Despite some progress in maturing its architecture for guiding major purchases of platforms, U.S. Cyber Command still has not developed an outcome-based metric to support assessments of programs and staffing issues for acquisitions, according to a Government Accountability Office report released Wednesday.
The Senate mandated study, titled “Defense Acquisitions: Cyber Command Needs to Develop Metrics to Assess Warfighting Capabilities,” is the second such GAO assessment of Cybercom’s Joint Cyber Warfighting Architecture (JCWA), which was created in 2019 to help guide its acquisition priorities and programs.
The architecture includes four main programs: the Persistent Cyber Training Environment for conducting training and mission rehearsal, Unified Platform – considered the centerpiece where data is ingested, analyzed and shared – Joint Cyber Command and Control to command cyber forces and the larger cyber environment, and the Joint Common Access Platform for executing offensive operations.
Cyber Command has made progress in addressing concerns GAO raised in its original November 2020 report, such as creating new offices to provide a better governance structure. But inexperience and confusion have led to a lack of metrics and outcome-based approach in conducting so-called value assessments on the architecture and its programs, according to the watchdog.
These value assessments are formal and recurring assessments of an acquisition program’s effect on mission outcomes and whether those outcomes are worth the investment.
While such assessments were beginning to be scheduled in September 2021, GAO noted they weren’t done in a timely manner.
The assessments for some programs weren’t scheduled because officials misunderstood their role in leading them, believing they weren’t responsible for requesting them, according to the report.
Furthermore, Cybercom did not develop outcome-based metrics to assess whether JCWA programs are achieving their desired operational outcomes. Failure to develop such outcome-based metrics to inform a second round of value assessments will lead to greater risk of not understanding how new capabilities benefit the cyber mission, GAO said.
In spring 2021, command officials told GAO they had established a team to develop metrics, however, they could not provide a time frame for identifying them.
Reasons for the slow progress include inexperience with the Software Acquisition Pathway – which is being used for a majority of JCWA programs – the nature of the cyber mission continually changing, and the challenge of measuring new tactics or training on mission outcomes, according to the study.
The Pentagon concurred with GAO’s recommendation to develop outcome-based metrics to support future value assessments for JCWA programs.
The GAO report comes on the heels of the Pentagon’s chief weapons testers’ annual report charging that the command and JCWA lack a test and evaluation strategy as well as the proper authority and resources to manage new tools.
GAO stated that Cybercom is continuing to assess workforce needs as it matures JCWA governance, and is working to get the right contract offices and officials in place to execute oversight on these programs.
Command officials that spoke with GAO stated that offices involved in executing JCWA and other responsibilities do not have sufficient personnel.
It will take time to fill positions, according to Cybercom officials, because they have to justify and validate that the command has a need before beginning to address workforce issues in fiscal 2025, GAO said, adding that the command has a workforce study underway that will likely be completed later in fiscal 2022.
“According to Cyber Command officials, understaffing is creating an all-hands-on-deck atmosphere, with individuals attempting to address emergent issues regardless of their office’s role, rather than a more coordinated approach,” GAO found. “JCWA program officials said this atmosphere creates confusion because they are in contact with multiple Cyber Command officials, but unsure which official has the authority to advise or make decisions for their programs.”
Because the military services are procuring systems on behalf of Cybercom, there are inherent interoperability challenges associated with getting each system on the same page and integrated, according to GAO.
The command created the JCWA Capabilities Management Office to synchronize actions across platforms and identify gaps, the JCWA Integration Office to coordinate integration across programs and delivery while developing capabilities aligned with command priorities, and a JCWA concept of operations to define how it envisions employing and integrating the various capabilities in an operational context to better articulate how to put the disparate capabilities together and employ them.
GAO said the concept of operations serves as the core reference document for leaders to understand how JCWA can support operational planning and decision making and sets goals for interoperability between the programs. This document is intended to evolve as the cyber domain changes with the current document projecting five to 10 years into the future.
GAO found that Cyber Command plans to continue revising internal JCWA roles and responsibilities with action taken to address the intent of recommendations in the previous report.