This is the accessible text file for GAO report number GAO-05-17 entitled 'Foreign Military Sales: DOD Needs to Take Additional Actions to Prevent Unauthorized Shipments of Spare Parts' which was released on November 09, 2004. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Secretary of Defense: United States Government Accountability Office: GAO: November 2004: Foreign Military Sales: DOD Needs to Take Additional Actions to Prevent Unauthorized Shipments of Spare Parts: GAO-05-17: GAO Highlights: Highlights of GAO-05-17, a report to the Secretary of Defense: Why GAO Did This Study: Under Department of Defense (DOD) policy, the export of classified and controlled spare parts must be managed to prevent their release to foreign countries that may use them against U.S. interests. GAO has issued a series of reports on the foreign military sales program in which weaknesses in the military services’ internal controls were identified. This report highlights (1) a systemic problem that GAO identified in the internal controls of the military services’ requisition-processing systems and (2) a potential best practice that GAO identified in one service that provides an additional safeguard over foreign military sales of classified and controlled parts. What GAO Found: At the time GAO conducted its reviews, the Army, the Navy, and the Air Force were not testing their automated requisition-processing systems to ensure that the systems were accurately reviewing and approving blanket order requisitions for compliance with restrictions on the sale of classified and controlled spare parts and operating in accordance with foreign military sales policies. Blanket order requisitions are based on agreements between the U.S. government and a foreign country for a specific category of items for which foreign military sales customers will have a recurring need. GAO’s tests of the services’ requisition-processing systems showed that classified and controlled spare parts that the services did not want to be released to foreign countries under blanket orders were being released. GAO’s internal control standards require periodic testing of new and revised software to ensure that it is working correctly, while the Office of Management and Budget’s internal control standards require periodic reviews to determine how mission requirements might have changed and whether the information systems continue to fulfill ongoing and anticipated mission requirements. DOD either concurred or partially concurred with GAO’s recommendations for testing the requisition-processing systems. The department, however, does not have a plan specifying the remedial actions to be taken to implement these recommendations. Internal control standards requiring testing also will be applicable to the Case Execution Management Information System, an automated requisition-processing system that DOD and the military services are developing to replace the existing individual military service systems. The Army’s automated requisition-processing system incorporates a potential best practice that helps to prevent the release of classified or controlled parts that are not authorized under blanket orders to foreign countries. The automated systems used by the Navy and the Air Force allow country managers to override system decisions not to release to foreign countries classified or controlled parts that are requisitioned under blanket orders. GAO found instances where Navy and Air Force country managers overrode the systems’ decisions without documenting their reasons for doing so. In contrast, the Army’s system automatically cancels requisitions that are made under blanket orders for classified or controlled parts. Because the requisitions are automatically canceled, country managers do not have an opportunity to override the system’s decisions. Compared with the Navy‘s and the Air Force’s systems, the Army’s system provides more stringent protection against releasing classified or controlled parts that are not authorized under blanket orders to foreign countries. What GAO Recommends: GAO recommends that DOD (1) develop specific plans to institute the required testing of the services’ automated requisition-processing systems; (2) incorporate, as appropriate, required testing in the development of the Case Execution Management Information System; and (3) determine whether the Army system’s capability to reject requisitions for classified and controlled parts that are made under blanket orders is a best practice that should be applied to the Navy’s and the Air Force’s systems. DOD generally concurred with the recommendations. www.gao.gov/cgi-bin/getrpt?GAO-05-17. To view the full product, including the scope and methodology, click on the link above. For more information, contact William M. Solis at (202) 512-8365 or solisw@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Testing of the Requisition-Processing Systems Is Needed to Improve Internal Controls for Foreign Military Sales: Army's Practice Provides More Stringent Protection against the Improper Release of Parts to Foreign Countries: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Comments from the Department of Defense: Abbreviations: DOD: Department of Defense: GAO: Government Accountability Office: United States Government Accountability Office: Washington, DC 20548: November 9, 2004: The Honorable Donald H. Rumsfeld: The Secretary of Defense: Dear Mr. Secretary: In response to a request from Senator Tom Harkin, we issued a series of reports[Footnote 1] in which we analyzed Army, Navy, and Air Force internal controls[Footnote 2] over foreign military sales of classified and controlled cryptographic parts[Footnote 3] requisitioned under blanket order cases.