The Department of Defense’s Office of the Inspector General conducted an audit to verify whether DoD assesses cybersecurity risks in commercial off-the-shelf information technology products.
The audit found that DoD employs COTS IT products that hold commonly known cyber vulnerabilities due to lack of associated policy, strategy and product standards, DoD IG said in a report publicly released Tuesday.
The study looked at procurements done via government purchase cards, and discovered that the U.S. Army and U.S. Air Force have $32.8M of combined IT product purchases made with GPCs in fiscal 2018.
These purchases include Lenovo computers and GoPro cameras that possess cybersecurity risks.
DoD IG recommends the secretary of defense to order the development of a risk-based evaluation approach for COTS items, an associated testing procedure and a process to prevent purchases of high-risk products.
The office also urges the undersecretary of defense for acquisition and sustainment to implement policy that requires organizations to assess cyber risks in COTS products. The recommendation also calls for the establishment of requirements for cybersecurity risk training.