The Pentagon is behind on implementing several basic cyber hygiene initiatives, according to a new Government Accountability Office report, leaving the department more vulnerable to pervasive cyber threats.
GAO has recommended the department fully adopt basic cyber hygiene tasks included across three prior programs, such as addressing its lack of a central component to monitor the department’s use of best practices for protecting its networks.
“Overall, until DoD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack,” GAO officials wrote. “The department does not know the extent that cyber hygiene practices have been implemented to protect DoD networks from key cyberattack techniques. By directing a component to monitor the extent to which practices to protect DoD’s networks are implemented, DoD would be better positioned to ensure that its networks are secure and decrease potential risks to military operations, critical functions, and information assurance.”
The three initiatives where the Pentagon has yet to fully implement best practices are the 2015 DoD Cybersecurity Culture and Compliance Initiative (DC3I), the 2015 DoD Cyber Discipline Implementation Plan (CDIP), and DoD’s Cyber Awareness Challenge training program.
For DC31, the department has to fully complete seven of the program’s 11 overall tasks, which was to cover cyber education and training, integration of cyber into operational exercises and changes to cyber authorities.
The GAO noted that several DoD organizations had yet to receive mandated cyber training briefs from U.S. Cyber Command regarding new cyber security information.
The CDIP plan laid out 17 tasks focused on removing preventable vulnerabilities from DoD networks, 10 of which the department’s CIO was responsible for implementing.
“While the Deputy Secretary set a goal of achieving 90 percent implementation of the 10 CIO tasks by the end of fiscal year 2018, four of the tasks have not been implemented,” the GAO wrote. “Further, the completion of the other seven tasks was unknown because no DoD entity has been designated to report on the progress.”
The reported also noted that select DoD components are unable to identify how many users have completed the required Cyber Awareness training program.
“GAO’s review of 16 selected components identified six without information on system users that had not completed the required training, and eight without information on users whose network access had been revoked for not completing training,” officials wrote.
The Pentagon concurred with just one of GAO’s seven recommendations in the report, agreeing that all components should be responsible for completing the Cyber Awareness training.