
Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks

GAO-04-678 Published: May 25, 2004. Publicly Released: May 25, 2004.

Highlights

The Department of Defense (DOD) is increasingly reliant on software and information systems for its weapon capabilities, and DOD prime contractors are subcontracting more of their software development. The increased reliance on software and a greater number of suppliers results in more opportunities to exploit vulnerabilities in defense software. In addition, DOD has reported that countries hostile to the United States are focusing resources on information warfare strategies. Therefore, software security, including the need for protection of software code from malicious activity, is an area of concern for many DOD programs. GAO was asked to examine DOD's efforts to (1) identify software development suppliers and (2) manage risks related to foreign involvement in software development on weapon systems.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Defense
Recommendation: To address risks attributable to software vulnerabilities and threats, the Secretary of Defense should require program managers, working with software assurance experts, acquisition personnel, and other organizations as necessary, to specifically define software security requirements, including those for identifying and managing software suppliers. These requirements should then be communicated as part of the prime development contract, to be used as part of the criteria to select software suppliers.
Status: Closed – Not Implemented
Comments: DOD had several ongoing efforts to manage risks associated with defense software suppliers through departmentwide information security efforts, but these did not result in specific actions to address this recommendation. As of May 2011, AT&L declined to provide information on the status of these efforts and the DOD IG considered it closed, unimplemented.

Agency Affected: Department of Defense
Recommendation: To address risks attributable to software vulnerabilities and threats, the Secretary of Defense should, based on defined software security requirements, require program managers to collect and maintain information on software suppliers, including software from foreign suppliers. This information should be evaluated periodically to assess changes in the status of suppliers and adjustments to program security requirements.
Status: Closed – Not Implemented
Comments: DOD had several ongoing efforts to manage risks associated with defense software suppliers through departmentwide information security efforts, but these did not result in specific actions to address this recommendation. As of May 2011, AT&L declined to provide information on the status of these efforts and the DOD IG considered it closed, unimplemented.

Agency Affected: Department of Defense
Recommendation: To address risks attributable to software vulnerabilities and threats, the Secretary of Defense should require the Office of the Assistant Secretary of Defense for Networks and Information Integration and the Office of the Undersecretary of Defense for Acquisition, Technology and Logistics, as part of their role to review, oversee, and formulate security and acquisition practices, to work with other organizations as necessary to ensure that weapon program risk assessments include specific attention to software development risks and threats, including those from foreign suppliers. For example, certification and accreditation processes, such as DITSCAP, should include verification that software development practices contain adequate security measures to address identified risks and threats.
Status: Closed – Not Implemented
Comments: DOD had several ongoing efforts to manage risks associated with defense software suppliers through departmentwide information security efforts, but these did not result in specific actions to address this recommendation. As of May 2011, AT&L declined to provide information on the status of these efforts and the DOD IG considered it closed, unimplemented.

Full Report

GAO Contacts

William T. Woods
Director
Contracting and National Security Acquisitions

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Classified defense information, Defense procurement, Foreign policies, Information access, Information systems, Information technology, Malicious code, Procurement policy, Security policies, Security threats, Software, Weapons systems, System vulnerabilities