
Defense Acquisitions: Joint Cyber Warfighting Architecture Would Benefit from Defined Goals and Governance

Published by the Government Accountability Office on 2020-11-19.


United States Government Accountability Office
Report to Congressional Committees

November 2020

DEFENSE ACQUISITIONS

Joint Cyber Warfighting Architecture Would Benefit from Defined Goals and Governance

GAO-21-68
Highlights of GAO-21-68, a report to congressional committees

Why GAO Did This Study

Cyberspace is a growing, human-made environment that touches many parts
of life, including education, economic development, health, and other public
services. For DOD, cyberspace is as important as the traditional land, sea,
air, and space warfighting domains. To integrate these disparate cyber
systems into a more cohesive capability, U.S. Cyber Command introduced an
overarching vision for cyber capabilities known as the Joint Cyber
Warfighting Architecture.

The Senate Armed Services Committee included a provision for GAO to review
the status of the JCWA. This report (1) describes the JCWA concept, systems,
and planned capabilities; and (2) assesses the extent to which DOD has
defined interoperability goals and a governance structure to guide JCWA
cyber system acquisitions.

To do this work, GAO reviewed acquisition program documents and joint cyber
warfighting requirements information. GAO conducted interviews with DOD
officials from key cyber warfighting organizations, including Cyber Command,
as well as JCWA program offices and stakeholders.

What GAO Found

U.S. Cyber Command created the Joint Cyber Warfighting Architecture (JCWA)
as a concept to integrate cyber warfighting systems. Department of Defense
(DOD) officials told GAO that the JCWA is to serve as a guiding concept for
cyber warfighting acquisitions and investment decisions, rather than a traditional
architecture that DOD’s systems engineering guidance states would address
functions, relationships, and dependencies of constituent systems. As of August
2020, the JCWA consisted of a diagram of systems, including four acquisition
programs and the cyber tools and sensors that support cyber warfighting (see
figure). Three of these programs were in development before Cyber Command
began efforts to link them together to create a more integrated set of systems.

Joint Cyber Warfighting Architecture Conceptual Diagram

Although the primary element of the JCWA concept, according to Cyber
Command officials, is the interoperability and information sharing among these
systems, Cyber Command has not defined JCWA interoperability goals for
constituent systems. The lack of defined goals is due in part to most programs
now included in the JCWA being in development prior to the concept being
initiated. However, goals are essential to ensuring that operators have system
capabilities as anticipated. Cyber Command recently established two new offices
that would be responsible for prioritizing JCWA program acquisition requirements
but as of August 2020, had not yet assigned roles and responsibilities for these
key offices. Until Cyber Command develops a governance structure for the new
offices with defined roles and responsibilities, it risks delays in providing needed
joint cyber warfare capabilities.

What GAO Recommends

GAO is making two recommendations for Cyber Command to define and
document JCWA interoperability goals as well as the JCWA governance
structure roles and responsibilities of key offices. DOD concurred with the
first and partially concurred with the second recommendation. DOD’s plans
are consistent with the intent of GAO’s recommendations.

View GAO-21-68. For more information, contact W. William Russell at
(202) 512-4841 or russellw@gao.gov.

Contents

Letter
               Background
               JCWA Is DOD’s Concept for Harmonizing Cyber Warfighting Acquisition Programs
               DOD Has Not Defined Key Goals and Governance Details for the JCWA
               Conclusions
               Recommendations for Executive Action
               Agency Comments and Our Evaluation

Appendix I     Joint Cyber Warfighting Architecture (JCWA) Acquisition Program Information and Status

Appendix II    Comments from the Department of Defense

Appendix III   GAO Contact and Staff Acknowledgments

Tables
               Table 1: Key Department of Defense (DOD) Stakeholders in Joint Cyber Warfighting Architecture (JCWA) Acquisitions
               Table 2: Unified Platform Acquisition Status
               Table 3: Joint Cyber Command and Control Acquisition Status
               Table 4: Persistent Cyber Training Environment Acquisition Status

Figure
               Figure 1: Joint Cyber Warfighting Architecture Conceptual Diagram

Abbreviations

DevSecOps         Development, Security, and Operations
DOD               Department of Defense
DODIN             DOD Information Network
JCWA              Joint Cyber Warfighting Architecture




This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.




                       Letter




441 G St. N.W.
Washington, DC 20548




                       November 19, 2020

                       Congressional Committees

                       Cyberspace is a growing, human-made environment that reaches into
                       many parts of life, including education, economic development, health,
                       and other public services. It has also evolved into an arena of conflict for
                       nation-states and independent groups or actors. From a military
                       perspective, cyberspace is as important as the traditional land, sea, air,
                       and space warfighting arenas or domains. Military actions in cyberspace
                       cover a spectrum of actions: from defensive activities that protect
                       vulnerable networks to offensive operations that damage enemy
                       capabilities.

                       Since 2016, the Department of Defense (DOD) has invested in a range of
                       joint cyber warfighting systems and capabilities to support the full
                       spectrum of military cyber operations carried out by DOD’s Cyberspace
                       Operations Forces—units of cyber operators that support the armed
                       services and combatant commands across all warfighting domains. In
                       2019, to integrate these disparate systems into a more cohesive
                       capability, U.S. Cyber Command introduced an overarching vision for all
                       cyber warfighting known as the Joint Cyber Warfighting Architecture
                       (JCWA).

