8 June 2020 | International, C4ISR, Security

GAO Chides DoD For Absence Of Cybersecurity Requirements

Overall, costs of major DoD acquisition programs have grown by 54 percent over their lifetimes and schedule delays average two years, GAO's annual report finds.


WASHINGTON: Five years after the Pentagon demanded every weapon system include the requirement that it be able to fight through Russian and Chinese cyber attacks expected on future battlefields, DoD “does not often include cybersecurity” in key performance parameters (KPP) for major programs, says GAO in its annual defense acquisition review.

Of the three services, the Air Force is the worst at fulfilling two of the three best cybersecurity practices, the report says. The congressional watchdog found “inconsistent implementation of leading software practices and cybersecurity measures” among high-dollar “major defense acquisition programs” (MDAPs) — 85 programs worth $1.80 trillion at the end of 2019.

“This included longer-than-expected delivery times for software and delays completing cybersecurity assessments — outcomes disruptive to DOD's efforts to keep pace with warfighters' needs for enhanced, software-dependent capabilities and protect weapon systems from increasingly sophisticated cybersecurity threats,” GAO said in the June 3 report.

Cybersecurity KPPs Left Out

The GAO report explains that KPPs “are considered the most critical requirements by the sponsor military organization, while key system attributes (KSA) and other performance attributes are considered essential for an effective military capability.” In 2015, DOD modified its main requirements policy, the Joint Capabilities Integration and Development System (JCIDS) Manual, so that its rules on “survivability” requirements include the ability to operate in a “degraded cyber environment.”

Yet, GAO found that, at the end of 2019, 25 of the 42 major acquisition programs reviewed regarding cybersecurity practices failed to include cybersecurity as a parameter in their KPPs; “even more programs reported that their KSAs did not address cybersecurity.”

GAO has targeted cybersecurity, software development and DoD-wide information technology (IT) improvement programs in its recent annual reviews because DoD weapon systems “are more networked than ever before,” a change that, while providing benefits for the warfighter, also “has come at a cost” because “more weapon components can now be attacked using cybersecurity capabilities,” GAO explains. “Further, networks can be used as a pathway to attack other systems.”

The watchdog has consistently found that failing to bake cybersecurity requirements into system design and development ends up costing more money and time, because program offices struggle to re-engineer systems once they reach production. This problem affects most types of software development, and in the same way, trying to upgrade or replace software after the fact to improve cybersecurity often proves impossible.

The 2019 report thus “looked at DOD's progress with developing:

  • (1) strategies that help ensure that programs are planning for and documenting cybersecurity risk management efforts (cybersecurity strategies),
  • (2) evaluations that allow testers to identify systems' weaknesses that are susceptible to cybersecurity attacks and that could potentially jeopardize mission execution (cybersecurity vulnerability evaluations), and
  • (3) assessments that evaluate the ability of a unit equipped with a system to support assigned missions (cybersecurity assessments).”

Most of the 38 MDAPs reviewed reported creating cybersecurity strategies. However, of the 19 major programs that require cybersecurity vulnerability evaluations, under regulations set by the Office of the Undersecretary of Defense for Acquisition and Sustainment, headed by Ellen Lord, 11 had either not completed them or failed to do so on time. Another three said they didn't yet have a schedule for doing so, and one, an unnamed Air Force program, told GAO it actually didn't know whether it had undertaken the required evaluation. Indeed, the Air Force had the worst record on the evaluations, with none of its six programs having completed the evaluation process.

Of the 42 programs, 14 told GAO they had not finished their cybersecurity assessments. GAO also “found variation among the military departments in the rates they had completed these assessments. Specifically, among the three military departments, the Army reported the best rate for programs conducting cybersecurity assessments, while the Air Force had the lowest rate.”

IT and Software Problems Plague Programs

“Over the years, weapon acquisition program officials, through their responses to our questionnaires, have consistently acknowledged software development as a risk item in their efforts to develop and field capabilities to the warfighter, and this year is no different,” GAO reported somewhat wryly.

GAO found that more than a quarter of the 42 MDAPs reviewed reported cost growth from software changes but admitted that “details are limited” in DoD reporting.

Part of that uncertainty might be due to the fact that GAO found a number of major programs are transitioning to commercial approaches to software development, such as “agile development,” which involves introducing incremental improvements over time. However, GAO found, “deliveries often lag behind industry standards.”

Indeed, Air Force acquisition czar Will Roper told a webinar yesterday sponsored by Dcode, a tech innovation hub connecting commercial industry to government agencies, that while the Air Force can't go back and re-do old programs, “every new contract we do has to include DevSecOps.”

“We are all in,” he added, “it's going to change the world.”

DevSecOps stands for “development, security and operations,” and is a framework and set of tools for “designing in” software and cybersecurity. Roper has long been a key champion within DoD for moving to commercial practices and has repeatedly said he wants the Air Force to become a “software company.”

GAO said that officials from 26 of the MDAPs reviewed regarding software development reported that software concerns had created risks at some point during their program's history.

The biggest problem faced was — you guessed it — changes necessitated to ensure cybersecurity. The second biggest problem was that the software development simply was “more difficult than expected.” Hardware design changes also played a big role in creating software problems, requiring subsequent changes in software configurations.

Interestingly, while often bemoaned as a cause of program delays, requirements changes came in at the low end of the reported issues troubling software development.

Of the 15 major DoD IT programs reviewed, worth $15.1 million, 10 had delays in their original baseline schedules. But on the bright side, 11 showed decreased life cycle cost estimates.

