Defense IG Highlights Ongoing Cybersecurity Risks, Open Recommendations

Published: January 17, 2019

Tags: Cybersecurity, Defense, Policy and Legislation

The Defense Department faces ongoing challenges in managing cybersecurity risk to its networks.

The Office of the Inspector General (OIG) at the Department of Defense (DoD) recently released a report summarizing the cybersecurity risk areas and open cybersecurity recommendations at the DoD, some of which have been on the books for a decade.

The scope of the DoD report covers unclassified and classified reports issued and testimonies made from the DoD oversight community and the Government Accountability Office (GAO) between July 1, 2017, and June 30, 2018.

The OIG set out to identify cybersecurity risk areas based on the five functions—Identify, Protect, Detect, Respond and Recover—of the National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity” (a.k.a. the NIST Cybersecurity Framework), which is mandated for federal agencies.

The summary report also meets a requirement in the Federal Information Security Modernization Act of 2014 (FISMA) for each agency to conduct an annual independent evaluation to determine the effectiveness of its information security program and practices.

Challenges Implementing the NIST Cybersecurity Framework

Overall, the OIG found that the DoD needs to continue focusing on managing cybersecurity activities in four of the five Cybersecurity Framework functions (Identify, Protect, Detect, and Respond), and primarily in the Framework categories of governance, asset management, information protection processes and procedures, identity management and access control, security continuous monitoring, detection processes, and communications.

As of the conclusion of fiscal year 2018 on September 30, 2018, the OIG identified that the DoD needs to take action to close 266 open DoD cybersecurity-related recommendations—255 unclassified and 11 classified—from reports dating back to FY 2008. The Identify and Protect functions are the two primary areas of focus for the open recommendations. The chart below shows the number of open cybersecurity-related recommendations by the fiscal year of the report in which they were included. Granted, the DoD has had little time to take action to close the recommendations issued in FY 2018, a point acknowledged by the OIG, so the emphasis may be better placed on the 115 recommendations that precede FY 2018.

Many of the details around existing risks were redacted in the report. (Why broadcast your known risks for adversaries to exploit?) However, areas of improvement identified by the OIG include asset management, information protection processes and procedures, identity management and access control, and security continuous monitoring.

That said, the OIG found that the DoD mostly needs to focus on managing risks related to cybersecurity governance – the policies, procedures, and processes to manage and monitor the agency’s regulatory, legal, risk, environmental, and operational requirements – which accounted for the largest number of weaknesses the OIG identified in this year’s summary assessment.
The OIG’s emphasis on DoD cybersecurity governance is worthy of the contracting community’s attention in at least two ways. First, the DoD has always looked to the industrial base for expertise and experience in how to do things, and cybersecurity is no different. Governance development presents ongoing opportunities for contracted support services across the government.

Second, cybersecurity governance reaches beyond the inner workings of an agency’s cybersecurity policies and operational procedures and processes. It impacts outsourcing requirements for security services like risk and vulnerability assessments as well as the skillsets required for cyber-workforce augmentation and training and development. Governance influences the operational environment and the contract requirements that drive the products and services an agency demands.