Lights, camera, cyber!

Members of the 834th Cyber Operations Squadron discuss options in response to a staged cyber attack during filming of a scene for an Air Force Reserve Command mission video at Joint Base San Antonio-Lackland, Texas, on June 1, 2019. (U.S. Air Force Photo by Maj. Christopher Vasquez)

WASHINGTON: The Pentagon is still struggling to deliver working software for its weapon systems in a timely manner, with programs lagging behind commercial standards that call for deliveries as frequently as every two weeks, according to a new watchdog report.

In its annual Weapon System Annual Assessment, released June 8, the Government Accountability Office surveyed 59 Major Defense Acquisition Projects (MDAPs) and Middle Tier Acquisition (MTA) programs and found the department needs to rapidly increase delivery of software to a majority of those programs. 

The report comes a few months after Deputy Defense Secretary Kathleen Hicks approved a new software modernization strategy outlining three key objectives the Pentagon wants to achieve, including turning its 29 software factories into one overarching department-wide “ecosystem” to rapidly acquire and deliver software at speed.

The centralized software hub is anticipated to help streamline control points for end-to-end software delivery and speed innovation into warfighter hands. 

DoD programs aren’t delivering software frequently enough 

In its report, the GAO reviewed 39 MDAPs and MTA programs and found that the majority that reported using a modern software development approach actually deliver working software for user feedback slower than recommended by industry’s “agile” practices, which call for delivery of software as frequently as every two to six weeks. As a result, those programs may lose out on some of the benefits of using a modern approach. 

Seventy-nine percent of MTA programs were reported as using modern approaches compared to 60% of MDAPs. Some of the 39 programs reported delivering software to users as frequently as once a year; 22 programs delivered software every 12 months or less, and only six programs had a software delivery timeframe of three months or less.

“However, software deliveries for user feedback at a frequency of six months to a year do not align with the Agile principle of delivering working software frequently and would not attain the benefits from fast iterative feedback cycles,” the report states. 

The Pentagon struggling with agile software deliveries isn’t new: Last year, the GAO’s annual report concluded that only six of the 42 major weapons programs reviewed actually met the industry-level standard of delivering software updates to users in a six-week timeframe.

A majority of the MDAP and MTA programs surveyed in this year's report (40 out of 59 programs) identified software development as a risk, with the largest contributing factor being initial software integration with hardware. Other reported risks included the initial planned software effort proving to be more difficult than expected, hardware design changes that required additional software development efforts, and requirements changes.

Workforce challenges also plague the programs, with the most commonly reported challenge being finding staff who have the proper training and level of expertise needed to advance software development efforts.

As part of the GAO’s work on the department’s implementation of software acquisition reforms, it plans to examine DoD’s workforce issues. The report states that a 2020 RAND study presented options for DoD to track and manage its software acquisition workforce.

According to the GAO report, DoD initiated three software acquisition pilot programs in response to requirements set forth in the 2018 National Defense Authorization Act. To date, DoD has completed one of the pilot programs and is currently implementing another pilot program. 

DoD officials said they could not implement a third pilot on open source software due, in part, to the sensitivity of releasing weapon system software, according to the GAO. 

However, the GAO states DoD is continuing to mature its implementation of modern software development approaches.

According to the report, as of February 2022 DoD is tracking 35 programs using the software acquisition pathway established in 2020. The programs include a “wide array of software intensive systems to include command and control, cybersecurity, business systems, training, and software embedded weapon programs,” the report states. 

DoD weapon system cybersecurity concerns

The GAO found that the department's cybersecurity practices remain "generally consistent" with its prior assessment, which found that all 59 programs surveyed reported either having an approved cybersecurity strategy or planning to have one in the future.

The report also states that the number of programs that reported key requirements addressing cybersecurity has increased this year: 39 out of 59 programs reported that at least one key system attribute addressed cybersecurity, compared to 37 programs last year.

All DoD acquisition programs are required to execute cybersecurity testing and evaluation throughout the program’s life cycle, and GAO found that “this year, the percentages of programs that completed cybersecurity testing during developmental or operational testing changed since last year … Specifically, an increased percentage of programs this year reported conducting cooperative vulnerability and adversarial assessments during developmental testing, while a decreased percentage of programs reported conducting cooperative vulnerability and adversarial assessments during operational testing.”

However, the GAO did report the F-15EX program faces a cybersecurity vulnerability risk stemming from its design, “derived from FMS aircraft and, according to the program, not designed to U.S. Air Force cybersecurity requirements.”

“The program office plans to bring subject matter experts together in April 2022 to conduct a tabletop exercise in which they talk through how they would respond to simulated scenarios identifying vulnerabilities,” according to the report. “Subsequently, the program office plans to conduct other cybersecurity assessments, with results from the tabletop exercise determining the scope and dates of these additional assessments.”