Foreign Military Sales
DOD Needs to Take Additional Actions to Prevent Unauthorized Shipments of Spare Parts Gao ID: GAO-05-17 November 9, 2004Under Department of Defense (DOD) policy, the export of classified and controlled spare parts must be managed to prevent their release to foreign countries that may use them against U.S. interests. GAO has issued a series of reports on the foreign military sales program in which weaknesses in the military services' internal controls were identified. This report highlights (1) a systemic problem that GAO identified in the internal controls of the military services' requisition-processing systems and (2) a potential best practice that GAO identified in one service that provides an additional safeguard over foreign military sales of classified and controlled parts.
At the time GAO conducted its reviews, the Army, the Navy, and the Air Force were not testing their automated requisition-processing systems to ensure that the systems were accurately reviewing and approving blanket order requisitions for compliance with restrictions on the sale of classified and controlled spare parts and operating in accordance with foreign military sales policies. Blanket order requisitions are based on agreements between the U.S. government and a foreign country for a specific category of items for which foreign military sales customers will have a recurring need. GAO's tests of the services' requisition-processing systems showed that classified and controlled spare parts that the services did not want to be released to foreign countries under blanket orders were being released. GAO's internal control standards require periodic testing of new and revised software to ensure that it is working correctly, while the Office of Management and Budget's internal control standards require periodic reviews to determine how mission requirements might have changed and whether the information systems continue to fulfill ongoing and anticipated mission requirements. DOD either concurred or partially concurred with GAO's recommendations for testing the requisition-processing systems. The department, however, does not have a plan specifying the remedial actions to be taken to implement these recommendations. Internal control standards requiring testing also will be applicable to the Case Execution Management Information System, an automated requisition-processing system that DOD and the military services are developing to replace the existing individual military service systems. The Army's automated requisition-processing system incorporates a potential best practice that helps to prevent the release of classified or controlled parts that are not authorized under blanket orders to foreign countries. The automated systems used by the Navy and the Air Force allow country managers to override system decisions not to release to foreign countries classified or controlled parts that are requisitioned under blanket orders. GAO found instances where Navy and Air Force country managers overrode the systems' decisions without documenting their reasons for doing so. In contrast, the Army's system automatically cancels requisitions that are made under blanket orders for classified or controlled parts. Because the requisitions are automatically canceled, country managers do not have an opportunity to override the system's decisions. Compared with the Navy's and the Air Force's systems, the Army's system provides more stringent protection against releasing classified or controlled parts that are not authorized under blanket orders to foreign countries.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-05-17, Foreign Military Sales: DOD Needs to Take Additional Actions to Prevent Unauthorized Shipments of Spare Parts
This is the accessible text file for GAO report number GAO-05-17
entitled 'Foreign Military Sales: DOD Needs to Take Additional Actions
to Prevent Unauthorized Shipments of Spare Parts' which was released on
November 09, 2004.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Secretary of Defense:
United States Government Accountability Office:
GAO:
November 2004:
Foreign Military Sales:
DOD Needs to Take Additional Actions to Prevent Unauthorized Shipments
of Spare Parts:
GAO-05-17:
GAO Highlights:
Highlights of GAO-05-17, a report to the Secretary of Defense:
Why GAO Did This Study:
Under Department of Defense (DOD) policy, the export of classified and
controlled spare parts must be managed to prevent their release to
foreign countries that may use them against U.S. interests. GAO has
issued a series of reports on the foreign military sales program in
which weaknesses in the military services‘ internal controls were
identified. This report highlights (1) a systemic problem that GAO
identified in the internal controls of the military services‘
requisition-processing systems and (2) a potential best practice that
GAO identified in one service that provides an additional safeguard
over foreign military sales of classified and controlled parts.
What GAO Found:
At the time GAO conducted its reviews, the Army, the Navy, and the Air
Force were not testing their automated requisition-processing systems
to ensure that the systems were accurately reviewing and approving
blanket order requisitions for compliance with restrictions on the
sale of classified and controlled spare parts and operating in
accordance with foreign military sales policies. Blanket order
requisitions are based on agreements between the U.S. government and a
foreign country for a specific category of items for which foreign
military sales customers will have a recurring need. GAO‘s tests of
the services‘ requisition-processing systems showed that classified
and controlled spare parts that the services did not want to be
released to foreign countries under blanket orders were being
released. GAO‘s internal control standards require periodic testing of
new and revised software to ensure that it is working correctly, while
the Office of Management and Budget‘s internal control standards
require periodic reviews to determine how mission requirements might
have changed and whether the information systems continue to fulfill
ongoing and anticipated mission requirements. DOD either concurred or
partially concurred with GAO‘s recommendations for testing the
requisition-processing systems. The department, however, does not have
a plan specifying the remedial actions to be taken to implement these
recommendations. Internal control standards requiring testing also
will be applicable to the Case Execution Management Information
System, an automated requisition-processing system that DOD and the
military services are developing to replace the existing individual
military service systems.
