Pentagon’s Cyber Mission Force Needs Better Training Plan

Sailors stand watch in the Fleet Operations Center at the headquarters of U.S. Fleet Cyber Command, a component of U.S. Cyber Command. Samuel Souvannason/U.S. Navy

A government watchdog found flaws in the Defense Department’s transition from building its Cyber Mission Force to maintaining it.

The Defense Department’s cyber warrior teams are struggling to maintain readiness, according to a congressional auditor.

In 2013, the Defense Department began a years-long process to stand up 133 Cyber Mission Force teams of military personnel with elite cyber training to defend critical information networks.

The department reached full operating capability before its deadline, but a Government Accountability Office audit released Wednesday found the Cyber Mission Force began experiencing training and readiness issues last year.

“As of November 2018, many of the 133 CMF teams that initially reported achieving full operational capability no longer had the full complement of trained personnel, and therefore did not meet Cyber Command’s readiness standards,” the audit said.

The audit states U.S. Cyber Command responded by beefing up its readiness procedures as the Defense Department shifted “focus from building to maintaining a trained CMF,” outsourcing foundational training responsibility to the armed services. However, GAO identified several flaws in the Pentagon’s shift in training procedures, namely that armed services’ plans are short on specifics.

For example, the Army and Air Force “do not have time frames for required validation of foundational courses” to Cyber Command’s standards.

“Further, services' plans do not include all CMF training requirements, such as the numbers of personnel that need to be trained,” the audit states. “Also, Cyber Command does not have a plan to establish required independent assessors to ensure the consistency of collective CMF training.”

The audit also found that from 2013 to 2018, CMF personnel made 700 exemption requests from training based on their previous experience, with 85 percent of those personnel receiving at least one course exemption. Yet the audit states Cyber Command “has not established training task lists for foundational training courses,” suggesting a haphazard approach to granting course exemptions.

“The services need these task lists to prepare appropriate course equivalency standards,” the audit states.

To remedy training and readiness issues, GAO made eight recommendations. They include that the Army and Air Force identify time frames for validating foundational CMF courses and that the military services develop CMF training plans with specific personnel requirements. The Defense Department agreed with all eight recommendations.