The Government Accountability Office has recommended that the Department of Defense assign responsibility for ensuring cyber incident reporting and document when individuals affected by a breach of personally identifiable information were notified.
Although DOD has reduced the number of cyber incidents, GAO found weaknesses in reporting such incidents, including incomplete data and failure to notify leaders of critical incidents, and that the department did not designate an entity that should oversee cyber incident reporting, according to a report published Monday.
“Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department’s cybersecurity posture,” the GAO report reads.
The congressional watchdog said the Pentagon should also improve sharing of cyber incident information related to the defense industrial base and include detailed procedures for determining and informing leaders of critical cyber events in guidance.
According to GAO, DOD has come up with a process for managing all cyber incidents and another one for critical incidents but has not fully conducted either of these two methods.