                       Senate Report 116-48, accompanying the National Defense Authorization
                       Act for Fiscal Year 2020, includes a provision for us to review the status
                       of the JCWA. This report (1) describes the JCWA concept, systems, and
                       planned capabilities; and (2) assesses the extent to which DOD has
                       defined interoperability goals and a governance structure to guide cyber
                       system acquisitions associated with the JCWA.

                       To address our first objective, we reviewed program briefs, budget
                       information, plans, and requirements documents from 2017-2020 to
                       identify the capabilities U.S. Cyber Command procures as part of the
                       JCWA. We obtained and reviewed individual acquisition program
                       documentation from each of the ongoing JCWA acquisitions (Unified
                       Platform, Joint Cyber Command and Control, the Persistent Cyber
                       Training Environment, and the Joint Common Access Platform). We used
                       these acquisition documents to identify program acquisition strategies
                       and interviewed cognizant program officials to discuss program progress
                       and confirm details.



To address our second objective, we met with Cyber Command officials
to discuss the origins of the JCWA and how it changed over time. We
obtained available documentation of the JCWA, including early iterations
of the Unified Platform program and cyber warfighting Initial Capabilities
Documents. To identify the extent to which Cyber Command developed
key goals for the JCWA and its governance structure, we reviewed these
documents and interviewed JCWA stakeholders to assess these steps
against our prior work on the Government Performance and Results Act
and federal internal control standards related to achieving management
objectives.[1] We obtained cyber warfighters’ perspectives on the JCWA by
interviewing officials from each service’s cyber component: Army Cyber
Command, Marine Corps Forces Cyberspace Command, Navy’s Fleet
Cyber Command/Tenth Fleet, and Sixteenth Air Force (Air Forces Cyber).
We also interviewed officials from U.S. Cyber Command, the Office of the
Director, Operational Test and Evaluation; Office of Cost Assessment and
Program Evaluation; Office of the Under Secretary of Defense for
Acquisition and Sustainment; Office of the DOD Principal Cyber Advisor;
and the Office of the Under Secretary of Defense for Policy.

We limited our analysis to unclassified information sources due to
COVID-19-related restrictions that limited travel and access to systems
we use to process sensitive or classified information. We plan to include
these sources in future work.

We conducted this performance audit from October 2019 to November
2020 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.




[1] GAO, Executive Guide: Effectively Implementing the Government Performance and
Results Act, GAO/GGD-96-118 (Washington, D.C.: June 1996) and Standards for Internal
Control in the Federal Government, GAO-14-704G (Washington, D.C.: Sept. 2014).




Background

                       DOD conducts cyber operations through its Cyberspace Operations
                       Forces, which include the Cyber Mission Force. U.S. Cyber Command is
                       responsible for commanding DOD’s cyberspace operations forces, as
                       well as identifying acquisition requirements to support cyber operations.

DOD Cyber Operations

                       Cyber operations entail cyber warfare, both offensive and defensive
                       actions in cyberspace. To defend against and engage cyber adversaries,
                       DOD relies on three primary types of cyber operations:

                       DOD Information Network (DODIN) Operations. The DODIN is a set of
                       information technology capabilities and processes for collecting,
                       processing, storing, disseminating, and managing information needed by
                       DOD personnel. According to DOD documentation, the DODIN comprises
                       all of DOD cyberspace, including classified and unclassified global
                       networks and many other components and weapon systems such as
                       aircraft and ships that rely on connected devices, networks, and
                       software.[2] DODIN operations entail actions to secure, configure, operate,
                       extend, maintain, and sustain DOD cyberspace.

                       Defensive Cyber Operations. DOD executes defensive cyber operations
                       to defend the DODIN or, when ordered, non-DOD networks. Defensive
                       missions defeat specific threats that have bypassed, breached, or are
                       threatening to breach security measures. Cyber forces conduct defensive
                       missions in response to specific threats of attack, exploitation, or other
                       effects of malicious cyberspace activity. Their actions can include
                       outmaneuvering or interdicting adversaries or returning a compromised
                       network to a secure and functional state.[3]

                       Offensive Cyber Operations. According to DOD, offensive cyber
                       missions extend military operations in and through foreign cyberspace in
                       support of national security objectives. All actions cyber forces conduct
                       outside of DOD-protected cyberspace are considered offensive missions.

                       Examples of Cyber Command’s cyber operations include supporting
                       forces in Iraq and Afghanistan, defending the 2018 midterm elections,
                       and fighting terror groups in cyberspace.



                       [2] Chairman of the Joint Chiefs of Staff, Joint Publication 3-12: Cyberspace Operations
                       (June 8, 2018).
                       [3] Joint Publication 3-12.




