The Department of Defense (DoD) has improved its cybersecurity efforts since 2018, but still lacks clear cybersecurity guidelines in acquisition program contracts, a recent Government Accountability Office (GAO) report said.
“GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria, or verification processes,” the report said. “For example, GAO found that contracts for three of the five programs did not include any cybersecurity requirements when they were awarded.”
According to the report, DoD guidance states that cybersecurity requirements should be treated as any other requirement and “if it is not in the contract, do not expect to get it.”
To address the gap, GAO recommended that the secretaries of the Army and the Navy each develop guidance on how to incorporate “cybersecurity requirements, acceptance criteria, and verification processes into contracts.” GAO also recommended that the secretary of the Navy ensure the Marine Corps develops its own cybersecurity guidance for acquisition programs.
DoD agreed with GAO’s recommendations for the Army and Navy and partially agreed with the recommendation specific to the Marine Corps “due to Marine Corps and Navy operating under the same acquisition policies in alignment with the adaptive acquisition framework,” said Katie Arrington, DoD’s CISO for acquisition and sustainment.
However, the report also noted that DoD’s cybersecurity efforts have improved since 2018, when GAO reported the DoD was “routinely finding cyber vulnerabilities late in its development process.”
Areas of improvement for DoD included increased access to cybersecurity expertise, enhanced cyber testing, and additional guidance. GAO also found that DoD was conducting more cybersecurity testing during development than it had in the past.