DoD lacks ‘Key’ security measures for their Weapons program

Vraj Patel
2 min read · Mar 7, 2021

Governmental organizations continue to play catch-up on cybersecurity in a world that has already moved into the next technological wave. Weapons programs at the DoD are falling short when it comes to incorporating cybersecurity measures, a watchdog report points out.

While the department has introduced a range of policies aimed at tighter security, it still lacks guidance on contracts for procuring weapons.

The division, which has a history of poor oversight and insufficient auditing, is responsible for awarding contracts to manufacturers, large and small, to supply weapons. The government spends billions of dollars on weapons every year, and according to the U.S. Government Accountability Office (GAO), about 60% of the contracts reviewed included no cybersecurity requirements at all.

The GAO is an agency that works for Congress and acts as a third-party auditor of federal organizations. It has previously noted that “inclusion of cybersecurity measures in the contracts is a key”: under auditing norms, a contractor cannot be found non-compliant with a requirement that was never written into the contract guidance or stipulations. The GAO therefore recommends that cybersecurity measures be included in the acquisition requirements and in the contract agreements themselves, so that compliance can actually be enforced.

Where cybersecurity requirements do appear, they are few and insufficient. Like any other contract norm, the requirements should state clearly which terms the agency (i.e., DoD) considers satisfactory, the acceptance and rejection criteria, how DoD will periodically verify that the requirements are met, and how any deficiencies are to be remedied.

Another issue is that the contracts do not identify measures for verifying that security requirements are met.

“For example, one of the programs had a cybersecurity strategy that identified the [risk-management framework] RMF categorization and described how the program would select security controls,” according to the GAO’s report. “However, when the contract was awarded, it did not include cybersecurity requirements in the statement of work, the system specification or the contract deliverables.”

Brandon Hoffman, CISO at Netenrich, said it is “stunning” that at this point, cybersecurity requirements are largely not part of the government’s weapons-systems contracts.

“It is equally hard to consider why cybersecurity would not be critical to the acquisition of a weapons system,” Hoffman told Threatpost. “Thinking about the potential damage that could be done with unauthorized access to networks related to weapons systems, for actual human life or the loss of IP/military advantage, these contracts should absolutely have strict cyber-requirements.”

Moving forward, the GAO made three recommendations, each suggesting that the Army, Navy and Marine Corps provide better guidance on how programs should incorporate tailored cybersecurity requirements into contracts.

“DoD concurred with two recommendations, and stated that the third — to the Marine Corps — should be merged with the one to the Navy,” according to the GAO. “DoD’s response aligns with the intent of the recommendation.”

Government cybersecurity measures have been under scrutiny, particularly over the past few months after the sprawling SolarWinds cyberespionage campaign hit various U.S. government agencies and others hard.