The Army‘s automated requisition-processing system incorporates a
potential best practice that helps to prevent the release of
classified or controlled parts that are not authorized under blanket
orders to foreign countries. The automated systems used by the Navy
and the Air Force allow country managers to override system decisions
not to release to foreign countries classified or controlled parts that
are requisitioned under blanket orders. GAO found instances where Navy
and Air Force country managers overrode the systems‘ decisions without
documenting their reasons for doing so. In contrast, the Army‘s system
automatically cancels requisitions that are made under blanket orders
for classified or controlled parts. Because the requisitions are
automatically canceled, country managers do not have an opportunity to
override the system‘s decisions. Compared with the Navy…s and the Air
Force‘s systems, the Army‘s system provides more stringent protection
against releasing classified or controlled parts that are not
authorized under blanket orders to foreign countries.
What GAO Recommends:
GAO recommends that DOD (1) develop specific plans to institute the
required testing of the services‘ automated requisition-processing
systems; (2) incorporate, as appropriate, required testing in the
development of the Case Execution Management Information System; and
(3) determine whether the Army system‘s capability to reject
requisitions for classified and controlled parts that are made under
blanket orders is a best practice that should be applied to the Navy‘s
and the Air Force‘s systems. DOD generally concurred with the
recommendations.
www.gao.gov/cgi-bin/getrpt?GAO-05-17.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact William M. Solis at
(202) 512-8365 or solisw@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Testing of the Requisition-Processing Systems Is Needed to Improve
Internal Controls for Foreign Military Sales:
Army's Practice Provides More Stringent Protection against the Improper
Release of Parts to Foreign Countries:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Comments from the Department of Defense:
Abbreviations:
DOD: Department of Defense:
GAO: Government Accountability Office:
United States Government Accountability Office:
Washington, DC 20548:
November 9, 2004:
The Honorable Donald H. Rumsfeld:
The Secretary of Defense:
Dear Mr. Secretary:
In response to a request from Senator Tom Harkin, we issued a series of
reports[Footnote 1] in which we analyzed Army, Navy, and Air Force
internal controls[Footnote 2] over foreign military sales of classified
and controlled cryptographic parts[Footnote 3] requisitioned under
blanket order cases.[Footnote 4] Under Department of Defense (DOD) and
service policy, the export of classified and controlled parts must be
managed to prevent their release to foreign countries that may use them
against U.S. interests. We assessed and tested whether key internal
controls, including the automated systems used by the services to
process requisitions received under blanket orders, adequately
restricted blanket order sales of classified and controlled spare parts
to foreign countries, and we determined whether periodic tests were
conducted to ensure that the services' systems were working as
intended. During these reviews, we identified weaknesses in the
military services' internal controls, which resulted in the release of
parts that were not authorized for release under a blanket order to
foreign countries, and made a number of recommendations to improve the
services' internal controls. The purpose of this report is to highlight
(1) a systemic problem that we identified in the internal controls of
the military services' requisition-processing systems and (2) a
potential best practice that we identified in one service that provides
an additional safeguard over foreign military sales of classified and
controlled parts.
For this report, we analyzed the findings and recommendations of our
prior reviews. We also reviewed DOD's written comments on our prior
reports. In general, we concentrated our prior work on classified and
controlled spare parts that foreign countries requisitioned under
blanket orders. As part of our previous work, we verified whether the
systems approved and released requisitioned parts in accordance with
DOD's and the services' foreign military sales policies. Our prior
reports provide a detailed explanation of the scope and methodology we
used to conduct each review. For this report, we did not conduct new
audit work. We conducted this review in accordance with generally
accepted government auditing standards from July through September
2004.
