Defense Acquisitions:

Knowledge of Software Suppliers Needed to Manage Risks

GAO-04-678: Published: May 25, 2004. Publicly Released: May 25, 2004.

Additional Materials:

Contact:

William T. Woods
(202) 512-4841
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Department of Defense (DOD) is increasingly reliant on software and information systems for its weapon capabilities, and DOD prime contractors are subcontracting more of their software development. The increased reliance on software and a greater number of suppliers results in more opportunities to exploit vulnerabilities in defense software. In addition, DOD has reported that countries hostile to the United States are focusing resources on information warfare strategies. Therefore, software security, including the need for protection of software code from malicious activity, is an area of concern for many DOD programs. GAO was asked to examine DOD's efforts to (1) identify software development suppliers and (2) manage risks related to foreign involvement in software development on weapon systems.

DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software. The current acquisition guidance allows program officials discretion in managing foreign involvement in software development, without requiring them to identify and mitigate such risks. Moreover, other policies intended to mitigate information system vulnerabilities focus mostly on operational software security threats, such as external hacking and unauthorized access to information systems, but not on insider threats, such as the insertion of malicious code by software developers. Recent DOD initiatives may provide greater focus on these risks, but to date have not been adopted as practice within DOD. While DOD has begun to recognize potential risks from foreign software content, this is not always the case within the weapon programs where software is developed or acquired. Program officials for the systems in this review did not make foreign involvement in software development a specific element of their risk identification and mitigation efforts. As a result, program officials' knowledge of the foreign developed software included in their weapon systems varied. In addition, risk mitigation efforts emphasized program level risks, such as meeting program cost and schedule goals, instead of software security risks. Further, program officials often delegated risk mitigation and source selection to contractors who are primarily concerned with software functionality and quality assurance, rather than specifically addressing software security for development risks associated with foreign suppliers. Unless program officials provide specific guidance, contractors may favor business considerations over potential software development security risks associated with using foreign suppliers. As the amount of software on weapon systems increases, it becomes more difficult and costly to test every line of code. Further, DOD cannot afford to monitor all worldwide software development facilities or provide clearances for all potential software developers. Therefore, the program manager must know more about who is developing software and where early in the software acquisition process, so that it can be included as part of software source selection and risk mitigation decisions.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To address risks attributable to software vulnerabilities and threats, the Secretary of Defense should require program managers, working with software assurance experts, acquisition personnel, and other organizations as necessary, to specifically define software security requirements, including those for identifying and managing software suppliers. These requirements should then be communicated as part of the prime development contract, to be used as part of the criteria to select software suppliers.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DOD had several ongoing efforts to manage risks associated with defense software suppliers through departmentwide information security efforts, but these did not result in specific actions to address this recommendation. As of May 2011, AT&L declined to provide information on the status of these efforts and the DOD IG considered it closed, unimplemented.

    Recommendation: To address risks attributable to software vulnerabilities and threats, the Secretary of Defense should based on defined software security requirements, require program managers to collect and maintain information on software suppliers, including software from foreign suppliers. This information should be evaluated periodically to assess changes in the status of suppliers and adjustments to program security requirements.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DOD had several ongoing efforts to manage risks associated with defense software suppliers through departmentwide information security efforts, but these did not result in specific actions to address this recommendation. As of May 2011, AT&L declined to provide information on the status of these efforts and the DOD IG considered it closed, unimplemented.

    Recommendation: To address risks attributable to software vulnerabilities and threats, the Secretary of Defense should require the Office of the Assistant Secretary of Defense for Networks and Information Integration and the Office of the Undersecretary of Defense for Acquisition Technology and Logistics, as part of their role to review, oversee, and formulate security and acquisition practices, to work with other organizations as necessary to ensure that weapon program risk assessments include specific attention to software development risks and threats, including those from foreign suppliers. For example, certification and accreditation processes, such as DITSCAP, should include verification that software development practices contain adequate security measures to address identified risks and threats.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DOD had several ongoing efforts to manage risks associated with defense software suppliers through departmentwide information security efforts, but these did not result in specific actions to address this recommendation. As of May 2011, AT&L declined to provide information on the status of these efforts and the DOD IG considered it closed, unimplemented.

    Apr 11, 2014

    Apr 10, 2014

    Apr 9, 2014

    Apr 8, 2014

    Apr 3, 2014

    Apr 2, 2014

    Apr 1, 2014

    Mar 31, 2014

    Looking for more? Browse all our products here