This update comes on the same day that the Government Accountability Office released a report that examines the Defense Innovation Unit’s effectiveness in identifying and fielding industry-built technologies at scale.

When DIU first launched in 2015, it was originally designed to help Defense Department components team with the commercial sector and harness cutting-edge tech at a faster and less costly rate than traditional government buying methods allowed at the time. The unit’s first phase, DIU 1.0, primarily focused on building a foundational bridge between DOD and the commercial tech sector. From there, the second phase was geared toward proving that the government’s innovation problems could be solved with private sector capabilities and prototyped quickly to meet military demands.

In February 2024, the unit’s chief Doug Beck publicly unveiled his team’s vision for “DIU 3.0”, the latest phase that places a sharp focus on scaling the organization’s efforts to help close the U.S. military’s most crucial capability gaps and support contemporary operations.

However, according to the findings in GAO’s 53-page congressionally mandated report, “DIU does not yet have clear insight into whether it is making progress to achieve its 3.0 strategic goal of helping DOD solve its most critical operational gaps.”

“This is because DIU does not have a complete performance management process to assess its results. In addition, DIU has not yet aligned the goals of NSIN and NSIC — DIU’s two new components — with the strategic goal for DIU 3.0,” officials wrote, using acronyms to refer to the National Security Innovation Network and National Security Innovation Capital.

NSIN and NSIC are mechanisms DIU uses to engage and support nontraditional defense partners. The two are being integrated and streamlined in the DIU 3.0 transition.

Watchdog officials conducted this performance audit from May 2023 to February 2025. Among a variety of steps to carry out the review, they reviewed heaps of documentation and guidance in the process, and analyzed DIU-provided data about prototype agreements awarded between fiscal 2016 and 2023.

“We met with a broad range of DIU and military department officials engaged in innovation efforts for the report. We had good dialog and helpful support from all,” GAO Director William Russell told DefenseScoop on Thursday.

This performance audit ultimately suggests that, although it’s been more than a year since DIU 3.0 was announced, the unit hasn’t set official standards or reporting measures to assess the workforce’s progress toward achieving this new strategic goal.

“The bottom line is DIU showed it can quickly prototype and deliver innovative commercial technologies to the warfighter under 2.0. As DIU focuses on 3.0 efforts to deliver technology at scale, setting performance goals and metrics can help its leaders better gauge progress and course correct as needed,” Russell said.

The organization’s timeline for that course correction was not immediately clear after the report was published, but Russell confirmed that “DIU and DOD agreed with all of the report’s recommendations and [GAO plans] to monitor efforts to implement them” moving forward.

A DIU spokesperson said over email that the unit’s leadership team welcomes GAO’s recommendations and “looks forward to meeting the new administration’s goals in providing new capabilities to the warfighter at both speed and scale.”

“Since the release of the DIU 3.0 strategy in late 2023, DIU has been implementing against the plan, formally integrating the NSIC and NSIN teams into a new Commercial Operations structure, embedding personnel into the Combatant Commands, re-evaluating current and future prototype projects in close partnership with the Services and other DoD components, establishing new bodies that help coordinate on DoD-wide innovation efforts like Replicator and the Defense Innovation Community of Entities that are designed to deliver critical capability fast while helping the Department build new muscle to do so again and again, and rethinking how we evaluate and measure successes on accelerating commercial technology into the DoD,” the spokesperson told DefenseScoop.

The post Watchdog spotlights need for clear metrics to assess DIU’s impacts as it matures appeared first on DefenseScoop.

Although SDA planned to validate the technology’s utility in Tranche 0 of the Proliferated Warfighter Space Architecture (PWSA), the agency “has not yet successfully demonstrated the full range of its laser communications technology in space using its new [optical communications terminal] standard” as of December 2024, the Government Accountability Office wrote in a new report published Wednesday. 

As a result, the watchdog is recommending that SDA complete testing of the “minimum viable product” for laser link technology before pursuing future efforts — otherwise the organization runs the risk of moving forward with the PWSA’s development without incorporating critical lessons learned.

On-orbit laser communications involves using optical communications terminals (OCTs) to transmitting data via laser links between satellites, as well as to receivers located on land, sea and in the air. The technology is considered to have several advantages over radio frequencies traditionally used by the Defense Department for communications, such as being able to send data faster and more securely.

Laser comms are central to SDA’s planned mega-constellation known as the PWSA, envisioned as hundreds of satellites stationed in low-Earth orbit that create a “mesh network” of data relay, missile warning and missile-tracking capabilities for the U.S. military. However, the agency has previously stated that proving out laser links will be a challenging technological hurdle — a fact also noted in GAO’s new report.