[Footnote 4] Under Department of Defense (DOD) and service policy, the export of classified and controlled parts must be managed to prevent their release to foreign countries that may use them against U.S. interests. We assessed and tested whether key internal controls, including the automated systems used by the services to process requisitions received under blanket orders, adequately restricted blanket order sales of classified and controlled spare parts to foreign countries, and we determined whether periodic tests were conducted to ensure that the services' systems were working as intended. During these reviews, we identified weaknesses in the military services' internal controls, which resulted in the release of parts that were not authorized for release under a blanket order to foreign countries, and made a number of recommendations to improve the services' internal controls. The purpose of this report is to highlight (1) a systemic problem that we identified in the internal controls of the military services' requisition-processing systems and (2) a potential best practice that we identified in one service that provides an additional safeguard over foreign military sales of classified and controlled parts. For this report, we analyzed the findings and recommendations of our prior reviews. We also reviewed DOD's written comments on our prior reports. In general, we concentrated our prior work on classified and controlled spare parts that foreign countries requisitioned under blanket orders. As part of our previous work, we verified whether the systems approved and released requisitioned parts in accordance with DOD's and the services' foreign military sales policies. Our prior reports provide a detailed explanation of the scope and methodology we used to conduct each review. For this report, we did not conduct new audit work. We conducted this review in accordance with generally accepted government auditing standards from July through September 2004. Results in Brief: At the time we conducted our reviews, the Army, the Navy, and the Air Force were not testing their automated requisition-processing systems to ensure that the systems were accurately reviewing and approving blanket order requisitions for compliance with restrictions on the sale of classified and controlled spare parts and operating in accordance with foreign military sales policies. Our tests of the services' systems showed that classified and controlled spare parts that the services did not want to be released to foreign countries under blanket orders were being released. GAO's internal control standards require periodic testing of new and revised software to ensure that it is working correctly, while the Office of Management and Budget's internal control standards require periodic reviews to determine how mission requirements might have changed and whether the information systems continue to fulfill ongoing and anticipated mission requirements. DOD either concurred or partially concurred with our prior recommendations for testing the requisition-processing systems. The department, however, does not have a plan specifying the remedial actions to be taken to implement these recommendations. If actions are not taken to implement testing, the potential benefits of these controls in preventing the inadvertent release of classified or controlled spare parts may not be realized. In its comments on our prior recommendations, DOD concurred with the need to test the Army's system, stating that testing of the system and its logic would occur, given the funding and guidance required to do so. DOD also concurred with the need to test the Navy's system. DOD partially concurred with the need to test the Air Force's system and stated that a program was being developed to test new modifications to the Air Force's system and that testing of old modifications would be an ongoing effort. However, testing only the modifications to the Air Force's system, as DOD commented, will not necessarily ensure that the system's logic is working correctly. Subsequently, the Air Force reported that it had modified its system and would be conducting annual tests of the system's logic. Furthermore, internal control standards requiring testing will be applicable to the Case Execution Management Information System, which DOD and the military services are developing to replace the individual military services' systems. The Army's automated requisition-processing system incorporates a potential best practice that helps to prevent the release of classified or controlled parts that are not authorized under blanket orders to foreign countries. The automated systems used by the Navy and the Air Force allow country managers[Footnote 5] to override system decisions not to release classified or controlled parts that are