July 26, 2019 —
Publicly released: July 30, 2019
We determined whether the DoD assessed and mitigated cybersecurity risks when purchasing commercial off-the-shelf (COTS) information technology items. Although we primarily focused on Government purchase card (GPC) purchases, we also assessed risks affecting traditional acquisition processes.
The DoD purchases and uses a wide variety of COTS information technology items, such as laptops, software, security cameras, and networking equipment. According to the Federal Acquisition Regulation, a COTS item is a commercial item sold in substantial quantity in the marketplace and offered to the Government in the same form in which it is sold to non-Government customers.
The DoD purchases COTS information technology items through several methods, including the traditional DoD acquisition process and GPCs. The traditional acquisition process is used to purchase COTS information technology items used for DoD programs and large acquisitions, such as weapon systems, aircraft, and command and control systems. COTS information technology items are also purchased through the use of GPCs to make micro-purchases, such as a television or an office printer. Micro-purchases are used for purchasing fixed-price commercial supplies that do not require the cardholder to agree to any terms and conditions other than price and delivery. The GPC program is intended to streamline the small purchase and payment process, minimize paperwork, and simplify the administrative process associated with procuring goods that cost less than the micro-purchase threshold of $10,000.
We determined that the DoD purchased and used COTS information technology items with known cybersecurity risks. Specifically, Army and Air Force GPC holders purchased at least $32.8 million of COTS information technology items, such as Lenovo computers, Lexmark printers, and GoPro cameras, with known cybersecurity vulnerabilities in FY 2018.
The DoD purchased and used COTS information technology items with commonly known cybersecurity risks because the DoD did not establish:
- responsibility for an organization or group to develop a strategy to manage the cybersecurity risks of COTS information technology items;
- acquisition policies that proactively address the cybersecurity risks of COTS information technology items;
- an approved products list to prevent unsecure items from being purchased; and
- controls to prevent the purchase of high-risk COTS information technology items with known cybersecurity risks similar to the controls implemented through the use of the national security systems-restricted list.
As a result, adversaries could exploit known cybersecurity vulnerabilities that exist in COTS items purchased by the DoD. If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised. For example, the Department of State issued a warning in May 2017 against using Hangzhou Hikvision Digital Technology Company and Dahua Technology Company video surveillance equipment, citing cyberespionage concerns from China. Despite the inherent risks associated with their use, DoD Components continued to purchase and use these COTS items to monitor installation security until Congress banned the Government from using them in August 2018. In addition, despite reports from the National Security Agency, DoD Components purchased and used the systems
We recommend that the Secretary of Defense direct an organization or group to develop a risk-based approach to prioritize COTS items for further evaluation, a process to test high-risk COTS items, and a process to prohibit the purchase and use of high-risk COTS items, when necessary, until mitigation strategies can limit the risk to an acceptable level.
In addition, we recommend that the Under Secretary of Defense for Acquisition and Sustainment update or develop and implement:
- DoD acquisition policy to require organizations to review and evaluate cybersecurity risks for high-risk COTS items prior to purchase, regardless of purchase method; and
- GPC program policy and training requirements to include training on common cybersecurity risks for COTS information technology items and the impact of the risks to the mission.
We also recommend that the DoD Chief Information Officer update DoD policy to require an assessment of supply chain risks as a condition for approval to be included on the Unified Capabilities Approved Products List.
Furthermore, we recommend that the Under Secretary of Defense for Acquisition and Sustainment and the DoD Chief Information Officer identify and implement administrative solutions, such as expanding the DoD’s implementation of its authority to prohibit DoD Components from purchasing COTS information technology items that support national security systems from specific manufacturers to reduce supply chain risks and, if those solutions are insufficient to address the issues identified in this report, seek legislative authority to expand the national security system-restricted list (list of COTS items prohibited from being used in national security systems) DoD-wide to include high-risk COTS information technology items used for non-national security systems.
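The deficiencies listed above (no approved products list, no purchase-blocking control outside the national security systems-restricted list) and the recommendations that follow (a risk-based triage of COTS items, a prohibition that applies regardless of purchase method) describe a screening control that can be expressed as code. The example below is added here and is not part of the report or of any DoD system; the approved list, restricted-manufacturer list, high-risk categories and purchase requests are all constructed sample data, and the `screen` and `flagged_spend` functions are hypothetical. The `restricted_list_dod_wide` switch shows the gap the report identifies: when the restricted list is enforced only for national security systems, a restricted manufacturer's item bought for a non-national security system passes through.

```python
"""Screening COTS IT purchase requests against an approved products list and a
restricted-manufacturer list, with a risk-based triage.  Hypothetical example
with constructed data; not DoD code or DoD data."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, Tuple


class Decision(Enum):
    APPROVE = "approve"   # may be bought
    REVIEW = "review"     # route to the evaluating organization before purchase
    BLOCK = "block"       # purchase prohibited


@dataclass(frozen=True)
class PurchaseRequest:
    manufacturer: str
    model: str
    category: str              # e.g. "camera", "printer", "laptop"
    unit_price: float
    quantity: int
    national_security_system: bool   # destined for a national security system?


# The report states the micro-purchase threshold as $10,000.
MICRO_PURCHASE_THRESHOLD = 10_000.0

# Constructed sample lists (placeholders, not real products or vendors).
APPROVED_PRODUCTS: FrozenSet[Tuple[str, str]] = frozenset({
    ("examplevendor", "securecam-100"),
    ("examplevendor", "officeprinter-200"),
})
RESTRICTED_MANUFACTURERS: FrozenSet[str] = frozenset({
    "restrictedvendor-a", "restrictedvendor-b",
})
# Categories the evaluating organization has prioritized for review
# (constructed; the report names cameras, printers and computers as examples).
HIGH_RISK_CATEGORIES: FrozenSet[str] = frozenset({
    "camera", "printer", "network", "laptop", "software",
})


def _norm(value: str) -> str:
    """Normalize free-text vendor/model strings so list lookups are robust."""
    return " ".join(value.split()).lower()


def screen(req: PurchaseRequest, *, restricted_list_dod_wide: bool = True,
           approved: FrozenSet[Tuple[str, str]] = APPROVED_PRODUCTS,
           restricted: FrozenSet[str] = RESTRICTED_MANUFACTURERS,
           high_risk: FrozenSet[str] = HIGH_RISK_CATEGORIES) -> Tuple[Decision, str]:
    """Decide whether a request may proceed.  The purchase method is reported
    for the audit trail but never used to bypass a check: the same screening
    applies to GPC micro-purchases and to traditional acquisitions."""
    mfr, model, cat = _norm(req.manufacturer), _norm(req.model), _norm(req.category)
    total = req.unit_price * req.quantity
    method = "GPC micro-purchase" if total < MICRO_PURCHASE_THRESHOLD else "traditional acquisition"

    # 1. Restricted manufacturers.  With restricted_list_dod_wide=False the
    #    control only covers national security systems, which is the gap the
    #    report describes.
    if mfr in restricted and (restricted_list_dod_wide or req.national_security_system):
        return Decision.BLOCK, f"{method}: manufacturer on restricted list"

    # 2. Items already evaluated and placed on the approved products list.
    if (mfr, model) in approved:
        return Decision.APPROVE, f"{method}: on approved products list"

    # 3. Risk-based triage: high-risk categories not yet evaluated go to review.
    if cat in high_risk:
        return Decision.REVIEW, f"{method}: high-risk category not on approved list"

    return Decision.APPROVE, f"{method}: low-risk category"


def flagged_spend(requests: Iterable[PurchaseRequest], **kwargs) -> float:
    """Dollar value of requests that would be blocked or sent to review; the
    kind of figure an audit would report for purchases that slipped through."""
    return sum(r.unit_price * r.quantity for r in requests
               if screen(r, **kwargs)[0] is not Decision.APPROVE)


if __name__ == "__main__":
    sample = [
        PurchaseRequest("RestrictedVendor-A", "IPCam-5", "camera", 250.0, 4, False),
        PurchaseRequest("ExampleVendor", "SecureCam-100", "camera", 300.0, 2, False),
        PurchaseRequest("SomeVendor", "TV-55", "television", 600.0, 1, False),
    ]
    for r in sample:
        print(r.manufacturer, r.model, *screen(r))
    print("flagged spend (DoD-wide restricted list):", flagged_spend(sample))
```

Running the module screens three constructed requests; with the restricted list enforced DoD-wide the camera from the restricted vendor is blocked even though it is a sub-threshold GPC purchase for a non-national security system, and `flagged_spend` totals the value of everything that did not clear screening.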
Management Comments and Our Response
Comments from the Under Secretary and Chief Information Officer did not address the specifics of the recommendation to develop a risk-based approach to prioritize COTS items for further evaluation, a process to test high-risk COTS items, and a process to prohibit the purchase and use of high-risk COTS items, when necessary, until mitigation strategies can limit the risk to an acceptable level. Responsibility for identifying, testing, and mitigating cybersecurity risks is decentralized among many organizations with overlapping responsibilities, and the risk identification processes are not effective at identifying high-risk COTS items that are used DoD-wide and ensuring that all high-risk COTS items are tested. Therefore, the recommendations are unresolved, and the Acting Secretary of Defense, Under Secretary of Defense for Acquisition and Sustainment, or DoD Chief Information Officer should provide additional comments identifying specific actions to address the recommendation.
The Under Secretary of Defense for Acquisition and Sustainment agreed with the recommendations to update DoD acquisition policy and GPC policy and training requirements, stating that she will update DoD acquisition policy and GPC program policy and training. In addition, the DoD Chief Information Officer agreed with the recommendation to update DoD policy to require an assessment of supply chain risks as a condition for approval to be included on the Unified Capabilities Approved Products List.
The Under Secretary of Defense for Acquisition and Sustainment and DoD Chief Information Officer agreed with the intended outcome of the recommendation to expand legal authorities to include high-risk COTS information technology items used for non-national security systems.
This report is a result of Project No. D2018-D000CR-0113.000.