
DoD Lacks Visibility into Software Inventories, Audit Finds

The U.S. Department of Defense lacks visibility into software inventories, a review of Marine Corps, Navy, and Air Force commands and divisions reveals.

The audit found that the Marine Corps divisions and the Navy commands had a process in place to prevent duplication when purchasing applications, but the Air Force did not. Moreover, only the U.S. Fleet Forces Command had a process to eliminate duplicative or obsolete software applications.

The newly published DoD report also reveals that none of the reviewed commands or divisions maintained an accurate software inventory. That is a security problem in its own right: a command that does not know which applications it owns cannot identify the existing vulnerabilities in those applications, let alone track whether they are being addressed.

“In addition, the DoD is not realizing the cost savings associated with the elimination of duplicate and obsolete software applications that it has already procured and is paying to maintain,” the Pentagon’s Management of Software Applications report (PDF) reads.

The root cause of the issue, the report claims, is that the DoD Chief Information Officer (CIO) failed to implement an enterprise-wide solution to create a software application inventory in response to Federal Information Technology Acquisition Reform Act requirements. Instead, the CIO limited rationalization to data center consolidation efforts.

Federal and DoD guidance already includes requirements to optimize information technology portfolios, programs, and resources, including software. DoD is required to develop, review, and update an inventory of applications, federal agencies need to ensure they don’t pay for unused software, and CIOs need to identify and reduce duplication and waste within the portfolios, including software.

Despite that, a review of seven commands and divisions identified internal control weaknesses in the DoD’s software application rationalization processes: with the exception noted above, the reviewed organizations had no process in place to identify and eliminate duplicative or obsolete applications. The audit focused on the Marine Corps, the Navy, and the Air Force because the Army had already performed such a review in its data centers.

The report recommends that the DoD CIO, in coordination with the DoD Chief Management Officer, implement an enterprise-wide software application rationalization process throughout the DoD, along with guidance requiring the DoD components to carry it out.

DoD component CIOs should develop implementing guidance to outline responsibilities and processes for software application rationalization, while also requiring DoD components to regularly validate the accuracy of their owned and in-use applications inventory.

The report also recommends periodic reviews to ensure that duplicate and obsolete software is actually eliminated. Because the DoD CIO did not respond to the draft report, the recommendations remain unresolved, the report notes.

“We conducted this performance audit from February 2018 through November 2018 in accordance with generally accepted government auditing standards. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective,” the report reads.

Related: Technical Data on U.S. Missile Defense System Lacks Adequate Protections, DoD Says

Related: Outdated DoD IT Jeopardizes National Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
