The department also was able to reduce cybersecurity risks as it bought IT products and services in response to the COVID-19 pandemic, an inspector general report concluded.
The Defense Department procured information technology services in response to the COVID-19 pandemic responsibly, according to a new audit.
A DOD Office of Inspector General report dated Feb. 12 concluded the Army, Navy and Air Force as well as the Defense Health Agency and the Defense Information Systems Agency acquired IT services and products under the Coronavirus Aid, Relief and Economic Security, or CARES, Act “at reasonable prices and at a reduced risk of cybersecurity vulnerabilities.” The audit used a nonstatistical sample of 28 contract actions worth $81.5 million to examine pandemic IT spending.
Much of DOD’s IT spending—which includes 300 contracts awarded between Feb. 2020 and May 2021—during the pandemic went to products and services that enabled the shift to mass telework, such as mobile devices, software, virtual private networks and IT support services, according to the audit. Some of the DOD contracts audited include an award to rapidly acquire hardware upgrades that allow remote email access and one to acquire laptops for Air Force officials to remotely access the Secret Internet Protocol Router Network, or SIPRNet.
DOD followed Federal Acquisition Regulations requirements by conducting price analyses and preparing price negotiation memos for IT contract actions, according to the audit. Nine of the price analyses included consideration of competitive quotes, while eight considered historical prices, 19 used price lists, 14 considered Independent Government Cost Estimates and 13 used market research prices.
Based on contract files, procurement information, configuration guides, Security Technical Implementation Guide compliance reports, and discussions with cybersecurity officials, auditors surmised the components in charge of the 28 contract actions reviewed reduced the risk of introducing cybersecurity vulnerabilities into the IT products procured. For example, a Navy software contract for Microsoft Office 365 and Outlook Web Access was continuously monitored using an Assured Compliance Assessment Solution tool.
“Navy cybersecurity officials used ACAS to identify any cyber vulnerabilities associated with the software products and continuously monitored the Navy systems and networks by conducting biweekly ACAS scans as part of their risk mitigation efforts,” the audit reads. “Additionally, Navy cybersecurity personnel patched vulnerabilities identified by ACAS and conducted additional scans to ensure that the vulnerabilities affecting the Navy’s network and the procured software services were remediated.”