The Department of Defense (DoD) purchased $32.8 million of commercial off-the-shelf (COTS) IT products with cybersecurity flaws using government purchase cards, exposing the lack of controls on purchasing COTS items, according to an inspector general report released July 26.
The report found that for non-national security systems, DoD’s approved products list included items with cybersecurity risks, and the department did not have controls to prevent the purchase of high-risk items or a strategy to manage the risks from COTS products.
“If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised,” the report states.
The report’s initial scope focused on micro-purchases through government purchase cards, with the inspector general finding at least $32.8 million in purchases of products with known vulnerabilities by the Army and the Air Force. The bulk of that spending went toward Lexmark printers; Lexmark has connections to Chinese cyberespionage and 20 vulnerabilities listed in the National Vulnerability Database. The report found that the Navy did not keep logs of its purchases, although the inspector general found Lexmark printers on the Navy’s intranet.
Among the policy weaknesses, the report found that no single organization is responsible for managing the cyber risks posed by COTS technology, with three different organizations each in charge of a piece of it. The report also found that cybersecurity is not a required consideration for purchase cardholders, that policies did not proactively address the cyber risks of COTS technology, and that DoD’s Unified Capabilities approved products list did not consider cybersecurity risks introduced through the supply chain.
The report recommended that DoD direct an organization to develop a risk-based strategy for COTS cybersecurity, review acquisition policies to add cybersecurity evaluations for purchase cards, require that supply chain risks be assessed for the Unified Capabilities approved products list, and expand the national security system-restricted list to include high-risk items used for non-national security systems. DoD did not agree to develop a strategy, but agreed to implement the other three recommendations from the report.