1. Trang chủ
  2. » Kỹ Thuật - Công Nghệ

Tài liệu department of defense policies and procedures for the acquisition potx

109 570 0
Tài liệu được quét OCR, nội dung có thể không chính xác

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 109
Dung lượng 5,73 MB

Nội dung

OFFICE OF THE SECRETARY OF DEFENSE ‘The fundamental problem DoD faces is that the deliberate process through ‘which weapon systems and information technology are acquired does not match

Trang 2

“The epoirapneet nể the Defoe Sere Hoard (BSE

‘The DSH ca edea advsoey commie esblsbed provide sndependent abe 9 the Sooty of Defease Semen, pines,

‘onchsns and econo inthis rebo do no accra

‘eprctent the offic postion of the Deparment of Defense

‘The DS Tak Force on Deparment of Defense Poe and Procedures {or the Acquistion of lafimatio Tecnlogy completed is anformation _gatsing ts Decerber 208,

“This por uncle and cleared for public ease

Trang 3

OFFICE OF THE SECRETARY OF DEFENSE

‘The fundamental problem DoD faces is that the deliberate process through

‘which weapon systems and information technology are acquired does not match

‘ne speed at which new IT capabilities are being introduced in today’s information age Consequently, the principal recommendation ofthe study is thatthe Department needs @ new acquisition system for information technology Roles and responsibilities for those involved in the acquisition process must be clarified and strengthened andthe IT system ocquisiton skills required inthe workforce must also be strengthened

Trang 5

OFFICE OF THE SECRETARY OF DEFENSE "149 DEFENSE PENTAGON

MEMORANDUM FOR: Chairman, Defense Science Board

SUBJECT: Final Report ofthe Defense Science Board Task Foree on Department of Defense Policies and Procedures for the Acquistion of Information

Technology

‘The importance of information technology (IT) to U.S military capability is

widespread 1 enables nearly all ofthe nation’s military combat capability and has become a necessary element of our most critical warfare systems, Yet, there is growing concern within Congress and among Department of Defense leadership that the nation’s military advantage may be eroding

Atihe request of Congress, this task force undertook a review of Department of Defense polices and procedures forthe acquisition of information technology The broad scope ofthe study touched on acquisition and oversight policies and procedures, roles and responsibilities for acquisition officials department-ide, and reporting requirements and testing as they relate to IT acquisition,

Te primary conclusion of the tsk force is thatthe conventional DOD acquisition process is too long and too cumbersome to fit the needs of the many TT systems that require continuous ehanges and upgrades Ths the las force believes that dere is need fora unique acquisition system for information technology The task force offers the following recommendations to change the Department's approach to information,

technology acquisition,

+ Acquisition policies A new acquisition process for information technology should be developed—modeled on successful commercial practices, forthe rapid acquisition and continuous upgrade and improvement of IT capabilities The process should he agile and geared to delivering meaningful increments of capability in approximately 18 months or less—incremens that are prioritized based on need and technical readiness

+ Roles and responsibilities of the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer (ASD (NII/DOD CIO) The ASD (NINYDOD CIO sould have strong authorities and responsibilities {or enterprise-wide information policy visio, architecture infrastructure, metadata

Trang 6

and other standards spectrum interoperability information assurance, and system teiginering Some capabilities must he siengthened inorder to effectively execute {hese responsibilities in parcuar system engineering, information assurance, and network integration

+ Acquisition authorities and organization Acquisition authority and expertise in OSD is eutrendy spread across several organizations, resulting ina lack of enterprise-wide architecture and coordination Consolidate all acquisition

versight of information tehnology under the USD (AT&L) by moving into that, organization, those elements ofthe ASD (NI}VDOD CIO and Business

Transformation Ageney organizations responsible for IT acquisition oversight [We note that there wes nat a consensus within the taskforce concerning this recommendation; 2 dissenting view is included in appendix A.)

development, and management Siniaey program

executive officers seed trick reconts of proven success mm

“The inability to effectively acquire information technology systems is eritcal 10 national security Thus, the many challenges surrounding information technology must be addressed if DOD is o remain a military leader in the future The development of a new

‘sequisiton process, coupled with clear oles and responsibilities of Key decision makers, and an experienced leadership and workforce, ave important elements ofthe solution,

Dr Ronald Kerber Mr Vinoeat Vitto

Có Chấn Có Chấn

Trang 7

Table of Contents

Chapter 1 tnteoduction 1 Chaptee 2 The Information Technology Envieonment 6

Chaptee 3A Framework foe Information Techaology Acquistion 25 Chaptee 4, Existing Defense Acgustion Prices cad Chaptee 8 1 Acquisition Challenges and issues, 35 Chaptee 6, A New Acspisition Process for Information Techaology d

apter] Suy and Recommendation oo

Append A Dissent to Report o

‘enn of Reference and Legislative Directive Task Force Membership,

Presentations to the Task Force

Glossary

Trang 9

Executive Summary

Information technology (Hoffer immense epability io terme oF agit, Aesibiiy, sponsisenes, and efecrzeness I enables neatly al of our miktary combat capabily and has become a necessary element of our most cca

of systems However, thece is growing concem within Congess and among Depistment of Defense (DOD) leadership that the sation’s mulitaey advantage mas be eroding The delherste process through which weapon spstems and information techoology ace acquieed by DOD cannot keep pace with the speed

ar which new capabilities ate being intmoduced in eada’s formation ags—and the epocd with which potential adversaries can procue, adapt, and employ those same capabilies against the United States,

Certainly, bares char preclude tansformation of the U.S national sccuisy apparanis eo mectehe challenges of a now strategic eta ate of parncuie snceen, [Neatly a decade ago the Deparment established a vision for the accitecare and steucture for information system management—a vision that is sill evolving, Horvevee, ris wel known thae acquisition has not been well managed foe these stems within this “enterprise level” construct, and the result has not served today's Tenders and soldiers well In fac it hinders the war fighter’ ability to use information technology to its fullest potential for situation awareness, ollborinon, and rapid deckion-making The redbing operational ampacr i profound

