Connect with us

Hi, what are you looking for?


Management & Strategy

GAO Criticizes Pentagon Over Cyber Hygiene Efforts

A report published this week by the U.S. Government Accountability Office (GAO) shows that the Pentagon’s cyber hygiene initiatives have not been completed and in some cases no one is keeping track of their progress.

A report published this week by the U.S. Government Accountability Office (GAO) shows that the Pentagon’s cyber hygiene initiatives have not been completed and in some cases no one is keeping track of their progress.

The GAO has reviewed three of the Department of Defense’s initiatives aimed at improving the security of its networks, including the 2015 Cybersecurity Culture and Compliance Initiative, the 2015 Cyber Discipline Implementation Plan, and the Cyber Awareness Challenge training.

The Cybersecurity Culture and Compliance Initiative focuses on 11 tasks related to education and training, cyber exercises, and changes that should be made to capabilities, authorities and network architectures.

This initiative should have been completed in fiscal year 2016, but GAO found that seven of the tasks still have not been fully implemented.

The Cyber Discipline Implementation Plan includes 17 tasks focused on addressing vulnerabilities in DoD networks, and ten of them that are overseen by the DoD chief information officer should have been implemented by the end of fiscal 2018. However, four of them still haven’t been implemented and no one kept track of the progress of the remaining seven tasks.

The GAO’s review also identified issues with the Cyber Awareness project, whose goal is to ensure that the DoD workforce is up to date on cyber threats and best practices. Investigators found that some of the Pentagon’s components have not kept track of who completed the training.

The DoD has also compiled lists of attack techniques that could pose a significant risk to its networks, and identified practices for protecting systems against these techniques. However, Pentagon officials admitted that no one has monitored the implementation of these practices.

Advertisement. Scroll to continue reading.

“Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack,” the GAO said in its report.

The GAO has provided a series of recommendations for addressing the identified issues, but the Department of Defense only completely agrees with one of them.

Related: GAO Says Electric Grid Cybersecurity Risks Only Partially Assessed

Related: Facilities That Lost Data Center Status at Increased Risk of Cyberattacks

Related: TSA Lacks Cybersecurity Expertise to Manage Pipeline Security Program

Related: GAO Makes Recommendations to Improve Security of Taxpayer Data

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...