requisitioned under blanket orders to foreign countries. We found instances where Navy and Air Force country managers overrode the systems' decisions without documenting their reasons for doing so. In contrast, the Army's system automatically cancels requisitions that are made under blanket orders for classified or controlled parts. Because the requisitions are automatically canceled, country managers do not have an opportunity to override the system's decisions. Compared with the Navy's and the Air Force's systems, the Army's system provides more stringent protection against releasing classified or controlled parts to countries that are not authorized to receive them under blanket orders. This report contains recommendations aimed at (1) ensuring that DOD and the military services follow up on our prior recommendations by developing specific plans to institute the required testing of their automated systems, (2) incorporating required testing in the development of the Case Execution Management Information System, and (3) determining if it would be beneficial to modify the Navy's and the Air Force's requisition-processing systems so that the systems reject requisitions for classified or controlled parts that foreign countries make under blanket orders and preclude managers from manually overriding system decisions, and to modify their systems as appropriate. In its comments on a draft of this report, DOD generally agreed with the report's recommendations. Background: The sale or transfer of U.S. defense items to friendly nations and allies is an integral component of both U.S. national security and foreign policy. The U.S. government authorizes the sale or transfer of military equipment, including spare parts, to foreign countries either through government-to-government agreements or through direct sales from U.S. manufacturers. The Arms Export Control Act[Footnote 6] and the Foreign Assistance Act of 1961[Footnote 7] authorize the DOD foreign military sales program. From 1993 through 2002, DOD delivered over $150 billion worth of services and defense articles to foreign countries through foreign military sales programs administered by the military services. The articles sold include classified and controlled cryptographic spare parts. The Department of State sets overall policy concerning which countries are eligible to participate in the DOD foreign military sales program. DOD identifies military technology that requires control when its transfer to potential adversaries could significantly enhance a foreign country's military or war-making capability. Various agencies such as the Department of State and DOD are responsible for controlling, in part, the transfer or release of military technology to foreign countries. The Defense Security Cooperation Agency, under the direction of the Under Secretary of Defense for Policy, has overall responsibility for administering the foreign military sales program, and the military services generally execute the sales agreements with the individual countries. A foreign country representative initiates a request by sending a letter to DOD asking for such information as the price and availability of goods and services, training, technical assistance, and follow-on support. Once the foreign customer decides to proceed with the purchase, DOD prepares a Letter of Offer and Acceptance stating the terms of the sale for the items and services to be provided. After this letter has been accepted, the foreign customer is generally required to pay, in advance, the amounts necessary to cover the costs associated with the services or items to be purchased from DOD and then is allowed to request spare parts through DOD's supply system. Generally, the military services use separate automated systems to process requisitions from foreign countries for spare parts. While the Air Force has retained responsibility for its system, responsibility for the Army's and the Navy's systems was transferred to the Defense Security Assistance Development Center in October 1997. The Center, which is part of the Defense Security Cooperation Agency, has overall responsibility for providing system information technology maintenance support, such as testing the system. For blanket orders, the systems use various codes and item identifiers to restrict the spare parts available to the countries. In cases where the systems validate a requisition, the requisition is sent to a supply center to be filled and shipped. In cases where the systems reject a requisition, the requisition is sent to a country manager for review. The country manager will either validate the requisition and forward it to the supply center to be filled and shipped or reject the requisition, in which case the requisition is canceled. Testing of the Requisition-Processing Systems Is Needed to Improve Internal Controls for Foreign Military Sales: Our reviews showed that the Army, the Navy, and the Air Force were not testing their automated systems to ensure that the systems were accurately reviewing and approving blanket order requisitions for compliance with restrictions and operating in accordance with foreign military sales policies. Our tests of the services' automated systems used to manage foreign countries' requisitions for spare parts