Despite the Defense Department’s ongoing efforts to build networked weapon systems heavily dependent on software and information technologies, the military service branches have not all issued clear guidance describing how acquisition officials should incorporate cybersecurity requirements into contracts for these systems.
Of the four services, the Air Force is the only branch to have issued servicewide guidance for defining and incorporating cybersecurity requirements into contracts, according to a recent Government Accountability Office audit. The report builds on another audit from 2018 when GAO found DOD was in the early stages of understanding how to apply cybersecurity to weapon systems.
While DOD has made improvements in this area since 2018—for example, by ensuring programs have access to adequate cyber expertise, increasing the use of cybersecurity assessments, and releasing more guidance—the agency is still learning how to contract for cybersecurity in weapon systems, according to the audit.
“Current military service guidance, except for the Air Force, does not address how acquisition programs should contract for weapon systems cybersecurity requirements, acceptance criteria, and verification, which DOD and program officials told GAO would be helpful,” the audit reads.
GAO did not include the Cybersecurity Maturity Model Certification program, or CMMC, in this review. CMMC requires defense contractors to undergo audits by independent third parties, overseen by an accreditation body, to validate the security of their systems; it will not apply to all contracts until 2025.
The audit was released at a time of heightened cyber concerns after the SolarWinds intrusion, which affected multiple federal agencies.