“[T]his technology is much more complex, and the Space Force is working with multiple vendors to develop it. Nevertheless, the number of vendors involved adds further complexity to the overall effort,” the document stated. “Among other things, the Space Force will need to ensure that different vendors’ satellite optical communications terminals (OCT), devices used to establish laser data transmission links, are able to communicate with each other.”

The watchdog noted that SDA has taken steps to prove the technology, such as developing a government OCT standard, conducting OCT laboratory tests and maturing various component capabilities. But overall, efforts to fully demonstrate space-based laser links on the agency’s experimental satellites known as Tranche 0 have not moved as quickly as expected, according to GAO. 

Delays have been largely attributed to supply chain challenges that pushed the constellation’s launch back by several months. SDA has also stalled in demonstrating laser links in orbit due to challenges in coordinating ground support and the agency’s prioritization of other technologies over laser communications, the report added.

“Specifically, as of December 2024, SDA reported that one of its four prime contractors in [Tranche 0] had demonstrated three of the eight planned laser communications capabilities while another contractor had demonstrated one of the eight capabilities,” GAO officials wrote. “The remaining two contractors have not yet achieved any planned capabilities.”

In January, York Space Systems and SpaceX announced they had successfully demonstrated a laser link connection between two of their Tranche 0 satellites. However, the GAO report emphasized that the two companies are using OCTs developed by the same subcontractor, meaning “SDA has yet to demonstrate a link between two OCT vendors in space as originally planned.”

Furthermore, the watchdog claims that the agency’s plans to launch the first operational batch of PWSA satellites — known as Tranche 1 — in the coming months without having fully demonstrated its enabling technology does not align with best practices for rapid delivery of complex tech.

Dubbed “spiral development,” SDA’s acquisition approach for the PWSA involves rapidly fielding systems through incremental “tranches” every two years, allowing for each phase to build upon previous iterations and ensuring warfighters are using the most advanced technology available.

“Our leading practices emphasize that prioritizing schedule — as SDA has done — and using an iterative development approach can support delivering products with speed to users,” the report stated. “However, our leading practices also note that speed cannot come at the cost of demonstrating critical capability.”

The watchdog noted SDA still intends to demonstrate a Tranche 0 mesh network before it launches Tranche 1 — although the agency will test only some of the capabilities it originally planned. At the same time, the report highlighted that SDA’s goal to dramatically increase both the number of PWSA satellites in orbit and the complexity of their capabilities could be compromised if the agency doesn’t have demonstrated success from previous tranches. 

“Since [Tranche 1] and [Tranche 2] are already in development, SDA may have limited opportunities to incorporate required design changes into those designs,” officials wrote. “Incorporating design changes in those tranches could potentially delay capability, meaning that laser communications capability required to support multiple DOD missions may not be available for the warfighter as planned.”

GAO said the Pentagon has concurred with the four recommendations in the report, but added that the department “believes it is already implementing our recommendations” — a position the watchdog disagreed with.

“The evidence presented throughout our draft and final report supports our view that SDA is not already taking the actions we recommend. We continue to believe SDA would benefit from taking steps aimed at implementing our recommendations,” GAO concluded.

The report’s release comes after weeks of controversy surrounding the Space Development Agency, which is currently having its semi-independent acquisition authority being reviewed by the Pentagon, according to a report from Breaking Defense. At the same time, the Department of the Air Force has placed SDA Director Derek Tournear on administrative investigative leave following a bid protest that has since prompted the agency to re-compete one of the PWSA’s contracts.

The post GAO: Space Development Agency has not matured important laser link technology appeared first on DefenseScoop.

According to a new report from the Government Accountability Office (GAO), the department cannot completely pinpoint who all is part of its AI workforce or which positions demand AI-specific skill sets at this time, which also makes it impossible to fully grasp the current state of its AI staff or conduct effective future-planning that’s required.

“Since 2018, DOD has made organizational changes and is investing billions of dollars to incorporate AI technology into its operations. [The Chief Digital and AI Office, or CDAO] and other staff offices within the Office of the Secretary of Defense have taken some steps to define and identify DOD’s AI workforce. However, DOD has not formally assigned responsibility and does not have a timeline for completing the additional steps required to fully define and identify its AI workforce, such as coding the work roles in various workforce data systems, developing a qualification program, updating workforce guidance, and any other actions DOD may identify,” officials wrote in the report.

They further state that “DOD’s Human Capital Operating Plan is not fully consistent with its Agency Strategic Plan and Annual Performance Plan as it relates to AI workforce issues.” As a result, implementation could potentially vary across components.

The government watchdog conducted this performance audit from January 2022 to December 2023, based on a provision in the House report accompanying the fiscal 2022 National Defense Authorization Act that explicitly required it to review DOD’s AI workforce. 

