Defense Supply Chain Management Systems Are Vulnerable, GAO Says
WASHINGTON — The Government Accountability Office issued a report this week addressing cybersecurity vulnerabilities in the Department of Defense inventory management systems used to manage the national defense supply chain.
Risks in six inventory management systems run by the Defense Logistics Agency were reviewed in the report, along with what steps have already been taken to mitigate the potential danger. GAO has identified defense cybersecurity as a high-risk area since 1997.
“To carry out the agency’s missions and account for its resources, DLA relies on information systems to access and manage supply chain, inventory, and other logistics data,” GAO officials wrote in a letter to the House Committee on Armed Services. “As such, the security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being. However, cyber-based intrusions and attacks on both federal and nonfederal systems have become not only more numerous and diverse, but also more damaging and disruptive.”
GAO issued a series of five recommendations in the report, ranging from revising standard operating procedures to include system-specific monitoring strategies to ensuring the DLA director incorporates residual risk information in corrective action plans.
Another recommendation directs the DLA director to update and institute an assessment plan approval process, ensuring a designated authorizing official reviews and approves system assessment plans before the system’s evaluation.
The office also wants the DLA director to revise and carry out the agency’s process for obtaining waivers that accept “identified ongoing risk,” including 338 pending corrective action plans still awaiting waivers.
Another recommendation of the report dictates the DLA cybersecurity Office to design and produce a process for program offices to review the consistency and completeness of authorization documentation before submitting packages to the designated authorizing officials.
“We supplemented our analysis of documents and data by interviewing officials in DLA’s Cybersecurity Office and the system program offices about their efforts to assess, document, and review security controls for their respective systems,” the GAO report read. “We then made determinations about the extent to which each system’s program office had fully addressed, partially addressed, or not addressed all aspects of the required tasks for the risk management step based on the documents and data provided.”
Of the five recommendations in the report, DLA agreed with two and partially agreed with three. DLA issued partial concurrences with the recommendations and advised a revision of standard operating procedures, the instituting of the assessment plan approval process, and the creation of a process for reviewing authorization documentation.
DLA disagreed that there weren’t monitoring strategies determining the effectiveness of security controls and that there were “missed opportunities for risk-based decisions” regarding authorization issuances. It also did not agree that there is no process for reviewing authorization documentation before submitting requests for authorization.
GAO found the agency only fully addressed and remedied two of its six risk management steps for the inventory management systems: the categorization of systems and establishing an implementation approach. According to the report, the DLA partially addressed the selection of security controls, assessment of the controls, and system authorization and monitoring of security controls.
Until the DLA addresses all of the identified deficiencies, the agency’s control over cyber risks presented to critical systems will be “impeded and potentially pose risks to other DOD systems” should the DLA systems be compromised.
“This report does not address the extent to which DLA and the selected systems’ countermeasures are able to successfully prevent certain cyberattacks,” the report’s text continued. “Rather, it focuses on DLA’s efforts to manage the cybersecurity of these six systems through a risk management framework that is intended to help managers make informed decisions about cyber threats, and to prioritize mitigations and responses to threats in the most cost-effective manner.”
In The News
KYIV, Ukraine (AP) — Ukraine's leaders sought to reassure the nation that a feared invasion from neighboring Russia was not... Read More
KYIV, Ukraine (AP) — Ukraine's leaders sought to reassure the nation that a feared invasion from neighboring Russia was not imminent, even as they acknowledged the threat is real and prepared to accept a shipment of American military equipment Tuesday to shore up their defenses. Russia... Read More
WASHINGTON (AP) — President Joe Biden signed the National Defense Authorization Act into law, authorizing $768.2 billion in military spending,... Read More
WASHINGTON (AP) — President Joe Biden signed the National Defense Authorization Act into law, authorizing $768.2 billion in military spending, including a 2.7% pay raise for service members, for 2022. The NDAA authorizes a 5% increase in military spending, and is the product of intense negotiations... Read More
WASHINGTON — The Senate on Wednesday afternoon passed the National Defense Authorization Act, ending a prolonged standoff on amendments, many... Read More
WASHINGTON — The Senate on Wednesday afternoon passed the National Defense Authorization Act, ending a prolonged standoff on amendments, many of which were jettisoned from the final bill. In the end the vote was a decidedly bipartisan 89-10. The bill will now go to President Biden’s... Read More
WASHINGTON— The House on Tuesday evening passed the National Defense Authorization Act, sending it to the Senate after an overwhelmingly... Read More
WASHINGTON— The House on Tuesday evening passed the National Defense Authorization Act, sending it to the Senate after an overwhelmingly bipartisan 363-to-70 vote. The Senate is expected to take the measure up by Friday. In the end, 169 Democrats and 194 Republicans wound up voting for... Read More
WASHINGTON — A federal judge in Washington has set a deadline for next week seeking information in a top Defense... Read More
WASHINGTON — A federal judge in Washington has set a deadline for next week seeking information in a top Defense Department official's lawsuit over why she was released from her job after first losing her security clearance. Katie Arrington oversaw cybersecurity for defense contractors when she... Read More
WASHINGTON — The Department of Defense’s Office of Local Defense Community Cooperation released its report on defense spending by state,... Read More
WASHINGTON — The Department of Defense’s Office of Local Defense Community Cooperation released its report on defense spending by state, revealing the department’s contract obligations and payroll spending across all 50 states and Washington, D.C. The DOD report was published to highlight DOD’s domestic spending figures... Read More