GAO: DOD Needs Permanent Group to Protect Critical Technologies

A Defense Department task force is making progress on developing procedures for identifying and protecting critical technologies but should designate an organization to run protection efforts departmentwide to ensure consistent leadership, according to a new Government Accountability Office audit released Jan. 12. 

The 2019 National Defense Authorization Act mandated DOD come up with a list of acquisition programs, technologies, manufacturing capabilities and research areas critical to maintaining U.S. military superiority. Such a list would enable DOD and other federal agencies to establish protection members aimed at preventing adversaries from spying or stealing this technology. But previous methods of identification didn’t work for DOD, so the department began implementing a revised process in February 2020. 

That work, which is not yet complete, is being led by the Protecting Critical Technology Task Force, established by then-Defense Secretary James Mattis in 2018. Maj. Gen. Thomas Murphy, who heads up the task force, indicated this work is concerned with combating any means by which technology, information and data could be stolen, including via cyber activities.

The task force was supposed to dissolve in October 2020, according to the audit, but will likely stay intact until spring in order to transition responsibilities. Which organization will assume these responsibilities is the question.

“With the new administration coming in, we think it's really important that there is a specific organization, designated to carry out these last steps, and then to ultimately administer this whole process going forward,” William Russell, who directs GAO’s contracting and national security acquisitions team and led the audit, said. 

“This is something that's cyclical. Every year there should be a new refresh of the list and some of these steps, and so it's important that there's a place within the DOD organization that's going to be specifically responsible for finishing out some of the steps,” he added. 

DOD’s procedure for protecting critical technologies has four steps: identify, communicate, protect, assess and oversee. Most of the progress in this effort has come in the identification and protection steps. While work on those two steps is not complete, DOD has the most work to do in hammering out a communications strategy and establishing metrics to gauge the success of protection efforts. According to task force officials, it will likely take until September 2021 to implement all four steps in the process. 

In the past, DOD has used formal memos sent to secretaries for military departments to communicate the list formally, but the audit suggested too much discussion of the list has happened informally, particularly when it comes to communicating with other federal agencies. 

Russell said formal communication of the list just isn’t consistent, but it’s necessary in order to be certain that protection of critical technologies is not left to chance. The departments of State, Commerce, and Treasury all play a role in protection activities such as export control and reviews of transactions. 

“Having a formal way to know what DOD thinks is important really helps to also ensure that consistency across some of these agencies,” Russell said. “Consistent protection of critical technologies is something that's been on GAO’s high-risk list beginning in 2007, and it's really about that, making sure there are no gaps in the safety net of programs that are set up to protect critical technology and information.”

The audit also found the task force has not identified metrics to measure the implementation of protection measures.

“Until program-specific and DOD-wide metrics are in place—and periodically reviewed to account for adversaries’ changing tactics—DOD will not be able to assess the implementation and sufficiency of its protection measures potentially leaving critical acquisition programs and technologies at risk of being vulnerable to adversaries,” the audit reads. 

GAO’s three recommendations suggest DOD identify an organization to oversee departmentwide protection efforts, determine a strategy to formally communicate the critical technologies list to stakeholders, and create metrics to measure protection efforts. 

DOD concurred with the recommendation around communications, and partially concurred with the others without providing much detail.