DOD doesn’t keep track of duplicate or obsolete software
The US Marine Corps, the Navy, and the Air Force are not keeping track of their software inventories, according to a report released today by the US Department of Defense Inspector General (DOD IG).
Auditors said management at many services that are part of these three military branches “did not consistently rationalize their software applications”, leading to situations where they acquired duplicate applications, underutilized software, or used obsolete software.
The only military service that had a process in place for eliminating duplicative or obsolete applications was the US Fleet Forces Command.
Marine Corps divisions and Navy commands also had a system in place to detect duplicate software before acquisitions but did not keep track of obsolete software.
But the report’s general finding was that none of the commands or divisions that are part of the three military branches maintained accurate software inventories, and all had gaps in the picture of their own internal IT networks.
DOD IG auditors raised the concern that this leads to situations where US military services are underutilizing their software systems and are unaware of their true capabilities.
There is also the issue of cost, with Marine, Navy, and Air Force divisions buying software that they already have, not replacing antiquated software, or paying maintenance costs for software applications they don’t need anymore.
But above all, auditors said that the lack of an up-to-date software inventory leads to cyber-security risks that come from not knowing if all software was patched against recent vulnerabilities.
The cyber-security issue that results from the DOD not having a full view of its software inventory was already known to the DOD Chief Information Officer (CIO), who, in a July 10, 2018 memorandum to DoD officials, said the DoD has yet to report over 30 percent of its software inventory.
“The DoD and its Components lack visibility over their assets and, therefore, are unable to determine the extent of existing vulnerabilities that could impact operations if information processed, stored, or transmitted by software applications is compromised,” the report said.
The DOD IG audit did not look at the Army’s software use, which was the subject of another similar report last year.
Another DOD IG audit released last week said the DOD had also failed a security audit of the US’ ballistic missile defense system. Auditors found no data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities, among many other issues.