New GAO Report on Cyber Hygiene in DoD
The Government Accountability Office (GAO) yesterday released a new report entitled “Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene (GAO-20-241)”, accompanied by a six-minute overview podcast entitled “DoD’s Cyber Hygiene” available at the same website.
According to the GAO report, “Cyber hygiene is a set of practices for managing the most common and pervasive cybersecurity risks. The Department of Defense’s cyber hygiene is critical as threats to its information and networks increase. These efforts are incomplete—or their status is unknown because no one is in charge of reporting on progress.”
The GAO also indicated that “the Department of Defense (DOD) has not fully implemented three of its key initiatives and practices aimed at improving cyber hygiene. Carnegie-Mellon University defines cyber hygiene as a set of practices for managing the most common and pervasive cybersecurity risks. In discussions with GAO, DOD officials identified three department-wide cyber hygiene initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD's Cyber Awareness Challenge training.”
GAO concluded that “DOD has also developed lists of its adversaries’ most frequently used techniques, and practices to combat them. Yet, DOD doesn’t know the extent to which it’s using these practices…. GAO is making seven recommendations to DOD, including that cyber hygiene initiatives be fully implemented, entities are designated to monitor component completion of tasks and cyber hygiene practices, and senior DOD leaders receive information on cyber hygiene initiatives and practices.”
As a side note, in addition to the widely available DoD Cybersecurity Awareness training, DAU offers a range of cybersecurity training opportunities for members of the defense acquisition workforce, including CLE 074 Cybersecurity Throughout DoD Acquisition and CLE 080 Supply Chain Risk Management (SCRM) for Information and Communications Technology (ICT).