key cyberattack techniques and 2) senior DOD leaders received information on the department's efforts to address these initiatives and cyber hygiene practices.
GAO reviewed documentation of DOD actions taken to implement three cyber hygiene initiatives and reviewed recurring reports provided to senior DOD leaders.
Recommendations
GAO is making seven recommendations to DOD, including that cyber hygiene initiatives be fully implemented, entities are designated to monitor component completion of tasks and cyber hygiene practices, and senior DOD leaders receive information on cyber hygiene initiatives and practices. Of the seven recommendations, DOD concurred with one, partially concurred with four, and did not concur with two. GAO continues to believe that all recommendations are warranted.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of the Secretary of Defense | Priority Rec. The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. (Recommendation 1) | The DOD CIO's office partially concurred with this recommendation and stated that the department should complete two of the seven tasks from the DOD Cybersecurity Culture and Compliance Initiative (DC3I) that DOD had not completed: tasks two and six. At the time, DOD stated that these two tasks were the only two still actively being pursued and that the remaining five incomplete tasks were either implemented or had been overcome by events. DOD did not provide evidence that these five tasks had been implemented or elaborate on why it thought they had been overcome by events. A July 2020 letter from the DOD CIO's office amended the position the office took in March 2020, stating that just one of the seven incomplete tasks, task two, should continue to be implemented; it no longer stated that it would continue to implement task six. Task two from the DC3I requires DOD to direct the appropriate stakeholders to develop educational and training requirements for cyber providers. Regarding this task, DOD CIO stated in its July 2020 letter that the office was in the process of drafting a manual that would address cyber workforce education and training requirements. DOD CIO stated that the new manual, DOD Manual 8140.01, will replace DOD Manual 8570.01 and that the office expects to publish the manual between August and December 2021. The DOD CIO letter also stated that the office is in the process of issuing two related publications but did not specify how those were responsive to our recommendation. While issuing the manual would be a positive step, the DOD CIO's office did not provide any information in its July 2020 letter about how and when the requirements in the manual for cyber workforce education and training would be implemented. Task six from the DC3I requires DOD to develop a resourcing plan to support scheduled inspections and no-notice spot checks. Regarding this task, DOD CIO's July 2020 letter stated that U.S. Cyber Command indicated that setting a completion date for this task was inappropriate because the task would continue to evolve due to an ever-evolving environment, including the pandemic response, which has added teleworking as a cybersecurity issue. While the letter indicated that setting a goal date for completing this task was inappropriate, it did not explain why the department would not continue to pursue implementing this task. Further, in its July 2020 letter, the DOD CIO's office did not provide an update on the five additional DC3I tasks that DOD has not yet implemented, reiterating the position it took in its written response to our report that the remaining five tasks have been overcome by events. In a February 2021 update, the DOD CIO's office told us that DODD 8140.01 was published on Oct. 5, 2020. The directive outlines various responsibilities related to task two from the DC3I, including that various component heads are responsible for developing training and education standards for DOD personnel who work in the cyber domain. The office also told us that the DODIPS was reviewing a draft of DODI 8140.AB for legal sufficiency and that the review was due to be completed by August 27, 2021. DOD CIO also told us that DODIPS is reviewing DODM 8140.AC, which is in the legal objection review stage with a deadline of Feb. 12, 2021. In a July 2021 report, DOD's CIO office provided an update on the status of its actions to implement the recommendations in this report. The report provided an update on each of the seven tasks that the department had not implemented. However, the department had not fully implemented any of the tasks. As of September 2022, the department had not provided evidence that it had taken any additional action. |
Office of the Secretary of Defense | Priority Rec. The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. (Recommendation 2) | The Department of Defense partially concurred with this recommendation. A July 2020 letter from the DOD CIO's office stated that the specific relevant CDIP tasks were identified only in classified communications between GAO and DOD and that it is considering these matters further. In a July 2021 report, DOD's CIO office provided an update on the status of its actions to implement our recommendations. However, the report did not provide an update on any actions it had taken in response to this recommendation. As of September 2022, the department had not provided evidence that it had taken any additional action. |
Office of the Secretary of Defense | Priority Rec. The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. (Recommendation 3) | The Department of Defense did not concur with this recommendation. A July 2020 letter from the DOD CIO's office stated that "the cyber landscape is constantly evolving with changes in technology, threats, and vulnerabilities. This requires DOD to reassess its cybersecurity priorities. Since the CDIP's approval in 2015, the Department has issued new or updated versions of the National Defense Strategy, DOD Cyber Strategy, Digital Modernization Strategy, DOD Cloud Strategy, Artificial Intelligence Strategy, and DoD Cybersecurity Risk Reduction Strategy, and a classified Top 10 Scorecard which provides the DSD with a quarterly assessment of the Department's cybersecurity risk reduction progress in these areas. To require that all of this new strategic direction and prioritization be overridden to monitor compliance with lower risk areas that the DOD identified almost five years ago will frustrate the Department's efforts to keep pace with the changing tactics, techniques, and procedures of our adversaries and the evolving changes in technology." In February 2021, the DOD CIO's office stated that it will not pursue implementing this recommendation because the department did not concur with it. In the July 2021 report on the status of DOD actions in response to our recommendations, the DOD CIO's office describes various requirements that the department asserts complete all of the various CDIP tasks. However, some of these tasks require ongoing monitoring by an entity within the department if they are to be implemented. For example, task 10 calls on commanders and supervisors to ensure all servers and network infrastructure devices are compliant with all current patch releases, which is an ongoing task. However, the report does not identify a DOD component to oversee the implementation of these tasks. As of September 2022, the department had not provided evidence that it had taken any additional action. |