Results in Brief:
At the time we conducted our reviews, the Army, the Navy, and the Air
Force were not testing their automated requisition-processing systems
to ensure that the systems were accurately reviewing and approving
blanket order requisitions for compliance with restrictions on the sale
of classified and controlled spare parts and operating in accordance
with foreign military sales policies. Our tests of the services'
systems showed that classified and controlled spare parts that the
services did not want to be released to foreign countries under blanket
orders were being released. GAO's internal control standards require
periodic testing of new and revised software to ensure that it is
working correctly, while the Office of Management and Budget's internal
control standards require periodic reviews to determine how mission
requirements might have changed and whether the information systems
continue to fulfill ongoing and anticipated mission requirements. DOD
either concurred or partially concurred with our prior recommendations
for testing the requisition-processing systems. The department,
however, does not have a plan specifying the remedial actions to be
taken to implement these recommendations. If actions are not taken to
implement testing, the potential benefits of these controls in
preventing the inadvertent release of classified or controlled spare
parts may not be realized. In its comments on our prior
recommendations, DOD concurred with the need to test the Army's system,
stating that testing of the system and its logic would occur, given the
funding and guidance required to do so. DOD also concurred with the
need to test the Navy's system. DOD partially concurred with the need
to test the Air Force's system and stated that a program was being
developed to test new modifications to the Air Force's system and that
testing of old modifications would be an ongoing effort. However,
testing only the modifications to the Air Force's system, as DOD
commented, will not necessarily ensure that the system's logic is
working correctly. Subsequently, the Air Force reported that it had
modified its system and would be conducting annual tests of the
system's logic. Furthermore, internal control standards requiring
testing will be applicable to the Case Execution Management Information
System, which DOD and the military services are developing to replace
the individual military services' systems.
The Army's automated requisition-processing system incorporates a
potential best practice that helps to prevent the release of classified
or controlled parts that are not authorized under blanket orders to
foreign countries. The automated systems used by the Navy and the Air
Force allow country managers[Footnote 5] to override system decisions
not to release classified or controlled parts that are requisitioned
under blanket orders to foreign countries. We found instances where
Navy and Air Force country managers overrode the systems' decisions
without documenting their reasons for doing so. In contrast, the Army's
system automatically cancels requisitions that are made under blanket
orders for classified or controlled parts. Because the requisitions are
automatically canceled, country managers do not have an opportunity to
override the system's decisions. Compared with the Navy's and the Air
Force's systems, the Army's system provides more stringent protection
against releasing classified or controlled parts to countries that are
not authorized to receive them under blanket orders.
This report contains recommendations aimed at (1) ensuring that DOD and
the military services follow up on our prior recommendations by
developing specific plans to institute the required testing of their
automated systems, (2) incorporating required testing in the
development of the Case Execution Management Information System, and
(3) determining if it would be beneficial to modify the Navy's and the
Air Force's requisition-processing systems so that the systems reject
requisitions for classified or controlled parts that foreign countries
make under blanket orders and preclude managers from manually
overriding system decisions, and to modify their systems as
appropriate.
In its comments on a draft of this report, DOD generally agreed with
the report's recommendations.
Background:
The sale or transfer of U.S. defense items to friendly nations and
allies is an integral component of both U.S. national security and
foreign policy. The U.S. government authorizes the sale or transfer of
military equipment, including spare parts, to foreign countries either
through government-to-government agreements or through direct sales
from U.S. manufacturers. The Arms Export Control Act[Footnote 6] and
the Foreign Assistance Act of 1961[Footnote 7] authorize the DOD
foreign military sales program. From 1993 through 2002, DOD delivered
over $150 billion worth of services and defense articles to foreign
countries through foreign military sales programs administered by the
military services. The articles sold include classified and controlled
cryptographic spare parts.
The Department of State sets overall policy concerning which countries
are eligible to participate in the DOD foreign military sales program.
DOD identifies military technology that requires control when its
transfer to potential adversaries could significantly enhance a foreign
country's military or war-making capability. Various agencies such as
the Department of State and DOD are responsible for controlling, in
part, the transfer or release of military technology to foreign
countries.
The Defense Security Cooperation Agency, under the direction of the
Under Secretary of Defense for Policy, has overall responsibility for
administering the foreign military sales program, and the military
services generally execute the sales agreements with the individual
countries. A foreign country representative initiates a request by
sending a letter to DOD asking for such information as the price and
availability of goods and services, training, technical assistance, and
follow-on support. Once the foreign customer decides to proceed with
the purchase, DOD prepares a Letter of Offer and Acceptance stating the
terms of the sale for the items and services to be provided. After this
letter has been accepted, the foreign customer is generally required to
pay, in advance, the amounts necessary to cover the costs associated
with the services or items to be purchased from DOD and then is allowed
to request spare parts through DOD's supply system.
