As for the Pentagon’s implementation of cybersecurity guidance, from cloud computing to cyber strategy and its broader security campaign, GAO said progress had varied over time. In some cases, it said, the process for monitoring implementation of those programs “resulted in the closure of tasks before they were fully implemented.”

For example, the GAO pointed out that the Pentagon prematurely “closed a task that, among other things, would require completing cyber risk assessments on 136 weapon systems.”

Also, the GAO report found the department had closed a task to assess cybersecurity for both current and future weapon systems. The DoD’s previous strategy required the department “to assess and initiate cybersecurity improvements for existing weapon systems” as well as to “mandate cybersecurity requirements for future weapon systems.”

That said, the GAO indicated that the DoD believes it is “on track” for the completion of the cyber-risk assessments by Dec. 31, 2019, but added that as of May of this year “the task was not complete.”

The GAO said one “significant compromise” years ago was traced to a DoD-owned laptop in the Middle East and an infected flash drive. It resulted in the spread of a “malicious code” throughout the classified and unclassified networks of the department.

“Addressing the gaps in DoD’s plans and timeframes for completing the remaining action will help DoD find and fix any root causes of cybersecurity breaches,” the GAO said. “Failure to implement this objective makes DoD vulnerable to cyber threats that may negatively affect mission readiness and could hinder mission accomplishment.”

Meantime, last week’s GAO report on the DoD’s guidance on Internet-capable devices and cybersecurity found that the existing policies and guidance that the department has issued “do not clearly address some security risk relating to IoT devices.”

Specifically, the GAO said the current policies and guidance are lacking as they relate to “certain DoD-acquired IoT devices, such as smart televisions in unsecure areas, and IoT device applications.”

Furthermore, the GAO said, “DoD policies and guidance on cybersecurity, operations security, information security, and physical security do not address IoT devices. Updates to DoD policies and guidance would likely enhance the safeguarding and securing of DoD information from IoT devices.”
