The Defense Department’s current activities for protecting weapons systems from cyber security vulnerabilities either in the system design or sustainment phases are “insufficient” as are its processes for keeping track of “obsolescence and vulnerabilities in its inventory of microelectronic parts,” according to a Pentagon report.

Pentagon programs that go through milestone decision authorities are required to address supply chain threats—including cyber vulnerabilities—in their Program Protection Plans (PPP), although these plans “do not carry over robustly to the sustainment phase,” says the report, Cyber Supply Chain, by a Defense Science Board (DSB) task force. The DSB issued the executive summary of the report on April 17.

The report says that “guidance, expertise, and support” for creating the PPPs “are insufficient, with limited engagement by the system engineering community and limited influence on system design. Program protection planning activities are uneven in quality and focus as some programs focus on protecting microelectronics availability whereas others emphasize protection of personnel or system security.”

The report says the focus should be on “reducing the probability of mission failure” and recommends using the Joint Federated Assurance Center’s expertise to help program managers plan for protecting their programs. The JFAC resides within the Pentagon’s research and engineering office and is focused on reducing program costs and risks through software assurance tools and processes.

The task force also says that in long acquisition processes, about 70 percent of the electronics in a weapon system are obsolete by the time a system is fielded yet the processes for tracking the obsolescence and vulnerabilities are “inadequate.” It also says that there is a lack of oversight across DoD to track component obsolescence.

The report suggests creation of “a shared vulnerability database and a parts application database of installed hardware could promulgate corrective actions across weapons systems.”

The report also says that the security exercise Cyber Awakening has shown that there are “exploitable cyber supply chain vulnerabilities in key weapons systems,” yet there is no process to take the lessons learned from these exercises and provide them to program executive offices and program managers, or provide cyber training to logistics and maintenance personnel “at appropriate classification levels.” It says Cyber Awakening exercises can be used to “identify and classify vulnerabilities,” providing lessons to be learned.