made through blanket orders showed that classified and controlled spare parts that the services did not want released were being released to countries. For example, we identified 5 out of 38 blanket order requisitions for which the Navy's system approved and released 32 circuit card assemblies' controlled cryptographic spare parts to foreign countries. According to Defense Security Assistance Development Center officials, who are responsible for this portion of the Navy's system, the system was not programmed to review the controlled cryptographic items codes, and as a result, the system automatically approved and released the parts requested by the foreign countries. Navy and DOD officials were unaware that the system was not reviewing controlled cryptographic parts prior to their release to foreign countries. For another example, the Air Force's system used controls that were based on supply class restrictions and that were ineffective and resulted in erroneously approving requisitions for shipment. Included in an item's national stock number is a four-digit federal supply class, which may be shared by thousands of items. The national stock number also contains a nine-digit item identification number that is unique for each item in the supply system. We found that countries requisitioning parts under the Air Force's system could obtain a classified or controlled spare part by using an incorrect, but unrestricted, supply class with an item's correct national item identification number. The Air Force was unaware of this situation until our test of the system identified the problem. In response to our work, the Air Force corrected the problem. GAO's internal control standards require periodic testing of new and revised software to ensure that it is working correctly, while the Office of Management and Budget's internal control standards require periodic reviews to determine how mission requirements might have changed and whether the information systems continue to fulfill ongoing and anticipated mission requirements.[Footnote 8] The importance of testing and reviewing systems to ensure that they are operating properly is highlighted in the Federal Information Security Management Act of 2002.[Footnote 9] The act requires periodic testing and evaluation of the effectiveness of information security controls and techniques. Moreover, the act requires agencies, as part of their information security program, to include a process for planning, implementing, evaluating, and documenting remedial actions to address deficiencies. Under guidance from the Office of Management and Budget, agencies are to develop a Plan of Actions & Milestones to report on the status of remediation efforts. This plan is to list information security weaknesses, show estimated resource needs or other challenges to resolving them, key milestones and completion dates, and the status of corrective actions. In commenting on our prior reports, DOD either concurred or partially concurred with our recommendations for testing the services' requisition-processing systems. The department, however, does not have a plan specifying the remedial actions to be taken to implement these recommendations. If actions are not taken to implement testing and reviews, the potential benefits of these controls in preventing the inadvertent release of classified or controlled spare parts may not be realized. * Regarding our recommendation to periodically test the Army's system, DOD concurred and stated that testing of the Army system and its logic would occur, given the funding and guidance required to do so. * In response to our recommendation to periodically test the Navy's system, DOD concurred. * Concerning our recommendation to periodically test the Air Force's system, DOD partially concurred and stated that a program was being developed to test new modifications to the Air Force's system and that testing of old modifications would be an ongoing effort. Testing only the modifications to the Air Force's system, as DOD commented, will not necessarily ensure that the system's logic is working correctly. Subsequently, the Air Force concurred with our recommendation and reported that it had modified its system and would be conducting annual tests of the system's logic. The Defense Security Cooperation Agency and the military services are developing a new automated system, the Case Execution Management Information System, to process foreign military sales requisitions. The new system will replace the services' existing legacy systems with a standard DOD system. DOD expects to deploy the new system in fiscal year 2007. Internal control standards requiring testing will be applicable to the new system. Army's Practice Provides More Stringent Protection against the Improper Release of Parts to Foreign Countries: Our reviews showed that the Navy's and the Air Force's systems allowed country managers, who are responsible for managing the sale of items to foreign countries, to override system decisions not to release to foreign countries classified or controlled parts that are requisitioned under blanket orders. We identified instances where Navy and Air Force country managers overrode the systems' decisions without documenting their reasons for doing so. For example, of the 