GAO Flags Inadequate Cybersecurity Measures in DOD’s Weapon Programs
The report specifically looked at the cyber posture of a radar program, an anti-jammer, a ship, a ground vehicle and a missile.
GAO found that while these programs demonstrated better security measures over the past three years, there were still some security gaps in their acquisition process, C4ISRNET reported.
The government watchdog reported that three of the five programs had no cybersecurity requirements in their contract awards at all.
To cover these security gaps, GAO recommended that other military branches adopt the Air Force’s approach of outlining service-wide cybersecurity requirements for acquisitions.
The Army, Navy and Marine Corps were specifically advised to develop guidance for acquisition programs in order to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria and verification processes into contracts.
The DOD partially agreed with the recommendation, noting that it would be better for the Marine Corps and the Navy to merge their efforts since they operate under the same acquisition structure.
GAO also reported that DOD failed to define ways to verify cybersecurity requirements in some of the programs. Certain programs also need to clearly define the cybersecurity activities that would lead to the acceptance or rejection of a system.
In terms of improvements, GAO noted that the programs now had greater access to cyber expertise. The programs also showed better use of cyber assessments and additional cybersecurity guidance.