Cyberspace Operations Forces and the Cyber Mission Force

                        DOD relies on a variety of military and civilian personnel to conduct cyber
                        operations through its Cyberspace Operations Forces, which include
                        Cyber Command subordinate Command elements, DOD Component
                        Network Operations Centers, and Cybersecurity Service Providers,
                        special capability providers, and specially designated units. As we noted
                        above, part of the Cyberspace Operations Forces is the Cyber Mission
                        Force, consisting of over 6,000 military, civilian, and contractor personnel
                        from across the military services. We previously reported that the Cyber
                        Mission Force primarily includes the following kinds of units:

                        •   Combat Mission Teams and their associated Combat Support Teams
                            support combatant commands by providing offensive cyberspace
                            capabilities in support of operational plans and contingency
                            operations.
                        •   National Mission Teams and their associated Mission Support Teams
                            defend the United States and its interests against cyberattacks of
                            significant consequence.[4]
                        •   Cyber Protection Teams augment traditional defensive measures and
                            defend priority DOD networks and systems against priority threats.

                        U.S. Cyber Command began creating the Cyber Mission Force in 2013
                        and declared full operational capability in 2018.[5] DOD currently has 133
                        teams from across the military services, including Air National Guard and
                        Air Force Reserve personnel. Cyber Command plans for a second wave
                        of 21 additional Cyber Protection Teams with Army Reserve and Army
                        National Guard personnel to reach full operational capability by fiscal year
                        2024.[6]

U.S. Cyber Command History

                        As DOD’s reliance on computers, networks, and software-intensive
                        systems has grown, the department’s approach to managing its use of
                        cyberspace has also evolved. DOD initially developed a series of joint
                        task forces to address computer network defense in the 1990s. In
                        October 2000, U.S. Space Command formally took control of DOD’s


                        [4] The National Mission Teams and Combat Mission Teams have support teams that
                        typically include linguists, analysts, and other specialists.
                        [5] According to DOD officials, full operational capability for Cyber Mission Force teams is an
                        evaluation that the team can perform its mission as designed.
                        [6] GAO, DOD Training: U.S. Cyber Command and Services Should Take Actions to
                        Maintain a Trained Cyber Mission Force, GAO-19-362 (Washington, D.C.: Mar. 6, 2019).




                computer network activities.[7] Then, in 2002, the computer network
                defense mission moved to U.S. Strategic Command. Offensive cyber
                operations also fell under Strategic Command but under the oversight of
                the National Security Agency.

                In the 2004 National Military Strategy, the Joint Chiefs of Staff declared
                cyberspace a domain or warfighting arena, alongside air, land, sea, and
                space. Strategic Command reorganized cyber operations, though
                offensive operations remained under dual oversight with the National
                Security Agency. In 2008, DOD completed several reviews of the
                organization of its cyber functions, roles, and missions, leading
                department leadership to consider merging offensive and defensive cyber
                operations. In November 2008, the Secretary of Defense directed the
                creation of a new subunified command to Strategic Command: U.S.
                Cyber Command. As part of this effort, DOD merged offensive and
                defensive cyber operations under a new “dual-hat” structure that made
                the Commander of Cyber Command also the Director of the National
                Security Agency. DOD formally created Cyber Command in June 2009.

                In recognition of the growing centrality of cyberspace to U.S. national
                security, the Secretary of Defense recommended elevating U.S. Cyber
                Command to a unified combatant command in August 2017. At
                presidential direction, Cyber Command became a unified combatant
                command in May 2018. Cyber Command relies on forces drawn from the
                military service cyber components and their cyber component commands,
                which the services began developing in 2009. Between 2013 and 2018,
                Cyber Command began organizing and developing the Cyber Mission
                Force with the service cyber components.

Cyber Command Acquisitions

                In the National Defense Authorization Act for Fiscal Year 2016, Congress
                granted acquisition authority up to $75 million to U.S. Cyber Command to
                support cyber operations—most other combatant commands do not have



                [7] DOD originally established U.S. Space Command in 1985 but deactivated the command
                in 2002 and transferred its responsibilities to U.S. Strategic Command. DOD
                re-established Space Command in August 2019.




                                             such an authority.[8] However, Cyber Command currently relies on
                                             Executive Agents, such as the Air Force, and other agreements through
                                             the military services for acquisition of the four main components of the
                                             JCWA.[9] Table 1 identifies the primary stakeholders in JCWA acquisitions.

Table 1: Key Department of Defense (DOD) Stakeholders in Joint Cyber Warfighting Architecture (JCWA) Acquisitions

Stakeholder: U.S. Cyber Command
Role: Combatant command responsible for cyber operations and overseeing Cyberspace Operations Forces

Stakeholder: Service Cyber Components:
•   Army Cyber Command
•   Marine Corps Forces Cyberspace Command
•   Fleet Cyber Command/Tenth Fleet (Navy)
•   Sixteenth Air Force (Air Forces Cyber)
Role: Each component is the service’s cyber warfighting element that provides personnel to Cyberspace Operations Forces as well as to support other kinds of cyber operations. They also provide subject matter experts to cyber acquisition programs to support development.

