What We Found
Agencies have made some progress towards ensuring the effective protection of technologies, but several areas remain unaddressed, including improved interagency coordination.
Since our 2019 High-Risk Report, overall ratings for the five criteria remain unchanged, but we restructured our assessment of this area from two segments to one to better align with current federal efforts.
Specifically, we incorporated actions taken to implement export control reforms—previously its own segment—into the discussion of other federal agencies’ protection efforts. We also focused primarily on the Department of Defense’s (DOD) efforts to identify critical acquisition programs and technologies and how this information is shared with other federal agencies to inform their protection efforts.
Leadership commitment: partially met. In October 2018, the Secretary of Defense formed the Protecting Critical Technology Task Force (task force) to, in part, improve DOD’s process for developing and annually updating a list of acquisition programs, technologies, manufacturing capabilities, and research areas that are critical for maintaining a national security technological advantage of the United States over foreign countries of special concern.
Task force officials stated that the list, which DOD is required to establish and maintain in response to the John S. McCain National Defense Authorization Act for Fiscal Year 2019, will help inform government protection programs.
The task force reports directly to the Deputy Secretary of Defense and Vice Chairman of the Joint Chiefs of Staff. As of December 2020, though, DOD had not designated an organization that will assume responsibility for developing the list and overseeing protection efforts once the task force disbands in 2021. In January 2021, we recommended that DOD designate an organization to take over this responsibility to ensure that DOD’s current efforts to protect critical technologies do not stall. DOD partially concurred with this recommendation noting that it has not decided on an oversight mechanism, but recognizes the need for department-wide collaborative efforts to protect critical technologies.
In October 2020, the White House released its National Strategy for Critical and Emerging Technologies, which outlines the administration’s approach to protecting critical technologies as well as promoting investment and innovation. The strategy, which was developed by the National Security Council, encourages unity of effort across federal agencies and identifies 20 technology areas as critical and emerging, including artificial intelligence, biotechnologies, and space technologies.
The strategy further outlines the types of activities the U.S., with its allies and partners, should consider to maintain world leadership in these areas. According to DOD officials, DOD organizations—including the task force—and other federal agencies are expected to coordinate on how they will implement the strategy.
The Foreign Investment Risk Review Modernization Act of 2018 strengthened and modernized the activities of the Committee on Foreign Investment in the U.S., in part, by expanding the scope of covered transactions, increasing the time allowed to review a transaction, and granting special hiring authorities.
Capacity: partially met. DOD is assigning mandatory protection measures to the critical acquisition programs and technologies identified through the task force’s revised process.
However, DOD officials stated that the cost of implementing the protection measures has not been determined and will have to be balanced against competing funding demands. This determination could affect DOD’s ability to fully implement these protection measures as intended. We plan to monitor DOD’s efforts to implement protection measures.
Additionally, in 2018 we recommended that the Department of the Treasury (Treasury) coordinate with member agencies to better understand the workforce necessary to handle the Committee on Foreign Investment in the United States’ increasing workload. We also recommended that DOD identify the resources needed, among other things, to implement the National Industrial Security Program’s new piloted approach for overseeing contractors with access to classified material.
As of December 2020, Treasury has not addressed our recommendation while DOD has taken some action. Specifically, in 2019 DOD centralized its oversight of contractors with facilities that do not store classified materials. This has reduced the burden on field-based industrial security representatives and created an opportunity for the representatives to better address risk and communications with contractors that store classified information at their facilities. We will continue monitoring these efforts, especially since the Foreign Investment Risk Review Modernization Act provides some tools for Treasury and DOD to address workforce needs.
Action plan: partially met. The task force has outlined a revised four-step process to identify, communicate, protect, assess, and oversee DOD’s critical acquisition programs and technologies. For example, it provided guidance and instructions to DOD components on how to identify and prioritize their critical acquisition programs and technologies, as well as protection measures that should be implemented.
However, the task force has not provided direction to DOD components on how to share the annual critical acquisition programs and technologies list effectively across the department and with other federal agencies. In January 2021, we recommended that DOD determine a process for communicating its future critical acquisition programs and technologies lists to all relevant DOD organizations and federal agencies. DOD concurred with this recommendation noting that disseminating its critical acquisition programs and technologies list is key to the department’s efforts to protect critical technologies.