Pointing to some of the agency’s past research, GAO officials note in this latest report that “DOD is currently pursuing AI capabilities for warfighting that largely focus on (1) recognizing targets through intelligence and surveillance analysis, (2) providing recommendations to operators on the battlefield (such as where to move troops or which weapon is best positioned to respond to a threat), and (3) increasing the autonomy of uncrewed systems.”

Some potential forthcoming uses for the department, they also note, include “fusing data to provide a common operating picture on the battlefield; supporting semi-autonomous and autonomous vehicles; and operating lethal autonomous weapon systems.”

The Pentagon did identify certain military and civilian occupations (like computer scientists) that execute on AI work for defense purposes. Via their audit, GAO’s analysts also verified that DOD has developed specific AI work roles — or “specialized sets of tasks and functions requiring specific knowledge, skills, and abilities.” 

Among other results, though, GAO also found that Pentagon leadership has “not assigned responsibility to the organizations necessary” to complete specific additional steps that are “required to define and identify its AI workforce” — like coding the work roles in various workforce data systems and updating guidance — or a timeline to address those.

The watchdog recommended that the secretary of defense “should ensure the CDAO assigns responsibility to complete the additional steps necessary to fully define and identify DOD’s AI workforce,” and that the office establishes a clear timeline for the effort.

The Pentagon chief also “should ensure that the Under Secretary of Defense for Personnel and Readiness updates the Human Capital Operating Plan to be consistent with the Agency Strategic Plan and Annual Performance Plan relating to AI workforce issues in the next annual review,” officials wrote.

The Defense Department pushed back on some of the GAO’s findings and inclusions in the study. In its official response, the Pentagon partially concurred with each of GAO’s three recommendations after viewing a draft of the report ahead of its release — but also proposed explicit revisions of the recommendations. 

For instance, GAO officials note that the department “proposed that we revise the wording of the first two recommendations to include the Under Secretary of Defense for Personnel and Readiness as a coordinating office.” 

“We applaud DOD’s emphasis on stakeholder coordination and recognize the value that coordination with the Under Secretary of Defense for Personnel and Readiness and others, such as the Chief Information Officer, can add to the department’s efforts to define and identify the AI workforce. However, we did not make this change to the recommendations because of the CDAO’s existing ability to coordinate with the Under Secretary of Defense,” they wrote. 

On those first two recommendations, DOD officials also argued “that there is a conflation of workforce definition and identification processes for work roles compared to occupational series,” and inaccuracies regarding the order of operations and other GAO recommendations, the report noted.

Watchdog officials took issue with that Pentagon assessment.

“We do not agree that we conflated workforce definition and identification processes for work roles compared to occupational series. We based our analysis on [Office of Personnel Management] and DOD guidance. DOD did not describe or elaborate on how the processes might be conflated in its written response or in its technical comments provided along with the response to our draft report,” they stated.

The agency’s three recommendations for DOD remain open.

The post GAO urges Pentagon to better define and identify its AI workforce appeared first on DefenseScoop.

In a report, prompted by Congress, the GAO examined how DOD acquires AI tools. The GAO noted that the Pentagon’s planned spend in 2023 on these technologies signals that the technology is a key priority for staying ahead of adversaries. Despite this, the department’s struggles in emerging technology continue, according to the congressional watchdog.

“We have reported for decades on DOD’s challenges in acquiring software-intensive weapon systems,” GAO wrote in a letter to the Senate Armed Services accompanying its report.

GAO put the Pentagon’s issues in stark terms, finding that despite numerous components purchasing, developing and using AI, the DOD doesn’t have guidance for how organizations should approach acquiring it.

“DOD is in the process of planning to develop such guidance, but it has not defined concrete plans and has no timeline to do so,” it said. “The military services also lack AI acquisition-specific guidance, though military officials noted that such guidance would be helpful to navigate the AI acquisition process. Without department-wide and tailored service-level guidance, DOD is missing an opportunity to ensure that it is consistently acquiring AI capabilities in a manner that accounts for the unique challenges associated with AI.”

With no DOD-wide guidance, some service organizations have begun piecemeal issuing their own, however, GAO noted that components it interviewed acquisition guidance on AI would be helpful to navigate acquiring AI capabilities.

GAO reported that the creation of the Office of the Chief Digital and AI Officer in late 2021 – which consolidated several offices within the Office of the Secretary of Defense such as the Joint Artificial Intelligence Center, Defense Digital Service and Chief Data Officer – paused the development of DOD-wide AI acquisition guidance until CDAO has a clearer plan.