Stakeholder: Service Component Acquisition Executives:
•   Assistant Secretary of the Army for Acquisition, Logistics, and Technology
•   Assistant Secretary of the Air Force for Acquisition, Technology and Logistics
Role: Officials within the DOD components with Decision Authority for program execution for current and planned programs within the JCWA concept

Stakeholder: Acquisition Program Executive Officers (PEOs):
•   Army PEO Intelligence, Electronic Warfare, and Sensors
•   Army PEO Simulation, Training, and Instrumentation
•   Air Force PEO Command, Control, Communications, Intelligence and Networks
Role: Responsible for leading acquisition program offices, which develop and acquire the relevant technological solution. The PEOs identified are responsible for current and planned acquisition programs within the JCWA concept.

Stakeholder: Principal Cyber Advisor
Role: Office of the Under Secretary of Defense for Policy staff advisor to the Secretary of Defense on military and civilian cyber forces and activities

Stakeholder: Under Secretary of Defense for Acquisition and Sustainment
Role: Defense Acquisition Executive

Stakeholder: Under Secretary of Defense for Research and Engineering
Role: DOD authority for development and oversight of technology

Stakeholder: Director of Cost Assessment and Program Evaluation
Role: DOD Principal Staff Assistant for independent cost assessment, program evaluation, and analysis

Stakeholder: Chief Information Officer
Role: Senior Advisor for information technology, including national security systems and defense business systems

Stakeholder: Director, Operational Test and Evaluation
Role: DOD’s operational test authority

Stakeholder: Combatant Commands and Services
Role: These components rely on the cyber warfighting systems and Cyberspace Operations Forces to support operations among the land, sea, air, space, and cyber domains.

Source: GAO summary of DOD documents. │ GAO-21-68


                                             [8] Pub. L. No. 114-92, § 807 (2015). The Senate Report to the National Defense
                                             Authorization Act for Fiscal Year 2021 included a provision to remove the $75 million cap
                                             on cyber acquisitions obligations and expenditures. However, the report cautioned Cyber
                                             Command against attempting expansive acquisition efforts itself, including major defense
                                             acquisition programs, as the command lacks the capacity and expertise to manage large
                                             acquisition programs. S. Rep. No. 116-236, 116th Cong, 2d Sess. 338 (2020),
                                             (accompanying S. 4049, National Defense Authorization Act for Fiscal Year 2021).
                                             [9] According to DOD Directive 5101.1, DOD Executive Agent, a DOD Executive Agent is the
                                             head of a DOD component to whom the Secretary of Defense or Deputy Secretary
                                             assigned specific responsibilities, functions, and authorities to provide defined levels of
                                             support for operational missions or administrative or other designated activities that
                                             involve two or more of the DOD components. For example, the Director of the Defense
                                             Information Systems Agency is the Executive Agent for Information Technology
                                             Standards, developing and maintaining information technology standards.



JCWA Is DOD’s Concept for Harmonizing Cyber Warfighting Acquisition Programs

                                                    DOD created the JCWA as a concept to harmonize cyber capabilities and
                                                    their enabling acquisition programs to meet the needs of the Cyberspace
                                                    Operations Forces. Cyber Command officials told us that the defining
                                                    goal of the JCWA concept is to develop interoperability among systems to
                                                    provide a comprehensive, integrated, cyberspace architecture. The
                                                    Cyberspace Operations Forces primarily rely on independent military
                                                    services’ systems to conduct cyber operations, but common systems that
                                                    are more interoperable could help unify information sharing and
                                                    decision-making to support joint operations. However, Cyber Command officials
                                                    also told us that the JCWA is only loosely an architecture—an idea to
                                                    bring acquisitions together. In contrast, DOD guidance defines an
                                                    architecture as part of a system of systems that addresses overall system
                                                    objectives and encompasses the functions, relationships, and
                                                    dependencies of constituent systems.[10] According to Cyber Command
                                                    officials, the JCWA is to serve as a guiding concept for the acquisition of
                                                    cyber warfighting capability, helping steer requirements and investment
                                                    decisions.

                                                    As of August 2020, the JCWA is defined by a diagram of its programs and
                                                    systems as outlined below. Cyber Command currently identifies four
                                                    acquisition programs and two other types of cyber warfighting support as
                                                    part of the JCWA. Three of these four programs were at least in
                                                    development before Cyber Command began linking them together to
                                                    create a more capable set of systems. The programs that already had
                                                    defined, approved requirements could change depending on how Cyber
                                                    Command develops the JCWA concept. In November 2020, Cyber
                                                    Command officials stated that they are making progress in further


                                                    [10] Office of the Deputy Undersecretary of Defense for Acquisition and Technology,
                                                    Systems and Software Engineering, Systems Engineering Guide for Systems of Systems,
                                                    Version 1.0. (Washington, D.C.: Aug. 2008), 19.




                                        defining a JCWA systems architecture. Figure 1 depicts the programs
                                        within the JCWA concept and the Cyberspace Operations Forces.

Figure 1: Joint Cyber Warfighting Architecture Conceptual Diagram




                                        Unified Platform–data management and integration. The purpose of
                                        Unified Platform is to function as a data synchronization and access
                                        system for cyber warfighters and supporting personnel. According to
                                        program officials, Cyberspace Operations Forces will be able to obtain
                                        data across the military services to conduct advanced analytics as well as
                                        access other JCWA capabilities such as Joint Cyber Command and
                                        Control. The program office plans to deliver its next increment by October
                                        2020.