‘Yee despite the curent sinuation, successful programs exist that comprise largely of exclusively of information technologies or are deeply dependent on information technology in execution, The question then anses as to whether there are ckaments common to the acypistion oF these succesful programs that

‘would improve DOD's sib to Feld advintigeous information technology in 4 tomy and cost-effective maser [Smee the orginal Goldwuter Nichols legislation, DOD fas made several aires to revise seqution policy with dhe hope that such changes would shoren segustion yee ome Reveny, acsison peliey wos again modified in prt ro add more go and discipline in the early past of the acquisition proces Likewise, the Joint Capubiliis Integration and Development Sydem CIDS) Instruction and Manval are being vpdsed vith changes to dhe Joint Stalls oreright and governance of IT programs These polices derive from a single

Trang 10

acquisition model shar applies tooth snajoe automated information systems and major defense weapon spstems acquisition programe, Information technology is pervasive in weapon systems af well 38 defense business ystems In ts contsbutions to both Ractionalty and coah TỪ no: represents a considerable proportion of all aogusition programs undemay

‘oday—a proportion that is likely to increase in the forure Thus, whether

‘existing DOD acquisition polices and processes peovce the foundation foe an fective uvotmation technology acquisition model i xenical question forthe [Depastment-—one that dosenves special attention From the Seeretsry of Defense

At the request of Congress, the Defense Science Board (DSB) undertook 3 review of Department of Defense poliies and procedures forthe acquisition of information techaologs The findings aad recommendations presented tis report ace the eesult of a study that was broad scope, as established in legislative guidance —coveringacyisiton and oversight polices and procedures, roles and rsponsbiites for acquisition offical depactmentavide and reporting fechitements and resting as they eeate to FT acquisition,

More specially, she terms of reerece dete hat dhe ees ade

by the tak fore incu the fllowing: 1) DOD policies and proces for cqoiring information technology, 2) oles and reponse 1 impleenenting pallies and procedures, 3) appleation of acqusion poles and procures «9

TT that i integral weal weapons or weapon sptem, 4) legal reuiemens (US Cod) a8 thợc nức to the aeyusiton oF TT, 3) DOD pobes and process ts fiihite she ase of commer snformason kelmoloy, 0) ssitbiliy of DOD axpistion rultions, 7) adequacy and tansparensy of were, 8) effetenes of siting statutory and retary reporting requirements, 9} adequicy of operon and development test resource, and 1W} appropri polices and proces for technology nsessmnt, development ann operon eng

Based on the expertise ofthe tsk force members and information briefings received during the course of it delberitions, the task force believes that there is a need for a unique acquisition process for information technology, Sich a process mast be designed to accommodate the pid evolution oF information technologies their increasingly ential postion in DOD

‘warfare spate, sire support spstes, and business spetems: and the ever volving and often ungent IT needs of our sar fighters, The conventional process, with ity recent improvements, would be ased shen a system requires

Trang 11

significant scientific o engineering technology development, pariedlaly hardware development or the inte fan functionality partoning and trade-f

TT, supporubilty of hardware (wbich is often a commodity), software application, and opertinal euicements, Thus, dhe Department’ leadscs must tak

‘of commercial

at end, the sk force offer the ch eo

n to addeess this peoblem Toward

leaving recommendations t thange the Depanment’s appr information technology acsisition

Statutory Restrictions

The tak force believes that the staoty framework ts workable and ie not a rmojor impediment to improving IT acxusition within DOD Therefore, 09 recommendations are offered in this area, The main issue sith mggmd to statutory influence is that Congress has lost eonfdence in DOD's execution oF

IT programs, which has resulted in increasing program scrutiny ard budget sections (generally Funding cus) for programs that ace fukering Since DOD implementation oF FT acquission has fallen short, Congress has alded akira constraints om reporting and management, these ould become problematic

forts cnge of utes DOD Iestead, a new đoqtignon approsch address the fundamental challenges of aequiing mnfcemation technology s neoded that

js consistent with rapid TT development <yeles and solase-domimited

Trang 12

‘The Secretary of Defense should

Recognize thatthe eurent acquisition process fr information |

technology is ineffective Delays and cot growth For acquisition of er iujor weapons systems and information management systems create an unacceprble sk to national secuaty

ieee Under Secretary of Defense for Acquisition, Technology and Logistics (USD (AT&L) and the Vice Chairman, Joint Chiefs of Stl, to develop new acquisition and requirements (capabilties) development procestes for information technology systems, These peocesses should

be applicable 1 business systems, information inftasteucuee, command and contol, ISR (intelligence, surveillance, and reconnaissance) spstems,

‘embedded IT in weapon systems, and IT upgrades to fielded systems

1 Dies that all personnel within the Office of the Secretary of Defense (OSD), the Jone Staff, andthe Services and agencies involved with aquisition be accountable to ensure that their efforts are focused on the improvement, streamlining, and succes ofthe new process

“The USD (AT&L) should lead an effort, in conjunction with the Vice Chairman, Joint Chiefs of Sta, to develop new, streamlined, and agile capabilities (requirements) development and acquisition processes and associated policies for information technology programs

Trang 13

The process vequtes active engagement of the users (equirements)

‘community throughout the acquisition proces, with requisements constructed in an enterprise-wide context, It is envisioned thar requirements wil evolve so

