Audits have unfortunately become an opportunity to criticize an organization for its weaknesses and failures, a trend that ICIT believes is harmful to improving the security and resiliency of our nation’s critical infrastructures. While it is difficult for any organization to receive constructive criticism and easy for those on the outside to point the finger, it is a vital step in the process of improvement. Therefore, responsible stakeholders and community members must resist the urge to criticize and instead support organizations as they digest audit feedback and work as partners to help them grow and evolve as a result of these assessments.
Based on recent internal audits and reporting from the Government Accountability Office and Inspector General’s office, the United States Department of Defense (DoD) may be susceptible to attacks in which sophisticated nation-state-sponsored advanced persistent threats and cyber mercenaries could exfiltrate highly classified defense documents, steal intellectual property, plant malware on systems critical to national security, digitally neutralize defensive capabilities, or wholly seize control of weapons systems.
In this report, ICIT has summarized four of these recent audits, which focused on:
- Financial and Business Management Systems
- Weapons Systems
- The Implementation of the NIST Cybersecurity Framework
- Ballistic Missile Defense System Facilities
Our goal with this report is to provide a factual summary of these audits, along with high-level recommendations based on their findings, so that the defense industrial base and other DoD stakeholders can understand the vulnerabilities that exist and become part of the solution, supporting our colleagues within the DoD as they work to address these vulnerabilities and improve the resiliency of our most vital national security asset.