Defense Supply Chain Management Systems Are Vulnerable, GAO Says

June 24, 2021 by Reece Nations

WASHINGTON — The Government Accountability Office issued a report this week addressing cybersecurity vulnerabilities in the Department of Defense inventory management systems used to manage the national defense supply chain.

Risks in six inventory management systems run by the Defense Logistics Agency were reviewed in the report, along with what steps have already been taken to mitigate the potential danger. GAO has identified defense cybersecurity as a high-risk area since 1997.

“To carry out the agency’s missions and account for its resources, DLA relies on information systems to access and manage supply chain, inventory, and other logistics data,” GAO officials wrote in a letter to the House Committee on Armed Services. “As such, the security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being. However, cyber-based intrusions and attacks on both federal and nonfederal systems have become not only more numerous and diverse, but also more damaging and disruptive.”

GAO issued a series of five recommendations in the report, ranging from revising standard operating procedures to include system-specific monitoring strategies to ensuring the DLA director incorporates residual risk information in corrective action plans. 

Another recommendation directs the DLA director to update and institute an assessment plan approval process, ensuring a designated authorizing official reviews and approves system assessment plans before the system’s evaluation.

The office also wants the DLA director to revise and carry out the agency’s process for obtaining waivers that accept “identified ongoing risk,” including 338 pending corrective action plans still awaiting waivers. 

Another recommendation of the report directs the DLA Cybersecurity Office to design and produce a process for program offices to review the consistency and completeness of authorization documentation before submitting packages to the designated authorizing officials.

“We supplemented our analysis of documents and data by interviewing officials in DLA’s Cybersecurity Office and the system program offices about their efforts to assess, document, and review security controls for their respective systems,” the GAO report read. “We then made determinations about the extent to which each system’s program office had fully addressed, partially addressed, or not addressed all aspects of the required tasks for the risk management step based on the documents and data provided.”

Of the five recommendations in the report, DLA agreed with two and partially agreed with three. DLA issued partial concurrences with the recommendations and advised a revision of standard operating procedures, the instituting of the assessment plan approval process, and the creation of a process for reviewing authorization documentation.

DLA disagreed that there weren’t monitoring strategies determining the effectiveness of security controls and that there were “missed opportunities for risk-based decisions” regarding authorization issuances. It also did not agree that there is no process for reviewing authorization documentation before submitting requests for authorization.

GAO found the agency only fully addressed and remedied two of its six risk management steps for the inventory management systems: the categorization of systems and establishing an implementation approach. According to the report, the DLA partially addressed the selection of security controls, assessment of the controls, and system authorization and monitoring of security controls.

Until the DLA addresses all of the identified deficiencies, the agency’s control over cyber risks presented to critical systems will be “impeded and potentially pose risks to other DOD systems” should the DLA systems be compromised.

“This report does not address the extent to which DLA and the selected systems’ countermeasures are able to successfully prevent certain cyberattacks,” the report’s text continued. “Rather, it focuses on DLA’s efforts to manage the cybersecurity of these six systems through a risk management framework that is intended to help managers make informed decisions about cyber threats, and to prioritize mitigations and responses to threats in the most cost-effective manner.” 