‘desited capabilities” can be trded-off against cost and inital operational capabiliy to deliver the best capability #0 the field in a timely mannes A modular, open-systems methodology is required, with heavy emphasis on “design for change,” in order to rapidly adapt to changing circumstances Importantly, the process nseds to be supported by highly capable, sting ingrasnicture comprising robust systems engineering, model-driven capability ddeiniion, and implementation assessments —to reduce ấy speed progress, and increase the overll Wikebhood of repeated successes Easy, successive prototyping és needed to support the evolutionary approach, In adtion, key Stakeholders—the Chief Information Officer (CIO), Program Analysis and Evaluation (PARE), Director of Defense Research and Engneering (DDRKF), Operational Test and Evaluation (OT&E), the Comprroller, operational users,

quisition Process for Information Technology

‘Testing methodologies and procesures noed to be engaged ear and often in the acquisition process, with integrated and consnucus development and

‘opetitional testing practiced during the development and demonstration phase for each capability release Contracting vehicles need to be devised that are exible enough to support thie agile process These vehicles must allow for changes in delivered capability within a puricular increment, as well as allow

Trang 14

capihliy to be defered to subsequent increments 4€ needed Crucial to the success of a new process is continuity of funding, 0 mntin a solid funding stream for following, sometimes overlapping, capability releases Nong with the Aesibiiey built into the peoeess, elevant mencs, similar to those used in commercial practice, ae needed 10 continuously tack FT acquisitions to ensure that the expected capability is being provided, costs are being, managed, and the schedule t inal capability ie on tack, Finally ost as there is no substitute for acquisition leadership experience in DOD, the sime is tue for the contactor community For contact award, program managers need to strongly consider

felevant contactor experience and past performance, especiilly in lược acquisitions nd ensure tht key personne are committed forthe duration of the project

“The tsk force belives that thie new process will have applicability over a broad range of nev DOD IT acquisitions and upgrides 10 existing national security ystems (nclading command and conteol systems), IT infrstracure nd other information systems (gure EX-2) IT is not simply a niche consideration—it touches wide range of systems and, in uen, enables a wide tinge of capabilities

Trang 15

Deciding When to Use the New IT Acquisition Process

It's important to clarify when to use the new IT acquision process versus the improved DOD 500002 process for mujor weapon systems and communication satlites In addition, i is also necessary to reduce potential confusion about technology development

The use of the improved DOD SiN proces For major weapon systems i segirsd when there are many design trade-ofs for hardware and FT systems and for parstioning the functions and interoperability of embedded TT systems and subsystems sy ner system, wile assuring iesoperablty and nots compasily with the lager enterprise, At the same time there are likely 20 be arwis of needed technology develepinent that require advances im scence and engincering the hae litle oF nothing to do wath TT— such as me mite properties, increased speed, or stlth, This hước sec and engineers

technology development should not be confised with the tutional angen oF

‘he TT community that defines technology development nearly imerchangebly

‘vith softwite development an hardware integrtion

The use of the new IT acquisition process is for new of replacement stand alone FT systems and subsystems or for ceplicement IT spstme embedded in

‘sisting weapon spats that are to he upgrided when there ws Hale of wo change

in the hardware not associared with IT It may algo be appropnate to use the TP

requisition system process concept within the 500102 process for new

‘embedded IT systems ia a mayor weapon system acquisition a the EY

could othenvise be afew generations old when the syetem i flded, chmology While one could argue that this eired new decision could sửd confudon

to the process one col lk ange Hh if the leadership ad pogratn managers cemot so cut this high-level decision they ave mo chance of effectively

‘managing oc oversceing the propeam,

Roles and Responsibilities of the ASD (NII)/DOD CIO Developing and implementing an seypistion process foe information technology san important step toward reducing delays and cost growth in information technology prograns, as walls promding expabikty more nguy f0 the war Fighter Peshape equally imporsan howeve, cling oles and responsibilities of the hey plger the procass—chie formation offices and

Trang 16

‘hose individuals who hold mlestone decision amtoriy (discussed in the est section)

The DOD €1O function # currently housed ithe Office af the Aeyhti Seoretay of Defense for Networks and Information Inegranion/DOD Chit Information Offver (OASD (NM)/DOD CIO} DOD CIO responsibilities ate Aelieated within ties 10, 40, and M1 of the US Code As designated in legislaion, the Assistant Secretary of Defense for Nenworks and Information lntegnition/DOD Chief Infoaation Officer (ASD (NH)/DOD C10) reports diccty to the Secretary of Defensc—a reporsing chain that the task force believesi cdtel and muse continue in oder forthe ASD (NUD/DOD C10 to have the necessary authomty to catty out important Department Functions

The ASD (NI/DOD C1O should have steong authority and sexponsihlfy for information policy vision, achiecrure, anfsteuctute, standard, spectrum, information assurance, interoperability and entepdse-vide systems engineering, The ASD (NID/DOD CIO should be the Departments single authonty for certifying that IT acquisitions comply with an enterprise-wide architecture and should continually review ongoing programs for architectural compliance, He or she should also he » nithless designer of “the enterprise” infrstractae and should approve FT program manager rining and ccrifcuion,

“These Functions ate alsa applicable #9 CIOs atthe Service and agency level

To execute the above responsibilis, Service and agency ClOs should ala

de report to the head of the Service or agency, as requited by lslation

However, the task force believes that some of the functions delineated above rnoed the strengthened in order to ensure thatthe full esponsibilties o the fice ean be effectively executed,

YO

‘The ASD (NI/DOD CIO should actively exercise his or her authority to certify that all IT acquisitions are consistent with the Department's net-centrc architect

The ASD (NID/DOD CIO should have strong authority and responsiblity for enterprise-wide information policy vision, architecture, infrastructure, metadata and other standards, spectrum, interoperability, information assurance, and system engineering

Trang 17

€enain capabiliúes in the OASD (NID/DOD CIO must be strengthened in order 1o more effectively execute these responsibilities —

in particular, system engineering, information assurance, and network integration

