Defense Acquisitions:
DOD Needs to Better Support Program Managers' Implementation of Anti-Tamper Protection
GAO-04-302: Published: Mar 31, 2004. Publicly Released: Mar 31, 2004.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Text:
Contact:
(202) 512-4841
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
The U.S. government has invested hundreds of billions of dollars in developing the most sophisticated weapon systems and technologies in the world. Yet, U.S. weapons and technologies are vulnerable to exploitation, which can weaken U.S. military advantage, shorten the expected combat life of a system, and erode the U.S. industrial base's technological competitiveness. In an effort to protect U.S. technologies from exploitation, the Department of Defense (DOD) established in 1999 a policy directing each military service to implement anti-tamper techniques, which include software and hardware protective devices. This report reviews DOD's implementation of the anti-tamper policy as required by the Senate report accompanying the National Defense Authorization Act for Fiscal Year 2004.
Program managers have encountered difficulties in implementing DOD's anti-tamper policy on individual weapon systems. First, defining a critical technology--a basis for determining the need for anti-tamper--is subjective, which can result in different conclusions regarding what needs anti-tamper protection. While different organizations can check on program managers' assessments, no organization has complete information or visibility across all programs. Some program managers said they needed assistance in determining which technologies were critical, but resources to help them were limited or unknown and therefore not requested. Second, anti-tamper protection is treated as an added requirement and can affect a program's cost and schedule objectives, particularly if the program is further along in the acquisition process. Programs GAO contacted experienced or estimated cost increases, and some encountered schedule delays when applying antitamper protection. Officials from one program stated that their existing budget was insufficient to cover the added cost of applying anti-tamper protection and that they were waiting for separate funding before attempting to apply such protection. Finally, anti-tamper techniques can be technically difficult to incorporate in some weapon systems--particularly when the techniques are not fully developed or when the systems are already in design or production. One program that had difficulty incorporating the techniques resorted to alternatives that provided less security. While DOD is overseeing the development of generic anti-tamper techniques and tools to help program managers, many of these efforts are still in progress, and program managers ultimately have to design and incorporate techniques needed for their unique systems.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In July 2008, DOD issued DOD Instruction 5200.39 which establishes policy for the protection of critical program information. The instruction assigns responsibilities to offices within DOD to establish a database and procedures to record and track critical program information for horizontal protection.
Recommendation: To better oversee identification of critical technologies for all programs subject to the anti-tamper policy, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics, in coordination with the Executive Agent and the focal points, to (1) collect from program managers information they are to develop on critical technology identification and (2) appoint appropriate technical experts to centrally review the technologies identified for consistency across programs and services.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: In July 2008, DOD issued DOD Instruction 5200.39 which establishes policy for the protection of critical program information. The instruction assigns responsibilities to offices within DOD to require appropriate training for personnel regarding the identification and protection of critical program information.
Recommendation: To better support program managers in the identification of critical technologies, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics, in coordination with the Executive Agent and the focal points, to (1) continue to identify available anti-tamper technical resources, (2) issue updated policy identifying roles and responsibilities of the technical support organizations, and (3) work with training organizations to ensure training includes practical information on how to identify critical technologies.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: In July 2008, DOD issued DOD Instruction 5200.39 which establishes policy for the protection of critical program information. The instruction assigns responsibilities to offices within DOD to establish procedures to identify critical program information early in the technology development and acquisition process and initiate protection of critical program information from the point of identification.
Recommendation: To help minimize the impact to program cost and schedule objectives, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics to work with program managers to ensure that the cost and techniques needed to implement anti-tamper protection are identified early in a system's life cycle and to reflect that practice in guidance and decisions.
Agency Affected: Department of Defense
Status: Closed - Not Implemented
Comments: DOD has not implemented this recommendation. While the department did fund a study on anti-tamper techniques and general effectiveness, it was a one time snapshot rather than a tool to monitor these items on an ongoing basis.
Recommendation: To maximize the return on investment of DOD's anti-tamper technology efforts, the Secretary of Defense should direct the Executive Agent to monitor the value of developing generic anti-tamper techniques and evaluate the effectiveness of the tools, once deployed, in assisting program managers to identify and apply techniques on individual programs.
Agency Affected: Department of Defense
Status: Closed - Not Implemented
Comments: DOD has not developed a business case as recommended. Instead, the department uses the normal DoD budget development process as a means to monitor the funding of anti-tamper initiatives.
Recommendation: To ensure successful implementation of the anti-tamper policy, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics to develop a business case that determines whether the current organizational structure and resources are adequate to implement anti-tamper protection and if not, what other actions are needed to mitigate the risk of compromise of critical technologies.
Agency Affected: Department of Defense
Explore the full database of GAO's Open Recommendations
»
Feb 24, 2021
-
Defense Budget:
Opportunities Exist to Improve DOD's Management of Defense SpendingGAO-21-415T: Published: Feb 24, 2021. Publicly Released: Feb 24, 2021.
Feb 22, 2021
-
Service Acquisitions:
DOD's Report to Congress Identifies Steps Taken to Improve Management, But Does Not Address Some Key Planning IssuesGAO-21-267R: Published: Feb 22, 2021. Publicly Released: Feb 22, 2021.
Jan 21, 2021
-
Close Air Support:
Actions Needed to Enhance Friendly Force Tracking Capabilities and Fully Evaluate TrainingGAO-21-99: Published: Jan 21, 2021. Publicly Released: Jan 21, 2021.
Jan 19, 2021
-
GPS Modernization:
DOD Continuing to Develop New Jam-Resistant Capability, But Widespread Use Remains Years AwayGAO-21-145: Published: Jan 19, 2021. Publicly Released: Jan 19, 2021.
Jan 14, 2021
-
Columbia Class Submarine:
Delivery Hinges on Timely and Quality Materials from an Atrophied Supplier BaseGAO-21-257: Published: Jan 14, 2021. Publicly Released: Jan 14, 2021. -
Department of Defense:
Actions Needed to Improve Accounting of Intradepartmental TransactionsGAO-21-84: Published: Jan 14, 2021. Publicly Released: Jan 14, 2021.
Jan 12, 2021
-
DOD Critical Technologies:
Plans for Communicating, Assessing, and Overseeing Protection Efforts Should Be CompletedGAO-21-158: Published: Jan 12, 2021. Publicly Released: Jan 12, 2021.
Dec 10, 2020
-
Climate Resilience:
DOD Coordinates with Communities, but Needs to Assess the Performance of Related Grant ProgramsGAO-21-46: Published: Dec 10, 2020. Publicly Released: Dec 10, 2020. -
Electromagnetic Spectrum Operations:
DOD Needs to Address Governance and Oversight Issues to Help Ensure SuperiorityGAO-21-64: Published: Dec 10, 2020. Publicly Released: Dec 10, 2020.
Dec 2, 2020
-
Navy and Marine Corps:
Services Continue Efforts to Rebuild Readiness, but Recovery Will Take Years and Sustained Management AttentionGAO-21-225T: Published: Dec 2, 2020. Publicly Released: Dec 2, 2020.
Looking for more? Browse all our products here