The DOD’s information technology business arm still lacks cybersecurity strategies in several of its programs, according to a sweeping review of the government’s military and national security spending patterns released Thursday.
The programs that help support day-to-day software needs of Defense Department employees should get approved cyber strategies in place as soon as possible to best position them against cyberattacks and to reduce scheduling and performance costs, the U.S. Government Accountability Office said in its annual assessment of DOD’s IT spending.
GAO found in last year’s assessment that six of the DOD’s business IT programs did not have approved cyber strategies in place, and officials in March of this year acknowledged they are needed, GAO said. Draft strategies are still in the works and awaiting approval, according to Thursday’s oversight report.
The specific programs lacking the strategies are unnamed but are supposed to have plans that include cybersecurity and resilience requirements, as well as system documentation for security testing, according to previously released DOD IT system requirements dating back to 2014.
The 21 assessed IT programs include DOD’s healthcare management portal, a travel budget platform and several personnel systems used by the Pentagon’s military branches to process payments.
Still, most of the programs reported conducting full assessments, including penetration testing, which evaluates how easily a hacker could breach a given system. Several programs conducted assessments focused on secure code and data privacy.
DOD’s IT infrastructure presents a target-rich environment for cybercriminals and nation-state hackers because the department’s personnel data can be easily connected back to sensitive or classified information, including intelligence data, national security assessments or closed-off weapons designs.
In some cases, DOD staff often transfer data across devices or may take their work with them on travel assignments, opening more doors for potential exploitation if the systems they’re working on are unsecured.
The Defense Department faces its own 2027 deadline to implement a framework focused on zero trust, a cybersecurity management blueprint that assumes all users on a network cannot be trusted and should always be verified when moving across systems. GAO said Thursday it’s still monitoring the department’s implementation progress.