The risks associated with not having guidance means DOD could be spending limited precious resources on AI tools and technologies that don’t address challenges associated with AI and aren’t tailored to specific needs.

“Until DOD establishes department-wide guidance to act as a framework, it cannot ensure that its components are acquiring AI capabilities in a manner that accounts for the unique challenges and considerations associated with AI as they navigate the acquisition process,” GAO said. “Additionally, given that DOD is investing considerable effort and funds toward developing and acquiring AI tools and capabilities and requested $1.1 billion for core AI in fiscal year 2023, establishing guidance would better position DOD to effectively spend funds on AI acquisitions consistently across its components. This guidance could, as appropriate, leverage key private company observations identified earlier.”

GAO issued a total of four recommendations to DOD, the Army, the Navy and Air Force, all of which, the department concurred with.

The Secretary of Defense should ensure that the CDAO along with other DOD acquisition policy offices prioritize establishing department-wide AI acquisition guidance, GAO recommended.

Once that guidance is issued, GAO recommended the secretaries of the Army, Navy and Air Force should establish service-specific AI acquisition guidance that includes oversight processes and clear goals for such acquisitions.

The post DOD lacks comprehensive guidance for acquiring AI technologies, says GAO appeared first on DefenseScoop.

The specific item, which was included in the chairman’s mark for the fiscal 2024 National Defense Authorization Act, directs the comptroller general and the Government Accountability Office to review the Department of Defense’s management of cyber operations.

The chairman’s mark generally reflects the priorities of the committee’s chairman and includes input from other members as well. It was released Monday ahead of the full committee markup on June 21.   

Specifically, the provision seeks an evaluation of:

• The number of commands, organizations, units and personnel responsible for conducting cyberspace operations across the Department of Defense;
• The command and control relationships associated with such commands and organizations;
• The number of command staff with any responsibility for budgetary, personnel, policy, or training matters;
• The ratio of personnel within commands, organizations and units determined to be fully trained and qualified, as defined by the commander of the U.S. Cyber Command, relative to the total number of such personnel assigned to operational billets;
• The ratio of command staff relative to the total number of personnel assigned to billets within the cyber mission force of Cybercom provided by each of the services, and;
• An assessment of potential duplication in effort or cost between the various entities, among others.

“There is a robust infrastructure within each service that establishes curriculums, funding profiles, manning rosters, upon which cyberspace operations are built. In practical terms, that means that there are four independent teams across the Army, Navy, Air Force, and Marines conceiving and implementing cyber training requirements,” a senior House Armed Services Committee aide told DefenseScoop regarding the provision. “The aspect that required the dedicated study by the Comptroller General is the degree of redundancy and unnecessary duplication of effort towards the organize, train, and equip functions for cyberspace operations which exists across the services.”

This provision follows similar proposals in previous years’ bills, most notably last year’s NDAA, which raised issues about how the services present forces to Cybercom to conduct cyber operations.

As it currently stands, the services are responsible to train forces – based on uniform training standards, in principle, provided by Cybercom – and provide a set number of teams to Cybercom as part of the cyber mission force. Cybercom last year was granted enhanced budget authority, which will be effective October 1 and allow it to assume the budgetary responsibility and authority for its programs and operations that previously were provided by the services.

With this unique model for force presentation, Congress has grown concerned recently regarding the state and readiness of teams. A provision in last year’s NDAA required a study, which among many aspects, called for an examination of the current cyber enterprise, requested how the services should man, train and equip for cyber, and inquired if a single military service should be responsible for basic, intermediate and advanced cyber training of the cyber mission force.

The post House bill directs study on redundancies in cyber training and funding across military services appeared first on DefenseScoop.

The EITaaS program is meant to outsource basic IT services so that the Air Force can free up airmen for more specialized, cyber-focused network defense and mission assurance. 

Officials have said that with Wave 1, the department will for the first time have enterprise IT service management, one platform and one easy way to enter a trouble ticket, as well as a wider variety of end-user devices and an easier way to order them. The initiative will include improved and consolidated service desks for more than 800,000 users worldwide, and it’s also expected to yield major lifecycle cost savings.

“Wave 1 will transform DAF IT services from in-house, base-centric delivery models to an enterprise servicer model,” according to Friday’s release from the Air Force Life Cycle Management Center.

In August, the Defense Department announced a $5.7 billion blanket purchase agreement award for Wave 1 to an industry team led by CACI NSS, with support from Bowhead Logistics Management, Cartridge Technologies, InSequence, Cask NX, CDIT, Vision Information Technology Consultants, Oneida Technical Solutions, Enhanced Veterans Solutions, and Expansia Group.

However, in September the losing bidders — Accenture, Peraton and Science Applications International Corp. — each filed protests with the Government Accountability Office.

