Defense Supply Chain Management Systems Are Vulnerable, GAO Says

WASHINGTON — The Government Accountability Office issued a report this week addressing cybersecurity vulnerabilities in the Department of Defense inventory management systems used to manage the national defense supply chain.
Risks in six inventory management systems run by the Defense Logistics Agency were reviewed in the report, along with what steps have already been taken to mitigate the potential danger. GAO has identified defense cybersecurity as a high-risk area since 1997.
“To carry out the agency’s missions and account for its resources, DLA relies on information systems to access and manage supply chain, inventory, and other logistics data,” GAO officials wrote in a letter to the House Committee on Armed Services. “As such, the security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being. However, cyber-based intrusions and attacks on both federal and nonfederal systems have become not only more numerous and diverse, but also more damaging and disruptive.”
GAO issued a series of five recommendations in the report, ranging from revising standard operating procedures to include system-specific monitoring strategies to ensuring the DLA director incorporates residual risk information in corrective action plans.
Another recommendation directs the DLA director to update and institute an assessment plan approval process, ensuring a designated authorizing official reviews and approves system assessment plans before the system’s evaluation.
The office also wants the DLA director to revise and carry out the agency’s process for obtaining waivers that accept “identified ongoing risk,” including 338 pending corrective action plans still awaiting waivers.
Another recommendation of the report dictates the DLA cybersecurity Office to design and produce a process for program offices to review the consistency and completeness of authorization documentation before submitting packages to the designated authorizing officials.
“We supplemented our analysis of documents and data by interviewing officials in DLA’s Cybersecurity Office and the system program offices about their efforts to assess, document, and review security controls for their respective systems,” the GAO report read. “We then made determinations about the extent to which each system’s program office had fully addressed, partially addressed, or not addressed all aspects of the required tasks for the risk management step based on the documents and data provided.”
Of the five recommendations in the report, DLA agreed with two and partially agreed with three. DLA issued partial concurrences with the recommendations and advised a revision of standard operating procedures, the instituting of the assessment plan approval process, and the creation of a process for reviewing authorization documentation.
DLA disagreed that there weren’t monitoring strategies determining the effectiveness of security controls and that there were “missed opportunities for risk-based decisions” regarding authorization issuances. It also did not agree that there is no process for reviewing authorization documentation before submitting requests for authorization.
GAO found the agency only fully addressed and remedied two of its six risk management steps for the inventory management systems: the categorization of systems and establishing an implementation approach. According to the report, the DLA partially addressed the selection of security controls, assessment of the controls, and system authorization and monitoring of security controls.
Until the DLA addresses all of the identified deficiencies, the agency’s control over cyber risks presented to critical systems will be “impeded and potentially pose risks to other DOD systems” should the DLA systems be compromised.
“This report does not address the extent to which DLA and the selected systems’ countermeasures are able to successfully prevent certain cyberattacks,” the report’s text continued. “Rather, it focuses on DLA’s efforts to manage the cybersecurity of these six systems through a risk management framework that is intended to help managers make informed decisions about cyber threats, and to prioritize mitigations and responses to threats in the most cost-effective manner.”
In The News
Health
Voting
Defense
BEIJING (AP) — Secretary of State Antony Blinken has postponed a planned high-stakes weekend diplomatic trip to China as the... Read More
BEIJING (AP) — Secretary of State Antony Blinken has postponed a planned high-stakes weekend diplomatic trip to China as the Biden administration weighs a broader response to the discovery of a high-altitude Chinese balloon flying over sensitive sites in the western United States, a U.S. official... Read More
WASHINGTON — The House on Thursday afternoon passed the National Defense Authorization Act, sending the $847 billion, 4,000-page measure on... Read More
WASHINGTON — The House on Thursday afternoon passed the National Defense Authorization Act, sending the $847 billion, 4,000-page measure on to the Senate for consideration before the end-of-year deadline. After months of negotiation, the annual defense authorization bill passed in a bipartisan vote of 350-80. The... Read More
SEOUL, South Korea (AP) — The nuclear-powered aircraft carrier USS Ronald Reagan launched a new round of naval drills with... Read More
SEOUL, South Korea (AP) — The nuclear-powered aircraft carrier USS Ronald Reagan launched a new round of naval drills with South Korean warships on Friday, a day after North Korea fired more ballistic missiles and flew warplanes in an escalation of tensions with its rivals. The... Read More
WASHINGTON — The District of Columbia’s mayor would gain a right to call out the National Guard in an emergency... Read More
WASHINGTON — The District of Columbia’s mayor would gain a right to call out the National Guard in an emergency under the National Defense Authorization Act approved by the U.S. House of Representatives this month. The $840.2 billion bill would fund the Defense Department for the... Read More
WASHINGTON — The Defense Department is requesting $3 billion in fiscal year 2023 “to address the effects of climate change,... Read More
WASHINGTON — The Defense Department is requesting $3 billion in fiscal year 2023 “to address the effects of climate change, bolster … installation resiliency and adaptation to climate challenges,” and start to invest in what it believes is a more efficient airplane for the future. At... Read More
WASHINGTON — Candidate Katie Arrington, currently hoping to unseat incumbent Rep. Nancy Mace, R-S.C., in the upcoming South Carolina congressional... Read More
WASHINGTON — Candidate Katie Arrington, currently hoping to unseat incumbent Rep. Nancy Mace, R-S.C., in the upcoming South Carolina congressional primary, sued the Defense Department on Tuesday seeking the release of records related to the suspension of her security clearance. Arrington previously ran for the seat... Read More