DOD Failing to Fix Critical Cybersecurity Gaps, Report Says – Source: www.databreachtoday.com

Governance & Risk Management
,
Government
,
Industry Specific

GAO: Department Lacks Cybersecurity Strategies for Major Business IT Programs

Chris Riotta (@chrisriotta) •
July 15, 2024    

The U.S. Department of Defense still hasn’t addressed a series of critical cybersecurity gaps in its information technology business programs – two years after a government watchdog agency first urged the department to develop security strategies for each program.

See Also: Reducing Complexity in Healthcare IT

DOD officials told the Government Accountability Office in June 2022 that they were addressing IT programs across the department that lacked cybersecurity strategies. But a new GAO report indicates that the DOD still hasn’t adopted an approved cybersecurity strategy for 10 of the department’s major IT business programs.

The GAO’s annual assessment of the Pentagon’s IT systems published Thursday says additional cybersecurity and reporting gaps exist across the department, including failures to track progress in software development and inadequate metrics for customer satisfaction. Program officials told the GAO they face significant challenges in establishing enhanced software development and cybersecurity processes, from leadership and staff turnover to unclear requirements and insufficient resources.

“DOD’s efforts to develop an action plan to address high-risk areas had stalled since 2021,” the report says, adding that the department’s efforts to modernize its business systems have been on the GAO’s high-risk list since 1995 “in part due to long-standing challenges that the department faces in meeting cost, schedule and performance commitments, including for its major IT programs.”

The Defense Department detailed “a revised approach” for ongoing efforts to address its high-risk areas for business systems modernization in September 2023, according to the report, but the department had not implemented 22 GAO recommendations as of March. Several programs within the department do not meet the minimum required operational performance metrics in their reporting to the Federal IT Dashboard, a publicly accessible platform that provides information on major federal IT investments, the GAO said.

The programs in question include critical IT investments, such as the DOD’s Defense Travel System, an electronic procurement system used by the U.S. Navy, a global combat support system for the U.S. Marine Corps, and a Naval Air Systems Command Aviation Logistics Environment platform. The DOD is also investing in modernizing IT business platforms such as the department’s healthcare management system and joint operational medicine information platform.

The GAO assesses the DOD’s IT systems annually to help the department identify security weaknesses and ensure compliance with federal cybersecurity standards. The Defense Department has spent – or planned to spend – an estimated $9.1 billion on IT business programs from fiscal year 2022 to 2024, according to the latest available data.

The DOD’s Office of the CIO acknowledged the continued challenges identified in the report and said the department is aiming to ensure full reporting by each program when it submits the fiscal year 2025 data.

The DOD did not immediately respond to a request for comment. Lawmakers urged the department to further pursue a multi-vendor technology strategy in June, just as the department announced plans to further invest in Microsoft products despite a series of high-profile cybersecurity incidents affecting the tech giant (see: Lawmakers Urge Pentagon to Diversify Cybersecurity Vendors).