Audit of the Department of Defense’s (DoD) Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items DoDIG-2019-106View full audit
The objective of this audit was to determine whether the DoD assessed and mitigated cybersecurity risks when purchasing commercial off-the-shelf (COTS) information technology items. Although primarily focused on government purchase card (GPC) purchases, it also assessed risks affecting traditional acquisition processes.
It was recommended that:
- The Secretary of Defense direct an organization or group to develop a risk-based approach to prioritize COTS items for further evaluation, a process to test high-risk COTS items and a process to prohibit the purchase and use of high-risk COTS items, when necessary, until mitigation strategies can limit the risk to an acceptable level.
- The Under Secretary of Defense for Acquisition and Sustainment update or develop and implement:
- DoD acquisition policy to require organizations to review and evaluate cybersecurity risks for high-risk COTS items prior to purchase, regardless of purchase method.
- GPC program policy and training requirements to include training on common cybersecurity risks for COTS information technology items and the impact of the risks to the mission.
- The DoD Chief Information Officer should consider updating DoD policy to require an assessment of supply chain risks as a condition for approval to be included on the Unified Capabilities Approved Products List.
- The Under Secretary of Defense for Acquisition and Sustainment and the DoD Chief Information Officer identify and implement administrative solutions, such as expanding the DoD’s implementation of its authority to prohibit DoD Components from purchasing COTS information technology items that support national security systems from specific manufacturers to reduce supply chain risks and, if those solutions are insufficient to address the issues identified in this report, seek legislative authority to expand the national security system-restricted list (list of COTS items prohibited from being used in national security systems) DoD-wide to include high-risk COTS information technology items used for non-national security systems.