A U.S. Department of Defense (DoD) audit report found that the defense agency along with the Department of Homeland Security (DHS) failed to plan and execute activities to implement the memorandums between the two agencies, regarding cybersecurity and cyberspace operations and critical infrastructure environments.
The DoD’s Office of Inspector General conducted the audit in coordination with the DHS Office of Inspector General, which in turn carried out a simultaneous inspection of the DHS activities taken to implement the memorandums, according to the audit report. The DHS Office of Inspector General expects to issue a final report this year, with findings and recommendations specific to the DHS.
Since September 2010, the DoD and the DHS have signed three interdepartmental memorandums to define the terms by which the DoD and the DHS will collaborate to respond to and deter cyber threats to the U.S. and its critical infrastructure environments, which includes systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those.
The overall intent of the memorandums was to increase interdepartmental collaboration in strategic planning for national cybersecurity, mutual support for the development of cybersecurity capabilities, and coordination of operational cybersecurity mission activities, and to develop a cyber action plan and clarify each department’s roles and responsibilities.
In October 2018, the secretaries of Defense and Homeland Security signed a memorandum to clarify the roles and responsibilities between the DoD and DHS for enhancing the U.S. Government’s readiness to respond to cyber threats
The inspector general’s report released this week determined that the DoD officials executed some activities to implement the 2018 memorandum, such as developing policy memorandums and participating in interagency meetings with DHS officials. However, the Cyber Protection and Defense Steering Group (CPD SG) has not developed an implementation plan with milestones and completion deadlines to ensure all activities to implement the 2018 memorandum are executed.
The co-chairs of the CPD SG stated that they did not develop an implementation plan because they did not intend for the 2018 memorandum to serve as a contractual agreement, according to the inspector general’s report. Instead, the DoD CPD SG co-chairs stated the 2018 memorandum was developed to promote engagement between the DoD and DHS and define common areas of interest for collaboration.
As there is no clear implementation plan that defined roles and responsibilities and identifies milestones and completion dates, the DoD may not be able to sustain collaboration with the DHS in protecting the nation’s critical infrastructure environments, according to the audit report.
“Specific to the 2018 memorandum, the lack of an implementation plan could result in DoD officials not providing the level of assistance to the DHS needed for the DoD and the DHS to conduct joint operations to protect critical infrastructure; support state, local, tribal, and territorial governments; and jointly defend military and civilian networks from cyber threats,” according to the audit report.
In addition, the 2018 memorandum stated that the DoD is responsible for supporting efforts to protect defense critical infrastructure and defense industrial base networks and systems from malicious cyber activity that could undermine U.S. military strength. It also established six lines of effort (LOEs) to secure, protect, and defend the U.S. with a focus on cooperation and collaboration between the DoD and the DHS.
In 2020, multiple federal agencies and the private sector were compromised by malicious actors using a trusted source, SolarWinds Orion. Although the SolarWinds Orion compromise was not related to the lack of an implementation plan, the compromise continues to show the importance of the DoD’s and DHS’s ability to respond to any and all cyber threats, which would be significantly improved by implementing a plan to accomplish shared goals in the 2018 joint memorandum.
The inspector general’s report recommends that the deputy secretary of defense and the chairman of the joint chiefs of staff direct the DoD co-chairs of the joint DoD-DHS CPD SG to work with the DHS co-chair to develop and approve plans of action and milestones for each line of effort, and track activities executed and identify gaps that limit the DoD and DHS in fully implementing all lines of effort in the 2018 memorandum.
The inspector general’s report stated that the Deputy Secretary of Defense agreed with the recommendations to develop plans of action and milestones for the 2018 memorandum’s lines of effort and track all collaborative activities related to protecting and defending critical infrastructure environments, gaps identified, and areas requiring improvements.
The vice director of the Joint Staff, responding for the chairman of the Joint Chiefs of Staff, disagreed with the recommendation to develop plans of action and milestones for the 2018 memorandum’s lines of effort and did not address the specifics of the other recommendation to track activities and identify gaps in fully implementing the 2018 memorandum.
However, the vice director stated that the Joint Staff planned to convene the CPD SG and achieve interdepartmental consensus on the best way to address the DoD Office of Inspector General’s concerns, the audit report stated. Therefore, “we consider the planned actions by the Deputy Secretary of Defense and the Joint Staff sufficient to resolve the recommendations. We will close the recommendations once we verify that the action is complete,” it added.
Another audit carried out by the Office of Inspector General at the DHS found that the agency had made limited progress implementing the continuous diagnostics and mitigation (CDM) program, which helps agencies monitor and manage cybersecurity vulnerabilities.
“As of March 2020, DHS had developed an internal CDM dashboard, but reported less than half of the required asset management data. Efforts were still underway to automate and integrate the data collection process among components so DHS could report additional data, as required, the Office of Inspector General of the DHS said in its audit report. “DHS now needs to upgrade its dashboard to ensure sufficient processing capacity for component data. Until these capabilities are complete, the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time,” it added.