The Government Accountability Office (GAO) said in a new report issued today that it has delivered another 18 recommendations to the Defense Department (DoD) to improve operations across a range of agency functions, and also provided an update showing some DoD progress on outstanding cybersecurity-related recommendations.
In an annual update to its open priority recommendations report to DoD, GAO said it counts 84 open recommendations that DoD still needs to take action on. The updated list includes 18 new recommendations over the past year, and accounts for DoD implementing 12 priority recommendations since last year.
Cyber Recs Closed
The steps that DoD took to implement those 12 recommendations, GAO said, led to “improvements in financial management, cybersecurity, and Navy readiness,” among others.
On the cybersecurity front, GAO said that DoD’s completed actions on previous recommendations include action by U.S. Cyber Command to develop “standard operating procedures and other documentation that provides the services with information to understand how many personnel they require for each team and the training needed to maintain the size and capacity of the cyber mission force teams.”
GAO also said that the Army Office of the Chief Systems Engineer took action on a 2021 GAO recommendation by publishing guidance to help implement a systems engineering process to improve cyber resilience and survivability. “The guidance included planning considerations and tasks to inform procurement and contracting as well as an implementation process to determine the appropriate cyber requirements for each acquisition program,” GAO said.
GAO’s remaining open recommendations to DoD include a wide spectrum of areas:
- Acquisitions and contract management;
- Rebuilding readiness and force structure;
- Financial management;
- Driving enterprise-wide business reform;
- Cybersecurity and the information environment;
- Health care;
- Preventing sexual harassment; and
- Strengthening diversity, equity, and inclusion within DOD.
“DOD’s continued attention to these issues could lead to further improvements in the department’s operations,” GAO said.
Further Cyber Hygiene Progress Sought
GAO also ran down ongoing progress – or lack thereof – that DoD is making on a broad recommendation it gave DoD in April 2020 to improve cyber hygiene. The latest status on several related recommendations since then includes:
- Some progress on completing tasks in DoD’s cybersecurity culture and compliance initiative, but more work is needed, including development of training briefs for leadership;
- DoD still needs to develop plans with scheduled completion dates for four remaining Cybersecurity Discipline Implementation Plan (CDIP) tasks overseen by the agency’s chief information officer (CIO);
- For the CDIP, DoD still needs to identify a component to oversee tasks in the plan that are not overseen by the CIO, and report on progress; and
- DoD still needs to direct a component to monitor the extent to which practices are implemented to protect the department’s network from key cyberattack techniques.