In addition, according to DOD officials, agencies involved in developing the White House’s National Strategy for Critical and Emerging Technologies will be identifying steps to implement the strategy. We will monitor DOD and other agencies’ implementation efforts moving forward.
Related to export controls, the Departments of State and Commerce implemented a recommendation we made in March 2019 by establishing a Memorandum of Understanding between the two agencies to share information from their respective watch lists to facilitate screening export license applications, including those for certain firearms.
In May 2020 we reported that universities raised concern that guidance and outreach from the Departments of State and Commerce did not adequately address university-specific export compliance issues. In addition, we noted that the universities’ perception that DOD misunderstands what constitutes fundamental research could potentially hinder universities’ abilities to conduct research for DOD.
All three agencies concurred with recommendations to update guidance or increase awareness to address these issues but have not yet taken action to implement them. Additionally, the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 amended a provision of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 requiring DOD to establish an initiative to work with institutions of higher education that, among others, perform defense research and engineering activities to support the protection of information about critical technologies relevant to national security.
Monitoring: partially met. DOD’s task force established time frames for implementing its revised four-step process to identify and protect its critical programs and technologies. However, the task force has not yet established metrics to assess the sufficiency of its protection measures.
In January 2021, we recommended that DOD develop and periodically review appropriate metrics to assess the implementation and sufficiency of protection efforts that would enable programs to assess their own protection efforts, and allow military departments or the Office of the Under Secretary of Defense to assess protection efforts more broadly. DOD partially concurred with this recommendation noting that it is considering future technology protection roles and responsibilities that may include establishing metrics to ensure effective implementation of protection requirements across the department.
Additionally, DOD has not implemented a recommendation we made in 2017 to measure progress and develop corresponding metrics related to changes to policies and procedures supporting the anti-tamper program. This program establishes methods, such as encryption and hardware protective coatings, to help delay the exploitation of technologies lost on the battlefield.
Demonstrated progress: partially met. Agencies have taken steps to improve their respective protection program over the past 2 years, but collective coordination of protection efforts across the agencies involved still needs improvement. Among the steps taken, the Departments of State and Commerce established a Memorandum of Understanding to share their watch lists. In addition, Treasury updated information on its website in March 2018 in response to our recommendation to clarify the requirement for geographic coordinates when filing a transaction with the Committee on Foreign Investment in the U.S to better identify potential national security concerns.
DOD’s actions to develop and maintain a list of its critical acquisition programs and technologies are intended to inform interagency protection efforts as well as offer an opportunity to demonstrate progress on information sharing and coordination across the federal agencies.
DOD spends billions of dollars each year to develop and acquire technologies that provide an advantage for the warfighter. Many of these technologies are also sold or transferred to promote U.S. economic, foreign policy, and national security interests. Foreign entities can also acquire these technologies through investment in the U.S. companies that develop or manufacture them. In addition, they are targets for unauthorized transfer, such as theft, espionage, reverse engineering, and illegal export.
The U.S. government has a number of programs and activities to identify and protect technologies critical to U.S. interests. These include export controls—those developed to regulate exports that are transferred to foreign parties consistent with U.S. interests—as well as other activities, including anti-tamper policies, the National Industrial Security Program, and the Committee on Foreign Investment in the United States.
These programs and activities are administered by multiple federal agencies, including DOD—the only agency with a role in each of those we identified—and the Departments of Commerce, Homeland Security, Justice, State, and the Treasury. We first designated this area high risk in 2007 and continue to do so given the fragmented nature of these initiatives and lack of communication across the federal agencies involved.
The need for action remains across the agencies and within the protection programs. Addressing recommendations we made in January 2021 aimed at strengthening DOD’s efforts to protect its critical technologies and improving coordination among the agencies responsible for programs designed to protect technologies critical to national security could lead to improvements in each of the criteria above. In particular, DOD should
- designate the DOD organization that will be responsible for overseeing the department’s protection efforts;
- provide direction to the DOD components for communicating DOD’s critical acquisition programs and technologies list to other federal agencies; and
- implement protection measures associated with DOD’s revised efforts and establish measurable metrics to monitor the sufficiency of these efforts.
To strengthen agency protection programs, agencies should
- address resource issues in the Committee on Foreign Investment in the United States; and
- follow up on data collection and tracking recommendations for the anti-tamper program.