The Defense Department can and should do more to help defense small businesses protect their networks from cyber threats, according to a report from the Government Accountability Office (GAO) released Thursday.
Although the department’s Office of Small Business Programs (OSBP) has explored some options like online training videos to integrate cybersecurity into its efforts, “as of July 2015, the office had not identified and disseminated cybersecurity resources in its outreach and education efforts to defense small businesses,” the report said.
While OSBP understood the importance of disseminating cybersecurity resources to small businesses, it identified limiting factors including not being aware of cybersecurity resources, leadership turnover, and an office focus on developing a training curriculum for professionals who work with small businesses, the GAO said.
Although the report acknowledges these factors could affect progress, it highlighted that government internal controls state management should ensure there are adequate means of communicating with and obtaining information from external stakeholders who may have a significant impact on the agency achieving its goals. Communicating with defense small businesses on cybersecurity qualifies under the internal controls.
Furthermore, by disseminating cybersecurity information, the OSBP would be supporting the 2015 DOD Cyber Strategy goals of working with companies to help secure defense industrial base trade data and build layered cyber defenses, the report said.
The GAO specifically recommended the Secretary of Defense direct the Director of OSBP to identify and disseminate cybersecurity resources to defense small businesses as part of its existing outreach efforts.
GAO identified 15 existing federal cybersecurity outreach and education resources the office could leverage for these defense small businesses. These include the department’s Defense Security Service online cybersecurity training programs available to the public; the U.S. Small Business Administration’s learning center that provides a 30-minute online program that covers cybersecurity concepts for small businesses; the Department of Homeland Security (in coordination with the National Cyber Security Alliance and the Anti-Phising Working Group) public cyber awareness resources including videos and tip sheets; and the Federal Communications Commission’s (FCC) planning tool, called FCC Small Biz Cyber Planner 2.0, that provides guidance to small businesses on developing their cybersecurity plans.
“By identifying and disseminating information about existing cybersecurity resources to defense small businesses, these businesses may be made more aware of cybersecurity practices and cyber threats, thereby potentially assisting them in protecting their networks against cyber exploits,” the report said.
Using the resources already developed by Defense Department components and other federal agencies, like those noted in the report, “DoD OSBP will be able to spend more time focusing on other priorities such as developing the training curriculum,” GAO said.
The report includes written comments from the department that concurs with the office’s recommendations