DoD Lacks Visibility into Software Inventories, Audit Finds

The U.S. Department of Defense lacks visibility into software inventories, a review of Marine Corps, Navy, and Air Force commands and divisions reveals.

The audit found that the Marine Corps divisions and the Navy commands had a process in place to prevent duplication when purchasing applications, but the Air Force did not. Moreover, only the U.S. Fleet Forces Command had a process to eliminate duplicative or obsolete software applications.

The newly published DoD report also reveals that none of the reviewed commands or divisions maintained accurate software inventories. This introduces security risk: without visibility into which applications are installed, the commands cannot identify known vulnerabilities in the software they own.

“In addition, the DoD is not realizing the cost savings associated with the elimination of duplicate and obsolete software applications that it has already procured and is paying to maintain,” the Pentagon's Management of Software Applications report (PDF) reads.

The root cause of the issue, the report claims, is that the DoD Chief Information Officer (CIO) failed to implement an enterprise-wide solution to create a software application inventory in response to Federal Information Technology Acquisition Reform Act requirements. Instead, the CIO limited rationalization to data center consolidation efforts.

Federal and DoD guidance already includes requirements to optimize information technology portfolios, programs, and resources, including software. DoD is required to develop, review, and update an inventory of applications, federal agencies need to ensure they don’t pay for unused software, and CIOs need to identify and reduce duplication and waste within the portfolios, including software.

Despite that, a review of seven commands and divisions identified internal control weaknesses related to the DoD’s processes for software application rationalization: there were no processes in place to identify and eliminate duplicative or obsolete applications. The audit focused on the Marine Corps, the Navy, and the Air Force because the Army already performed such a review in its data centers.

The report recommends that the DoD CIO, in coordination with the DoD Chief Management Officer, implement an enterprise-wide process for software application rationalization throughout the DoD, along with guidance requiring DoD components to conduct that rationalization.

DoD component CIOs should develop implementing guidance to outline responsibilities and processes for software application rationalization, while also requiring DoD components to regularly validate the accuracy of their owned and in-use applications inventory.

The report also recommends conducting periodic reviews to ensure that duplicate and obsolete software is eliminated. Without a response from the DoD CIO, the recommendations remain unresolved, the report notes.

“We conducted this performance audit from February 2018 through November 2018 in accordance with generally accepted government auditing standards. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective,” the report reads.

Related: Technical Data on U.S. Missile Defense System Lacks Adequate Protections, DoD Says

Related: Outdated DoD IT Jeopardizes National Security