Generally, the military services use separate automated systems to
process requisitions from foreign countries for spare parts. While the
Air Force has retained responsibility for its system, responsibility
for the Army's and the Navy's systems was transferred to the Defense
Security Assistance Development Center in October 1997. The Center,
which is part of the Defense Security Cooperation Agency, has overall
responsibility for providing system information technology maintenance
support, such as testing the system. For blanket orders, the systems
use various codes and item identifiers to restrict the spare parts
available to the countries. In cases where the systems validate a
requisition, the requisition is sent to a supply center to be filled
and shipped. In cases where the systems reject a requisition, the
requisition is sent to a country manager for review. The country
manager will either validate the requisition and forward it to the
supply center to be filled and shipped or reject the requisition, in
which case the requisition is canceled.
Testing of the Requisition-Processing Systems Is Needed to Improve
Internal Controls for Foreign Military Sales:
Our reviews showed that the Army, the Navy, and the Air Force were not
testing their automated systems to ensure that the systems were
accurately reviewing and approving blanket order requisitions for
compliance with restrictions and operating in accordance with foreign
military sales policies. Our tests of the services' automated systems
used to manage foreign countries' requisitions for spare parts made
through blanket orders showed that classified and controlled spare
parts that the services did not want released were being released to
countries. For example, we identified 5 out of 38 blanket order
requisitions for which the Navy's system approved and released 32
circuit card assemblies' controlled cryptographic spare parts to
foreign countries. According to Defense Security Assistance Development
Center officials, who are responsible for this portion of the Navy's
system, the system was not programmed to review the controlled
cryptographic items codes, and as a result, the system automatically
approved and released the parts requested by the foreign countries.
Navy and DOD officials were unaware that the system was not reviewing
controlled cryptographic parts prior to their release to foreign
countries.
For another example, the Air Force's system used controls that were
based on supply class restrictions and that were ineffective and
resulted in erroneously approving requisitions for shipment. Included
in an item's national stock number is a four-digit federal supply
class, which may be shared by thousands of items. The national stock
number also contains a nine-digit item identification number that is
unique for each item in the supply system. We found that countries
requisitioning parts under the Air Force's system could obtain a
classified or controlled spare part by using an incorrect, but
unrestricted, supply class with an item's correct national item
identification number. The Air Force was unaware of this situation
until our test of the system identified the problem. In response to our
work, the Air Force corrected the problem.
GAO's internal control standards require periodic testing of new and
revised software to ensure that it is working correctly, while the
Office of Management and Budget's internal control standards require
periodic reviews to determine how mission requirements might have
changed and whether the information systems continue to fulfill ongoing
and anticipated mission requirements.[Footnote 8] The importance of
testing and reviewing systems to ensure that they are operating
properly is highlighted in the Federal Information Security Management
Act of 2002.[Footnote 9] The act requires periodic testing and
evaluation of the effectiveness of information security controls and
techniques. Moreover, the act requires agencies, as part of their
information security program, to include a process for planning,
implementing, evaluating, and documenting remedial actions to address
deficiencies. Under guidance from the Office of Management and Budget,
agencies are to develop a Plan of Actions & Milestones to report on the
status of remediation efforts. This plan is to list information
security weaknesses, show estimated resource needs or other challenges
to resolving them, key milestones and completion dates, and the status
of corrective actions.
In commenting on our prior reports, DOD either concurred or partially
concurred with our recommendations for testing the services'
requisition-processing systems. The department, however, does not have
a plan specifying the remedial actions to be taken to implement these
recommendations. If actions are not taken to implement testing and
reviews, the potential benefits of these controls in preventing the
inadvertent release of classified or controlled spare parts may not be
realized.
* Regarding our recommendation to periodically test the Army's system,
DOD concurred and stated that testing of the Army system and its logic
would occur, given the funding and guidance required to do so.
* In response to our recommendation to periodically test the Navy's
system, DOD concurred.
* Concerning our recommendation to periodically test the Air Force's
system, DOD partially concurred and stated that a program was being
developed to test new modifications to the Air Force's system and that
testing of old modifications would be an ongoing effort. Testing only
the modifications to the Air Force's system, as DOD commented, will not
necessarily ensure that the system's logic is working correctly.
Subsequently, the Air Force concurred with our recommendation and
reported that it had modified its system and would be conducting annual
tests of the system's logic.
The Defense Security Cooperation Agency and the military services are
developing a new automated system, the Case Execution Management
Information System, to process foreign military sales requisitions. The
new system will replace the services' existing legacy systems with a
standard DOD system. DOD expects to deploy the new system in fiscal
year 2007. Internal control standards requiring testing will be
applicable to the new system.
