« IAASB - INTERNATIONAL STANDARD ON RELATED SERVICES (ISRS) 4400 (REVISED) | Main | UKがCOVID-19の追跡アプリを独自に開発? »

2020.04.15

GAO report: the Department of Defense needs to improve its cyber hygiene, so GAO made seven recommendations

Hello, this is Mitsuhiko Maruyama.

The GAO is the U.S. counterpart of Japan's Board of Audit (会計検査院).

                     GAO                                  Board of Audit (Japan)
  Head               Gene Dodaro                          Yuji Morita (森田祐司)
  Established        1921                                 1880
  Staff              approx. 3,000 (FTE)                  approx. 1,250 (as of 2019.01.01)
  Budget             FY2019: US$637 M (approx. 70 billion yen)   approx. 17.7 billion yen

Even relative to GDP, the U.S. side is far more heavily staffed.

Incidentally, the current President of the Board of Audit, Mr. Morita, was my boss when I joined Tohmatsu and acted as something like the matchmaker at my first wedding. He was doing systems audits, and he is also the person who led me to join ISACA (^^).

To get back on track: that GAO has pointed out to the Department of Defense that it needs to improve its cyber hygiene.

● U.S. Government Accountability Office (GAO) [wikipedia]

・2020.04.13 CYBERSECURITY: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene

 ・[PDF] Highlights Page

 ・[PDF] Full Report

-----

Fast Facts

“Cyber hygiene” is a set of practices for managing the most common and pervasive cybersecurity risks. The Department of Defense’s cyber hygiene is critical as threats to its information and networks increase.

DOD has had 3 cyber hygiene initiatives underway. These efforts are incomplete—or their status is unknown because no one is in charge of reporting on progress.

DOD has also developed lists of its adversaries’ most frequently used techniques, and practices to combat them. Yet, DOD doesn’t know the extent to which it’s using these practices.

We made 7 recommendations that would have DOD fully implement cyber hygiene practices.

-----

Recommendation:

  1. The Secretary of Defense should ensure that the DOD CIO takes appropriate steps to ensure implementation of the DC3I tasks. 
  2. The Secretary of Defense should ensure that DOD components develop plans with scheduled completion dates to implement the four remaining CDIP tasks overseen by DOD CIO. 
  3. The Secretary of Defense should ensure that the Deputy Secretary of Defense identifies a DOD component to oversee the implementation of the seven CDIP tasks not overseen by DOD CIO and report on progress implementing them. 
  4. The Secretary of Defense should ensure that DOD components accurately monitor and report information on the extent that users have completed the Cyber Awareness Challenge training as well as the number of users whose access to the network was revoked because they have not completed the training.
  5. The Secretary of Defense should ensure that the DOD CIO ensures all DOD components, including DARPA, require their users to take the Cyber Awareness Challenge training developed by DISA.
  6. The Secretary of Defense should direct a component to monitor the extent to which practices are implemented to protect the department's network from key cyberattack techniques. 
  7. The Secretary of Defense should ensure that the DOD CIO assesses the extent to which senior leaders have more complete information to make risk-based decisions—and revise the recurring reports (or develop a new report) accordingly. Such information could include DOD's progress on implementing (a) cybersecurity practices identified in cyber hygiene initiatives and (b) cyber hygiene practices to protect DOD networks from key cyberattack techniques.

 

 

WIRED

・2020.04.15 The Pentagon Hasn't Fixed Basic Cybersecurity Blind Spots - Five years ago, the Department of Defense set dozens of security hygiene goals. A new report finds that it has abandoned or lost track of most of them. by Lily Hay Newman

