Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

Defense Department Continuously Challenged on Cybersecurity

A recently published report from the United States Department of Defense (DoD) Inspector General shows that, while the Department has improved its security posture, it still faces challenges in managing cybersecurity.

A recently published report from the United States Department of Defense (DoD) Inspector General shows that, while the Department has improved its security posture, it still faces challenges in managing cybersecurity.

The report represents a summary of 20 unclassified and 4 classified reports issued by the DoD oversight community and the Government Accountability Office (GAO) between July 1, 2017, and June 30, 2018 (the summary work was made between May 2018 and December 2018).

Also addressing the Federal Information Security Modernization Act of 2014 (FISMA) requirement for an annual evaluation of the agency’s information security program, the report aims to identify cybersecurity risk areas for DoD management based on the NIST Cybersecurity Framework, as well as to identify open DoD cybersecurity recommendations.

The report (PDF) reveals that DoD Components implemented some corrective actions to improve system weaknesses identified by reports summarized in the cybersecurity summary report issued at the end of 2017, but also points out that DoD still faces cybersecurity challenges. 

Of the 159 recommendations made in the summarized unclassified reports, the DoD has taken action to address only 19. Of the 175 recommendations the DoD oversight community and the GAO made between July 1, 2017, and June 30, 2018, 151 remained open as of September 30, 2018.

Furthermore, as of September 30, 2018, there were 266 open cybersecurity‑related recommendations (255 unclassified and 11 classified), some dating as far back as 2008, the report reveals.

“[T]he DoD needs to continue focusing on managing cybersecurity risks related to governance, asset management, information protection processes and procedures, identity management and access control, security continuous monitoring, detection processes, and communications,” the report also reads. 

This year, governance led in terms of number of identified weaknesses, and the report points out that DoD cannot ensure it can effectively identify and manage cybersecurity risk without proper governance. According to the report, the DoD continuously faces growing cyber threats and must ensure effective management of cybersecurity risks. 

“The DoD depends on cyberspace to support its operations and, therefore, must be able to secure its networks against attack or recover quickly if security measures fail. Cybersecurity risk management comprises the full range of activities undertaken to protect information and information technology from cyber threats such as unauthorized access and loss of data,” the report points out.

Related: DoD Lacks Visibility into Software Inventories, Audit Finds

RelatedData on U.S. Missile Defense System Lacks Adequate Protections, DoD Says

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem