Department of Defense OIG Releases Report on Cybersecurity
Last week, the Office of the Inspector General (OIG) at the Department of Defense (DOD) released a brief assessing the steps the department took to address cybersecurity concerns between July 2017 and June 2018. The report concludes that while the department has followed through on some important recommendations for improving cybersecurity, more must still be done to protect the country against cyber threats.
The OIG assessed the results of 20 unclassified and 4 classified cybersecurity reports by the DOD oversight community and the Government Accountability Office (GAO) between 2017 and 2018.
The National Institute of Standards and Technology (NIST) created the NIST Cybersecurity Framework in 2017 to better assess and handle cybersecurity risks. The framework is organized around five functions (identify, protect, deter, respond, and recover) that “provide a strategic view of the risk management lifecycle”, as the report explains.
Each of the five framework functions is broken down into categories and subcategories that outline levels of risk and the corresponding risk response.
In analyzing the aforementioned reports, the OIG found that the DOD has implemented 19 of the 159 recommendations made during the year in question.
The implemented recommendations allow the DOD to address concerns related to asset management, identity management, and secure, continuous monitoring. However, according to the OIG report, significant lapses in security remain in “governance, information protection processes and procedures, access control, detection processes, and communications.”
The OIG found that a lack of proper governance has created a substantial backlog in implementing recommendations.
The report notes, “Without proper governance, the DOD cannot assure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information system. The DOD must ensure that cybersecurity risks are effectively managed to safeguard its reliance on cyberspace to support its operations and implement proper controls and processes where weaknesses are identified to improve cybersecurity for the DOD.”
The DOD currently needs to take action on 266 open cybersecurity-related recommendations (255 unclassified and 11 classified) dating as far back as 2008.