123 Air Force requisitions we reviewed, the Air Force's system identified 36 requisitions for country manager review. For 19 of the requisitions, the managers overrode the system's decisions and shipped classified and controlled spare parts without documenting their reasons for overriding the system. The managers we queried could not provide an explanation for overriding the system. In 1999, the Army modified its system to reject requisitions that are made under blanket orders for classified or controlled parts. As a result, Army country managers were precluded from manually overriding the Army system's decisions. Compared with the Navy's and the Air Force's systems, the Army's system provides more stringent protection against releasing classified or controlled parts that are not authorized for release under blanket orders to foreign countries. Conclusions: Preventing the inadvertent release of classified and controlled spare parts that are not authorized for release under blanket orders to foreign countries deserves the highest level of management attention. The preemptive nature of testing and reviewing systems allows this internal control to identify system weaknesses prior to the inadvertent release of classified or controlled spare parts. Had the services conducted periodic tests of their systems, the instances of releasing spare parts that DOD did not want released that we identified in our reports could have been significantly reduced, if not eliminated. Developing effective corrective action plans is key to ensuring that remedial action is taken to address significant information-system internal control deficiencies. We believe the department could demonstrate its commitment to addressing this systemic weakness by providing specific information on its planned remedial actions. Documenting country managers' decisions to override system decisions is a control that could help prevent the release of classified or controlled parts that are not authorized for release under blanket orders to a foreign country. However, modifying systems, as the Army did, to reject requisitions that are made under blanket orders for classified or controlled parts and to preclude country managers from manually overriding system decisions would provide more stringent protection against releasing classified or controlled parts that are not authorized for release under blanket orders to a foreign country. Recommendations for Executive Action: To reduce the likelihood of releasing classified and controlled spare parts that DOD does not want to be released to foreign countries, we recommend that you take the following three actions: * Direct the Under Secretary of Defense for Policy, in conjunction with the Secretaries of the Army and the Navy, and direct the Secretary of the Air Force to develop an implementation plan, such as a Plan of Actions & Milestones, specifying the remedial actions to be taken to ensure that applicable testing and review of the existing requisition- processing systems are conducted on a periodic basis. * Direct the Under Secretary of Defense for Policy, in conjunction with the Secretaries of the Army, the Air Force, and the Navy, to determine whether current plans for developing the Case Execution Management Information System call for periodic testing and, if not, provide for such testing. * Direct the Under Secretary of Defense for Policy, in conjunction with the Secretary of the Navy, and direct the Secretary of the Air Force to determine if it would be beneficial to modify the Navy's and the Air Force's requisition-processing systems so that the systems reject requisitions for classified or controlled parts that foreign countries make under blanket orders and preclude country managers from manually overriding system decisions, and to modify their systems as appropriate. Agency Comments and Our Evaluation: The Director of the Defense Security Cooperation Agency provided written comments on a draft of this report for DOD and partially concurred with one recommendation and concurred with two recommendations. DOD partially concurred with our recommendation to develop a Plan of Actions & Milestones specifying the remedial actions to be taken to ensure that applicable testing and review of the existing requisition- processing systems is conducted on a periodic basis. DOD stated that the services have made appropriate changes to their systems in response to our prior reports and routine maintenance and have tested the applications accordingly. DOD also stated that, in lieu of a formal Plan of Actions & Milestones, the military services, in concert with DOD, can institute a practice of testing the applications on an annual basis, if those applications are not otherwise changed and tested as a matter of routine maintenance, to satisfy the requirement for periodic testing. We agree that alternatives to a formal Plan of Actions & Milestones may address the needed remedial actions. However, we believe any alternative should specify the remedial actions to be taken to ensure that applicable testing and review of the existing requisition- processing systems are conducted on a periodic basis, and we have modified our recommendation accordingly. DOD concurred with our recommendation regarding the Case Execution