The Pentagon has made progress improving its IT systems in recent years, but it still faces about 266 outstanding cybersecurity-related recommendations from past watchdog reports that it must address.
These findings come as part of a Jan. 9 inspector general summary of Department of Defense cybersecurity audits issued in fiscal 2018 regarding its compliance with the National Institute of Standards and Technology’s Cybersecurity Framework. Generally, the report found that “DoD Components implemented many of the agreed-upon corrective actions necessary to improve system weaknesses” from the prior year’s report.
That said, the department “still faces challenges in managing cybersecurity risk to its network,” the report finds, pointing to the 266 recommendations from past departmentwide reports that remained open as of Sept. 30, 2018, including 151 issued in fiscal 2018 alone. Some of the oldest weaknesses date as far back as 2008.
The Pentagon has made some progress on the overall number, however. As of the report’s publication, of the 151 fiscal 2018 recommendations that remained open at the close of the fiscal year, 112 have been resolved, according to the IG. In the IG’s terminology, that means military managers have “agreed to implement” the recommendations but haven’t yet completed them, an IG spokesperson confirmed to FedScoop. The remaining 39 recommendations from that group are unresolved: the department either disagreed with them or proposed “alternative corrective actions.”
The biggest pain point identified in the report is DOD’s struggle with IT governance.
“Without proper governance, the DoD cannot assure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems,” the Pentagon IG writes. “The DoD must ensure that cybersecurity risks are effectively managed to safeguard its reliance on cyberspace to support its operations and implement proper controls and processes where weaknesses are identified to improve cybersecurity for the DoD.”
The summary report goes on to examine each of the five core functions of the NIST Cybersecurity Framework: identify, protect, detect, respond and recover.
“As the DoD continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems, the DoD must ensure that cybersecurity risks are effectively managed to safeguard its reliance on cyberspace to support its operations,” the summary says.