Access control
"Bug hunters must first pass a background check before being permitted to hack the agency's web properties."
Black hats (especially foreign ones) can't pass the background check and so are unable to hack the agency's sites.
White hats have found more than 100 vulnerabilities in Pentagon infrastructure under its bug bounty program. Some 1,400 hackers participated in the Hack the Pentagon bug bounty program, handing out up to $US14,000 for disclosures of the worst vulnerabilities. US Defense Secretary Ashton Carter told the Defense One conference …
>>It would be interesting to know which bugs they squashed. How many were simple configuration errors?
I bet we can guess that it was everything from simple unsanitized inputs and non-parameterized SQL queries on up to still using SSL. You can also bet that they had servers on the same network segment as the open internet. Basically all the crap you'd expect out of people that don't really know what they are doing.