GAO to Pentagon: Practice the Cyber Policies You Preach

The Defense Department shows a lack of follow-through on basic cyber hygiene initiatives it launched in recent years despite standing up an accountability program with related standards for its vendors, the Government Accountability Office said in a recent report. 


“Our analysis of the seven tasks that DOD is not currently tracking progress on are consistent with basic cybersecurity standards established by DOD guidance and [the National Institute of Standards and Technology]—and which DOD is planning to apply to certain defense contractors in future contract awards to protect DOD information that is stored or transits through their networks as a part of the Cybersecurity Maturity Model Certification framework,” GAO wrote in a report to congressional committees it released Monday.


GAO made seven recommendations based on its examination of DOD’s implementation of basic cyber practices, particularly around three initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD's Cyber Awareness Challenge training. 


The recommendations mainly addressed the department’s failure to designate specific components to track the progress of the initiatives toward putting accountability measures in place.


“Selected components in the department do not know the extent to which users of its systems have completed” required training, for example, GAO wrote, noting department officials also couldn’t say how many workers were denied access to systems due to a lack of training.


DOD concurred with GAO’s recommendation that all DOD components require training developed by the Defense Information Systems Agency. But the department only partially concurred with four recommendations—including one that senior DOD leaders should have “more complete” information on the implementation of cybersecurity practices—and disagreed with two.


GAO’s mention of the CMMC ..
