Defense Department Cyber Efforts:
More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities
GAO-11-421: Published: May 20, 2011. Publicly Released: Jun 20, 2011.
The U.S. military depends heavily on computer networks, and potential adversaries see cyberwarfare as an opportunity to pose a significant threat at low cost---a few programmers could cripple an entire information system. The Department of Defense (DOD) created U.S. Cyber Command to counter cyber threats, and tasked the military services with providing support. GAO examined the extent to which DOD and U.S. Cyber Command have identified for the military services the (1) roles and responsibilities, (2) command and control relationships, and (3) mission requirements and capabilities to enable them to organize, train, and equip for cyberspace operations. GAO reviewed relevant plans, policies, and guidance, and interviewed key DOD and military service officials regarding cyberspace operations.
DOD and U.S. Cyber Command have made progress in identifying the roles and responsibilities of the organizations that support DOD cyberspace operations, but additional detail and clarity is needed. GAO's analysis of U.S. Cyber Command's November 2010 Concept of Operations showed that it generally meets joint guidance and maps out U.S. Cyber Command's organizational and operational relationships in general terms. However, greater specificity is needed as to the categories of personnel that can conduct various types of cyberspace operations in order for the military services to organize, train, and equip cyber forces. The services may use military, civilian government, and contractor personnel to conduct cyberspace operations, and U.S. Cyber Command's Concept of Operations describes general roles and responsibilities for cyberspace operations performed by U.S. Cyber Command's directorates, the military services, and the respective service components. However, service officials indicated that DOD guidance was insufficient to determine precisely what civilian activities are permissible for certain cyber activities, that DOD is still reviewing the appropriate roles for government civilians in this domain, and that the military services may be constrained by limits on their total number of uniformed personnel, among other things. Without the specific guidance, the services may in the future have difficulty in meeting personnel needs for certain types of cyber forces. U.S. Cyber Command's Concept of Operations generally describes the command and control relationships between U.S. Cyber Command and the geographic combatant commands, but additional specificity would enable the military services to better plan their support for DOD cyberspace operations. DOD guidance calls for command and control relationships to be identified in the planning process. The Concept of Operations recognizes that a majority of cyberspace operations will originate at the theater and local levels, placing them under the immediate control of the geographic combatant commanders and requiring U.S. Cyber Command to provide cyberspace operations support. However, officials from the four military services cited a need for additional specificity as to command and control relationships for cyberspace operations between U.S. Cyber Command and the geographic combatant commands, to enable them to provide forces to the appropriate command. DOD recognizes this challenge in command and control and is conducting exercises and studies to work toward its resolution. U.S. Cyber Command has made progress in operational planning for its missions but has not fully defined long-term mission requirements and desired capabilities to guide the services' efforts to recruit, train, and provide forces with appropriate skill sets. DOD guidance requires that combatant commanders provide mission requirements the services can use in plans to organize, train, and equip their forces. However, GAO determined that in the absence of detailed direction from U.S. Strategic Command, the services are using disparate, service-specific approaches to organize, train, and equip forces for cyberspace operations, and these approaches may not enable them to meet U.S. Cyber Command's mission needs. GAO recommends that DOD set a timeline to develop and publish specific guidance regarding U.S. Cyber Command and its service components' cyberspace operations, including: (1) categories of personnel that can conduct various cyberspace operations; (2) command and control relationships between U.S. Cyber Command and the geographic combatant commands; and (3) mission requirements and capabilities, including skill sets, the services must meet to provide longterm operational support to the command. DOD agreed with the recommendations.
