GAO warns of weapons software policy loopholes
- By Dawn S. Onley
- May 26, 2004
Defense acquisition and software security policies have loopholes when addressing some risks associated with using foreign suppliers to develop weapons system software, according to a General Accounting Office report.
The GAO investigated 16 software-intensive weapons systems in the DOD and found that program officials for 11 of the programs had very little knowledge of how much software on their systems was being developed by foreign suppliers.
In yesterday's report, 'Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks," GAO added that as weapons systems contain more and more commercial software, it is imperative for program managers to know who is developing the software early in the acquisition process.
'As the amount of software on weapon systems increases, it becomes more difficult and costly to test every line of code," the GAO found. 'Further, DOD cannot afford to monitor all worldwide software development facilities or provide clearances for all potential software developers. The increased dependence on software capability, combined with an exposure to a greater variety of suppliers, results in more opportunities to exploit vulnerabilities in defense software."
The GAO recommended that the DOD:
- Require program managers to specifically define software security requirements, including those for identifying and managing software suppliers
- Ensure that program managers collect and maintain information on software suppliers
- Require the Office of the Assistant Secretary of Defense for Networks and Information Integration and the Office of the Undersecretary of Defense for Acquisition Technology and Logistics to work with other organizations to ensure weapon program risk assessments include software development from foreign suppliers
The Defense Department agreed that the agency needed to enhance its risk management processes and that software security risks should be better defined for weapons systems.