GAO Finds Significant Deficiencies in DoD's Cyber Incident Reporting Practices
In a November 2022 report to Congress, the Government Accountability Office (GAO) noted significant deficiencies in the Department of Defense's (DoD) cyber incident reporting practices.
Of concern from the GAO's report (available at https://www.gao.gov/assets/gao-23-105084.pdf), titled "DoD Cybersecurity - Enhanced Attention Needed to Ensure Cyber Incidents are Appropriately Reported and Shared", are the following findings:
Despite the reduction in the number of incidents due to DOD efforts, weaknesses in reporting these incidents remain. For example, DOD’s system for reporting all incidents often contained incomplete information and DOD could not always demonstrate that they had notified appropriate leadership of relevant critical incidents.
The weaknesses in the implementation of the two processes are due to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons.
Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department’s cybersecurity posture.
In addition, DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders, according to officials.
DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as DIB partners.
Until DOD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses.
The GAO report also offers numerous examples of actual incidents that have occurred and their significant impact on the DoD and federal contractors.
Per the report, GAO has made numerous recommendations, including that “...DOD assign responsibility for ensuring proper incident reporting, improve the sharing of DIB-related cyber incident information, and document when affected individuals are notified of a PII breach. DOD concurred with the recommendations.”
We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America's defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance challenges, and so much more, you can trust Arlington, the firm that's Dedicated to Defense®. Learn more at arlingtonintel.com.