The Defense Department is not fully tracking employee training in its Cyber Awareness Challenge, a main element of the department’s cybersecurity programs, GAO has said.
That required training “is intended to help the DoD workforce maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure,” a report said. However, in examining 16 DoD components, GAO found that six lacked information on system users who had not completed the training in 2018, and eight lacked information on users whose network access had been revoked for not completing training.
Component heads “did not ensure that their respective components were accurately monitoring and reporting the necessary information,” GAO said. While some officials told GAO that there was no value in compiling such information at high levels, GAO noted that “multiple DoD policy and guidance documents” require all network users to take the training annually and that all individuals with network access must complete the training to retain access.
GAO added that one component did not administer the training for its employees, substituting one of its own design instead. However, that program did not address all of the topics required by the general policy, it said.