The U.S. Defense Department struggles to outline cybersecurity requirements in contracts for weapon systems, though the department has made important strides to improve those platforms’ cyber protections, a congressional watchdog announced Thursday.
In a new report released on Thursday, the U.S. Government Accountability Office (GAO) said the Department of Defense fails to communicate clear cybersecurity guidelines to contractors tasked with building systems for its weapons programs.
A report on five major weapon platforms across the military services found better security measures than in 2018, when the Government Accountability Office’s last review said cybersecurity practices for the weapons were inadequate.
As part of its so-called congressional watchdog duties, the GAO found that Defense Department weapons programs are failing to consistently incorporate cybersecurity requirements into contract language.
Still, the GAO found security gaps in the acquisition process, with three of five programs reviewed lacking any cybersecurity requirements in their contract awards. The Air Force was the only service with broad guidance to define cybersecurity requirements and incorporate them in contracts.
The Defense Department has a vast network of sophisticated weapons systems that need to withstand cyberattacks in order to function when required. But the DOD also has a documented history of finding mission-critical security vulnerabilities within those programs due to what the GAO says is a lack of focus on weapon systems cybersecurity.
A GAO report from 2018 found that the DOD has historically focused its cybersecurity efforts on protecting networks and traditional IT systems. Since that report, the DOD has reportedly taken steps to make its network of high-tech weapon systems less vulnerable to cyberattacks.
“As we reported in 2018, DOD had not prioritized weapon systems cybersecurity until recently, and was still determining how best to address it during the acquisition process,” the report stated. “The department had historically focused its cybersecurity efforts on protecting networks and traditional IT systems, but not weapon systems, and key acquisition and requirements policies did not focus on cybersecurity. As a result, DOD likely designed and built many systems without adequate cybersecurity.”