DoD Inspector General Looks at Department’s Commercial IT Product Security

Jeff Brody

The Department of Defense's Office of the Inspector General conducted an audit to verify whether DoD assesses cybersecurity risks in commercial off-the-shelf information technology products.

The audit found that DoD uses COTS IT products with commonly known cyber vulnerabilities because of a lack of associated policy, strategy and product standards, DoD IG said in a report publicly released Tuesday.

The study looked at procurements made via government purchase cards (GPCs) and found that the U.S. Army and U.S. Air Force made a combined $32.8M in IT product purchases with GPCs in fiscal 2018.

These purchases include Lenovo computers and GoPro cameras that carry cybersecurity risks.

DoD IG recommends that the secretary of defense order the development of a risk-based evaluation approach for COTS items, an associated testing procedure and a process to prevent purchases of high-risk products.

The office also urges the undersecretary of defense for acquisition and sustainment to implement policy that requires organizations to assess cyber risks in COTS products. The recommendation also calls for the establishment of requirements for cybersecurity risk training.
