Defense Supply Chain Management Systems Are Vulnerable, GAO Says
WASHINGTON — The Government Accountability Office issued a report this week addressing cybersecurity vulnerabilities in the Department of Defense inventory management systems used to manage the national defense supply chain.
Risks in six inventory management systems run by the Defense Logistics Agency were reviewed in the report, along with what steps have already been taken to mitigate the potential danger. GAO has identified defense cybersecurity as a high-risk area since 1997.
“To carry out the agency’s missions and account for its resources, DLA relies on information systems to access and manage supply chain, inventory, and other logistics data,” GAO officials wrote in a letter to the House Committee on Armed Services. “As such, the security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being. However, cyber-based intrusions and attacks on both federal and nonfederal systems have become not only more numerous and diverse, but also more damaging and disruptive.”
GAO issued a series of five recommendations in the report, ranging from revising standard operating procedures to include system-specific monitoring strategies to ensuring the DLA director incorporates residual risk information in corrective action plans.
Another recommendation directs the DLA director to update and institute an assessment plan approval process, ensuring a designated authorizing official reviews and approves system assessment plans before the system’s evaluation.
The office also wants the DLA director to revise and carry out the agency’s process for obtaining waivers that accept “identified ongoing risk,” including 338 pending corrective action plans still awaiting waivers.
Another recommendation of the report dictates the DLA cybersecurity Office to design and produce a process for program offices to review the consistency and completeness of authorization documentation before submitting packages to the designated authorizing officials.
“We supplemented our analysis of documents and data by interviewing officials in DLA’s Cybersecurity Office and the system program offices about their efforts to assess, document, and review security controls for their respective systems,” the GAO report read. “We then made determinations about the extent to which each system’s program office had fully addressed, partially addressed, or not addressed all aspects of the required tasks for the risk management step based on the documents and data provided.”
Of the five recommendations in the report, DLA agreed with two and partially agreed with three. DLA issued partial concurrences with the recommendations and advised a revision of standard operating procedures, the instituting of the assessment plan approval process, and the creation of a process for reviewing authorization documentation.
DLA disagreed that there weren’t monitoring strategies determining the effectiveness of security controls and that there were “missed opportunities for risk-based decisions” regarding authorization issuances. It also did not agree that there is no process for reviewing authorization documentation before submitting requests for authorization.
GAO found the agency only fully addressed and remedied two of its six risk management steps for the inventory management systems: the categorization of systems and establishing an implementation approach. According to the report, the DLA partially addressed the selection of security controls, assessment of the controls, and system authorization and monitoring of security controls.
Until the DLA addresses all of the identified deficiencies, the agency’s control over cyber risks presented to critical systems will be “impeded and potentially pose risks to other DOD systems” should the DLA systems be compromised.
“This report does not address the extent to which DLA and the selected systems’ countermeasures are able to successfully prevent certain cyberattacks,” the report’s text continued. “Rather, it focuses on DLA’s efforts to manage the cybersecurity of these six systems through a risk management framework that is intended to help managers make informed decisions about cyber threats, and to prioritize mitigations and responses to threats in the most cost-effective manner.”
In The News
WASHINGTON — The Department of Defense’s Office of Local Defense Community Cooperation released its report on defense spending by state,... Read More
WASHINGTON — The Department of Defense’s Office of Local Defense Community Cooperation released its report on defense spending by state, revealing the department’s contract obligations and payroll spending across all 50 states and Washington, D.C. The DOD report was published to highlight DOD’s domestic spending figures... Read More
WASHINGTON -- Members of the House might not agree on much these days, but one thing they do seem to... Read More
WASHINGTON -- Members of the House might not agree on much these days, but one thing they do seem to be in agreement on is that passing the annual defense spending authorization falls into the same rarified category as mom and apple pie. On Thursday, the... Read More
WASHINGTON -- U.S. Defense Department officials on Wednesday afternoon acknowledged the kind of surprise about the fall of Afghanistan mentioned... Read More
WASHINGTON -- U.S. Defense Department officials on Wednesday afternoon acknowledged the kind of surprise about the fall of Afghanistan mentioned in a new inspector general’s report. “No, I did not see a collapse of an army of that size in 11 days,” Army Gen. Mark Milley... Read More
Costs associated with the United States' “Global War on Terror” have mounted significantly in the nearly 20 years following the... Read More
Costs associated with the United States' “Global War on Terror” have mounted significantly in the nearly 20 years following the Sept. 11 World Trade Center attacks. The underlying mission of the Global War on Terror in 2001 was to fortify the U.S.’s national security against future... Read More
WASHINGTON - The Department of Defense is conducting its first fiscal research study in over 30 years to determine the... Read More
WASHINGTON - The Department of Defense is conducting its first fiscal research study in over 30 years to determine the efficiency and overall health of the military industry and its private contractors. The decision comes as part of a push by the DOD to utilize budgeted... Read More
Spouses of military reservists feel they are healthy and financially comfortable, but more of them complained of stress and loneliness... Read More
Spouses of military reservists feel they are healthy and financially comfortable, but more of them complained of stress and loneliness in a survey released Tuesday by the Department of Defense. The survey of Reserve Component Spouses is conducted every two years, and along with the Survey... Read More