A new Government Accountability Office (GAO) report found the Missile Defense Agency (MDA) conducted none of its planned operational cybersecurity assessments in fiscal year 2020 as it moves to change its cybersecurity test planning efforts.

While the report, Missile Defense: Fiscal Year 2020 Delivery and Testing Progressed, but Annual Goals Unmet, said MDA has improved its cybersecurity planning and testing efforts in recent years, “it did not conduct any of its planned operational cybersecurity assessments needed to assess vulnerabilities in fiscal year 2020.”

MDA planned 17 of these operational assessments: 13 element-level cooperative assessments and four adversarial assessments covering various MDA systems. The report said 11 of the tests were designed to assess Increment 5 and six to assess Increment 6. Increment 5 is the currently deployed missile defense capabilities while Increment 6 are future capabilities in development.

GAO said operational cybersecurity testing consists of a cooperative vulnerability and penetration assessment (CVPA) and adversarial assessment (AA). The CVPA provides initial information about system resilience in an operational situation, which is then used to develop the AA. The AA then characterizes the operational effects caused by threat-representative cyberattacks and the effectiveness of defensive capabilities. 

According to the report, MDA officials said the agency did not conduct these assessments because they felt the information obtained in the tests was not needed, since all fiscal year 2020 Operational Capability Baseline decisions that reload on the information had already been completed.

Moreover, during FY ‘20 MDA started to restructure its cybersecurity test planning efforts to align with its March 2019 four-phase cybersecurity test concept of operations. Under this concept, phases one and two entail requirements setting and cyber test planning and then phases three and four consist of test execution and analysis and then reporting of results. 

“Moving forward, cyber tests will be planned and documented in the test baseline using the same process as flight and ground tests. For example, under the new approach, internal and external stakeholder input will inform cyber test requirements, which in turn will drive cyber test design and execution of testing for each capability increment,” the report said.

MDA officials told GAO this new approach will improve cyber system requirements while also streamlining cyber test planning, resource allocation, and results analysis.

However, GAO said “it is too soon to know how effective the new approach will be until it is fully implemented. The lack of testing during fiscal year 2020 coupled with persistent testing shortcomings over the last 3 years are representative of a broader MDA cybersecurity development issue.”

The report said it reported in July 2020 that MDA conducted its largest combined cooperative cyber assessment in FY ‘19 and the first operational adversarial assessment, “but failed to meet its fiscal year 2019 testing goals.”

GAO previously reported the agency failed to complete cybersecurity testing for capabilities delivered in 2017 and 2018 “and did not address deficiencies from prior year’s shortfalls.”

This report also said in 2020 the DoD Director of Operational Test and Evaluation (DOT&E) assessed the completed MDA cybersecurity testing contained limitations and its results were insufficient for Increments 4, 5, and 5A operational assessments.

According to the Ballistic Missile Defense System (BMDS) Operational Test Agency (OTA), while cyber operational testing began in 2017, some elements of the system “have not received any cyber operational testing to date, while others have only received partial testing of cyber defensive postures,” GAO continued.

GAO reported DOT&E and BMDS OTA made recommendations to address MDA cyber testing shortfalls and said more element-level testing is needed to identify and address cybersecurity vulnerabilities for both currently deployed capability increments and planned future capability.

“However, program documentation does not indicate any planned cybersecurity testing for already delivered increments. Consequently, continued testing, as DOT&E and the BMDS OTA recommends, is critical to identify and address vulnerabilities that could result in disruption of operations by an adversary for MDA and its missile defense system,” the report added.

The MDA programs that had initial planned 2020 cybersecurity tests include the Aegis Ballistic Missile Defense system, Army Navy/Transportable Radar Surveillance and Control Model 2, the Command, Control Battle Management and Communications, Ground-based Midcourse Defense, Long Range Discrimination Radar, Sea-Based X-Band Radar, and the Terminal High Altitude Area Defense.