Further, all 15 have cybersecurity strategies as required by DoD regulations, and most reported having undertaken in 2019 at least one operational cybersecurity test.

That said, “less than half reported conducting developmental cybersecurity testing,” GAO found. And according to DoD's own “Cybersecurity Testing and Evaluation Guidebook,” GAO scolds, “not conducting developmental cybersecurity testing puts programs at an increased risk of cost and schedule growth and poor program performance.”

Cost and Schedule Growth Stabilizes

As it does every year, GAO also reviewed all 85 MDAPs for cost and schedule growth, and on that front the news is good: GAO found that the programs “have generally stabilized non-quantity related” (i.e., not related to buying more units) “cost growth and schedule growth.”

“Between 2018 and 2019, total acquisition cost estimates for DoD's 85 current MDAPs grew by a combined $64 billion (a 4 percent increase), growth that was driven by decisions to increase planned quantities of some weapon systems,” GAO found. “For example, DoD more than doubled in the past year the total number of missiles it plans to acquire through the Air Force's Joint Air-to-Surface Standoff Missile program.”

And some programs actually lowered their average costs year over year. GAO found that 55 MDAPs (more than half) “had lower average procurement unit costs since last year. Examples of programs with lower unit costs include the Navy's Joint Precision Approach and Landing System (16 percent decrease) and the Air Force's F-22 Increment 3.2B Modernization (15 percent decrease).”

“Also between 2018 and 2019, capability delivery schedules for MDAPs increased, on average, by just over 1 month (a 1 percent increase),” GAO said.

However, the report cautioned that cost/schedule performance looks “less encouraging as measured against their original approved program baselines.”

The report found that the major acquisition programs “have accumulated over $628 billion (or 54%) in total cost growth since program start, most of which is unrelated to the increase in quantities purchased. Additionally, over the same time period, time required to deliver initial capabilities has increased by 30%, resulting in an average delay of more than two years.”

https://breakingdefense.com/2020/06/major-dod-acquisition-programs-flounder-on-cybersecurity-gao

On the same subject

  • For DoD cyber, 2019 is the year of doing

    31 January 2019 | International, C4ISR

    By: Mark Pomerleau

    Following a year of cyberspace strategizing, 2019 will be all about implementing rules and tools, according to the Department of Defense's top uniformed cyber policy adviser. Appearing Jan. 29 before the Senate Armed Services Subcommittee on Cybersecurity, Brig. Gen. Dennis Crall said the department knows where it needs to head following last year's DoD cyber strategy (the first in three years) and now is the time to show results.

    “This is the year of outcomes and that's what we're focused on — delivering the capabilities and improvements that we've discussed for some time,” he told the committee, adding that the strategy process allowed them to take a look at some departmental gaps and get after them. The strategy actually has actionable lines of effort and there are things they can do to measure progress, he said.

    The document lays out five objectives and five areas of interest under its strategic approach. The five objectives include:

      • Ensuring the joint force can achieve its missions in a contested cyberspace environment;
      • Strengthening the joint force by conducting cyberspace operations that enhance U.S. military advantages;
      • Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident;
      • Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks; and
      • Expanding DoD cyber cooperation with interagency, industry, and international partners.

    The five areas of interest under its strategic approach include building a more lethal joint force; competing and deterring in cyberspace; strengthening alliances and attracting new partners; reforming the department; and cultivating talent. The strategy also notes DoD must take action in cyberspace during day-to-day competition to preserve U.S. military advantages and defend U.S. interests.

    The focus will be on nation states that can pose strategic threats to the United States, namely China and Russia. “We will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict,” the document says.

    Dana Deasy, the department's chief information officer, told the same committee that the threat from Russia and China is so acute that he is briefed weekly by U.S. Cyber Command and the National Security Agency on them. This allows him to understand their offensive and defensive posture relative to the DoD. “Suffice to say that these are very strong, capable adversaries, but at the same time we have some strong, capable abilities ourselves,” he said.

    Cyber Command has now assembled a full force of cyberwarriors and received limited acquisition authority to start equipping them. However, there is much more work to be done. In fact, aside from individual tools, the force still needs a training range where cyberwarriors can do individual and collective training, as well as mission rehearsal, similar to rifle ranges or national training centers in the physical world. The Persistent Cyber Training Environment, being run by the Army for the joint force, will get after this; however, it is still in the prototype phase with a limited capability delivered to users.

    Additionally, the force needs a large-scale command-and-control platform that will house tools, provide commanders global situational awareness of forces and enable forces to plug into operations from remote locations. This is the goal of Unified Platform, which is also still in the prototype phase, though officials have said a limited product could be delivered as early as the spring.

    https://www.fifthdomain.com/dod/2019/01/30/for-dod-cyber-2019-is-the-year-of-doing

  • For emerging tech, DoD funds $100M in new projects to help bridge ‘valley of death’

    21 July 2022 | International, Aerospace, Naval, Land, C4ISR, Security, Other defence

    “APFIT holds great promise to transform the way the Department procures next generations solutions,” Heidi Shyu, undersecretary of defense for research and engineering, said. “This pilot program is well positioned to be a key asset as we continue to work to bridge the valley of death.”

  • BAE Tempest: possible Japanese participation

    29 October 2021 | International, Aerospace

    Japan could become a partner in Team Tempest, which is expected to evolve into contracts with the main partners, namely Sweden and Italy, by the end of this year. BAE Systems had already offered its expertise as part of the study of Japan's F-X, the successor to the F-2.