The Government Accountability Office (GAO) released a new report on Nov. 14 indicating that the Department of Defense (DoD) and Defense Industrial Base (DIB) need to enhance their work on sharing reports on cybersecurity incidents.
As part of a congressional provision, the report “reviewed relevant guidance, analyzed samples of cyber incident artifacts and cyber incident reports submitted by the DIB and privacy data breaches reported by DoD, and surveyed 24 DoD cyber security service providers.”
The report also looks at the number of incidents from 2015 to 2021, and although the number of actual incidents has gone down due to DoD’s efforts to combat cybersecurity issues, there have still been problems with how cyber incidents are categorized in two ways.
“DoD’s system for reporting all incidents often contained incomplete information and DoD could not always demonstrate that they had notified appropriate leadership of relevant critical incidents,” states the report.
“The weaknesses in the implementation of the two processes are due to DoD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons,” the report says.
Another gap in DoD’s ability to track incidents stems from the compartmentalization of information, which might leave some of the important details of some cyber incidents blank.
“DoD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DoD organizations and outside sources, such as DIB partners,” states the report.
“Until DoD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses,” states the report.
The report concludes with the following six recommendations to address this issue:
- The Secretary of Defense should ensure that the DoD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN assign responsibility for overseeing cyber incident reporting and leadership notification, and ensuring policy compliance;
- The Secretary of Defense should ensure that the DoD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN align policy and system requirements to enable DoD to have enterprise-wide visibility of cyber incident reporting to support tactical, strategic, and military strategies for response;
- The Secretary of Defense should ensure that the DoD CIO, Commander of CYBERCOM, and Commander of JFHQ-DODIN include in new guidance on incident reporting detailed procedures for identifying, reporting, and notifying leadership of critical cyber incidents;
- The Secretary of Defense should ensure that the Commander of CYBERCOM—in coordination with DoD CIO and Directors of DC3 and DCSA—examines whether information on DIB-related cyber incidents handled by CSSPs is relevant to the missions of other DoD components, including DC3 and DCSA, and identifies when and with whom such information should be shared;
- The Secretary of Defense should ensure that the DoD CIO determines what actions need to be taken to encourage more complete and timely mandatory cyber incident reporting from DIB companies;
- The Secretary of Defense should ensure—through the Director of the Privacy, Civil Liberties, and Freedom of Information Directorate—that DoD components document instances where individuals affected by a privacy data breach were notified.
The DoD concurred with all the recommendations listed in the report.