Defense Logistics Agency Needs to Address Risk Management Deficiencies in Inventory Systems

GAO selected six systems that the Defense Logistics Agency (DLA) officials deemed critical to inventory management operations. GAO reviewed documents, analyzed data, and interviewed officials to determine whether DLA fully addressed, partially addressed, or did not address DOD steps for cybersecurity risk management.

For the six selected inventory management systems that support processes for procuring, cataloging, distributing, and disposing of materiel, DLA fully addressed two of the Department of Defense’s (DOD) six cybersecurity risk management steps and partially addressed the other four. Specifically, the agency categorized the systems based on risk and established an implementation approach for security controls. However, it only partially addressed the four risk management steps of selecting, assessing, authorizing, and monitoring security controls.