Defense Cybersecurity: Opportunities Exist for DOD to Share Cybersecurity Resources with Small Businesses
Highlights
What GAO Found
The Department of Defense (DOD) Office of Small Business Programs (OSBP) has explored some options, such as online training videos, to integrate cybersecurity into its existing efforts; however, as of July 2015, the office had not identified and disseminated cybersecurity resources in its outreach and education efforts to defense small businesses. While DOD OSBP is not required to educate small businesses on cybersecurity, DOD OSBP officials acknowledged that cybersecurity is an important and timely issue for small businesses—and therefore the office is considering incorporating cybersecurity into its existing outreach and education efforts. During the review, GAO identified 15 existing federal cybersecurity resources that DOD OSBP could disseminate to defense small businesses.
Selected Examples of Cybersecurity Resources GAO Identified as Available to Defense Small Businesses
Resource | Implementing Agency | Program Overview |
---|---|---|
 | DOD Defense Security Service | Online courses related to cybersecurity topics such as risk management and phishing—that is, social engineering that uses authentic-looking, but fake, e-mails to request information from users or direct them to a fake website that requests information. |
 | U.S. Small Business Administration | Provides a 30-minute online program that covers cybersecurity concepts for small business. |
 | Federal Communications Commission | Provides guidance based on areas of risk self-identified by small businesses. The guidance includes links to additional cybersecurity resources for small businesses. |
Source: GAO analysis of information from listed agencies. | GAO-15-777
While DOD OSBP officials recognized the importance of identifying and disseminating cybersecurity resources through outreach and education efforts to small businesses, they identified factors that had limited their progress in doing so. Specifically, they were not aware of existing cybersecurity resources, they had leadership turnover in the office, and the office was focused on developing a training curriculum for professionals who work with small businesses. While GAO recognizes that these factors could affect progress, federal government internal controls state that management should ensure there are adequate means of communicating with, and obtaining information from, external stakeholders who may have a significant impact on the agency's achieving its goals. DOD OSBP officials agreed that identifying and disseminating information about existing cybersecurity resources to defense small businesses could help small businesses be more aware of cybersecurity practices and cyber threats. In addition, by identifying and disseminating this information, DOD OSBP could help small businesses to protect their networks, thereby supporting the 2015 DOD Cyber Strategy goals of working with the private sector to help secure defense industrial base trade data and build layered cyber defenses.
Why GAO Did This Study
Small businesses, including those that conduct business with DOD, are vulnerable to cyber threats and may have fewer resources, such as robust cybersecurity systems, than larger businesses to counter cyber threats.
The Joint Explanatory Statement accompanying the National Defense Authorization Act for Fiscal Year 2015 included a provision that GAO assess DOD OSBP's outreach and education efforts to small businesses on cyber threats. This report addresses the extent to which DOD OSBP has integrated cybersecurity into its outreach and education efforts to defense small businesses. DOD OSBP's mission includes providing small business policy advice to the Office of the Secretary of Defense, and policy oversight to DOD military department and component small business offices.
To conduct this review, GAO analyzed documentation and interviewed officials from DOD OSBP about its cybersecurity outreach and education efforts. GAO also analyzed documentation and interviewed officials from nine organizations selected for their cybersecurity expertise to identify examples of cybersecurity outreach and education programs potentially available to defense small businesses.
Recommendations
GAO recommends that DOD identify and disseminate cybersecurity resources to defense small businesses. DOD concurred with the recommendation and agreed to implement training events and education programs.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Defense | To better position defense small businesses in protecting information and networks from cyber threats, the Secretary of Defense should direct the Director of the DOD OSBP, as part of its existing outreach efforts, to identify and disseminate cybersecurity resources to defense small businesses. | In May 2016, an official from the DOD Office of Small Business Programs (OSBP) informed us that in response to our recommendation, the office had distributed cybersecurity resources and information to defense small businesses and DOD small business professionals in meetings, conferences, training sessions, and outreach events. DOD OSBP also produced and made publicly available a reference guide entitled "Defense Cybersecurity Requirements: What Small Businesses Need to Know." DOD OSBP provided us an electronic version of this guide to demonstrate their efforts. We believe these actions meet the intent of our recommendation. |