Defense Acquisitions:

DOD Needs to Better Support Program Managers' Implementation of Anti-Tamper Protection

GAO-04-302: Published: Mar 31, 2004. Publicly Released: Mar 31, 2004.

Additional Materials:

Contact:

Anne Marie F. Lasowski
(202) 512-4841
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The U.S. government has invested hundreds of billions of dollars in developing the most sophisticated weapon systems and technologies in the world. Yet, U.S. weapons and technologies are vulnerable to exploitation, which can weaken U.S. military advantage, shorten the expected combat life of a system, and erode the U.S. industrial base's technological competitiveness. In an effort to protect U.S. technologies from exploitation, the Department of Defense (DOD) established in 1999 a policy directing each military service to implement anti-tamper techniques, which include software and hardware protective devices. This report reviews DOD's implementation of the anti-tamper policy as required by the Senate report accompanying the National Defense Authorization Act for Fiscal Year 2004.

Program managers have encountered difficulties in implementing DOD's anti-tamper policy on individual weapon systems. First, defining a critical technology--a basis for determining the need for anti-tamper--is subjective, which can result in different conclusions regarding what needs anti-tamper protection. While different organizations can check on program managers' assessments, no organization has complete information or visibility across all programs. Some program managers said they needed assistance in determining which technologies were critical, but resources to help them were limited or unknown and therefore not requested. Second, anti-tamper protection is treated as an added requirement and can affect a program's cost and schedule objectives, particularly if the program is further along in the acquisition process. Programs GAO contacted experienced or estimated cost increases, and some encountered schedule delays when applying antitamper protection. Officials from one program stated that their existing budget was insufficient to cover the added cost of applying anti-tamper protection and that they were waiting for separate funding before attempting to apply such protection. Finally, anti-tamper techniques can be technically difficult to incorporate in some weapon systems--particularly when the techniques are not fully developed or when the systems are already in design or production. One program that had difficulty incorporating the techniques resorted to alternatives that provided less security. While DOD is overseeing the development of generic anti-tamper techniques and tools to help program managers, many of these efforts are still in progress, and program managers ultimately have to design and incorporate techniques needed for their unique systems.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To maximize the return on investment of DOD's anti-tamper technology efforts, the Secretary of Defense should direct the Executive Agent to monitor the value of developing generic anti-tamper techniques and evaluate the effectiveness of the tools, once deployed, in assisting program managers to identify and apply techniques on individual programs.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DOD has not implemented this recommendation. While the department did fund a study on anti-tamper techniques and general effectiveness, it was a one time snapshot rather than a tool to monitor these items on an ongoing basis.

    Recommendation: To help minimize the impact to program cost and schedule objectives, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics to work with program managers to ensure that the cost and techniques needed to implement anti-tamper protection are identified early in a system's life cycle and to reflect that practice in guidance and decisions.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: In July 2008, DOD issued DOD Instruction 5200.39 which establishes policy for the protection of critical program information. The instruction assigns responsibilities to offices within DOD to establish procedures to identify critical program information early in the technology development and acquisition process and initiate protection of critical program information from the point of identification.

    Recommendation: To better support program managers in the identification of critical technologies, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics, in coordination with the Executive Agent and the focal points, to (1) continue to identify available anti-tamper technical resources, (2) issue updated policy identifying roles and responsibilities of the technical support organizations, and (3) work with training organizations to ensure training includes practical information on how to identify critical technologies.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: In July 2008, DOD issued DOD Instruction 5200.39 which establishes policy for the protection of critical program information. The instruction assigns responsibilities to offices within DOD to require appropriate training for personnel regarding the identification and protection of critical program information.

    Recommendation: To better oversee identification of critical technologies for all programs subject to the anti-tamper policy, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics, in coordination with the Executive Agent and the focal points, to (1) collect from program managers information they are to develop on critical technology identification and (2) appoint appropriate technical experts to centrally review the technologies identified for consistency across programs and services.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: In July 2008, DOD issued DOD Instruction 5200.39 which establishes policy for the protection of critical program information. The instruction assigns responsibilities to offices within DOD to establish a database and procedures to record and track critical program information for horizontal protection.

    Recommendation: To ensure successful implementation of the anti-tamper policy, the Secretary of Defense should direct the Under Secretary for Acquisition, Technology, and Logistics to develop a business case that determines whether the current organizational structure and resources are adequate to implement anti-tamper protection and if not, what other actions are needed to mitigate the risk of compromise of critical technologies.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DOD has not developed a business case as recommended. Instead, the department uses the normal DoD budget development process as a means to monitor the funding of anti-tamper initiatives.

    Jul 17, 2014

    Jul 14, 2014

    Jul 11, 2014

    Jul 9, 2014

    Jul 8, 2014

    Jun 30, 2014

    Jun 26, 2014

    Looking for more? Browse all our products here