Report | July 1, 2021

Audit of the Cybersecurity of Department of Defense Additive Manufacturing Systems (DODIG-2021-098)

Audit

Publicly Released: July 7, 2021

Objective

The objective of this audit was to determine whether DoD Components secured additive manufacturing (AM) systems to prevent unauthorized changes and ensure the integrity of the design data. AM systems are printers and computer workstations used to develop three-dimensional (3‑D) products.

 

Background

AM creates 3‑D physical objects by adding layers of material from a digital description of the product’s design. AM is used to build physical models, prototypes, patterns, and production parts in plastic, metal, ceramic, and glass. The DoD uses AM to improve its logistics support and increase materiel readiness. For example, the DoD uses AM to create molds for personal protection body armor, parts for tactical vehicles, brackets for weapons systems, and medical implants and prostheses (artificial body parts). The DoD also uses AM to create spare parts on demand, which reduces the need to store or maintain large on hand inventories, allowing units to relocate quickly if mission requirements change.

 

Findings

DoD Component officials at the five sites we reviewed did not consistently secure or manage their AM systems to prevent unauthorized changes and ensure the integrity of the design data. Officials at the five sites generally had controls in place or corrected the minor deficiencies we identified for managing user accounts, configuring authentication factors, accounting for AM assets, and implementing physical security controls.

The DoD Components did not consistently secure or manage their AM systems or design data because AM users considered the AM systems as “tools” to generate supply parts instead of information technology systems that required cybersecurity controls. In addition, the DoD Components incorrectly categorized the AM systems as stand-alone systems and erroneously concluded that the systems did not require an authority to operate.

As a result, DoD Components were unaware of existing AM system vulnerabilities that exposed the DoD Information Network to unnecessary cybersecurity risks. Unless the DoD properly protects the confidentiality and integrity of its AM systems and design data, internal or external malicious actors could compromise AM systems to steal the design data or gain access to the DoD Information Network. The compromise of AM design data could allow an adversary to re-create and use DoD’s technology to the adversary’s advantage on the battlefield. In addition, if malicious actors change the AM design data, the changes could affect the end strength and utility of the 3D-printed products.

 

Recommendations

We recommend that the DoD Chief Information Officer (CIO), in coordination with the Under Secretary of Defense for Research and Engineering (USD[R&E]), and the Under Secretary of Defense for Acquisition and Sustainment (USD[A&S]), include additive manufacturing systems in the information technology systems portfolio and establish and maintain cybersecurity controls in accordance with Federal and DoD guidance.

We recommend that the DoD Chief Information Officer require AM system owners to immediately identify and implement security controls to minimize risk until obtaining an authority to operate.

We recommend that the DoD Chief Information Officer and the DoD Component CIOs, in coordination with designated AM Leads, require all AM systems to obtain an authority to operate in accordance with DoD policy before their use.

Finally, we recommend that the DoD Component Commanders or Director update all AM computer operating systems to Windows 10, or obtain an approved waiver; scan all AM systems for vulnerabilities, or have exceptions to regularly scanning documented in an approved authority to operate; and label, secure, and scan, as applicable, all removable media devices connected to AM systems in accordance with DoD guidance.

 

Management Comments and Our Response

The DoD CIO disagreed that cybersecurity guidance should be established for AM systems, stating that DoD Instructions 8500.01 and 8510.01 require all systems, including AM systems, to apply cybersecurity controls and undergo a final risk determination and authorization decision. We agree with the DoD CIO that DoD Instructions 8500.01 and 8510.01 are applicable to all information systems; however, the AM system owners did not consider the AM systems as information systems and to reduce the risk of continued noncompliance, specific guidance is needed. Further, although the DoD CIO disagreed, the actions taken and planned by the USD(R&E), USD(A&S), and the DoD Components meet the intent of the recommendation. Therefore, we will close the recommendation once the USD(R&E) and USD(A&S) provide copies of guidance requiring AM systems to be included in the information technology portfolio and to be in compliance with Federal and DoD cybersecurity controls.

The DoD Component CIOs, in coordination with designated AM Leads, agreed to require all AM systems to obtain an authority to operate in accordance with DoD policy before use, unless a waiver is granted. We will close the recommendation once the DoD Component CIOs provide approved guidance requiring all AM systems to obtain an authority to operate.

The DoD Component Commanders or Director agreed to update all AM computer operating systems to Windows 10, or obtain a waiver; scan all AM systems for vulnerabilities or have an exception; and label, secure, and scan all applicable removable media devices connected to AM systems in accordance with DoD guidance. We will close the recommendations once the DoD Components Commanders or Director provide documentation showing that all AM computers are using the Windows 10 operating system; all AM systems have been scanned for vulnerabilities; and, removable media devices have been labelled, secured, and scanned in accordance with DoD guidance.

 

This report is the result of Proj. No. D2019-D000CU-0142.