Defense urged to take steps to prevent systems tampering

GAO recommends Pentagon issue instructions to Defense agencies on protecting critical technologies.

The Defense Department has made strides in implementing an anti-tamper policy to protect weapons systems and technologies, but more direction is needed for its agencies, the Government Accountability Office reports.

Defense has been working since 1999 to protect its multibillion-dollar investments in sophisticated weapons systems and technologies from tampering and exploitation. Top officials aim to determine which technologies are critical and vulnerable and to develop protective measures. According to a GAO report (GAO-08-91) released Friday, Defense has made progress since it last looked into the program in 2004, but guidance still is insufficient to ensure that the Pentagon can implement anti-tamper policies departmentwide.

GAO recommended issuing a formal directive or instructions incorporating its anti-tamper policy into acquisition guidance. Without departmentwide guidance, Defense agencies are left to develop their own strategies, according to the report. GAO found that program managers were struggling to identify critical technologies, assess threats to existing systems and find solutions.

"A lack of information or tools . . . has significantly challenged program managers in effectively implementing DoD's anti-tamper policy," the report said.

Defense should increase coordination across all of its agencies to determine which technologies are critical, GAO said. As it stands now, one form of technology can be protected under one program and not protected under another, increasing the risk of exploitation. Program managers also must have sufficient and consistent information on emerging threats from the intelligence community.

Tools such as risk assessment and cost-estimate models would help program managers select proper solutions to tampering risks, the report said.

"Until DoD establishes a formal directive or instruction for implementing its policy departmentwide and equips program managers with adequate implementation tools, program managers will continue to face difficulties in identifying critical technologies and implementing anti-tamper protection," wrote Ann Calvaresi-Barr, GAO's director of acquisition and sourcing management and author of the report.

Defense officials agreed with the need for additional tools and said its anti-tamper executive agent was drafting guidelines to facilitate implementation across the department.

Defense officials, however, disagreed with the recommendation that the undersecretary for acquisition, technology and logistics issue departmentwide direction, noting that the undersecretary for intelligence was in charge of anti-tamper policies.

According to Defense, the anti-tamper executive agent was planning to include a new section in its manual on anti-tamper policies. The guidelines will describe how to implement protections for critical programs, including some foreign military and direct commercial sales, and science and technology projects.

GAO expressed concern over delays in updating the directive and said Defense should consider interim measures to meet immediate needs. The watchdog agency also reiterated its recommendation that the undersecretary for acquisition, technology and logistics be more involved in developing implementation guidelines.