The Department of Defense has not consistently mitigated cyber vulnerabilities identified in a 2012 report, according to the department’s inspector general.
The DoD IG issued a follow-on report to its 2012 report, issued March 13 and made public March 17, that determined cyber red teams didn’t report the results of assessments to organizations and components didn’t effectively correct or mitigate the identified vulnerabilities.
The new report discovered that components didn’t consistently mitigate vulnerabilities, or include unmitigated vulnerabilities in plans of action and milestones, that red teams identified in the prior audit and during this audit in combatant command exercises, operational testing assessments and agency-specific assessments.
“Ensuring DoD Components mitigate vulnerabilities is essential to achieve a better return on investment,” the report stated. “In addition, we determined that the DoD did not establish a unified approach to support and prioritize DoD Cyber Red Team missions. Instead, the DoD Components implemented Component-specific approaches to staff, train and develop tools for DoD Cyber Red Teams, and prioritize DoD Cyber Red Team missions.”
The report found that DoD didn’t establish a unified approach because it didn’t assign an organization with responsibility to oversee and synchronize red team activity based on priorities, it didn’t assess the resources needed for each red team and identify requirements to train them to meet priorities, and it didn’t develop baseline tools to perform assessments.
“Without an enterprisewide solution to staff, train and develop tools for DoD Cyber Red Teams and prioritize their missions, DoD Cyber Red Teams have not met current mission requests and will not meet future requests because of the increased demands for DoD Cyber Red Team services,” the report said. “Until the DoD assigns an organization to assess DoD Cyber Red Team resources, it will be unable to determine the number of DoD Cyber Red Teams and staffing of each team to support mission needs, which will impact the DoD’s ability to identify vulnerabilities and take corrective actions that limit malicious actors from compromising DoD operations.”
The DoD IG issued seven recommendations for which the secretary of defense should assign an organization responsibility. They include:
- Review and assess red team reports for systemic vulnerabilities and coordinate the development and implementation of enterprise solutions to mitigate them;
- Ensure components develop and implement a risk-based process to assess the impact of identified vulnerabilities and prioritize funding for corrective actions for high-risk vulnerabilities;
- Ensure components develop and implement processes for providing reports with red team findings and recommendations to organizations with responsibility for corrective actions;
- Develop processes and procedures to oversee red team activities, including synchronizing and prioritizing red team missions, to ensure activities align with priorities;
- Perform a joint DoD-wide mission-impact analysis to determine the number of red teams, minimum staffing levels of each team, and the composition of the staffing levels needed to meet current and future mission requests;
- Assess and identify a baseline of core and specialized training standards, based on the three red team roles, that team staff must meet for the team to be certified and accredited; and
- Identify and develop baseline tools needed by red teams to perform missions.