(U) Followup Audit on Corrective Actions Taken by DoD Components
in Response to DoD Cyber Red Team-Identified Vulnerabilities and
Additional Challenges Facing DoD Cyber Red Team Missions
DODIG-2020-067 (Project No. D2019-D000CR-0075.000)
(U) Objective
(U) The objective of this followup audit was to determine
whether DoD Cyber Red Teams and DoD Components
took actions to correct problems identified in Report No.
DODIG-2013-035, “Better Reporting and Certification
Processes Can Improve Red Teams’ Effectiveness,”
December 21, 2012. In addition, we determined whether
DoD Cyber Red Teams supported operational testing and
combatant command exercises to identify network
vulnerabilities, threats, and other security weaknesses
affecting DoD systems, networks, and facilities, and
whether corrective actions were taken to address DoD
Cyber Red Team findings. We also assessed risks affecting
the ability of DoD Cyber Red Teams to support DoD
missions and priorities.
(U) Background
(U) DoD Cyber Red Teams are independent, multi-disciplinary
groups of DoD personnel that are certified,
accredited, and authorized to identify vulnerabilities
that impact the confidentiality, integrity, or availability
of DoD systems and networks by portraying the tactics,
techniques, and procedures of adversaries. The DoD
uses DoD Cyber Red Teams to highlight vulnerabilities,
improve joint cyberspace operations, and protect the DoD
Information Network and DoD weapons systems from
vulnerabilities and threats that affect the DoD’s security
posture. Unlike traditional vulnerabilities, such as
misconfigured security settings and unpatched software,
DoD Cyber Red Teams use known vulnerabilities, zero
day attacks (attacks that exploit a previously unknown
hardware, firmware, or software vulnerability), and other
tactics an adversary may use to penetrate systems,
networks, and facilities, and test the defense-in-depth
strength (use of multiple barriers and layers of defenses
to protect systems, networks, and organizations)
and responses taken to DoD Cyber Red Team actions.
As of September 2019, the National Security Agency
accredited 10 DoD Cyber Red Teams.
(U) Summary of Prior Report
(U//FOUO) In our prior report, issued in December 2012,
we determined that DoD Cyber Red Teams did not
effectively report the results of their assessments to the
assessed organizations; the Director, Operational Test
and Evaluation; U.S. Cyber Command; the Joint Force
Headquarters-DoD Information Network; and other
DoD Cyber Red Teams. In addition, we found that the DoD
Components did not effectively correct or mitigate
Red Team-identified vulnerabilities and did not track
or report the vulnerabilities on a plan of action and
milestones as required by the Chairman of the Joint Chiefs
of Staff Instruction 6510.01F. Furthermore, we found that
the DoD Cyber Red Team certification and accreditation
process did not effectively assess the skills of the DoD
Cyber Red Teams and their ability to perform mission
functions and meet training requirements.
(U//FOUO) In that report, we recommended that
U.S. Strategic Command
. In addition, we recommended that
the Services develop procedures to:
• (U//FOUO)
• (U//FOUO)
• (U//FOUO)
March 13, 2020