In a military context that's like taking down all the signs warning strollers not to wander out on the business end of a rifle range, or neglect to mention to those learning to fire a mortar that they should point the weapons any direction but directly at a nearby road.
DoDcritics don't know where to start
The final two recommendations are the ones you'd expect to come first in any evaluation of an organization's effectiveness: assess your weaknesses in the area of competence being examined, then develop a plan and funding strategy to address those weaknesses.
The real problem with DoD is that the GAO found so little direction in the Pentagon's cyberwar efforts its analysts felt they couldn't make recommendations on how to make forward progress without mentioning the DoD couldn't even figure out how to sit down if it didn't first learn how to find its but with both hands.
Much of the GAO's own research had to start by figuring out how DoD's cybersecurity was actually organized, because none of the reality appeared to match any of the assumptions, documentation or expectations of any of the people involved.
Then GAO analysts had to figure out what the DoD actually was trying to do. More accurately, since organizations are usually built with a single goal in mind, and are structured to address that goal, the GAO had to figure out whether the DoD actually had a goal toward which it was building and what the haphazard organization it ended up building was constitutionally capable of accomplishing.
Then, having been forced to define what the DoD's lack of overall cybersecurity organization was concerned with doing, it had to compare what the Cyber Command was actually capable of doing and whether those abilities were sufficient to even address the current level of threat.
Although individual officers and some cybersecurity groups certainly knew what they were doing within their own little spheres –and individual services were more coherent in their internal cyberwar efforts than the Pentagon as a whole – it's clear that those theoretically in charge of the overall DoD cyberwar efforts knew less about what the Pentagon was doing to prepare for cyberattacks than those who were attacking.
There is a military term for armies so uncertain of their own skills, resources, strategy and command that the enemy is able to find out more from spying missions than the commanders can by asking questions:
The term is "loser."
Sandia National Labs.