The U.S. Defense Department failed to communicate cybersecurity guidelines to the contractors tasked with building systems for its weapon programs, according to a new watchdog report released on Thursday. While the agency has developed a range of policies aimed at strengthening the security of its weapon programs, the guidance leaves out a key element: the contracts under which those weapons are built and secured.
The U.S. government awards hundreds of billions of dollars in contracts each year to manufacturers ranging from large military contractors to small businesses. In the report released on Thursday, the U.S. Government Accountability Office (GAO) said that 60 percent of the contracts it reviewed contained no cybersecurity requirements at all.
According to the GAO report, three out of the five contracts it reviewed had no cybersecurity requirements written into the contract language when they were awarded, with only vague requirements added later. The Air Force was the only service with broad guidance on defining cybersecurity requirements and incorporating them into contracts.
“Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met,” according to the GAO’s report.
The Defense Department (DOD) operates a huge network of sophisticated weapon systems that must resist cyberattacks in order to function when required. But the DOD also has a documented history of discovering mission-critical security flaws in those programs, which the GAO attributes to a lack of focus on weapon systems cybersecurity.
“As we reported in 2018, DOD had not prioritized weapon systems cybersecurity until recently, and was still determining how best to address it during the acquisition process. The department had historically focused its cybersecurity efforts on protecting networks and traditional IT systems, and key acquisition and requirements policies did not focus on cybersecurity. As a result, DOD likely designed and built many systems without adequate security,” the report read.