An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

Report | Feb. 10, 2021

Audit of Cybersecurity Requirements for Weapon Systems in the Operations and Support Phase of the Department of Defense Acquisition Life Cycle (DODIG-2021-051)

Audit

Publicly Released: February 12, 2021

Objective

The objective of this audit was to determine whether DoD Components took action to update cybersecurity requirements for weapon systems in the Operations and Support (O&S) phase of the acquisition life cycle, based on publicly acknowledged or known cybersecurity threats and intelligence-based cybersecurity threats.

Background

A weapon system is a combination of one or more weapons with related equipment, materials, services, and personnel, and with means of delivery and deployment. The threats to weapon systems include equipment failure, environmental disruptions, human or machine errors, and purposeful attacks, such as cyber attacks. When successful, attacks on weapon systems can result in the loss of the confidentiality, integrity, and availability of information processed, stored, and transmitted by those systems.

The DoD acquisition life cycle consists of five phases— Materiel Solution Analysis, Technology Maturation and Risk Reduction, Engineering and Manufacturing Development, Production and Deployment, and O&S. The O&S phase focuses on the cost-effectiveness of the support functions that sustain the system and the disposal of the system when it reaches the end of its life. The acquisition process also requires DoD Components to comply with the DoD Risk Management Framework (RMF) to improve cybersecurity and mitigate cybersecurity risks throughout the acquisition life cycle. The Risk Management Framework requires an authorization to operate for systems that receive, process, store, display, or transmit DoD information (unclassified and classified).

Finding

Program officials for the five DoD weapon systems that we assessed complied with Risk Management Framework requirements and obtained an authorization to operate. The officials also took actions to update cybersecurity requirements during the O&S phase of the acquisition life cycle based on publicly acknowledged or known cybersecurity threats and intelligence-based cybersecurity threats. Specifically, officials from the Army, Navy, Air Force, and U.S. Special Operations Command regularly obtained and analyzed cyber threats from various intelligence agencies to assess potential operational impacts to the weapon systems, and, based on their analysis, updated cybersecurity requirements to account for additional countermeasures implemented or needed to protect the weapon systems from the identified threats.

We identified best practices employed by program officials that ensured that information gathered and analysis performed was sufficient to identify and mitigate potential malicious activity, cyber vulnerabilities, and threats; and assess the effectiveness of protection measures within the weapon system for data and cyber resiliency. For example, the program officials formed intelligence-based working groups, conducted cyber tabletop exercises, and regularly completed cyber threat and risk assessments to mitigate the DoD’s susceptibility to cybersecurity threats to weapon systems.

Because the O&S phase of the acquisition life cycle may last for years, DoD Components must continue to emphasize the protection of weapon systems by mitigating cyber threats throughout the O&S phase. For example, the B-2 Spirit Bomber, one of the weapon systems that we assessed, has been in the O&S phase for 16 years. Program officials for all weapon systems should consider the best practices described in this report when developing plans and procedures for reducing cybersecurity risks within their programs.

Recommendations

We did not make any recommendations in this report

Management Comments and Our Response

We did not make recommendations; therefore, no management comments are required.

This report is a result of Project No. D2019-D000CR-0146.000.