In an audit of the Defense Department’s (DoD) cybersecurity requirements for weapon systems in the operations and support (O&S) phase of the DoD acquisition lifecycle, the DoD Inspector General (IG) highlighted five weapon systems that have been successfully updating cybersecurity requirements and meeting Risk Management Framework requirements.
In the DoD acquisition lifecycle, the O&S phase focuses primarily on the cost-effectiveness of the support functions that sustain the weapon system and on disposal of the system at the end of its life. Because the O&S phase can often last for years, DoD components must continue emphasizing weapon system protection by mitigating cybersecurity threats throughout the phase.
According to the IG, officials from the “[U.S.] Army, Navy, Air Force, and U.S. Special Operations Command had regularly obtained or analyzed cyber threats from various intelligence agencies to assess potential operational impacts to the weapon systems, and, based on their analysis, updated cybersecurity requirements to account for additional countermeasures implemented or needed to protect the weapon systems from the identified threats.”
The IG identified best practices these officials used to make sure the information gathering and analyses being performed were sufficient to identify and mitigate potential malicious activity, cyber vulnerabilities, and cyber threats, as well as to assess the effectiveness of the data and cyber resiliency protection measures within the weapon system.
“The threats to weapon systems include equipment failure, environmental disruptions, human or machine errors, and purposeful attacks, such as cyberattacks,” said the IG. “When successful, attacks on weapon systems can result in the loss of the confidentiality, integrity, and availability of information processed, stored, and transmitted by those systems.”
The IG didn’t make any recommendations but did maintain that officials should consider the best practices highlighted in the report, including:
- Conducting cyber threat and risk assessments;
- Forming or participating in intelligence-based working groups; and
- Conducting cyber tabletop exercises.