Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks

GAO-04-678 May 25, 2004
Highlights Page (PDF)   Full Report (PDF, 33 pages)   Accessible Text   Recommendations (HTML)

Summary

The Department of Defense (DOD) is increasingly reliant on software and information systems for its weapon capabilities, and DOD prime contractors are subcontracting more of their software development. The increased reliance on software and a greater number of suppliers results in more opportunities to exploit vulnerabilities in defense software. In addition, DOD has reported that countries hostile to the United States are focusing resources on information warfare strategies. Therefore, software security, including the need for protection of software code from malicious activity, is an area of concern for many DOD programs. GAO was asked to examine DOD's efforts to (1) identify software development suppliers and (2) manage risks related to foreign involvement in software development on weapon systems.

DOD acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software. The current acquisition guidance allows program officials discretion in managing foreign involvement in software development, without requiring them to identify and mitigate such risks. Moreover, other policies intended to mitigate information system vulnerabilities focus mostly on operational software security threats, such as external hacking and unauthorized access to information systems, but not on insider threats, such as the insertion of malicious code by software developers. Recent DOD initiatives may provide greater focus on these risks, but to date have not been adopted as practice within DOD. While DOD has begun to recognize potential risks from foreign software content, this is not always the case within the weapon programs where software is developed or acquired. Program officials for the systems in this review did not make foreign involvement in software development a specific element of their risk identification and mitigation efforts. As a result, program officials' knowledge of the foreign-developed software included in their weapon systems varied. In addition, risk mitigation efforts emphasized program-level risks, such as meeting program cost and schedule goals, instead of software security risks. Further, program officials often delegated risk mitigation and source selection to contractors, who are primarily concerned with software functionality and quality assurance rather than with the software security risks of development by foreign suppliers. Unless program officials provide specific guidance, contractors may favor business considerations over the software development security risks associated with using foreign suppliers. As the amount of software on weapon systems increases, it becomes more difficult and costly to test every line of code. Further, DOD cannot afford to monitor all worldwide software development facilities or provide clearances for all potential software developers. Therefore, the program manager must know more about who is developing software, and where, early in the software acquisition process, so that this knowledge can be included as part of software source selection and risk mitigation decisions.
Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Ann Marie Calvaresi Barr
Team: Government Accountability Office: Acquisition and Sourcing Management
Phone: (202) 512-4841

Recommendations for Executive Action

Recommendation: To address risks attributable to software vulnerabilities and threats, the Secretary of Defense should require program managers, working with software assurance experts, acquisition personnel, and other organizations as necessary, to specifically define software security requirements, including those for identifying and managing software suppliers. These requirements should then be communicated as part of the prime development contract, to be used as part of the criteria to select software suppliers.

Agency Affected: Department of Defense

Status: In process

Comments: DOD has several ongoing efforts to manage risks associated with defense software suppliers. Specifically, DOD has two teams (work groups) whose focus is to identify and mitigate risks with defense software suppliers. In its most recent update, AT&L stated that the two teams should help address this recommendation; however, they are in the early phases of development and will begin implementation within the next year. First, DOD's Chief Information Officer is chairing a working group aimed at improving information technology security for prime contractors' employees when working on government contracts from their homes. This working group also includes other federal agencies. Second, DOD's AT&L, Software and Systems Engineering, Software and Systems Assurance Group is chairing a working group called the "Supply Chain Risk Management Policy and Processes Group." Its focus is to create contract requirements that allow for more vetting of suppliers for programs that contain critical defense software requirements. This requirement would be implemented on a program-by-program, contract-by-contract basis. Before implementation, the working group plans to consult with other DOD organizations with experience in supply chain risk management, such as the Defense Trusted Foundry program, to discuss criteria for the attributes that help determine trustworthiness of software suppliers and the challenges faced when implementing the trusted foundry initiative. The working group also plans to hold meetings with its general counsel to seek consultation as to how to build these requirements into the individual contracts without overly constraining the supply chain.

Recommendation: To address risks attributable to software vulnerabilities and threats, the Secretary of Defense should, based on defined software security requirements, require program managers to collect and maintain information on software suppliers, including software from foreign suppliers. This information should be evaluated periodically to assess changes in the status of suppliers and adjustments to program security requirements.

Agency Affected: Department of Defense

Status: In process

Comments: DOD has several ongoing efforts to manage risks associated with defense software suppliers. Specifically, DOD has two teams (work groups) whose focus is to identify and mitigate risks with defense software suppliers. In its most recent update, AT&L stated that the two teams should help address this recommendation; however, they are in the early phases of development and will begin implementation within the next year. First, DOD's Chief Information Officer is chairing a working group aimed at improving information technology security for prime contractors' employees when working on government contracts from their homes. This working group also includes other federal agencies. Second, DOD's AT&L, Software and Systems Engineering, Software and Systems Assurance Group is chairing a working group called the "Supply Chain Risk Management Policy and Processes Group." Its focus is to create contract requirements that allow for more vetting of suppliers for programs that contain critical defense software requirements. This requirement would be implemented on a program-by-program, contract-by-contract basis. Before implementation, the working group plans to consult with other DOD organizations with experience in supply chain risk management, such as the Defense Trusted Foundry program, to discuss criteria for the attributes that help determine trustworthiness of software suppliers and the challenges faced when implementing the trusted foundry initiative. The working group also plans to hold meetings with its general counsel to seek consultation as to how to build these requirements into the individual contracts without overly constraining the supply chain.

Recommendation: To address risks attributable to software vulnerabilities and threats, the Secretary of Defense should require the Office of the Assistant Secretary of Defense for Networks and Information Integration and the Office of the Undersecretary of Defense for Acquisition Technology and Logistics, as part of their role to review, oversee, and formulate security and acquisition practices, to work with other organizations as necessary to ensure that weapon program risk assessments include specific attention to software development risks and threats, including those from foreign suppliers. For example, certification and accreditation processes, such as DITSCAP, should include verification that software development practices contain adequate security measures to address identified risks and threats.

Agency Affected: Department of Defense

Status: In process

Comments: DOD has several ongoing efforts to manage risks associated with defense software suppliers. Specifically, DOD has two teams (work groups) whose focus is to identify and mitigate risks with defense software suppliers. In its most recent update, AT&L stated that the two teams should help address this recommendation; however, they are in the early phases of development and will begin implementation within the next year. First, DOD's Chief Information Officer is chairing a working group aimed at improving information technology security for prime contractors' employees when working on government contracts from their homes. This working group also includes other federal agencies. Second, DOD's AT&L, Software and Systems Engineering, Software and Systems Assurance Group is chairing a working group called the "Supply Chain Risk Management Policy and Processes Group." Its focus is to create contract requirements that allow for more vetting of suppliers for programs that contain critical defense software requirements. This requirement would be implemented on a program-by-program, contract-by-contract basis. This particular working group is in the design phase and plans to begin implementation within the next year. Before implementation, the working group plans to consult with other DOD organizations with experience in supply chain risk management, such as the Defense Trusted Foundry program, to discuss criteria for the attributes that help determine trustworthiness of software suppliers and the challenges faced when implementing the trusted foundry initiative. The working group also plans to hold meetings with its general counsel to seek consultation as to how to build these requirements into the individual contracts without overly constraining the supply chain.