Office of the Secretary of Defense | The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training. (Recommendation 4) | DOD partially concurred with this recommendation. In particular, the department concurred that it should ensure components accurately report the number of users who have completed the training. However, it did not concur that components should report the number of users who have been denied access to the network because they have not completed the training. The department stated that a statistic showing this information would not be meaningful and would be burdensome to collect. In a July 2020 letter, the DOD CIO's office provided an update regarding the first component of our recommendation, ensuring that components accurately report the number of users who have completed the training. The letter stated that DOD proposed including the percent of users that successfully completed the training in the Cyber Hygiene Scorecard and that the department was coordinating to maximize the extent that it could collect the numerator and denominator to calculate this percent from existing databases. The department estimated that DOD would integrate data on cybersecurity awareness training completion in the Cyber Hygiene Scorecard by October 1, 2020. The letter also stated that a key corrective action was to collect data on current component-level approaches to collecting information on the extent that component personnel completed the cybersecurity awareness training. Regarding this corrective action, the letter indicated that DOD had identified that components track this training in widely varying ways. The letter also stated that DOD is reviewing the potential benefits and costs of an enterprise solution to this aspect of our recommendation based on the guidance in NIST SP 800-50. The letter estimated that DOD would complete this action by November 30, 2020. Regarding the second element of our recommendation, that components should report the number of users who have been denied access to the network because they have not completed the training, the DOD CIO's July 2020 letter maintained the department's position that it did not concur with this element of our recommendation. In the letter, the DOD CIO's office stated that reporting the number of users who have been denied access to the network because they have not completed the training would not be meaningful but would be extremely burdensome to collect, since network revocations can be for a variety of reasons and cross multiple networks and domains. A July 2021 DOD CIO update states that the CIO's office has collected monthly metrics on the extent that DOD components have completed the Cyber Awareness Challenge course and that it has followed up with components reporting unacceptable compliance rates. The report states that the CIO includes this metric in the Cyber Hygiene Scorecard as of April 2021. However, the department has not accurately monitored or reported the number of users whose access to DOD networks was revoked because they had not completed the training. The DOD report states that the DOD CIO conducted a department-wide survey in the second quarter of fiscal year 2021 to identify the number of users whose network access was revoked. However, some components do not have the capability to use automated functions to identify the personnel whose access was revoked. As of September 2022, the department had not provided evidence that it had taken any additional action. |
Office of the Secretary of Defense | The Secretary of Defense should ensure that the DOD CIO ensures all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training developed by DISA. (Recommendation 5) | DOD concurred with this recommendation. In a July 2020 letter, the DOD CIO's office stated that it would conduct a survey of DOD Components to identify any that are not using the approved training and direct them to convert their training. The letter also stated that DOD completed the survey in June 2020 and identified that DARPA was the only component that did not require its users to take the Cyber Awareness Challenge training developed by DISA. The letter further stated that DARPA has transitioned to requiring its personnel to take the approved cybersecurity training. A July 2021 DOD CIO report states that in addition to DARPA, NRO also was not using one of the two approved cyber hygiene training courses. The report states that DARPA had begun using the approved course since we issued our report and that, as a result of the CIO survey, NRO developed a plan to begin using one of the two approved courses. These actions implemented our recommendation. |
Office of the Secretary of Defense | Priority Rec. The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. (Recommendation 6) | The Department of Defense did not concur with this recommendation. In a July 2020 letter, the DOD CIO's office stated that the department would provide a more specific rationale for its position in a classified response. In a February 2021 update, the DOD CIO's office stated that the department will not pursue any efforts to implement this recommendation because GAO terminated the classified portion of this engagement and the CIO's office needed additional clarification from GAO on the recommendation. The classified communications GAO previously conducted with DOD adequately convey the scope and detail of required action. As of September 2022, the department had not provided evidence that it had taken any additional action. We continue to work with DOD to assess any plans for addressing this recommendation. |
Office of the Secretary of Defense | Priority Rec. The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders have more complete information to make risk-based decisions, and revise the recurring reports (or develop a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques. (Recommendation 7) | The Department of Defense partially concurred with this recommendation. A July 2020 letter from the DOD CIO's office stated that it will revise the recurring reports by merging the Cyber Hygiene and Top 10 Scorecards to further assist senior leader decision-making by correlating the data in both scorecards. The letter estimated that the merger would be completed by 1 Oct 2020. The letter identified three corrective actions the department planned to take in response to this recommendation. First, it stated that DOD would demonstrate an interim merger of scorecard capabilities, and the letter stated that DOD completed this action in May 2020. Second, the letter stated that DOD would "move code to SIPRNet to add classified headings and data" and that this action would be completed by July 2020. Third, the letter stated that DOD would "moved code to production" by the end of September 2020. The July 2020 letter also stated that DOD did not concur that it would ensure that senior leaders have complete information to make risk-based decisions because, the letter stated, doing so would not be feasible. The letter stated that risk is a function of multiple variables, that these variables are continually evolving, and that timely, relevant, and correlated information is the best that can be expected. It also stated that DOD will continue to strive to provide senior leaders with the most comprehensive information feasible to assist them in making risk-based decisions. In its February 2021 update, the DOD CIO's office did not provide an update on any actions taken in response to this recommendation. A July 2021 CIO update states that DOD uses three cybersecurity scorecards: the Cyber Hygiene Scorecard, the Top 10 Scorecard, and the Network Cybersecurity Accountability Scorecard. The report also states that the DOD CIO is reviewing each of these to identify potential opportunities to consolidate data collection processes. We continue to work with DOD to identify actions it has taken or plans to take to implement this recommendation. |