
This report is a product of the Defense Science Board (DSB).

The DSB is a Federal Advisory Committee established to provide independent advice to the Secretary of Defense. Statements, opinions, conclusions, and recommendations in this report do not necessarily represent the official position of the Department of Defense.

The DSB Task Force on Department of Defense Policies and Procedures for the Acquisition of Information Technology completed its information gathering in December 2008.

OFFICE OF THE SECRETARY OF DEFENSE

MEMORANDUM FOR: Under Secretary of Defense for Acquisition, Technology and Logistics

SUBJECT: Final Report of the Defense Science Board Task Force on Department of Defense Policies and Procedures for the Acquisition of Information Technology

I am pleased to forward the final report of the Defense Science Board Task Force on Department of Defense (DoD) Policies and Procedures for the Acquisition of Information Technology (IT). This report examines the challenges facing the Department of Defense in acquiring information technology and offers recommendations to improve current circumstances.

The fundamental problem DoD faces is that the deliberate process through which weapon systems and information technology are acquired does not match the speed at which new IT capabilities are being introduced in today's information age. Consequently, the principal recommendation of the study is that the Department needs a new acquisition system for information technology. Roles and responsibilities for those involved in the acquisition process must be clarified and strengthened, and the IT system acquisition skills required in the workforce must also be strengthened.

I endorse all of the study's recommendations and encourage you to forward the report to the Secretary of Defense.

OFFICE OF THE SECRETARY OF DEFENSE
DEFENSE PENTAGON

MEMORANDUM FOR: Chairman, Defense Science Board

SUBJECT: Final Report of the Defense Science Board Task Force on Department of Defense Policies and Procedures for the Acquisition of Information Technology

The importance of information technology (IT) to U.S. military capability is widespread. It enables nearly all of the nation's military combat capability and has become a necessary element of our most critical warfare systems. Yet, there is growing concern within Congress and among Department of Defense leadership that the nation's military advantage may be eroding.

At the request of Congress, this task force undertook a review of Department of Defense policies and procedures for the acquisition of information technology. The broad scope of the study touched on acquisition and oversight policies and procedures, roles and responsibilities for acquisition officials department-wide, and reporting requirements and testing as they relate to IT acquisition.

The primary conclusion of the task force is that the conventional DOD acquisition process is too long and too cumbersome to fit the needs of the many IT systems that require continuous changes and upgrades. Thus, the task force believes that there is need for a unique acquisition system for information technology. The task force offers the following recommendations to change the Department's approach to information technology acquisition.

+ Acquisition policies. A new acquisition process for information technology should be developed—modeled on successful commercial practices—for the rapid acquisition and continuous upgrade and improvement of IT capabilities. The process should be agile and geared to delivering meaningful increments of capability in approximately 18 months or less—increments that are prioritized based on need and technical readiness.

…and other standards, spectrum, interoperability, information assurance, and systems engineering. Some capabilities must be strengthened in order to effectively execute these responsibilities, in particular system engineering, information assurance, and network integration.

+ Acquisition authorities and organization. Acquisition authority and expertise in OSD is currently spread across several organizations, resulting in a lack of enterprise-wide architecture and coordination. Consolidate all acquisition oversight of information technology under the USD (AT&L) by moving into that organization those elements of the ASD (NII)/DOD CIO and Business Transformation Agency organizations responsible for IT acquisition oversight. [We note that there was not a consensus within the task force concerning this recommendation; a dissenting view is included in appendix A.]

+ Acquisition expertise. Today, the subject matter competencies required for successful enterprise IT system acquisition are too often missing in government managers responsible for program execution. Acquisition leaders need proven and relevant business experience in the appropriate areas of acquisition, product development, and management. Similarly, program managers and program executive officers need track records of proven success.

The inability to effectively acquire information technology systems is critical to national security. Thus, the many challenges surrounding information technology must be addressed if DOD is to remain a military leader in the future. The development of a new acquisition process, coupled with clear roles and responsibilities of key decision makers, and an experienced leadership and workforce, are important elements of the solution.

Table of Contents

Executive Summary
Chapter 1. Introduction
Chapter 2. The Information Technology Environment
Chapter 3. A Framework for Information Technology Acquisition
Chapter 4. Existing Defense Acquisition Policies
Chapter 5. IT Acquisition Challenges and Issues
Chapter 6. A New Acquisition Process for Information Technology
Chapter 7. Summary and Recommendations
Appendix A. Dissent to Report
Terms of Reference and Legislative Directive
Task Force Membership

Executive Summary

Information technology (IT) offers immense capability in terms of agility, flexibility, responsiveness, and effectiveness. It enables nearly all of our military combat capability and has become a necessary element of our most critical warfare systems. However, there is growing concern within Congress and among Department of Defense (DOD) leadership that the nation's military advantage may be eroding. The deliberate process through which weapon systems and information technology are acquired by DOD cannot keep pace with the speed at which new capabilities are being introduced in today's information age—and the speed with which potential adversaries can procure, adapt, and employ those same capabilities against the United States.

Certainly, barriers that preclude transformation of the U.S. national security apparatus to meet the challenges of a new strategic era are of particular concern. Nearly a decade ago the Department established a vision for the architecture and structure for information system management—a vision that is still evolving. However, it is well known that acquisition has not been well managed for these systems within this "enterprise level" construct, and the result has not served today's leaders and soldiers well. In fact, it hinders the war fighter's ability to use information technology to its fullest potential for situation awareness, collaboration, and rapid decision-making. The resulting operational impact is profound.

Yet, despite the current situation, successful programs exist that are comprised largely or exclusively of information technologies or are deeply dependent on information technology in execution. The question then arises as to whether there are elements common to the acquisition of these successful programs that would improve DOD's ability to field advantageous information technology in a timely and cost-effective manner. Since the original Goldwater-Nichols legislation, DOD has made several attempts to revise acquisition policy with the hope that such changes would shorten acquisition cycle time. Recently, acquisition policy was again modified in part to add more rigor and discipline in the early part of the acquisition process. Likewise, the Joint Capabilities Integration and Development System (JCIDS) Instruction and Manual are being updated with changes to the Joint Staff's oversight and governance of IT programs. These policies derive from a single acquisition model that applies to both major automated information systems and major defense weapon systems acquisition programs. Information technology is pervasive in weapon systems as well as defense business systems. In its contributions to both functionality and cost, IT now represents a considerable proportion of all acquisition programs underway today—a proportion that is likely to increase in the future. Thus, whether existing DOD acquisition policies and processes provide the foundation for an effective information technology acquisition model is a critical question for the Department—one that deserves special attention from the Secretary of Defense.

At the request of Congress, the Defense Science Board (DSB) undertook a review of Department of Defense policies and procedures for the acquisition of information technology. The findings and recommendations presented in this report are the result of a study that was broad in scope, as established in legislative guidance—covering acquisition and oversight policies and procedures, roles and responsibilities for acquisition officials department-wide, and reporting requirements and testing as they relate to IT acquisition.

More specifically, the terms of reference directed that the matters addressed by the task force include the following: 1) DOD policies and procedures for acquiring information technology, 2) roles and responsibilities in implementing policies and procedures, 3) application of acquisition policies and procedures to IT that is integral to critical weapons or weapon systems, 4) legal requirements (U.S. Code) as they relate to the acquisition of IT, 5) DOD policies and procedures to facilitate the use of commercial information technology, 6) suitability of DOD acquisition regulations, 7) adequacy and transparency of metrics, 8) effectiveness of existing statutory and regulatory reporting requirements, 9) adequacy of operational and development test resources, and 10) appropriate policies and procedures for technology assessment, development, and operational testing.

…significant scientific or engineering technology development, particularly hardware development or the integration, functionality partitioning, and trade-offs … of many complex systems requiring …

Problems that plague IT acquisition are similar to those that plague the acquisition of major systems, most of which have a high content of embedded IT. The conventional DOD acquisition process is too long and too cumbersome to fit the needs of the many systems that require continuous changes and upgrades—a reality driven by the short half-life of commercial IT, supportability of hardware (which is often a commodity), software applications, and operational requirements. Thus, the Department's leaders must take action to address this problem. Toward that end, the task force offers the following recommendations to change the Department's approach to information technology acquisition.

Statutory Restrictions

The task force believes that the statutory framework is workable and is not a major impediment to improving IT acquisition within DOD. Therefore, no recommendations are offered in this area. The main issue with regard to statutory influence is that Congress has lost confidence in DOD's execution of IT programs, which has resulted in increasing program scrutiny and budget sanctions (generally funding cuts) for programs that are faltering. Since DOD implementation of IT acquisition has fallen short, Congress has added additional constraints on reporting and management; these could become problematic as DOD begins executing programs well.

Acquisition Policies

Acquisition policies (DOD Directive 5000.1 and Instruction 5000.2) are principally designed for programs where technology development for hardware and software is a critical component. The recent revisions to DOD Instruction 5000.02, implemented December 2008, offer improvements to the process but do …

The Secretary of Defense should:

+ Recognize that the current acquisition process for information technology is ineffective. Delays and cost growth for acquisition of major weapons systems and information management systems create an unacceptable risk to national security.

+ Direct the Under Secretary of Defense for Acquisition, Technology and Logistics (USD (AT&L)) and the Vice Chairman, Joint Chiefs of Staff, to develop new acquisition and requirements (capabilities) development processes for information technology systems. These processes should be applicable to business systems, information infrastructure, command and control, ISR (intelligence, surveillance, and reconnaissance) systems, embedded IT in weapon systems, and IT upgrades to fielded systems.

+ Direct that all personnel within the Office of the Secretary of Defense (OSD), the Joint Staff, and the Services and agencies involved with acquisition be accountable to ensure that their efforts are focused on the improvement, streamlining, and success of the new process.

The USD (AT&L) should lead an effort, in conjunction with the Vice Chairman, Joint Chiefs of Staff, to develop new, streamlined, and agile capabilities (requirements) development and acquisition processes and associated policies for information technology programs.

The process requires active engagement of the users (requirements) community throughout the acquisition process, with requirements constructed in an enterprise-wide context. It is envisioned that requirements will evolve so "desired capabilities" can be traded-off against cost and initial operational capability to deliver the best capability to the field in a timely manner. A modular, open-systems methodology is required, with heavy emphasis on "design for change," in order to rapidly adapt to changing circumstances. Importantly, the process needs to be supported by highly capable, existing infrastructure comprising robust systems engineering, model-driven capability definition, and implementation assessments—to reduce risk, speed progress, and increase the overall likelihood of repeated successes. Early, successive prototyping is needed to support the evolutionary approach. In addition, key stakeholders—the Chief Information Officer (CIO), Program Analysis and Evaluation (PA&E), Director of Defense Research and Engineering (DDR&E), Operational Test and Evaluation (OT&E), the Comptroller, operational users, and others—need to be involved early in the process, prior to the milestone build decision.

[Figure ES-1. A New Acquisition Process for Information Technology; figure not reproduced in this scan]

…capability to be deferred to subsequent increments if needed. Crucial to the success of a new process is continuity of funding, to maintain a solid funding stream for following, sometimes overlapping, capability releases. Along with the flexibility built into the process, relevant metrics, similar to those used in commercial practice, are needed to continuously track IT acquisitions to ensure that the expected capability is being provided, costs are being managed, and the schedule to initial capability is on track. Finally, just as there is no substitute for acquisition leadership experience in DOD, the same is true for the contractor community. For contract award, program managers need to strongly consider relevant contractor experience and past performance, especially in large acquisitions, and ensure that key personnel are committed for the duration of the project.

Deciding When to Use the New IT Acquisition Process

It is important to clarify when to use the new IT acquisition process versus the improved DOD 5000.02 process for major weapon systems and communication satellites. In addition, it is also necessary to reduce potential confusion about technology development.

The use of the improved DOD 5000.02 process for major weapon systems is required when there are many design trade-offs for hardware and IT systems and for partitioning the functions and interoperability of embedded IT systems and subsystems in a new system, while assuring interoperability and net-centric compatibility with the larger enterprise. At the same time, there are likely to be areas of needed technology development that require advances in science and engineering that have little or nothing to do with IT—such as new material properties, increased speed, or stealth. This true science and engineering technology development should not be confused with the traditional jargon of the IT community that defines technology development nearly interchangeably with software development and hardware integration.

The use of the new IT acquisition process is for new or replacement stand-alone IT systems and subsystems or for replacement IT systems embedded in existing weapon systems that are to be upgraded when there is little or no change in the hardware not associated with IT. It may also be appropriate to use the IT acquisition system process concept within the 5000.02 process for new embedded IT systems in a major weapon system acquisition, as the IT technology could otherwise be a few generations old when the system is fielded. While one could argue that this added new decision could add confusion to the process, one could also argue that if the leadership and program managers cannot sort out this high-level decision they have no chance of effectively managing or overseeing the program.

…those individuals who hold milestone decision authority (discussed in the next section).

The DOD CIO function is currently housed in the Office of the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer (OASD (NII)/DOD CIO). DOD CIO responsibilities are delineated within titles 10, 40, and 44 of the U.S. Code. As designated in legislation, the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer (ASD (NII)/DOD CIO) reports directly to the Secretary of Defense—a reporting chain that the task force believes is critical and must continue in order for the ASD (NII)/DOD CIO to have the necessary authority to carry out important Department functions.

The ASD (NII)/DOD CIO should have strong authority and responsibility for information policy, vision, architecture, infrastructure, standards, spectrum, information assurance, interoperability, and enterprise-wide systems engineering. The ASD (NII)/DOD CIO should be the Department's single authority for certifying that IT acquisitions comply with an enterprise-wide architecture and should continually review ongoing programs for architectural compliance. He or she should also be a ruthless designer of "the enterprise" infrastructure and should approve IT program manager training and certification.

These functions are also applicable to CIOs at the Service and agency level. To execute the above responsibilities, Service and agency CIOs should also directly report to the head of the Service or agency, as required by legislation.

However, the task force believes that some of the functions delineated above need to be strengthened in order to ensure that the full responsibilities of the office can be effectively executed.

The ASD (NII)/DOD CIO should actively exercise his or her authority to certify that all IT acquisitions are consistent with the Department's net-centric architecture.

Certain capabilities in the OASD (NII)/DOD CIO must be strengthened in order to more effectively execute these responsibilities—in particular, system engineering, information assurance, and network integration.

In the Services and agencies, the CIOs should also have strong authorities and responsibilities for system certification, compliance, applications development, and innovation.

All CIOs should approve IT acquisition program manager training and certification and advise the personnel selection process.

The DOD CIO, supported by CIOs in the Services and agencies, should be responsible for certifying that systems and capabilities added to the enterprise do not introduce avoidable vulnerabilities that can be exploited by adversaries.

Both system vulnerability to sophisticated adversary threats and information and mission assurance should be addressed throughout program development, particularly in the early stages during the business case analysis and development phase. As new capabilities, infrastructure, and applications are added to a system, this same assessment should be continuously monitored with particular emphasis on source code analysis and supply chain risk assessment. A robust testing program must also be established to minimize the introduction of new vulnerabilities. New capabilities need to be tested in realistic test beds under a variety of threat scenarios.

While not the centerpiece of this report, the task force believes that information and mission assurance must be an integral element of the IT acquisition process, not an afterthought. IT is too important to the Department's war fighting and business endeavors to neglect information and mission assurance, as the consequences of doing so can not only undermine the current system but also other connected capabilities as well. In this context, it is instructive to remember that there is no way to test a large IT system to assure that you "got what you wanted" and only what you wanted.

Milestone Decision Authority Roles and Responsibilities

Clear roles and responsibilities of those with milestone decision authority are essential if a new acquisition process is to be successful and the desired outcomes achieved. The lack of clarity in this regard is one of the most significant impediments to successful implementation of the current process. The task force believes that the preferred approach should be delegation to the lowest level of acquisition decision authority, consistent with program risk. Furthermore, acquisition authority and expertise within OSD is currently spread across several organizations—under the USD (AT&L), in OASD (NII)/DOD CIO, and in the Business Transformation Agency. At the Service level, similar disaggregation of responsibility also exists. This disaggregated approach seems inefficient to the task force, resulting in a lack of enterprise-wide architecture and coordination. Qualified IT acquisition and systems analysis and architecture personnel are scarce and should not be spread among separate OSD organizations. Given the speed with which information technology advances, this disaggregation exacerbates the difficulty to maintain currency and coordination within the acquisition workforce.

It is important to recognize that IT acquisition requirements are different and, because IT touches nearly everything acquired by the Defense Acquisition Executive (the USD (AT&L)), it is more than a side consideration. Bringing together the expertise from many organizations into a single one will help to ensure that the unique attributes of IT programs are better understood. In addition to milestone decision authority responsibilities and organization, the Defense Acquisition Executive advisory staff (DDR&E, PA&E, OT&E, Comptroller) issue definition and resolution process often contributes to extended IT acquisition times.

The USD (AT&L) is responsible for all acquisitions, the acquisition workforce, and is the milestone decision authority for all major defense acquisition programs (MDAP), major automated information systems (MAIS), and special interest programs. The USD (AT&L) should:

+ Consider a more effective management and oversight mechanism to ensure joint program stability and improved program outcomes.

+ Consolidate all acquisition oversight of information technology under the USD (AT&L) by moving into that organization those elements of the OASD (NII)/DOD CIO and Business Transformation Agency responsible for IT acquisition oversight. The remainder of OASD (NII)/DOD CIO is retained as it exists today, but should be strengthened as indicated in the previous recommendation.

Acquisition Expertise

A high degree of relevant technical and proven management capability is needed for IT system acquisition leadership. In addition, a set of IT domain experts are needed within the acquisition community to support acquisition oversight and decision making. OSD and the Services need IT acquisition staff with extensive experience in large scale, embedded, and commercial IT.

Today, the subject matter competencies required for successful enterprise IT system acquisition are too often missing in government managers responsible for program execution. Skills in program administration are confused with skills in operational process design and/or with skills in IT. Contracting, budgetary, and organizational design debates crowd out concepts of operations and system engineering debates. Further, architecture is too often viewed as a paper exercise rather than a model-driven, analytically supported, and rigorous engineering process incorporating enterprise-wide considerations for functionality and interface definition. Within the Department, IT expertise is scarce and the competition for talent increasing.

There is no substitute for experienced program managers with track records of proven success. In review of major IT acquisition programs where cost, schedule, or quality and performance were issues, three root causes emerged:

…the experience and qualifications of OSD and Service leaders, and program executive officers and program managers, are critical to making the right judgments to begin a program with executable objectives and then manage it to successful completion.

…Defense Acquisition Executive (USD (AT&L)) and the component acquisition executives have proven and relevant business experience in the appropriate areas of acquisition, product development, and management. Such qualifications apply to the ASD (NII)/DOD CIO and Service and agency CIOs as well.

The USD (AT&L) must work with Service and agency acquisition executives to improve the capabilities and selection process for program executive officers and program managers.

The USD (AT&L) shall direct the Defense Acquisition University, in coordination with the Information Resources Management College, to integrate the new acquisition model into their curriculum.

Conclusion

The bottom line is that the inability to effectively acquire IT systems is critical to national security. Today the United States has the most capable fielded war fighting systems in the world. Information technology is critical to a wide range of capabilities: command and control, decision systems, precision weapons, and situation awareness. The task force found that performance of the Department's current IT acquisition process is not acceptable. Thus, the many challenges surrounding information technology must be addressed if DOD is to remain a military leader in the future.

Chapter 1. Introduction

Information technology (IT) offers immense capability in terms of agility, flexibility, responsiveness, and effectiveness. IT enables nearly all of our military combat capability and has become a necessary element of our most critical warfare systems. However, there is growing concern within Congress and among Department of Defense (DOD) leadership that the nation's military capability may be eroding. The deliberate process through which weapon systems and information technology are acquired by DOD cannot keep pace with the speed at which new capabilities are being introduced in today's information age—and the speed with which potential adversaries can procure, adapt, and employ those same capabilities against the United States. For purposes of clarity, IT, as defined in this report, is any system or subsystem of hardware and/or software whose purpose is acquiring, processing, storing, or communicating information or data. DOD has a very long definition of IT which is too complicated to be useful.

Certainly, barriers that preclude transformation of the U.S. national security apparatus to meet the challenges of a new strategic era are of particular concern. Nearly a decade ago the Department established a vision for the architecture and structure for information system management—a vision that is still evolving. However, acquisition decision-making has not been well managed for these systems within this "enterprise level" construct, and the result has not served today's leaders and soldiers well. It hinders the war fighter's ability to use information technology to its fullest potential for situation awareness, collaboration, and rapid decision-making. The resulting operational impact is profound.

…program and budget planning, and the system was not sufficiently agile to react once the need was apparent.

Yet, despite these myriad obstacles, successful programs exist that are comprised largely (or exclusively) of information technologies, or are deeply dependent on information technology in execution. The question then arises as to whether there are elements common to the acquisition of these successful programs that would improve the Department's ability to field advantageous information technology in a timely and cost-effective manner.

Since the original Goldwater-Nichols legislation, DOD has made several attempts to revise acquisition policy with the hope that such changes would shorten acquisition cycle time. Recently, acquisition policy was again modified in part to add more rigor and discipline in the early part of the acquisition process. Likewise, the Joint Capabilities Integration and Development System (JCIDS) Instruction and Manual are being updated with changes to the Joint Staff's oversight and governance of IT programs. These policies derive from a single acquisition model that applies to both major automated information systems and major defense acquisition programs.

Information technology is pervasive in weapon systems as well as defense business systems. In its contributions to both functionality and cost, information technology now represents a considerable proportion of all acquisition programs underway today—a proportion that is likely to increase in the future. Thus, whether existing DOD acquisition policies and processes provide the foundation for an effective acquisition model for information technology is a critical question for the Department—one that deserves special attention from the Secretary of Defense.

…procedures, roles and responsibilities for acquisition officials department-wide, and reporting requirements and testing as they relate to IT acquisition. More specifically, the terms of reference directed that the matters addressed by the task force include the following:

1. DOD policies and procedures for acquiring information technology, to include national security systems, major automated information systems, business information systems, and other information technology.

2. Roles and responsibilities in implementing policies and procedures of the
+ Under Secretary of Defense for Acquisition, Technology and Logistics (USD (AT&L))
+ DOD Chief Information Officer
+ Director of the Business Transformation Agency
+ Chief Information Officers of the military departments
+ defense agency acquisition officials
+ chief information officers of the defense agencies
+ Director, Operational Test and Evaluation and heads of the operational test and evaluation organizations of the military departments and the defense agencies

3. Application of such policies and procedures to information technologies that are an integral part of critical weapons or weapon systems.

5. Department of Defense policies and procedures for maximizing the usage of commercial information technology while ensuring the security of the microelectronics, software, and networks of the Department.

6. Suitability of DOD acquisition regulations, including DODD 5000.1, DODI 5000.2, and accompanying milestones, to the acquisition of IT.

7. Adequacy and transparency of metrics used by DOD for acquiring IT.

8. Effectiveness of existing statutory and regulatory reporting requirements for acquisition of IT.

9. Adequacy of operational and development test resources (including infrastructure and personnel), policies, and procedures to ensure appropriate testing of IT systems both during development and before operational use.

10. Appropriate policies and procedures for technology assessment, development, and operational testing for purposes of adapting commercial technologies into IT systems.

Based on the expertise of the task force members and information briefings received during the course of its deliberations, the task force believes there is a need for a unique acquisition process for information technology. Such a process must be designed to accommodate the rapid evolution of information technologies; their increasingly critical position in DOD warfare systems, warfare support systems, and business systems; and the ever-evolving and often urgent IT needs of our war fighters.

The issues associated with the acquisition of IT systems are a subset of similar problems the Department faces in acquiring major weapon systems, most of which have a high content of embedded IT. A common theme to all is that rapid change is a reality and must be accommodated: a reality driven by the short life cycle of commercial IT technology, supportability of hardware (which is often a commodity), software applications, and operational requirements. The conventional DOD acquisition process is too long and too cumbersome to fit the needs of the many systems that require continuous changes and upgrades. Many existing programs are exceeding cost and schedule baselines, which cannot continue unabated. While the task force [...] problems, it also believes there is merit in minimizing the number of specialized acquisition approaches. That said, acquisition of information technology represents a case that must be addressed with a process that focuses on the unique characteristics IT represents.

The bottom line is that the ability to effectively acquire IT systems is critical to national security. Today, the United States has the most capable fielded defense systems in the world, and information technology is critical to these capabilities: to command and control, decision systems, precision weapons, and situation awareness. Spending on IT is rapidly growing in both embedded and standalone systems. As well, IT system acquisition and IT upgrades to existing weapon systems represent a significant and growing percentage of current acquisitions. Further, inadequate attention to cyber security in the acquisition process is an Achilles heel that can be actively exploited by our adversaries. While this report does not address cyber security in any detail, it does highlight the need to keep this critical issue in mind both during IT acquisition and through personnel procedures in the field. These many challenges surrounding information technology must be addressed if DOD is to maintain our national security objectives as a military leader in the future.

Chapter 2. The Information Technology Environment

Information technology is pervasive throughout DOD systems, from infrastructure to business systems to IT embedded in weapon systems. Whereas in 1970 software accounted for about 20 percent of weapon system functionality, by 2000 it accounted for as much as 80 percent, and today can deliver 90 percent or more of a system's functionality. While its importance is growing, the information technology environment is experiencing a disturbing set of trends (Figure 1).

[Figure 1. The Perfect IT Storm]

These trends include an increase in IT complexity, foreign supply, vulnerabilities, threat, and cost, with a concomitant reduction in the supply of U.S. computing graduates and qualified expert government staff. Simultaneously, the rate of technology change is increasing, as is the interconnected nature of systems, while timelines are shrinking: circumstances that pose both a benefit and a threat to DOD. Each of these key trends and their implications is detailed in the remainder of this chapter.

Technology Change

Information technology, from hardware and software to complex systems, continues to rapidly advance. Computer hardware rapidly evolved from vacuum tubes to transistors to nanotechnology. In his 1965 paper, Intel co-founder Gordon E. Moore predicted that the number of transistors on an integrated circuit board would increase "at a rate of roughly a factor of two per year." In 1975, Moore refined his projection to a doubling every two years. Still known as Moore's Law (Figure 2), this exponential growth has held for processing speed, memory capacity, and even the number and size of pixels in digital cameras. While Moore's Law has held for decades, processing speed is no longer increasing at this rate. Instead the industry has moved to a multi-core approach. Unfortunately, parallel processing software has lagged behind. This will be an important trend for DOD to monitor and understand.

In addition to changes in hardware, IT architectures have evolved over the past several decades from isolated computing systems of the 1960s; to networked stovepipes in the 1970s and 1980s; to the use of message passing middleware to glue together mission applications in the 1990s; to the open, service oriented architectures (SOA) of today (Figure 3). SOA is a method for organizing, exposing, and utilizing distributed capabilities that may be under the control of different ownership domains. This evolution toward the disaggregation of systems into distributed services promises more rapid development, reuse, and survivability, yet at the same time increases interdependencies, vulnerabilities, and complexity (and possibly impacts performance). The impact of this evolution is underestimated. It will allow substantial change in the nature and substance of IT acquisitions by further enabling the rapid development and fielding of small increments of capability.

While initial attempts to expose and standardize large amounts of data and metadata about legacy systems have proven highly complex and time intensive, one method that has successfully emerged is known as "loose coupling," in which minimal but critical data entities are exposed to support interoperability. For example, Cursor on Target, a machine-to-machine language designed to communicate battlefield information, enables rapid but minimal integration of a few critical data elements (e.g., position, time, object, event) across legacy systems. In summary, technology will continue to rapidly evolve, imposing challenges for personnel and programs to remain current.

Disaggregated Architectures

DOD's IT vision includes one very special feature: the separation of data from services and applications. This separation provides two high priority benefits:

1. It supports the introduction of new applications and/or services without requiring lengthy, expensive N-squared, application-to-application integration.

2. It enables operators to discover, use, publish, and govern data in ways that were not planned or anticipated, on an operational, as-needed basis.

While the introduction of disaggregated architectures and the separation of data from applications and services will provide significant benefits to the Department in both development and operations, the planned environment is a very different environment. Reaping these benefits will require rethinking and modifying the Department's processes.

[...] 2) sorting out which systems are expected to provide data for use by these same [...]. This solution is not ideal for this set of systems, as it will not provide all of the benefits of a disaggregated environment where data is separated from applications, services, and governance. It is also clear that not all of the information security requirements will be addressed by the IT infrastructure; some of these requirements must be addressed within the mission applications or services. While this should not be a surprise, it is worth noting since the goal is to have as many of the enterprise functions performed by the infrastructure as possible, in order to facilitate the introduction of new applications and services.

There are also some implications from acquisition and implementation perspectives. While there are significant benefits to being able to implement new applications and services quickly, the acquisition process will need to support these quick turn efforts more easily than it does today (which will be discussed in more detail in later chapters of this report). To deliver acceptable quality of service and to support the information and the network security required by DOD in an enterprise-wide SOA, with enterprise-wide access to data by authorized users, a well engineered and governed enterprise IT infrastructure is essential.

However, creating an enterprise infrastructure is not trivial. Transitioning from the existing platform/system and occasionally enclave-based environment to an enterprise IT infrastructure will put additional stress on the Department, especially on the technical management and acquisition process. For example, the test process will have to change to allow DOD to speed application and service implementations. At the same time there will be differences for the test function, as tests must be performed on both the infrastructure and on the individual applications/services. Both are required to deliver capability, but the test suites should be very different.

[...] and services that will ultimately rely on the infrastructure must trust that it will be successfully funded and developed.

Two additional matters relate to funding this "common good." One is the need to expose and maintain data for unanticipated users, which is necessary to avoid an erosion of confidence in the enterprise-wide environment. A second is that building and delivering a reusable service clearly provides a cost benefit if the service is reused, but can require additional funds for the developer that must increase support for unplanned uses from other parts of the organization.

Connectivity

Just as we are experiencing rapid technology change, we are also facing rapid global increases in connectivity among computers and, consequently, among people. There are already nearly one and one half billion Internet users. By 2012, one quarter of the world population will have regular access to the Internet. Brazil, Russia, India, and China are experiencing some of the highest growth rates.

More important than growth in the raw numbers of users is the belief that their collective power increases exponentially with the number of nodes. Robert Metcalfe, founder of 3Com Corporation, noted that the value or utility of a network is equal to the square of the number of nodes (e.g., the number of connected individuals), the so-called Metcalfe's Law (Figure 4). Whether the value grows as Metcalfe's law, as n log(n) as some researchers now believe, or as Reed's law, which states that it grows faster due to forming communities of interest, as is beginning in DOD, is not as important to understand as the fact that the value is growing in a highly nonlinear way with respect to size.
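The three growth laws named above, written out with n for the number of nodes, as an added worked comparison that is not part of the report (the n log n variant is the Odlyzko and Tilly proposal, which the report does not name):

$$
\begin{aligned}
V_{\text{Metcalfe}}(n) &\propto \binom{n}{2} = \frac{n(n-1)}{2} \sim n^{2} &&\text{(count of possible pairwise links)} \\
V_{n\log n}(n) &\propto n \ln n &&\text{(each node's links valued in decreasing order)} \\
V_{\text{Reed}}(n) &\propto 2^{n} - n - 1 &&\text{(count of subgroups of size} \ge 2\text{, i.e. communities of interest)}
\end{aligned}
$$

The value added by the n-th node, V(n) - V(n-1), is what makes all three "highly nonlinear": it is n - 1 under Metcalfe, about ln n + 1 under n ln n, and 2^{n-1} - 1 under Reed, so every new node raises the value of the nodes already connected rather than adding a fixed amount. At n = 100 the three totals are 4950, about 461, and about 1.3 \times 10^{30}. The count behind Metcalfe's law assumes every pair can actually interoperate; if only a fraction f of pairs share standards that let them exchange information, the total falls to f \cdot n(n-1)/2, which is the quantitative form of the point made below that chaotic creation of "networks" does not yield the promised benefits.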

The Department of Defense has recognized and capitalized on the potential of net-centricity. The Global Information Grid (GIG) is a globally interconnected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand for the Department of Defense. As of 2008, the GIG incorporated 21 satellite communications networks; 63 nations; over 3,501 bases/posts; approximately 15,000 networks; thousands of applications; 120,000 commercial telecommunications circuits; and 7 million DOD computers (twice as many as in 2005). While the size and ubiquity of this ever growing enterprise is a challenge in itself, additional IT functionality and increased cross-organization, coalition, and security boundary connectivity further exacerbates the enterprise challenge.

Most importantly, but often overlooked, is that achieving "the power of networks" requires the elements of the network to be constructed according to widely accepted and adopted standards, and executed in accordance with an overarching network architecture concept and design. Chaotic creation of "networks" and/or "network nodes" will not yield the benefits promised by Metcalfe's Law. The underlying proposition is that adoption of standards increases the ability to "connect," which gives encouragement to increase the number of connectors. In turn, this enables an increase in the information exchanged as well as the utility and value of information exchanged within and among the network(s).

Size and Complexity

While the sheer number of nodes (computers, routers, business systems, weapon systems) and connections among nodes in the GIG is increasing dramatically, the underlying software code base is growing as well, driving complexity of design, operation, protection, and maintenance. This is occurring both in infrastructure software, as well as in weapon systems software. For example, the most ubiquitous commercial operating system (Microsoft Windows) has grown from thousands of lines of code (LOC) to tens of millions (left graphic below) and popular open source operating systems (e.g., Debian) (right graphic below) have similarly grown rapidly (Figure 5).

[Figure 5. Source Lines of Code (SLOC) for Windows and Debian Operating Systems]

Figure 5 also implies that DOD's total expenditures for software maintenance could grow, perhaps at a similarly exponential rate. Even more interesting is that the annual cost of maintaining the Department's software-enabled capabilities could not only rise exponentially but, where the capability is enabled by open source software, could increase by ten times the cost of similar capability provided by the established and structured commercial software industry. This conclusion assumes that the cost of maintaining a single line of code is relatively constant over time and the maintenance cost (per SLOC) is the same for both commercial off-the-shelf and open source software. Clearly, the Department will have to develop a strategy to control this growth in a reasonable and practical way. That the majority of commercial code, such as for example Microsoft Windows, has grown exponentially while the cost has been nearly constant and has not tracked the lines-of-code metric, gives an even more compelling reason for DOD to develop standards and processes to use and acquire as much commercial-based code as possible.

8. "How Many Lines of Code in Windows?" Knowing.NET, December 6, 2005. See also [...]. "Measuring Source Lines Of Code (SLOC)" [...].

Software has spread well beyond defense infrastructure into the very heart of weapon systems. For example, thousands of microprocessors, linear electric drive controls, dynamic sensors, and millions of lines of sophisticated code enable the startling capabilities of the F-22 and Joint Strike Fighter as well as [...] increases in the sensitivity achieved using pre-set sensors. Several years ago a handheld grenade launcher was created with smart projectiles aided by 2,000 lines of code. Moreover, the software code base within mission systems is growing rapidly from generation to generation. The executable source lines of code (ESLOC) within weapon systems, such as missiles, ships, and aircraft, have grown from a few thousand to tens of millions (Figure 6). For example, the 18 million LOC basis for the Navy's DDG 1000 is growing over 36 percent to 5 million LOC in the evolution of the Aegis [illegible]. In addition, the F/A-18's approximately 10 million LOC is growing to over 15 million in the Joint Strike Fighter.

9. [Title illegible], Government Computer News, May 7, 200[...] (gcn.com/[...]).

[Figure 6. Executable Source Lines of Code [...]. Source: CARD data, SEI, CSIS analysis]

[Figure 7. Estimated Source Lines of Code for the National Security Community. Source: CARD data, Federal Procurement Database System, QSM, CSIS Analysis]

ESLOC is a valuable and intuitive measure that is correlated with the number of people required to build, use, and maintain software systems. However, dimensions beyond size can significantly increase the complexity of IT systems. For example, Boehm and Lane (2006) describe how software intensive systems of systems (SISOS) "integrate multiple, independently developed systems" and are "very large, dynamically evolving, and unprecedented with emergent requirements and behaviors, and complex socio-technical issues to address." SISOS are characterized by 10-100 million LOC; 30-300 external interfaces; 2-200 suppliers; 6-12 hierarchical levels of suppliers (primes and subs); and 20-200 coordination groups (or integrated product teams).

Boehm and Lane argue for a risk-driven spiral development model that addresses the acquisition challenges of many systems, many supplier levels, and many increments where rapid fielding, high assurance, and evolution are essential for success. They point out successful continuous independent verification and validation practices found in the continuous build practices at Microsoft and in agile methods, as well as the use of anchor point milestones and evolutionary development in the Rational Unified Process.

11. [...] 2008, "[title illegible]," IEEE Software.

12. Boehm and Lane, [...].

13. Cusumano, M., and R. Selby. Microsoft Secrets. HarperCollins, 1996.

Vulnerability

Increasing amounts of ESLOC increases the likelihood of vulnerabilities. The Common Vulnerabilities and Exposures (CVE) site (cve.mitre.org) in October of 2008 was reporting 19 new vulnerabilities each day. The number of vulnerabilities captured in the National Vulnerability Database (nvd.nist.gov), which incorporates CVE, has risen nearly four-fold from a yearly rate of 1,700 in 2001 to 6,[illegible] in 2007. As of October 2008, there were over 33,387 CVE vulnerabilities in the database.

The latest available data from four vulnerability sources confirms the exponential growth trend in recent years (Figure 8). In short, more software means more vulnerability. Adversaries understand this. Thus, not only are vulnerabilities increasing, the threat is increasing as well. It is also more diverse, ranging from capable state actors to small, independent, non-state rogue actors, all of which can produce enormous consequences. According to one source, attack volume has increased from 50 to 5,000 per week. Adversary attacks have also increased in sophistication (e.g., from general phishing to individualized spear phishing based on intelligence). Similarly, the number of viruses rose from approximately 20,000 in 1998, to 30,000 by 2000, to over 1 million in 2008.

This growth in vulnerabilities cannot be ignored in defense systems. In reality, vulnerabilities cannot be completely eliminated; therefore it must be assumed that some vulnerability will always exist. DOD must develop tactics, techniques, and procedures, and concepts of operations to operate with degraded systems. Continuous tests to validate system and subsystem integrity must also be performed.

[Figure 8. Correlated Upward Trends in Vulnerabilities. Source: Computer Emergency Response Team Coordination Center (CERT/CC), Symantec Vulnerability Database, Open Source Vulnerability Database (OSVDB), and National Vulnerability Database (NVD)]

Cost

Another unfavorable trend is the cost of IT acquisitions. While hardware costs tend to follow a predictable trend, pricing software is challenging for many reasons. Though duplication cost is low, service life is difficult to predict. Commercial software pricing is challenging, for example, because cost can be based on upgrades, stand-alone, or suites. In a study of operating system unit costs, while the average price grew about one percent a year in the 1990s, when normalized for the functionality actually provided (which typically increases over the years), unit costs actually declined between 6 and 16 percent per year. Yet commercial software has become such a large cost and valuable investment that the Financial Accounting Standards Board no longer considers it an intangible

16. National Academies Press, 2006, [...], Fig. 5, p. 19.
