WASHINGTON — The U.S. Defense Department still struggles to write cybersecurity requirements into contracts for weapon systems, even though the department has made important strides in improving those platforms' cyber protections, a congressional watchdog announced Thursday.
A report on five major weapon platforms across the military services found better security measures than in 2018, when the Government Accountability Office’s last review said cybersecurity practices for the weapons were inadequate.
Still, the GAO found security gaps in the acquisition process, with three of five programs reviewed lacking any cybersecurity requirements in their contract awards. The Air Force was the only service with broad guidance to define cybersecurity requirements and incorporate them in contracts.
The findings come as the federal government grapples with the fallout from a security breach through an IT contractor that raised concerns about potential access to sensitive systems and possible supply chain security weaknesses.
The watchdog reviewed five weapon systems: a radar program, an anti-jammer, a ship, a ground vehicle and a missile. Programs reported improvement in four areas over the last three years: greater access to cyber expertise, more completed cyber assessments, use of additional cybersecurity guidance, and better tailoring of cyber requirements to mission needs.
“Officials from these acquisition programs reported having a greater focus on and more resources committed to cybersecurity in several areas, including greater access to cyber expertise and increased use of cyber assessments,” the report said.
Senior officials also noted progress with security controls and guidance.
“While it is too soon to determine whether these efforts will lead to more secure systems, they are further evidence of DOD’s commitment to improving weapon systems cybersecurity,” the report stated.
For the contract process, the GAO said the other military branches could benefit from an approach similar to the Air Force, outlining service-wide cybersecurity requirements for acquisitions.
The watchdog recommended the Army, Navy and Marines “develop guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts.”
Overall, DoD acquisition programs developed new policies and guidance documents to improve weapon systems' cybersecurity, the GAO found. However, some programs did not clearly define the cybersecurity activities that would lead to acceptance or rejection of a delivered system, and some did not specify how the department would verify that cybersecurity requirements had been met.
Officials interviewed by the GAO said that “effectively” contracting for cybersecurity is a challenge for acquisition programs. One senior DOD official told the watchdog that “standardizing cybersecurity requirements is difficult and the department needs to better communicate cybersecurity requirements and systems engineering to the users that will decide whether or not a cybersecurity risk is acceptable.”
Another official said the “lack of clear performance criteria for cybersecurity requirements creates challenges for understanding and implementing better security.”
The Defense Department agreed with the GAO’s recommendation for the Army and Navy, while partially concurring with the idea for the Marine Corps, stating that the Marines and Navy should merge their efforts because they operate under the same acquisition structure.
“Ultimately, DOD’s success in improving weapon systems cybersecurity depends on the extent to which the military services and acquisition community execute these changes to produce better outcomes in their programs,” the GAO wrote.
In one effort to improve weapons' cyber safeguards, the Defense Innovation Unit, the Pentagon's Silicon Valley arm, is developing a system with cybersecurity company ForAllSecure to continuously probe platforms for vulnerabilities. The company's automated software-testing platform, called Mayhem, combines fuzzing with symbolic execution to find exploitable bugs; the company began adapting it for this weapon-systems work after the 2018 GAO report.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.