                       Joint Cyber Command and Control–decision making. The goal of this
                       program is to integrate situational awareness data from multiple sources
                       to support commanders’ warfighting decisions. This system relies in part
                       on information from Unified Platform. The majority of the Joint Cyber
                       Command and Control system development efforts are planned to begin
                       during fiscal year 2021.

                       Persistent Cyber Training Environment–training, assessment, and
                       mission rehearsal. This system provides a platform for training,
                       assessment, and mission rehearsal. The purpose of such a framework is
                       to create an environment for cyber warfighters to configure networks,
                       devices, software, and tools to evaluate and practice operations—for
                       example, simulating the cyberspace disruption of an enemy system to
                       develop new methods and tactics. The system recently supported a large-
                       scale cyber exercise, Cyber Flag 20-2, by successfully connecting users
                       across five countries with a high volume of data traffic.

                       Joint Common Access Platform–mission enablement. The purpose of
                       the Joint Common Access Platform is to provide a common cyber firing
                       platform for cyber operators to project combat power, using a
                       comprehensive suite of tools. It is the newest JCWA program, initiated in
                       May 2020.

                       Cyber Tools and Sensors–operations and situational awareness.
                       Cyber tools and sensors do not represent a single program or family of
                       programs, but are multiple ongoing and planned efforts within each
                       service and U.S. Cyber Command. These efforts acquire and deploy
                       cyber tools to defend friendly networks and systems as well as affect the
                       operations of enemy systems. Sensors help deliver intelligence,
                       surveillance, and reconnaissance data to inform cyber warfighters.
                       Examples include tools, such as forensic kits to evaluate enemy actions,
                       and sensors, such as firewalls to detect adversary activity.

                       Appendix I includes additional details on these programs.

DOD Has Not Defined Key Goals and Governance Details for the JCWA

                       DOD created the JCWA as a concept to harmonize cyber capabilities.
                       However, as of August 2020, Cyber Command had not yet progressed
                       beyond diagramming the JCWA concept and beginning efforts to
                       establish supporting offices. Specifically, Cyber Command has not
                       established the goals or objectives that would define interoperability
                       requirements across JCWA systems or a governance structure to
                       prioritize requirements among the programs. According to Cyber
                       Command and acquisition program officials, without clearly defined
                       interoperability requirements, JCWA programs may face challenges in
                       providing needed capabilities to Cyberspace Operations Forces.

Cyber Command Has Not Established JCWA Interoperability Requirement Goals

                        Cyber Command has not defined goals for the JCWA that would describe
                        how current and future joint cyber warfighting systems DOD procures
                        would interoperate. The absence of goals is contrary to leading practices
                        we identified in our prior work, which call for program goals to clearly
                        define desired program outcomes. 11 Clearly defined goals explain the
                        purposes of a program and the results an organization intends to achieve.
                        Goals also provide the basis for developing performance measures that
                        help organizations demonstrate progress. By defining JCWA goals, DOD
                        can describe overall system objectives, relationships, and dependencies
                        of its JCWA programs and then develop performance measures to track
                        progress of the JCWA systems as a whole.

                        In the absence of interoperability goals, JCWA programs lack objectives
                        that would implement consistent practices among the programs, such as
                        data tagging standards. Program officials told us they discuss such
                        standards informally, in a “coalition of the willing.” This group represents
                        acquisition personnel within the various JCWA programs that coordinate
                        informally to share information, but these efforts are not synchronized
                        through JCWA goals—meaning each program is working independently
                        to become interoperable. According to program officials we interviewed,
                        information sharing, user feedback, and collaboration across Unified
                        Platform, Joint Cyber Command and Control, and the Persistent Cyber
                        Training Environment occur regularly, but this effort between programs is
                        largely ad hoc and does not systematically address broader data sharing
                        or interoperability questions.

                        According to Cyber Command officials, operational challenges and
                        strategic changes delayed Cyber Command in developing JCWA goals.
                        Cyber Command officials told us that cyber warfighting techniques can
                        evolve rapidly and systems need to support new tactics. However,
                        determining program requirements to support these techniques that can
                        change in hours or days is a challenge. Cyber Command developed the
                        systems to support the pace of cyber warfare before developing broader
                        goals to make the systems interoperate. Further, Cyber Command
                        previously focused on establishing the Cyber Mission Force and since
                        2018 has reoriented to identify and procure the systems to support cyber
                        warfighting.

                        11 GAO, Executive Guide: Effectively Implementing the Government Performance and
                        Results Act, GAO/GGD-96-118 (Washington, D.C.: June, 1996).

                             According to Cyber Command and acquisition program officials, without
                             clearly defined goals, JCWA programs may fail to interoperate as
                             anticipated, despite early informal successes in information sharing. For
                             example, Cyber Command plans for Unified Platform to provide data
                             analysis to support cyber operations. However, it relies on different
                             systems and Big Data Platforms that collect data in different formats. 12
                             DOD officials stated that, to make these disparate data readily available
                             for search and analysis within Unified Platform, each system must tag
                             data as they are collected, according to common, pre-determined
                             standards, which Cyber Command has not defined for the JCWA. As a
                             result, Unified Platform may not be able to fully interoperate with other
                             systems’ data. If Unified Platform or other JCWA systems are not
                             interoperable, Cyberspace Operations Forces may not have anticipated
                             system capabilities to conduct operations.

