The Department of Defense's Defense Logistics Bureau has only partially taken critical risk management steps in its inventory management operations, the U.S. Government Accountability Office said in a report released Monday. The report describes management issues involving the selection, assessment, approval and monitoring of security controls.
In November 2018, the DOD's survival logistics team concluded that the department's inventory management system was potentially vulnerable to cyberattacks and that it had no corrective action plans to mitigate that potential vulnerability.
A US House of Representatives report accompanying a bill contained a provision for GAO to evaluate the DOD's efforts to address cyber security risks for the DOD supply chain.
The GAO report states that the DLA evaluated specific security controls but did not develop system-level monitoring strategies for three of the six systems assessed by the GAO; that the assessment procedures lacked the necessary approvals; that it did not report complete and consistent safety and risk assessment information to support decisions; and that it did not consistently monitor the redress of identified security flaws in its six inventory management systems.

The report calls for the DLA to review and implement a process for approving the assessment plan; calls on the DLA's cyber security office to set up a program office process to review the consistency and completeness of authorization documentation before sending the package to officials; calls for the agency to revise and implement its process to obtain exemptions that accept identified ongoing risk; and calls for corrective action plans to contain necessary information such as remaining risk levels.
The GAO said in a report issued in May that the continued availability and affordability of cyber insurance "remains uncertain."