DOD Cyber Incident Reporting Assessment Reveals Contractor Deficiencies
Published: November 17, 2022
A GAO review of Defense Department cyber incident reporting reveals shortcomings, including contractors missing the mark.
The FY 2021 National Defense Authorization Act (NDAA) included a provision for the U.S. Government Accountability Office (GAO) to review Department of Defense (DOD) cyber incident management.
GAO recently released a report in which it examines the extent to which DOD established and implemented a process to (1) report and notify leadership of cyber incidents, (2) report and share information about cyber incidents affecting the defense industrial base (DIB), and (3) notify affected individuals of a breach of personally identifiable information (PII).
Summary of Findings
GAO found a mixed bag of results. While DOD efforts to reduce the number of cyber incidents have shown positive results, its incident reporting processes have room for improvement. GAO’s three major findings are:
- Incomplete implementation. DOD established cyber incident reporting and notification processes but has not fully implemented them. DOD has established two processes for managing cyber incidents—one for all incidents and one for critical incidents. However, DOD has not fully implemented either of these processes. One reason for the weaknesses in implementation is that DOD has not assigned an organization responsible for ensuring proper incident reporting and compliance.
- Incomplete information. DOD has not fully established or implemented processes to report and share selected cyber incidents affecting the DIB. As a result, DOD does not have complete data on cyber incidents.
- Incomplete documentation. DOD’s reported data breaches of PII have more than doubled since 2015, and DOD’s notification of affected individuals is unclear. DOD does not document when it notifies individuals whose personal data is compromised in a cyber incident. As a result, there is no record of the effectiveness or completeness of PII breach notifications.
Defense Industrial Base, Take Heed
While GAO’s assessment focused primarily on the Defense Department, it also looked at related cyber incident reporting among DIB companies, given the high degree of interdependence between DOD and its supporting contractors.
The Defense Federal Acquisition Regulation Supplement (DFARS) – specifically DFARS section 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting – requires DOD contractors to report cyber incidents affecting Controlled Unclassified Information (CUI) and other covered defense information to the DOD Cyber Crime Center (DC3) within 72 hours of discovery.
While GAO found that DC3 followed its established process for receiving and notifying stakeholders of DIB-related cyber incidents, GAO also found that DIB companies did not always submit reports to DC3 with complete information or within the regulatory timeframes (emphasis added).
Examples from the report of DIB company cyber incident reporting shortfalls include:
- An estimated 20 percent of the incident reports provided no response or an unclear response as to whether DOD programs, platforms, or systems were involved in the incident.
- An estimated 21 percent of the mandatory incident reports received by DC3 indicated that it was unknown whether there was an impact to covered defense information.
- An estimated 55 percent of the incident reports indicated that an incident outcome—successful compromise or failed attempt—was unknown.
Here’s the point. Defense contracting companies – and all federal contractors – will continue to come under greater scrutiny for missing cybersecurity-related contractual requirements and federal regulations, and failure will carry increasing consequences. This is a big part of the reason we are seeing the development of major contractor cybersecurity enforcement efforts, such as DOD’s Cybersecurity Maturity Model Certification program and the Department of Justice’s Civil Cyber-Fraud Initiative (CCFI).
Federal contractors must bring their internal cybersecurity processes up to federal standards and adapt their reporting and documentation capabilities to meet federal regulations, or risk loss of business and/or penalties.