Management Information System. DOD stated that the system's software program testing will adhere to software-testing standards in place at the time of implementation, including testing to ensure that the functionality of existing software code is not changed when the coding is modified or enhanced. DOD also concurred with our recommendation to determine if it would be beneficial to modify the Navy's and the Air Force's requisition- processing systems so that the systems reject requisitions for classified or controlled parts that foreign countries make under blanket orders and preclude managers from manually overriding system decisions, and to modify their systems as appropriate. DOD stated that it will review the Navy's and the Air Force's business processes, as well as the requisition-processing systems. DOD noted that a better option may be to mandate that country managers seek the appropriate waivers in accordance with DOD policy to allow the release of a classified or controlled spare part under a blanket order; provide sufficient documentation for doing so; and make sure it is done as the exception, not the rule. We agree that this option would enhance the Navy's and the Air Force's controls and could help prevent the release of classified or controlled parts that are not authorized for release under a blanket order to a foreign country. DOD also provided technical and editorial comments, which we have incorporated as appropriate. DOD's comments are reprinted in appendix I of this letter. As you know, 31 U.S.C. 720 requires the head of a federal agency to submit a written statement of the actions taken on our recommendations to the Senate Committee on Governmental Affairs and to the House Committee on Government Reform not later than 60 days from the date of the report and to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of the report. Because agency personnel serve as the primary source of information on the status of recommendations, we request that DOD also provide us with a copy of DOD's statement of action to serve as preliminary information on the status of open recommendations. Please provide me with a copy of your responses. My e- mail address is solisw@gao.gov. We are sending copies of this report to Senator Tom Harkin; the Senate and House Committees on Armed Services; the Secretaries of the Army, the Navy, and the Air Force; the Director, Office of Management and Budget; and other interested congressional committees. The report is also available on GAO's home page at http://www.gao.gov. If you have any questions, please call me at (202) 512-8365. Key contributors to this report were Thomas Gosling, Louis Modliszewski, and R. K. Wild. Key contributors to our prior reports are listed in those reports. Sincerely yours, Signed by: William M. Solis, Director: Defense Capabilities and Management: [End of section] Appendix I: Comments from the Department of Defense: Note: GAO's comments supplementing those in the report's text appear at the end of this appendix. Note: Page numbers in the draft report may differ from those in this report. DEFENSE SECURITY COOPERATION AGENCY: WASHINGTON, DC 20301-2800: OCT 08 2004: In reply refer to: I-04/013316-P3: Mr. William M. Solis, Director: Defense Capabilities and Management: U.S. Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Solis: This is the Department of Defense (DoD) response to the GAO draft report, "FOREIGN MILITARY SALES: DoD Needs to Take Additional Actions to Prevent Unauthorized Shipments of Spare Parts," dated September 24, 2004 (Code 350586/ GAO-05-17). DoD acknowledges receipt of the draft report, and we concur with the report in principle. Our responses to the three recommendations posed by the GAO, as well as a separate listing of technical/editorial comments for the GAO's consideration when preparing the final report, are attached. We continue to pursue corrective measures to ensure that adequate controls are in place to prevent shipments of spare parts not authorized under blanket orders to foreign countries. The Department appreciates the opportunity to comment on the draft report. My point of contact on this matter is Ms. Kathy Robinson. She may be contacted by email: kathy.robinson@dsca.mil or by telephone at (703) 601-4368. Sincerely, Signed by: JEFFREY B. KOHLER: LIEUTENANT GENERAL, USAF: DIRECTOR: Attachments As stated GAO DRAFT REPORT - DATED SEPTEMBER 24, 2004 GAO CODE 350586/GAO-05-17: "FOREIGN MILITARY SALES: DOD Needs to Take Additional Actions to Prevent Unauthorized Shipments of Spare Parts," DEPARTMENT OF DEFENSE COMMENTS TO THE RECOMMENDATIONS: RECOMMENDATION 1: The GAO recommended that the Secretary of Defense direct the Under Secretary of Defense for Policy, in conjunction with the Secretaries of the Army and Navy, and direct the Secretary of the Air Force to develop a Plan of Action & Milestones specifying the remedial actions to be taken to ensure that applicable testing and review of the existing requisition-processing systems is conducted on a periodic basis. (Page 11/GAO Draft Report): DOD RESPONSE: Partially concur. The Services, in concert with DoD, already perform system testing to ensure the requisition-processing applications are running correctly to meet agency and customer needs. The Services have