“The protesters challenged various aspects of the agency’s evaluation of quotations and the best-value tradeoff decision. The protesters also alleged that CACI obtained an unfair competitive advantage due to its employment of three former agency employees,” according to the GAO.

The watchdog eventually “dismissed the protests as academic” after the Air Force “elected to take voluntary corrective action in the form of a reevaluation of quotations, a new best-value tradeoff decision, and an investigation into the alleged unfair competitive advantage.”

After the Air Force’s reevaluation, service officials again determined that CACI presented the best value and informed contractors in December. Peraton then filed another protest with the GAO.

“Peraton raises several allegations challenging the agency’s evaluation of quotations and the resulting selection decision. Peraton alleges that CACI obtained an unfair competitive advantage through its employment of former Air Force personnel, and the agency’s failure to disqualify CACI from the procurement on that basis was unreasonable. The protester also challenges the Air Force’s evaluation of CACI’s quotation under the gate one prior experience factor, the evaluation of both vendors’ quotations under the gate two non-price factors, and the best-value tradeoff decision,” the GAO said in its April 12 decision on the latest protest, which was released last week.

“Although we do not address all of the protester’s arguments in this decision, we have considered each argument and find no basis to sustain the protest,” the agency said.

Peraton has not responded to a request for comment. CACI did not provide comment to DefenseScoop by the publication deadline.

Work on the EITaaS program had been on hold while GAO considered the protest.

“After several rounds of protest, the Government Accountability Office denied the final challenge … clearing the way for the Air Force and CACI NSS LLC to move forward with a blanket purchase agreement for Enterprise Information Technology as a Service ‘Wave 1’ services,” the Air Force said in the release on Friday.

The service first initiated “risk reduction” pilots under the EITaaS initiative in 2018 that included AT&T and Microsoft. Wave 1 will allow the Air Force to embark on the full-scale program.

“We have seen the user experience improve dramatically at the current bases participating in our risk reduction efforts, and we are excited to be moving forward in providing these services to all our Airmen and Guardians,” Col. Justin Collins, senior materiel leader for the enterprise IT and cyber infrastructure division at AFLCMC, said in a statement.

When the contract award was first announced last year, the DOD said the work was expected to be completed by Aug. 29, 2032.

“Work will predominantly be performed in Chantilly, Virginia, with additional locations depending on individual BPA order requirements,” per the announcement.

Meanwhile, the Air Force is planning for Wave 2, which will include overhauling base infrastructure, CIO Lauren Knausenberger said last year at a forum hosted by the Potomac Officers Club, adding that about 30 bases will be prioritized. The service has not yet issued an award for the next wave.

“I suspect that the money will come when one of our industry partners knocks it out of the park and shows us that that next-generation architecture makes a huge impact for unclassified and secret warfighting capabilities as well as a huge impact to our business capability, our ability to fight with our allies and our ability just to be more efficient in our day-to-day business,” Knausenberger said.

The post Air Force’s multibillion-dollar Enterprise IT as a Service program cleared for takeoff appeared first on DefenseScoop.

Adversaries are becoming more active in this realm, seeking to contest U.S. and friendly forces every day. This daily competition largely takes place below the threshold of armed conflict, but, in the event of a war, adversaries will seek to disrupt info systems by, for example, jamming radio frequency communications and leaving military decision-makers with incomplete or inaccurate information.

“According to DOD, our competitors and adversaries are taking advantage of vulnerabilities in the information environment to advance their national objectives and offset the U.S.’s position as the preeminent warfighting force. DOD’s military operations in the information environment play a pivotal role in engaging our adversaries,” the report states. “The wide reach and fluid nature of the information environment poses risks that adversaries can contest and attack to undermine U.S. and friendly forces’ understanding, decision-making, morale, and will, according to DOD.”

The Pentagon has taken several steps in recent years to reestablish its prowess in the information environment and beat back adversaries by placing greater importance on these capabilities. In 2017, it elevated information to a joint function, identified globally integrated operations in the information environment as a special area of emphasis for education, issued an update last fall to its joint publication for information in joint operations, completed an assessment of capability gaps and challenges with operations in the information environment, and is slated to publish an update to the 2016 Strategy for Operations in the Information Environment this year.

However, outside experts still believe the proof is in the pudding regarding whether or not these efforts will be implemented and the department will better integrate its capabilities.

GAO’s study, mandated by the annual defense policy bill for fiscal 2022, notes that while progress has been made, the Pentagon has not given clear guidance for what components should focus on for training.

“DOD components are unclear about what information environment aspects to cover in such education and training because guidance does not specify what content to include. DOD officials also reported having limited resources for their education and training efforts and cited simulation, infrastructure, and personnel limitations as further impeding these efforts. Officials stated that these limitations hinder the creation of realistic environments in which leaders can practice decision-making skills,” the report states.

