The Pentagon Doesn’t Know All the Software on Its Networks—And That’s a Problem

The Defense Department’s poor software management practices put its networks at “unnecessary” cyber risk—and that’s on the department’s chief information officer, according to the agency inspector general.

The department doesn’t have an enterprisewide software application rationalization program—an inventory of what the department owns and is in use—as required by the Federal Information Technology Acquisition Reform Act, the Defense inspector general wrote in a report released Tuesday. Such programs help agencies get rid of duplicative or obsolete applications and avoid buying redundant software.

Instead of an enterprisewide solution, the Defense CIO in 2017 revised a Joint Information Environment objective to limit software rationalization to data centers.

“As a result, the DoD and its Components are exposing the DoD Information Network to unnecessary cybersecurity risks because they lack visibility over software application inventories and, therefore, are unable to identify the extent of existing vulnerabilities associated with their owned software applications,” the inspectors wrote.

Without a complete software inventory, the department can’t be sure its software is up to date on security patches. As of July, the department accounted for only 30 percent of its software to comply with a congressional request, according to a memo from Defense CIO Dana Deasy. Deasy instructed agencies to boost known software inventory by December and pushed the department to use automated means to find the number of installed applications.

Last week, Congress recognized some improvement in the department’s FITARA scorecard in part because it created a software library. However, it has lots of room to improve; it only increased its grade from an ‘F+’ to a ‘D+’ and was the lowest scoring agency for several scorecards. 

Deasy came onboard as Defense CIO in May, the first permanent CIO since Terry Halvorsen retired in February 2017.

The IG recommended the CIO coordinate the Defense chief management officer to develop an enterprisewide software application rationalization process and create guidance for components that includes at least an annual review of how accurate their owned and in-use software inventories are. The IG also suggested periodic reviews to make sure components are eliminating duplicate and obsolete software applications.

"DOD CIO in coordination with the DOD CMO have been working together to develop a comprehensive business application and software rationalization effort," Defense spokeswoman Heather Babb told Nextgov. 

Editor's note: This article was updated with a comment from the Defense Department.