In the Services and agencies, the COs should also have sương authorities and responsibiliies for system certification, compliance, applications development, and innovation,

All CIOs should approve IT acquisition program manager raining and certification and advise the personnel selection process

The DOD CIO, supported by CIOs in the Services and agencies, should be responsible for certifying that systems and capabilities added 10 the enterprise do not introduce avoidable vulnerabiiies that can be exploited by adversaries

Both system vulnerability 1 sophisticated adversary threats snd information and mission assurance should be adlested throughout program development, particularly nthe early stages ding the business cise analysis andl development

phase As new capable, srastmuctare, and applications ae added toa spster, this Same assessment should be continuously monitored with particular emphasis fon source code analysis and supply chain ssk assessment A cobust testing Program must also be established ta minimize the intoduction of new vulaenbiliies New capabilites noed to be tested in nedisi tre heds under 3

‘ator of deat scenarios

While not the centerpice of this report, the task forve believes that information and mission assurance must be an antegrt clement of the TT oo impostant to the

requisition process, not an afterthought IT sf

Department's war fighting and business endeavors to neglect information and rmision assurance, as the consequences of doing so ean aot only undermine the

‘current system but also other connected capabilis a well Ln this contest, iis instructive to remember that there is no way ta test a large TT system to assure hus, since its noe

Trang 18

Mi stone Decision Authority Roles and Responsibility

don authority ate

Clear ros and esponsibities oF those with milestone de

essential a new acquisition racess is to be successful and the desired outcomes achieved ‘The lack of claity in this regard is one of the most significant impediments to succesful mplementtion of the current proces The task force dl

bcloves thatthe preferred approach should be delegation tthe lowest le acquisition decision authority, consistent with program risk, Purhermoce, acquisition authority and expertise within OSD i currently spread across sever organizations—under the USD (AT&L), in OASD (S1)/DOD CIO, and in the Business Trsnsfoemasion Agency At the Service level, similar disaggregation of responsibly also sits, ‘This disaggregated approach seems inefficient to the taskforce, resulting in alack of enterprise-wide architecture and coordination Qualified IT acquisition and systems analysis and architecture personnel ate scarce and should nat be spread among separate OSD ngtniations

disggrgpvdon cvaeetbtee the di to maintin currency and coordination

‘within the aequsition workforce

st the speed with which information technol aceances, this

Ie is imporaint to eosognize that IT acguistion rogutements are different and, bcause IT touches neatly everything acquied by the Defense Aeguisition Executive (he USD (AT&L), i is more than a side consideration Banging together the expertise frm many onginizations into a single one wil help to ensure that the unigue atibutes oŸ TT progrms are better understood In ildition t milestone decision authority respemsibities and onganivation, the

seutive abvitory staff (DDR&E, PARE, OTRE, Comptroller) issue definition and resolution process often contributes ta

1 aggressively delegate milestone decision authority commmensunite with program risk

Trang 19

+ considera more effective management an! oversight mecanis to ‘ensure joint program stability and impeoved program outcomes Consolidate all acquisition oversight of information technology under the USD (AT&L) by moving into that organization those elements of the OASD (NI1)/DOD CIO and Business Transformation Agency respon- sible for IT acquisition oversight The remainder of OASD (NI})/DOD (C10 is retained as it exists today, but should be strengthened as indicated inthe previous recommendation

‘ovesigh and decision iking OSD ad the Services need TT acquisition sth

‘with extensive experience in Inge cae, embedded, and commercial IT

‘Today, the subject ma

system acquisition age too often missing in government managers responsible for cr competencies required For successful enterprise TT program execution Skil in program administration are conse with skill in operadoaal process design aal/oe with sll in TE Contracting, budgetary, and oganizaiomal design debates crowd out concepts of operations and system engineering debates Further, arhitecare i to often viewed a6 paper execse rather than a modeliven, anally supported, and sigorous engineering proces ineonporting enterpriewide considerations far fuetionalty and $ TT expertve is seave and the

intertice definition Within the Depart

‘competition fr tient ineresing

“There ie no substitute for experienced program mangers with mick records

of proven success In rexiew oF mijor TT acquisition programs where cost, schedule, or quality and performance were ise thre mot causes emerped

3

‘secutive officers andl program managers Id inadequate experience Thi, the acquisition process was bureaucratic and cumbersome, where many who are not senior leaders licked experience and understanding Second, the program accountable must say “yes" before authority 19 proceed i granted, Among these problems, lack of experience dominated

Trang 20

the experience and qualifications of OSD and Serviee leaders, and progeamm esscutive officers and program manages ctiical to making the right judgments to begin peogram with executuble objectives and then manage it ta succesful competion,

Defense Acquisition Executive (USD (AT&L)) and the component acquisition executives have proven and relevant business experience in the appropriate atcas of acquisition, product development, and management Such qualifications apply to the ASD (NH)/DOD CIO and Service and agency CIOs 28 well

‘The USD (AT&L) must work with Service and agency acquisition executives to improve the capabilities and selection process for program executive officers and program managers

“The USD (AT&L) shall direct the Defense Acquisition Universi coordination with the Information Resources Management College, t0 integrate the new acquisition model into theitcuericulum,

“The task force believes that actions in the four areas discussed above — acquisition policies and process, oles and responsibilities of the CIO, milestone deiion authonty roles and esponsblites, and acquisition “lesdership tespertse vill imprave the acquisition of information technology in DOD But

‘ution i ofered that emphasis andl focus only om the agpition proces it not

‘moni While the tsk Force Fels tht a new process is needed tha beter takes

Trang 21

into consideration the unique aspects of information technology it alone will aot yield success IF the mamas associated with responsbiries and authorities,

