2020-04-14
GAO Report: Department of Defense Needs to Renew Focus on Cyber Hygiene
A report from the US Government Accountability Office (GAO) says that the Department of Defense (DoD) has either abandoned or stopped keeping track of many of the cyber hygiene goals the agency set for itself in 2015. GAO makes seven recommendations for DoD, several of which focus on assigning responsibility for implementation of cyber hygiene tasks.
Editor's Note
One line in this 54-page report captures the glaring problem: "The department does not know the extent that cyber hygiene practices have been implemented to protect DOD networks from key cyberattack techniques." Importantly, DoD CIOs stated they did not know they were responsible for implementing and monitoring the key Cybersecurity Culture and Compliance Initiatives (DC3I). One reason for this: the report notes that in December 2016, the DoD moved responsibility for DC3I implementation and oversight from the US Cyber Command to the DoD CIO office as part of implementing the November 2014 DOD Directive 5144.02 that said the DoD CIO office had overall cybersecurity responsibility. While I think there has been a lot of progress at the DoD working levels, it looks like over the transition of Presidential administrations, the transition of responsibility for DoD cybersecurity at the top didn't happen.

John Pescatore
Read more in
Wired: The Pentagon Hasn't Fixed Basic Cybersecurity Blind Spots
Fifth Domain: Watchdog finds the Pentagon is behind on several cybersecurity initiatives
MeriTalk: GAO Rakes DoD Over Cyber Hygiene Implementation
GAO: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene (Highlights) (PDF)
GAO: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene (PDF)