The military services are exposing networks to “unnecessary cybersecurity risks” thanks in part to a lack of visibility over software application inventories, according to a Department of Defense Inspector General report.
The IG investigated whether DoD components rationalized their software applications by identifying and eliminating any duplicative or obsolete applications. Rationalizing software applications seeks to improve enterprise IT by identifying all software applications on the network; determining if existing applications are needed, duplicative or obsolete; and determining if applications already existing within the network prior to purchasing new ones.
The audit — which focused on Marine Corps, Navy and Air Force commands and divisions — found that the groups examined did not consistently perform this rationalization process. By not having visibility into software application inventories, these organizations were unable to identify the extent of existing vulnerabilities within their applications, the report found.
Moreover, such a process could lead to cost savings associated with eliminating duplicative and obsolete applications.
Fleet Forces Command was the only command the IG reviewed that had a process in place for eliminating duplicative or obsolete applications. The Air Force did not have a process in place to prevent duplication when purchasing new applications.
The report placed blame on the DoD chief information officer for not implementing a solution for software rationalization in response to Federal Information Technology Acquisition Reform Act requirements.
The IG made three recommendations for the CIO, who did not provide a response to draft recommendations:
- Develop an enterprisewide process for conduction software application rationalization throughout DoD;
- Establish guidance requiring DoD components to conduct rationalization and require DoD component CIOs to develop implementation guidance outlining responsibilities for rationalization. Such a policy should also require components on at least an annual basis to validate the accuracy of their owned and in use software applications inventory; and
- Conduct periodic review to ensure components are regularly validating the accuracy of their inventory and they are eliminating duplicative and obsolete applications.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.