Relevant links are at the bottom of this post.
According to a new summary of 21 different unclassified audits and reports, the Department of Defense has deficiencies in seven of eight critical cybersecurity metrics.
The cybersecurity summary by the DOD Office of Inspector General, dated Dec. 13, states that despite past warnings, the DOD continues to fall short in meeting Federal Information Security Modernization Act cybersecurity requirements.
The DOD OIG report is a digest of reports issued between Aug. 1, 2015 and Jul. 31, 2016. The DOD audit community and the General Accountability Office provided 61 different recommendations related to the FY 2016 IG FISMA metrics during that period.
Areas of recurrent weakness include identity management, access management, privacy training and configuration management.
“As recent audit reports identify, the DOD continues to face challenges in protecting and securing its networks, systems and infrastructure from cyber threats and increasing its overall cyber capabilities,” reads the report. “One of the most important challenges is the continuous effort to protect the DOD’s systems and networks from increasingly sophisticated cyber-attacks.”
Specific examples cited include failing to require performance of software assurance countermeasures during weapons systems acquisition, improperly implementing project management resource tools and failing to review account access.
The report states that a previous audit found DOD components are still not in full compliance with Homeland Security Presidential Directive 12, released in 2004, which outlines identification standards for federal employees and contractors.
“The report identified the lack of compliance leaves national security and Privacy Act information vulnerable to compromise and places soldiers, family members, civilians, and critical infrastructures at greater risk of an adverse incident occurring,” OIG said.
“The DOD audit community and the GAO attributed their findings to the lack of clear guidance and noncompliance with Federal and DOD guidance and identified recommended actions to correct the cybersecurity weaknesses and improve DOD cybersecurity,” the report states.
The report cautions that as the DOD increases its reliance on cyberspace “to enable its military, intelligence and business operations to perform the full spectrum of military operations,” it’s all the more critical for the department to address the cybersecurity weaknesses outlined in the report.
The report states that, because it is a summary of previously issued audits, the OIG did not submit a draft to the DOD for comments.
The DOD did not respond to FCW’s request for comments, and the OIG did not respond to FCW’s query on whether the DOD had implemented any of the outstanding recommendations since the end of the reporting period on July 31.