Defense Acquisitions:

DOD Needs to Better Support Program Managers' Implementation of Anti-Tamper Protection

GAO-04-302: Published: Mar 31, 2004. Publicly Released: Mar 31, 2004.

Additional Materials:

Contact:

Anne Marie F. Lasowski
(202) 512-4841
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The U.S. government has invested hundreds of billions of dollars in developing the most sophisticated weapon systems and technologies in the world. Yet, U.S. weapons and technologies are vulnerable to exploitation, which can weaken U.S. military advantage, shorten the expected combat life of a system, and erode the U.S. industrial base's technological competitiveness. In an effort to protect U.S. technologies from exploitation, the Department of Defense (DOD) established in 1999 a policy directing each military service to implement anti-tamper techniques, which include software and hardware protective devices. This report reviews DOD's implementation of the anti-tamper policy as required by the Senate report accompanying the National Defense Authorization Act for Fiscal Year 2004.

Program managers have encountered difficulties in implementing DOD's anti-tamper policy on individual weapon systems. First, defining a critical technology--a basis for determining the need for anti-tamper--is subjective, which can result in different conclusions regarding what needs anti-tamper protection. While different organizations can check on program managers' assessments, no organization has complete information or visibility across all programs. Some program managers said they needed assistance in determining which technologies were critical, but resources to help them were limited or unknown and therefore not requested. Second, anti-tamper protection is treated as an added requirement and can affect a program's cost and schedule objectives, particularly if the program is further along in the acquisition process. Programs GAO contacted experienced or estimated cost increases, and some encountered schedule delays when applying antitamper protection. Officials from one program stated that their existing budget was insufficient to cover the added cost of applying anti-tamper protection and that they were waiting for separate funding before attempting to apply such protection. Finally, anti-tamper techniques can be technically difficult to incorporate in some weapon systems--particularly when the techniques are not fully developed or when the systems are already in design or production. One program that had difficulty incorporating the techniques resorted to alternatives that provided less security. While DOD is overseeing the development of generic anti-tamper techniques and tools to help program managers, many of these efforts are still in progress, and program managers ultimately have to design and incorporate techniques needed for their unique systems.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In July 2008, DOD issued DOD Instruction 5200.39 which establishes policy for the protection of critical program information. The instruction assigns responsibilities to offices within DOD to establish a database and procedures to record and track critical program information for horizontal protection.

    Recommendation: To better oversee identification of critical technologies for all programs subject to the anti-tamper policy, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics, in coordination with the Executive Agent and the focal points, to (1) collect from program managers information they are to develop on critical technology identification and (2) appoint appropriate technical experts to centrally review the technologies identified for consistency across programs and services.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: In July 2008, DOD issued DOD Instruction 5200.39 which establishes policy for the protection of critical program information. The instruction assigns responsibilities to offices within DOD to require appropriate training for personnel regarding the identification and protection of critical program information.

    Recommendation: To better support program managers in the identification of critical technologies, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics, in coordination with the Executive Agent and the focal points, to (1) continue to identify available anti-tamper technical resources, (2) issue updated policy identifying roles and responsibilities of the technical support organizations, and (3) work with training organizations to ensure training includes practical information on how to identify critical technologies.

    Agency Affected: Department of Defense

  3. Status: Closed - Implemented

    Comments: In July 2008, DOD issued DOD Instruction 5200.39 which establishes policy for the protection of critical program information. The instruction assigns responsibilities to offices within DOD to establish procedures to identify critical program information early in the technology development and acquisition process and initiate protection of critical program information from the point of identification.

    Recommendation: To help minimize the impact to program cost and schedule objectives, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics to work with program managers to ensure that the cost and techniques needed to implement anti-tamper protection are identified early in a system's life cycle and to reflect that practice in guidance and decisions.

    Agency Affected: Department of Defense

  4. Status: Closed - Not Implemented

    Comments: DOD has not implemented this recommendation. While the department did fund a study on anti-tamper techniques and general effectiveness, it was a one time snapshot rather than a tool to monitor these items on an ongoing basis.

    Recommendation: To maximize the return on investment of DOD's anti-tamper technology efforts, the Secretary of Defense should direct the Executive Agent to monitor the value of developing generic anti-tamper techniques and evaluate the effectiveness of the tools, once deployed, in assisting program managers to identify and apply techniques on individual programs.

    Agency Affected: Department of Defense

  5. Status: Closed - Not Implemented

    Comments: DOD has not developed a business case as recommended. Instead, the department uses the normal DoD budget development process as a means to monitor the funding of anti-tamper initiatives.

    Recommendation: To ensure successful implementation of the anti-tamper policy, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics to develop a business case that determines whether the current organizational structure and resources are adequate to implement anti-tamper protection and if not, what other actions are needed to mitigate the risk of compromise of critical technologies.

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Feb 24, 2021

Feb 22, 2021

Jan 21, 2021

Jan 19, 2021

Jan 14, 2021

Jan 12, 2021

Dec 10, 2020

Dec 2, 2020

Looking for more? Browse all our products here