Fast Facts

The Department of Defense has struggled to ensure its weapons systems can withstand cyberattacks. Since we last reported, DOD has taken some positive steps toward that goal, like conducting more cyber testing.

But we found that DOD programs aren't always incorporating cybersecurity requirements into contract language. And contractors are only responsible for meeting the terms written in a contract. Some contracts we reviewed had no cybersecurity requirements when they were awarded, with vague requirements added later.

We recommended that DOD issue guidance on incorporating weapon systems cybersecurity requirements into contract language.

Highlights

What GAO Found

Since GAO's 2018 report, the Department of Defense (DOD) has taken action to make its network of high-tech weapon systems less vulnerable to cyberattacks. DOD and military service officials highlighted areas of progress, including increased access to expertise, enhanced cyber testing, and additional guidance. For example, GAO found that selected acquisition programs have conducted, or planned to conduct, more cybersecurity testing during development than past acquisition programs. It is important that DOD sustain its efforts as it works to improve weapon systems cybersecurity.

Contracting for cybersecurity requirements is key. DOD guidance states that these requirements should be treated like other types of system requirements and, more simply, “if it is not in the contract, do not expect to get it.” Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met. However, GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria, or verification processes. For example, GAO found that contracts for three of the five programs did not include any cybersecurity requirements when they were awarded. A senior DOD official said standardizing cybersecurity requirements is difficult and the department needs to better communicate cybersecurity requirements and systems engineering to the users that will decide whether or not a cybersecurity risk is acceptable.

Figure: Incorporating Cybersecurity in Contracts

DOD and the military services have developed a range of policy and guidance documents to improve weapon systems cybersecurity, but the guidance usually does not specifically address how acquisition programs should include cybersecurity requirements, acceptance criteria, and verification processes in contracts. Among the four military services GAO reviewed, only the Air Force has issued service-wide guidance that details how acquisition programs should define cybersecurity requirements and incorporate those requirements in contracts. The other services could benefit from a similar approach in developing their own guidance that helps ensure that DOD appropriately addresses cybersecurity requirements in contracts.

Why GAO Did This Study

DOD's network of sophisticated, expensive weapon systems must work when needed, without being incapacitated by cyberattacks. However, GAO reported in 2018 that DOD was routinely finding cyber vulnerabilities late in its development process.

A Senate report accompanying the National Defense Authorization Act for Fiscal Year 2020 included a provision for GAO to review DOD's implementation of cybersecurity for weapon systems in development. GAO's report addresses (1) the extent to which DOD has made progress in implementing cybersecurity for weapon systems during development, and (2) the extent to which DOD and the military services have developed guidance for incorporating weapon systems cybersecurity requirements into contracts.

GAO reviewed DOD and service guidance and policies related to cybersecurity for weapon systems in development, interviewed DOD and program officials, and reviewed supporting documentation for five acquisition programs. GAO also interviewed defense contractors about their experiences with weapon systems cybersecurity.

Recommendations

GAO is recommending that the Army, Navy, and Marine Corps provide guidance on how programs should incorporate tailored cybersecurity requirements into contracts. DOD concurred with two recommendations, and stated that the third—to the Marine Corps—should be merged with the one to the Navy. DOD's response aligns with the intent of the recommendation.

Recommendations for Executive Action

Priority recommendations (marked "Priority Rec." below) are those that GAO believes warrant priority attention from heads of key departments or agencies.

Agency Affected: Department of the Army (Priority Rec.)
Recommendation: The Secretary of the Army should develop guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. (Recommendation 1)
Status: Open. The Army concurred with our recommendation. Because this report was recently published, DOD has had limited time to act on these recommendations. We will monitor DOD's efforts to implement these recommendations moving forward.

Agency Affected: Department of the Navy (Priority Rec.)
Recommendation: The Secretary of the Navy should develop guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. (Recommendation 2)
Status: Open. The Navy concurred with our recommendation. Because this report was recently published, DOD has had limited time to act on these recommendations. We will monitor DOD's efforts to implement these recommendations moving forward.

Agency Affected: Department of the Navy (Priority Rec.)
Recommendation: The Secretary of the Navy should take steps to ensure the Marine Corps develops guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. (Recommendation 3)
Status: Open. The Navy partially concurred with our recommendation, stating that a separate recommendation to the Marine Corps was unnecessary given that the Navy and Marine Corps operate under a single acquisition construct. We determined that separate recommendations to each component were appropriate because each maintains independent policies and guidance relevant to weapon systems cybersecurity. Because this report was recently published, DOD has had limited time to act on these recommendations. We will monitor DOD's efforts to implement these recommendations moving forward.