Defense Cybersecurity: DOD's Monitoring of Progress in Implementing Cyber Strategies Can Be Strengthened, Report to Congressional Committees
"DOD acknowledges that malicious cyber intrusions of its networks have negatively affected its information technology systems, and that adversaries are gaining capability over time. In 2010, the President re-designated the director of the NSA [National Security Agency] as CYBERCOM's [Cyber Command] commander, establishing a dual-hat leadership arrangement for these agencies with critical cybersecurity responsibilities. House Reports 114-537 and 114-573 both included provisions for GAO [Government Accountability Office] to assess DOD's management of its cybersecurity enterprise. This report, among other things, examines (1) DOD officials' perspectives on the advantages and disadvantages of the dual-hat leadership arrangement of NSA/CSS [Central Security Service] and CYBERCOM, and actions that could mitigate risks if the leadership arrangement ends, and (2) the extent to which DOD has implemented key strategic cybersecurity guidance. GAO analyzed DOD cybersecurity strategies, guidance, and information and interviewed cognizant DOD officials. GAO recommends that DOD take the following two actions: (1) modify its criteria for closing tasks from The DOD Cyber Strategy; and (2) establish a timeframe and monitoring for implementing an objective of the DOD Cybersecurity Campaign to transition to commander-driven operational risk assessments for cybersecurity readiness. DOD partially concurred with these recommendations and identified actions it plans to take. If implemented, GAO believes these actions would satisfy the intent of the recommendations."
Government Accountability Office: http://www.gao.gov/