already made appropriate changes to those applications in response to the GAO reports and routine maintenance and have tested the applications accordingly; both to ensure the change was made and to ensure other functions were not negatively impacted. The Services, in concert with DoD, can institute a practice of testing the requisition processing applications on an annual basis, if those applications are not otherwise changed and therefore tested as a matter of routine maintenance, during the course of a year, which would satisfy the requirement for periodic testing. DoD believes this will meet the requirements of the GAO without developing a formal Plan of Action & Milestones document as defined by the Office of Management and Budget. RECOMMENDATION 2: Direct the Under Secretary of Defense for Policy, in conjunction with the Secretaries of the Army, the Air Force, and the Navy, to determine whether current plans for developing the Case Execution Management Information System call for periodic testing and, if not, provide for such testing. (Page 11/GAO Draft Report): DOD RESPONSE: Concur. The Case Execution Management Information System (CEMIS) will be developed in accordance with all known USG and DoD standards for the acquisition and the implementation of automated information technology systems. Accordingly, CEMIS software program testing will adhere to all software-testing standards in place at the time of implementation, including "regression testing". Regression testing is the recognized method for ensuring that the functionality of existing code is not changed when program coding is modified or enhanced to supplement the functionality. RECOMMENDATION 3: The GAO recommended that the Secretary of Defense direct the Under Secretary of Defense for Policy, in conjunction with the Secretary of the Navy, and direct the Secretary of the Air Force, to determine if it would be beneficial to modify the Navy's and Air Forces' requisition-processing systems so that the systems reject requisitions for classified or controlled parts that foreign countries make under blanket orders and preclude country managers from manually overriding system decisions, and to modify their systems as appropriate. (Page 11/GAO Draft Report): DOD RESPONSE: Concur. DoD will review the Navy and Air Force business processes, as well as the requisition processing systems, to determine the benefits of modifying the systems to mirror the Army's system. A better way may be to mandate that country managers seek the appropriate waivers in accordance with DSCA policy to allow the release of a classified or controlled spare part under a blanket order case, provide sufficient documentation for doing so, and make sure it is done as the exception, not the rule. This is primarily a matter of education and training, particularly for new employees as they begin performing security assistance work; in addition to management attention to make sure the process is being done correctly. Technical/editorial comments addressing specific pages and lines in the GAO's draft report, GAO Code 350586/GAO-05-17 for the GAO's consideration during preparation of the final report: a. Title: Replace "Foreign Military Sales: DOD Needs to Take Additional Actions to Prevent Unauthorized Shipments of Spare Parts", with "Foreign Military Sales: DOD Needs to Take Additional Actions to Prevent Shipments of Spare Parts Not Authorized under Blanket Orders." DoD Comment: This is needed to clarify that the parts were not authorized for release under blanket orders, not that the countries were not authorized to receive them. It was the means by which they received the parts, not the parts themselves and the countries that received them that were in error. b "Highlights" Page, line 26 - Replace ........ controlled parts to countries that are not authorized to receive them" with "controlled parts that are not authorized under blanket orders to foreign countries." DoD Comment: This is needed to clarify that the parts were not authorized for release under blanket orders, not that the countries were not authorized to receive them. It was the means by which they received the parts, not the parts themselves and the countries that received them that were in error. c "Highlights" Page, line 37 - Replace..... "parts to countries that are not authorized to receive them under blanket orders", with "parts that are not authorized under blanket orders to foreign countries." DoD Comment: This is needed to clarify that the parts were not authorized for release under blanket orders, not that the countries were not authorized to receive them. It was the means by which they received the parts, not the parts themselves and the countries that received them that were in error. d. Page 2, line 11 - Replace "which resulted in the release of parts to foreign countries that were not authorized to receive the parts under a blanket order" with "which resulted in the release of parts that were not authorized for release under a blanket order to foreign countries." DoD Comment: This is needed to clarify that the parts were not authorized for release under blanket orders, not that the countries were not authorized to receive them. It was the means by which they received the parts, not the parts themselves and