“DOD has not assessed or comprehensively reviewed component assessments of resources. Until DOD develops guidance and assesses its resources, it will lack assurance that it will be able to educate and train leaders to prepare them to make decisions in a contested information environment,” it added.

The watchdog made two recommendations: the secretary of defense and chairman of the Joint Chiefs of Staff should develop DOD-wide guidance about what content to include in education and training for decision-making in a contested information environment; and conduct an assessment and comprehensive review related to component assessments of resources needed to meet current education needs and train leaders.

The Pentagon agreed in part on the first recommendation and concurred on the second. Regarding the first recommendation, the DOD said the secretary would develop guidance regarding content to include, but noted that combatant commands would determine the frequency of such efforts based on their operational tempos.

Regarding the second recommendation, DOD did not provide GAO with a timeline for completing the assessment.

“Given the critical nature and challenges associated with conducting operations in a contested information environment, the department will be better positioned to provide any required education and training resources by taking these actions in the near future,” the watchdog said.

The post Watchdog warns DOD lacks clear guidance for training leaders in contested information environments appeared first on DefenseScoop.

GAO’s audit, which was part of a congressional ask to examine DOD’s goals, found that DOD is still in the early stages of defining what existing systems will contribute and what future capabilities are needed to be developed for Joint All-Domain Command and Control (JADC2).

JADC2 refers to the Pentagon’s vision for fighting future wars, which seeks to connect sensors and shooters and provide battlefield commanders with the right information to make faster decisions. As GAO laid out in the past, the DOD and services have prioritized individual systems, which has hindered joint interoperability. Now, facing the prospect of conflict with highly sophisticated adversaries, the DOD needs these disparate systems and networks to connect and communicate seamlessly.

Each of the services is pursuing its own efforts in line with JADC2: the Air Force’s Advanced Battle Management System, the Army’s Project Convergence and the Navy’s Project Overmatch.

Despite positive steps — such as the issuance of a JADC2 strategy, implementation plan and reference architecture — GAO said DOD is still in the early stages of identifying capabilities and in the process of identifying JADC2 implementation challenges.

The Joint Requirements Oversight Council defined overall JADC2 goals in 2019 that broadly outlined the need for a secure environment to share data on threats across all domains while connecting headquarters to forces to enable faster decision-making and command and control.

Over the next year, the DOD will assess joint capability gaps, identify and prioritize requirements, and recommend where to allocate resources to accomplish near-term, mid-term and long-term goals, according to GAO.

As an update to the 2019 JADC2 Campaign Plan, this effort will inform what existing technologies contribute to JADC2 and what might be needed to be developed allowing officials to properly prioritize.

Additionally, the services have begun prioritizing their own JADC2-related capabilities to develop based on their needs, which, GAO states, are not necessarily aligned with DOD’s highest priorities. One reason is that when they started their respective efforts, the JADC2 cross-functional team had not established its strategy, and thus each service carried out efforts independently.

Now, the cross-functional team chair stated DOD has recently identified the need to address capability gaps and will work to align efforts across the department.

GAO also found that DOD has yet to develop an overall assessment of the cost and schedule requirements to deliver JADC2 capabilities. While the services have done so for some programs, there is no complete cost and schedule information for all efforts.

In order to have a more informed investment strategy, the JADC2 budget operational planning team said it plans to complete an annual inventory of JADC2 efforts that will support investment tracking and resource recommendations. Already the services and defense agencies have submitted their budget requests for JADC2 investments in July 2022, which informed the program and budget review process for 2024-2028, GAO said.

Highlighting a key question many outside experts have raised since the inception of JADC2, GAO also found that officials across DOD have expressed concerns that the cross-functional team does not have sufficient authority to direct the services’ acquisition priorities for JADC2.

“Officials from four JADC2 working groups noted that the CFT’s level of authority limits its role because military departments are not required to implement CFT recommendations to address JADC2 issues or tasks. Officials stated that it could be a challenge for the CFT to maintain momentum for JADC2 efforts going forward without this authority,” GAO’s report said.

The cross-functional team chair said the team has sufficient authority to ensure the services complete tasks necessary to achieve JADC2 goals such as raising potential issues of contention among services to authoritative bodies including the Deputy’s Management Action Group.

Congress has been concerned about clarity from the Pentagon regarding JADC2. DOD was due to provide a report by Dec. 30, 2022, to Congress outlining an inventory of JADC2-related development efforts, a description of JADC2 performance goals and a list of potential JADC2 capability gaps. GAO said the DOD will provide an update to Congress between January and March 2023.  

