DoD Inspector General Looks at Department’s Commercial IT Product Security

Jeff Brody

The Department of Defense's Office of the Inspector General conducted an audit to verify whether DoD assesses cybersecurity risks in commercial off-the-shelf information technology products.

The audit found that DoD uses COTS IT products with commonly known cybersecurity vulnerabilities, and attributed this to the absence of an associated policy, strategy and product standards, DoD IG said in a report publicly released Tuesday.

The study examined procurements made via government purchase cards and found that the U.S. Army and U.S. Air Force together made $32.8M in IT product purchases with GPCs in fiscal 2018.

These purchases included Lenovo computers and GoPro cameras that carry known cybersecurity risks.

DoD IG recommends that the secretary of defense direct the development of a risk-based evaluation approach for COTS items, an associated testing procedure and a process to prevent purchases of high-risk products.

The office also urges the undersecretary of defense for acquisition and sustainment to implement a policy requiring organizations to assess cybersecurity risks in COTS products. The recommendation also calls for establishing requirements for cybersecurity risk training.