Army's Practice Provides More Stringent Protection against the Improper
Release of Parts to Foreign Countries:
Our reviews showed that the Navy's and the Air Force's systems allowed
country managers, who are responsible for managing the sale of items to
foreign countries, to override system decisions not to release to
foreign countries classified or controlled parts that are requisitioned
under blanket orders. We identified instances where Navy and Air Force
country managers overrode the systems' decisions without documenting
their reasons for doing so. For example, of the 123 Air Force
requisitions we reviewed, the Air Force's system identified 36
requisitions for country manager review. For 19 of the requisitions,
the managers overrode the system's decisions and shipped classified and
controlled spare parts without documenting their reasons for overriding
the system. The managers we queried could not provide an explanation
for overriding the system.
In 1999, the Army modified its system to reject requisitions that are
made under blanket orders for classified or controlled parts. As a
result, Army country managers were precluded from manually overriding
the Army system's decisions. Compared with the Navy's and the Air
Force's systems, the Army's system provides more stringent protection
against releasing classified or controlled parts that are not
authorized for release under blanket orders to foreign countries.
Conclusions:
Preventing the inadvertent release of classified and controlled spare
parts that are not authorized for release under blanket orders to
foreign countries deserves the highest level of management attention.
The preemptive nature of testing and reviewing systems allows this
internal control to identify system weaknesses prior to the inadvertent
release of classified or controlled spare parts. Had the services
conducted periodic tests of their systems, the instances of releasing
spare parts that DOD did not want released that we identified in our
reports could have been significantly reduced, if not eliminated.
Developing effective corrective action plans is key to ensuring that
remedial action is taken to address significant information-system
internal control deficiencies. We believe the department could
demonstrate its commitment to addressing this systemic weakness by
providing specific information on its planned remedial actions.
Documenting country managers' decisions to override system decisions is
a control that could help prevent the release of classified or
controlled parts that are not authorized for release under blanket
orders to a foreign country. However, modifying systems, as the Army
did, to reject requisitions that are made under blanket orders for
classified or controlled parts and to preclude country managers from
manually overriding system decisions would provide more stringent
protection against releasing classified or controlled parts that are
not authorized for release under blanket orders to a foreign country.
Recommendations for Executive Action:
To reduce the likelihood of releasing classified and controlled spare
parts that DOD does not want to be released to foreign countries, we
recommend that you take the following three actions:
* Direct the Under Secretary of Defense for Policy, in conjunction with
the Secretaries of the Army and the Navy, and direct the Secretary of
the Air Force to develop an implementation plan, such as a Plan of
Actions & Milestones, specifying the remedial actions to be taken to
ensure that applicable testing and review of the existing requisition-
processing systems are conducted on a periodic basis.
* Direct the Under Secretary of Defense for Policy, in conjunction with
the Secretaries of the Army, the Air Force, and the Navy, to determine
whether current plans for developing the Case Execution Management
Information System call for periodic testing and, if not, provide for
such testing.
* Direct the Under Secretary of Defense for Policy, in conjunction with
the Secretary of the Navy, and direct the Secretary of the Air Force to
determine if it would be beneficial to modify the Navy's and the Air
Force's requisition-processing systems so that the systems reject
requisitions for classified or controlled parts that foreign countries
make under blanket orders and preclude country managers from manually
overriding system decisions, and to modify their systems as
appropriate.
Agency Comments and Our Evaluation:
The Director of the Defense Security Cooperation Agency provided
written comments on a draft of this report for DOD and partially
concurred with one recommendation and concurred with two
recommendations.
DOD partially concurred with our recommendation to develop a Plan of
Actions & Milestones specifying the remedial actions to be taken to
ensure that applicable testing and review of the existing requisition-
processing systems is conducted on a periodic basis. DOD stated that
the services have made appropriate changes to their systems in response
to our prior reports and routine maintenance and have tested the
applications accordingly. DOD also stated that, in lieu of a formal
Plan of Actions & Milestones, the military services, in concert with
DOD, can institute a practice of testing the applications on an annual
basis, if those applications are not otherwise changed and tested as a
matter of routine maintenance, to satisfy the requirement for periodic
testing. We agree that alternatives to a formal Plan of Actions &
Milestones may address the needed remedial actions. However, we believe
any alternative should specify the remedial actions to be taken to
ensure that applicable testing and review of the existing requisition-
processing systems are conducted on a periodic basis, and we have
modified our recommendation accordingly.
