The Department of Defense already has a process to identify and protect the billions of dollars of critical technologies it acquires, but it needs to improve the way it communicates those findings internally and to other agencies, according to the Government Accountability Office.
The department began implementing a new four-step process in February 2020 that is more specific about what parts of acquisition programs, technologies, manufacturing capabilities, and research areas must be protected, and how the DOD will accomplish that. But it needs to do better at sharing what it learns in that process, the GAO found in a new audit.
“Critical technologies — such as elements of artificial intelligence and biotechnology — are those necessary to maintain U.S. technological superiority. As such, they are frequently the target of theft, espionage, and illegal export by adversaries,” the Jan. 12 report reads.
Officials haven’t finalized the steps in the new process on how the DOD will communicate the list internally and to other agencies, what the assessment metrics for protection measures are, and which organization will manage future protection efforts. The sooner they figure out those steps, the better, according to the GAO.
“By determining the approach for completing these tasks, DOD can better ensure its revised process will support the protection of critical acquisition programs and technologies consistently across the department,” the report reads.
Officials from the Protecting Critical Technology Task Force told the GAO they may plan to communicate the new list of critical technologies the same way they have in past years: by formal memorandum to the military secretaries. The GAO found that this approach, however, did not always loop in the people actually responsible for protecting critical technologies. Entities such as the Anti-Tamper Executive Agent and the Defense Security Cooperation Agency reported not receiving the 2019 critical acquisition programs and technologies list.
The GAO recommended that the Pentagon specify how it will communicate its critical programs and technologies list, develop metrics to measure protection efforts, and select a DOD organization that will manage protection efforts after 2020. The department concurred with the first recommendation and partially concurred with the second and third.