DoD Inspector General Looks at Department’s Commercial IT Product Security

Jeff Brody

The Department of Defense's Office of the Inspector General conducted an audit to verify whether DoD assesses cybersecurity risks in commercial off-the-shelf information technology products.

The audit found that DoD uses COTS IT products with commonly known cyber vulnerabilities because it lacks associated policy, strategy and product standards, DoD IG said in a report publicly released Tuesday.

The study looked at procurements made via government purchase cards (GPCs) and found that the U.S. Army and U.S. Air Force made a combined $32.8M in IT product purchases with GPCs in fiscal 2018.

These purchases include Lenovo computers and GoPro cameras that carry cybersecurity risks.

DoD IG recommends that the secretary of defense order the development of a risk-based evaluation approach for COTS items, an associated testing procedure and a process to prevent purchases of high-risk products.

The office also urges the undersecretary of defense for acquisition and sustainment to implement policy that requires organizations to assess cyber risks in COTS products. The recommendation also calls for the establishment of requirements for cybersecurity risk training.
