Defense Department Cyber Efforts: More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities
GAO-11-421
Published: May 20, 2011. Publicly Released: Jun 20, 2011.
Skip to Highlights
Highlights
The U.S. military depends heavily on computer networks, and potential adversaries see cyberwarfare as an opportunity to pose a significant threat at low cost---a few programmers could cripple an entire information system. The Department of Defense (DOD) created U.S. Cyber Command to counter cyber threats, and tasked the military services with providing support. GAO examined the extent to which DOD and U.S. Cyber Command have identified for the military services the (1) roles and responsibilities, (2) command and control relationships, and (3) mission requirements and capabilities to enable them to organize, train, and equip for cyberspace operations. GAO reviewed relevant plans, policies, and guidance, and interviewed key DOD and military service officials regarding cyberspace operations.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Under Secretary of Defense for Policy and the Under Secretary of Defense for Personnel and Readiness, in consultation with the DOD Office of General Counsel, to develop and publish detailed policies and guidance pertaining to categories of personnel that can conduct the various forms of cyberspace operations. | As of October 2017, DOD has not completed the DODI (see below) which would address the recommendation. As of May 2016, DOD finalized DOD Directive 8140.01 Cyber Workforce Management, which provides overarching policy guidance for the DOD cyber workforce and directs development of implementing policies. The directive however does not provide detailed guidance on personnel categories performing cyberspace operations. Additionally, DOD is in the process of finalizing DOD Instruction (DODI) 8140.aa Cyberspace Workforce Identification, Tracking, and Reporting--which is to establish DOD cyber workforce policy and procedures, assign responsibilities, and provide direction for the identification... and tracking of DOD cyber workforce positions and personnel. DOD must revise the draft DoDI 8140.aa to make it compliant with federal cyber workforce identification and coding requirements within the "Federal Cybersecurity Workforce Assessment Act of 2015" (Division N, Title III, Sections 301 - 305 of PL 114-113). DOD is coordinating with the Office of Personnel Management and the National Institute of Standards and Technology to develop the federal cyber workforce coding structure all federal agencies must follow. The department projects this DODI will be published in 2017. Lastly, the department is to begin drafting DOD cyberspace workforce qualification manuals--one for each element of the cyber workforce--to replace DOD 8570.01-M Information Assurance Workforce Improvement Program and to address the full spectrum of the cyber workforce. To support this effort, DOD has identified draft criteria for establishing standards and requirements for DOD cyber workforce qualifications. The DOD Cyber Workforce Qualifications Working Group is to leverage these criteria to begin establishing qualifications. These findings will be included in the new qualification manuals, and these manuals are intended to provide the DOD cyber workforce with a skills maturity model for career progression. Until the publication of these workforce qualification manuals, DOD 8570.01-M will remain in effect to govern qualification requirements for the information assurance (cybersecurity) workforce. DOD did not project a timeframe for the new manuals' completion.
View More |
| Department of Defense | To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Chairman of the Joint Chiefs of Staff to develop and publish authoritative and specific guidance regarding the supporting and supported command and control relationships between U.S. Cyber Command and the geographic combatant commands for cyberspace operations. | DOD has taken a number of actions in response to this recommendation. In May 2012, the Joint Staff obtained Secretary of Defense approval on its Transitional Cyberspace Operations Command and Control Concept of Operations (CONOPS). As directed in the Concept of Operations, the Combatant Commands implemented the transitional command and control model and over the following year, the Joint Staff partnered with the U.S. Strategic Command, the U.S. Cyber Command, other Combatant Commands, Services and DoD Agencies to evaluate the transitional model and develop a more enduring cyberspace operations command and control framework. In June 2013, the Chairman issued the "Execute Order to...
|
| Department of Defense | To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Commander, U.S. Strategic Command, in conjunction with U.S. Cyber Command, to develop and publish authoritative and specific guidance regarding the mission requirements and capabilities, including skill sets, that the services should meet to provide long-term operational support to U.S. Cyber Command. | DOD has taken a number of actions to address this recommendation. As of July 2015, U.S. Cyber Command has developed joint training and assessment standards for individual and collective training specific to its Cyber Mission Force teams across three primary documents. These documents provide specific guidance on and assist the Services in identifying the necessary mission requirements and skill sets of its personnel assigned to Cyber Mission Force teams and are as follows: 1) Joint Cyberspace Training and Certification Standards which encompasses standardized joint procedures, guidelines, and standards for individual, staff, and collective training across all four phases of the Joint...
|
Full Report
Public Inquiries
Topics
Classified defense informationComputer networksConcept of operationsDefense capabilitiesDefense contingency planningMilitary cost controlMilitary operationsMilitary trainingNational defense operationsCyberspace operations