Cyber Command Has Not Defined JCWA Governance Structure Roles and Responsibilities

                             We also found that Cyber Command has not defined roles and
                             responsibilities to manage the JCWA, despite recent efforts to establish
                             new offices. Federal internal control standards state that managers
                             should establish an organizational structure with assigned responsibilities
                             to achieve the organization’s objectives. 13 Cyber Command identifies
                             requirements or needs for a cyber warfighting system but relies on the
                             military services to procure these systems. Therefore, developing a
                             governance structure for the JCWA involves organizations outside of
                             Cyber Command.

                             Officials we interviewed from the DOD organizations involved in cyber
                             warfighting acquisitions, including users, identified a lack of
                             command-level coordination of the JCWA concept that is causing operational
                             confusion and uncoordinated acquisitions. Further, our review of Cyber
                             Command documents shows early efforts underway to develop a
                             governance structure and define command-level coordination, but they
                             are not yet complete or approved. In early 2020, Cyber Command
                             established its JCWA Integration Office to help address some of the
                             challenges associated with defining and implementing the JCWA concept.
                             According to Cyber Command officials, this office will help develop
                             guidance to integrate the individual JCWA programs into a more holistic,
                             interoperable construct. In addition, Cyber Command officials stated that
                             a new JCWA Capabilities Management Office will work with the JCWA
                             Integration Office to identify and align requirements across JCWA
                             systems based on Cyberspace Operations Forces’ needs. Although DOD
                             introduced the JCWA concept in early 2019, Cyber Command officials
                             were still drafting a charter for the JCWA Integration Office and working
                             with other DOD stakeholders on the JCWA concept to establish roles and
                             responsibilities to oversee and implement the JCWA as of August 2020. 14
                             In November 2020, Cyber Command officials stated they are making
                             progress to define these offices’ roles and responsibilities within Cyber
                             Command.

                             12 The Defense Information Systems Agency developed its Big Data Platform to provide a
                             computing solution that is capable of ingesting, storing, processing, sharing, and
                             visualizing multiple petabytes of data from DODIN sources. Three of the service cyber
                             components—Army, Marine Corps, and Air Force—each has its own Big Data Platform
                             and ingests data from its respective cyberspace missions.

                             13 GAO, Standards for Internal Control in the Federal Government, GAO-14-704G
                             (Washington, D.C.: Sept. 2014).

              Improved governance would help with prioritizing and coordinating
              acquisition program requirements and broader JCWA goals. Defined
              roles and responsibilities for the JCWA Integration Office and JCWA
              Capabilities Management Office would allow Cyber Command to assess
              requirements collectively to prioritize cyber warfighting needs across
              programs. Further, Cyber Command officials stated that these offices will
              also help ensure program interoperability in support of the JCWA’s
              primary goal. However, until Cyber Command defines these roles and
              responsibilities, DOD is at risk of delaying needed joint cyber warfighting
              capabilities.

              14 The Senate Armed Services Committee also noted concern that oversight and
              coordination of the JCWA acquisition programs is inadequate and stated that DOD must
              exercise deliberate oversight to ensure that acquisition priorities and objectives are
              aligned to Cyber Command’s mission needs. In the Senate Report accompanying the
              National Defense Authorization Act for Fiscal Year 2021, the committee directed DOD to
              develop a plan by December 1, 2020 to include (1) a structure and process to enable the
              proper integration of JCWA components as a functional system of systems that can
              readily adapt to cyber mission needs; and (2) a mechanism to ensure that the JCWA
              component program offices are responsive to the needs of the Joint Force as represented
              by Cyber Command. S. Rep. No. 116-236, 116th Cong, 2d Sess. 357 (2020),
              (accompanying S. 4049, National Defense Authorization Act for Fiscal Year 2021).

Conclusions

              To defend and fight in cyberspace, DOD is procuring new systems to
              harmonize cyber functions and promote information sharing. However,
              DOD and Cyber Command have just begun their work to support these
              systems as a unified whole. U.S. Cyber Command established program
              requirements and initiated several of the cyber acquisition programs now
              identified as part of the JCWA prior to developing the concept itself.
              Rapidly evolving cyber warfighting techniques coupled with a lack of
              goals to define interoperability has hampered JCWA efforts. The JCWA
              concept also lacks command-level coordination needed for a portfolio of
              interoperable systems. Cyber Command has begun to grapple with these
              challenges by taking initial steps at identifying governance roles and
              responsibilities within and elsewhere in DOD. Until Cyber Command
              establishes goals for interoperability requirements as well as addresses
              governance shortfalls, the JCWA portfolio of programs remains at risk of
              failing to provide needed joint cyber warfighting capability.

Recommendations for Executive Action

                      We are making two recommendations to the Department of Defense.