DOD concurred with our recommendation regarding the Case Execution
Management Information System. DOD stated that the system's software
program testing will adhere to software-testing standards in place at
the time of implementation, including testing to ensure that the
functionality of existing software code is not changed when the coding
is modified or enhanced.
DOD also concurred with our recommendation to determine if it would be
beneficial to modify the Navy's and the Air Force's requisition-
processing systems so that the systems reject requisitions for
classified or controlled parts that foreign countries make under
blanket orders and preclude managers from manually overriding system
decisions, and to modify their systems as appropriate. DOD stated that
it will review the Navy's and the Air Force's business processes, as
well as the requisition-processing systems. DOD noted that a better
option may be to mandate that country managers seek the appropriate
waivers in accordance with DOD policy to allow the release of a
classified or controlled spare part under a blanket order; provide
sufficient documentation for doing so; and make sure it is done as the
exception, not the rule. We agree that this option would enhance the
Navy's and the Air Force's controls and could help prevent the release
of classified or controlled parts that are not authorized for release
under a blanket order to a foreign country.
DOD also provided technical and editorial comments, which we have
incorporated as appropriate.
DOD's comments are reprinted in appendix I of this letter.
As you know, 31 U.S.C. 720 requires the head of a federal agency to
submit a written statement of the actions taken on our recommendations
to the Senate Committee on Governmental Affairs and to the House
Committee on Government Reform not later than 60 days from the date of
the report and to the House and Senate Committees on Appropriations
with the agency's first request for appropriations made more than 60
days after the date of the report. Because agency personnel serve as
the primary source of information on the status of recommendations, we
request that DOD also provide us with a copy of DOD's statement of
action to serve as preliminary information on the status of open
recommendations. Please provide me with a copy of your responses. My e-
mail address is solisw@gao.gov.
We are sending copies of this report to Senator Tom Harkin; the Senate
and House Committees on Armed Services; the Secretaries of the Army,
the Navy, and the Air Force; the Director, Office of Management and
Budget; and other interested congressional committees. The report is
also available on GAO's home page at http://www.gao.gov.
If you have any questions, please call me at (202) 512-8365. Key
contributors to this report were Thomas Gosling, Louis Modliszewski,
and R. K. Wild. Key contributors to our prior reports are listed in
those reports.
Sincerely yours,
Signed by:
William M. Solis, Director:
Defense Capabilities and Management:
[End of section]
Appendix I: Comments from the Department of Defense:
Note: GAO's comments supplementing those in the report's text appear at
the end of this appendix.
Note: Page numbers in the draft report may differ from those in this
report.
DEFENSE SECURITY COOPERATION AGENCY:
WASHINGTON, DC 20301-2800:
OCT 08 2004:
In reply refer to: I-04/013316-P3:
Mr. William M. Solis, Director:
Defense Capabilities and Management:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Solis:
This is the Department of Defense (DoD) response to the GAO draft
report, "FOREIGN MILITARY SALES: DoD Needs to Take Additional Actions
to Prevent Unauthorized Shipments of Spare Parts," dated September 24,
2004 (Code 350586/ GAO-05-17).
DoD acknowledges receipt of the draft report, and we concur with the
report in principle. Our responses to the three recommendations posed
by the GAO, as well as a separate listing of technical/editorial
comments for the GAO's consideration when preparing the final report,
are attached. We continue to pursue corrective measures to ensure that
adequate controls are in place to prevent shipments of spare parts not
authorized under blanket orders to foreign countries.
The Department appreciates the opportunity to comment on the draft
report. My point of contact on this matter is Ms. Kathy Robinson. She
may be contacted by email: kathy.robinson@dsca.mil or by telephone at
(703) 601-4368.
Sincerely,
Signed by:
JEFFREY B. KOHLER:
LIEUTENANT GENERAL, USAF:
DIRECTOR:
Attachments
As stated
GAO DRAFT REPORT - DATED SEPTEMBER 24, 2004 GAO CODE 350586/GAO-05-17:
"FOREIGN MILITARY SALES: DOD Needs to Take Additional Actions to
Prevent Unauthorized Shipments of Spare Parts,"
DEPARTMENT OF DEFENSE COMMENTS TO THE RECOMMENDATIONS:
RECOMMENDATION 1: The GAO recommended that the Secretary of Defense
direct the Under Secretary of Defense for Policy, in conjunction with
the Secretaries of the Army and Navy, and direct the Secretary of the
Air Force to develop a Plan of Action & Milestones specifying the
remedial actions to be taken to ensure that applicable testing and
review of the existing requisition-processing systems is conducted on a
periodic basis. (Page 11/GAO Draft Report):
DOD RESPONSE: Partially concur. The Services, in concert with DoD,
already perform system testing to ensure the requisition-processing
applications are running correctly to meet agency and customer needs.
