DOD Must Enhance Cyber Incident Reporting and Sharing, Watchdog Says

Although the Defense Department has taken steps in recent years to successfully mitigate cybersecurity threats to the military’s information systems, it must do a better job of managing and fully implementing its incident sharing processes, according to a report released by the Government Accountability Office on Monday. 

Congress requested that GAO conduct an assessment of DOD’s “cyber incident management efforts” in a House report that accompanied the fiscal year 2021 National Defense Authorization Act. 

The mandated review, which was conducted from March 2021 to November 2022, surveyed 24 cybersecurity service providers—or CSSPs—that “provide cybersecurity services to DOD components.” GAO then analyzed the cyber incidents that the CSSPs identified on their networks from 2015 through 2021 and were included in DOD’s Joint Incident Management System—or JIMS—which serves as DOD’s official repository of documented cyber incidents. 

“According to data in JIMS, DOD CSSPs reported 12,077 cyber incidents affecting their networks from calendar years 2015 through 2021,” the report said. “Over this period, the incidents reported by CSSPs declined from a high of 3,880 in 2015 to 948 in 2021.”

GAO attributed the reduction in reported cyber incidents to “an increase in the department’s deployment of defense mechanisms during this time period,” noting that DOD has established two processes—”one for all incidents and one for critical incidents”—to help streamline its reporting and management efforts. Despite the decrease in reported cyber incidents, however, GAO found that DOD “has not fully implemented either process,” and that the department “lacks an accountable organization and consistent guidance to ensure complete and updated reporting of all cyber incidents.”

GAO’s review found that 91% of the JIMS cyber incident reports submitted during the analyzed time period “did not include information on the discovery date of the incident, hindering DOD’s ability to determine whether incidents were reported in JIMS in a timely manner.” Another 68% of the reports “did not include information on an incident’s delivery vector, limiting DOD’s ability to identify trends in the prevalence of various threats affecting its networks.”

“In addition to incomplete incident information, CSSPs also did not consistently notify DOD leadership of incidents that had a detrimental impact on DOD’s ability to perform its mission or availability of its networks,” the report added. “Specifically, CSSPs did not have evidence that they notified the appropriate leadership for an estimated 47 percent of the incidents they reported in calendar years 2015 through 2020.”

GAO also found that DOD “has not yet decided” whether detected cyber incidents affecting the nation’s defense industry base—which the report said “includes entities outside the federal government that provide goods or services critical to meeting U.S. military requirements”—should be shared “with all relevant stakeholders.”

“DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as [defense industry base] partners,” the report said. “Until DOD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses.”

GAO also found that reported data breaches involving personally identifiable information—or PII—“have increased by 104 percent from calendar years 2015 through 2021.” While the report noted that DOD “has established a process for determining whether to notify individuals of a breach of their personally identifiable information,” it found that the department has also “not consistently documented risk assessments or notifications of affected individuals.”

“Without documenting the notification, there is no way to verify that DOD actually informed individuals that their privacy data was potentially compromised, which could leave some affected individuals more exposed than others to identity theft,” the report noted.

GAO issued six recommendations to DOD, including that the department “assign responsibility for ensuring proper incident reporting, improve the sharing of DIB-related cyber incident information and document when affected individuals are notified of a PII breach.” DOD concurred with all six of GAO’s recommendations.