GAO Report: DoD Needs to Improve Cyber Hygiene
This week, the Government Accountability Office ("GAO") published a report finding that the Department of Defense ("DoD") has "not fully implemented three of its key initiatives and practices aimed at improving cyber hygiene."
GAO conducted this study, in part, because DoD has become "increasingly reliant on information technology (IT) and risks have increased as cybersecurity threats evolve." GAO found that some 90% of cyberattacks could be avoided or defeated through basic cyber hygiene, which is defined as a "set of practices for managing the most common and pervasive cybersecurity risks."
In addition to finding, broadly, that DoD is has not implemented three of its key cyber initiatives––the 2015 DOD Cybersecurity Culture and Compliance Initiative ("DC3I"), the 2015 DOD Cyber Discipline Implementation Plan ("CDIP"), and DOD's Cyber Awareness Challenge training––GAO specifically found:
(1) the DOD CIO and DOD components have not implemented seven of the 11 DC3I tasks due in fiscal year 2016;
(2) DOD has implemented six of 10 CDIP tasks that the DOD CIO oversees and does not know the extent that seven other CDIP tasks are implemented; and
(3) DOD did not know the extent to which users for selected components completed the Cyber Awareness Challenge training in 2018 and one component did not use the required training. In addition, the department does not know the extent that cyber hygiene practices to protect its networks from key cyberattack techniques have been implemented.
The report is dense and highlights many of the issues that DoD should consider in its fight toward securing its IT infrastructure. To that end, GAO made seven recommendations that not only are "designated to monitor component completion of tasks and cyber hygiene practices" but also are designed to ensure that senior leadership receives information on DoD's cyber hygiene initiatives and cyber practices. Notably, of the seven recommendations, "DOD concurred with one, partially concurred with four, and did not concur with two."
. . .