The Services have already made appropriate changes to those
applications in response to the GAO reports and routine maintenance and
have tested the applications accordingly; both to ensure the change was
made and to ensure other functions were not negatively impacted. The
Services, in concert with DoD, can institute a practice of testing the
requisition processing applications on an annual basis, if those
applications are not otherwise changed and therefore tested as a matter
of routine maintenance, during the course of a year, which would
satisfy the requirement for periodic testing. DoD believes this will
meet the requirements of the GAO without developing a formal Plan of
Action & Milestones document as defined by the Office of Management and
Budget.
RECOMMENDATION 2: Direct the Under Secretary of Defense for Policy, in
conjunction with the Secretaries of the Army, the Air Force, and the
Navy, to determine whether current plans for developing the Case
Execution Management Information System call for periodic testing and,
if not, provide for such testing. (Page 11/GAO Draft Report):
DOD RESPONSE: Concur. The Case Execution Management Information System
(CEMIS) will be developed in accordance with all known USG and DoD
standards for the acquisition and the implementation of automated
information technology systems. Accordingly, CEMIS software program
testing will adhere to all software-testing standards in place at the
time of implementation, including "regression testing". Regression
testing is the recognized method for ensuring that the functionality
of existing code is not changed when program coding is modified or
enhanced to supplement the functionality.
RECOMMENDATION 3: The GAO recommended that the Secretary of Defense
direct the Under Secretary of Defense for Policy, in conjunction with
the Secretary of the Navy, and direct the Secretary of the Air Force,
to determine if it would be beneficial to modify the Navy's and Air
Forces' requisition-processing systems so that the systems reject
requisitions for classified or controlled parts that foreign countries
make under blanket orders and preclude country managers from manually
overriding system decisions, and to modify their systems as
appropriate.
(Page 11/GAO Draft Report):
DOD RESPONSE: Concur. DoD will review the Navy and Air Force business
processes, as well as the requisition processing systems, to determine
the benefits of modifying the systems to mirror the Army's system. A
better way may be to mandate that country managers seek the appropriate
waivers in accordance with DSCA policy to allow the release of a
classified or controlled spare part under a blanket order case, provide
sufficient documentation for doing so, and make sure it is done as the
exception, not the rule. This is primarily a matter of education and
training, particularly for new employees as they begin performing
security assistance work; in addition to management attention to make
sure the process is being done correctly.
Technical/editorial comments addressing specific pages and lines in the
GAO's draft report, GAO Code 350586/GAO-05-17 for the GAO's
consideration during preparation of the final report:
a. Title: Replace "Foreign Military Sales: DOD Needs to Take Additional
Actions to Prevent Unauthorized Shipments of Spare Parts", with
"Foreign Military Sales: DOD Needs to Take Additional Actions to
Prevent Shipments of Spare Parts Not Authorized under Blanket Orders."
DoD Comment: This is needed to clarify that the parts were not
authorized for release under blanket orders, not that the countries
were not authorized to receive them. It was the means by which they
received the parts, not the parts themselves and the countries that
received them that were in error.
b "Highlights" Page, line 26 - Replace ........ controlled parts to
countries that are not authorized to receive them" with "controlled
parts that are not authorized under blanket orders to foreign
countries." DoD Comment: This is needed to clarify that the parts were
not authorized for release under blanket orders, not that the
countries were not authorized to receive them. It was the means by
which they received the parts, not the parts themselves and the
countries that received them that were in error.
c "Highlights" Page, line 37 - Replace..... "parts to countries that
are not authorized to receive them under blanket orders", with "parts
that are not authorized under blanket orders to foreign countries." DoD
Comment: This is needed to clarify that the parts were not authorized
for release under blanket orders, not that the countries were not
authorized to receive them. It was the means by which they received the
parts, not the parts themselves and the countries that received them
that were in error.
d. Page 2, line 11 - Replace "which resulted in the release of parts to
foreign countries that were not authorized to receive the parts under a
blanket order" with "which resulted in the release of parts that were
not authorized for release under a blanket order to foreign countries."
