Missile Defense Agency

MDA Adopting New Cybersecurity Testing Approach, GAO Says

The Missile Defense Agency has begun implementing a new approach to improving cyber system requirements while streamlining test planning, according to the Government Accountability Office.

MDA officials said the new approach replaces the 17 planned cybersecurity operational assessments that it decided to cancel for fiscal year 2020. The new method needs to be fully implemented before its effectiveness can be evaluated, GAO said in a Jan. 28 report.

The watchdog noted that MDA had failed to conduct assessments since 2017 to discover cybersecurity weaknesses and potential attack routes. GAO said the shortcoming is “representative of a broader MDA cybersecurity development issue.”

The scrapped assessments included element-level cooperative assessments, which are concerned with a systems’ resilience during operations, and adversarial assessments, which are related to the operational impact of potential cyber attacks.

Agency officials explained that the information that would have been gained from the planned tests was not needed.

MDA conducted its largest combined cooperative cyber assessment in fiscal year 2019 but failed to meet its testing goals, GAO added.

For future assessments, MDA said it will use the same process it uses for flight and ground tests. Stakeholders will provide input to inform the cyber test requirements, which will drive the testing for each new capability, MDA said.

GAO said it did not make any recommendations in the report, adding that it has provided a draft to the Department of Defense.

The report also included information on MDA’s progress in delivering missile interceptors for individual systems, conducting planned flight tests and implementing a new ground testing approach.