The Department of Defense’s Inspector General took the agency to task in a Nov. 8 report that says four DoD components failed to fully implement the 2015 Cybersecurity Information Sharing Act (CISA), which aims to encourage sharing of cybersecurity threat data between the government and the private sector.
The IG found that the four DoD components – the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the DoD Cyber Crime Center (DC3), and U.S. Cyber Command – each took substantial steps to implement the CISA provisions, but none did so completely.
For example, the IG reported that DISA and Cyber Command did not have “agency-level policies and procedures” for sharing cyber threat indicators and defensive measures with Federal and non-Federal entities, and that DC3 did not always verify whether private sector individuals had active security clearances before sharing threat indicators and defensive measures in the Defense Industrial Base Network-Unclassified System. In the latter instance, the IG said DC3 removed 429 users from the system during the course of the IG audit.
The IG placed blame for incomplete CISA implementation squarely on the DoD CIO, saying the component organizations “did not implement all of the CISA requirements because the DoD Chief Information Officer (CIO) did not issue a DoD-wide policy on CISA implementation or require that the DoD Components comply with the CISA requirements.”
“As a result, the DoD limited its ability to gain a more complete understanding of cybersecurity threats since it did not fully leverage the collective knowledge and capabilities of sharing entities, or disseminate internally generated cyber threat indicators and defensive measures with other Federal and non-Federal entities,” the IG said.
“Using the shared information, entities can improve their security posture by identifying affected systems, implementing protective measures, and responding to and recovering from incidents,” the IG said. “This is critical because cyber attackers continually adapt their tactics, techniques, and procedures to evade detection, circumvent security controls, and exploit new vulnerabilities.”
As a result of the IG audit, DoD’s principal deputy CIO has agreed to coordinate with the under secretary of Defense for Policy to issue DoD-wide policy on CISA implementation. The IG said it is still seeking comments from the directors of NSA and DC3 on the IG report.