‘onpiniztion, and expertise ace not also addressed, the new process proposed hese ie likely to meet with the sime outcomes as process improvements recommended by other groups who have studied shis isue This set of recommendations ie designed to both streamline the IT acquisition process and ackiress the fundamenval problems that exist the system oda

Trang 23

Chapter 1 Introduction

Information technology (1) offers immense capability in terms nể agily, esi, responsiveness and effectiveness IT embles nearly al oF ove military wombat capably and hee become 4 necessary element of our most critica -warfare systems, However, theres growing concer within Congress and among, Department of Defense (DOD) laclersip thie the nation’s muitry capi may be erodine The deibemwe process Hhrough which weapon spstem= and information technology ate aquired by DOD cannot keep pace with the speed

at hick new expabiltes ate boing introduced in today’s snformaton spe—and the speed with which potental adversaries can procure, adap, and employ those same capabilities against the Ueited States For purposes of cant, IT, as defined inthis eepoe, is any spster subsystem of hardware and/or software whose pupose is aequiang, processing, song, of communicating information ae data

OD has a very long definition of IT whichis toa complicated to be use

‘Certinly, buries Hat prelude teansformation of the US mations secusey apparas to meet tho challenges of anew steatepie er ae af particule concer Neatly a decade ago the Depastment esrablished vision forthe aechitecare and steucture for inlormation system management-—a vision that i stil evolving However, acquisition decision-making fas not boen well managed for these systems within this “enterprise level” constict, and the result hae not served today’s leaders and soldiers well It hinders the war fighter? ability 10 use information technology tite fullest potential for sinuation awarcness, collaboration, and eapid decision-making, The eesulting operational impact i profound

According 19 the Defense Science Board 2006 Summer Study on Informacion Management for Net Centic Operations information management

in Ing and Afghamsstin sos a principal concen among sa fighters Sgmiiat

ad hoc activity was taking place especially atthe tactical level, to gain desired cipabii, To counter the interoperability problem, many approaches were used

to move information from ote stove-pipe to ancither Especilly important, acconding t0 the 2006 report, was that much of the maltary capabiliy used to support the conflits was paid with supplemental funding—peograms that were hot part of the Department's planned capability, This crcumstance reflects the

Ft hat the need for sich programs could not he predicted during presious cone

Trang 24

progam and iudget planning, and the ssi was not suiciently age to raec

‘nce the aced was apparent

Yer, despite these myriad obstiles, successful programs exist that a comprised hzely (or exclusively) of sormenion technologie, or are deeply Alependent on information rechoology #9 execution The question thea arses 28

to whether there ane elements common to the acquisition of these successful programs that would improve the Depacnents ability to Feld advantageous information technology i timely and cose-<ffotive manner,

Since the onginal Goldwater Nichols legislation, DOD as made sever anempts to revise acquition policy with the hope that such changes woold shorten acquisition eycle dese Recently, acquisition poliey was ain sodied in past road ore sigor and discipline inthe eal parr of the aequtiton process 14esise, the Jom Capabilities Integaation and Development System (IDS) lnsrucsion and) Mantil ae being updated with changes to che Joint StafPs lvessght and govemance of IT programs These polices derive feom a single acquisition model major defense acquisition programs that applies ro oth majoe automated information systems and Informacion technology is pervasive in weapon systems at well a defense bosiness systems In its comtbuions to both Functionality and cost, information technology now represents considerable proportion ofall acquision programs underway todaj—a proportion that is ikely to increase in the furare, Thus, whether esti DOD scquistion polices und processes provide the Foundation for an effective segpidfon model for informagion technology is a erica question For dhe Department-—one that deserves speci attmtion from the Secretary of Defense

At the request of Congress, the Defense Seience Board (DSB) undertook a review of Department of Defense policies and proceduces forthe acquisition of| information technology The tsk force offers recommendations to change the Department's approach to acquiring infomation technologies, The Findings and recommendations are the resul of a study that was broad in seope as established

in legilanve guidince—covering acquisition and oversight poheies and

Trang 25

procedures, roles and eesponsibilties for acquisition olicials departmentavide and reporting requrements and testing as they rela to TT aequsition More spect, the terms of reference dieeted thatthe matters addressed

by the tsk force mehade the folosime

1 DOD policies and procedures for acquiring information technology, to hide nacional sesunty systems, major astomated

information systems, business information systems, and other

~ Director of the Business Transformation Agency

Chic Information Office ofthe matty departs

+ defence agency acquisition officials

emanon officers of the defease agence

ssdos Opendiotl Test sad Evaluation and heads f dhe

operational est and evalttion organizations ofthe militar

clepartnents ana the defense agencies

3 Application of such policies and procedures t nfrmasion ‘ertical weapons or weapon

Trang 26

5 Department of Defense policies and procedures for maximizing the usige of commercial information technology while eaeutine rae cui of the microelecroni

Department software, and nesvorks of

6 Suitabbity of DOD acquisition regulations, incading DODD 3000.1, ODI 50042, and accompansing wilestones, to the seisinon of FT Adequacy and transparency of metrics used by DOD for aequting IT

8 Effectiveness of existing statutory and regulatory reporting requirements for acquisition of T

cử đong the course oF ts deberatons, dhe task force believes there is a ion technology Sich

‘must be designed to accommodate the eapid evolution of information

to al is that les area relity and must be accommoded—a

DF which have a high content of embedded IT A comenon the

reality don bự the shost MP MŒ oể comenoxcal IT techaotogy, supporabiiy hardware (which is aftr a comeodiy, software applications, and operddonl regjuscmenty The conveational DOD acquisition process is oo long and (00 cumbersome tô fit the needs of the many systems that require continuous changes and upgrades Many existing progrims ace exceeding

coat and achedale baselines, which cannot continue anabated While the ask

foece recognizes that these is n0 Tone-size-fital” solution to DOD's acquisition

Trang 27

problems, it ako hdliexettheếc + meet in minimizing the number of specialized acquisition approaches “That said acquisition of infomation echnology repeesens a case that must be addressed with a process that focuses on the unique chanscterstics IT repeesens,

