The Defense Department's inspector general has determined that the DoD failed to fully carry out the mandate of a 2015 statute designed to enhance the cybersecurity posture of government and private organizations.
The Cybersecurity Information Sharing Act of 2015 called on seven federal agencies, including the DoD, to develop policies that would facilitate the sharing of classified and unclassified cybersecurity threat indicators and defense measures among government as well as private entities, the DoD IG stated in a recently released audit report.
The DoD IG observed that CISA was implemented inconsistently across the DoD, noting that “none of the four DoD Components reviewed” — namely the National Security Agency, the DoD Cyber Crime Center, the Defense Information Systems Agency and U.S. Cyber Command — “implemented all of the CISA requirements.”
The inspector general attributed this deficiency to the failure of the Defense Department’s chief information officer to promulgate an agency-wide CISA implementation and compliance directive.
The DoD IG went on to push for the formulation of such a directive since the fragmentary implementation of CISA prevents the DoD from gaining “a more complete understanding of increasing and persistent cybersecurity threats by leveraging the collective knowledge and capabilities of sharing entities.”