DOD lags in implementing the Cybersecurity Information Sharing Act
- By Adam Mazmanian
- Nov 13, 2018
Congress passed landmark cybersecurity legislation in late 2015, but the Pentagon hasn't done much to put the law in play, according to a watchdog report.
The Cybersecurity Information Sharing Act required Defense Department component agencies to come up with plans and procedures for sharing threat indicators with civilian and non-governmental entities.
A Nov. 8 report by the Department of Defense Office of Inspector General focused on CISA implementation by the National Security Agency, the Defense Information Systems Agency, Cyber Command and the DOD Cyber Crime Center, known as DC3.
The report concluded that the uneven and inconsistent implementation of CISA requirements was due to the lack of a DOD-wide policy from the CIO.
"As a result, the DOD limited its ability to gain a more complete understanding of cybersecurity threats since it did not fully leverage the collective knowledge and capabilities of sharing entities, or disseminate internally generated cyber threat indicators and defensive measures with other federal and non‑federal entities," the report stated.
DISA and Cyber Command lacked policies for sharing cyber threat indicators, while DC3 wasn't always checking on whether it was sharing cyber threat indicators with cleared private-sector personnel via the secret DIBNet-U portal that hosts information on Defense Industrial Base companies.
The report also mentioned that NSA can't receive cyber threat indicators or defensive measures via the Department of Homeland Security's Automated Information System "due to internal NSA storing procedures." AIS is a machine-to-machine capability that relies on structured data specifications and protocols for participants to share information.
The report has been redacted at key points, so the IG's exact recommendations for DISA, CyberCom, DC3 and NSA were not revealed. The report did indicate that so far the NSA has yet to respond and urged the agency to comment on the recommendations.
The report also recommended that the DOD CIO issue departmentwide policy to implement CISA requirements, including the requirement that defense agencies "document barriers to sharing cyber threat indicators and defensive measures and take appropriate actions to mitigate the identified barriers."
DOD Principal Deputy CIO Essye Miller agreed with the recommendations. Responses from DISA and Cyber Command were almost completely redacted.
Adam Mazmanian is executive editor of FCW.
Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.