“The bodom ao is Ht thế inaily 0 effectively acquiee IT aysteme is critical ta matonal security Today, the United States has the most capable ekled defense spsteme in the work, and information technology i camcal ra these

‘apabiliées—to command and contrl, decision systems, pecision weapons, and siruation awaceness Spending on IT is rapidly growing in both embedded and standalone systems As well, [T system acquisition and IT upgrades to existing

‘weapon systems represent a signticane and greasing percentage oF current sequeilons, Purter, inadequate attention eo eyber security in the acquisition process is an Achilles hel chat can he actively exploited by our advecsais, While this report does not address cyber secur in any detail it does highlight the ned to beep this critical issue in mind both dunng IT acquisition and through personal procedures inthe field, These many challenges surounding information technology must he addressed if DOD is to maintain ou national security objectives as «military leader nthe furore

“The chapters thet follow deta the work ofthe task Fore, lading up t a set

bf actions for DOD Chapter 2 begins with an overview oF the informution technology environment, followed in Chapter 3 by a framework For evaluating IT acquisiion Chapters 4 and 5 fens oi thợ edexng asgnSidon stern and the problems tat ase withthe acquasiion oF TT programs Chapter 6 proposes 3 new acquisition process for information techaology: The eport concludes inthe

al chapter with key Endings and eocommendations

Trang 28

Chapter 2 The Information Technology

2 Defense Since Hout Tat Frc on Defense Softwar, November 28

5 Pin ns Ga Hoare, 201, het 2p a

Trang 29

“These ends include an incsease in CT compleity, foreign supply, sulnetabilties, deat, and cost with a concomitant reduction in the supply oF

US computing graduates and qualtied expert government staff Simultaneously, the rte of technology change is meresing a8 is the inercoomnected mature of systoms, while timelines are sinking—ciecumstances that pose both a bent and nett» BOD, Fach of these key trends and their implications i dete in the remainder ofthis caper

‘Technology Change

Informadion technology—fom hardware softvae to complex sytems— consinace to epi advance, Computer haar mpily evolved fom vacuo tubes to transistors to nanosecuelogy la hờ 1965 poper, mel codonnder GGonlon E, Moore predicted th the number of transstor on at negated Giri board would increase "at arate of oughly a factor af two pe yea” In 1075, Moore efi his projection toa doubling every ro years, Sil Ene ae Moote’s Law (gue 2), in exponential growth hae held for processing sped, snemory epi, an even the mimber aa size of pls dg came! While Mooe’s Taw has held for decades, processing speed is no Tongee increasing a this rte Instead the industry has moved to mult-core approach Untorunatel, parallel processing sofiwate has Lge behind Th wll be a imponant tend foe DOD to nto and undertn

Inaaldtion wo changes in andvare, [Parhitecrues have evolved over the past ever) decides from fsoited computing spss of the 196i; t0 netsorked stovepipes in the 1970s nd 1980s; to dhe we of message passe males t glue together mission applcasons i the 1990s; 0 the open, service creme arcitectares (S04) of today (gues 5) SOA 8 method For oqnaiang, exposing, and nhưng sited capa Ht my be under the contol of đe enehip dom

“This evohion towasd the diagurestion of sjstems toto dibeted sevies promises mowe rpid development, ease, and surviabaiy, yet at dhe sime sme inceeases imerdepedenies, vulocebitis, and comply (ind posshly impacts potfoanance}-"The inact ofthis evolution is underestinated, Il low substinal chang ia the manure and substance of TT aquisgons by Kurc enabling the rapid ddevdopment ad fielding of small ncremens of capably

4 Dale ,Jocmen an Chases W, Were, 21 el) Mona Sst Nee Eso,

‘Sf Cin he te Fat pp wrs nde estiog/ 18 beoft 8 Ey ip ge Sypean nel Resench Coe me

Trang 30

Sie Pes MN Open Mdevre MN Open Svies

Trang 31

While ini tempts to expose and standandize Lage amounts of dan and snetalata about egy systnns have proves highly complex and tin intensive, one method tha has suceafly emerged s know as “owe coupling” ia wich minal but neal dae ineties ace exposed to support iteoperabiey Foe example, Cursor on Target! a mchinewo-machine language’ designed communicate hardeteld information, enables apd hut mati intepaton ofa fer crvial data clements (eg, pation, time, abject erent) across legacy systoms, In surumry, technology will contin 10 capuly eval, imposing hullenges for personnel and programs to ems cure

Disaggregated Architectures

DOD's IT vision includes one very specal Feare—the separation of dat frou services and apphersions This separition provides 0 bình pHoriy bene

1 Trsupports requiring lengthy, expensive N-squated, appication-0-applcation the imroduction of new applications and/or services without latgrdion

* Trenables opecitors to discover, use, publish, and govern data that vere not planned or aniipated on an operational, as-needed ss in ways While the introduction of disagarepited architectures and the separation of

do (tom applications and services will provide significant benefits to the Depustmnt it both development and operons the planned ents a very diữesnt entomment Reyjme shese benefits sll rgice rethinking nd modihng the Deparments processes

From an architecture perspective, its likely th the disaggregated model wil not directly support all ofthe Departments ow ltency requirements in the nsar- term, The solution to this appears to be telitively straightforward Simply allow lew latency applications to receive dita on a “push” eathee than a “pull” bass,

‘while at the sume time, require He data source to post heir dita sm parle For other uees/aser This appeoach wll roquite: 1) development of te etter For deciding shih systems have such steingent low latency reguizements (eg, fixe coateol systems) thar they will be allowed to obtain data on a “push” bass, and L5 Nhle and Wink Dac Capa a fri Doe Sat we feo wok led pyeeich mpre 1/7 2/07 82 pA

