In a new report released Thursday, the U.S. Government Accountability Office (GAO) said the Department of Defense fails to communicate clear cybersecurity guidelines to contractors tasked with building systems for its weapons programs.
As part of its so called congressional watchdog duties, the GAO found that Defense Department weapons programs are failing to consistently incorporate cybersecurity requirements into contract language.
For instance, three out of five contracts reviewed by the GAO had no cybersecurity requirements written into the contract language when they were awarded, with only vague requirements added later. And out of the four military service branches, only the Air Force has a record of issuing service-wide guidance on cybersecurity requirements in contracts.
The GAO points out that the lack of clear cybersecurity guidance is problematic because defense contractors are only responsible for meeting terms that are written into a contract. In other words, if it's not in the contract, it's not getting built into the system.
As part of its recommendations, the GAO said that tailored cybersecurity requirements must be clearly defined in acquisition program contracts. The GAO also said the Defense Department should establish criteria for accepting or rejecting contracted work and for how the government will verify that requirements were met.
The Defense Department has a vast network of sophisticated weapons systems that need to withstand cyberattacks in order to function when required. But the DOD also has a documented history of finding mission critical security vulnerabilities within those programs due to what the GAO says is a lack of focus on weapon systems cybersecurity.
A GAO report from 2018 found that the DOD has historically focused its cybersecurity efforts on protecting networks and traditional IT systems. Since that report, the DOD has reportedly taken steps to make its network of high-tech weapon systems less vulnerable to cyberattacks.
"As we reported in 2018, DOD had not prioritized weapon systems cybersecurity until recently, and was still determining how best to address it during the acquisition process," the report stated. "The department had historically focused its cybersecurity efforts on protecting networks and traditional IT systems, but not weapon systems, and key acquisition and requirements policies did not focus on cybersecurity. As a result, DOD likely designed and built many systems without adequate cybersecurity."