The Department of Defense should improve its reporting of cybersecurity incidents involving it and the nation’s defense industrial base, the U.S. Government Accountability Office said in a report issued Monday.
The GAO report said the Department of Defense and the defense industrial base are dependent on information systems to carry out their operations, but these systems continue to be the target of cyberattacks, with the DOD experiencing more than 12,000 cyber incidents since 2015.
But while the DOD has established two processes for managing cyber incidents, one for all incidents and one for critical incidents, it has not fully implemented either, it said.
Despite a reduction in the number of incidents from 3,880 in 2015 to 948 in 2021, reporting weaknesses remain, the study says. For instance, the system often contains incomplete information, and the DOD cannot always demonstrate it has notified appropriate leadership of relevant critical incidents.
This is in part because the DOD is not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, the report says.
The report’s recommendations include that the Secretary of Defense assign responsibility for overseeing cyber incident reporting and leadership notification and ensuring policy compliance.
In September, the GAO said in a report that the National Nuclear Security Administration and its contractors have not fully implemented recommended cybersecurity measures and oversight of subcontractors’ cybersecurity is “inconsistent.”