A Department of Defense (DoD) Inspector General (IG) report released on July 30 found that more than 9,000 commercially available IT products (COTS) purchased in FY 2018, costing at least $32.8 million, could be used to spy on, surveil, or sabotage US military personnel and facilities. In contrast to traditional DoD processes for large acquisitions such as weapon systems, aircraft, and command and control systems, these purchases were made via Government Purchase Cards, which are intended to simplify procurement of less than $10,000.
Axar.az reports citing
However, just because the dollar amounts are small doesn’t mean that the risk is reduced, as the products in question were long identified as security threats. Moreover, many of the most devastating cybersecurity attacks, such as those against Target, Equifax, and the Office of Personnel Management, were instigated at low levels of approval and control, frequently via contractors or COTS devices.
The IG highlighted four critical issues:
No entity within DoD has responsibility for developing a strategy to mitigate cybersecurity risks through COTS purchases.
The DoD lacks sound acquisition policies which would consider cybersecurity risk before purchase.
The Pentagon’s Approved Products List (APL) includes products with cyber and supply chain risks.
The DoD did not establish “controls to prevent the purchase of high-risk COTS information technology items with known cybersecurity risks.”
2019.08.12 / 14:51