The post Pentagon has not yet defined capabilities needed to achieve JADC2, GAO says appeared first on DefenseScoop.

The report, commissioned by Congress as part of last year’s annual defense authorization bill, notes that the services use a different model for tracking personnel than Cybercom.

“While the military services track cyber personnel staffing levels by career fields, USCYBERCOM uses work role designations to assign personnel to cyber mission teams,” GAO said. “As a result, military service officials cannot determine if specific work roles are experiencing staffing gaps. Tracking staffing data at the work role level would enable the military services to identify and address staffing challenges in providing the right personnel to carry out key missions at USCYBERCOM. This information is also essential for increasing personnel assigned to USCYBERCOM as planned by the Department of Defense (DOD).”

The Navy is the only service that tracks personnel by work roles, meaning the Army, Air Force and Marine Corps “may not be equipped to identify staffing gaps and project staffing needs for critical work roles,” GAO found.

This is especially important as Cybercom is expected to gain 11 more teams in the next two years — the first such growth since the cyber mission force was built in 2012 — making the tracking and understanding of where personnel, work role and career field gaps exist critical.

Each of the services trains their cyber warriors to a joint standard set forth by Cybercom whereby each person at their respective school house receives notionally the same level of training regardless of if they’re going to an offensive, defensive or support team. They’ll typically get additional training and guidance once they get to their operational unit.

Despite these joint standards, the services still exercise their own service-unique flavor to how they organize and manage forces within their ranks, though once presented to Cybercom, they will typically work in a joint fashion.

Cybercom’s work roles have specific requirements and certifications needed to perform the function and can be filled by the services through a variety of career fields. For example, the Army’s 17C career field for enlisted cyber operators was used to fill eight different Cybercom work roles, which can mask staffing shortages for some roles.

GAO explained that Army officials described the approach to filling work roles as a “best athlete” model focusing on skills versus career field.

Given how relatively new Cybercom and its cyber mission force are, several of the cyber career fields and work roles are new, with Cybercom making several revisions over the last few years resulting in changes to guidance.

GAO did state that the services and Cybercom are working to better align work roles in fiscal 2023.

“USCYBERCOM officials stated that tracking personnel data by work role would provide them and the military services with greater visibility of current and projected staffing levels for work roles,” the report found. “[O]fficials with the office of the DOD Chief Information Officer stated that tracking data by work role allows for identifying gaps in the workforce. For example, officials provided a demonstration of the system they use to track civilian cyber positions by work role. In this system, some occupations appeared healthy when viewed at the occupation level, but when sorted by work role, gaps in specific work roles were identified.”

If DOD is able to address these issues, GAO said, it will be better postured to recruit and retain a knowledgeable and skilled force in the face of competition from the private and public sectors.

GAO recommended that the secretaries of the Army and Air Force take steps to integrate Cybercom’s work roles into their personnel systems to track cyber personnel data by work role. GAO made the same recommendation for the secretary of the Navy to ensure the Marine Corps does the same.

Return “ION” investment

The report also pointed out that some of the services have not ensured adequate return on investment for lengthy and costly training for a critical work role identified by Cybercom: Interactive On-Net Operator (ION).

The training for this work role — which is largely associated with offensive operations that break into adversaries’ systems for either effects or reconnaissance — is advanced, requires a significant time investment of between one to three years to complete and can cost between $220,000 to $500,000 per service member.

“[T]wo of the four military services are not positioned to ensure adequate return on their investment in lengthy and expensive cyber training,” GAO said. “Personnel who complete training to fill the ION work role—which may take a year or more and costs the department hundreds of thousands of dollars—may not remain in the military to use those skills for a significant length of time after training.”

Given that commitment of resources needed, the Navy and Air Force have worked to ensure a return on their investment instituting a three-year obligation for ION work roles.

The Army has some challenges associated with service obligations for IONs, which along with general ION training, dates back several years.

Advanced cyber courses, including ION training, are not listed in Army regulations, making it difficult to calculate or implement obligations.

“U.S. Army Cyber Command officials noted that at times this has resulted in an officer attending a year-long course costing hundreds of thousands of dollars —such as the training for ION certification—and then leaving the military soon after completing certification, leaving the Army without an adequate return on its investment,” GAO found.

The Army is working to revise its regulations to clearly define a service obligation of 36 months for completion of the training, though, when GAO reviewed a revised draft, it did include a designated service obligation for advanced cyber training to include ION training.

The Marine Corps, however, does not require any service obligation for IONs.

