The Department of Defense says nearly two dozen of its weapons programs use “agile” software development, a methodology in which iterative updates are pushed out rapidly, but the report finds that their practices do not quite meet industry standards.
And while some branches have embraced penetration testing for IT networks and other more realistic cybersecurity tests on their networks, fewer than half of the 42 major weapons systems the GAO reviewed had conducted such tests. Many did, however, run table-top exercises.
Those are the key IT-related findings in the 2020 Acquisitions Annual Assessment, which comes after the DOD transitioned much of the oversight over programs to service branches in 2019. The total bill for what DOD “currently plans to invest” on major programs runs more than $1.8 trillion. Of that current and future spending on the books, $15 billion will be for 15 major IT projects, according to the report.
‘Agile’ not so agile
While the general definition of agile holds that software updates should be delivered at least every six weeks, 16 of the 22 self-described agile programs reported taking longer than that, according to the GAO. Thirteen of the weapons programs reported taking more than seven months per update, nearly five times the industry benchmark.
Other industry practices, such as setting up software factories, where code is written within a common framework to speed up collaboration, are met by only four of the programs. No program claimed to follow the increasingly favored DevSecOps methodology, according to the report.
The software delays did not only slow development; in some cases they also drove up program costs.
“Though most indicated that costs had remained the same, more than a quarter (11 of 42) of the responding programs indicated their total costs increased as a result of either changes or challenges associated with software development,” the report states.
Cybersecurity needs more testing
The report also faulted the military branches for lacking cybersecurity requirements and for needing to do more cyber testing to ensure the highly networked weapons are secure. The Navy topped two of the GAO’s lists of programs that lack cybersecurity requirements in their program parameters.
“DOD weapon systems are more networked than ever before … this change has come at a cost,” the report states. “More weapon components can now be attacked using cybersecurity capabilities.”
The challenge of securing weapons and other networked devices comes at a time when the DOD is still not doing enough to protect its IT systems, GAO found.
“These challenges also occur in an environment where DOD faces global cybersecurity threats to its weapon and IT systems, but has made only limited progress to date in identifying and eliminating its vulnerabilities,” according to the report.