                      •   The Secretary of Defense should direct the Commander, U.S. Cyber
                          Command, to define and document Joint Cyber Warfighting
                          Architecture goals for interoperability requirements to help
                          synchronize acquisition efforts. (Recommendation 1)
                      •   The Secretary of Defense should direct the Commander, U.S. Cyber
                          Command, to further develop the Joint Cyber Warfighting Architecture
                          governance structure by defining and documenting the roles and
                          responsibilities of the Joint Cyber Warfighting Architecture Integration
                          Office and Joint Cyber Warfighting Architecture Capabilities
                          Management Office. (Recommendation 2)

Agency Comments and Our Evaluation

                      We provided a draft of this product to the Department of Defense for
                      comment. In its comments, reproduced in appendix II, DOD concurred
                      with our first recommendation and partially concurred with the second.
                      Specifically, DOD concurred with our first recommendation and noted that
                      JCWA interoperability goals are required and plans to ensure that JCWA
                      material solution integration and architecture goals are also addressed.
                      DOD partially concurred with our second recommendation and stated that
                      Cyber Command plans to further develop the JCWA governance
                      structure with DOD stakeholders. These actions align with the intent of
                      our recommendations and we will continue to monitor DOD efforts in our
                      future work. DOD also provided technical comments that, among other
                      things, provided updates on JCWA implementation activities and clarified
                      JCWA program funding, which we incorporated as appropriate and where
                      documentation was provided.

We are sending copies of this report to the appropriate congressional
committees, the Secretary of Defense, and the Commander, U.S. Cyber
Command. In addition, the report will be available at no charge on GAO’s
website at https://www.gao.gov.

If you or your staff have any questions about this report, please contact
me at (202) 512-4841 or russellw@gao.gov. Contact points for our offices
of Congressional Relations and Public Affairs may be found on the last
page of this report. GAO staff who made key contributions to this report
are listed in appendix III.




W. William Russell
Director, Contracting and National
  Security Acquisitions




List of Committees

The Honorable James M. Inhofe
Chairman
The Honorable Jack Reed
Ranking Member
Committee on Armed Services
United States Senate

The Honorable Richard C. Shelby
Chairman
The Honorable Richard Durbin
Ranking Member
Subcommittee on Defense
Committee on Appropriations
United States Senate

The Honorable Adam Smith
Chairman
The Honorable Mac Thornberry
Ranking Member
Committee on Armed Services
House of Representatives

The Honorable Peter J. Visclosky
Chairman
The Honorable Ken Calvert
Ranking Member
Subcommittee on Defense
Committee on Appropriations
House of Representatives




Appendix I: Joint Cyber Warfighting Architecture (JCWA) Acquisition Program Information and Status

              The following acquisition programs and supporting systems were part of
              the JCWA concept as of August 2020.

              Unified Platform–data management and integration. The Air Force, as
              Executive Agent, initiated Unified Platform as a middle tier acquisition
              rapid prototyping program but realigned the program to DOD’s new
              Software Acquisition Pathway. 1 The Air Force is managing system
              integration efforts for Unified Platform and using a Development, Security,
              and Operations (DevSecOps) approach to software development with the
              intent of continuously delivering capability to the user. 2 The DevSecOps
              approach emphasizes delivery of new system capabilities to users in
              iterations—every 3 months in the case of Unified Platform. According to
              program officials, the Air Force established the LevelUP software factory
              to more rapidly develop, test, and field these new capabilities for Unified
              Platform and other JCWA programs. 3 U.S. Cyber Command accepted six
              increments of Unified Platform capability between April 2019 and July
              2020.




              1 The Under Secretary of Defense for Acquisition and Sustainment released the Software
              Acquisition Pathway in January 2020, entitled Software Acquisition Pathway Interim Policy
              and Procedures. In its recent guidance restructuring the defense acquisition system, DOD
              designed the Software Acquisition Pathway to facilitate rapid and iterative deployment of
              software capability. Operation of the Adaptive Acquisition Framework, DOD Instruction
              5000.02, January 23, 2020. The rapid prototyping pathway is to use innovative
              technologies to rapidly develop fieldable prototypes to demonstrate new capabilities and
              meet emerging needs. The objective of a rapid prototyping program is to field a prototype
              in an operational environment and provide for a residual operational capability within 5
              years of the development of an approved requirement.

              2 The DevSecOps concept of software development emphasizes rapid prototyping,
              security, and continuous integration and delivery of software products.

              3 LevelUP software factory is the Air Force’s centralized team for developing cyber
              capability using a DevSecOps method. The Defense Science Board defines software
              factories as a set of software tools programmers use to write their code, confirm it meets
              requirements, collaborate with members of the programming team, and automatically
              build, test, and document their progress. This type of software production is intended to
              result in more rapid and continuous iteration, enabling greater flexibility as requirements
              change.




