Defense Cybersecurity: Defense Logistics Agency Needs to Address Risk Management Deficiencies in Inventory Systems
A Department of Defense task force concluded in 2018 that DOD's inventory management systems were potentially vulnerable to attack. These systems, run by the Defense Logistics Agency, are used to manage the defense supply chain.
We reviewed efforts to reduce the risks in 6 inventory management systems. The agency has taken some prescribed risk management actions but could do more. For example, we found 69% of its plans to fix identified security weaknesses were not carried out on time.
We made 5 recommendations to improve the cybersecurity of these systems.
U.S. cybersecurity has been a topic on our High Risk List since 1997.
What GAO Found
For six selected inventory management systems that support processes for procuring, cataloging, distributing, and disposing of materiel, the Defense Logistics Agency (DLA) fully addressed two of the Department of Defense's (DOD) six cybersecurity risk management steps and partially addressed the other four. Specifically, the agency categorized the systems based on risk and established an implementation approach for security controls. However, it only partially addressed the four risk management steps of selecting, assessing, authorizing, and monitoring security controls (see figure).
Extent to Which the Defense Logistics Agency Addressed the Department of Defense's Risk Management Steps for Six Selected Inventory Management Systems
• Select security controls: DLA selected specific security controls, but it did not develop system-level monitoring strategies to assess the effectiveness of selected security controls for three of the six systems GAO assessed. DOD's risk management framework requires components to develop a system-specific monitoring strategy during the security control selection step.
• Assess security controls: DLA assessed the security controls for the six selected inventory management systems, but its assessment procedures lacked approvals, as required. As a result, GAO found that DLA's assessment plans lacked essential details and missed opportunities for risk-based decisions.
• Authorize the system: DLA authorized the selected systems, but it did not report complete and consistent security and risk assessment information to support decisions. GAO found that DLA had not established a process for program offices to review authorization documentation prior to submitting packages to the authorizing official.
• Monitor security controls: DLA did not consistently monitor the remediation of identified security weaknesses across its six inventory management systems. As a result, GAO found that 1,115 of the 1,627 corrective action plans (69 percent) for the six systems did not complete intended remediation within DLA's required time frame of 365 days or less; they were ongoing for an average of 485 days.
Until DLA addresses the identified deficiencies, the agency's management of cyber risks for critical systems will be impeded and potentially pose risks to other DOD systems that could be accessed if DLA's systems are compromised.
Why GAO Did This Study
In November 2018, DOD's Survivable Logistics Task Force examined current and emerging threats to DOD logistics, including cybersecurity threats. The task force concluded that DOD's inventory management systems were potentially vulnerable to cyberattacks, and that DOD did not have corrective action plans to mitigate the potential risks posed by associated vulnerabilities.
House Report 116-120, accompanying a bill for the National Defense Authorization Act for Fiscal Year 2020, included a provision for GAO to evaluate DOD's efforts to manage cybersecurity risks to the DOD supply chain. GAO's report determines the extent to which DLA has implemented risk management steps to address cybersecurity risks to its inventory management systems. GAO selected six systems that DLA officials deemed critical to inventory management operations. GAO reviewed documents, analyzed data, and interviewed officials to determine whether DLA fully addressed, partially addressed, or did not address DOD steps for cybersecurity risk management.
GAO is making five recommendations for DLA to address shortfalls in its critical inventory management systems' adherence to DOD cybersecurity risk management steps. DLA agreed with two and partially agreed with three recommendations. GAO continues to believe all its recommendations are still warranted.
Recommendations for Executive Action
Department of Defense: The Secretary of Defense should ensure that the Director of DLA revises its standard operating procedures to require program offices to develop a system-specific monitoring strategy that is consistent with DOD's risk management framework and related NIST guidance. (Recommendation 1)
DOD partially concurred with our April 2021 recommendation, but acknowledged the need to update the DLA Risk Management Framework Standard Operating Procedure (DLA RMF SOP) to explicitly require each system to document its system-level continuous monitoring strategy as part of the Implementation Plan in the Enterprise Mission Assurance Support Service (eMASS). This system-level continuous monitoring strategy would document any system-level monitoring in addition to the DLA Enterprise Continuous Monitoring Schedule. The expected completion date for this action is December 31, 2021.
Department of Defense: The Secretary of Defense should ensure that the Director of DLA revises and implements an assessment plan approval process that ensures that a designated authorizing official reviews and approves system assessment plans prior to a system being assessed. (Recommendation 2)
DOD partially concurred with our April 2021 recommendation, and acknowledged there were missed opportunities for risk-based decisions. The department stated that it will update the DLA RMF SOP to require that the Security Plan (which contains the assessment plan) be approved prior to any assessment or validation activities being performed. DLA will utilize the Security Plan Approval workflow in eMASS to ensure that the Authorizing Official or Authorizing Official Designated Representative approves the Security Plan. The expected completion date for this action is May 1, 2022.
Department of Defense: The Secretary of Defense should ensure that the Director of DLA directs the DLA Cybersecurity Office to establish a process for program offices to review the consistency and completeness of authorization documentation prior to submitting the package to the designated authorizing officials. (Recommendation 3)
DOD partially concurred with our April 2021 recommendation, but acknowledged there were missing Plan of Action and Milestones (POA&M) items in eMASS. In response to our recommendation, DLA established a robust POA&M approval process that requires every system to submit new POA&M items for approval on a quarterly basis. Part of that approval is to ensure all elements of the POA&M items are completed properly and thoroughly. Additionally, eMASS has made those POA&M elements required fields that must be filled out when creating new POA&M items, and DLA has also ensured that all existing DLA-owned ongoing POA&M items have these POA&M fields populated.
Department of Defense: The Secretary of Defense should ensure that the Director of DLA revises and implements the agency's process for obtaining waivers that accept identified ongoing risk, including the 338 corrective action plans awaiting waivers. (Recommendation 4)
DOD concurred with our April 2021 recommendation. The department stated that it has successfully implemented its process for approving waivers (which DOD refers to as Authorizing Official Risk Acceptance (AORA)) and its Aged POA&M process in eMASS. The AORA process has reduced the approval timeline from eight months to 60 days. Additionally, for aged POA&M items that have been ongoing for more than 365 days, additional documentation from the Program Manager and, in some cases, the Portfolio Manager must be provided in the approval request. This ensures additional management visibility and ownership in closing out the ongoing POA&M items.
Department of Defense: The Secretary of Defense should ensure that the Director of DLA includes required information, such as residual risk levels, in corrective action plans. (Recommendation 5)
DOD concurred with our April 2021 recommendation. The department stated that DLA has established a robust POA&M approval process that requires every system to submit new POA&M items for approval on a quarterly basis and to ensure all elements of the POA&M items are completed properly and thoroughly. Additionally, eMASS has made those POA&M elements required fields that must be filled out when creating new POA&M items. DLA has also ensured that all existing DLA-owned ongoing POA&M items have these POA&M fields populated.