Trang 32

2) soring out which stems are expecta to provide data for use hy these same This sokation is ot ideal for ths set of systems, as it will ot provide all of the benefits of a diaguregated environment where data is separated fom applications, services, and govemince It is ao clear eat not all of the information secusty requicements will be addressed by the IT infrastructure; some of these requifements must he addressed within the mission applications oF srvices, Whi this should not bea surprise, ie worth noting since the goal i have as many of the entespnse functone performed by the infastnicnure a possible, ia order to facta the introduction of new applications and series

Theếc ate alko some ianpieations from acqutition and denplementation perspectives While there ae signiicant enelits to being able to implement acs applications and seevices quickly, the acquisition process will need to suppoet these quick sim efforts pore easily han it does today (hich will he discussed in more detail m liter chapters of this eepor) To deliver acceptable quality of | service and to support the information and the network secunty required by DOD in an enterprise-wide SOA, with enterprise-wide access to dae by authorized users, a well engineered and governed enterprise IT infastuctice is sseemil

However, creating an enterprise infrastructure is aot tial, Transitioning from the existing platform/system and occasionally enclae-based environment, ton enterprise IT infrstnictace wll put akditonal seston the Deparment, spevaly on the techni management and acquisition process For example, the test provess wil have to change to allow DOD 0 speed applision and service implementations At dhe sume time there will be differences forthe test Finetion, ae tests must be performed on both the infastrcture snd on the individual applications / serves, Both ace seired to deer capa, but the rest sine should be very diferent

There will alo he Finding challenges The Deparment’s three core pracesset—regutements,aepusinon, and resourcing —are just sting to move From planers t0 capabilites, although the feu on sidivval capa die merements sill dominives Adoption of a setvie-onented architectne and instusionalzition oF at enteprisesvide TT environment sil roguire a sgmficrnt investment st the infistnacnae its The good news 3° th implementation can be segmented aver ne and purpose, Individual applications

Trang 33

and services that wil ultimately rely on the infastrurace mast trust tha it willbe successfully funded and developed

‘Two ackhtimal matters relate 10 funding this “common good.” One & the need to expose snd maintain data for unannipate users, hich is necessary to avoid an erosion DẾ confidence dhe enterpnsevide environment A second i thar building and deliveing a eeusable service cleasly provides a cost beni if the service reused, but cn eequie addonal funds for che developer that must increase support for unplanocd uses from othe pacts of the onganiztion,

Connectivity

Jostas we ate experiencing rapid technology change, we ate also facing pid slobal increases an connctrity among computers and coneequently, among pope, Thete are already nearly one and one hal bilion Intemet usces By 2012, fone quarter of the world population will have regular access ta dhe Internet” Brazil, Russia Ind, and China are experiencing some ofthe highest growth estes [More impesant than growth inthe rave numbers of users isthe belief thất theie collective poner increases exponentially with the number of nodes, Robert Netcal, founder of 3Com Corporation, noted that the value or usliey of 3 network is equal to she square of dhe number of nodes (cg the number oF connected indvidils)—the sơ cdled Metolfs Lay (Figure 1) Whether the value grows as Metclas Iw, as login) ar some researchers no belive, or as Rees las, which sttes thi it grows favter due s0 forming communis: oF ingerest a i beginning in DOD, ie not as portant to wnderstanl as the et thar the value i growing a highly nonlinear way with respect sie

The Deparment of Defense has recognized and capitalized om the potential fof net cemidw The Ginbả Information Grid (GIG) is a globally inteeconnecte, end-to-end set of information capabilites, associated processes, and personne for collecting, processing, stonng, disseminating, and managing information om demand for the Deparment of Defense Ss oF 2008, the GIG incorporited 21 satelite communications nerwotkss 63 nations; over 3,501 brses/posts approsimatey 15,000 networks thousands of applications, 120,000 commercial telecommunications cites: and 7 milion DOD computers (ice

6 Sch V Jae 3, 2008 Ga fart Wore One open Foca, 7 2012

Fepterocanh

Trang 34

ss many a in 2005) While the size and ubiquity of this ever growing enterprise is

1 challenge in ise, adclttonal TT functional and increased ceoss-ompanization, coalition, and secusty boundary connectivity further exacerbates the enterprise chleng

Most importaiy, but ens overlooked, i¢ that achiewing “the power of networks” requires the elements of the network to be constnucted according t0 widely accepted and adopted standards, and executed in accordance wth an foveratching nervork architecure concept and design, Chaotic creation of “nerworks” and/or “network nodes” will not yield the benefits promised by MetcalPs Lav ‘The underlying proposition is that adoption of standards which gives encouragement t increase the

inereases the ability to “connec

number of conaectors In tutn, this enables an increase in the information

exchanged as well asthe uty and value of information exchanged within and smog the network)

Figure 4 MetcalPs Law: The Possee of Network

Trang 35

Size and Complexity

While the sheer num ct of nodes (computers, routers, business systems, weapon systems) and connections among nodes in the GIG & increasing deimawell the undedlying software code base growing, deving complesty of design, operation, protection, and mauntenance Thíc occuring both in infeastractue software, 28 wells in weapon systems software For example, the

‘most ubiquitous commercial operating system (Microsoft Windows) has grown from thousands of lines of code (LOC) to tens of eilions lft graphic below)” and popular open source operating systems (eg, Debian) (ight graphic below) have small grown rapidly (Figure 5)

