The Department of Defense’s weapons systems programs may be turning to cutting-edge software development and cybersecurity practices more than ever, but their implementation has been patchy, according to a new oversight report.
The Government Accountability Office found in its annual weapons systems review, released June 8, that the Pentagon needs to conduct better oversight of systems developed using multiple acquisition pathways. DOD renewed its acquisition model with the introduction of the Adaptive Acquisition Framework in January 2020, which among other things helped streamline software acquisitions, emphasized the implementation of cybersecurity across the entire lifecycle of systems, and enabled greater adaptation of acquisition strategies.
In the same assessment, the GAO reported that both major defense acquisition programs (MDAPs) and mid-level acquisition programs (MTAs) said that software development factors, including cybersecurity, were “risks to the efforts of development and field capabilities for the warrior”. According to the GAO, this tracks with the results of last year’s assessment.
“DOD has made efforts to improve in these areas, such as working to update its cybersecurity software and instructions and providing guidance on Agile software development practices,” says the review. “However, we found that most programs we researched continue to face challenges in executing modern software development practices, and many programs we researched are challenged to implement iterative and early cybersecurity assessments.”
MDAPs told GAO they struggled to complete software development in time for testing, while MTA programs said they were having trouble achieving initial software-to-hardware integration. And most of the programs said they did not ensure that program employees receive training in modern software practices or that the programs work with end users in an iterative feedback process, which are some of the top practices recommended by the Defense Science Board for modernizing software acquisition.
Despite the emphasis on deploying software quickly in many batches, only six of 36 programs told the GAO that they delivered the software to users in less than three months. In an Agile development framework, software should be delivered within a few weeks.
“The MDAPs and MTA programs also reported challenges related to the software development workforce,” says the review. “For example, more than half of all MDAP and MTA programs reported staffing challenges, including hiring contractors and government employees in time to carry out planned work and identifying contractors and government employees with experience in software development.”
The picture isn’t much more optimistic on the cyber side. Half of all MDAPs and all MTA programs involved in the evaluation have not consistently implemented the DOD guidelines that describe testing and evaluation processes that start at the beginning of acquisition and continue through the program lifecycle. While most programs have created cyber strategies, many have neglected to include cybersecurity in their requirements documents.
“We found that the programs surveyed did not consistently conduct cooperative vulnerability-identification tests designed to identify vulnerabilities and plan ways to mitigate or resolve them,” says the review.
Ultimately, the GAO made a recommendation based on the assessment with which the DOD agreed: that the Under Secretary of Defense for Procurement and Maintenance should “ensure that internal and external reporting capabilities developed using various efforts or pathways provide information about each individual effort, as well as the overall planned cost and schedule needed to deliver the eventual capacity.”