GAO: CYBERCOM lacks metrics to assess fielded capabilities

By Briana Reilly / March 30, 2022 at 4:21 PM

U.S. Cyber Command has not yet developed outcome-based metrics to assess and review key warfighting programs that have recently fielded capabilities, the Government Accountability Office found.

The reality, today’s GAO report warns, could leave officials without an understanding of “whether and how new capabilities benefit the cyber warfighting mission.”

Through the Defense Department’s Joint Cyber Warfighting Architecture, CYBERCOM officials are aiming “to provide a comprehensive, integrated cyberspace architecture,” which includes four already-underway acquisition programs and efforts led by each military department and the command that acquire and deploy cyber tools, according to GAO.

But GAO determined CYBERCOM has more work to do in evaluating the programs that have and will continue to be delivering capabilities. Specifically, the report shows that while officials began scheduling the so-called “value assessments” for the JCWA programs it oversees in the fall, “the command will not complete all of them by the required dates”: within a year of fielding capabilities.

Part of the reason for the delay, GAO notes, is CYBERCOM’s misunderstanding of its role in the assessments -- a difficulty compounded by the newness of DOD’s fledgling software acquisition pathway, which almost all major JCWA programs are leveraging.

Relatedly, command officials as of December haven’t yet developed broad metrics to track whether those programs are meeting their intended cyber operational outcomes -- meaning the command likely won’t have outcome-based standards in place before its first value assessments are completed, GAO reported.

Those metrics, which can include whether a given effort is improving infrastructure security, are especially important given the need to determine how the multiple programs tied to JWCA are working together, the report adds, and whether those efforts are increasing speed in conducting certain kinds of cyber operations, for example.

Though CYBERCOM began efforts last spring to develop such metrics, officials told GAO that their inexperience with the software acquisition pathway, the continually evolving nature of the cyber mission and difficulties with measuring factors such as new tactics or training on outcomes were slowing their progress. GAO noted that the command would have more time to establish metrics ahead of the next set of JCWA program value assessments.

The Pentagon in its response agreed with GAO’s recommendation to develop broad metrics to support future assessments. Officials noted that CYBERCOM submitted a request to DOD for extra resources to boost the command’s ability to understand the external forces affecting its efforts to create an outcome-based metrics program.

The latest report on the JWCA comes as CYBERCOM has made progress in defining interoperability goals such as data tagging standards for its more than two-year-old architecture that could have prevented its systems from sharing information and working in coordination. GAO credited the command for setting those goals in its first Concept of Operations document from September 2021 and establishing plans to regularly update them.

214440

About the Insider

The INSIDER is a daily news digest from Inside Defense. Every business day, the INSIDER delivers news and notes on the Defense Department, Congress and the defense industry. And every day, we send you highlights via email.

Depending on the terms of your subscription to Inside Defense, you will have easy access to the linked articles and documents.

If you have any questions about the INSIDER, please contact our Customer Service Department at 1-800-424-9068 or insidedefense@iwpnews.com.