DOD lags in implementing the Cybersecurity Information Sharing Act
Congress passed landmark cybersecurity legislation in late 2015, but Pentagon agencies have a spotty record of implementation, according to a watchdog report.
Congress passed landmark cybersecurity legislation in late 2015, but the Pentagon has done little to put the law into practice, according to a watchdog report.
The Cybersecurity Information Sharing Act required Defense Department component agencies to come up with plans and procedures for sharing threat indicators with civilian and non-governmental entities.
A Nov. 8 report by the Department of Defense Office of Inspector General focused on CISA implementation by the National Security Agency, the Defense Information Systems Agency, Cyber Command and the DOD Cyber Crime Center, known as DC3.
The report concluded that the uneven and inconsistent implementation of CISA requirements was due to the lack of a DOD-wide policy from the CIO.
"As a result, the DOD limited its ability to gain a more complete understanding of cybersecurity threats since it did not fully leverage the collective knowledge and capabilities of sharing entities, or disseminate internally generated cyber threat indicators and defensive measures with other federal and non-federal entities," the report stated.
DISA and Cyber Command lacked policies for sharing cyber threat indicators, while DC3 was not consistently verifying whether it was sharing cyber threat indicators with cleared private-sector personnel via DIBNet-U, the unclassified portal of the network that hosts information for Defense Industrial Base companies.
The report also noted that NSA cannot receive cyber threat indicators or defensive measures via the Department of Homeland Security's Automated Indicator Sharing capability "due to internal NSA storing procedures." AIS is a machine-to-machine capability that relies on structured data specifications and exchange protocols (the STIX and TAXII standards) so that participants can share indicators without manual handling.
The report has been redacted at key points, so the IG's exact recommendations for DISA, CyberCom, DC3 and NSA were not disclosed. The report did indicate that NSA had not yet responded and urged the agency to comment on the recommendations.
The report also recommended that the DOD CIO issue departmentwide policy to implement CISA requirements, including the requirement that defense agencies "document barriers to sharing cyber threat indicators and defensive measures and take appropriate actions to mitigate the identified barriers."
DOD Principal Deputy CIO Essye Miller agreed with the recommendations. Responses from DISA and Cyber Command were almost completely redacted.