One thing you can say about the Defense Department’s cybersecurity efforts, they sure get a lot of oversight. The DoD office of inspector general reviewed 44 recent reports from various sources seeking to see how they all added up. For more, Federal Drive with Tom Temin turned to DoD’s assistant IG for audit of the cyberspace operations directorate, Carol Gorman.
Tom Temin: Ms. Gorman, good to have you on.
Carol Gorman: Well thank you. I appreciate the opportunity to discuss our report.
Tom Temin: Alright, give us a quick summary. There are 44 reports that have come in in just a short timeframe. Tell us about these reports. Where’d they come from and what did they generally do and say?
Carol Gorman: Sure. So the report was issued in December 2020 and it summarizes the results of the 44 cybersecurity related reports that were issued not only by the DoD OIG, but we also include the other DoD oversight organizations, such as the Government Accountability Office, and the military service audit agencies. The report, in addition to summarizing the results of those 44 reports, also includes and highlights open cybersecurity related recommendations, both those that were carried forward from the prior year, plus new recommendations issued through the end of the reporting period, which was June 30, 2020.
Tom Temin: And there are a lot of recommendations, right? This isn’t five or six things they need to do, but there’s pretty good volume there, correct?
Carol Gorman: Yes. During the reporting period, there were 656 total open recommendations, of which the department closed 197 during that period. For example, they closed a number of the recommendations from one of our FY 2019 reports on the Navy concerning the process to verify that its contractors were requiring them to use multifactor authentication.
Tom Temin: So about one in seven, one in six, of the recommendations in that time period, they actually got accomplished.
Carol Gorman: Right. And at the end of the time period there were 459 recommendations that remained open, the majority of which are from reports issued in 2019 and 2020. But there are some that are older; the oldest, I believe, goes back to 2011. We actually include an aging chart in the report that shows in columns how old the recommendations are.
Tom Temin: And let me ask this, are there any recommendations that get so old that they become irrelevant or obsolete, maybe because of changing technologies, or they replaced that system in the meantime?
Carol Gorman: That does happen at times, but the oversight organizations follow up continuously on these recommendations, so if that were to happen it should fall off the list. So these are primarily recommendations for which we’re still discussing corrective action with the department.
Tom Temin: And do these recommendations and these open ticket items, I guess you could call them, do they cluster in any particular area of DoD, such as one of the armed services or one of the agencies? Or are they pretty much across the board?
Carol Gorman: They’re across the board with respect to the oversight organizations. We do group the recommendations and the findings from the reports that we discuss into categories. So the categories are different controls that are enacted within the DoD to protect data, to protect the systems and the networks. And generally, the findings and the recommendations are grouped primarily in the same category. So for example, governance had the most reports; the most recommendations fell within that category.
Tom Temin: Sure. And we should point out too, and correct me if I’m wrong, though, that these recommendations do map back eventually to the NIST cybersecurity framework functions and categories.
Carol Gorman: Yes, it does. And that’s what the categories I was talking about are, with governance. And so there are 23 categories within the NIST framework. And so we do group our findings and our recommendations within those 23 categories, because it gives a better reflection to the department and to us as well on where the deficiencies are.
Tom Temin: There’s a statement I wanted to ask you about in there, and I think you’ve started to address this: “These risks generally occurred because DoD officials did not establish policies and procedures to implement standards or effectively implement the necessary controls in accordance with DoD guidance.” That sounds like the governance question and kind of reminds me of what they say about swimming pools and children: if everybody’s watching, nobody’s watching.
Carol Gorman: Right. I think the main takeaway is that the department continues to be challenged implementing some of the basic cybersecurity controls, which would be policies and procedures across the department. And historically, in previous reports, we’ve found that department officials have not followed those established policies and procedures and issued implementing guidance to meet minimum cybersecurity standards, or taken the necessary actions to remediate or mitigate risks and vulnerabilities.
Tom Temin: And so did you have recommendations in your report summarizing all this, or simply to say, hey, get after these 459 open ticket items?
Carol Gorman: That’s what we do. We don’t issue new recommendations in our summaries. Instead, we bring up how many of the recommendations have continued to be open over the past couple of years and during the reporting period.
Tom Temin: And by the way, also, this report covers classified and unclassified systems too?
Carol Gorman: Yes, we actually have a classified annex that we issue separately, and we do that so that we can issue the bigger unclassified portion of the report on our webpage.
Tom Temin: And what is the DoD reaction to this report? Because coming from the inspector general’s office, it has some weight.
Carol Gorman: Right. And this is the 20th year, I believe, that we’ve issued an annual report summarizing the cybersecurity findings and recommendations. And I’m going to date myself here, but back when we issued hardcopy reports, we did get a lot of interaction, because we would issue 30 reports to the department and what would happen is that other officials within the department would find out about it and we’d actually get directly contacted and asked, can we have another 10 copies of the report. So with it now being on our website, we don’t get that direct interaction, because anyone can go pick up a copy of the report and print it out or read it online. But I would say that the feedback we got in the past was that they use our report to give some indication of best practices, lessons learned and issues to highlight in their particular part of the organization, whether we included them as one of the oddities or not in any of the reports.
Tom Temin: And one of the issues that DoD also struggles with is financial statements and financial management. Is there a crossover between their financial systems, their ability to manage those, and their cybersecurity challenges?
Carol Gorman: So one of the additions to the cybersecurity summary report, and this is the second time we have done so, is to also identify the number of outstanding information technology related recommendations that are made in conjunction with the annual audits of the DoD financial statements. So those recommendations are specific to the adequacy of the data used to support the DoD financial statements, which of course is critical to the reporting process. We don’t necessarily track when those are closed; we just report how many recommendations were associated with the previous year’s financial statements and their notices of findings and recommendations. But bottom line is, the lack of effective controls over the financial systems can impact the DoD financial management process, as well as increase overall risk to the DoD network.
Tom Temin: Summarizing all of this, looking at the open recommendations, the age of some of them and the fact that they’re scattered across the board, is it your impression that DoD has some fairly urgent work to do in buttoning up cybersecurity?
Carol Gorman: Well, cybersecurity continues to evolve and bad actors continue to evolve their methods. And so yes, it’s important to close and take corrective actions on the 479 remaining open recommendations. One of the other things that we see, and that we can benefit from in this report, is that we also can see what we’ve spent the most time auditing, and it can identify some gaps in coverage. So we use it as well to help formulate our follow-on audit planning process, so that we can cover some of these categories that haven’t been covered in the recent past.
Tom Temin: Carol Gorman is Assistant Inspector General for the Audit of Cyberspace Operations Directorate at the Defense Department Office of the Inspector General. Thanks so much for joining me.
Carol Gorman: You’re welcome, thank you.