DOD’s Inconsistent Mitigation of Cyber Vulnerabilities Is a Waste, Pentagon’s Watchdog Says

Digital abstract Art/

Leadership promises to improve responsiveness to red-teaming efforts.

Top Defense Department officials agreed to revise a key document that would instruct department components to report their efforts to mitigate vulnerabilities cyber red teams bring to their attention, according to an inspector general report that finds the DOD’s current approach to be haphazard.   

“The Director for Joint Staff, responding for the Chairman of the Joint Chiefs of Staff, agreed to revise Chairman of the Joint Chiefs of Staff Instruction 6510.05 and Chairman of the Joint Chiefs of Staff Manual 6510.02 to include requirements for addressing DoD Cyber Red Team identified vulnerabilities and reporting actions taken to mitigate those vulnerabilities,” reads the March 13 report the IG’s office released Tuesday.

The report comes as the administration looks to improve its relationship with security researchers who voluntarily disclose vulnerabilities but want the government to be more responsive in fixing them. 

“Ensuring DoD Components mitigate vulnerabilities is essential to achieve a better return on investment,” the DOD IG wrote. 

The report is of a follow-up audit on a report from eight years ago. A summary of the 2012 report says: “DoD Cyber Red Teams did not effectively report the results of their assessments to the assessed organizations,” and focused on certifying the red teamers. 

But the prior, classified, report also noted “DoD Components did not effectively correct or mitigate Red Team-identified vulnerabilities and did not track or report the vulnerabilities on a plan of action and milestones as required by the Chairman of the Joint Chiefs of Staff Instruction 6510.01F,” according to a summary the DOD IG provided.

The March 13 report is more focused on a need for accountability of DOD components and recommends the department designate a single organization for managing the mitigation of vulnerabilities in a more strategic, risk-based way. 

“The DoD did not have an organization responsible for ensuring that DoD Components took action to manage vulnerabilities identified by DoD Cyber Red Teams and did not establish processes that held DoD Components responsible for mitigating those vulnerabilities,” the report reads.

The deputy to the principal cyber adviser, responding for the Secretary of Defense, agreed with all recommendations.

The deputy said the department would “leverage” provisions in the National Defense Authorization Act of 2020—sections 1660 and 1652—to implement the recommendations.

This would involve reviewing “the roles, responsibilities, and processes for adjudicating, disseminating, and monitoring DoD Cyber Red Team activities, and improv[ing] follow up and implementation actions to mitigate DoD Cyber Red Team findings affecting weapon systems, warfighting platforms, and defense critical infrastructure,” according to the deputy.