The Defense Department and Armed Forces have made progress the past few years in several areas to improve the cyber security of weapon systems but weaknesses remain, and in acquisition programs reviewed during a recent government audit, cyber security requirements didn't exist or weren't clear in contracts.
"The government is less likely to get what it wants if it omits all or part of its cybersecurity requirements," the Government Accountability Office (GAO) says in a report issued March 4.
Of five acquisition programs reviewed–a radar, an anti-jammer, a ship, a ground vehicle, and a missile–three didn't have cyber security requirements at the time of award and three were modified post-award to add requirements, says the 40-page report, Weapon Systems Cybersecurity: Guidance Would Help DoD Programs Better Communicate Requirements to Contractors (GAO-21-179).
None of the programs reviewed included acceptance criteria in contracts for meeting cyber security requirements in terms of performance-based requirements.
"Officials from one program office said they attempted to use performance-based requirements, but could not agree to terms with the contractor," GAO says. "DoD and contractor officials said that many contract requirements focus on cybersecurity controls the system must have as opposed to desired outcomes such as preventing unauthorized users from accessing the system. However, as we have previously reported, the application of controls does not mean that the system is secure."
Additional concerns raised in the report include a complete lack of demonstrating how contracted cyber security requirements would be met, inserting cyber requirements in a contract is challenging and that programs would benefit from better department-level guidance about acceptable risks, and the military services with the exception of the Air Force don't provide guidance on cyber security requirements.
"Army regulation, updated with major revisions in 2019, directs senior leaders to integrate cybersecurity in acquisitions and to ensure that contracts include specific requirements to provide cybersecurity for Army IT, including weapon systems," GAO says. "However, the regulation provides no further detail on how to do so."
Progress in recent years has been made in four areas, including "greater access to cyber expertise, increased use of cyber assessments, better tailoring of security controls, and additional cybersecurity guidance," the report says.
GAO cites a 2019 report by the DoD Office of the Director, Operational Test and Evaluation "that there is a widening gap in capabilities between DoD's cyber test teams and nation-state threats," but notes that the program officials interviewed in its audit said "they had adequate access to cybersecurity expertise despite some challenges hiring and retaining cybersecurity personnel."
A 2018 report by the GAO highlighted a lack of cyber security assessments of weapon systems at the time, and then when problems were discovered it was late in development when it is more costly to fix. The new report says that all the programs reviewed had done or were planning to do cyber security assessments throughout the acquisition process, including during various stages of testing.
"The increased use of cybersecurity assessments is a positive development and may help programs identify vulnerabilities earlier," GAO says. "However, the existence of the assessments alone does not guarantee better outcomes. For example, we previously found that in some systems, the same vulnerabilities were found in multiple rounds of testing, and had gone unaddressed after they were first discovered."