A US Department of Defense internal audit into its own oversight of sensitive technology related to the Lockheed Martin F-35 Joint Strike Fighter has concluded that "advanced aviation and weapons technology in the programme may have been compromised by unauthorised access at facilities and in computers at BAE Systems".
The DoD inspector general (IG) found no evidence of any compromise. However, it found that processes used by its own investigative agency - the Defense Security Service (DSS) - were inadequate to determine whether security procedures devised by BAE Systems' US subsidiary were sufficiently robust.
A BAE Systems statement stressed that the IG audit "explicitly found no instances of unauthorised access to classified or export control information on the JSF programme. We strongly disagree with the IG's suggestion that nonetheless, such information may have been compromised in some unidentified way by unauthorised access at BAE Systems".
BAE is the largest foreign-owned contractor for the DoD.
The IG audit, dated 6 March and obtained by the Project on Government Oversight, found, for example, that BAE's internal reports identified more security weaknesses than the DSS's own investigators found in a series of annual reviews.
Making matters worse, the DSS never checked the contractor's internal security reports, so the investigators were unaware of the additional potential security weaknesses.
The IG audit team first reviewed and cleared seven requests by the F-35 programme's two major suppliers - BAE and Northrop Grumman - for export control licences. The IG then widened the investigation to include security procedures at BAE's US facilities.