‘ipabiites conld not only se exponentially but, where the capability is enabled

by opensource software, could increase by ten mes the cost of similar

iow Many Lines of Colin Windows?” Knowing NET, Deemer 6 308 Se do Richa

SeN mạc 2b Nah 200 "Memuany Sone Lanes Of Cede SLOG) ae ge bl ta

‘Mitts abso hap //bog lator wheat

‘exonpdiaor/ Source er of ce

Trang 36

capability provided by she established and structed commercial software industry This conclusion assumes that the cast oF maintaining a singe line of cod i relatively constant overtime and the maintenance cost (pee SLOC) is the same for both commercial ofFtheshelf and open source soFosare Cleat, the [Depastment wil have ro develop and pracceal way That the majority oF commercial ende, such as for example a steategy to conteol this growth in a teasonable Microsoft Windows, has grown exponentially while the cost hus been nealy Tonstint and has not tracked the linerof-code metric, gives an even more sompcling reason for DOD to develop stindards and processes to wie and acquire as much commercal-based code as possible

Software has pread well beyond defense infartscare nt the vey ear of

‘weapon spss, Por example, dhusands of miceopocessor, liner cleeic dive contol, dynamic sensors, and mili of hnes of sophisicited code emble the sarlng conhildex ofthe F-22 and Joint Srike Fighter a well 5 (jn increases inthe sestvty achieved using pre-set sensors Xerenl yesn ago a handheld grenade lnincher was erated wth smart projectiles sided

by 2000 fines of code” Moreover, de sofware cone base within mission systems is ging api From generation to gencation, The executable sour es of cork SLOG) within weapon systems, uch as isles, ship, and ace hate

ov from a few thousand to tene of ion (go 0 Tóc eangle the 18 tndiơn LOC bass forthe Nass IDG 100 i growing over 36 percent to 5 snllon LOC inthe evolution the Aegis 71a." ta ation, the FAIS verb appresimacly 10 maton LOC is gewing to over 15 mon án the Join Sooke Fehr

9, "Deen FT fel Sus aon Software Coty Cheap.” Gomer Cage Nes, Ma 7 200 (rote com/ acl /s pol S10? Lm)

1 Sf nt Stns 206, Nol Reet ny Comite, RAC D608,

Trang 37

a

es ee Source: CARD Dit, SE, SIS nis

Trang 38

Source: CARD dat, Fee Prociement Database Stem, QSM, CSS Anais

Figure 7, Estimated Source Lines of Code forthe National Scurty Comunity ESLOC is valuable and intuitive measure thats comrelated with the number

of people required ro build, use, and maintin software systems.” However, dimensions heyond size can sgaiticuntly increase the complesity of TT systems Foe example, Boehm and Lane (2006) describe how software intensive systems

of systems (SISOS) “integrate muliple, independently developed systems” and are very large, dynamically ecolving, and unprecedented with emergent requirements and behaviors, and comples socio-technical issues to address” SISOS ae characterized by 10-100 millon LOC; M300 estemal interfaces; 2-

200 suppliers 6-12 hierarchical levels of suppliers (primes and subs) and 20-200,

‘coordination groups (orintegnited product teams)

Boehm and Lane argue for a ik-dkiven spiral development model that suddesses the acquisition challenges of many systems, many supplier levels, and

‘many increments where rid ding, high assurance, and evolution ae esental for success They point out successful continuous independent venation and validation practices found inthe continuous build practices st Microsoft® and in

2008, “ewan Anite Compe." IEEE Sf

12 Beh and Lane, 3 lu, 2 "se Cnty Prcens fo kegddng 2 Cota Sf Iie eof Si Cia Ju eS

Trang 39

agile methods" as well a the use of anchoe point milestones and evolutionary development inthe Rational Unified Peocess.*

‘Vulnerability

Inceeasing amounts of ESLOC increases the likelihood of walnerabities The Common Vularabilies Enumeration (CVE) site (evesmiteorg) in October of

2008 vas reporting, 19 ew vulneriilines cach diy The umber of

‘ulnerabilties caprured in the National Vulaerbilty Database (avdnist.gox),

‘which incorporates CVE, hs risen nearly four-fold from a yearly rite of 1,700 in 2001 to 620 in 2007 As of October 2008, there were over 33,387 CVE xulnenbiidecin the đàm be,

“The latest available data from four sulnerbility sources confirms the exponential growth trend in recent years (Figure 8) In shore, more software means more vulnesbilty Adversaries understand this Thus, aot only are

‘vulnerabilities increasing the threat is increasing as wel Its also more diverse, ranging from capable state actors to smal, independent, non-state rogue actors, all of which can produce enormous coneequences Aecording to one source, attack volume has inereased fom 50 t 5,000 per week Adversary attacks have ako increased in sophistication (eg., Eom genera phishing to individualized spear phishing based on ineeligence Similarly, the number of viruses rose fom approximately 20,00 in 1998, eo 30,0 by 2000, to cove I millon in 2008,

“This growth in vulnerabilities cannot be ignored in defense systems In reality, vulnerbiies cannot he completely eliminates therefore it must be sesumed that some vulnerability wil abvays exist DOD must develop tactics, techniques, and procedures, and concepts of operations to operate z0th degraded

“systems Conti tests to validate system and subsystem integrity must also be pestormed,

TH Beck K: Fone Prag 15 Reon ine Dong tr Rosy W it Be Soo sm, atonal Sowa Crp 20Fs eon Ck, 1998

Trang 40

‘he year), unit costs actually declined between 6 and 16 percent per yeu" Yer commercial software has become such lage cost and valuable investment that the Financial Accounting Standards Board no longee considers it an sntangible

16 sional Aetdomie Pest 2006, esi Sachin Now any, Fig 5,p 19

"¬——

Ngày đăng: 23/02/2014, 02:20

TỪ KHÓA LIÊN QUAN

TÀI LIỆU CÙNG NGƯỜI DÙNG

TÀI LIỆU LIÊN QUAN

w