A follow-up audit by the Department of Defense (DoD) Office of Inspector General (OIG) of the corrective actions DoD took regarding its Cyber Red Teams found that the department did not consistently mitigate or include unmitigated vulnerabilities identified in the prior audit or during this audit.
The mitigated and unmitigated vulnerabilities identified by OIG include those that occur “during combatant command exercises, operational testing assessments, and agency-specific assessments in plans of action and milestones.”
OIG states that the DoD Cyber Red Teams didn’t consistently mitigate vulnerabilities for the following reasons:
- DoD did not assess the impact of those vulnerabilities on its mission;
- It failed to prioritize resources to implement risk mitigation solutions;
- It failed to coordinate results of its reporting with applicable stakeholders;
- DoD did not have an organization responsible for ensuring that DoD Components acted on managing vulnerabilities identified by the Cyber Red Teams; and
- It didn’t establish a process to hold DoD Components responsible for mitigating vulnerabilities.
“Until the DoD assigns an organization to assess DoD Cyber Red Team resources, it will be unable to determine the number of DoD Cyber Red Teams and staffing of each team to support mission needs, which will impact the DoD’s ability to identify vulnerabilities and take corrective actions that limit malicious actors from compromising DoD operations,” the report said.
OIG made seven recommendations to the Secretary of Defense, including:
- Review and assess DoD Cyber Red Team reports “for systemic vulnerabilities and coordinate the development and implementation of enterprise solutions to mitigate those vulnerabilities;”
- Have DoD components develop and implement processes for providing reports with findings and recommendations to organizations with responsibility for corrective actions;
- Develop and implement processes to assess the impact of identified vulnerabilities and prioritize funding for correcting high-risk vulnerabilities;
- Ensure the development of processes and procedures for overseeing DoD Cyber Red Team activities;
- Conduct DoD-wide mission-impact analysis to determine the number of Cyber Red Teams, minimum staffing levels of those teams, and composition of the staffing levels to meet mission requests;
- Identify a baseline of core and specialized training standards based on the three Cyber Red Team roles that its staff must meet to be certified and accredited; and
- Develop baseline tools needed to perform missions by DoD Cyber Red Teams.