DoD Lacks Visibility into Software Inventories, Audit Finds

The U.S. Department of Defense lacks visibility into software inventories, a review of Marine Corps, Navy, and Air Force commands and divisions reveals.

The audit found that the Marine Corps divisions and the Navy commands had a process in place to prevent duplication when purchasing applications, but the Air Force did not. Moreover, only the U.S. Fleet Forces Command had a process to eliminate duplicative or obsolete software applications.

The newly published DoD report also reveals that none of the reviewed commands or divisions maintained accurate software inventories. This introduces security risk: without visibility into what software is installed, an organization cannot identify the known vulnerabilities affecting the applications it owns.

“In addition, the DoD is not realizing the cost savings associated with the elimination of duplicate and obsolete software applications that it has already procured and is paying to maintain,” the Pentagon’s Management of Software Applications report (PDF) reads.

The root cause of the issue, the report claims, is that the DoD Chief Information Officer (CIO) failed to implement an enterprise-wide solution to create a software application inventory in response to Federal Information Technology Acquisition Reform Act requirements. Instead, the CIO limited rationalization to data center consolidation efforts.

Federal and DoD guidance already includes requirements to optimize information technology portfolios, programs, and resources, including software. DoD is required to develop, review, and update an inventory of applications, federal agencies need to ensure they don’t pay for unused software, and CIOs need to identify and reduce duplication and waste within the portfolios, including software.

Despite that, a review of seven commands and divisions identified internal control weaknesses related to the DoD’s processes for software application rationalization: there were no processes in place to identify and eliminate duplicative or obsolete applications. The audit focused on the Marine Corps, the Navy, and the Air Force because the Army already performed such a review in its data centers.

The report recommends that the DoD CIO, in coordination with the DoD Chief Management Officer, implement an enterprise-wide process for conducting software application rationalization throughout the DoD, along with guidance requiring DoD components to perform that rationalization.

DoD component CIOs should develop implementing guidance to outline responsibilities and processes for software application rationalization, while also requiring DoD components to regularly validate the accuracy of their owned and in-use applications inventory.

The report also recommends conducting periodic reviews to ensure that duplicate and obsolete software is eliminated. Without a response from the DoD CIO, the recommendations remain unresolved, the report notes.

“We conducted this performance audit from February 2018 through November 2018 in accordance with generally accepted government auditing standards. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective,” the report reads.

Related: Technical Data on U.S. Missile Defense System Lacks Adequate Protections, DoD Says

Related: Outdated DoD IT Jeopardizes National Security

Written by Ionut Arghire, international correspondent for SecurityWeek.