Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Air Force Only Service to Develop Cybersecurity Requirements for Weapon Systems Contracts, GAO Says

The audit found the Defense Department has improved weapon systems cybersecurity in recent years, but detailed requirements must make it into contracts.

Despite the Defense Department’s ongoing efforts to build networked weapon systems heavily dependent on software and information technologies, the military service branches have not all issued clear guidance describing how acquisition officials should incorporate cybersecurity requirements into contracts for these systems.  

Of the four services, the Air Force is the only branch to have issued servicewide guidance for defining and incorporating cybersecurity requirements into contracts, according to a recent Government Accountability Office audit. The report builds on another audit from 2018 when GAO found DOD was in the early stages of understanding how to apply cybersecurity to weapon systems. 

While DOD has made improvements in this area since 2018—for example, by ensuring programs have access to adequate cyber expertise, increasing the use of cybersecurity assessments, and releasing more guidance—the agency is still learning how to contract for cybersecurity in weapon systems, according to the audit. 

“Current military service guidance, except for the Air Force, does not address how acquisition programs should contract for weapon systems cybersecurity requirements, acceptance criteria, and verification, which DOD and program officials told GAO would be helpful,” the audit reads. 

GAO did not include the Cybersecurity Maturity Model Certification program, or CMMC, which requires defense contractors to undergo audits by independent third parties overseen by an accreditation body to validate the security of their systems, in this review. CMMC will not apply to all contracts until 2025

The audit was released in a time of heightened cyber concerns after the SolarWinds intrusion, which affected multiple federal agencies. In a Friday webinar, House Armed Services Committee Chair Rep. Adam Smith, D-Wash., emphasized the importance of securing information systems and command and control.

“We cannot have the single points of failure, we have to be able to protect those systems,” Smith said. 

GAO reviewed five programs for the audit: a radar, an anti-jammer, a ship, a ground vehicle, and a missile. The focus of the audit was on weapon systems that include platform IT, which the report defined as hardware and software for real-time mission performance of special-purpose systems. 

The acquisition programs reviewed lacked cybersecurity requirements, or at least clear cybersecurity requirements, in contracts, according to the audit. Three of the five programs had no cybersecurity requirements in the contracts whatsoever when they were awarded. 

Even after contracts were modified post-award, some only included generic instruction to comply with DOD policy. 

“Contractors we spoke to said it is common for requests for proposals to include generic statements regarding cybersecurity, such as, ‘be cyber resilient,’or, ‘comply with [risk management framework],’” the audit reads. “The contractors said such statements do not provide enough information to determine what the government wants or how to design a system.”

None of the five contracts defined how cybersecurity requirements would be verified at the time of the award, either. Officials also said contracts usually focus on the controls programs must have rather than on establishing performance-based requirements geared toward achieving desired outcomes. 

The Air Force’s System Program Protection and Systems Security Engineering Guidebook, created by the Cyber Resiliency Office for Weapons Systems, or CROWS, was the bright spot of the audit. The guidebook consolidates DOD and Air Force guidance into a single, detailed document complete with suggestions for implementation, according to the audit. 

GAO recommended the other service branches develop cybersecurity requirements guidance for acquisition programs like the guidebook. DOD concurred with the recommendations for the Army and the Navy and asked the Marine Corps to be considered under the recommendation for the Navy. 

Advertisement. Scroll to continue reading.

Source: https://www.nextgov.com/cybersecurity/2021/03/air-force-only-service-develop-cybersecurity-requirements-weapon-systems-contracts-gao-says/172547/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

A top Defense Department official described the private sector as “absolutely essential” in implementing the agency’s new cyber strategy. A top Defense Department official...

Cyber Security

The agency is utilizing a relaunched cybersecurity coordination center and additional programs to significantly ramp up interactions with key partners, a top official said....

Cyber Security

How a cornerstone cybersecurity program has evolved from information collection to active defense. The Cybersecurity and Infrastructure Security Agency has used its Continuous Diagnostics...

Cyber Security

The nation’s cyber defense agency is building onto White House efforts to secure schools’ systems nationwide with the help of major education software companies....

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO