According to a watchdog report said that Congress passed landmark Cybersecurity legislation in late 2015, but the Defense Department has failed to fully implement the law. The 2015 Cybersecurity Information Sharing Act (CISA) that intends encourage sharing of Cybersecurity threat data between the government and the private sector entities.
The Department of Defense Office of Inspector General report published on Nov.8, found that the four DoD components the National Security Agency (NSA), U.S. Cyber Command, the Defense Information Systems Agency (DISA), and the DOD Cyber Crime Center (DC3) took substantial steps to implement the CISA provisions, but no one did so completely. The report concluded that the uneven and inconsistent implementation of CISA requirements was due to the lack of a DOD-wide policy from the CIO. The report stated that as a result, the DOD restricted its ability to achieve a more complete understanding of Cybersecurity risks since it did not fully leverage the collective knowledge and capabilities of sharing entities or spread internally generated Cyber threat indicators and defensive measures with other federal and non-federal entities.
The report further noted that DISA and U.S. Cyber Command lacked policies for sharing cyber threat indicators, while DC3 wasn’t always checking, whether it was sharing cyber threat indicators with private-sector personnel through the secret DIBNet-U portal that hosts information on Defense Industrial Base companies. The report also cited that NSA can’t receive cyber threat indicators or defensive measures by the Department of Homeland Security’s Automated Information System due to internal NSA storing procedures. The report also suggested that the DOD CIO issue department-wide policy to execute CISA requirements, including the requirement that defense agencies notice roadblocks to sharing cyber threat indicators and defensive measures and take appropriate actions to mitigate the identified barriers.