US watchdog calls upon DOD to take action to strengthen its risk mitigation approach to industrial base

The U.S. Government Accountability Office (GAO) has disclosed that the Department of Defense’s (DOD) Industrial Base Policy office does not yet have a consolidated and comprehensive strategy to mitigate risks to the industrial base. Instead, the office uses a combination of four previously issued reports created for other requirements because it devoted its resources to completing other priorities. As a result, the reports do not include several elements GAO has previously identified that would help DOD achieve results, evaluate progress, and ensure accountability.

To deal with these shortcomings, the GAO made six recommendations, including that DOD develop a consolidated and comprehensive strategy to mitigate industrial base risks. It also suggested creating and using enterprise-wide performance measures to monitor the aggregate effectiveness of its efforts and reporting on its progress in mitigating risks. DOD generally concurred with the recommendations and identified some actions to address them.

“DOD must update its industrial base strategy following the submission of the next National Security Strategy Report, which is expected to be issued later in 2022,” the GAO said in its report. “By including all elements in a consolidated strategy, DOD could better ensure that all appropriate organizations are working toward the same priorities, promoting supply chain resiliency, and supporting national security objectives,” it added.

The report said that DOD is carrying out numerous efforts to mitigate risks to the industrial base. “This includes more than $1 billion in reported efforts under Navy submarine and destroyer programs and $125 million to sustain a domestic microelectronics manufacturer. However, DOD has limited insight into the effectiveness of these efforts and how much progress it has made in addressing risks,” it added.

The U.S. defense industrial base includes a combination of people, technology, institutions, technological know-how, and facilities used to design, develop, manufacture, and maintain the weapons needed to meet U.S. national security objectives. The defense industrial base can be divided into several tiers – top tiers that include prime contractors and major subcontractors, and lower tiers that typically include suppliers of parts, electronic components, and raw materials.

Since 2017, the White House has issued executive orders directing DOD and other agencies to assess risks to the defense industrial base and high-priority supply chains such as semiconductors. The U.S. Congress also directed DOD to develop an analytical risk mitigation framework and included a provision for GAO to review DOD’s efforts. The report assesses DOD’s strategy for mitigating industrial base risks and the extent to which DOD is monitoring and reporting on its progress in mitigating risks. In addition, GAO analyzed DOD policies and reports and interviewed DOD officials.

The watchdog made six recommendations to the DOD, including calling upon the Secretary of Defense to ensure that the National Technology and Industrial Base strategy is consolidated and comprehensive, such as by including required resources and an implementation plan. GAO also advised the Secretary of Defense to ensure that the Assistant Secretary of Defense for Industrial Base Policy, in coordination with the Industrial Base Council, develops and uses performance measures to monitor the aggregate effectiveness of mitigation efforts for DOD-wide industrial base risks. 

GAO also said that the Secretary of the Air Force should ensure that the Assistant Secretary of the Air Force for Acquisition, Technology, and Logistics develops and uses performance measures to monitor the aggregate effectiveness of mitigation efforts for Air Force and Space Force industrial base risks. Additionally, the Secretary of the Army should ensure that the Assistant Secretary of the Army for Acquisition, Logistics, and Technology develops and uses performance measures to monitor the aggregate effectiveness of mitigation efforts for Army industrial base risks.

The GAO report also recommended that the Secretary of the Navy ensure that the Assistant Secretary of the Navy for Research, Development, and Acquisition develops and uses performance measures to monitor the aggregate effectiveness of mitigation efforts for Navy and Marine Corps industrial base risks. Lastly, it called upon the Secretary of Defense to ensure that DOD reports its progress toward mitigating industrial base risks. For example, this information could be included in DOD’s annual Industrial Capabilities Reports, which include sector risk assessments.

The report concluded that the DOD recognizes the importance of maintaining a healthy industrial base to support U.S. national security goals and is well versed in identifying risks. However, the Industrial Base Policy office has struggled to provide the leadership and strategic vision needed to mitigate risks, some of which have been known for decades, such as in the shipbuilding and microelectronics sectors. 

“DOD’s current industrial base strategy, spread out over four different reports, does not contain some desirable characteristics that our prior work shows are essential for guiding the investment of billions of dollars to mitigate risks, including an implementation plan,” the GAO report said. 

By addressing in a single document various desirable characteristics of a national strategy, such as the purpose, risks, milestones, performance measures, required resources, responsible organizations, and implementation plan for risk mitigation, the DOD can better ensure its organizations are working toward the same priorities, promoting supply chain resiliency, and ensuring the industrial base supports national security objectives. 

Congress and other stakeholders have limited insight into how effectively DOD has used the billions of dollars it has spent on risk mitigation efforts since fiscal year 2018, GAO said. “This is because the Industrial Base Policy office and the military services have not developed performance measures to gauge their enterprise-wide progress or consistently reported on DOD’s efforts through the annual Industrial Capabilities Report,” it added.

DOD acknowledged these shortcomings and is working on consolidating available data in its various information systems that could facilitate better monitoring and reporting. Such data efforts could be helpful but are years away from completion. “Until DOD makes improvements to its monitoring and reporting practices, it will continue to be at risk of investing billions of dollars in mitigation efforts without an accurate understanding of how successful these efforts are in addressing industrial base risks or what additional actions and resources may be needed,” the report added.

A GAO report last month identified that the Department of the Treasury’s Federal Insurance Office (FIO) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) should jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment.