DoD Comment: This is needed to clarify that the parts were not
authorized for release under blanket orders, not that the countries
were not authorized to receive them. It was the means by which they
received the parts, not the parts themselves and the countries that
received them that were in error.
e. Page 4, line 1 - "DOD did not provide information on planned
remedial actions, such as resources needed and key milestones." DoD
Comment: In accordance with guidelines from the DoDIG, DOD's liaison
with the GAO, the DoD provided appropriate comments to the GAO reports
on Service procedures. Comments are required only for those
recommendations to which there are partial concurrences or
nonconcurrences. It was never cited in any of the previous reports that
DoD was required to provide additional information or specific details
for a response of "Concur".
f. Page 4, line 8 - "DOD did not cite specific actions that would be
taken to test the Army's and the Navy's systems. DoD Comment: Similar
to b. above, the GAO never indicated that specific details were
required, or even warranted, for such a report. The GAO had not
requested such a response in their recommendations or other official
correspondence; no standards or targets were offered by GAO to which a
response could be framed, and the abbreviated time required for
Service inputs and DoD responses to the draft/final reports provided
no time to develop a Plan of Action and Milestones at that time.
g. Page 4, line 20 - Replace.. "parts to countries that are not
authorized to receive them under blanket orders", with "parts that are
not authorized under blanket orders to foreign countries." DoD Comment:
This is needed to clarify that the parts were not authorized for
release under blanket orders, not that the countries were not
authorized to receive them. It was the means by which they received
the parts, not the parts themselves and the countries that received
them that were in error.
h. Page 10, line 7-Replace "Preventing the inadvertent release of
classified and controlled spare parts to countries that are not
authorized to receive them under blanket orders....", with "Preventing
the inadvertent release of classified and controlled spare parts that
are not authorized for release under blanket orders to countries....".
DoD Comment: This is needed to clarify that the parts were not
authorized for release under blanket orders, not that the countries
were not authorized to receive them. It was the means by which they
received the parts, not the parts themselves and the countries that
received them that were in error.
GAO's Comments:
The following are GAO's comments on the Department of Defense's letter
dated October 8, 2004.
1. In our report, we modified the text to clarify that the parts were
not authorized for release under blanket orders. The title of this
report is consistent with the titles of our prior reports on this
subject, as listed on page 1, and we did not modify it as DOD suggests.
2. In response to DOD's comments, we modified the text to state that
DOD does not have a plan specifying the remedial actions to be taken to
implement our recommendations.
[End of section]
FOOTNOTES
[1] GAO, Foreign Military Sales: Improved Navy Controls Could Prevent
Unauthorized Shipments of Classified and Controlled Spare Parts to
Foreign Countries, GAO-04-507 (Washington, D.C.: June 25, 2004);
Foreign Military Sales: Improved Army Controls Could Prevent
Unauthorized Shipments of Classified Spare Parts and Items Containing
Military Technology to Foreign Countries, GAO-04-327 (Washington, D.C.:
Apr. 15, 2004); Foreign Military Sales: Air Force Does Not Use Controls
to Prevent Spare Parts Containing Sensitive Military Technology from
Being Released to Foreign Countries, GAO-03-939R (Washington, D.C.:
Sept. 10, 2003); and Foreign Military Sales: Improved Air Force
Controls Could Prevent Unauthorized Shipments of Classified and
Controlled Spare Parts to Foreign Countries, GAO-03-664 (Washington,
D.C.: July 29, 2003).
[2] Internal control activities include the policies, procedures, and
processes that are essential for the proper stewardship of and
accountability for government resources, and for achieving effective
and efficient program results.
[3] Classified parts are restricted for national security reasons;
controlled parts are not classified but contain military technology/
applications or are controlled cryptographic parts, hereafter referred
to as "controlled parts."
[4] Blanket order cases are based on agreements between the U.S.
government and a foreign country for a specific category of items for
which foreign military sales customers will have a recurring need. The
agreements have a dollar ceiling and no definitive listing of items or
quantities. Once a blanket order case is established, a foreign country
may submit requisitions for spare parts. We refer to requisitions for
parts under blanket order cases as "blanket orders."
[5] Country managers are responsible for managing the sale of items to
foreign countries and perform supply and financial technical work.
[6] Pub. L. No. 90-629, as amended.
[7] Pub. L. No. 87-195, as amended.
[8] GAO, Federal Information System Controls Audit Manual, GAO/AIMD-
12.19.6 (Washington, D.C.: January 1999); Office of Management and
Budget, Management of Federal Information Resources (Washington, D.C.:
November 2000); and GAO, Internal Control Management and Evaluation
Tool, GAO-01-1008G (Washington, D.C.: August 2001).
[9] Pub. L. No. 107-347, §§ 301-305.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
