Security News > 2021 > March > U.S. DoD Weapons Programs Lack ‘Key’ Cybersecurity Measures

Weapons programs from the U.S. Department of Defense are falling short when it comes to incorporating cybersecurity requirements, according to a new watchdog report.

While the DoD has developed a range of policies aimed at hardening the security for its weapon systems, the guidance leaves out a key detail - the contracts for procuring various weapons.

According to a new report by the U.S. Government Accountability Office, 60 percent of the contracts included zero requirements when it comes to cybersecurity protection measures.

The GAO, which is an independent, non-partisan agency that works for Congress and acts as a "Congressional watchdog" and third-party auditor, noted that the inclusion of cybersecurity stipulations in the contracts is "Key." When it comes to any type of requirement in weapons contracts, whether it's cybersecurity- or services-related, "If it is not in the contract, do not expect to get it," according to the report.

When it comes to security, the weapons contracts should define requirements "To satisfy the needs of the agency, identify criteria for accepting or rejecting the work, and where applicable, establish how the government will verify that requirements have been met," according to the GAO. However, the majority of the DoD's weapons contracts do not include any cybersecurity requirements at all - and if they do, the terms remain vague in terms of how security measures would be implemented, or shy away from defining cybersecurity activities "In objective terms with a clear basis for accepting or rejecting the system."

Key Recommendations For DoD. Moving forward, the GAO made three recommendations: Each suggesting that the Army, Navy and Marine Corps provide better guidance on how programs should incorporate tailored cybersecurity requirements into contracts.

News URL

https://threatpost.com/dod-weapons-programs-lack-cybersecurity/164545/