Watchdog Warns of Weak Cybersecurity in DOD Weapons Contracts

A government watchdog warned that the U.S. military has failed to adequately include cybersecurity provisions in contracts for acquiring weapons systems.

The Government Accountability Office, which reports to Congress, “found examples of program contracts omitting cybersecurity requirements, acceptance criteria or verification processes,” according to a Thursday report, which studied five representative contracts. “Some contracts we reviewed had no cybersecurity requirements when they were awarded, with vague requirements added later.”

The Department of Defense didn’t immediately respond to a request for comment. The department concurred with some of the GAO’s recommendations, according to the report.

The assessment was published amid scrutiny of U.S. cybersecurity after suspected Russian hackers compromised popular software from Texas-based SolarWinds Corp. and then broke into at least nine federal agencies and 100 private sector companies.

It also comes more than two years after the GAO released a report detailing significant problems with weapons systems cybersecurity. While the watchdog stated there has been some progress since then, it said weapons acquisition programs have struggled to “translate cybersecurity concepts into detailed and specific cybersecurity requirements for contracts.”

Bill Russell, a director in GAO’s contracting and national security acquisitions team, said in an interview, “Until they can get detailed requirements into the contracts it’s still going to be a challenge to ensure that you’re getting robust cybersecurity.”

©2021 Bloomberg L.P.