Recommendations for Executive Action
Comments: As of September 2015, DOD is still in the process of finalizing a DOD Directive on "Cyber Workforce Management," which it expected to be formally approved sometime in fiscal year 2015. In concert with this directive, DOD is also working on a complementary DOD Instruction establishing a lexicon for cyberspace workroles and the baseline set of knowledge, skills, and abilities for each workrole; this Instruction should be used to develop a series of cyberspace workforce qualification manuals. Working groups to establish baseline qualification requirements for the cyberspace workforce in these qualification manuals will commence work in the first quarter of fiscal year 2016. The qualification manuals, if finalized, are to replace the DOD's manual on "Information Assurance." In addition, the DOD is developing another DOD Instruction, which should assign responsibilities and provide procedures for the planning and coordination of DoD cyberspace training. DOD expects this DOD Instruction to be formally approved by December 2015.
Recommendation: To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Under Secretary of Defense for Policy and the Under Secretary of Defense for Personnel and Readiness, in consultation with the DOD Office of General Counsel, to develop and publish detailed policies and guidance pertaining to categories of personnel that can conduct the various forms of cyberspace operations.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: DOD has taken a number of actions in response to this recommendation. In May 2012, the Joint Staff obtained Secretary of Defense approval on its Transitional Cyberspace Operations Command and Control Concept of Operations (CONOPS). As directed in the Concept of Operations, the Combatant Commands implemented the transitional command and control model and over the following year, the Joint Staff partnered with the U.S. Strategic Command, the U.S. Cyber Command, other Combatant Commands, Services and DoD Agencies to evaluate the transitional model and develop a more enduring cyberspace operations command and control framework. In June 2013, the Chairman issued the "Execute Order to Implement Cyberspace Operations Command and Control Framework," which builds upon the transitional concept specifying command relationships among cyberspace entities across DOD. In July 2014, Cyber Command published version 4.1 of its Cyber Force Concept of Operations and Employment, including an annex on the command and control of Cyber Mission Forces. The annex details more specific guidance on the supporting and supported relationships between Cyber Command and the combatant commands. In November 2014, the Chairman of the Joint Chiefs of Staff also issued a modification to its June 2013 Execute Order establishing a new Joint Force Headquarters DOD Information Network to direct and execute global network operations and Defensive Cyber Operations. Cyber Command also published a Concept of Operations in October 2014 for the DOD Information Network, which outlines specific guidance on the command and control relationships between Cyber Command and the combatant commands.
Recommendation: To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Chairman of the Joint Chiefs of Staff to develop and publish authoritative and specific guidance regarding the supporting and supported command and control relationships between U.S. Cyber Command and the geographic combatant commands for cyberspace operations.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: DOD has taken a number of actions to address this recommendation. As of July 2015, U.S. Cyber Command has developed joint training and assessment standards for individual and collective training specific to its Cyber Mission Force teams across three primary documents. These documents provide specific guidance on and assist the Services in identifying the necessary mission requirements and skill sets of its personnel assigned to Cyber Mission Force teams and are as follows: 1) Joint Cyberspace Training and Certification Standards which encompasses standardized joint procedures, guidelines, and standards for individual, staff, and collective training across all four phases of the Joint Training System. The standards document was signed in November 2014. 2) Cyber Mission Force Training Pipeline Version 2.2 - the training pipeline outlines the required and optional training courses for each cyber position. 3)Cyber Command Training and Readiness Manual - the document is a unit-based manual, in which each unit chapter contains applicable individual, sub-element, and collective training standards. The manual serves as a tool for Cyber Command to oversee a sustainment training program, ensuring continued proficiency and readiness of forces to complete cyber missions; it also intends to ensure training remains focused on mission accomplishment and that training and readiness reporting is tied to Cyber Mission Force mission essential tasks. Version 2.8 of this manual was published in February 2015.
Recommendation: To assist the military services in fulfilling their responsibilities to organize, train, and equip cyber forces, the Secretary of Defense should set a timeline and direct the Commander, U.S. Strategic Command, in conjunction with U.S. Cyber Command, to develop and publish authoritative and specific guidance regarding the mission requirements and capabilities, including skill sets, that the services should meet to provide long-term operational support to U.S. Cyber Command.
Agency Affected: Department of Defense