the countries that received them that were in error. e. Page 4, line 1 - "DOD did not provide information on planned remedial actions, such as resources needed and key milestones." DoD Comment: In accordance with guidelines from the DoDIG, DOD's liaison with the GAO, the DoD provided appropriate comments to the GAO reports on Service procedures. Comments are required only for those recommendations to which there are partial concurrences or nonconcurrences. It was never cited in any of the previous reports that DoD was required to provide additional information or specific details for a response of "Concur". f. Page 4, line 8 - "DOD did not cite specific actions that would be taken to test the Army's and the Navy's systems. DoD Comment: Similar to b. above, the GAO never indicated that specific details were required, or even warranted, for such a report. The GAO had not requested such a response in their recommendations or other official correspondence; no standards or targets were offered by GAO to which a response could be framed, and the abbreviated time required for Service inputs and DoD responses to the draft/final reports provided no time to develop a Plan of Action and Milestones at that time. g. Page 4, line 20 - Replace.. "parts to countries that are not authorized to receive them under blanket orders", with "parts that are not authorized under blanket orders to foreign countries." DoD Comment: This is needed to clarify that the parts were not authorized for release under blanket orders, not that the countries were not authorized to receive them. It was the means by which they received the parts, not the parts themselves and the countries that received them that were in error. h. Page 10, line 7-Replace "Preventing the inadvertent release of classified and controlled spare parts to countries that are not authorized to receive them under blanket orders....", with "Preventing the inadvertent release of classified and controlled spare parts that are not authorized for release under blanket orders to countries....". DoD Comment: This is needed to clarify that the parts were not authorized for release under blanket orders, not that the countries were not authorized to receive them. It was the means by which they received the parts, not the parts themselves and the countries that received them that were in error. GAO's Comments: The following are GAO's comments on the Department of Defense's letter dated October 8, 2004. 1. In our report, we modified the text to clarify that the parts were not authorized for release under blanket orders. The title of this report is consistent with the titles of our prior reports on this subject, as listed on page 1, and we did not modify it as DOD suggests. 2. In response to DOD's comments, we modified the text to state that DOD does not have a plan specifying the remedial actions to be taken to implement our recommendations. [End of section] FOOTNOTES [1] GAO, Foreign Military Sales: Improved Navy Controls Could Prevent Unauthorized Shipments of Classified and Controlled Spare Parts to Foreign Countries, GAO-04-507 (Washington, D.C.: June 25, 2004); Foreign Military Sales: Improved Army Controls Could Prevent Unauthorized Shipments of Classified Spare Parts and Items Containing Military Technology to Foreign Countries, GAO-04-327 (Washington, D.C.: Apr. 15, 2004); Foreign Military Sales: Air Force Does Not Use Controls to Prevent Spare Parts Containing Sensitive Military Technology from Being Released to Foreign Countries, GAO-03-939R (Washington, D.C.: Sept. 10, 2003); and Foreign Military Sales: Improved Air Force Controls Could Prevent Unauthorized Shipments of Classified and Controlled Spare Parts to Foreign Countries, GAO-03-664 (Washington, D.C.: July 29, 2003). [2] Internal control activities include the policies, procedures, and processes that are essential for the proper stewardship of and accountability for government resources, and for achieving effective and efficient program results. [3] Classified parts are restricted for national security reasons; controlled parts are not classified but contain military technology/ applications or are controlled cryptographic parts, hereafter referred to as "controlled parts." [4] Blanket order cases are based on agreements between the U.S. government and a foreign country for a specific category of items for which foreign military sales customers will have a recurring need. The agreements have a dollar ceiling and no definitive listing of items or quantities. Once a blanket order case is established, a foreign country may submit requisitions for spare parts. We refer to requisitions for parts under blanket order cases as "blanket orders." [5] Country managers are responsible for managing the sale of items to foreign countries and perform supply and financial technical work. [6] Pub. L. No. 90-629, as amended. [7] Pub. L. No. 87-195, as amended. [8] GAO, Federal Information System Controls Audit Manual, GAO/AIMD- 12.19.6 (Washington, D.C.: January 1999); Office of Management and Budget, Management of Federal Information Resources (Washington, D.C.: November 2000); and GAO, Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001). [9] Pub. L. No. 107-347, §§ 301-305. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: