
June 8, 2020 | International, C4ISR, Security

GAO Chides DoD For Absence Of Cybersecurity Requirements

Overall, costs of major DoD acquisition programs have grown by 54 percent over their lifetimes and schedule delays average two years, GAO's annual report finds.


WASHINGTON: Five years after the Pentagon demanded every weapon system include the requirement that it be able to fight through Russian and Chinese cyber attacks expected on future battlefields, DoD “does not often include cybersecurity” in key performance parameters (KPP) for major programs, says GAO in its annual defense acquisition review.

Of the three services, the Air Force is the worst at fulfilling two of the three best cybersecurity practices, the report says. The congressional watchdog found “inconsistent implementation of leading software practices and cybersecurity measures” among high-dollar “major defense acquisition programs” (MDAPs) — 85 programs worth $1.80 trillion at the end of 2019.

“This included longer-than-expected delivery times for software and delays completing cybersecurity assessments — outcomes disruptive to DOD's efforts to keep pace with warfighters' needs for enhanced, software-dependent capabilities and protect weapon systems from increasingly sophisticated cybersecurity threats,” GAO said in the June 3 report.

Cybersecurity KPPs Left Out

The GAO report explains that KPPs “are considered the most critical requirements by the sponsor military organization, while key system attributes (KSA) and other performance attributes are considered essential for an effective military capability.” In 2015, DOD modified its main requirements policy, the Joint Capabilities Integration and Development System Manual (JCIDS), so that its rules on “survivability” requirements include the ability to operate in a “degraded cyber environment.”

Yet, GAO found that, at the end of 2019, 25 of the 42 major acquisition programs reviewed regarding cybersecurity practices failed to include cybersecurity as a parameter in their KPPs; “even more programs reported that their KSAs did not address cybersecurity.”

GAO has targeted cybersecurity, software development and DoD-wide information technology (IT) improvement programs in its recent annual reviews because DoD weapon systems “are more networked than ever before” — a change that, while providing benefits for the warfighter, also “has come at a cost” because “more weapon components can now be attacked using cybersecurity capabilities,” GAO explains. “Further, networks can be used as a pathway to attack other systems.”

The watchdog has consistently found that failing to bake cybersecurity requirements into system design and development ends up costing more money and time, as program offices struggle to re-engineer systems once they reach production. This problem affects most types of software development, and trying to upgrade or replace software after the fact to improve cybersecurity often proves impossible.

The 2019 report thus “looked at DOD's progress with developing:

  • (1) strategies that help ensure that programs are planning for and documenting cybersecurity risk management efforts (cybersecurity strategies),
  • (2) evaluations that allow testers to identify systems' weaknesses that are susceptible to cybersecurity attacks and that could potentially jeopardize mission execution (cybersecurity vulnerability evaluations), and
  • (3) assessments that evaluate the ability of a unit equipped with a system to support assigned missions (cybersecurity assessments).”

Most of the 38 MDAPs reviewed reported creating cybersecurity strategies. However, of the 19 major programs that require cybersecurity vulnerability evaluations — under regulations set by the office of Undersecretary of Defense for Acquisition and Sustainment Ellen Lord — 11 had not completed them or had failed to do so on time. Another three said they didn't yet have a schedule for doing so, and one — an unnamed Air Force program — told GAO it actually didn't know whether it had undertaken the required evaluation. Indeed, the Air Force had the worst record on the evaluations, with none of its six programs having completed the evaluation process.

Of the 42 programs, 14 told GAO they had not finished their cybersecurity assessments. GAO also “found variation among the military departments in the rates they had completed these assessments. Specifically, among the three military departments, the Army reported the best rate for programs conducting cybersecurity assessments, while the Air Force had the lowest rate.”

IT and Software Problems Plague Programs

“Over the years, weapon acquisition program officials, through their responses to our questionnaires, have consistently acknowledged software development as a risk item in their efforts to develop and field capabilities to the warfighter, and this year is no different,” GAO reported somewhat wryly.

GAO found that more than a quarter of the 42 MDAPs reviewed reported cost growth from software changes but admitted that “details are limited” in DoD reporting.

Part of that uncertainty might be due to the fact that GAO found a number of major programs are transitioning to commercial approaches to software development, such as “agile development,” which involves introducing incremental improvements over time. However, GAO found, “deliveries often lag behind industry standards.”

Indeed, Air Force acquisition czar Will Roper told a webinar yesterday sponsored by Dcode, a tech innovation hub connecting commercial industry to government agencies, that while the Air Force can't go back and re-do old programs, “every new contract we do has to include DevSecOps.”

“We are all in,” he added, “it's going to change the world.”

DevSecOps stands for “development, security and operations,” and is a framework and set of tools for “designing in” software and cybersecurity. Roper has long been a key champion within DoD for moving to commercial practices and has repeatedly said he wants the Air Force to become a “software company.”

GAO said that officials from 26 of the MDAPs reviewed for software development reported that software concerns had created risks at some point during their program's history.

The biggest problem faced was — you guessed it — changes necessitated to ensure cybersecurity. The second biggest problem was that the software development simply was “more difficult than expected.” Hardware design changes also played a big role in creating software problems, requiring subsequent changes in software configurations.

Interestingly, while often bemoaned as a cause of program delays, requirements changes came in at the low end of the reported issues troubling software development.

Of the 15 major DoD IT programs reviewed, worth $15.1 million, 10 had delays in their original baseline schedules. But on the bright side, 11 showed decreased life cycle cost estimates.

Further, all 15 have cybersecurity strategies as required by DoD regulations, and most reported having undertaken in 2019 at least one operational cybersecurity test.

That said, “less than half reported conducting developmental cybersecurity testing,” GAO found. And according to DoD's own “Cybersecurity Testing and Evaluation Guidebook,” GAO scolds, “not conducting developmental cybersecurity testing puts programs at an increased risk of cost and schedule growth and poor program performance.”

Cost and Schedule Growth Stabilizes

As it does every year, GAO also reviewed all 85 MDAPs for cost and schedule growth, and on that front the news is good: GAO found that the programs “have generally stabilized non-quantity related” (i.e., not driven by decisions to buy more units) “cost growth and schedule growth.”

“Between 2018 and 2019, total acquisition cost estimates for DoD's 85 current MDAPs grew by a combined $64 billion (a 4 percent increase), growth that was driven by decisions to increase planned quantities of some weapon systems,” GAO found. “For example, DoD more than doubled in the past year the total number of missiles it plans to acquire through the Air Force's Joint Air-to-Surface Standoff Missile program.”

And some programs actually lowered their year-average costs. GAO found that 55 MDAPs (more than half) “had lower average procurement unit costs since last year. Examples of programs with lower unit costs include the Navy's Joint Precision Approach and Landing System (16 percent decrease) and the Air Force's F-22 Increment 3.2B Modernization (15 percent decrease).”

“Also between 2018 and 2019, capability delivery schedules for MDAPs increased, on average, by just over 1 month (a 1 percent increase),” GAO said.

However, the report cautioned that cost/schedule performance looks “less encouraging as measured against their original approved program baselines.”

The report found that the major acquisition programs “have accumulated over $628 billion (or 54%) in total cost growth since program start, most of which is unrelated to the increase in quantities purchased. Additionally, over the same time period, time required to deliver initial capabilities has increased by 30%, resulting in an average delay of more than two years.”

https://breakingdefense.com/2020/06/major-dod-acquisition-programs-flounder-on-cybersecurity-gao
