Pentagon Weapons Programs Still Struggle to Use Modern Software Practices, Watchdog Says

Defense Department weapon systems programs may be turning to cutting-edge software development and cybersecurity practices more than ever but their implementation has been spotty, according to a new watchdog report. 

The Government Accountability Office found in its annual assessment of weapon systems, released June 8, that the Pentagon needs to conduct better oversight for the development of systems using multiple acquisition pathways. DOD revamped its acquisition model with the introduction of the Adaptive Acquisition Framework in January 2020, which among other things helped modernize software acquisitions, emphasized implementing cybersecurity throughout the lifecycle of systems, and allowed for greater tailoring of acquisition strategies. 

In the same assessment, GAO reported that both major defense acquisition programs (MDAPs) and middle-tier acquisition (MTA) programs said software development factors to include cybersecurity were “risks to efforts to develop and field capabilities to the warfighter.” According to GAO, this tracks with the findings in last year’s assessment. 

“DOD made efforts to improve in these areas, such as working to update its software and cybersecurity instructions and provide guidance on Agile software development practices,” the assessment reads. “However, we found that the majority of programs we surveyed continue to face challenges in executing modern software development practices and many programs we surveyed are challenged in implementing iterative and early cybersecurity assessments.”

MDAPs told GAO they struggled with completing software development in time to do testing, while MTA programs said they are having trouble doing initial integration of software with hardware. And most programs said they haven’t ensured program officials are receiving training on modern software practices or that programs work with end-users in an iterative feedback process, which are some of the key practices recommended by the Defense Science Board for software acquisition modernization. 

Despite the emphasis on deploying software quickly in many batches, only six of 36 programs told GAO they delivered software to users in less than three months. Under an Agile development framework, software is meant to be delivered in the space of a couple of weeks. 

“MDAPs and MTA programs also reported challenges related to their software development workforce,” the assessment reads. “For example, over half of all MDAP and MTA programs reported staffing challenges, including hiring contractor and government staff in time to perform planned work and identifying contractor and government staff with expertise in software development.”

The picture isn’t much rosier on the cyber side. Half of all MDAPs and every MTA program involved in the assessment have not consistently implemented DOD guidance outlining test and evaluation processes that start at the beginning of the acquisition and continue throughout the lifecycle of the program. While most programs created cyber strategies, many neglected to factor cybersecurity into requirements documents. 

“We found that the surveyed programs did not consistently conduct cooperative vulnerability identification tests designed to identify vulnerabilities and plan the means to mitigate or resolve them,” the assessment reads. 

GAO ultimately made one recommendation based on the assessment that the DOD concurred with: that the undersecretary of defense for acquisition and sustainment should “ensure that the internal and external reporting capabilities developed using multiple efforts or pathways provides information on each individual effort, as well as the overall planned cost and schedule required to deliver the eventual capability.”