The Department of the Air Force has made progress in addressing cybersecurity vulnerabilities at installations designated as defense critical infrastructure, but staffing shortages and communication gaps left some high-risk vulnerabilities unresolved, according to a recent audit by the Department of Defense (DOD) Inspector General.
Under the Trump administration, the DOD was rebranded as the Department of War.
The audit assessed the Air Force’s progress in mitigating cybersecurity vulnerabilities at defense critical infrastructure sites as required by the fiscal year 2017 National Defense Authorization Act. The audit which assessed five military installations. It is the second in a series of audits examining the department’s efforts to evaluate and address cyber risks to critical infrastructure.
Specific cybersecurity vulnerabilities and technical details identified in the audit were redacted from the publicly released report.
Based on the publicly available version of the audit report, Air Force officials prioritized identified vulnerabilities, but did not mitigate some of them because all five installations lacked personnel with sufficient cyber expertise. Auditors also found that officials did not address some high-risk vulnerabilities at other installations because they misunderstood the scope of the assessments.
Auditors also found that most control system owners were not notified of vulnerabilities that could have been addressed to reduce known risks to defense critical infrastructure.
These unmitigated vulnerabilities could provide adversaries and malicious actors opportunities to disrupt critical missions and impair the Air Force’s ability to deploy, support, and sustain military forces worldwide, the report noted.
The OIG recommended immediate notification of vulnerabilities to relevant control system owners and development of a process to verify mitigations. The assistant deputy chief of staff for logistics, engineering, and force protection, responding on behalf of the director of civil engineers, agreed to address all recommendations.