“Without developing guidance in a timely manner to clearly define service obligations for advanced cyber training—particularly ION training—the Marine Corps may continue to forego an adequate return on its investment in such training,” GAO said. “In addition, the Marine Corps may find itself understaffed in critical cyber skills as a result of investing in training for personnel who may take those skills elsewhere immediately after completing the training and certification.”

The Marines have requested to have a service obligation of 54 months from the start of ION training, though a Marine Corps Forces Cyberspace Command official told GAO they were unsure if this would be approved and implemented.

GAO recommended that the secretary of the Army ensure updates to relevant Army regulations to clearly define active duty obligations for ION training for both enlisted and officer personnel and the secretary of the Navy ensure the commandant of the Marine Corps develops guidance to establish active duty obligations for ION training.

The post GAO: Cybercom and services not on same page tracking personnel appeared first on DefenseScoop.

In a new report, the GAO found that the DOD has experienced more than 12,000 cyber incidents since 2015. However, those incidents have become less frequent in recent years with 1,331 in 2019, 812 in 2020 and 948 in 2021. By comparison, there were 3,880 such incidents in 2015.

Pentagon officials attribute the decline to an increase in the deployment of defense mechanisms during that time period. However, despite this reduction, the DOD’s reporting of them remains an issue.

“DOD’s system for reporting all incidents often contained incomplete information and DOD could not always demonstrate that they had notified appropriate leadership of relevant critical incidents,” the GAO found. “The weaknesses in the implementation of the two processes are due to DOD not assigning an organization responsible for ensuring proper incident reporting and compliance with guidance, among other reasons. Until DOD assigns such responsibility, DOD does not have assurance that its leadership has an accurate picture of the department’s cybersecurity posture.”

One process DOD established but is not fully implementing is a cyber incident management process for all incidents that requires cybersecurity service providers (CSSPs) to report all incidents into a repository called JIMS and notify appropriate leadership, according to the watchdog. Another is an operational reporting process in which CSSPs report critical cyber incidents in the form of a significant activity report that is used to notify commanders at all levels.

The GAO noted that the Pentagon has not clearly assigned an organization responsible for ensuring components and CSSPs follow policy guidance.

“Until DOD assigns responsibility for ensuring complete and updated incident reporting and proper leadership notification, the department will not have assurance that its leadership has an accurate picture of its posture,” the watchdog said. “As a result, the department may miss opportunities to assess threats and weaknesses, gather intelligence, support commanders, and share information. Further, until DOD improves the reporting of cyber incidents, DOD will be limited in its ability to achieve the department’s goals and policy for enabling cyberspace accountability of DOD components and information systems.”

Additionally, differences in reporting requirements in DOD guidance to record cyber incidents has resulted in a lack of complete reporting.

Moreover, the GAO discovered that PII breaches have more than doubled with 928 in 2015, 1,551 in 2019, 1,608 in 2020 and 1,891 in 2021 — for a total of 8,886 since 2015.

The watchdog discovered that the DOD’s notification of affected users in these cases is somewhat unclear. The department could not provide evidence it had always notified affected individuals, noting that components will often notify individuals verbally, by phone or by email with no record of the notification retained.

Notably, the GAO also determined that there is no fully established process for reporting and sharing cyber incident information that affects the defense industrial base.

“DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders, according to officials. DOD guidance states that to protect the interests of national security, cyber incidents must be coordinated among and across DOD organizations and outside sources, such as DIB partners,” the report said. “Until DOD examines whether this information should be shared with all relevant parties, there could be lost opportunities to identify system threats and improve system weaknesses.”

GAO Recommendations

The GAO issued six recommendations, which Pentagon officials concurred with.

The recommendations include:

–The Defense secretary should ensure the chief information officer, commander of U.S. Cyber Command and the commander of Joint Force Headquarters-DOD Information Networks assign responsibility for overseeing cyber incident reporting and policy compliance.

–The Defense secretary, CIO, commander of Cybercom and commander of JFHQ-DODIN should align policy and system requirements to enable an enterprise-wide visibility of cyber incident reporting to support tactical, strategic and military strategies for response.

–The Defense secretary should ensure the CIO, commander of Cybercom and commander of JFHQ-DOIN include in new guidance on incident reporting detailed procedures for identifying and reporting to leadership.

–The Defense secretary should ensure the commander of Cybercom, in coordination with others, examine if information on DIB-related cyber incidents handled by CSSPs is relevant to the missions of other DOD components — and who it should be should be shared with.

–The Defense secretary should ensure the CIO determines what actions need to be taken to encourage more complete and timely mandatory cyber incident reporting from DIB companies.

–The Defense secretary should ensure DOD components document instances where individuals affected by a privacy data breach were notified.

The post Watchdog finds decrease in cyber incidents on DOD networks, but major increase in PII breaches appeared first on DefenseScoop.