Table 2: Unified Platform Acquisition Status

Procuring service                               Air Force
Vendor                                          Unified Platform relies on a variety of government and contractor personnel leveraging the Air
                                                Force’s cyber software factory to develop the system.a
Contracting strategy                            Unified Platform uses multiple contracts and multiple contract types to acquire required expertise,
                                                labor, and tools to accomplish government-led development efforts, rather than relying on a
                                                contractor for systems development.
Next event                                      Program increment 7 is planned to formally conclude in October 2020.
Source: Department of Defense (DOD) officials and GAO review of DOD documentation. │ GAO-21-68
a The Defense Science Board defines software factories as a set of software tools programmers use
to write their code, confirm it meets requirements, collaborate with members of the programming
team, and automatically build, test, and document their progress.


                                                             Joint Cyber Command and Control–decision making. The Air Force,
                                                             as Executive Agent, initiated this program in 2017, but it has not yet
                                                             formally entered the acquisition lifecycle. Program officials expect the
                                                             program to follow the Software Acquisition Pathway. According to
                                                             program officials, the program has sustained and delivered multiple
                                                             systems while the majority of the Joint Cyber Command and Control
                                                             system development efforts will begin during fiscal year 2021 when the
                                                             program’s available funding increases. Air Force officials stated that the
                                                             program is currently leveraging existing technology development efforts,
                                                             such as the DOD Strategic Capabilities Office’s Project IKE—a prototype
                                                             for cyber situational awareness.

                                                             Joint Cyber Command and Control is using the same DevSecOps
                                                             approach to development as Unified Platform and is also relying on the
                                                             LevelUP software factory. Officials stated that they are using this
                                                             approach to help synchronize development between Joint Cyber
                                                             Command and Control and Unified Platform.

Table 3: Joint Cyber Command and Control Acquisition Status

Procuring service                               Air Force
Vendor                                          Joint Cyber Command and Control uses a variety of government and contractor personnel
                                                leveraging the same software factory as Unified Platform to develop the system.
Contracting strategy                            Joint Cyber Command and Control uses multiple contracts and multiple contract types to acquire
                                                required expertise, labor, and tools to accomplish government-led development efforts, rather
                                                than relying on a contractor for systems development.
Next event                                      According to DOD officials, the program plans to enter the software acquisition pathway in the
                                                fourth quarter of fiscal year 2020.
Source: Department of Defense (DOD) officials and GAO review of DOD documentation. │ GAO-21-68








                                                             Persistent Cyber Training Environment–training, assessment, and
                                                             mission rehearsal. The Army initiated this program in 2016 pursuant to a
                                                             prior iteration of DOD Instruction 5000.02. The program achieved
                                                             Milestone B to enter system development in December 2019. The
                                                             program is using an Agile approach to software development that
                                                             releases incremental software upgrades based on user feedback from
                                                             across the services. Additionally, different contractor or government
                                                             teams can develop individual training modules and content that they
                                                             share with other system users.

Table 4: Persistent Cyber Training Environment Acquisition Status

Procuring service                               Army
Vendor                                          Persistent Cyber Training Environment uses multiple vendors while the government acts as the
                                                system integrator to coordinate the integration of different vendor capabilities.
Contracting strategy                            Persistent Cyber Training Environment uses diverse contract vehicles to acquire required expertise
                                                and tools. For example, the program has used Other Transactions and other contracts, but will add
                                                an indefinite delivery/indefinite quantity contract with its Cyber TRIDENT contract award.
Next event                                      Cyber TRIDENT contract award planned for the second quarter of fiscal year 2021.
Source: Department of Defense (DOD) officials and GAO review of DOD documentation. │ GAO-21-68



                                                             Joint Common Access Platform–mission enablement. The Army is
                                                             the lead for this program, which DOD formally initiated in May 2020. DOD
                                                             officials stated that, when the system enters the acquisition lifecycle they
                                                             expect to follow the major capabilities pathway, but are also considering
                                                             the Software Acquisition Pathway. The program is likely to leverage and
                                                             enhance existing programs, with the intent of incorporating “best of breed”
                                                             components.

Cyber Tools and Sensors–operations and situational awareness. Cyber Tools and Sensors is a category describing multiple acquisition efforts ranging from technology development efforts to application of existing technologies. The services and Cyber Command are responsible for procuring tools and sensors to meet their mission needs.




Appendix II: Comments from the Department of Defense




Appendix III: GAO Contact and Staff Acknowledgments

GAO Contact
W. William Russell at (202) 512-4841 or russellw@gao.gov.

Staff Acknowledgments
In addition to the contact named above, Raj Chitikila, Assistant Director; Brandon Booth; Virginia Chanley; Burns C. Eckert (Analyst-in-Charge); Brian Fersch; Lori Fields; Laura Greifner; Jordan Kudrna; Christine Pecora; and Jessica Waselkow made key contributions to this report.




(103881)
GAO’s Mission
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.

Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO
Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Subscribe to our RSS Feeds or Email Updates. Listen to our Podcasts. Visit GAO on the web at https://www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/fraudnet/fraudnet.htm
Automated answering system: (800) 424-5454 or (202) 512-7700

Congressional Relations
Orice Williams Brown, Managing Director, WilliamsO@gao.gov, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548

Strategic Planning and External Liaison
Stephen J. Sanford, Acting Managing Director, spel@gao.gov, (202) 512-4707 U.S. Government Accountability Office, 441 G Street NW, Room 7814, Washington, DC 20548



