The Air Force Gets Dinged for Inconsistent Cybersecurity Practices

A review by the Department of Defense Office of Inspector General (DoD OIG) of the Air Force’s compliance with the Federal Information Security Modernization Act of 2014 (FISMA) revealed some inconsistencies in how the service is following its own established policies and procedures, leading the IOG to issue a recent management advisory to AF officials for remediation.

The DoD IG assessed whether the Air Force met the requirements outlined in the FY 2021 IG FISMA Reporting Metrics for 5 of the 66 metrics to determine whether the Air Force issued policies and procedures related to the metric and whether they implemented those policies and procedures.

The five metrics assessed were (emphasis added):

• Risk Management (Metric #8) – To what extent has the organization ensured that plans of action and milestones (POA&Ms) are utilized for effectively mitigating security weaknesses?
• Data Protection and Privacy (Metric #38) – To what extent has the organization developed and implemented a Data Breach Response Plan, as appropriate, to respond to privacy events?
• Data Protection and Privacy (Metric #39) – To what extent does the organization ensure that privacy awareness training is provided to all individuals, including role?based privacy training?
• Security Training (Metric #44) – To what extent does the organization ensure that security awareness training is provided to all system users and is tailored based on its mission, risk environment, and types of information systems?
• Information Security Continuous Monitoring (Metric #49) – How mature are the organization's processes for performing ongoing information system assessments, granting system authorizations, including developing and maintaining system security plans, and monitoring system security controls?

Findings Reveal Inconsistent Cyber Policy Implementation

The DoD IG found that although the Air Force had policies and procedures in place for the five metrics they reviewed, the Air Force did not consistently implement the policies and procedures for four of the five metrics (emphasis added). While the Air Force tracked user completion of annual cybersecurity awareness training (Metric #44), for the remaining four metrics, the Air Force did not:

• Track and monitor the mitigation of system security weaknesses identified in POA&Ms within established timeframes (Metric #8)
• Report privacy related breaches within established timeframes (Metric #38)
• Ensure that privacy awareness training addressed all key elements required by Air Force guidance (Metric #39)
• Ensure that all systems had an authorization to operate (ATO) as required to be on the Air Force network (Metric #49)

Recommended Actions

The DoD IG made the following recommendations for the appropriate Air Force officials (emphasis added):

• Vulnerability Mitigation – Direct the system owners to identify and mitigate all very high, high, and moderate weaknesses that exceed the 30?day and 90?day mitigation requirement as required by Air Force guidance; prioritize any weaknesses identified in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog; and establish controls to ensure that system owners mitigated weaknesses by their scheduled completion dates and in accordance with the timelines established in Air Force guidance.
• Privacy – Update “Air Force Privacy and Civil Liberties Program” instructions to align with the June 2021 DoD Data Breach Response Plan, including the changes to the breach reporting process. Second, ensure that all Air Force personnel receive annual privacy training that addresses all the key elements required by the program instructions. Third, establish controls to ensure that Air Force privacy officials are timely reporting breaches in accordance with the program.
• Authorization to Operate (ATO) – Direct Authorizing Officials to ensure that the remaining unclassified systems have a valid ATO in accordance with DoD and Air Force guidance. Second, establish controls to ensure that the information system owners obtain and maintain ATOs for their systems as required by DoD and Air Force guidance and prior to placing them on the Air Force network.

Air Force Actions

The Air Force concurred with the IG’s recommendations, promising to update its privacy guidance, POA&M Guidebook, and Organizational Risk Tolerance Baseline governing vulnerability mitigation by March 30, 2023. Given these actions, the DoD IG considers these recommendations resolved, but they will remain open until the Air Force submits documentation showing that the agreed?upon actions are complete.

Regarding ATOs, the Air Force Chief Information Security Officer (CISO) has established a process to direct that unclassified systems have a valid ATO, in accordance with DoD and Air Force guidance. In June 2022, the Air Force updated its process for obtaining an ATO before placing an information system on the Air Force network while implementing an incremental ATO approach. Given these actions, the DoD IG considers these recommendations closed with no further actions required.