IG review of FISMA requirements says Pentagon lacks cybersecurity oversight

By Rick Weber / January 11, 2019 at 4:37 PM

The Defense Department's inspector general has issued a summary of past reports that includes a review of the Pentagon's implementation of the Federal Information Security Modernization Act and reiterates concerns about a lack of management oversight of cybersecurity risks.

"However, the DOD needs to continue focusing on managing cybersecurity risks related to governance, asset management, information protection processes and procedures, identity management and access control, security continuous monitoring, detection processes, and communications," the IG states in its summary, issued last week, of reports from July 2017 through June 2018.

"The largest number of weaknesses identified in this year's summary were related to governance, which allows an organization to inform its management of cybersecurity risk through the policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements," the Jan. 9 report states.

The IG warns that failure to effectively manage cybersecurity risks undermines the military's overall mission.

"Without proper governance, the DOD cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems," the summary report states. "The DOD must also ensure that cybersecurity risks are effectively managed to safeguard its reliance on cyberspace to support its operations and implement proper controls and processes where weaknesses are identified to improve the overall cybersecurity."

FISMA requires every federal agency to conduct an annual independent evaluation to determine the effectiveness of information security programs and practices, and the IG offers its summary review as meeting that independent assessment.

"We used this summary report to develop the annual DOD OIG independent evaluation and to meet the reporting requirement, which we communicated to the DOD Chief Information Officer on October 31, 2018," the report states.

"We found that DOD Components implemented many of the agreed-upon corrective actions necessary to improve system weaknesses identified in issued reports summarized in our FY 2017 cybersecurity summary report; however, recently issued cybersecurity reports indicate that the DOD still faces challenges in managing cybersecurity risk to its network," the IG concludes.