Defense Acquisitions:

Departmentwide Direction Is Needed for Implementation of the Anti-tamper Policy

GAO-08-91: Published: Jan 11, 2008. Publicly Released: Jan 11, 2008.

Additional Materials:


Belva M. Martin
(202) 512-3000


Office of Public Affairs
(202) 512-4800

The Department of Defense (DOD) invests billions of dollars on sophisticated weapon systems and technologies. These may be at risk of exploitation when exported, stolen, or lost during combat or routine missions. In an effort to minimize this risk, DOD developed an anti-tamper policy in 1999, calling for DOD components to implement anti-tamper techniques for critical technologies. In March 2004, GAO reported that program managers had difficulties implementing this policy, including identifying critical technologies. This follow-up report (1) describes recent actions DOD has taken to implement its anti-tamper policy and (2) identifies challenges facing program managers. GAO reviewed documentation on actions DOD has taken since 2004 to implement its anti-tamper policy, and interviewed officials from the Anti-Tamper Executive Agent's Office, the military services, other DOD components, and a cross-section of program offices.

Since 2004, DOD has taken several actions to raise awareness about anti-tamper protection and develop resources that provide program managers with general information on its anti-tamper policy. These actions include developing a Web site with anti-tamper information and events, establishing an online learning module on anti-tamper protection, and sponsoring research on generic anti-tamper techniques. However, DOD lacks departmentwide direction for implementation of its anti-tamper policy. Without such direction, individual DOD components are left on their own to develop initiatives. For example, the Navy is developing a database that is intended to provide a horizontal view of what DOD components have identified as critical program information. While many officials we spoke with pointed to this database as a potential tool for identifying critical technologies that may need anti-tamper protection, the database is currently incomplete. Specifically, the Missile Defense Agency is not providing information because its information is classified at a level above what the database can support. Also, the Air Force is not currently providing information because not all commands have provided consent to participate. At the same time, program managers face challenges implementing DOD's anti-tamper policy--due largely to a lack of information or tools needed to make informed assessments at key decision points. First, program managers have limited information for defining what is critical or insight into what technologies other programs have deemed critical to ensure similar protection across programs. Determining whether technologies are critical is largely left to the discretion of the individual program manager, resulting in an uncoordinated and stove piped process. Therefore, the same technology can be identified as critical in one program office but not another. Second, program managers have not always had sufficient or consistent information from the intelligence community to identify threats and vulnerabilities to technologies that have been identified as critical. The potential impact of inconsistent threat assessments is twofold: If the threat is deemed to be low but is actually high, the technology is susceptible to tampering; conversely, if the threat is deemed to be high and is actually low, an anti-tamper solution is more robust than needed. Finally, program managers have had difficulty selecting sufficient anti-tamper solutions--in part because they lack information and tools, such as risk and cost-estimating models, to determine how much anti-tamper protection is needed. As a result, program managers may select a suboptimal solution. Given these combined challenges, there is an increased risk that some technologies that need protection may not be identified or may not have sufficient protection.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: DOD has efforts underway to implement this recommendation. Specifically, DOD is developing a manual, DOD 5200.39-M, "Procedures for Critical Program Information within the DOD" that is intended to guide implementation of policies and procedures for identifying and protecting critical program information which includes critical technologies. The manual is to include guidance for carrying out DOD's anti-tamper policy, among other things. DOD estimates the manual will be completed by October 2013.

    Recommendation: As DOD examines its policies for protecting critical assets, the Secretary of Defense should direct the Under Secretary of Acquisition, Technology, and Logistics, in coordination with the Anti-Tamper Executive Agent and the Under Secretary of Defense for Intelligence, to issue or be involved in developing and providing departmentwide direction for application of its anti-tamper policy that prescribes how to carry out the policy and establishes definitions for critical program information and critical technologies.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: DOD has provided additional tools to assist program managers in the anti-tamper decision process. DOD issued Anti-Tamper Guidelines for program managers and developed a two-day anti-tamper short course. The short course provides information for specifying, designing, and evaluating anti-tamper technology as well as information on anti-tamper design milestones and their relationship to the acquisition cycle.

    Recommendation: To help ensure the effectiveness of anti-tamper implementation, the Secretary of Defense should direct the Anti-Tamper Executive Agent to identify and provide additional tools to assist program managers in the anti-tamper decision process.

    Agency Affected: Department of Defense


Explore the full database of GAO's Open Recommendations »

Looking for more? Browse all our products here